The stateless perimeter: why ephemeral gateways are the right fit for enterprise Kafka
The DMZ pattern only delivers its full value when the gateway at the crossing point is itself easy to operate. A stateful gateway — one that holds connection state, caches credentials locally, or embeds configuration in its runtime — defeats the purpose. If the gateway becomes a fragile, hand-managed component, you've just moved operational complexity from MSK to the gateway.
Kong Event Gateway on ECS Fargate sidesteps this entirely: the gateway is stateless and ephemeral by design.
All configuration lives in Konnect, not on the gateway. Virtual Clusters, ACL policies, authentication settings, listener configuration — none of it is stored on the running container. An ECS task is a pure data plane: it connects to Konnect on startup, pulls its full configuration over an mTLS-authenticated channel, and starts serving. Terminate the task and start a new one — it's fully operational in seconds, with no warm-up and no state migration. Scale from one task to five — all five have identical configurations immediately. This means:
- Gateway upgrades are container replacements, not migrations
- Auto-scaling adds and removes tasks without any operator involvement
- A failing availability zone loses gateway tasks; ECS replaces them; configuration is pulled again; clients reconnect
The enterprise Kafka backbone stays untouched. Internal teams — data engineers, application teams, ML pipelines — connect to MSK directly or through their own internal paths. Their credentials, ACLs, consumer group configurations, and broker-side policies are theirs. External access is a perimeter concern. Adding it doesn't require touching any of that.
When you need to onboard a new external partner, the sequence is:
- Create a Virtual Cluster in Konnect
- Create a Kong Identity client with the appropriate scope and topic claims
- Hand the partner a token endpoint, client ID, and client secret
- Done — zero MSK changes, zero disruption to existing internal consumers
When a partner relationship ends or a credential is compromised:
- Delete the Virtual Cluster or revoke the Kong Identity client
- Done — access is gone immediately, no MSK ACL cleanup, no credential rotation across broker nodes, no internal team notifications
The blast radius of external access is bounded. Because the gateway's SCRAM service account is the only identity MSK ever sees from the external direction, a security incident on the external perimeter — a leaked client credential or an over-permissioned Virtual Cluster — cannot propagate into MSK's ACL space. The gateway service account holds exactly the permissions the gateway needs to proxy traffic; it doesn't inherit the permissions of any external client.
Audit and compliance are concentrated at the perimeter. Every external connection enters through one place. OpenTelemetry traces carry the client identity, the Virtual Cluster, the topic accessed, the operation, and the outcome — all emitted by the gateway before the request ever touches a broker. Compliance teams audit one log stream, not a mix of MSK CloudWatch metrics, broker-side ACL logs, and per-team credential audit trails scattered across accounts.
The MSK cluster grows in stability as external access grows in complexity. That's the core property this architecture is designed to deliver. Onboarding a tenth external partner is as simple as the first: one Virtual Cluster, one set of credentials, and one policy. The enterprise Kafka backbone never knows it happened.
Where to go next
The full Terraform implementation of this architecture — VPC, security groups, MSK cluster, ECS Fargate service, NLB, and all Konnect resources — is available in the companion repository at [github.com/hguerrero/kong-event-gw-aws](https://github.com/hguerrero/kong-event-gw-aws)github.com/hguerrero/kong-event-gw-aws. Deploy the complete stack against a real MSK cluster in two terraform apply steps.
The Kong Konnect Terraform provider covers all Event Gateway resources — Backend Clusters, Virtual Clusters, Listeners, Kong Identity, and ACL policies — making this architecture fully GitOps-compatible from day one.
Kong Konnect has a free trial at [cloud.konghq.com](https://cloud.konghq.com)cloud.konghq.com. Full Event Gateway reference documentation is at [https://developer.konghq.com/event-gateway/](https://developer.konghq.com/event-gateway/)https://developer.konghq.com/event-gateway/.
Kong Event Gateway deploys as a standard container workload on ECS Fargate and connects to AWS MSK via SASL/SCRAM over TLS on port 9096.