Dedicated Cloud Gateways domain breaking changes: Review domain breaking changes for Dedicated Cloud Gateways and migrate to the new domain before September 30, 2025.
Dedicated Cloud Gateways reference
Uses:
Kong Gateway
Related Documentation
Incompatible with
on-prem
How do Dedicated Cloud Gateways work?
When you create a Dedicated Cloud Gateway, Konnect creates a Control Plane. This Control Plane, like other Konnect Control Planes, is hosted by Konnect. You can then deploy Data Planes in different regions.
Dedicated Cloud Gateways support two different configuration modes:
- Autopilot Mode: Configure expected requests per second, and Konnect pre-warms and autoscales the Data Plane nodes automatically.
- Custom Mode: Manually specify the instance size, type, and number of nodes per cluster.
flowchart TD A(Dedicated Cloud Gateway Control Plane) B(Managed Data Plane Node
Region 1) C(Managed Data Plane Node
Region 2) subgraph id1 [Konnect] A end A --auto-scale configuration---> B A --auto-scale configuration---> C
How do I provision a Control Plane?
-
Create a Dedicated Cloud Gateway Control Plane using by issuing a
POSTrequest to the Control Plane API:curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/" \ -H "Accept: application/json"\ -H "Content-Type: application/json"\ -H "Authorization: Bearer $KONNECT_TOKEN" \ --json '{ "name": "cloud-gateway-control-plane", "description": "A test Control Plane for Dedicated Cloud Gateways.", "cluster_type": "CLUSTER_TYPE_CONTROL_PLANE", "cloud_gateway": true, "proxy_urls": [ { "host": "example.com" }, { "port": 443 }, { "protocol": "https" } ] }' -
Create a Dedicated Cloud Gateway Data Plane by issuing a
PUTrequest to the Cloud Gateways API:curl -X PUT "$KONNECT_CONTROL_PLANE_URL/v2/cloud-gateways/configurations" \ -H "Accept: application/json"\ -H "Content-Type: application/json"\ -H "Authorization: Bearer $KONNECT_TOKEN" \ --json '{ "control_plane_id": "'$CONTROL_PLANE_ID'", "version": 3.9, "control_plane_geo": "ap-northeast-1", "dataplane_groups": [ { "provider": "aws" }, { "region": "na" }, { "cloud_gateway_network_id": "'$CLOUD_GATEWAY_NETWORK_ID'" }, { "autoscale": [ { "kind": "autopilot" }, { "base_rps": 100 } ] } ] }'
Custom DNS
Konnect integrates domain name management and configuration with Dedicated Cloud Gateways.
Konnect configuration
-
Open Gateway Manager, choose a Control Plane to open the Overview dashboard, then click Connect.
The Connect menu will open and display the URL for the Public Edge DNS. Save this URL.
-
Select Custom Domains from the side navigation, then New Custom Domain, and enter your domain name.
Save the value that appears under CNAME.
Dedicated Cloud Gateways domain registrar configuration
The following settings must be configured in your domain registrar using the values in Konnect. For example, in AWS Route 53, it would look like this:
|
Host Name |
Record Type |
Routing Policy |
Alias |
Evaluate Target Health |
Value |
TTL |
|---|---|---|---|---|---|---|
_acme-challenge.example.com
|
CNAME | Simple |
_acme-challenge.9e454bcfec.acme.gateways.konggateway.com
|
300 | ||
example.com
|
CNAME | Simple |
9e454bcfec.gateways.konggateway.com
|
300 |
Securing backend communication
Dedicated Cloud Gateways only support public networking. If your use case requires private connectivity, consider using Dedicated Cloud Gateways with AWS Transit Gateways.
To securely connect a Dedicated Cloud Gateway to your backend, you can inject a shared secret into each request using the Request Transformer plugin.
- Ensure the backend accepts a known token like an Authorization header.
-
Attach the Request Transformer plugin to the Control Plane and Gateway Service that you want to secure:
curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/core-entities/services/$SERVICE_ID/plugins" \ -H "accept: application/json"\ -H "Content-Type: application/json"\ -H "Authorization: Bearer $KONNECT_TOKEN" \ --json '{ "name": "request-transformer", "config": { "add": { "headers": [ "Authorization:Bearer '$SECRET_TOKEN_VALUE'" ] } } }'
AWS Transit Gateway
If you are using Dedicated Cloud Gateways and your upstream services are hosted in AWS, AWS Transit Gateway is the preferred method for most users. For more information and a guide on how to attach your Dedicated Cloud Gateway, see the Transit Gateways documentation.
Azure VNet Peering
If you are using Dedicated Cloud Gateways and your upstream services are hosted in Azure, VNet Peering is the preferred method for most users. For more information and a guide on how to attach your Dedicated Cloud Gateway, see the Azure Peering documentation.
Custom plugins
With Dedicated Cloud Gateways, Konnect can stream custom plugins from the Control Plane to the Data Plane. This means that the Control Plane becomes a single source of truth for plugin versions. You only need to upload a plugin once, to the Control Plane, and Konnect handles distributing the plugin code to all Data Planes in that Control Plane.
How does custom plugin streaming work?
With Dedicated Cloud Gateways, Konnect can stream custom plugins from the Control Plane to the Data Plane. The Control Plane becomes the single source of truth for plugin versions. You only need to upload the plugin once, and Konnect handles distribution to all Data Planes in the same Control Plane.
A custom plugin must meet the following requirements:
- Unique name per plugin
- One
handler.luaand oneschema.luafile - Cannot run in the
init_workerphase or create timers - Must be written in Lua
- A personal or system access token for the Konnect API
How do I add a custom plugin?
Plugins can be uploaded to Konnect using the Konnect UI. You can also use jq with the following request template to add the plugin using the API:
curl -X POST $KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/core-entities/custom-plugins \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $KONNECT_TOKEN" \
-d "$(jq -n \
--arg handler "$(cat handler.lua)" \
--arg schema "$(cat schema.lua)" \
'{"handler":$handler,"name":"streaming-headers","schema":$schema}')" \
| jq
Once uploaded, you can manage custom plugins using any of the following methods:
FAQs
Why is my custom domain attachment failing in Konnect?
A common reason is a missing or misconfigured Certificate Authority Authorization (CAA) record.
Konnect uses Google Cloud Public CA (pki.goog) to issue certificates.
If your domain’s CAA record does not authorize this CA, attachment will fail.
What should I do if my custom domain fails to attach in Konnect?
If your custom domain fails to attach, check whether your domain has a Certificate Authority Authorization (CAA) record that restricts certificate issuance.
Konnect uses Google Cloud Public CA (pki.goog) to provision SSL/TLS certificates. If the CAA record doesn’t include pki.goog, certificate issuance will fail.
To resolve the issue:
- Run
dig CAA yourdomain.com +shortto check for existing CAA records. - If a record exists but doesn’t allow
pki.goog, update it.yourdomain.com. CAA 0 issue "pki.goog" - Wait for DNS propagation and try attaching your domain again.
If no CAA record exists, no changes are needed. For more details, see the Let’s Encrypt CAA Guide.
How often is DNS validation refreshed for Dedicated Cloud Gateways?
DNS validation statuses for Dedicated Cloud Gateways are refreshed every 5 minutes.
How do I delete a custom domain in Konnect?
In Konnect, go to Gateway Manager, choose a Control Plane, click Custom Domains, and use the action menu to delete the domain.
How does network peering work with Dedicated Cloud Gateway nodes?
Each Cloud Gateway node is part of a dedicated network for its region (e.g., us-east-1).
You can securely peer this network with your AWS network using AWS Transit Gateway.
What happens if Konnect goes down?
If the Kong-hosted Control Plane goes down, you won’t be able to access it or update configuration. However, connected Data Plane nodes continue to route traffic normally using the last cached configuration.
Why isn’t AWS PrivateLink recommended for connecting Dedicated Cloud Gateway to my upstream services?
AWS PrivateLink offers secure and private connectivity by routing traffic through an endpoint, but it only supports unidirectional communication. This means that Dedicated Cloud Gateway can send requests to your upstream services, but your upstream services cannot initiate communication back to the gateway. For many use cases requiring bidirectional communication—such as callbacks or dynamic interactions between the gateway and your upstream services—this limitation is a blocker. For this reason, PrivateLink is not generally recommended for secure connectivity to your upstream services.
How do I manage custom plugins after uploading them?
Once uploaded, you can manage custom plugins using any of the following methods: