¶ Encryption and Identity
- Enable gossip encryption with a rotated encrypt key.
- Enforce mTLS for RPC and HTTPS API traffic.
- Use ACLs in default-deny mode and create scoped tokens per service.
- Bind client interfaces to internal networks only.
- Restrict UI/API access through a reverse proxy or VPN.
- Disable unauthenticated read access to catalog and KV.
- Store ACL bootstrap tokens in a secrets manager, not local files.
- Enable audit logging for ACL and configuration changes.
- Patch Consul agents/servers consistently across the cluster.
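
One way to check an agent configuration against the encryption, mTLS, ACL and bind-address items above. This is an added example, not part of the original checklist or Consul's own tooling. It assumes the `tls` stanza layout of current Consul agent configuration and Consul's documented defaults for absent keys; the sample configs, placeholder values and finding codes are constructed for illustration.

```python
import ipaddress

# Constructed agent configs (JSON form of Consul's tls/acl/ports stanzas), not from a real cluster.
WEAK = {
    "client_addr": "0.0.0.0",
    "acl": {"enabled": True, "default_policy": "allow",
            "tokens": {"initial_management": "PLACEHOLDER-TOKEN"}},
    "tls": {"defaults": {"verify_incoming": False, "verify_outgoing": True}},
}
HARDENED = {
    "encrypt": "PLACEHOLDER-GOSSIP-KEY",
    "client_addr": "127.0.0.1 10.0.0.5",
    "ports": {"http": -1, "https": 8501},
    "acl": {"enabled": True, "default_policy": "deny"},
    "tls": {"defaults": {"verify_incoming": True, "verify_outgoing": True},
            "internal_rpc": {"verify_server_hostname": True}},
}

def get(cfg, path, default=None):  # walk a dotted path through nested dicts
    for key in path.split("."):
        if not isinstance(cfg, dict) or key not in cfg:
            return default
        cfg = cfg[key]
    return cfg

def exposed(addrs):
    # Wildcard or non-private literal IPs count as exposed; templates/sockets are skipped.
    for a in addrs.split():
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue
        if ip.is_unspecified or not ip.is_private:
            return True
    return False

def audit(cfg):
    checks = [  # (finding code, True when the setting contradicts the checklist)
        ("gossip-unencrypted", not get(cfg, "encrypt")),
        ("tls-verify-incoming-off", get(cfg, "tls.defaults.verify_incoming") is not True),
        ("tls-verify-outgoing-off", get(cfg, "tls.defaults.verify_outgoing") is not True),
        ("rpc-hostname-unverified", get(cfg, "tls.internal_rpc.verify_server_hostname") is not True),
        ("http-plaintext-enabled", get(cfg, "ports.http", 8500) != -1),
        ("https-disabled", get(cfg, "ports.https", -1) <= 0),
        ("acl-disabled", get(cfg, "acl.enabled") is not True),
        ("acl-not-default-deny", get(cfg, "acl.default_policy", "allow") != "deny"),
        ("bootstrap-token-in-file", bool(get(cfg, "acl.tokens.initial_management"))),
        ("client-addr-exposed", exposed(get(cfg, "client_addr", "127.0.0.1"))),
    ]
    return [code for code, failed in checks if failed]
```

Run `audit()` on each agent's parsed config in CI or configuration management so that a node drifting from the checklist is reported before it joins the cluster.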
¶ Resilience and Recovery
- Back up snapshots regularly and test restore drills.
- Protect snapshot storage with encryption and access controls.
- Monitor leader election, raft health, and TLS certificate expiry.