Skip to content
Kong Gateway 2.8 Increases Security and Simplifies API Management.  —Learn More →
|
search
Kong Mesh
1.7.x (latest)

Kong Mesh

A modern control plane built on top of Envoy and focused on simplicity, security, and scalability

Demo: To see Kong Mesh in action, you can request a demo and we will get in touch with you.

Welcome to the official documentation for Kong Mesh!

Kong Mesh is an enterprise-grade service mesh that runs on both Kubernetes and VMs on any cloud. Built on top of CNCF’s Kuma and Envoy and focused on simplicity, Kong Mesh enables the microservices transformation with:

  • Out-of-the-box service connectivity and discovery
  • Zero-trust security
  • Traffic reliability
  • Global observability across all traffic, including cross-cluster deployments

Kong Mesh extends Kuma and Envoy with enterprise features and support, while providing native integration with Kong Gateway for a full-stack connectivity platform for all of your services and APIs, across every cloud and environment.

Kuma itself was originally created by Kong and donated to CNCF to provide the first neutral Envoy-based service mesh to the industry. Kong still maintains and develops Kuma, which is the foundation for Kong Mesh.


Kong Mesh extends CNCF's Kuma and Envoy to provide an enterprise-grade service mesh with unique features in the service mesh landscape, while still relying on a neutral foundation.
Kuma Kuma Start Free Kong Mesh Kong Mesh Contact Sales
Core Service Mesh Capabilities
All Kuma Policies
All Traffic Management Policies
All Observability Policies
Multi-Zone & Multi-Cluster
Multi-Zone Security
Zero-Trust and mTLS
Built-in CA
Provided CA
Hashicorp Vault CA
AWS Certificate Manager CA
GUI Dashboard for TLS and CA
Data Plane Certificate Rotation
CA Automatic Rotation
Enterprise Application Security
FIPS-140 Encryption
Embedded OPA Agent
Native OPA Policy
Enterprise Security and Governance
Roles and permissions (RBAC)
Audit Logs
Universal Platform Distributions
Containers, Kubernetes & OpenShift
Kubernetes Operator
Virtual Machine Support
Virtual Machine Transparent Proxying
Native AWS ECS Controller
Windows Distributions
UBI Federal Distributions
Support and Customer Success
Enterprise Support and SLA
Customer Success Packages
Envoy Support


Kong Mesh provides a unique combination of strengths and features in the service mesh ecosystem, specifically designed for the enterprise architect, including:

  • Universal support for both Kubernetes and VM-based services.
  • Single and Multi Zone deployments to support multi-cloud and multi-cluster environments with global/remote control plane modes, automatic Ingress connectivity, and service discovery.
  • Multi-Mesh to create as many service meshes as we need, using one cluster with low operational costs.
  • Easy to install and use and turnkey, by abstracting away all the complexity of running a service mesh with easy-to-use policies for managing services and traffic.
  • Full-Stack Connectivity by natively integrating with Kong and Kong Gateway for end-to-end connectivity that goes from the API gateway to the service mesh.
  • Powered by Kuma and Envoy to provide a modern and reliable CNCF open source foundation for an enterprise service mesh.

When used in combination with Kong Gateway, Kong Mesh provides a full stack connectivity platform for all of our L4-L7 connectivity, for both edge and internal API traffic.


Two different applications - "Banking" and "Trading" - run in their own meshes "A" and "B" across different datacenters. In this example, Kong Gateway is being used both for edge communication and for internal communication between meshes.

Why Kong Mesh?

Organizations are transitioning to distributed software architectures to support and accelerate innovation, gain digital revenue, and reduce costs. A successful transition to microservices requires many pieces to fall into place: that services are connected reliably with minimal latency, that they are protected with end-to-end security, that they are discoverable and fully observable. However, this presents challenges due to the need to write custom code for security and identity, a lack of granular telemetry, and insufficient traffic management capabilities, especially as the number of services grows.

Leading organizations are looking to service meshes to address these challenges in a scalable and standardized way. With a service mesh, you can:

  • Ensure service connectivity, discovery, and traffic reliability: Apply out-of-box traffic management to intelligently route traffic across any platform and any cloud to meet expectations and SLAs.
  • Achieve Zero-Trust Security: Restrict access by default, encrypt all traffic, and only complete transactions when identity is verified.
  • Gain Global Traffic Observability: Gain a detailed understanding of your service behavior to increase application reliability and the efficiency of your teams.

Kong Mesh is the universal service mesh for enterprise organizations focused on simplicity and scalability with Kuma and Envoy. Kong’s service mesh is unique in that it allows you to:

  • Start, secure, and scale with ease:
    • Deploy a turnkey service mesh with a single command.
    • Group services by attributes to efficiently apply policies.
    • Manage multiple service meshes as tenants of a single control plane to provide scale and reduce operational costs.
  • Run anywhere:
    • Deploy the service mesh across any environment, including multi-cluster, multi-cloud, and multi-platform.
    • Manage service meshes natively in Kubernetes using CRDs, or start with a service mesh in a VM environment and migrate to Kubernetes at your own pace.
  • Connect services end-to-end:
    • Integrate into the Kong Gateway platform for full stack connectivity, including Ingress and Egress traffic for your service mesh.
    • Expose mesh services for internal or external consumption and manage the full lifecycle of APIs.

Thanks to the underlying Kuma runtime, with Kong Mesh, you can easily support multiple clusters, clouds, and architectures using the multi-zone capability that ships out of the box. This — combined with multi-mesh support — lets you create a service mesh powered by an Envoy proxy for the entire organization in just a few steps. You can do this for both simple and distributed deployments, including multi-cloud, multi-cluster, and hybrid Kubernetes/VMs:


Kong Mesh can support multiple zones (like a Kubernetes cluster, VPC, datacenter, etc.) together in the same distributed deployment. Then, you can create multiple isolated virtual meshes with the same control plane in order to support every team and application in the organization.


Learn more about the standalone and multi-zone deployment modes in the Kuma documentation.