I was getting myself familiar with Consul services and trying things out. However, until now I couldn't find a way to allow specific subnets to send requests to the Consul server.
Here is my basic consul config.json:
{
  "server": true,
  "datacenter": "dc1",
  "data_dir": "/opt/consul",
  "bind_addr": "{{ ansible_ssh_host }}",
  "client_addr": "0.0.0.0",
  "bootstrap_expect": 1,
  "node_name": "consul_server",
  "ui": true,
  "encrypt": "",
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "down_policy": "extend-cache"
  }
}
In this case, client_addr is set to anywhere (0.0.0.0). How can I set it to something like 10.10.4.0/24 10.10.2.0/24 or 10.10.0.0/16?
The client_addr config option controls which interfaces Consul will bind to for the DNS, HTTP[S], and gRPC listeners. You can specify a space-separated list of addresses on the machine on which Consul should listen. E.g.,
{
  "client_addr": "192.0.2.10 198.51.100.20 203.0.113.30"
}
This won't prevent Consul from being reachable from clients on other CIDRs that can route to one of the listening IPs. You'll need to use a firewall if you want to restrict which IPs can communicate with Consul.
You can, however, restrict which CIDRs Consul will accept API write requests from using the http_config.allow_write_http_from configuration option.
{
  "http_config": {
    "allow_write_http_from": [
      "192.0.2.0/24",
      "198.51.100.0/24",
      "203.0.113.0/24"
    ]
  }
}
This example config will only allow HTTP PUT/POST/DELETE options from clients residing in one of the listed address ranges.
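To make the distinction in the answer concrete, here is an added example (my own code, not Consul's source and not from the answer above) that applies the allow_write_http_from rule the way the answer describes it: the listening address does not filter anyone, read requests are never gated, and write requests (PUT/POST/DELETE) are accepted only when the client's source IP falls inside one of the listed CIDRs. The config JSON embedded below is constructed to mirror the answer's example; the type names, the ParseWriteAllowList and Allowed functions, and the probe addresses are my own. One consequence worth checking before enabling the option: 127.0.0.1 is not in the list, so a consul CLI run on the server itself would be refused writes unless a loopback range is added.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// sampleConfig is a constructed agent config mirroring the answer's example.
// client_addr is left wide open on purpose: binding does not restrict sources.
const sampleConfig = `{
  "client_addr": "0.0.0.0",
  "http_config": {
    "allow_write_http_from": [
      "192.0.2.0/24",
      "198.51.100.0/24",
      "203.0.113.0/24"
    ]
  }
}`

// consulConfig holds only the keys this example cares about (hypothetical struct).
type consulConfig struct {
	ClientAddr string `json:"client_addr"`
	HTTPConfig struct {
		AllowWriteHTTPFrom []string `json:"allow_write_http_from"`
	} `json:"http_config"`
}

// WriteAllowList is the parsed form of allow_write_http_from.
type WriteAllowList struct {
	nets []*net.IPNet
}

// ParseWriteAllowList decodes the config and validates every CIDR up front,
// so a typo in the list is caught at load time rather than at request time.
func ParseWriteAllowList(cfgJSON string) (*WriteAllowList, error) {
	var cfg consulConfig
	if err := json.Unmarshal([]byte(cfgJSON), &cfg); err != nil {
		return nil, err
	}
	al := &WriteAllowList{}
	for _, c := range cfg.HTTPConfig.AllowWriteHTTPFrom {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("allow_write_http_from: bad CIDR %q: %w", c, err)
		}
		al.nets = append(al.nets, n)
	}
	return al, nil
}

// Allowed reports whether a request with the given HTTP method from remoteAddr
// (either "ip" or "ip:port") should be accepted under the write allow list.
func (al *WriteAllowList) Allowed(method, remoteAddr string) bool {
	switch strings.ToUpper(method) {
	case "GET", "HEAD", "OPTIONS":
		return true // reads are not gated by allow_write_http_from
	}
	if len(al.nets) == 0 {
		return true // option unset: writes are accepted from any source
	}
	host := remoteAddr
	if h, _, err := net.SplitHostPort(remoteAddr); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false // fail closed on an address we cannot parse
	}
	for _, n := range al.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	al, err := ParseWriteAllowList(sampleConfig)
	if err != nil {
		panic(err)
	}
	// Constructed probes: a subnet from the question, a listed range, and loopback.
	probes := []struct{ method, addr string }{
		{"GET", "10.10.4.5:51000"},
		{"PUT", "10.10.4.5:51000"},
		{"PUT", "192.0.2.77:51001"},
		{"DELETE", "127.0.0.1:51002"},
	}
	for _, p := range probes {
		fmt.Printf("%-6s from %-18s allowed=%v\n", p.method, p.addr, al.Allowed(p.method, p.addr))
	}
}
```

Running it shows the GET from 10.10.4.5 passing while the PUT from the same host is refused, the PUT from 192.0.2.77 passing, and the DELETE from loopback refused; that last line is the one to watch when the option is enabled on a node whose own CLI or automation talks to localhost.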