Overview
Kong Gateway can be deployed in four different modes:
- Konnect (hosted control plane)
- Hybrid
- Traditional (database)
- DB-less and declarative
Each mode has benefits and limitations, so it is important to consider them carefully when deciding which mode to use to install Kong Gateway in production.
The following sections briefly describe each mode.
Konnect
Konnect is the fastest way to get started when using Kong Gateway. It allows you to deploy your own data plane nodes (DP) to handle customer traffic without needing to deploy your own control plane (CP) or database.
Konnect is a hybrid mode deployment, where Kong hosts the control plane for you. This means that you get all of the benefits of a hybrid mode deployment without needing to run multiple control plane nodes yourself.
flowchart TD A(Dev Portal • Gateway Manager • Analytics • Service Catalog) B( Control plane \n #40;Kong Gateway instance#41;) B2( Control plane \n #40;Kong Gateway instance#41;) C( Data plane 3\n #40;Kong Gateway instance#41;) D( Data plane 1\n #40;Kong Gateway instance#41;) E( Data plane 2\n #40;Kong Gateway instance#41;) subgraph id1 [Konnect] A --- B & B2 end id1 --Kong proxy configuration---> id2 & id3 subgraph id2 [Kong-managed cloud node] C end subgraph id3 [Self-managed local and cloud nodes] D E end style id1 stroke-dasharray:3,rx:10,ry:10 style id2 stroke-dasharray:3,rx:10,ry:10 style id3 stroke-dasharray:3,rx:10,ry:10 style B stroke:none,fill:#0E44A2,color:#fff style B2 stroke:none,fill:#0E44A2,color:#fff
Figure 1: In Konnect, Kong hosts your control planes and all of the related applications: Dev Portal, Gateway Manager, Analytics, Service Catalog, and so on. You attach data planes to Konnect to process traffic, which get all of their configuration from the control planes.
Configuration changes can be made using the Konnect UI and configuration wizards, or applied in an automated way using decK.
As with self-managed hybrid mode, your data plane nodes will continue to process traffic even if the control plane is offline. In addition, you no longer need to worry about securing the control plane because Kong Gateway does it for you.
Finally, Konnect supports cloud-managed control planes and control plane groups, which allows you to segment your configuration in any way that you need. It could be by business unit, or environment. Achieving this using hybrid mode requires you to deploy one control plane per segment, while Konnect allows you to manage multiple configuration sets through the same UI and API.
Get started with Konnect for free today.
Hybrid mode
In hybrid mode, Kong Gateway nodes in a cluster are split into two roles: control plane (CP), where configuration is managed and the Admin API is served from, and data plane (DP), which serves traffic for the proxy. Many DP nodes are connected to a single CP node. Instead of accessing the database contents directly like in the traditional deployment method, the DP nodes maintain connection with CP nodes, and receive the latest configuration in real-time.
flowchart TD A[(Database)] B( Control plane \n #40;Kong Gateway instance#41;) C( Data plane 3\n #40;Kong Gateway instance#41;) D( Data plane 1\n #40;Kong Gateway instance#41;) E( Data plane 2\n #40;Kong Gateway instance#41;) subgraph id1 [Self-managed control plane node] A---B end B --Kong proxy configuration---> id2 & id3 subgraph id2 [Self-managed on-premise node] C end subgraph id3 [Self-managed cloud nodes] D E end style id1 stroke-dasharray:3,rx:10,ry:10 style id2 stroke-dasharray:3,rx:10,ry:10 style id3 stroke-dasharray:3,rx:10,ry:10 style B stroke:none,fill:#0E44A2,color:#fff
Figure 2: In self-managed hybrid mode, the control plane and data planes are hosted on different nodes. The control plane connects to the database, and the data planes receive configuration from the control plane.
Hybrid mode deployments have the following benefits:
- Users can deploy groups of data planes in different data centers, geographies, or zones without needing a local clustered database for each DP group.
- The availability of the database does not affect the availability of the data planes. If a control plane is offline, data planes will run using their last known configuration.
- Drastically reduces the amount of traffic to and from the database, since only CP nodes need a direct connection to the database.
- If one of the DP nodes is compromised, an attacker won’t be able to affect other nodes in the Kong Gateway cluster.
Traditional (database) mode
In traditional mode, Kong Gateway requires a database to store configured entities such as routes, services, and plugins. See supported databases.
flowchart TD A[(Database)] B( Kong Gateway instance) C( Kong Gateway instance) D( Kong Gateway instance) A <---> B & C & D style B stroke:none,fill:#0E44A2,color:#fff style C stroke:none,fill:#0E44A2,color:#fff style D stroke:none,fill:#0E44A2,color:#fff
Figure 3: In a traditional deployment, all Kong Gateway nodes connect to the database. Each node manages its own configuration.
Running Kong Gateway in traditional mode is the simplest way to get started with Kong, and it is the only deployment topology that supports plugins that require a database, like rate-limiting with the cluster strategy, or OAuth2. However, there are some downsides too.
When running in traditional mode, every Kong Gateway node runs as both a Control Plane (CP) and Data Plane (DP). This means that if any of your nodes are compromised, the entire running gateway configuration is compromised. In contrast, hybrid mode has distinct CP and DP nodes reducing the attack surface.
In addition, if you’re running Kong Gateway Enterprise with Kong Manager, request throughput may be reduced on nodes running Kong Manager due to expensive calculations being run to render analytics data and graphs.
You can use the Admin API or declarative configuration files (decK) to configure the Kong Gateway in traditional mode.
DB-less and declarative mode
You can enable DB-less mode to reduce complexity of and create more flexible deployment patterns. In this mode, configured entities such as routes, services and plugins are stored in-memory on the node.
flowchart TD A( Kong Gateway instance) B( Kong Gateway instance) C( Kong Gateway instance) A2(fa:fa-file kong1.yml) B2(fa:fa-file kong2.yml) C2(fa:fa-file kong3.yml) A2 --> A B2 --> B C2 --> C style A stroke:none,fill:#0E44A2,color:#fff style B stroke:none,fill:#0E44A2,color:#fff style C stroke:none,fill:#0E44A2,color:#fff
Figure 4: In DB-less mode, configuration is applied via YAML files. Kong Gateway nodes aren’t connected to a database, or to each other.
When running in DB-less mode, configuration is provided to Kong Gateway using a second file. This file contains your configuration in YAML or JSON format using Kong’s declarative configuration syntax.
DB-less mode is also used by the Kong Ingress Controller, where the Kubernetes API server uses Kong’s /config
endpoint to update the running configuration in memory any time a change is made.
The combination of DB-less mode and declarative configuration has a number of benefits:
- Reduced number of dependencies: no need to manage a database installation if the entire setup for your use-case fits in memory.
- Your configuration is always in a known state. There is no intermediate state between creating a service and a route using the Admin API.
- It is a good fit for automation in CI/CD scenarios. Configuration for entities can be kept in a single source of truth managed via a Git repository.
Here are a few limitations of this mode:
- The Admin API is read only.
- Any plugin that stores information in the database, like rate limiting (cluster mode), do not fully function.