Exploring intentions

Intentions are Consul's service-to-service access controls: they define which services may connect to which. Intentions can be defined through the UI, the CLI, or REST API calls. Once defined, they are enforced by the sidecar proxies, which allow or deny connections between services. For example, you may want to restrict access to the backend database services to only those services with a legitimate need to reach them, preventing unauthorized access to the service.

Once defined, intentions are replicated across data centers and cached locally by each agent, so inbound connections can still be authorized if the agent's connectivity to the Consul servers is disrupted.

Let's learn how to create an intention so that we can allow connections from the dashboard to the counting service:

  1. Click Intentions on the top menu bar of the Consul dashboard, then click Create to define rules for the connections:

  2. We will create a deny rule for all source and destination services. Select All Services for both the source and the destination, check Deny, and click Save:

  3. It may take a few seconds for a new rule to propagate. Switch to the demo application tab. The dashboard of the demo application should show Counting Service is Unreachable:

  4. Switch back to the Consul dashboard tab and click Create to add an allow rule that lets the dashboard service connect to the counting service, as shown in the following screenshot:

  5. Switch to the demo application's dashboard tab. The counting service should now be available to the dashboard, but it should remain unavailable to any other service. Note that this is accomplished without writing any code.

We just saw how intentions provide access control to services. Now, we will delete the intention rules that we created previously.

  1. Switch back to the Consul dashboard (webconsole.consul.local) and navigate to Intentions.
  2. Click the three horizontal dots against each intention and delete both intentions.

The purpose of intentions is to create a blacklist and whitelist of services. Note that it is good practice to deny access from all services first and then allow access by whitelisting only the required services, as shown in this section. From a security standpoint, this is an important feature for blocking access to services that a caller has no legitimate need to reach.
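The same two rules from the steps above, written as Consul `service-intentions` config entries instead of UI clicks (an added example, not from the book; this config-entry form requires Consul 1.9 or later, and the file names and the `web` service name are made up for illustration):

```hcl
# File deny-all.hcl (constructed name): the "All Services -> All Services, Deny"
# rule from step 2. A "*" source on a "*" destination is the lowest-precedence
# intention, so it only applies when no more specific intention matches.
Kind = "service-intentions"
Name = "*"
Sources = [
  {
    Name   = "*"
    Action = "deny"
  }
]

# ---------------------------------------------------------------------------
# File counting-intentions.hcl (constructed name): the "dashboard -> counting,
# Allow" rule from step 4. An exact source on an exact destination outranks
# the wildcard deny, so dashboard may reach counting while every other source
# is still denied by the entry above.
Kind = "service-intentions"
Name = "counting"
Sources = [
  {
    Name   = "dashboard"
    Action = "allow"
  }
]

# Apply and verify from the CLI (the equivalent of Save in the UI), then
# remove both entries as in the deletion steps:
#   consul config write deny-all.hcl
#   consul config write counting-intentions.hcl
#   consul intention check dashboard counting   # prints "Allowed"
#   consul intention check web counting         # prints "Denied"
#   consul config delete -kind service-intentions -name counting
#   consul config delete -kind service-intentions -name '*'
```

Each entry goes in its own file because `consul config write` accepts one config entry per file.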

Next, we'll learn about Consul's key/value store, which stores the service mesh configuration.
