Consul has become the go-to solution for service discovery, health checking, and distributed key-value storage across dynamic infrastructure. But as your Consul clusters grow to manage hundreds of services and thousands of KV entries, a robust backup and recovery strategy becomes critical. A corrupted Consul state can take down your entire service mesh in seconds.

This guide compares three approaches to backing up and restoring Consul: the built-in consul snapshot command, consul-backinator (a feature-rich CLI utility), and consul-snapshot (a daemon-based tool with automated S3 shipping and health monitoring).

Why Consul Backup Matters

Consul stores critical infrastructure state including service registrations, health check results, KV configuration data, ACL policies, and prepared queries. If a Consul server node fails or data becomes corrupted, the loss of this state can cause cascading failures across your entire infrastructure.

Unlike traditional databases, Consul’s Raft-based consensus protocol means that a snapshot captures the complete cluster state at a point in time — making it ideal for disaster recovery, migration between data centers, and compliance archiving.

What Gets Backed Up

A proper Consul backup should include:

  • KV Store — all configuration data stored in the key-value store
  • ACL Policies and Tokens — access control rules and authentication tokens
  • Service Registrations — catalog of all registered services and their health status
  • Prepared Queries — DNS and HTTP query templates
  • Session Data — distributed lock and session information
  • Raft State — the complete consensus log for cluster recovery

Built-In Consul Snapshot

HashiCorp Consul includes a native snapshot command that leverages the Raft consensus protocol to capture a consistent point-in-time copy of the entire cluster state.

Taking a Snapshot

The built-in snapshot command connects to any Consul server leader and creates a binary snapshot file:

1
2
3
4
5
6
7
8

# Take a snapshot
consul snapshot save backup.snap

# With ACL token authentication
consul snapshot save -token="$(cat /etc/consul.d/bootstrap.token)" backup.snap

# Verify snapshot integrity
consul snapshot inspect backup.snap

The output provides metadata about the snapshot including the index number, number of entries, and creation timestamp:

1
2
3
4
5
6
7

{
  "ID": 42,
  "Size": 15728640,
  "Index": 12345,
  "Term": 5,
  "Version": 1
}

Restoring from a Snapshot

Restoring requires stopping all Consul servers and restarting with the snapshot:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Stop Consul on all server nodes
sudo systemctl stop consul

# Restore on the first server
consul snapshot restore -token="$(cat /etc/consul.d/bootstrap.token)" backup.snap

# Start the restored server
sudo systemctl start consul

# Start remaining servers — they will rejoin via Raft
sudo systemctl start consul

Automating with Cron

1
2

# /etc/cron.d/consul-backup
0 */6 * * * root consul snapshot save /var/backups/consul/consul-$(date +\%Y\%m\%d-\%H\%M).snap

consul-backinator

consul-backinator is an open-source CLI utility developed by myENA that extends Consul’s backup capabilities with support for ACLs, queries, and flexible output formats. It supports 222 stars on GitHub and is actively maintained.

Key Features

  • Backs up KV pairs, ACL policies/tokens, and prepared queries in a single operation
  • Supports JSON and gob (binary) output formats
  • Can restore individual components (just KV, just ACLs, etc.)
  • No need to stop Consul servers for backup or restore
  • Supports prefix-based filtering for partial backups

Installation and Configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# backinator.yml
consul:
  address: "http://127.0.0.1:8500"
  token: "your-acl-token"

backup:
  format: "json"
  output: "/var/backups/consul/"
  include:
    - kv
    - acls
    - queries

Running a Backup

1
2
3
4
5
6
7
8

# Full backup
consul-backinator backup --config backinator.yml

# Backup only KV data with a specific prefix
consul-backinator backup --config backinator.yml --prefix "app/config/"

# Restore from backup
consul-backinator restore --config backinator.yml --file /var/backups/consul/latest.json

Docker Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

version: "3.8"
services:
  consul-backinator:
    image: myena/consul-backinator:latest
    volumes:
      - ./backinator.yml:/etc/backinator/backinator.yml:ro
      - ./backups:/var/backups/consul
    environment:
      - CONSUL_HTTP_ADDR=http://consul-server:8500
      - CONSUL_HTTP_TOKEN=${CONSUL_TOKEN}
    command: backup --config /etc/backinator/backinator.yml

consul-snapshot

consul-snapshot takes a different approach — it runs as a long-lived daemon that automatically creates backups on a schedule and ships them to S3-compatible storage. With 116 GitHub stars, it’s designed for production environments where automated, reliable backups are essential.

Key Features

  • Runs as a daemon with configurable backup intervals
  • Automatically ships backups to Amazon S3 or compatible storage
  • Includes built-in backup health monitoring and alerting
  • Retains a configurable number of backup rotations
  • Supports encryption of backup files at rest

Configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

{
  "consul": {
    "address": "127.0.0.1:8500",
    "token": "your-acl-token"
  },
  "backup": {
    "interval": "6h",
    "retain": 30,
    "dest": "/var/backups/consul/"
  },
  "s3": {
    "bucket": "consul-backups-prod",
    "region": "us-east-1",
    "prefix": "daily/"
  },
  "monitoring": {
    "enabled": true,
    "threshold": "24h"
  }
}

Running as a Service

1
2
3
4
5
6
7
8

# Install as a systemd service
sudo cp consul-snapshot /usr/local/bin/
sudo cp consul-snapshot.service /etc/systemd/system/
sudo systemctl enable --now consul-snapshot

# Check status
sudo systemctl status consul-snapshot
sudo journalctl -u consul-snapshot -f

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

version: "3.8"
services:
  consul-snapshot:
    image: pshima/consul-snapshot:latest
    volumes:
      - ./config.json:/etc/consul-snapshot/config.json:ro
      - ./backups:/var/backups/consul
    environment:
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      - AWS_DEFAULT_REGION=us-east-1
    restart: unless-stopped

Feature Comparison

Featureconsul snapshotconsul-backinatorconsul-snapshot
KV backupYesYesYes
ACL backupYesYesYes
Query backupYesYesNo
Selective restoreNoYesNo
Automated schedulingNo (cron needed)No (cron needed)Built-in daemon
S3 integrationNoNoYes
Health monitoringNoNoYes
Partial backupNoPrefix filterNo
JSON outputNoYesNo
Zero-downtime backupNoYesYes
Docker imageOfficialCommunityCommunity
GitHub StarsN/A (built-in)222116

Choosing the Right Tool

Use built-in consul snapshot when:

  • You need the simplest, most reliable backup method
  • You’re running Consul 1.0+ and want native support
  • You can schedule backups via cron or your orchestration platform

Use consul-backinator when:

  • You need to selectively restore specific components (KV only, ACLs only)
  • You want JSON output for auditing and inspection
  • You need prefix-based partial backups for large KV stores

Use consul-snapshot when:

  • You need automated, scheduled backups without cron management
  • S3 or cloud storage integration is required
  • You want built-in backup health monitoring and alerting
  • Running in production where backup reliability is critical

Best Practices for Consul Backup

1. Test Restore Procedures Regularly

A backup is only as good as your ability to restore it. Schedule quarterly restore drills in a staging environment:

1
2
3
4

# Restore to a test cluster
consul snapshot restore -http-addr=http://test-consul:8500 backup.snap
# Verify all services are registered correctly
consul catalog services -http-addr=http://test-consul:8500

2. Encrypt Backup Files

Store backups in encrypted storage, especially when shipping to cloud providers:

1
2
3
4

# Encrypt before storing
gpg --symmetric --cipher-algo AES256 backup.snap
# Or use AWS S3 server-side encryption
aws s3 cp backup.snap s3://bucket/ --sse AES256

3. Monitor Backup Health

Set up monitoring to alert when backups are older than expected:

1
2
3
4
5
6

# Check last backup age
last_backup=$(ls -t /var/backups/consul/*.snap | head -1)
age=$(( ($(date +%s) - $(stat -c %Y "$last_backup")) / 3600 ))
if [ $age -gt 12 ]; then
  echo "WARNING: Last Consul backup is ${age}h old"
fi

4. Follow the 3-2-1 Rule

Maintain at least 3 copies of your Consul data, on 2 different media types, with 1 copy offsite. Combine local snapshots with S3 shipping and periodic cold storage exports.

Why Self-Host Consul Backup Infrastructure?

Managing your own Consul backup infrastructure ensures complete control over your service discovery data — a critical dependency for microservices architectures. Self-hosted backup solutions eliminate vendor lock-in, allow integration with existing monitoring and alerting systems, and ensure compliance with data sovereignty requirements.

When Consul manages service registrations for hundreds of microservices, a backup failure can mean minutes of downtime while services are manually re-registered. Automated backup tools like consul-backinator and consul-snapshot reduce this risk to near zero by ensuring point-in-time recovery capabilities are always available.

For teams running multiple Consul data centers, having a standardized backup process across all environments simplifies disaster recovery runbooks and reduces the cognitive load during incident response. Combined with Consul’s native ACL system, you can ensure that only authorized operators can trigger restores, preventing accidental data overwrites.

For related reading on service discovery architectures, see our etcd vs Consul vs ZooKeeper comparison and distributed locking guide.

FAQ

What is the difference between consul snapshot and consul-backinator?

consul snapshot is the native backup command built into Consul that creates binary snapshots of the entire cluster state. consul-backinator is a third-party CLI tool that offers additional features like selective component backup (KV only, ACLs only), JSON output format, and prefix-based filtering for partial backups.

How often should I back up Consul?

For production environments, back up Consul every 6 hours at minimum. For high-traffic clusters with frequent KV changes, consider hourly backups. The consul-snapshot daemon makes this easy by running continuously on a configurable schedule.

Can I restore a Consul snapshot to a different cluster?

Yes, but be aware that the restored cluster will have the same cluster ID as the original. If you need to merge data into an existing cluster, use consul-backinator for selective component restoration instead of a full snapshot restore.

Does consul-backinator support S3 storage?

consul-backinator itself does not include S3 integration — it writes to local filesystem paths. For S3 support, use consul-snapshot which has built-in S3 shipping, or combine consul-backinator with a separate S3 sync tool like rclone.

How do I verify a Consul backup is valid?

Use consul snapshot inspect backup.snap to check the snapshot metadata including index number and creation timestamp. For consul-backinator JSON backups, you can inspect the JSON file directly. The most reliable verification is a test restore to a staging cluster.

Can I back up Consul without stopping the servers?

consul-backinator and consul-snapshot support zero-downtime backups by using Consul’s HTTP API to extract data without interrupting service. The built-in consul snapshot command also works on live clusters but briefly pauses writes during the snapshot operation.