Home / Dedicated Cloud Gateways
Edit
Report

Dedicated Cloud Gateways private network architecture and security

Uses: Kong Gateway
Related Documentation
Gateway Documentation
Incompatible with
on-prem
Tags
#dedicated-cloud-gateways
Related Resources
Dedicated Cloud Gateways
Dedicated Cloud Gateways network architecture
Dedicated Cloud Gateways public network architecture and security
Multi-cloud Dedicated Cloud Gateway network architecture
Private hosted zones
Outbound DNS resolver
Kong Gateway WAF capabilities

In private mode, Dedicated Cloud Gateway endpoints have private IP addresses only. There’s no public listener. All inbound traffic must arrive through your own edge infrastructure over a private network connection. Your CDN, WAF, or Application Load Balancer terminates public traffic and handles TLS, then forwards requests to the Kong Gateway data plane using its private IP address. The data plane has no public listener and is unreachable from the internet directly.

Use a private Dedicated Cloud Gateway when you:

  • Deploy upstream services on one or more private networks (VPC or VNet)
  • Don’t expose services to the public internet
  • Require network isolation or full edge control
  • Operate under regulated security requirements

Note: The inbound path (your edge to the Dedicated Cloud Gateway) and the upstream path (the Dedicated Cloud Gateway to your backend services) are independent network hops and can use different connectivity methods. For example, your edge may reach the Dedicated Cloud Gateway over a Transit Gateway while the Dedicated Cloud Gateway reaches upstream services over a separate VNet peering connection.

Private connectivity options

When you want a private connection from your Dedicated Cloud Gateway to your managed cloud infrastructure, you can choose from three connectivity types depending on your use case:

Connectivity type

Use when

Supported clouds
Network peering
  • Your upstream services are in a single VPC or VNet
  • You want a direct, low-overhead connection without a transit hub
  • Your CIDR ranges don’t overlap
 AWS, Azure, GCP
Hub-and-spoke network
  • Your upstream services are spread across multiple VPCs or VNets, including across accounts
  • You want a scalable, centrally managed connectivity model
  • You already operate a hub-and-spoke network topology
 AWS, Azure
Private endpoints
  • Your security model requires a defined network boundary
  • You want to avoid VPC-level peering while still connecting to one or many upstream services
  • Your upstreams sit behind ALBs or other load balancers that handle L7 routing
 AWS

Your team is responsible for the following components regardless of which connectivity type you use:

Component

Your responsibility
Public entry point CDN, WAF, or ALB in your cloud account
TLS termination At your edge (with re-origination to Kong Gateway) or L4 passthrough directly to Kong Gateway
Private connectivity VPC peering, Transit Gateway, VNet peering, or Virtual Hub to the Konnect-managed network
DNS CNAME from your hostname to your edge, not directly to Kong Gateway
Firewall rules Allow your edge to reach Dedicated Cloud Gateway private IPs on the gateway port

Dedicated Cloud Gateway private IPs: Dedicated Cloud Gateway data plane private IP addresses are static. You can retrieve them from the Konnect UI or API to use as targets in your ALB target group or firewall rules.

Network peering

Network peering establishes a direct, private connection between the Konnect-managed network and a single VPC or VNet in your cloud account. Traffic routes over the cloud provider’s internal network without traversing the public internet. Konnect initiates the peering request from the managed network. You accept it in your cloud account and update your route tables to route traffic across the peering connection.

The following diagram shows an example of a VPC peering network: 

 
flowchart LR

A(API or Service)
B(API or Service)
C(API or Service)
E( AWS VPC peering)
G(Konnect #40;fully-managed Data Plane#41;)
H(Konnect #40;fully-managed Data Plane#41;)
I(Konnect #40;fully-managed Data Plane#41;)
J(Internet)

subgraph 1 [User AWS Cloud]
    subgraph 2 [Region]
        subgraph 3 [Virtual Private Cloud #40;VPC#41;]
        A
        B
        C
        end
        A & B & C <--> E
    end
end

subgraph 4 [Kong AWS Cloud]
    subgraph 5 [Region]
        E <--private API access--> G & H & I
        subgraph 6 [Virtual Private Cloud #40;VPC#41;]
        G
        H
        I
        end
    end
end

G & H & I <--public API access--> J

To set up network peering, use the following tutorials:

After you’ve configured network peering in Konnect, do the following:

  • Update your route tables to route the Konnect-managed network CIDR via the peering connection.
  • Configure security groups or network security group rules to allow inbound traffic from the Kong Gateway data plane private IPs on your service ports.
  • Configure private DNS so Kong Gateway can resolve your service hostnames to private IPs.

Hub-and-spoke network

A hub-and-spoke network uses a centrally managed hub that all networks connect to once. The hub handles routing between all attached networks, so a single connection from the Konnect-managed network can reach services across multiple VPCs or VNets without requiring individual peering connections to each one. Route tables on the hub let you define precisely which networks can communicate with each other, limiting Kong Gateway’s reachability to specific networks.

The following diagram shows an example of a transit gateway hub-and-spoke network: 

 
flowchart LR

A(API or Service)
B(API or Service)
C(API or Service)
D(AWS Transit Gateway attachment)
E( AWS Transit Gateway)
F(AWS Transit Gateway attachment)
G(Konnect #40;fully-managed Data Plane#41;)
H(Konnect #40;fully-managed Data Plane#41;)
I(Konnect #40;fully-managed Data Plane#41;)
J(Internet)

subgraph 1 [User AWS Cloud]
    subgraph 2 [Region]
        subgraph 3 [Virtual Private Cloud #40;VPC#41;]
        A
        B
        C
        end
        A & B & C <--> D
    end
   D<-->E
end

subgraph 4 [Kong AWS Cloud]
    subgraph 5 [Region]
        E<-->F
        F <--private API access--> G & H & I
        subgraph 6 [Virtual Private Cloud #40;VPC#41;]
        G
        H
        I
        end
    end
end

G & H & I <--public API access--> J

To set up a hub-and-spoke network, use the following tutorials:

After you’ve configured the hub-and-spoke network in Konnect, do the following:

  • Update your route tables to route traffic between the Konnect-managed network CIDR and your spoke networks.
  • Configure security groups or network security group rules to allow inbound traffic from Kong Gateway data plane private IPs on your service ports.
  • Configure private DNS so Kong Gateway can resolve your service hostnames to private IPs.

Private endpoints

Private endpoints provide one-way private connectivity from the Konnect-managed network to resources in your AWS account using AWS VPC Lattice resource configurations. There’s no VPC-level network access, only what you explicitly expose via a resource configuration is reachable from the Konnect-managed network. A resource configuration can be a single endpoint or a group configuration with multiple child resource configurations, each pointing to a different service endpoint.

The following diagram shows an example of an AWS resource endpoint connection: 

 
flowchart LR

A(API or Service)
B(API or Service)
C(API or Service)
E( AWS Resource Endpoint)
G(Konnect #40;fully-managed Data Plane#41;)
H(Konnect #40;fully-managed Data Plane#41;)
I(Konnect #40;fully-managed Data Plane#41;)
J(Internet)

subgraph 1 [User AWS Cloud]
    subgraph 2 [Region]
        subgraph 3 [Virtual Private Cloud #40;VPC#41;]
        A
        B
        C
        end
        A & B & C --- E
    end
end

subgraph 4 [Kong AWS Cloud]
    subgraph 5 [Region]
        E --private API access--> G & H & I
        subgraph 6 [Virtual Private Cloud #40;VPC#41;]
        G
        H
        I
        end
    end
end

G & H & I <--public API access--> J

To set up private endpoints, use the Set up an AWS resource endpoint connection tutorial.

After you’ve set up the AWS resource endpoint in Konnect, ensure your service is reachable via the configured domain name within the shared resource.

DNS for private upstream services

Regardless of the connectivity type you use, Kong Gateway must be able to resolve your upstream service hostnames to private IP addresses. Using private IPs directly in service configuration is possible but not recommended for services that require TLS, since certificates are typically issued to hostnames, not IPs.

There are two DNS options for private Dedicated Cloud Gateways depending on where your authoritative DNS records live:

  • Private hosted zone: Use this when your DNS records live in your cloud provider’s managed DNS service. DNS traffic travels over the cloud provider’s backbone network. See Private hosted zones.
  • Outbound DNS resolver: Use this when your DNS records live on an on-premises or self-managed DNS server outside your cloud provider. DNS traffic travels through your VPC peering or Transit Gateway connection. See Outbound DNS resolver.

WAF

You can use a Web Application Firewall (WAF) in front of your Dedicated Cloud Gateway as a first-line defense that filters and blocks malicious traffic before it reaches Kong Gateway. A WAF provides Layer 7 protection for HTTP(S) traffic and helps protect APIs against:

  • OWASP Top 10 vulnerabilities
  • Malicious bot traffic
  • IP reputation threats
  • Rate-based abuse
  • Geo-based access restrictions

Kong strongly recommends configuring a WAF for private Dedicated Cloud Gateways.

For more information about all Kong Gateway WAF configurations and plugins, see Kong Gateway WAF capabilities.

AWS WAF

In a private deployment, your Application Load Balancer (ALB) is the internet-facing entry point. AWS WAF attaches directly to the ALB and inspects all inbound HTTP(S) traffic before it reaches your Dedicated Cloud Gateway. Traffic flows from the ALB to the Dedicated Cloud Gateway’s static private IP addresses over your private network connection (VPC peering or Transit Gateway).

To configure AWS WAF for a private Dedicated Cloud Gateway:

  1. Create an internet-facing ALB in your AWS account.
  2. Create an AWS WAF Web ACL and associate it with the ALB. Configure AWS managed rule groups and any custom rules you need, such as IP blocklists or rate limiting.
  3. Create a target group with the following settings:
    • Target type: IP
    • Targets: The static private IP addresses of your Dedicated Cloud Gateway data plane nodes. You can find these by sending a GET request to the /cloud-gateways/configurations endpoint.
  4. Configure ALB listener rules based on host headers and path patterns to route traffic to the correct target group.
  5. Enable HTTPS on your ALB listener using AWS Certificate Manager (ACM).
  6. Ensure your VPC peering or Transit Gateway route tables are updated to direct ALB traffic to the Dedicated Cloud Gateway private IP addresses.
  7. Validate connectivity by sending a test request to the ALB DNS name and confirming it routes through WAF, the ALB, and the Dedicated Cloud Gateway to your upstream API.

Optionally, enable AWS Shield Advanced on the ALB for DDoS mitigation.

Azure WAF

In a private deployment, Azure Front Door Premium acts as the internet-facing entry point with a built-in WAF policy. Traffic flows from Azure Front Door to an Internal Load Balancer (ILB) in your Azure VNet over Private Link, then reaches the Dedicated Cloud Gateway over VNet peering.

To configure Azure WAF for a private Dedicated Cloud Gateway:

  1. Deploy Azure Front Door Premium with a custom domain for your APIs.
  2. Configure a WAF policy on the Front Door profile. Include managed rulesets such as OWASP 3.2 and any custom rules for IP allow/deny, rate limiting, or bot control. Set the mode to Prevention for production or Detection when testing rules.
  3. Create an Internal Load Balancer in your Azure VNet. Add the static private IP addresses of your Dedicated Cloud Gateway data plane nodes as backend targets. You can find these by sending a GET request to the /cloud-gateways/configurations endpoint.
  4. Enable Private Link for the Front Door origin configuration. Azure Front Door creates a managed private endpoint that connects to the ILB over Microsoft’s private backbone network.
  5. Ensure your VNet peering or Virtual WAN connection is configured between your VNet and the Konnect-managed VNet. Update your Network Security Group (NSG) rules and route tables to allow inbound traffic from the ILB subnet to the Dedicated Cloud Gateway private IP addresses.
  6. Validate connectivity by making test API calls from Azure Front Door through to your upstream API and confirming end-to-end request flow.

Next Steps

Dedicated Cloud Gateways production readiness checklist
Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support