Consul on Amazon ECS 0.4 Now Supports Multi-Tenancy
The latest version of HashiCorp Consul on Amazon ECS adds support for multi-tenancy with administrative partitions and namespaces.
We are pleased to announce that HashiCorp Consul on Amazon Elastic Container Service (ECS) 0.4 is now generally available for all users. This release adds multi-tenancy support with administrative partitions and namespaces in an effort to help organizations run Consul to reduce operational complexity and seamlessly integrate service mesh into their application workflows.
» Tackling Name Sprawl with Namespaces (Enterprise)
When the number of development teams using Consul on ECS reaches a certain point, they have to start coordinating to prevent service name conflicts and to control access within Consul. Namespaces for Consul on ECS allow global operators to create isolated environments in a shared cluster and apply any required service access restrictions for authenticated users. This alleviates the need for multiple teams to coordinate resource names and provides a way to delegate and sub-delegate administrative privileges for individual teams, facilitating finer-grained control with access-based security.
» Multi-Tenancy with Administrative Partitions (Enterprise)
When an organization scales a service mesh, it faces increased operational complexity because teams have to manage the mesh across multiple tenants. This creates an unmanageable situation for operators when dozens, if not hundreds, of ECS clusters and virtual machines are deployed within the organization. Operators lack organizational autonomy when providing resources like networking, namespaces, and services to individual teams.
Consul on ECS now supports multi-tenancy with admin partitions to provide a shared service-networking solution for multiple tenants — across Amazon ECS, EKS, and EC2 deployments — within a single Consul datacenter. Admin partitions support various deployment patterns that enable multiple ECS clusters from different tenants to share a single Consul control plane. This helps enterprises improve operational efficiency while giving individual teams the organizational autonomy and isolation required to manage their services as they see fit. To learn more, please read the HashiCorp Consul 1.11 release blog.
» Deploying Consul ECS with Admin Partitions
Consul on ECS supports one Consul partition per ECS cluster. This deployment model introduces a network and administrative boundary — a Consul partition — to an ECS cluster to support multi-tenancy.
With Consul on ECS 0.4, the ACL controller is updated to support admin partitions. The following example shows how to configure the ACL controller when using the acl-controller Terraform module. You simply specify that partitions are enabled and the name of the partition assigned to the ACL controller:
module "acl_controller" {
source = "hashicorp/consul-ecs/aws//modules/acl-controller"
consul_partition = "example-partition"
consul_partitions_enabled = true
...
}
The ACL controller runs as a task in an ECS cluster. When using admin partitions, you will run one ACL controller in each ECS cluster where you use Consul service mesh. The ACL controller in an ECS cluster will automatically create its assigned Consul partition and will watch for new ECS tasks in order to automatically create the Consul namespaces, ACL tokens, and ACL policies needed by those tasks.
With the ACL controller running, you can deploy service mesh tasks to the ECS cluster to run an application. The following example shows how to specify the Consul namespace and partition when using the mesh-task
module:
module "example_app" {
source = "hashicorp/consul-ecs/aws//modules/mesh-task"
family = "example-app"
container_definitions = ...
consul_partition = "example-partition"
consul_namespace = "example-namespace"
...
}
After the task starts up, the ACL controller will create the ACL token needed by the task. The task will then automatically register into the specified Consul partition and namespace prior to starting your application container, achieving multi-tenancy and reducing operational burden.
» Try Consul on ECS Now
We are thrilled for users to take advantage of this latest Consul on ECS release to discover and securely connect any application. A pair of HashiCorp Learn tutorials are available to help you get started with Consul on ECS:
To learn more, please see HashiCorp Consul’s AWS ECS documentation, which includes step-by-step instructions for moving existing applications to the service mesh, along with detailed architectural information.
Sign up for the latest HashiCorp news
More blog posts like this one
HashiCorp at AWS re:Invent: Your blueprint to cloud success
If you’re attending AWS re:Invent in Las Vegas, Dec. 2 - Dec. 6th, visit us for breakout sessions, expert talks, and product demos to learn how to take a unified approach to Infrastructure and Security Lifecycle Management.
Consul 1.20 improves multi-tenancy, metrics, and OpenShift deployment
HashiCorp Consul 1.20 is a significant upgrade for the Kubernetes operator and developer experience, including better multi-tenant service discovery, catalog registration metrics, and secure OpenShift integration.
New SLM offerings for Vault, Boundary, and Consul at HashiConf 2024 make security easier
The latest Security Lifecycle Management (SLM) features from HashiCorp Vault, Boundary, and Consul help organizations offer a smoother path to better security practices for developers.