diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml index bc3c329..577efde 100644 --- a/roles/consul/defaults/main.yml +++ b/roles/consul/defaults/main.yml @@ -77,8 +77,14 @@ consul_base_conf: prometheus_retention_time: 1h connect: + # Enable consul service mesh on servers enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}" + acl: + enabled: False + # The default_policy is also used for intentions in the service mesh + default_policy: deny + consul_extra_conf: {} consul_host_conf: {} consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}" diff --git a/roles/consul/templates/consul.hcl.j2 b/roles/consul/templates/consul.hcl.j2 index 4369660..e6688c0 100644 --- a/roles/consul/templates/consul.hcl.j2 +++ b/roles/consul/templates/consul.hcl.j2 @@ -71,3 +71,8 @@ connect { enabled = true } {% endif %} + +acl { + enabled = {{ consul_conf.acl.enabled | ternary('true', 'false') }} + default_policy = "{{ consul_conf.acl.default_policy }}" +}
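Review bot: With `acl.enabled: False` as the role default, the `default_policy: deny` added below it has no effect, so a host that takes these defaults runs Consul without ACL enforcement while `connect` is enabled on the servers. The added comment says the default policy also governs intentions; going by Consul's documented behaviour rather than anything in this hunk, that means the mesh permits service-to-service connections until ACLs are switched on. I would say so in the comment, e.g. `# ACLs are off by default: default_policy (and deny-by-default intentions) only take effect once enabled is true`, and write the boolean as `enabled: false`. The `consul_base_conf` mapping starts above the hunk, so any token settings already defined there are not visible here.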
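Review bot: In the new `acl` block of `consul.hcl.j2`, `consul_conf.acl.enabled | ternary('true', 'false')` tests Jinja truthiness, so a string override such as `'False'` or `'no'` arriving through `consul_extra_conf` or `consul_host_conf` renders `enabled = true`. Casting first avoids that: `enabled = {{ consul_conf.acl.enabled | bool | ternary('true', 'false') }}`. The block also renders no `tokens` stanza, so once ACLs are enabled with `default_policy = "deny"` the agents presumably need their tokens supplied some other way; the rest of the template is outside this hunk, so confirm that before turning ACLs on. `default_policy` is interpolated unchecked, and restricting it to `allow` or `deny` would catch a typo at render time.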