HashiCorp · Consul-Associate
Validates knowledge of HashiCorp Consul for service networking, covering Consul architecture and deployment, service registration and discovery, health checking, service mesh with intentions and traffic management, and the key/value store for configuration management.
Questions
629
Duration
60 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
Use this Consul-Associate practice exam to prepare for HashiCorp Certified: Consul Associate with realistic questions, detailed explanations, and focused study modes. The practice bank includes 629 questions for HashiCorp Consul-Associate, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The HashiCorp Certified: Consul Associate (003) validates foundational knowledge and practical skills with HashiCorp Consul, an open-source service networking platform. The certification covers the full spectrum of Consul capabilities, including service discovery, health monitoring, service mesh with sidecar proxies, access control lists (ACLs), gossip and TLS encryption, and key/value store usage for configuration management. Candidates are expected to understand Consul's architecture across single and multi-datacenter deployments, as well as its deployment on both virtual machines and Kubernetes environments.
The exam tests against Consul version 1.15 and includes objectives spanning 10 domains with 35 specific objectives. It distinguishes between Consul Community Edition and Consul Enterprise features, ensuring certified professionals can identify the boundaries of open-source capabilities versus commercial offerings. The certification is valid for two years, with recertification available starting six months before expiration by passing the current 003 version of the exam.
The Consul Associate certification targets cloud engineers who specialize in security, development, networking, or operations. Typical candidates include site reliability engineers (SREs), solutions architects, DevOps engineers, and platform engineers who work with service networking infrastructure in production environments.
Candidates should have foundational familiarity with Consul concepts and basic hands-on experience. While professional production experience with Consul is the ideal preparation baseline, HashiCorp acknowledges that candidates who have practiced all exam objectives in a personal lab or demo environment may also be sufficiently prepared. The exam is not suited for complete beginners to networking or distributed systems.
There are no formal prerequisites or required prior certifications to sit for the Consul Associate exam. However, HashiCorp recommends that candidates possess practical knowledge of containerization, basic terminal and CLI skills, networking fundamentals (TCP/IP, DNS, load balancing), an understanding of access control lists (ACLs), and familiarity with the TLS certificate lifecycle including certificate issuance, rotation, and revocation.
Candidates benefit most from hands-on experience deploying and operating Consul in real environments, including configuring Consul agents, registering services, setting up intentions in the service mesh, and managing gossip and RPC encryption. Prior exposure to Kubernetes is also advantageous given the exam covers Consul deployment on Kubernetes clusters.
The Consul Associate (003) exam consists of approximately 57 questions to be completed within 60 minutes. Question types include true/false, multiple choice (single answer), and multiple answer (select all that apply) formats. The exam is delivered online through a proctored testing environment and can be taken remotely. The passing score is 70%, and the exam fee is $70.50 USD. Retake policies allow one free retake if the candidate does not pass on the first attempt.
The exam is computer-based and does not include hands-on or lab components — it is a knowledge assessment only. Upon passing, candidates receive a digital badge via Credly and a downloadable certificate. Certifications are valid for two years from the date of passing.
The Consul Associate certification is valued by organizations adopting service mesh architectures, microservices, and zero-trust networking on cloud-native and hybrid infrastructure. Certified professionals are well-positioned for roles such as platform engineer, cloud infrastructure engineer, site reliability engineer, DevOps engineer, and solutions architect at companies standardizing on HashiCorp's product stack. Consul expertise is particularly sought after in enterprises running large-scale Kubernetes or multi-cloud deployments where service discovery and secure east-west traffic management are critical.
HashiCorp certifications are recognized across the industry as a signal of practical tool knowledge, and the Consul Associate complements adjacent certifications such as the Terraform Associate and Vault Associate for professionals building a broad HashiCorp credential portfolio. While specific salary premiums for Consul alone are not independently published, DevOps and cloud infrastructure engineers with HashiCorp certifications and service mesh expertise typically command salaries in the $110,000–$160,000+ USD range in North American markets, reflecting strong demand for professionals who can design and operate secure, scalable service networking platforms.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 629 questions.
Preview — answers shown1. A platform team deploys Consul on Kubernetes and wants to reduce operational overhead by eliminating client agents on worker nodes while maintaining service mesh functionality. Which Consul architecture component should they use? (Select one!)
Explanation
Consul Dataplane is a lightweight process that replaces client agents on Kubernetes, reducing resource consumption and operational complexity while maintaining full service mesh capabilities. Dataplane communicates directly with Consul servers via gRPC for service discovery and configuration. Consul Connect Native requires application code changes to handle mTLS directly and still requires agents. Envoy sidecar proxies alone cannot replace the agent's role in service registration and health checking. Server agents should only run on dedicated control plane nodes, not every worker node, as this wastes resources.
2. An operations team needs to rotate the Consul gossip encryption key across a five-server cluster without downtime. Which sequence of commands correctly performs the rotation? (Select one!)
Explanation
Gossip key rotation requires a three-step process to maintain cluster communication throughout the change. First, consul keyring -install <new-key> adds the new key to all nodes while keeping the old key active, allowing nodes to decrypt messages with either key. Second, consul keyring -use <new-key> changes the primary encryption key cluster-wide so all new messages use the new key. Third, consul keyring -remove <old-key> removes the old key after confirming all nodes are using the new key. Skipping the install step would cause communication failures when the key switches. Removing the old key first would break gossip immediately. Restarting agents is not necessary and would cause unnecessary downtime.
3. A development team registers a service with a health check that has deregister_critical_service_after set to 90m. The service fails its health check and enters critical state. After 85 minutes, the service recovers and passes its health check. What happens to the service registration? (Select one!)
Explanation
The deregister_critical_service_after parameter only triggers automatic deregistration if the service remains in critical state continuously for the specified duration. When the service recovers and passes its health check before reaching 90 minutes, the timer is cancelled and the service remains registered. Deregistration only occurs if the critical state persists for the full duration. The timer does not reset on recovery. Passing a check does not trigger deregistration.
4. A security team implements service intentions for their microservices architecture. They create the following intentions: (1) web → api with Action = allow, (2) * → api with Action = deny, (3) web → * with Action = deny. When the web service attempts to connect to the api service, what happens? (Select one!)
Explanation
Consul evaluates intentions based on precedence levels calculated from source and destination specificity. The intention web → api (exact source, exact destination) has higher precedence than both * → api (wildcard source, exact destination) and web → * (exact source, wildcard destination). Consul uses a precedence system where exact matches on both source and destination have precedence level 9, which is the highest. The most specific matching intention is applied, and evaluation stops. Wildcard intentions only apply when no more specific intention exists.
5. A security team creates an ACL policy with the following rules: key_prefix config/ with policy write, and key secret/api with policy deny. A token with this policy attempts to write to the key secret/api/prod. What is the expected outcome? (Select one!)
Explanation
ACL policy rules differentiate between exact key matches and prefix matches. The rule key secret/api with policy deny applies only to that exact key path, not to keys underneath that path like secret/api/prod. To deny access to all keys under a path, the rule must use key_prefix secret/api with policy deny. Deny rules at the same specificity level take precedence, but this rule does not match secret/api/prod. Consul ACL policies have well-defined evaluation rules; missing rules default to the default_policy, not undefined behavior.
$17.99
One-time access to this exam