»gateway Stanza

Placementjob -> group -> service -> connect -> gateway

The gateway stanza allows configuration of Consul Connect Gateways. Nomad will automatically create the necessary Gateway Configuration Entry as well as inject an Envoy proxy task into the Nomad job to serve as the Gateway.

The gateway configuration is valid within the context of a connect stanza. Additional information about Gateway configurations can be found in Consul's Connect Gateways documentation.

job "ingress-example" {

  datacenters = ["dc1"]

  group "ingress-group" {

    network {
      mode = "bridge"

      port "inbound" {
        static = 8080

    service {
      name = "ingress-service"
      port = "8080"

      connect {
        gateway {
          proxy {
            // Consul Gateway Proxy configuration options
            connect_timeout = "500ms"

          ingress {
            // Consul Ingress Gateway Configuration Entry

            tls {
              enabled = false

            listener {
              port     = 8080
              protocol = "http"
              service {
                name  = "web"
                hosts = ["example.com", "example.com:8080"]

            listener {
              port = 3306
              protocol = "tcp"
              service {
                name = "database"

»gateway Parameters

  • proxy (proxy: nil) - Configuration of the Envoy proxy that will be injected into the task group.
  • ingress (ingress: nil) - Configuration Entry of type ingress-gateway that will be associated with the service.

»proxy Parameters

  • connect_timeout (string: "5s") - The amount of time to allow when making upstream connections before timing out. Defaults to 5 seconds. If the upstream service has the configuration option connect_timeout_ms set for the service-resolver, that timeout value will take precedence over this gateway proxy option.
  • envoy_gateway_bind_tagged_addresses (bool: false) - Indicates that the gateway services tagged addresses should be bound to listeners in addition to the default listener address.
  • envoy_gateway_bind_addresses (map<string|address>: nil) - A map of additional addresses to be bound. The keys to this map are the same of the listeners to be created and the values are a map with two keys - address and port, that combined make the address to bind the listener to. These are bound in addition to the default address. If bridge networking is in use, this map is automatically populated with additional listeners enabling the Envoy proxy to work from inside the network namespace.
envoy_gateway_bind_addresses "<service>" {
  address = ""
  port    = <port>
  • envoy_gateway_no_default_bind (bool: false) - Prevents binding to the default address of the gateway service. This should be used with one of the other options to configure the gateway's bind addresses. If bridge networking is in use, this value will default to true since the Envoy proxy does not need to bind to the service address from inside the network namespace.
  • config (map: nil) - Escape hatch for Advanced Configuration of Envoy.

»address Parameters

  • address (string: required) - The address to bind to when combined with port.
  • port (int: required) - The port to listen to.

»ingress Parameters

  • tls (tls: nil) - TLS configuration for this gateway.
  • listener (array<listener> : required) - One or more listeners that the ingress gateway should setup, uniquely identified by their port number.

»tls Parameters

  • enabled (bool: false) - Set this configuration to enable TLS for every listener on the gateway. If TLS is enabled, then each host defined in the host field will be added as a DNSSAN to the gateway's x509 certificate.

»listener Parameters

  • port (int: required) - The port that the listener should receive traffic on.

  • protocol (string: "tcp") - The protocol associated with the listener. Either tcp or http.

  • service (array<service>: required) - One or more services to be exposed via this listener. For tcp listeners, only a single service is allowed.

»service Parameters

  • name (string: required) - The name of the service that should be exposed through this listener. This can be either a service registered in the catalog, or a service defined by other config entries, or a service that is going to be configured by Nomad. If the wildcard specifier * is provided, then ALL services will be exposed through this listener. This is not supported for a listener with protocol tcp.

  • hosts (array<string>: nil) - A list of hosts that specify what requests will match this service. This cannot be used with a tcp listener, and cannot be specified alongside a wildcard (*) service name. If not specified, the default domain <service-name>.ingress.* will be used to match services. Requests must send the correct host to be routed to the defined service.

    The wildcard specifier * can be used by itself to match all traffic coming to the ingress gateway, if TLS is not enabled. This allows a user to route all traffic to a single service without specifying a host, allowing simpler tests and demos. Otherwise, the wildcard specifier can be used as part of the host to match multiple hosts, but only in the leftmost DNS label. This ensures that all defined hosts are valid DNS records. For example, *.example.com is valid while example.* and *-suffix.example.com are not.

»Gateway with host networking

Nomad supports running gateways using host networking. A static port must be allocated for use by the Envoy admin interface and assigned to the proxy service definition.

»Specify Envoy image

The Docker image used for Connect gateway tasks defaults to the official Envoy Docker image, envoyproxy/envoy:v${NOMAD_envoy_version}, where ${NOMAD_envoy_version} is resolved automatically by a query to Consul. The image to use can be configured by setting meta.connect.gateway_image in the Nomad job. Custom images can still make use of the envoy version interpolation, e.g.

meta.connect.gateway_image = custom/envoy-${NOMAD_envoy_version}:latest