Capgemini
Solution for internal services
So the way it is at the moment as the haproxy template is very simplistic every service will be exposed to the outside as service-name.example.com via the elb using the port 80 both the elb and the haproxies. Could create another "haproxy fronted" bound to a different port (e.g 1234) so no accessible from the outside and populate the backends according to consul tags, then in the bastion put in place a solution for resolving your chosen “haproxy_internal_domain” to a given slave so your interal services would be available in the bastion VPN via “app.haproxy_internal_domain:1234”. Other possibilty would be to expose a given weave subnetwork to the bastion so all the internal services would be accesible via consul DNS as in your case like *.service.consul. We are pending on https://github.com/weaveworks/weave/issues/117#issuecomment-124075671 so we can be more granular at the time of creating weave subnets.
