Networking in Konnect

Konnect deployments run in managed or Hybrid Mode, which means that a separate Control Plane is attached to a Data Plane consisting of one or more Data Plane nodes. Konnect Control Planes and Data Plane nodes rely on specific ports and hostnames for secure communication and configuration. The following tables detail the required ports for cluster communication and audit logging, and the hostnames for connecting to regional Control Plane and telemetry endpoints.

Control plane ports

The Konnect Control Plane uses the following ports:

  • 443/TCP (HTTPS): Cluster communication port for configuration and telemetry data. The Konnect Control Plane uses this port to listen for connections and to communicate with Data Plane nodes. The cluster communication port must be accessible to Data Plane nodes within the same cluster. This port is protected by mTLS to ensure end-to-end security and integrity.
  • 8071/TCP and UDP: Port used for audit logging.

Kong Gateway’s hosted Control Plane expects traffic on these ports, so they can’t be customized.

Note: If you can’t make outbound connections using port 443, you can use an existing proxy in your network to make the connection. See Use a forward proxy to secure communication across a firewall for details.

Data plane node ports

The proxy ports are the only ports that should be made available to your clients. Upstream services are accessible via the proxy interface and ports, so make sure that these values only grant the access level you require.

Your firewall will need rules added for any HTTP/HTTPS and TCP/TLS stream listeners that you configure. For example, if you want Kong Gateway to manage traffic on port 4242, your firewall must allow inbound traffic on that port in addition to the proxy ports below.

The following are the default proxy ports:

  • 8000 (HTTP, kong.conf setting proxy_listen): Takes incoming HTTP traffic from Consumers and forwards it to upstream services.
  • 8443 (HTTPS, kong.conf setting proxy_listen): Takes incoming HTTPS traffic from Consumers and forwards it to upstream services.

You can also proxy TCP/TLS streams; stream proxying is disabled by default. If you want to proxy this traffic, see stream_listen in the Kong configuration reference for the stream proxy listen options and how to enable it.

Hostnames

The following geographic regions and their hostname region identifiers are supported:

  • AU (Australia): au
  • EU (Europe): eu
  • ME (Middle East): me
  • IN (India): in
  • US (United States): us

Depending on the regions your organization uses, you'll need to allowlist the following hostnames, substituting your own values for the uppercase placeholders: the region identifier in place of REGION, and your organization's Dev Portal ID and Control Plane DNS prefix in place of PORTAL_ID and CONTROL_PLANE_DNS_PREFIX:

  • cloud.konghq.com: The Konnect platform.
  • global.api.konghq.com: The Konnect API for platform authentication, identity, permissions, teams, and organizational entitlements and settings.
  • REGION.api.konghq.com: The Konnect API for the geo. Necessary if you use decK in your workflow; decK uses this API to read and apply configuration.
  • PORTAL_ID.REGION.kongportals.com: The URL for the Dev Portal in the geo.
  • CONTROL_PLANE_DNS_PREFIX.REGION.cp0.konghq.com: Handles configuration for a Control Plane in the geo. Data Plane nodes connect to this host to receive configuration updates. This hostname is unique to each organization and Control Plane.
  • CONTROL_PLANE_DNS_PREFIX.REGION.tp0.konghq.com: Gathers telemetry data for a Control Plane in the geo. This hostname is unique to each organization and Control Plane.
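The proxy ports above and the cp0/tp0 hostnames come together in a Data Plane node's kong.conf, and a wrong region, a non-443 port, or a telemetry endpoint copied from a different Control Plane is a common reason a node never connects. The following is an added example, not code from Kong or from this page: a small checker that parses a `key = value` kong.conf and compares its networking settings against the ports and hostname patterns documented here. The sample configuration and the DNS prefix `a1b2c3d4e5` are constructed placeholders, and the checker assumes the usual Konnect Data Plane settings (role, cluster_mtls, cluster_control_plane, cluster_telemetry_endpoint, the matching server_name settings, proxy_listen and stream_listen).

```python
import re

# Region identifiers supported by Konnect, as listed on this page.
REGIONS = {"au", "eu", "me", "in", "us"}
# Default proxy ports from this page; anything else in proxy_listen is reported
# so that the firewall rule for it is opened deliberately.
DEFAULT_PROXY_PORTS = {8000, 8443}

# Constructed sample Data Plane kong.conf (placeholder prefix, not a real deployment).
SAMPLE_CONF = """
role = data_plane
konnect_mode = on
cluster_mtls = pki
cluster_control_plane = a1b2c3d4e5.us.cp0.konghq.com:443
cluster_server_name = a1b2c3d4e5.us.cp0.konghq.com
cluster_telemetry_endpoint = a1b2c3d4e5.us.tp0.konghq.com:443
cluster_telemetry_server_name = a1b2c3d4e5.us.tp0.konghq.com
cluster_cert = /etc/kong/cluster.crt
cluster_cert_key = /etc/kong/cluster.key
lua_ssl_trusted_certificate = system
proxy_listen = 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384
# stream_listen = 0.0.0.0:4242
"""

# <prefix>.<region>.<cp0|tp0>.konghq.com:<port>, the shape of the cluster hostnames above.
ENDPOINT_RE = re.compile(
    r"^(?P<prefix>[a-z0-9-]+)\.(?P<region>[a-z]+)\.(?P<svc>cp0|tp0)\.konghq\.com:(?P<port>\d+)$"
)


def parse_kong_conf(text):
    """Parse `key = value` lines; '#' starts a comment, blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def listen_ports(value):
    """Return the port numbers bound by a proxy_listen/stream_listen value such as
    '0.0.0.0:8000 reuseport, [::]:8443 ssl'. 'off' or an empty value yields no ports."""
    ports = set()
    for entry in value.split(","):
        tokens = entry.split()
        match = re.search(r":(\d+)$", tokens[0]) if tokens else None
        if match:
            ports.add(int(match.group(1)))
    return ports


def check_data_plane_conf(text):
    """Return a list of findings; an empty list means the networking settings agree
    with the hostnames and ports documented for Konnect."""
    s = parse_kong_conf(text)
    findings = []
    if s.get("role") != "data_plane":
        findings.append("role must be data_plane for a Konnect Data Plane node")
    if s.get("cluster_mtls") != "pki":
        findings.append("cluster_mtls should be pki; the cluster port is protected by certificate-based mTLS")
    parsed = {}
    for key, svc in (("cluster_control_plane", "cp0"), ("cluster_telemetry_endpoint", "tp0")):
        value = s.get(key, "")
        m = ENDPOINT_RE.match(value)
        if not m:
            findings.append(f"{key}={value!r} is not <prefix>.<region>.{svc}.konghq.com:<port>")
            continue
        if m["svc"] != svc:
            findings.append(f"{key} must point at the {svc} host, not {m['svc']}")
        if m["region"] not in REGIONS:
            findings.append(f"{key}: unknown region {m['region']!r}")
        if m["port"] != "443":
            findings.append(f"{key}: Konnect only accepts cluster traffic on 443, got {m['port']}")
        parsed[key] = m
    cp, tp = parsed.get("cluster_control_plane"), parsed.get("cluster_telemetry_endpoint")
    if cp and tp and (cp["prefix"], cp["region"]) != (tp["prefix"], tp["region"]):
        findings.append("control plane and telemetry endpoints belong to different Control Planes or regions")
    # The TLS server name is expected to be the endpoint host; a mismatch is almost always a copy-paste slip.
    for ep_key, sni_key in (("cluster_control_plane", "cluster_server_name"),
                            ("cluster_telemetry_endpoint", "cluster_telemetry_server_name")):
        host = s.get(ep_key, "").rsplit(":", 1)[0]
        if sni_key in s and s[sni_key] != host:
            findings.append(f"{sni_key}={s[sni_key]!r} does not match {ep_key} host {host!r}")
    extra = listen_ports(s.get("proxy_listen", "")) - DEFAULT_PROXY_PORTS
    if extra:
        findings.append(f"proxy_listen binds non-default ports {sorted(extra)}; open them on the firewall deliberately")
    for port in sorted(listen_ports(s.get("stream_listen", ""))):
        findings.append(f"stream_listen binds port {port}; add a firewall rule for it")
    return findings


if __name__ == "__main__":
    for finding in check_data_plane_conf(SAMPLE_CONF) or ["ok: networking settings match the documented endpoints"]:
        print(finding)
```

Run it against the real kong.conf of a node before opening firewall tickets; the findings list is meant to be empty, and each entry names the setting that needs changing. The checker does not verify reachability, which is a separate step (DNS resolution and a TLS handshake with the cluster certificate against port 443).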

Important: Visit https://ip-addresses.origin.konghq.com/ip-addresses.json for a full list of regional and service ingress IPs. The ingressIPs section contains a list of all ingress IPs per geo and consolidated IPs per service. To avoid coupling firewall rules to specific services or DNS suffixes (such as cp0, tp0), we recommend allowlisting the values in the ingressIPs block for each region. This ensures your setup is more resilient to future infrastructure or DNS changes. You can also subscribe to https://ip-addresses.origin.konghq.com/rss for updates.
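Allowlisting by ingress IP rather than by hostname, as the note above recommends, means the egress rules have to be regenerated whenever the published list changes. The following is an added example, not Kong's own code: it turns an ingressIPs block into per-port egress rules for the regions you use, normalises every entry with the ipaddress module so a malformed address fails instead of quietly widening a rule, and diffs a fresh list against the one currently applied so that changes can be reviewed before they reach the firewall. The JSON layout below (an `ingressIPs` object keyed by region, each a list of IPs or CIDRs) is an assumption about the published file's shape, and the addresses are constructed documentation ranges (RFC 5737), not Kong's.

```python
import ipaddress
import json

# Constructed sample in the shape this example assumes for ip-addresses.json.
# The addresses are RFC 5737 documentation ranges, not Konnect ingress IPs.
SAMPLE_IP_JSON = json.dumps({
    "ingressIPs": {
        "us": ["203.0.113.10", "203.0.113.11"],
        "eu": ["198.51.100.0/28"],
        "au": ["192.0.2.5"],
    }
})

# Cluster communication port from this page: 443/TCP, protected by mTLS.
CLUSTER_PORTS = (("tcp", 443),)


def _network_key(net):
    # Sort IPv4 before IPv6, then by address and prefix length.
    return (net.version, int(net.network_address), net.prefixlen)


def egress_rules(ip_json_text, regions, ports=CLUSTER_PORTS):
    """Build (cidr, proto, port) egress rules for the ingress IPs of the given regions.
    A bare IP becomes a /32 (or /128); an unknown region or a malformed entry raises."""
    ingress = json.loads(ip_json_text)["ingressIPs"]
    unknown = [r for r in regions if r not in ingress]
    if unknown:
        raise ValueError(f"no ingress IPs published for region(s): {unknown}")
    nets = set()
    for region in regions:
        for entry in ingress[region]:
            nets.add(ipaddress.ip_network(entry, strict=False))
    return [(str(net), proto, port)
            for net in sorted(nets, key=_network_key)
            for proto, port in ports]


def render_iptables(rules):
    """Render rules as iptables OUTPUT lines (ip6tables for IPv6 networks)."""
    lines = []
    for cidr, proto, port in rules:
        tool = "ip6tables" if ipaddress.ip_network(cidr).version == 6 else "iptables"
        lines.append(f"{tool} -A OUTPUT -p {proto} -d {cidr} --dport {port} -j ACCEPT")
    return lines


def diff_allowlist(old_cidrs, new_cidrs):
    """Compare the currently applied allowlist with a freshly fetched one and return
    (added, removed). Both sides are normalised so '203.0.113.10' and
    '203.0.113.10/32' compare equal."""
    def norm(cidrs):
        return {str(ipaddress.ip_network(c, strict=False)) for c in cidrs}
    old, new = norm(old_cidrs), norm(new_cidrs)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    rules = egress_rules(SAMPLE_IP_JSON, ["us", "eu"])
    print("\n".join(render_iptables(rules)))
    # Pretend only one address was applied earlier and see what a refresh would change.
    added, removed = diff_allowlist(["203.0.113.10"], [cidr for cidr, _, _ in rules])
    print("added:", added, "removed:", removed)
```

In practice the input is the downloaded ip-addresses.json and the old list is whatever the last run committed; feeding the two into diff_allowlist turns an RSS notification into a concrete, reviewable rule change rather than a blind re-apply.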

Mesh Manager hostnames

If you use Mesh Manager to manage your Kong service mesh, you must add the {geo}.mesh.sync.konghq.com:443 hostname to your firewall allowlist. The geo can be au, eu, us, or global.
