When you want a private connection from your Dedicated Cloud Gateway to your managed cloud infrastructure, you can choose from three connectivity types depending on your use case:
| Connectivity type | Use when | Supported clouds |
|---|---|---|
| Network peering | - Your upstream services are in a single VPC or VNet<br>- You want a direct, low-overhead connection without a transit hub<br>- Your CIDR ranges don't overlap | AWS, Azure, GCP |
| Hub-and-spoke network | - Your upstream services are spread across multiple VPCs or VNets, including across accounts<br>- You want a scalable, centrally managed connectivity model<br>- You already operate a hub-and-spoke network topology | AWS, Azure |
| Private endpoints | - Your security model requires a defined network boundary<br>- You want to avoid VPC-level peering while still connecting to one or many upstream services<br>- Your upstreams sit behind ALBs or other load balancers that handle L7 routing | AWS |
Your team is responsible for the following components regardless of which connectivity type you use:
| Component | Your responsibility |
|---|---|
| Public entry point | CDN, WAF, or ALB in your cloud account |
| TLS termination | At your edge (with re-origination to Kong Gateway) or L4 passthrough directly to Kong Gateway |
| Private connectivity | VPC peering, Transit Gateway, VNet peering, or Virtual Hub to the Konnect-managed network |
| DNS | CNAME from your hostname to your edge, not directly to Kong Gateway |
| Firewall rules | Allow your edge to reach Dedicated Cloud Gateway private IPs on the gateway port |

Dedicated Cloud Gateway private IPs: Dedicated Cloud Gateway data plane private IP addresses are static. You can retrieve them from the Konnect UI or API to use as targets in your ALB target group or firewall rules.
Network peering establishes a direct, private connection between the Konnect-managed network and a single VPC or VNet in your cloud account.
Traffic routes over the cloud provider’s internal network without traversing the public internet.
Konnect initiates the peering request from the managed network.
You accept it in your cloud account and update your route tables to route traffic across the peering connection.
The following diagram shows an example of a VPC peering network:

```mermaid
flowchart LR
A(API or Service)
B(API or Service)
C(API or Service)
E(AWS VPC peering)
G(Konnect #40;fully-managed Data Plane#41;)
H(Konnect #40;fully-managed Data Plane#41;)
I(Konnect #40;fully-managed Data Plane#41;)
J(Internet)
subgraph 1 [User AWS Cloud]
subgraph 2 [Region]
subgraph 3 [Virtual Private Cloud #40;VPC#41;]
A
B
C
end
A & B & C <--> E
end
end
subgraph 4 [Kong AWS Cloud]
subgraph 5 [Region]
E <--private API access--> G & H & I
subgraph 6 [Virtual Private Cloud #40;VPC#41;]
G
H
I
end
end
end
G & H & I <--public API access--> J
```
To set up network peering, use the following tutorials:
After you’ve configured network peering in Konnect, do the following:
- Update your route tables to route the Konnect-managed network CIDR via the peering connection.
- Configure security groups or network security group rules to allow inbound traffic from the Kong Gateway data plane private IPs on your service ports.
- Configure private DNS so Kong Gateway can resolve your service hostnames to private IPs.
A hub-and-spoke network uses a centrally managed hub that all networks connect to once.
The hub handles routing between all attached networks, so a single connection from the Konnect-managed network can reach services across multiple VPCs or VNets without requiring individual peering connections to each one.
Route tables on the hub let you define precisely which networks can communicate with each other, limiting Kong Gateway’s reachability to specific networks.
The following diagram shows an example of a transit gateway hub-and-spoke network:

```mermaid
flowchart LR
A(API or Service)
B(API or Service)
C(API or Service)
D(AWS Transit Gateway attachment)
E(AWS Transit Gateway)
F(AWS Transit Gateway attachment)
G(Konnect #40;fully-managed Data Plane#41;)
H(Konnect #40;fully-managed Data Plane#41;)
I(Konnect #40;fully-managed Data Plane#41;)
J(Internet)
subgraph 1 [User AWS Cloud]
subgraph 2 [Region]
subgraph 3 [Virtual Private Cloud #40;VPC#41;]
A
B
C
end
A & B & C <--> D
end
D<-->E
end
subgraph 4 [Kong AWS Cloud]
subgraph 5 [Region]
E<-->F
F <--private API access--> G & H & I
subgraph 6 [Virtual Private Cloud #40;VPC#41;]
G
H
I
end
end
end
G & H & I <--public API access--> J
```
To set up a hub-and-spoke network, use the following tutorials:
After you’ve configured the hub-and-spoke network in Konnect, do the following:
- Update your route tables to route traffic between the Konnect-managed network CIDR and your spoke networks.
- Configure security groups or network security group rules to allow inbound traffic from Kong Gateway data plane private IPs on your service ports.
- Configure private DNS so Kong Gateway can resolve your service hostnames to private IPs.
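The three post-configuration steps above (and the matching list for network peering) can be checked as data before you touch a route table or security group. The following Python is an added example, not Kong's own tooling: it verifies the non-overlap requirement from the connectivity table, plans the routes and least-privilege security group rules for the static data plane private IPs, audits an existing rule set for anything wider than those IPs need, and checks that private DNS answers fall inside your VPCs. Every CIDR, IP, hostname and the `pcx-EXAMPLE` target ID is a constructed placeholder; substitute the values Konnect shows for your managed network.

```python
"""Preflight checks for peering or hub-and-spoke connectivity to a Konnect-managed network.

Added example; not Kong's tooling. All values below are constructed placeholders.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List

KONNECT_CIDR = "10.120.0.0/16"                                 # placeholder: managed network CIDR
KONNECT_DP_IPS = ["10.120.1.10", "10.120.2.10", "10.120.3.10"]  # placeholder: static data plane IPs
YOUR_VPC_CIDRS = {"vpc-app": "10.0.0.0/16", "vpc-data": "10.1.0.0/16"}  # placeholder spokes/VPC
SERVICE_PORTS = [8443]                                         # placeholder upstream service port
PEERING_TARGET = "pcx-EXAMPLE"                                 # placeholder peering/TGW attachment id


def overlapping_vpcs(konnect_cidr: str, vpc_cidrs: Dict[str, str]) -> List[str]:
    """Names of your VPCs whose CIDR overlaps the Konnect-managed network.
    Any hit means peering cannot work and hub routing would be ambiguous."""
    konnect = ip_network(konnect_cidr)
    return [name for name, cidr in vpc_cidrs.items() if konnect.overlaps(ip_network(cidr))]


def plan_routes(konnect_cidr: str, vpc_cidrs: Dict[str, str], target: str) -> List[dict]:
    """One route per VPC route table sending the Konnect CIDR to the peering/TGW target."""
    return [{"vpc": name, "destination": konnect_cidr, "target": target} for name in vpc_cidrs]


def plan_ingress_rules(dp_ips: List[str], ports: List[int]) -> List[dict]:
    """Least-privilege ingress: one /32 per static data plane IP, per service port only."""
    return [{"source": f"{ip}/32", "port": port, "protocol": "tcp"}
            for ip in dp_ips for port in ports]


def audit_ingress_rules(existing: List[dict], dp_ips: List[str], ports: List[int]) -> List[str]:
    """Flag existing security group rules that are wider than the data plane needs."""
    wanted = {ip_network(f"{ip}/32") for ip in dp_ips}
    findings = []
    for rule in existing:
        src = ip_network(rule["source"])
        tag = f"{rule['source']}:{rule['port']}"
        if rule["port"] not in ports:
            findings.append(f"{tag} is not a service port")
        elif src.prefixlen == 0:
            findings.append(f"{tag} is open to the internet")
        elif src not in wanted:
            findings.append(f"{tag} is not one of the data plane /32 addresses")
    return findings


def check_private_dns(records: Dict[str, str], vpc_cidrs: Dict[str, str]) -> List[str]:
    """Hostnames Kong Gateway will resolve must map to private IPs inside your VPCs."""
    vpcs = [ip_network(cidr) for cidr in vpc_cidrs.values()]
    return [host for host, ip in records.items()
            if not any(ip_address(ip) in vpc for vpc in vpcs)]


def preflight() -> dict:
    """Run every check against the placeholder data and return the findings."""
    existing_rules = [  # constructed sample of what a security group might already contain
        {"source": "0.0.0.0/0", "port": 8443},
        {"source": "10.120.0.0/16", "port": 8443},
        {"source": "10.120.1.10/32", "port": 8443},
    ]
    dns = {"orders.internal": "10.0.4.20", "pay.internal": "203.0.113.7"}  # constructed
    return {
        "overlaps": overlapping_vpcs(KONNECT_CIDR, YOUR_VPC_CIDRS),
        "routes": plan_routes(KONNECT_CIDR, YOUR_VPC_CIDRS, PEERING_TARGET),
        "ingress": plan_ingress_rules(KONNECT_DP_IPS, SERVICE_PORTS),
        "rule_findings": audit_ingress_rules(existing_rules, KONNECT_DP_IPS, SERVICE_PORTS),
        "dns_findings": check_private_dns(dns, YOUR_VPC_CIDRS),
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
```

The audit deliberately rejects a rule for the whole Konnect-managed CIDR: because the data plane addresses are static, the /32 entries are the tightest rule that still works, and a broader range only widens what can reach your service ports.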
Private endpoints provide one-way private connectivity from the Konnect-managed network to resources in your AWS account using AWS VPC Lattice resource configurations.
There's no VPC-level network access; only what you explicitly expose via a resource configuration is reachable from the Konnect-managed network.
A resource configuration can be a single endpoint or a group configuration with multiple child resource configurations, each pointing to a different service endpoint.
The following diagram shows an example of an AWS resource endpoint connection:

```mermaid
flowchart LR
A(API or Service)
B(API or Service)
C(API or Service)
E(AWS Resource Endpoint)
G(Konnect #40;fully-managed Data Plane#41;)
H(Konnect #40;fully-managed Data Plane#41;)
I(Konnect #40;fully-managed Data Plane#41;)
J(Internet)
subgraph 1 [User AWS Cloud]
subgraph 2 [Region]
subgraph 3 [Virtual Private Cloud #40;VPC#41;]
A
B
C
end
A & B & C --- E
end
end
subgraph 4 [Kong AWS Cloud]
subgraph 5 [Region]
E --private API access--> G & H & I
subgraph 6 [Virtual Private Cloud #40;VPC#41;]
G
H
I
end
end
end
G & H & I <--public API access--> J
```
To set up private endpoints, use the Set up an AWS resource endpoint connection tutorial.
After you’ve set up the AWS resource endpoint in Konnect, ensure your service is reachable via the configured domain name within the shared resource.