Kong Mesh
2.0.x
You are browsing documentation for an outdated version. See the latest documentation here.

Protocol support in Kong Mesh

At its core, Kuma distinguishes between the following major categories of traffic: http, grpc, kafka and opaque tcp traffic.

For http, grpc and kafka traffic, Kong Mesh provides deep insights down to application-level transactions; for opaque tcp traffic, observability is limited to connection-level statistics.

So, as a user of Kong Mesh, you’re highly encouraged to give it a hint whether your service supports http, grpc, kafka or not.

By doing this,

  • you will get richer metrics with Traffic Metrics policy
  • you will get richer logs with Traffic Log policy
  • you will be able to use Traffic Trace policy
Kubernetes

On Kubernetes, to give Kong Mesh a hint that your service supports the HTTP protocol, you need to add an appProtocol to the k8s Service object.

E.g.,

apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: kuma-example
spec:
  selector:
    app: web
  ports:
  - port: 8080
    appProtocol: http # let Kong Mesh know that your service supports HTTP protocol

Kubernetes (deprecated)

On Kubernetes, to give Kong Mesh a hint that your service supports the HTTP protocol, you need to add a <port>.service.kuma.io/protocol annotation to the k8s Service object.

E.g.,

apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: kuma-example
  annotations:
    8080.service.kuma.io/protocol: http # let Kong Mesh know that your service supports HTTP protocol
spec:
  selector:
    app: web
  ports:
  - port: 8080

Universal

On Universal, to give Kong Mesh a hint that your service supports the http protocol, you need to add a kuma.io/protocol tag to the inbound interface of your Dataplane.

E.g.,

type: Dataplane
mesh: default
name: web
networking:
  address: 192.168.0.1 
  inbound:
  - port: 80
    servicePort: 8080
    tags:
      kuma.io/service: web
      kuma.io/protocol: http # let Kong Mesh know that your service supports HTTP protocol
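
Added example (not part of the Kong Mesh documentation or code base): a small audit over the JSON that `kubectl get services -A -o json` returns. For each Service port it reports which protocol hint applies and whether the port gets application-level visibility, and it flags the deprecated annotation, missing hints and values this page does not name. The sample Services and the issue labels are constructed for illustration.

```python
import json

# Protocol values this page names; anything else is reported for review.
KNOWN = {"http", "http2", "grpc", "kafka", "tcp"}

def audit_services(service_list_json):
    """Return one finding dict per Service port in a `kubectl ... -o json` list."""
    report = []
    for svc in json.loads(service_list_json).get("items", []):
        meta = svc.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for p in svc.get("spec", {}).get("ports", []):
            app_proto = p.get("appProtocol")
            legacy = annotations.get(f"{p['port']}.service.kuma.io/protocol")
            issues = []
            if legacy is not None:
                issues.append("deprecated-annotation")
            if app_proto and legacy and app_proto != legacy:
                # The page does not say which hint wins; flag it instead of guessing.
                issues.append("conflicting-hints")
            hint = app_proto or legacy
            if hint is None:
                hint = "tcp"  # documented default: treated as opaque TCP
                issues.append("no-hint")
            elif hint not in KNOWN:
                issues.append("unknown-protocol")
            report.append({
                "service": f"{meta.get('namespace')}/{meta.get('name')}",
                "port": p["port"],
                "protocol": hint,
                "l7_visibility": hint in KNOWN and hint != "tcp",
                "issues": issues,
            })
    return report

# Constructed sample input (not from a real cluster).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "web", "namespace": "kuma-example"},
     "spec": {"ports": [{"port": 8080, "appProtocol": "http"}]}},
    {"metadata": {"name": "orders", "namespace": "kuma-example",
                  "annotations": {"9000.service.kuma.io/protocol": "grpc"}},
     "spec": {"ports": [{"port": 9000}]}},
    {"metadata": {"name": "websocket-server", "namespace": "kuma-example"},
     "spec": {"ports": [{"port": 8080}, {"port": 8443, "appProtocol": "https"}]}},
]})

if __name__ == "__main__":
    for row in audit_services(SAMPLE):
        print(row)
```

A `no-hint` port is not necessarily a mistake: services that originate their own TLS or expose Websocket endpoints are expected to be tcp, so review those findings against what the service actually speaks.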

HTTP/2 support

By default, Kong Mesh upgrades connections between Dataplanes to HTTP/2. If you want to enable HTTP/2 on connections between a dataplane and an application, use the kuma.io/protocol: http2 tag.

TLS support

Whenever a service already initiates a TLS request to another service, and mutual TLS is enabled, Kong Mesh can enforce both TLS connections end-to-end as long as the service that generates the TLS traffic is explicitly tagged with the tcp protocol (i.e. kuma.io/protocol: tcp).

Effectively, kuma-dp sends the raw original TLS request as-is to the final destination while enforcing its own TLS connection (if mutual TLS is enabled). Hence, the traffic must be marked as tcp, so that kuma-dp won’t try to parse it.

Note that in this case no advanced HTTP or gRPC statistics or logging are available. As a best practice, since Kong Mesh will already secure the traffic across services via the mutual TLS policy, we suggest disabling TLS in the original services in order to get L7 metrics and capabilities.

Websocket support

Kong Mesh supports the Websocket protocol out of the box. The service exposing Websocket should be marked as tcp.

As Websockets use pure TCP connections under the hood, your service has to be recognised by Kuma as a TCP one. By default, Kong Mesh also assumes that a service’s inbound interfaces are TCP ones, so you don’t have to do anything; but if you want to be explicit, you can configure your services exposing Websocket endpoints with the appProtocol property. I.e.:

Kubernetes

apiVersion: v1
kind: Service
metadata:
  name: websocket-server
  namespace: kuma-example
spec:
  selector:
    app: websocket-server
  ports:
  - port: 8080
    appProtocol: tcp

Universal

type: Dataplane
mesh: default
name: websocket-server
networking:
  address: 192.168.0.1
  inbound:
  - port: 80
    servicePort: 8080
    tags:
      kuma.io/service: websocket-server
      kuma.io/protocol: tcp