Set up an AWS resource endpoint connection

Uses: Kong Gateway
Incompatible with: on-prem

TL;DR

AWS resource endpoints with Dedicated Cloud Gateway enable secure, one-way connectivity from Konnect’s managed infrastructure to your upstream services without requiring VPC peering or Transit Gateway. First, configure a resource share in AWS and set your Konnect AWS account ID as a principal on the resource share. Then configure private networking for your Dedicated Cloud Gateway and select Resource endpoint connection. Enter your resource share ARN from AWS as well as your resource configuration ID and domain name.

Prerequisites

This is a Konnect tutorial that requires Dedicated Cloud Gateways access.

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:
    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
    • Dedicated Cloud Gateway: You can use an existing Dedicated Cloud Gateway or create a new one to use for this tutorial.
    • Network ID: The default Dedicated Cloud Gateway network ID can be found in API Gateway > Network.
  2. Set these values as environment variables:
     export KONNECT_TOKEN='YOUR KONNECT TOKEN'
     export KONNECT_NETWORK_ID='KONNECT NETWORK ID'
    

You need an AWS IAM user account with permissions to create AWS Resource Configuration Groups, Resource Gateways, and to use AWS Resource Access Manager (RAM).

You also need:

  • A configured VPC and subnet
  • A resource gateway
  • A resource configuration group

    Copy and save the resource configuration ID and resource definition domain name for each resource configuration. Konnect will use these to create a mapping of upstream domain names and resource configuration IDs.

Export your AWS resource configuration domain name:

export RESOURCE_DOMAIN_NAME='YOUR-RESOURCE-DOMAIN-NAME'   # hostname only; the http:// scheme and /anything path are added where the variable is used

We’ll use this to connect to our Dedicated Cloud Gateway service.

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. In the Konnect sidebar, navigate to API Gateway.
  2. Click your Dedicated Cloud Gateway.
  3. In the API Gateway sidebar, click Gateway Services.
  4. Click New gateway service.
  5. In the Full URL field, enter your resource domain, appended with /anything. For example: http://YOUR-RESOURCE-DOMAIN-NAME/anything
  6. In the Name field, enter example-service.
  7. Click Save.
  8. Click the Routes tab.
  9. Click New route.
  10. In the Name field, enter example-route.
  11. In the Path field, enter /anything.
  12. Click Save.

To learn more about entities, you can read our entities documentation.

AWS resource endpoints with Dedicated Cloud Gateway enable secure, one-way connectivity from Konnect’s managed infrastructure to your upstream services without requiring VPC peering or Transit Gateway.

AWS VPC endpoints, part of the AWS VPC Lattice offering, allow services in one AWS account to be securely shared with and accessed from another account via a single VPC endpoint. This eliminates the need for:

  • Multiple PrivateLinks
  • Individual TLS workarounds for each service
  • Complex two-way handshakes

Copy and save your Konnect Account ID

Before you can configure AWS, you’ll need your account ID for AWS in Konnect. AWS uses this account ID to configure the connection between your resource share in AWS and Konnect.

  1. In the Konnect sidebar, click Networks.
  2. Click the settings icon next to your network.
  3. Click Configure private networking.
  4. Click Resource endpoint connection.
  5. Copy and save the ID in the Kong AWS Account ID field.

Create a resource share in AWS

To use AWS resource endpoints with Dedicated Cloud Gateways, you must first create a resource share with your resource configuration group and resource gateway in AWS.

  1. In the AWS console, navigate to RAM.
  2. Click Create resource share.
  3. In the Name field, enter Kong-DCGW-Resource-Share.
  4. From the Resource type dropdown menu, select “VPC Lattice Resource Configurations”.
  5. Select the ARN of your resource configuration.
  6. In the Selected resources settings, select your resource group IDs.
  7. Click Next.
  8. Click Next.
  9. In the Principals settings, select Allow sharing with anyone.
  10. From the Select principal type dropdown menu, select “AWS Account”.
  11. In the AWS Account field, enter your account ID from Konnect.
  12. Click Next.
  13. Click Create resource share.
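As an added example (not Kong's or AWS's own tooling), the same resource share created from the AWS CLI, followed by two checks worth running before handing the ARN to Konnect: that the Konnect account ID is the share's only principal, and that Konnect's automation has accepted the association. RESOURCE_CONFIG_ARN and KONNECT_AWS_ACCOUNT_ID are assumed variable names, and the JSON responses below are constructed samples shaped like the CLI's pretty-printed output.

```shell
#!/bin/sh
# Added example, not part of the Kong docs. Assumed inputs:
#   RESOURCE_CONFIG_ARN     your VPC Lattice resource configuration ARN
#   KONNECT_AWS_ACCOUNT_ID  the "Kong AWS Account ID" copied from Konnect

# A Konnect AWS account ID must be a 12-digit AWS account number.
is_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Create the share and print its ARN. --allow-external-principals is the CLI
# equivalent of "Allow sharing with anyone": Konnect's account is outside your org.
create_share() {
  is_account_id "$KONNECT_AWS_ACCOUNT_ID" || { echo "bad account id" >&2; return 1; }
  aws ram create-resource-share \
    --name Kong-DCGW-Resource-Share \
    --resource-arns "$RESOURCE_CONFIG_ARN" \
    --principals "$KONNECT_AWS_ACCOUNT_ID" \
    --allow-external-principals \
    --query 'resourceShare.resourceShareArn' --output text
}

# Input: JSON from `aws ram get-resource-share-associations --association-type PRINCIPAL
# --resource-share-arns ARN` (one key per line). Returns 0 only if at least one
# principal exists and every principal is the expected Konnect account.
check_principals() {
  json="$1"; expected="$2"
  principals=$(printf '%s\n' "$json" | sed -n 's/.*"associatedEntity": *"\([^"]*\)".*/\1/p')
  [ -n "$principals" ] || return 1
  for p in $principals; do
    [ "$p" = "$expected" ] || return 1
  done
}

# Returns 0 once every association is ASSOCIATED, i.e. the share has been accepted.
all_associated() {
  total=$(printf '%s\n' "$1" | grep -c '"associationType"' || true)
  ok=$(printf '%s\n' "$1" | grep -c '"status": *"ASSOCIATED"' || true)
  [ "$total" -gt 0 ] && [ "$total" -eq "$ok" ]
}

# Constructed sample responses; the account IDs are placeholders, not real accounts.
GOOD_ASSOCIATIONS='{ "resourceShareAssociations": [ { "associatedEntity": "111122223333",
  "associationType": "PRINCIPAL", "status": "ASSOCIATED", "external": true } ] }'
OVERSHARED_ASSOCIATIONS='{ "resourceShareAssociations": [
  { "associatedEntity": "111122223333", "associationType": "PRINCIPAL", "status": "ASSOCIATED" },
  { "associatedEntity": "999988887777", "associationType": "PRINCIPAL", "status": "ASSOCIATING" } ] }'
```

Run `create_share`, then feed the real `get-resource-share-associations` output to `check_principals` and `all_associated`; a second principal on the share means your resource configuration is exposed to an account other than Konnect's.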

Configure the resource endpoint connection in Konnect

Now that the resource share is configured in AWS, you can connect it with Konnect to enable the resource endpoint connection.

  1. In the Konnect sidebar, click Networks.
  2. Click the action menu icon next to your network.
  3. Click Configure private networking.
  4. Click Resource endpoint connection.
  5. In the Resource links configuration name field, enter AWS-Resource-Share.
  6. In the AWS RAM share ARN field, enter your ARN.
  7. Click Submit.

    It may take a few minutes for Konnect’s automation to accept the RAM share and create VPC endpoints. You can check the status of your resource endpoints in the table.

  8. Once your resource endpoint is marked as Ready, you need to manually map your resource configuration IDs from AWS to Konnect. Click the action menu icon.
  9. Click Edit.
  10. In the Resource configuration ID field, enter your resource configuration ID from AWS.

    Note: If your resource configuration has a child resource configuration, use the ID from the child resource.

  11. In the Domain name field, enter your resource configuration domain name from AWS.

    Note: If your resource configuration has a child resource configuration, use the domain name from the child resource.

  12. Click Submit.

It may take a few minutes for automation to update the private hosted zones and DNS settings before upstream routing will work.

Validate

Once the resource configuration mapping displays as Ready, your resource endpoint connection is set up successfully.

Additionally, you can validate that the resource endpoint connections in Konnect are working correctly by navigating to your Gateway Service configured in the prerequisites:

curl -i -X GET "http://$RESOURCE_DOMAIN_NAME/anything"