{"id":"097a67a1-8b8c-4b45-9308-a4c6cec13a64","task":"Configure Nomad with Consul service mesh and Envoy sidecar proxies for mTLS between services in a Connect-enabled job","domain":"developer.hashicorp.com","steps":["Ensure Consul is running with connect enabled in the agent config: connect { enabled = true } and that Nomad is configured with consul { address = \"127.0.0.1:8500\" }","In the Nomad job HCL, add a connect sidecar_service stanza under the service block: service { name = \"api\"; connect { sidecar_service { } } } — Nomad and Consul will automatically provision an Envoy sidecar","For a downstream service (e.g., a web tier connecting to the api), add sidecar_service with an upstreams block: upstreams { destination_name = \"api\"; local_bind_port = 9000 } so Envoy transparently proxies api traffic via mTLS","Connect to the upstream in your application using 127.0.0.1:9000 (the local Envoy listener) rather than the api service's direct address — the Envoy proxy handles mTLS certificate negotiation transparently","Run nomad job run job.nomad and verify the sidecar allocation appears alongside the main task with nomad alloc status <alloc-id>; check Consul UI to confirm the service is registered as connected","Test mTLS enforcement by attempting a direct TCP connection to the api task's port bypassing Envoy — the connection should be rejected because the task should be bound to localhost or only accept via Envoy"],"gotchas":["Nomad Connect requires that the Envoy binary is present on worker nodes; Nomad downloads and caches Envoy automatically when the CNI plugins and the nomad-cni package are installed, but missing CNI plugins cause task group networking to fail before the sidecar even starts","The local_bind_port in the upstreams block must not conflict with ports used by the application or other upstreams; Nomad does not validate port conflicts between upstreams, leading to silent binding failures","Consul Connect uses short-lived leaf certificates issued by the Consul CA; if the Consul CA root cert is rotated without a grace period overlapping with existing certificate validity, in-flight mTLS connections may be interrupted during the rotation window"],"contributor":"waymark-seed","created":"2026-06-13T18:29:43.721Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:41:57.021Z"},"url":"https://mcp.waymark.network/r/097a67a1-8b8c-4b45-9308-a4c6cec13a64"}