🚀 Launch Special: $29/mo for life --d --h --m --s Claim Your Price →
HCA-002
HCA-002 HashiCorp

Consul Associate 002

The HCA‑002 exam validates knowledge of Consul architecture, service discovery, Connect mesh, KV store, and ACLs, enabling practitioners to deploy and manage Consul clusters securely and efficiently.

60
Minutes
57
Questions
70/100
Passing Score
$70.5
Exam Cost
1
Languages

Who Should Take This

It is designed for DevOps engineers, site reliability engineers, and system administrators who have basic familiarity with HashiCorp tools and need to operate Consul in production. Learners aim to master core concepts, configure service mesh, and implement ACLs to ensure reliable, secure service discovery across dynamic environments.

What's Covered

1 Understand Consul agent roles, datacenter design, consensus protocol, gossip protocol, and anti-entropy mechanisms.
2 Register services, query services via DNS and HTTP API, configure health checks, and use prepared queries.
3 Understand Connect, sidecar proxies, intentions for service-to-service authorization, and certificate management.
4 Use the KV store for configuration management, watches, and distributed locking.
5 Bootstrap and manage ACL system, create policies, tokens, and roles for access control.
6 Configure Consul agents in server and client modes, manage cluster membership, and handle agent lifecycle.
7 Configure WAN federation, DNS forwarding, and cross-datacenter service discovery.

Exam Structure

Question Types

  • Multiple Choice
  • Multiple Response
  • Fill In The Blank

Scoring Method

Percentage-based, 70% to pass

Delivery Method

Online proctored via PSI

Recertification

Valid for 2 years. Recertify by passing the current exam version.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

55 learning goals
1 Consul Architecture
2 topics

Agents and Datacenter Design

  • Describe the Consul agent architecture including server agents, client agents, and their roles in service registration, health checking, and query forwarding
  • Describe the Consul datacenter model including LAN gossip pool, server quorum, and the recommended server count (3 or 5) for fault tolerance
  • Describe the Raft consensus protocol as used by Consul servers and explain how leader election and log replication ensure consistent state across the cluster
  • Describe the Serf gossip protocol used by Consul for membership management and explain the difference between LAN gossip (intra-datacenter) and WAN gossip (inter-datacenter)
  • Analyze Consul cluster sizing decisions to recommend appropriate server count and resource allocation based on expected service count and query volume
  • Describe the Consul data plane and explain how it separates control plane (servers) from data plane (Envoy proxies) in modern Consul deployments

Anti-Entropy and Catalog

  • Describe the anti-entropy mechanism and explain how Consul agents synchronize local state with the central catalog to detect and repair inconsistencies
  • Describe the service catalog and explain how it aggregates service registrations, health check results, and metadata from all agents in the datacenter
  • Analyze catalog consistency scenarios to determine how agent failures, network partitions, and stale reads affect service discovery accuracy
  • Implement Consul snapshots for backup and restore of cluster state including service registrations, KV data, and ACL configurations
2 Service Discovery
3 topics

Service Registration

  • Implement service registration using service definition files and the HTTP API to register services with name, port, tags, and metadata
  • Configure service tags and metadata to enable filtering and routing decisions during service discovery queries
  • Implement service deregistration and maintenance mode to gracefully remove services from the discovery pool during deployments or incidents
  • Implement external service registration to add non-Consul-managed services such as databases and SaaS endpoints into the service catalog for unified discovery

Health Checks

  • Describe the health check types available in Consul including HTTP, TCP, gRPC, script, TTL, and Docker checks and explain when each type is appropriate
  • Implement health checks with configurable interval, timeout, and deregister_critical_service_after settings to monitor service availability
  • Analyze the impact of health check configuration on service discovery results and evaluate how check intervals and timeouts affect detection latency versus system load
  • Implement TTL-based health checks where the service must periodically report its health status and configure automatic deregistration for unresponsive services

DNS and HTTP Query Interface

  • Implement DNS-based service discovery using Consul's DNS interface to resolve service names to healthy instance addresses and ports
  • Implement HTTP API-based service discovery using the /v1/catalog and /v1/health endpoints to query services with filtering and blocking queries
  • Implement prepared queries to define pre-configured service lookups with failover rules, nearest-node routing, and tag-based filtering
  • Analyze DNS caching behavior and TTL settings to evaluate the trade-off between discovery responsiveness and DNS query load on Consul servers
3 Service Mesh (Connect)
2 topics

Connect Fundamentals

  • Describe Consul Connect and explain how it provides service-to-service authorization and encryption using mutual TLS through sidecar proxies
  • Describe the sidecar proxy model and explain how Envoy or built-in proxies handle inbound and outbound traffic interception for connected services
  • Implement sidecar proxy registration alongside service definitions to enable automatic mTLS for service-to-service communication
  • Describe the Connect certificate authority system and explain how Consul issues and rotates leaf certificates for service identity verification
  • Implement Connect service mesh on Kubernetes using the Consul Helm chart and explain how injected sidecar containers integrate with the Kubernetes pod model

Intentions and Traffic Management

  • Describe Consul intentions and explain how they define service-to-service authorization rules using allow and deny actions
  • Implement intentions using the CLI and HTTP API to control which services can communicate with each other in the service mesh
  • Implement L7 traffic management including service splitters, resolvers, and routers to control traffic routing based on HTTP headers, paths, and weights
  • Analyze intention precedence and default behavior to determine effective service communication policies in a complex multi-service environment
  • Implement service resolver configurations to define subsets, failover targets, and redirect rules for advanced traffic routing within the service mesh
4 Consul KV Store
1 topic

KV Operations and Watches

  • Implement Consul KV store operations including put, get, delete, and recursive list using the CLI and HTTP API for configuration data management
  • Implement Consul watches on KV prefixes to trigger handler scripts or HTTP callbacks when configuration values change
  • Implement distributed locking using the KV store session and lock mechanisms for leader election and mutual exclusion in distributed applications
  • Analyze KV store usage patterns to determine appropriate key hierarchy design and evaluate consistency guarantees for configuration distribution at scale
  • Implement Consul template integration with the KV store to dynamically generate configuration files from KV data and automatically reload dependent services
5 Access Control (ACLs)
1 topic

ACL System Configuration

  • Describe the Consul ACL system including tokens, policies, roles, and the default deny behavior when ACLs are enabled
  • Implement ACL bootstrapping to initialize the ACL system, generate the initial management token, and configure agent tokens for cluster operation
  • Implement ACL policies using HCL to define fine-grained permissions for service, node, KV, session, and agent resources
  • Implement ACL tokens and roles to assign policy sets to agents, services, and operators with appropriate permission scoping
  • Analyze ACL policy configurations to identify overly permissive rules and recommend least-privilege policy adjustments for a multi-team Consul deployment
  • Implement ACL token migration from legacy to new ACL system and describe the differences between legacy and current ACL token management APIs
6 Agent Configuration
1 topic

Server and Client Configuration

  • Implement Consul server agent configuration including bind address, advertise address, bootstrap expect, and datacenter name settings
  • Implement Consul client agent configuration including retry join, service definitions directory, and enable script checks settings
  • Implement agent lifecycle operations including graceful leave, force leave for failed nodes, and agent reload for configuration changes without restart
  • Configure Consul agent encryption using gossip encryption keys and TLS certificates for RPC and HTTP communication security
  • Analyze agent configuration parameters to troubleshoot cluster join failures, split-brain scenarios, and performance issues caused by misconfigured settings
  • Implement Consul agent telemetry configuration to export metrics to monitoring systems such as Prometheus or StatsD for cluster health observability
7 Multi-Datacenter and DNS
1 topic

WAN Federation and DNS

  • Describe WAN federation and explain how Consul servers in different datacenters join the WAN gossip pool to enable cross-datacenter service discovery
  • Implement cross-datacenter service discovery using DNS queries with datacenter-qualified names and prepared query failover configurations
  • Configure DNS forwarding to integrate Consul DNS with existing DNS infrastructure using dnsmasq, systemd-resolved, or BIND forwarders
  • Analyze multi-datacenter topology requirements to recommend WAN federation versus cluster peering based on network connectivity and operational complexity
  • Describe cluster peering as an alternative to WAN federation and explain how peering tokens establish trust between independent Consul clusters
  • Implement network segment configuration to partition Consul agents into separate LAN gossip pools for network isolation within a single datacenter

Certification Benefits

Salary Impact

$135,000
Average Salary

Related Job Roles

Platform Engineer DevOps Engineer Network Engineer Site Reliability Engineer Infrastructure Engineer

Industry Recognition

The Consul Associate certification validates service networking skills for modern distributed architectures and is valued in organizations adopting service mesh and dynamic service discovery.

Scope

Included Topics

  • HashiCorp Consul Associate 002 exam objectives: Consul architecture including agents, servers, clients, datacenters, and consensus protocol; service discovery including service registration, DNS interface, HTTP API, and health checks; service mesh including sidecar proxies, intentions, and Connect; Consul KV store for configuration management; ACL system including tokens, policies, and roles; agent configuration including server and client modes; service definitions and health check types; Consul DNS interface and prepared queries; multi-datacenter federation and WAN gossip.

Not Covered

  • Consul Enterprise features (namespaces, admin partitions, audit logging)
  • Envoy proxy internals and xDS protocol details
  • Custom Connect proxy development
  • Consul-Terraform-Sync (CTS) deep dives
  • Vault integration for Connect CA management
  • Kubernetes-specific Consul features (consul-k8s helm chart details)
  • Network infrastructure and BGP/OSPF routing

Official Exam Page

Learn more at HashiCorp

Visit

Ready to master HCA-002?

Adaptive learning that maps your knowledge and closes your gaps.

Subscribe to Access

Trademark Notice

HashiCorp®, Terraform®, Vault®, and Consul® are registered trademarks of HashiCorp, Inc. HashiCorp does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.