Introduction to Kong Gateway
A self-managed Kong Gateway is a version of the Kong API Gateway that you deploy and manage on your own infrastructure. It provides features for securing, managing, and scaling APIs but requires you to handle installation, configuration, and maintenance yourself, giving you full control over the gateway's environment and setup.
A plugin, in the context of Kong Gateway, is a module or add-on, typically written in Lua or Go, that extends the base functionality of the gateway. These plugins can be standard ones bundled with Kong Gateway or custom ones developed by the community. They are designed to be loaded and executed by the Kong Gateway application, allowing users to add new features or modify existing behavior.
Hybrid mode refers to a deployment configuration where Kong's control plane and data plane are separated. The control plane, responsible for configuration and management tasks, is isolated from the data plane, which handles the actual API traffic. This separation enhances both security and performance, as it allows for more flexible and scalable deployments.
The Kong Gateway application is a single lightweight binary that consists of modular components.
Kong is built on top of nginx, which serves as the underlying engine that handles routing and load balancing. Kong extends nginx's capabilities, making it a powerful tool for managing APIs and microservices.
OpenResty is a powerful framework that extends the nginx web server with additional programming capabilities through the Lua programming language.
Kong uses the OpenResty framework to extend nginx behaviour.
PostgreSQL is an advanced, open source relational database management system (RDBMS).
Kong uses PostgreSQL to manage and store data for its entities and configuration, whether in a single-instance deployment or in a clustered environment.
Authentication
Security
Traffic Control
Transformations
Logging
A plugin is a modular piece of code tasked with intercepting, inspecting and manipulating HTTP requests and responses, written in languages such as Lua, Python, JavaScript or Go.
Kong Gateway comes with an internal RESTful Admin API that is used to configure and manage the gateway.
Adding/Updating new APIs or services
Adding/Configuring plugins
Managing consumers of the APIs
The Kong Admin API enables automation by letting you manage and configure the API gateway through scripts or code. This makes it possible to update configuration without manual intervention, streamlining the process of maintaining and scaling the API environment.
Self-managed: Organizations deploy Kong in their own environment and have full control over gateway configuration, scaling and security.
Managed with Konnect: The global control plane is hosted in the cloud by Kong, and organizations manage the individual gateway instances within their own network environment.
Each of these models has its pros and cons. The self-managed approach offers more flexibility and integration with existing systems but requires more resources and carries more management and maintenance overhead.
A deployment configuration that uses a relational database to store various configuration data. In this mode Kong Gateway functions as both the control plane and the data plane: it is responsible for managing and distributing configuration data and for proxying traffic.
Kong manager
Admin API
Declaratively using configuration files with decK
This mode is useful for simple setups that rely on Kong plugins needing a database, such as rate limiting with cluster strategies or OAuth2 for authentication.
This mode has downsides regarding security and performance: combining the control plane and data plane roles in each node can increase the risk of a security breach affecting the entire system.
Also, Kong Manager and the developer portal could impact the performance of the data plane.
Storing configuration in memory on the node itself, so there is no need for a database.
In DB-Less mode, Kong Gateway receives its configuration through a config.yaml file instead of relying on a database. This file can be in YAML or JSON format and uses Kong's declarative configuration syntax; Kong Gateway loads it into memory.
DB-Less mode is suitable for automation: in CI/CD scenarios you can store the configuration file in a Git repository.
This is not limited to Kong Gateway; it is also used by the Kong Ingress Controller in Kubernetes.
The Kubernetes API server interacts with Kong's config endpoint: whenever the Kubernetes environment changes, it updates the Kong configuration running in memory, ensuring the gateway is in sync with the Kubernetes state.
In DB-Less mode, the Admin API becomes read-only; you cannot use it to make changes to the configuration.
Some plugins that require database storage, like rate limiting in cluster mode, may not function correctly or may have limited functionality.
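Because the DB-Less configuration is a file that can live in a Git repository, it can be reviewed by a CI job before it is loaded. The following is an added example, not Kong's own tooling: it reads the JSON form of a declarative file and reports routes that no authentication plugin covers at global, service or route scope. It assumes routes are nested under their services; the function names and the sample configuration are constructed for illustration.

```python
import json

# Authentication plugins bundled with Kong; extend the set for your deployment.
AUTH_PLUGINS = {"key-auth", "basic-auth", "jwt", "oauth2", "hmac-auth", "ldap-auth"}

def has_auth(plugins):
    """True if any enabled plugin in the list is an authentication plugin."""
    return any(p.get("name") in AUTH_PLUGINS and p.get("enabled", True)
               for p in plugins or [])

def unauthenticated_routes(config):
    """Return 'service/route' names that no authentication plugin covers."""
    # A top-level plugin is global only when it is not scoped to an entity.
    global_plugins = [p for p in config.get("plugins", [])
                      if not any(k in p for k in ("service", "route", "consumer"))]
    if has_auth(global_plugins):
        return []
    findings = []
    for svc in config.get("services", []):
        svc_covered = has_auth(svc.get("plugins"))
        for route in svc.get("routes", []):
            if not (svc_covered or has_auth(route.get("plugins"))):
                findings.append(f"{svc.get('name')}/{route.get('name')}")
    return findings

# Constructed sample: JSON form of a declarative configuration file.
SAMPLE = json.loads("""
{
  "_format_version": "3.0",
  "services": [
    {"name": "orders", "url": "http://orders.internal:8080",
     "plugins": [{"name": "key-auth"}],
     "routes": [{"name": "orders-api", "paths": ["/orders"]}]},
    {"name": "reports", "url": "http://reports.internal:8080",
     "plugins": [{"name": "rate-limiting", "config": {"minute": 60}}],
     "routes": [
       {"name": "reports-api", "paths": ["/reports"], "plugins": [{"name": "jwt"}]},
       {"name": "reports-export", "paths": ["/reports/export"]},
       {"name": "reports-debug", "paths": ["/reports/debug"],
        "plugins": [{"name": "jwt", "enabled": false}]}
     ]}
  ]
}
""")

if __name__ == "__main__":
    for name in unauthenticated_routes(SAMPLE):
        print("no authentication plugin covers route:", name)
```

A route whose only authentication plugin is disabled is reported the same way as a route with none.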
In hybrid mode, Kong operates with control plane and data plane separation. This means that the configuration and management of the gateway are separated from traffic processing.
The control plane is the component where gateway configuration and management occur. It is responsible for administrative tasks such as defining routes, services, plugins, etc.
The control plane doesn't handle any actual API traffic; instead, it configures the data plane.
In Kong, you interact with it through the Kong Manager UI, the RESTful Admin API or a declarative configuration file.
The data plane is the component that proxies API requests and responses to the upstream APIs. It is where the API traffic is routed, transformed and processed based on the configuration set in the control plane.
In Kong, the data plane can execute the configured plugins, such as authentication, rate limiting or any custom plugins.
Instead of accessing the database contents directly, the data plane maintains a connection with the control plane to receive the latest configuration
Deployment flexibility: Users can deploy groups of data planes in different data centers or zones without needing a local cluster database for each data plane group
Increased reliability: The availability of the database doesn't affect the availability of the data planes; each data plane caches the latest configuration it received from the control plane on local disk storage
Traffic reduction: Reduce traffic to and from the database since only control plane nodes need a direct connection to the database
Increased security: If one of the data plane nodes is compromised, an attacker won't be able to affect other nodes in the Kong cluster
Ease of management: Admins only need to interact with control plane nodes to control and monitor the status of the entire kong cluster
Hybrid mode is beneficial in large distributed environments and in scenarios where strong separation of concerns and security is important.
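The role separation described above can be checked per node before deployment. The following is an added example, not part of Kong: it parses a node's kong.conf and reports settings that contradict its role, such as a data plane that still carries database access. The setting names (`role`, `database`, `cluster_control_plane`, `cluster_cert`, `cluster_cert_key`, `pg_*`) are kong.conf settings that do not appear on this page; the function names and sample files are constructed.

```python
def parse_kong_conf(text):
    """Parse 'key = value' lines of a kong.conf, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_hybrid_node(conf):
    """Return findings for one node's settings, judged against its role."""
    role = conf.get("role", "traditional")
    if role == "traditional":
        return ["role is traditional: node is both control plane and data plane"]
    findings = [f"{key} is not set"
                for key in ("cluster_cert", "cluster_cert_key") if not conf.get(key)]
    database = conf.get("database", "postgres")  # Kong's default is postgres
    if role == "data_plane":
        if database != "off":
            findings.append("data plane must run with database = off")
        if any(key.startswith("pg_") for key in conf):
            findings.append("PostgreSQL settings present on a data plane node")
        if not conf.get("cluster_control_plane"):
            findings.append("cluster_control_plane is not set")
    elif role == "control_plane" and database == "off":
        findings.append("control plane needs a database")
    return findings

# Constructed kong.conf fragments; hosts, paths and values are placeholders.
DP_OK = """
role = data_plane
database = off
cluster_control_plane = cp.example.internal:8005
cluster_cert = /etc/kong/cluster.crt
cluster_cert_key = /etc/kong/cluster.key
"""
DP_BAD = """
role = data_plane          # still carries database access
database = postgres
pg_password = example-only
cluster_cert = /etc/kong/cluster.crt
"""

if __name__ == "__main__":
    for name, text in (("DP_OK", DP_OK), ("DP_BAD", DP_BAD)):
        print(name, check_hybrid_node(parse_kong_conf(text)))
```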
The control plane is hosted on the Kong Konnect cloud, simplifying management and configuration
The data plane can be set up in various environments like AWS, Azure, GCP, on-premise, etc.
Client: Any individual or system that sends requests to the Kong gateway
Consumer: A specific entity that uses the services provided through the Kong gateway. It typically represents a user or an external application that interacts with the services registered in Kong
Route: A configuration object that specifies how requests are matched and forwarded to a service. It defines rules for routing client requests based on various criteria like URLs, HTTP methods or headers
Service: The endpoint to which Kong routes requests that match the associated routes. A service encapsulates the details of the backend server
Load balancer: Distributes incoming requests across multiple instances of a service
Upstream API: Refers to the target services or APIs that Kong gateway forwards client requests to. These are the ultimate destination of requests processed by Kong, typically representing internal microservices or external APIs
Open-Source Plugins: Extensions available in the community edition that can be used to enhance and customize the functionality of the gateway
Enterprise Plugins: More advanced plugins than the open-source plugins. They offer enhanced analytics, security and support for complex deployment architectures
Admin API: Allows admins to configure and administer the gateway. It provides endpoints to set up routes, consumers, plugins and other configurations
Manager: User interface for managing the kong gateway
Vitals: Real-time analytics and monitoring capabilities that track API performance, request and response times, etc.
Dev Portal: Centralized hub for developers to access, explore and test APIs
Kong Konnect offers more managed, easy-to-use services, such as Gateway Manager, which adds data planes and a control plane with a few clicks