Hi Anton,
I am following up to answer the remaining open follow-up questions.
You can find the Consul documentation on port usage here (note our port numbers might differ from the defaults).
Note that the mTLS solution relies on the same binary/daemon and running as:
a) server mode (tier-0 service, so you deploy only one of them, can't be an highly available approach, for 0-downtime production guarantee, Consul requires 3 server nodes, which elect a leader using the raft consensus approach. These could be deployed on dedicated node(s) or in conjunction with existing topology nodes (like our example for a dual-dc install, continue reading, I have added details in the following answer). For more details, see also here.
b) sidecar mode (each of which will be controlled by the Consul server/s, and provide mTLS bidirectional communications across the other nodes of the mesh).
> When you say “consul server”, do you mean the servers installed on Zookeeper nodes, correct?
Yes, the wording "Consul Server" above is used above to refer to one or more nodes running the Consul daemon in server mode.
Assuming you are referring to the example in the dual-DC installation, then - yes - that topology describes the installation of three Consul Server nodes in each of the two regions, looking at the IP addresses listed in the two configuration files.
Ref doc here.
> Also, what is this Apigee mTLS Node (mentioned in the table in documentation). Is this actually the Consul Server?
Yes, with the explanation at the points above, should appear clear now.
> If I get it correctly, all Consul proxies (egress, I assume) talk to these Consul servers using the 8305 port, right?
Consul proxies (i.e. the sidecars) - running on different nodes than the Consul Servers - use target TCP port 8305 to connect to all Consul Servers in our setup. Details here.
> Port 8300 needs to be opened only on Consul Servers (for localhost), correct?
and:
> In sum, ports 8305 & 8300 are needed to be open only one Consul Servers nodes?
Only for Consul Servers, but it's a TCP RPC port and needs to be exposed to the other Consul Servers (if you choose to have min 3 per data centre as tier-0 HA service).
> Also, is Administration Machine and Consul Servers required for operations after the Apigee mTLS has been configured?
Consul Servers: yes, they coordinate the sidecars, providing health-check services and latency monitoring.
Admin Machine: it's the one used for the setup of the CA and the generation of the configuration files. It is not involved in the traffic. If no other components are installed and running on it, then you don't need up and running, but you will still need its attached filesystem to have it online again during upgrades and certificates refresh, rotation and topology changes.
> What if one of the Consul Servers becomes unresponsive — will this have an impact on operations?
Yes, for HA and zero downtime operations, you will need to:
a) Deploy 3 Consul Servers per DC (not a single point of failure)
b) monitor their health.
They will re-elect the leader from the residual if the current leader disappears. See above.
Let me know if you need further clarifications or we need to dig deeper.
Regards,
Nicola
LinkedIn
Twitter
