Blog
Engineering
September 8, 2021
5 min read

Deploying Hybrid Kong API Gateway with EKS Anywhere

Claudio
Claudio Acquaviva
Principal Architect, Kong

Modern microservices-based architectures require companies to change not just the way they build applications but also how to deploy them. Basically, the new microservices foundation should be based on two main pillars: hybrid deployments and Kubernetes orchestrator.

With the complete separation of the control plane (CP) and data plane (DP), Kong Gateway fully supports hybrid deployments. In this context, the control plane is responsible for administration tasks, while the data plane is exclusively used by API consumers. In a hybrid deployment, the control plane and data planes run in completely separate environments.

On the other hand, Amazon Elastic Kubernetes Service (EKS) is one of the most solid and robust Kubernetes distribution services in the marketplace today, providing highly available and secure clusters for mission-critical systems. In this sense, a Kong Konnect Gateway deployment running on AWS EKS clusters is a natural technology combination and an ideal platform to run new microservices-based applications.

Benefits of Hybrid EKS-Based Kong Deployment

Considering the capabilities provided by the Kubernetes platform, running data planes on this platform delivers a powerful environment. Here are some capabilities leveraged by the data plane on Kubernetes:

  • High Availability: One of the main capabilities of Kubernetes is “self-healing.” If a “pod” crashes, Kubernetes takes care of it by reinitializing the “pod.”
  • Scalability/Elasticity: HPA (“Horizontal Pod Autoscaler”) is the capability to initialize and terminate “pod” replicas based on previously defined policies. The policies define “thresholds” to tell Kubernetes the conditions where it should initiate a brand new “pod” replica or terminate a running one.
  • Load Balancing: The Kubernetes Service notion defines an abstraction level on top of the “pod” replicas that might have been up or down (due HPA policies, for instance). Kubernetes keeps all the “pod” replicas hidden from the “callers” through services.

Kong Konnect and Amazon EKS Anywhere

The synergy of the two products just got stronger with the launch of Amazon EKS Anywhere. Based on EKS Distro (Amazon’s open source distribution for Kubernetes) and the Cluster API Project (https://github.com/kubernetes-sigs/cluster-api), EKS Anywhere gives you the flexibility to start, run and scale Kubernetes applications in the AWS Cloud or on-prem.

This capability is particularly important for the Kong Konnect data plane. That is, new instances of the data plane can be created to support the workload movement that the microservices project might decide along the way.

The diagram below illustrates the scenario:

  • The control plane runs on an EKS cluster in AWS Cloud. It is used by admins to create APIs, policies and API documentation based on Swagger, OpenAPI, etc.
  • Data plane #1 runs on an on-prem EKS Anywhere cluster to expose the services and microservices deployed in all environments we may have, including application servers, legacy systems and EKS Anywhere clusters.
  • Data Plane #1 leverages AWS services like Cognito for OIDC-based authentication processes, Elasticsearch for log processing, etc. to implement policies to make sure the microservices or services are being safely consumed.
  • The architecture includes Data Plane #2, which is running on the AWS Cloud along with the control plane, to support the microservices and services that have been migrated from the on-prem environment or new microservices developed in cloud environments like ECS, EC2/ASG, etc.
  • The communication between the control plane and the data planes is based on mTLS tunnels. The control plane publishes APIs and policies across all existing data planes using a specific tunnel. On the other hand, using another tunnel, each data plane reports back the control plane with metrics regarding API request processing.

Control Plane and Data Plane Deployment

The control plane and data planes can be deployed using usual Kubernetes mechanisms, including YAML declarations, Helm Charts, DevOps, etc.

For example, a control plane can be deployed using Helm commands like this:

From the data plane communication perspective, the most important settings are:

  • env.role=control_plane to configure this Kong Konnect instance as the control plane
  • cluster.type=LoadBalancer to expose the control plane with a load balancer, while the data planes refer to it to get the mTLS tunnels in place
  • cluster.tls.servicePort=8005 as the API and policy publication mTLS tunnel port
  • clustertelemetry.type=LoadBalancer to expose the telemetry endpoint to the data plane
  • clustertelemetry.tls.servicePort=8006 as the tunnel port that the data plane will use to report back the control plane with metrics

A data plane can be deployed with a Helm command similar to this:

Again, the most important settings are:

  • env.role=data_plane to configure this Kong Konnect instance as a data plane
  • env.database=off , which unlike the control plane, does not require a database to store its metadata and instead gets all API and policy definition using the specific mTLS tunnel it builds with the control plane.
  • env.cluster_control_plane=<Control_Plane_LoadBalancer>:8005 referring to the exposed control plane IP and port
  • env.cluster_telemetry_endpoint=<Control_Plane_LoadBalancer>:8006 referring to the second control plane IP and port
  • proxy.type=NodePort to define how to expose the data plane to the API consumers

Conclusion

Kong Konnect Enterprise and Amazon EKS Anywhere make it easy to run services in hybrid deployments across multiple platforms, supporting on-prem and cloud workloads. You can learn more about products showcased in this blog through the official documentation: Amazon Elastic Kubernetes Services and Konnect Enterprise.

Feel free to apply and experiment your API policies like caching with AWS ElastiCache for Redis, log processing with AWS Elasticsearch Services, OIDC-based authentication with AWS Cognito, canary, GraphQL integration and more with the extensive list of plugins provided by Kong Konnect.

This is Part 1 of the Kong Konnect Enterprise and AWS EKS Anywhere blog post series. Part 2 will give a detailed tutorial on how to deploy Konnect on EKS Anywhere.

Tags:Tutorials