The key features of Consul are:

  • Service Discovery: Clients of Consul can register a service, such as api or mysql, and other clients can use Consul to discover providers of a given service. Using either DNS or HTTP, applications can easily find the services they depend upon.

  • Health Checking: Consul clients can provide any number of health checks, either associated with a given service ("is the webserver returning 200 OK"), or with the local node ("is memory utilization below 90%"). This information can be used by an operator to monitor cluster health, and it is used by the service discovery components to route traffic away from unhealthy hosts.

  • KV Store: Applications can make use of Consul's hierarchical key/value store for any number of purposes, including dynamic configuration, feature flagging, coordination, leader election, and more. The simple HTTP API makes it easy to use.

  • Secure Service Communication: Consul can generate and distribute TLS certificates for services to establish mutual TLS connections. Intentions can be used to define which services are allowed to communicate. Service segmentation can be easily managed with intentions that can be changed in real time instead of using complex network topologies and static firewall rules.

  • Multi Datacenter: Consul supports multiple datacenters out of the box. This means users of Consul do not have to worry about building additional layers of abstraction to grow to multiple regions.

  • Similar to ZooKeeper as a consistent coordination/KV store, but service discovery APIs and health checks are built in as first-class features instead of something you build on top of the KV store yourself.

  • Consul integrates with Envoy: it pushes the current set of healthy upstream instances into each sidecar's configuration, so the local proxy (not a central load balancer) picks which instance to send traffic to. (Is this effectively a more-configurable NLB/ALB? Closer to client-side load balancing done in the sidecar.)

  • Consul Connect is Consul's service mesh feature. A proxy (typically an Envoy sidecar) provides service identity/authorization and mTLS encryption for service-to-service comms. (Is this a Vault integration? Not required: Consul ships its own CA, and Vault can optionally be configured as the CA provider.)

    • You can define a service graph, via intentions, that determines which services can talk to which other services; the destination's proxy enforces it per connection.

    • Consul's CA handles certificate generation, signing and rotation; leaf certificates are short-lived and rotated automatically, so there is no manual cert management per service.

    • I'm curious about how this integrates with AWS builtins. As an example, does this render security groups within a VPC obsolete, or do you pretty much need both?

    • Connect-native: a service can embed Connect as a library (Go SDK) and terminate mTLS itself, so the sidecar proxy isn't required.

  • The consul agent (separate from the sidecar proxy above) also runs on every node, in client mode on most machines and in server mode on the small Raft quorum. It runs the health checks, participates in the gossip pool and keeps a local cache of membership data, and forwards service/KV reads and writes to the servers.
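As an added example (not code from the page or from HashiCorp's docs), here is how the registration, health check and sidecar pieces in the notes above fit together in one agent service definition. It assumes a Connect-enabled Consul 1.10+ agent on the host, a hypothetical `web` process on :8080 exposing `/healthz`, an upstream service named `api`, and a hypothetical memory-check script.

```hcl
# web.hcl -- added example, not code from the page or from HashiCorp.
# Assumes a Connect-enabled Consul agent on this host, a local "web" process
# on :8080 exposing /healthz (hypothetical), and an upstream service "api".
service {
  name = "web"
  id   = "web-1"
  port = 8080

  # Service-level check: the local agent polls this URL. A 2xx is passing,
  # 429 is warning, anything else (or a timeout) is critical, which drops the
  # instance out of DNS / ?passing results. After 30m critical it is removed.
  check {
    id       = "web-http"
    name     = "web /healthz"
    http     = "http://127.0.0.1:8080/healthz"
    method   = "GET"
    interval = "10s"
    timeout  = "2s"
    deregister_critical_service_after = "30m"
  }

  # Register an Envoy sidecar next to the service. Consul issues it a leaf
  # certificate carrying the SPIFFE identity of "web" and pushes the set of
  # healthy "api" instances into its configuration.
  connect {
    sidecar_service {
      proxy {
        upstreams = [
          {
            destination_name = "api"
            local_bind_port  = 9191   # app dials 127.0.0.1:9191; sidecar does mTLS to api
          }
        ]
      }
    }
  }
}

# Node-level check, not tied to a service: memory below 90%. Script checks
# run only if the agent has enable_local_script_checks = true; the script
# path is hypothetical and must exit 0 (passing), 1 (warning) or >1 (critical).
check {
  id       = "mem"
  name     = "memory utilization"
  args     = ["/usr/local/bin/check_mem.sh", "90"]
  interval = "30s"
}
```

Load it with `consul services register web.hcl`. Both discovery paths from the feature list then return only healthy instances: `dig @127.0.0.1 -p 8600 web.service.consul` and `curl 'http://127.0.0.1:8500/v1/health/service/web?passing'`. Note the difference: DNS drops instances with a critical check but still resolves ones in warning unless `dns_config.only_passing` is set, whereas `?passing` requires every check on the instance and its node to pass.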
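As an added example (not from the page or from HashiCorp), the intentions half of the "service graph" described above: a `service-intentions` config entry for the hypothetical `api` service that allows `web` and denies everyone else. It assumes Consul 1.9+ (config-entry style intentions).

```hcl
# api-intentions.hcl -- added example, not from the page or from HashiCorp.
# Governs who may connect *to* "api"; each destination service has one entry.
# Exact source names take precedence over the "*" wildcard, so the order of
# the list does not affect matching.
Kind = "service-intentions"
Name = "api"
Sources = [
  {
    Name        = "web"      # caller's service identity, proven by its mTLS leaf cert
    Action      = "allow"
    Description = "web frontend may call api"
  },
  {
    Name        = "*"        # every other service in the mesh
    Action      = "deny"
    Description = "default deny; add explicit allows above"
  }
]
```

`consul config write api-intentions.hcl` applies it immediately; the `api` sidecars enforce it on the next inbound connection with no restarts, which is the "changed in real time" property the feature list mentions. Two caveats worth knowing: if no source matches, Consul falls back to the ACL default policy, so a cluster with `acl { default_policy = "allow" }` (or no ACLs) is allow-by-default unless you include the wildcard deny; and enforcement happens at the destination's proxy, so a client that bypasses the sidecar and connects straight to the application port is outside its scope, which is why the app should listen only on loopback.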