Ensure Consul is running with connect enabled in the agent config: connect { enabled = true } and that Nomad is configured with consul { address = "127.0.0.1:8500" }
In the Nomad job HCL, add a connect sidecar_service stanza under the service block: service { name = "api"; connect { sidecar_service { } } } — Nomad and Consul will automatically provision an Envoy sidecar
For a downstream service (e.g., a web tier that calls the api), add sidecar_service with a proxy block that contains the upstreams: sidecar_service { proxy { upstreams { destination_name = "api"; local_bind_port = 9000 } } } so that Envoy transparently proxies api traffic over mTLS
Connect to the upstream in your application using 127.0.0.1:9000 (the local Envoy listener) rather than the api service's direct address — the Envoy proxy handles mTLS certificate negotiation transparently
Run nomad job run job.nomad and verify that the Envoy sidecar task appears alongside the main task in the allocation with nomad alloc status <alloc-id>; then check the Consul UI to confirm the service is registered together with its Connect sidecar proxy
Test mTLS enforcement by attempting a direct TCP connection to the api task's port, bypassing Envoy: the connection should be refused, because the task should be bound to localhost (or otherwise reachable only through Envoy)
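The steps above as one complete Nomad job file, an added example rather than a file from the original page; it assumes bridge-mode group networking (which Connect sidecars require), a datacenter named dc1, and placeholder Docker images. The upstreams block sits inside proxy within sidecar_service, and the web task reads the Envoy listener address from the NOMAD_UPSTREAM_ADDR_api runtime variable instead of hard-coding it.

```hcl
job "api-mesh" {
  datacenters = ["dc1"]

  group "api" {
    # Bridge mode: the group gets its own network namespace, so port 8080 is
    # never published on the host and is reachable only through Envoy.
    network { mode = "bridge" }

    service {
      name = "api"
      port = "8080"           # port the api task listens on inside the namespace
      connect {
        sidecar_service {}    # Nomad and Consul provision the Envoy sidecar
      }
    }

    task "api" {
      driver = "docker"
      config { image = "example/api:1.0" }   # placeholder image
    }
  }

  group "web" {
    network { mode = "bridge" }

    service {
      name = "web"
      port = "9002"
      connect {
        sidecar_service {
          proxy {
            # Envoy listens on 127.0.0.1:9000 in this namespace and forwards
            # to "api" over mTLS; the app never dials api directly.
            upstreams {
              destination_name = "api"
              local_bind_port  = 9000
            }
          }
        }
      }
    }

    task "web" {
      driver = "docker"
      env { API_ADDR = "${NOMAD_UPSTREAM_ADDR_api}" }   # 127.0.0.1:9000
      config { image = "example/web:1.0" }              # placeholder image
    }
  }
}
```

After nomad job run, nomad alloc status on the web allocation should list the web task next to its Envoy sidecar task, and the api port 8080 should not be reachable from the host because no port is published for it.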
Known gotchas
Nomad Connect requires that the Envoy binary is present on worker nodes; Nomad downloads and caches Envoy automatically when the CNI plugins and the nomad-cni package are installed, but missing CNI plugins cause task group networking to fail before the sidecar even starts
The local_bind_port in the upstreams block must not conflict with ports used by the application or other upstreams; Nomad does not validate port conflicts between upstreams, leading to silent binding failures
Consul Connect uses short-lived leaf certificates issued by the Consul CA; if the Consul CA root cert is rotated without a grace period overlapping with existing certificate validity, in-flight mTLS connections may be interrupted during the rotation window