The mesh gateway (also called a cross-cluster gateway) plays an important role: it provides a flat network for connecting multiple Consul clusters, regardless of their location, in a zero-trust network environment by using mutual TLS (mTLS).
This can be seen in the following diagram:
Two Consul servers are running in a Kubernetes environment and one Consul server is running in a VM. server-2 is the leader in both data centers.
The mesh gateway works as follows:
- The Consul web service receives traffic through the Ingress gateway from the internet.
- The service-defaults configuration entry for the api Consul service (residing in DC2) sets the mesh gateway mode to local.
- service-resolver for api redirects the traffic to DC2.
- When the web application invokes the api service, it goes through the mesh gateway of DC1, and the service resolves to the api service on DC2.
- Traffic is protected with mTLS between the two configured gateways and between the services and the mesh gateway.
- The mesh gateway does not decrypt network traffic.
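The two configuration entries described in the steps above could look like the following sketch. This is an added example, not configuration taken from the original text; the file names and the lowercase datacenter name `dc2` are assumptions.

```hcl
# ---- File 1: api-defaults.hcl (file name is an assumption) ----
# service-defaults entry for the "api" service.
# Mode = "local" means a sidecar proxy that calls api in another
# datacenter connects to the mesh gateway in its own datacenter (DC1
# for the web service), and that gateway forwards the connection to
# the gateway of the destination datacenter.
Kind = "service-defaults"
Name = "api"

MeshGateway {
  Mode = "local"
}

# ---- File 2: api-resolver.hcl (file name is an assumption) ----
# service-resolver entry for "api".
# Requests for api are redirected to the api service registered in the
# second datacenter. "dc2" is an assumed datacenter name; use the name
# the remote Consul servers were started with.
Kind = "service-resolver"
Name = "api"

Redirect {
  Service    = "api"
  Datacenter = "dc2"
}
```

Each entry is kept in its own file and loaded with `consul config write <file>`. The sidecars keep their own mTLS session end to end, which is why the gateways in between can forward the traffic without decrypting it.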
This concludes our look at the mesh gateway, which is used to securely connect Consul clusters.