Kong Enterprise 3.3 delivers enhanced security, usability, and platform reliability. Learn more

Separating Control and Data Planes in Kong

This post has been archived. For more relevant information, please review our hybrid mode documentation.


Starting with Kong CE 0.13 and the upcoming EE 0.32, it is possible to separate control and data planes in a Kong cluster.

So what are those planes? The control plane is how we instrument the system (pushing configs, fetching logs), whereas the data plane is the traffic that is actually being proxied by the system.

Consider a factory. The factory has a conveyor belt, and on this belt the parts are added, the products assembled and finally packed and shipped. But to run this factory we need a lot more: logistics, work schedules, maintenance, quality reports, and what not. In this example the conveyor belt would be the data plane, where all the auxiliary stuff to enable the belt to deliver the products would be the control plane.

Kong works as a cluster of independent, stateless, nodes. All the Kong nodes in a given cluster are connected to the same database, from which the nodes get their configuration information. Up till now each Kong node would expose a port where it would serve traffic for the proxy (data plane), and another for configuration (the RESTful management API, the control plane).

With the new release we have refactored the way the ports are configured which allows for greater flexibility in infrastructure architecture and system control. This will enable the following uses:

  • disable the proxy all together (making a node a control-plane only node)
  • disable the management API all together (making a node a data-plane only node)
  • define multiple ports for either the proxy or admin api (not explored on this post, but worth mentioning)

This now opens up the possibility to proxy API traffic through Kong via one network segment, while administering Kong via a different network segment, which provides better isolation of the components, without risking accidentally opening up the Kong admin API to the whole internet.

To achieve this we removed the following (default) settings:

# Proxy
proxy_listen =
proxy_listen_ssl =
ssl = on
http2 = off

# Admin API
admin_listen =
admin_listen_ssl =
admin_ssl = on
admin_http2 = off

The format changed into a comma separated list of addresses with flags:

proxy_listen = [off] | <ip>:<port> [ssl] [http2] [proxy_protocol], ...
admin_listen = [off] | <ip>:<port> [ssl] [http2] [proxy_protocol], ... 

This format allows for multiple address/port combinations and flags to configure each of those. The new defaults, mimicking the exact same behavior of the old settings are:

proxy_listen =, ssl
admin_listen =, ssl

Given the new configuration properties we can now simply create a data-plane node by starting Kong with the `admin_listen` setting disabled:

$ KONG_ADMIN_LISTEN=off && kong start

Similarly for a control-plane node we can disable the `proxy_listen` setting:

$ KONG_PROXY_LISTEN=off && kong start


Read more about configuration options

Share Post

Subscribe to Our Newsletter!