Introduction to Kong Gateway


Last updated 1 year ago

A self-managed Kong Gateway is a version of the Kong API Gateway that you deploy and manage on your own infrastructure. It provides features for securing, managing, and scaling APIs but requires you to handle installation, configuration, and maintenance yourself, giving you full control over the gateway's environment and setup.

A plugin, in the context of Kong Gateway, is a module or add-on, typically written in Lua or Go, that extends the base functionality of the gateway. These plugins can be standard ones bundled with Kong Gateway or custom ones developed by the community. They are designed to be loaded and executed by the Kong Gateway application, allowing users to add new features or modify existing behavior.

Hybrid mode refers to a deployment configuration where Kong's control plane and data plane are separated. The control plane, responsible for configuration and management tasks, is isolated from the data plane, which handles the actual API traffic. This separation enhances both security and performance, as it allows for more flexible and scalable deployments.

The Kong API Platform

What is the Kong Gateway?

Kong Gateway Application Architecture

The Kong Gateway application is a single lightweight binary made up of modular components.

Nginx

Kong is built on top of Nginx, which serves as the underlying engine handling routing and load balancing; Kong extends Nginx's capabilities, making it a powerful tool for managing APIs and microservices.

OpenResty

OpenResty is a powerful framework that extends the Nginx web server with additional programming capabilities through the Lua programming language.

Kong uses the OpenResty framework to extend Nginx's behaviour.

Kong Clustering and Datastore

PostgreSQL is an advanced, open source relational database management system (RDBMS).

Kong uses PostgreSQL to manage and store data for its various entities and configuration, whether in a single-instance deployment or in a clustered environment.

Plugins

A plugin allows you to easily add new features to your API, such as:

  • Authentication

  • Security

  • Traffic Control

  • Transformations

  • Logging

It is a modular piece of code tasked with intercepting, inspecting and manipulating HTTP requests and responses, written in languages such as Lua, Python, JavaScript or Go.

RESTful Administration API

Kong Gateway comes with an internal RESTful Admin API that is used to configure and manage the gateway.

The Admin API can be used to perform a range of actions:

  • Adding/updating APIs or services

  • Adding/configuring plugins

  • Managing consumers of the APIs

The Kong Admin API enables automation by letting you manage and configure the gateway through scripts or code, so configuration can be updated without manual intervention, which streamlines maintaining and scaling the API environment.
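An added example of driving the Admin API from a script (not Kong's own code, nor from this page's author): it registers a service, attaches a route and enables the key-auth plugin on it, in that order. It assumes the Admin API listens on Kong's default admin_listen address 127.0.0.1:8001; the service name and upstream URL are constructed sample values.

```python
import json
import urllib.error
import urllib.request

# Assumption: the Admin API is bound to loopback only (Kong's default admin_listen).
ADMIN_URL = "http://127.0.0.1:8001"


def plan_service(name, upstream_url, path):
    """Ordered Admin API calls creating service -> route -> plugin.

    Kept separate from the network code so the plan can be reviewed
    (or diffed in CI) before anything is changed on the gateway.
    """
    return [
        ("POST", "/services", {"name": name, "url": upstream_url}),
        ("POST", f"/services/{name}/routes",
         {"name": f"{name}-route", "paths": [path]}),
        ("POST", f"/services/{name}/plugins", {"name": "key-auth"}),
    ]


def admin_call(method, path, payload, base_url=ADMIN_URL):
    """Send one JSON request to the Admin API; raise on a non-2xx reply."""
    req = urllib.request.Request(
        base_url + path, method=method,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        raise RuntimeError(f"{method} {path} -> {err.code}: {body}") from err


def apply_plan(calls, base_url=ADMIN_URL):
    """Execute the planned calls in order; returns (status, entity) per call."""
    return [admin_call(m, p, body, base_url) for m, p, body in calls]


if __name__ == "__main__":
    plan = plan_service("orders-api", "http://orders.internal:8080", "/orders")
    for status, entity in apply_plan(plan):
        print(status, entity.get("id"))
```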

Kong Installation Options

Kong Gateway Deployment Modes

There are two modes in which Kong can be deployed:

  • Self-managed: Organizations deploy Kong in their own environment and have full control over gateway configuration, scaling and security.

  • Managed with Konnect: The global control plane is hosted in the cloud by Kong, and organizations manage the individual gateway instances within their own network environment.

Each of these models has its pros and cons: the self-managed approach offers more flexibility and integration with existing systems, but requires more resources and more management and maintenance overhead.

Pricing Packages

Kong Gateway Deployment Options

Traditional Mode

A deployment configuration that uses a relational database to store configuration data. In this mode the Kong Gateway functions as both control plane and data plane: it is responsible for managing and distributing configuration data as well as for proxying traffic.

Configuration in this mode can be done with:

  • Kong Manager

  • Admin API

  • Declaratively, using configuration files with decK

This mode is useful for simple setups that rely on Kong plugins needing a database, such as rate limiting with the cluster strategy or OAuth2 for authentication.

This mode has downsides regarding security and performance: because each node combines the control plane and data plane roles, a security breach of one node carries a higher risk of affecting the entire system.

Also, Kong Manager and the Developer Portal can impact the performance of the data plane.

DB-Less Mode

Configuration is stored in memory on the node itself, so there is no need for a database.

In DB-less mode, Kong Gateway receives its configuration from a config.yaml file instead of relying on a database. This file can be in YAML or JSON format and uses Kong's declarative configuration syntax; Kong Gateway loads it into memory.

DB-less mode is suitable for automation: in CI/CD scenarios you can store the configuration file in a Git repository.

This is not limited to Kong Gateway; it is also used by the Kong Ingress Controller in Kubernetes.

The Kubernetes API server interacts with Kong's config endpoint: whenever the Kubernetes environment changes, the Kong configuration held in memory is updated, keeping the gateway in sync with the Kubernetes state.

In DB-less mode the Admin API becomes read-only; you cannot use it to make changes to the configuration.

Some plugins that require database storage, like rate limiting in cluster mode, may not function correctly or may have limited functionality.
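An added example, not Kong's tooling or this page's code, covering the DB-less section and the components listed later on this page (service, route, plugin, consumer): it builds a declarative configuration in Kong's format and checks it for the database-dependent settings noted above before the file is committed to a Git repository. The upstream host and API key are constructed sample values; the checks cover only the plugins this page names.

```python
import json

# Plugins the page notes as needing a database (not usable in DB-less mode).
DB_ONLY_PLUGINS = {"oauth2"}
# Plugins whose "policy" setting may select the database-backed counter.
POLICY_PLUGINS = {"rate-limiting", "response-ratelimiting"}


def build_config(policy="local"):
    """Declarative config: service -> route -> plugins, plus one consumer.
    Upstream host and API key are constructed sample values."""
    return {
        "_format_version": "3.0",
        "services": [{
            "name": "orders-api",
            "url": "http://orders.internal:8080",
            "routes": [{"name": "orders-route", "paths": ["/orders"]}],
            "plugins": [
                {"name": "key-auth"},
                {"name": "rate-limiting",
                 "config": {"minute": 60, "policy": policy}},
            ],
        }],
        "consumers": [{
            "username": "billing-service",
            "keyauth_credentials": [{"key": "sample-key-replace-me"}],
        }],
    }


def dbless_findings(config):
    """Flag settings that need a database; an empty list means DB-less safe."""
    findings = []
    scopes = [config.get("plugins", [])]              # global plugins
    for svc in config.get("services", []):
        scopes.append(svc.get("plugins", []))         # service-level plugins
        for route in svc.get("routes", []):
            scopes.append(route.get("plugins", []))   # route-level plugins
    for plugins in scopes:
        for plugin in plugins:
            name = plugin.get("name")
            policy = plugin.get("config", {}).get("policy")
            if name in DB_ONLY_PLUGINS:
                findings.append(f"{name}: needs a database, unavailable in DB-less mode")
            elif name in POLICY_PLUGINS and policy == "cluster":
                findings.append(f"{name}: policy=cluster needs the database; use local or redis")
    return findings


def render(config):
    """JSON is valid YAML, so the output can be saved directly as kong.yml."""
    return json.dumps(config, indent=2)
```

Save the rendered output as the file named by declarative_config in kong.conf (with database = off); kong config parse kong.yml validates the syntax on the node.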

Hybrid Mode

In hybrid mode, Kong operates with control plane and data plane separation: the configuration and management of the gateway are separated from traffic processing.

The control plane is the component where gateway configuration and management occur; it is responsible for administrative tasks such as defining routes, services, plugins, etc.

The control plane doesn't handle any actual API traffic; instead, it configures the data plane.

In Kong, the control plane can be interacted with through the Kong Manager UI, the RESTful Admin API or a declarative configuration file.

The data plane is the component that proxies API requests and responses to the upstream APIs; it is where API traffic is routed, transformed and processed based on the configuration set in the control plane.

In Kong, the data plane executes the configured plugins, such as authentication, rate limiting or any custom plugins.

Instead of accessing the database directly, the data plane maintains a connection to the control plane to receive the latest configuration.

Benefits of using hybrid mode:

  • Deployment flexibility: Users can deploy groups of data planes in different data centers or zones without needing a local cluster database for each data plane group.

  • Increased reliability: The availability of the database doesn't affect the availability of the data planes; each data plane caches the latest configuration it received from the control plane on local disk storage.

  • Traffic reduction: Reduces traffic to and from the database, since only control plane nodes need a direct connection to it.

  • Increased security: If one of the data plane nodes is compromised, an attacker won't be able to affect other nodes in the Kong cluster.

  • Ease of management: Admins only need to interact with control plane nodes to control and monitor the status of the entire Kong cluster.

Hybrid mode is beneficial in large distributed environments and in scenarios where strong separation of concerns and security are important.

Hybrid Mode in Konnect

The control plane is hosted in the Kong Konnect cloud, simplifying management and configuration.

The data plane can be set up in various environments like AWS, Azure, GCP, on-premises, etc.

Kong Gateway Request Flow

Kong Gateway Components

Client: Any individual or system that sends requests to the Kong Gateway.

Consumer: A specific entity that uses the services provided through the Kong Gateway; it typically represents a user or an external application that interacts with the services registered in Kong.

Route: A configuration object that specifies how requests are matched and forwarded to a service; it defines rules for routing client requests based on various criteria like URLs, HTTP methods or headers.

Service: The endpoint to which Kong routes requests that match the associated routes; a service encapsulates the details of the backend server.

Load balancer: Distributes incoming requests across multiple instances of a service.

Upstream API: The target services or APIs that Kong Gateway forwards client requests to; these are the ultimate destination of requests processed by Kong, typically internal microservices or external APIs.

Open-Source Plugins: Extensions available in the community edition that can be used to enhance and customize the functionality of the gateway.

Enterprise Plugins: More advanced than the open-source plugins; they offer enhanced analytics, security and support for complex deployment architectures.

Admin API: Allows admins to configure and administer the gateway; it provides endpoints to set up routes, consumers, plugins and other configuration.

Manager: User interface for managing the Kong Gateway.

Vitals: Real-time analytics and monitoring capabilities; tracks API performance, request and response times, etc.

Dev Portal: Centralized hub for developers to access, explore and test APIs.

Kong Konnect has more managed, easy-to-use services, like Gateway Manager, which adds data planes and a control plane with a few clicks.
