See what makes Kong the fastest, most-adopted API gateway
Check out the latest Kong feature releases and updates
Single platform for SaaS end-to-end connectivity
Enterprise service mesh based on Kuma and Envoy
Collaborative API design platform
API and Microservices Security for Gateways, Service Mesh, and Beyond
Call for speakers & sponsors, Kong API Summit 2023!
2 MIN READ
Starting with Kong CE 0.13 and the upcoming EE 0.32, it is possible to separate control and data planes in a Kong cluster.
So what are those planes? The control plane is how we instrument the system (pushing configs, fetching logs), whereas the data plane is the traffic that is actually being proxied by the system.
Consider a factory. The factory has a conveyor belt, and on this belt the parts are added, the products assembled and finally packed and shipped. But to run this factory we need a lot more: logistics, work schedules, maintenance, quality reports, and what not. In this example the conveyor belt would be the data plane, where all the auxiliary stuff to enable the belt to deliver the products would be the control plane.
Kong works as a cluster of independent, stateless, nodes. All the Kong nodes in a given cluster are connected to the same database, from which the nodes get their configuration information. Up till now each Kong node would expose a port where it would serve traffic for the proxy (data plane), and another for configuration (the RESTful management API, the control plane).
With the new release we have refactored the way the ports are configured which allows for greater flexibility in infrastructure architecture and system control. This will enable the following uses:
This now opens up the possibility to proxy API traffic through Kong via one network segment, while administering Kong via a different network segment, which provides better isolation of the components, without risking accidentally opening up the Kong admin API to the whole internet.
To achieve this we removed the following (default) settings:
proxy_listen = 0.0.0.0:8000
proxy_listen_ssl = 0.0.0.0:8443
ssl = on
http2 = off
# Admin API
admin_listen = 127.0.0.1:8001
admin_listen_ssl = 127.0.0.1:8444
admin_ssl = on
admin_http2 = off
The format changed into a comma separated list of addresses with flags:
proxy_listen = [off] | <ip>:<port> [ssl] [http2] [proxy_protocol], ...
admin_listen = [off] | <ip>:<port> [ssl] [http2] [proxy_protocol], ...
This format allows for multiple address/port combinations and flags to configure each of those. The new defaults, mimicking the exact same behavior of the old settings are:
proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl
admin_listen = 127.0.0.1:8000, 127.0.0.1:8443 ssl
Given the new configuration properties we can now simply create a data-plane node by starting Kong with the `admin_listen` setting disabled:
$ KONG_ADMIN_LISTEN=off && kong start
Similarly for a control-plane node we can disable the `proxy_listen` setting:
$ KONG_PROXY_LISTEN=off && kong start
Read more about configuration options
Want more details on the latest updates?
Read the docs