diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2abf7660..381d97ef 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -162,10 +162,10 @@ workflows:
# We have a limit of 6 HCP Consul clusters.
# The following controls whether to enable HCP when testing release branches.
# HCP is always disabled for tests on PRs.
- - acceptance: {name: "acceptance-1.12-FARGATE-HCP", consul_version: '1.12.6', enable_hcp: true, launch_type: FARGATE, <<: *acceptance-common}
- - acceptance: {name: "acceptance-1.13-FARGATE", consul_version: '1.13.3', enable_hcp: false, launch_type: FARGATE, <<: *acceptance-common}
- - acceptance: {name: "acceptance-1.14-FARGATE-HCP", consul_version: '1.14.1', enable_hcp: true, launch_type: FARGATE, <<: *acceptance-common}
- - acceptance: {name: "acceptance-1.12-EC2", consul_version: '1.12.6', enable_hcp: false, launch_type: EC2, <<: *acceptance-common}
- - acceptance: {name: "acceptance-1.13-EC2-HCP", consul_version: '1.13.3', enable_hcp: true, launch_type: EC2, <<: *acceptance-common}
- - acceptance: {name: "acceptance-1.14-EC2", consul_version: '1.14.1', enable_hcp: false, launch_type: EC2, <<: *acceptance-common}
+ - acceptance: {name: "acceptance-1.15-FARGATE-HCP", consul_version: '1.15.1', enable_hcp: true, launch_type: FARGATE, <<: *acceptance-common}
+ - acceptance: {name: "acceptance-1.13-FARGATE", consul_version: '1.13.7', enable_hcp: false, launch_type: FARGATE, <<: *acceptance-common}
+ - acceptance: {name: "acceptance-1.14-FARGATE-HCP", consul_version: '1.14.5', enable_hcp: true, launch_type: FARGATE, <<: *acceptance-common}
+ - acceptance: {name: "acceptance-1.15-EC2", consul_version: '1.15.1', enable_hcp: false, launch_type: EC2, <<: *acceptance-common}
+ - acceptance: {name: "acceptance-1.13-EC2-HCP", consul_version: '1.13.7', enable_hcp: true, launch_type: EC2, <<: *acceptance-common}
+ - acceptance: {name: "acceptance-1.14-EC2", consul_version: '1.14.5', enable_hcp: false, launch_type: EC2, <<: *acceptance-common}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d1b366ac..aa444ea9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,8 @@
## Unreleased
FEATURES
+* modules/mesh-task and modules/gateway-task: Add support for Consul 1.15.x.
+ [[GH-159]](https://github.com/hashicorp/terraform-aws-consul-ecs/pull/159)
* modules/mesh-task: Add `envoy_public_listener_port` variable to set Envoy's public listener port.
* modules/acl-controller: Add `additional_execution_role_policies` variable to support attaching custom policies to the task's execution role.
* modules/mesh-task: Improve the logic behind the `defaulted_check_containers` local creation in order to prevent enabling health checks when
diff --git a/modules/gateway-task/main.tf b/modules/gateway-task/main.tf
index 9012cff0..81db1db4 100644
--- a/modules/gateway-task/main.tf
+++ b/modules/gateway-task/main.tf
@@ -202,7 +202,7 @@ resource "aws_ecs_task_definition" "this" {
},
]
healthCheck = {
- command = ["nc", "-z", "127.0.0.1", tostring(local.lan_port)]
+ command = ["/consul/consul-ecs", "net-dial", format("127.0.0.1:%d", local.lan_port)]
interval = 30
retries = 3
timeout = 5
diff --git a/modules/gateway-task/templates/consul_client_command.tpl b/modules/gateway-task/templates/consul_client_command.tpl
index 2bd2ad22..4abbaacb 100644
--- a/modules/gateway-task/templates/consul_client_command.tpl
+++ b/modules/gateway-task/templates/consul_client_command.tpl
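Review bot: The new health check command relies on `/consul/consul-ecs` being present inside the Envoy container and on that binary providing a `net-dial` subcommand, but nothing records the minimum `consul_ecs_image` version this introduces, so an older consul-ecs image paired with this command fails every health check at runtime instead of at plan time. A comment above the command such as `# Requires consul-ecs >= <minimum version with net-dial>; nc is not available in the distroless Envoy image` would make the coupling visible, and the `consul_ecs_image` variable description could state the same constraint. Dropping `nc` is presumably driven by the default Envoy image moving to the distroless variant elsewhere in this commit. The same command change appears in modules/mesh-task/main.tf; the enclosing `aws_ecs_task_definition` resource starts and ends outside the hunk.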
@@ -36,12 +36,16 @@ consul_login() {
}
read_token_stale() {
- consul acl token read -http-addr ${ consul_http_addr } \
+ # Attempt to read the token via the HTTP API. We don't use the `consul` CLI to read
+ # the token here because there is an issue in Consul 1.15.0 that causes the read to
+ # fail even for valid requests. The issue is fixed in Consul > 1.15.0 but in order
+ # to support 1.15.0 we use the HTTP API in all cases.
+ curl '${ consul_http_addr }/v1/acl/token/self?stale' \
+ -H "X-Consul-Token: \$(cat /consul/client-token)" \
%{ if https ~}
- -ca-file /consul/consul-https-ca-cert.pem \
+ --cacert /consul/consul-https-ca-cert.pem \
%{ endif ~}
- -stale -self -token-file /consul/client-token \
- > /dev/null
+ -sS -o /dev/null
}
# Retry in order to login successfully.
diff --git a/modules/gateway-task/variables.tf b/modules/gateway-task/variables.tf
index 61be6c7f..2b676b6a 100644
--- a/modules/gateway-task/variables.tf
+++ b/modules/gateway-task/variables.tf
@@ -97,7 +97,7 @@ variable "consul_ecs_image" {
variable "envoy_image" {
description = "Envoy Docker image."
type = string
- default = "envoyproxy/envoy-alpine:v1.21.4"
+ default = "envoyproxy/envoy-distroless:v1.23.1"
}
variable "log_configuration" {
diff --git a/modules/mesh-task/main.tf b/modules/mesh-task/main.tf
index dad45fbb..296a7bce 100644
--- a/modules/mesh-task/main.tf
+++ b/modules/mesh-task/main.tf
@@ -294,7 +294,7 @@ resource "aws_ecs_task_definition" "this" {
},
]
healthCheck = {
- command = ["nc", "-z", "127.0.0.1", tostring(var.envoy_public_listener_port)]
+ command = ["/consul/consul-ecs", "net-dial", format("127.0.0.1:%d", var.envoy_public_listener_port)]
interval = 30
retries = 3
timeout = 5
diff --git a/modules/mesh-task/templates/consul_client_command.tpl b/modules/mesh-task/templates/consul_client_command.tpl
index 2bd2ad22..4abbaacb 100644
--- a/modules/mesh-task/templates/consul_client_command.tpl
+++ b/modules/mesh-task/templates/consul_client_command.tpl
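Review bot: `read_token_stale` now reports success for any HTTP response, because curl without `--fail` exits 0 on 4xx/5xx, so a 403 from `/v1/acl/token/self` (e.g. while the token has not yet replicated) no longer fails the function the way a non-zero `consul acl token read` did, and the retry loop that presumably consumes its exit status would stop early; the last line should be `-sS --fail -o /dev/null`. The identical rewrite in modules/mesh-task/templates/consul_client_command.tpl needs the same fix. A secondary caveat: `-H "X-Consul-Token: \$(cat /consul/client-token)"` places the token in curl's argv, where it is readable from the container's process table, whereas the previous `-token-file` kept it off the command line; curl's `-H @file` form, given a file containing the full header line, avoids that if it is a concern. The retry logic that calls this function is outside the hunk.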
@@ -36,12 +36,16 @@ consul_login() {
}
read_token_stale() {
- consul acl token read -http-addr ${ consul_http_addr } \
+ # Attempt to read the token via the HTTP API. We don't use the `consul` CLI to read
+ # the token here because there is an issue in Consul 1.15.0 that causes the read to
+ # fail even for valid requests. The issue is fixed in Consul > 1.15.0 but in order
+ # to support 1.15.0 we use the HTTP API in all cases.
+ curl '${ consul_http_addr }/v1/acl/token/self?stale' \
+ -H "X-Consul-Token: \$(cat /consul/client-token)" \
%{ if https ~}
- -ca-file /consul/consul-https-ca-cert.pem \
+ --cacert /consul/consul-https-ca-cert.pem \
%{ endif ~}
- -stale -self -token-file /consul/client-token \
- > /dev/null
+ -sS -o /dev/null
}
# Retry in order to login successfully.
diff --git a/modules/mesh-task/variables.tf b/modules/mesh-task/variables.tf
index d7bed1d7..b4a4f5a0 100644
--- a/modules/mesh-task/variables.tf
+++ b/modules/mesh-task/variables.tf
@@ -151,7 +151,7 @@ variable "consul_ecs_image" {
variable "envoy_image" {
description = "Envoy Docker image."
type = string
- default = "envoyproxy/envoy-alpine:v1.21.4"
+ default = "envoyproxy/envoy-distroless:v1.23.1"
}
variable "envoy_public_listener_port" {