• The API Platform for AI.

      Explore More
      Platform Runtimes
      Kong Gateway
      • Kong Cloud Gateways
      • Kong Ingress Controller
      • Kong Operator
      • Kong Gateway Plugins
      Kong AI Gateway
      Kong Event Gateway
      Kong Mesh
      Platform Core Services
      • Gateway Manager
      • Mesh Manager
      • Service Catalog
      Platform Applications
      • Developer Portal
      • API and AI Analytics
      • API Products
      Development Tools
      Kong Insomnia
      • API Design
      • API Testing and Debugging
      Self-Hosted API Management
      Kong Gateway Enterprise
      Kong Open Source Projects
      • Kong Gateway OSS
      • Kuma
      • Kong Insomnia OSS
      • Kong Community
      Get Started
      • Sign Up for Kong Konnect
      • Documentation
    • Featured
      Open Banking SolutionsMobile Application API DevelopmentBuild a Developer PlatformAPI SecurityAPI GovernanceKafka Event StreamingAI GovernanceAPI Productization
      Industry
      Financial ServicesHealthcareHigher EducationInsuranceManufacturingRetailSoftware & TechnologyTransportation
      Use Case
      API Gateway for IstioBuild on KubernetesDecentralized Load BalancingMonolith to MicroservicesObservabilityPower OpenAI ApplicationsService Mesh ConnectivityZero Trust SecuritySee all Solutions
      Demo

      Learn how to innovate faster while maintaining the highest security standards and customer trust

      Register Now
  • Customers
    • Documentation
      Kong KonnectKong GatewayKong MeshKong AI GatewayKong InsomniaPlugin Hub
      Explore
      BlogLearning CentereBooksReportsDemosCase StudiesVideos
      Events
      API SummitWebinarsUser CallsWorkshopsMeetupsSee All Events
      For Developers
      Get StartedCommunityCertificationTraining
    • Company
      About UsWhy Kong?CareersPress RoomInvestorsContact Us
      Partner
      Kong Partner Program
      Security
      Trust and Compliance
      Support
      Enterprise Support PortalProfessional ServicesDocumentation
      Press Release

      Kong Expands with New Headquarters in Downtown San Francisco

      Read More
  • Pricing
  • Login
  • Get a Demo
  • Start for Free
Blog
  • Engineering
  • Enterprise
  • Learning Center
  • Kong News
  • Product Releases
    • API Gateway
    • Service Mesh
    • Insomnia
    • Kubernetes
    • API Security
    • AI Gateway
  • Home
  • Blog
  • Engineering
  • Separating Control and Data Planes in Kong
Engineering
March 28, 2018
2 min read

Separating Control and Data Planes in Kong

Thijs Schreijer

This post has been archived. For more relevant information, please review our hybrid mode documentation.

Starting with Kong CE 0.13 and the upcoming EE 0.32, it is possible to separate control and data planes in a Kong cluster.

So what are those planes? The control plane is how we instrument the system (pushing configs, fetching logs), whereas the data plane is the traffic that is actually being proxied by the system.

Consider a factory. The factory has a conveyor belt, and on this belt the parts are added, the products assembled and finally packed and shipped. But to run this factory we need a lot more: logistics, work schedules, maintenance, quality reports, and what not. In this example the conveyor belt would be the data plane, where all the auxiliary stuff to enable the belt to deliver the products would be the control plane.

Kong works as a cluster of independent, stateless, nodes. All the Kong nodes in a given cluster are connected to the same database, from which the nodes get their configuration information. Up till now each Kong node would expose a port where it would serve traffic for the proxy (data plane), and another for configuration (the RESTful management API, the control plane).

With the new release we have refactored the way the ports are configured which allows for greater flexibility in infrastructure architecture and system control. This will enable the following uses:

  • disable the proxy all together (making a node a control-plane only node)
  • disable the management API all together (making a node a data-plane only node)
  • define multiple ports for either the proxy or admin api (not explored on this post, but worth mentioning)

This now opens up the possibility to proxy API traffic through Kong via one network segment, while administering Kong via a different network segment, which provides better isolation of the components, without risking accidentally opening up the Kong admin API to the whole internet.

To achieve this we removed the following (default) settings:

The format changed into a comma separated list of addresses with flags:

This format allows for multiple address/port combinations and flags to configure each of those. The new defaults, mimicking the exact same behavior of the old settings are:

Given the new configuration properties we can now simply create a data-plane node by starting Kong with the `admin_listen` setting disabled:

Similarly for a control-plane node we can disable the `proxy_listen` setting:

Read more about configuration options

Topics:API Gateway
|
Decentralization
|
Thought Leadership
Powering the API world

Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

Sign up for Kong newsletter

Platform
Kong KonnectKong GatewayKong AI GatewayKong InsomniaDeveloper PortalGateway ManagerCloud GatewayGet a Demo
Explore More
Open Banking API SolutionsAPI Governance SolutionsIstio API Gateway IntegrationKubernetes API ManagementAPI Gateway: Build vs BuyKong vs PostmanKong vs MuleSoftKong vs Apigee
Documentation
Kong Konnect DocsKong Gateway DocsKong Mesh DocsKong AI GatewayKong Insomnia DocsKong Plugin Hub
Open Source
Kong GatewayKumaInsomniaKong Community
Company
About KongCustomersCareersPressEventsContactPricing
  • Terms•
  • Privacy•
  • Trust and Compliance
  • © Kong Inc. 2025