Automate Everything: Kong Gateway + API Management with Terraform Across Any Cloud

Too many organizations manually manage their API gateways and policy enforcement today. As humans, we make mistakes. You’ve got one team manually configuring Kong or another gateway on AWS, another fiddling with policies in Azure, and someone else applying governance rules by hand in GCP. That’s a recipe for drift, inconsistency, and eventual chaos.

What you need is consistency, repeatability, and control across all environments, in all clouds, at all times.

Enter Kong Konnect and the Konnect Terraform Operator

This year is the year of Kong Dedicated Cloud Gateways. There, I said it! Kong’s Dedicated Cloud Gateways (DCGW) give you fully isolated, high-performance API gateways running on dedicated infrastructure. No noisy neighbors, no shared tenancy. Just your APIs, your traffic, and your control. That's huge! 

And because DCGWs are fully managed by Kong but deployed in your preferred cloud region, they give you all the benefits of a hosted solution without giving up performance or reliability. 

Here’s where it gets really powerful: you can provision those Dedicated Cloud Gateways using Terraform across AWS, Azure, and GCP. Across any supported region. Within a couple of minutes, your organization can be serving APIs across the globe.

But it doesn’t stop there. You can also define your Kong Gateway API configurations, routes, rate-limiting policies, authentication methods, and even governance rules all in Terraform code. 

• Want to do business in Europe? Deploy a new gateway in Ireland.
• Want to onboard a new API? Define it in a Terraform module.
• Need to apply global authentication policies? Push a config update with terraform apply.
• Want to validate compliance across environments? Bake that logic right into your CI/CD pipeline.

With this approach, everything becomes version-controlled, testable, and portable. Your API infrastructure is no longer dependent on tribal knowledge or a handful of screenshots in Confluence. Instead, it’s code. PR reviewed. Auditable. Reproducible.

What it looks like in action

Set up the Dedicated Cloud Control Plane

So here is the link to the Terraform code I’ve written. This is what the file structure should look like. Add your own terraform.tfvars:

What this will do is:

1. Set up a connection to Konnect

• Configures the Konnect Terraform Provider
• You can use a Personal Access token or System account token to authenticate

2. Creates the API runtime infrastructure

• Creates a new Cloud Control plane called “Global Control Plane”
• Configures gateways in AWS (East) and Azure (West)
• Enables Autopilot for autoscaling

3. Define and secure the API:

• Sets our Gateway Services to point to https://httpbin.konghq.com
• Creates a route for /anything using GET requests.

• Applies a rate-limiting plugin to that route

  • Allows max 5 requests per minute 

All are managed by code.

Generate Konnect Authentication credentials

Create either a Personal Access token or System account token.

Update terraform.tfvars file with the token.

Note: I’m setting “cloud_gateway_network_id” in control-plane.tf. You can update this with your network IDs or create your own new network in Konnect. The easiest way to get the network ID is by calling the admin api. 

Spin up DCGW in AWS And Azure Using Terraform

Once in the GitHub directory, run:

When prompted, type yes. Once it’s successfully, you should get a message like this:

Log in to Konnect and search for the “Global Control Plane.” It can take a few minutes for the gateways to spin up. Go grab a coffee!

We can see here that we have deployed Kong Gateways across two different cloud providers, AWS and Azure. One on the east and one in a western US-based data center. But they could also be across different regions and even in GCP. 

If you click on “Connect,” it will also give you regional and top-level DNS records for the gateway proxy. Try routing to all of them.

The regional ones (as you might have guessed) will route to the regional gateways. While the top-level one will route to the closest one to you based on latency. I’m on the West Coast, so I'll be routed to the West Coast gateways. While some of my colleagues on the East Coast would be routed to the East Coast ones. 

With the configuration we defined in service-config.tf this will deploy the Gateway Service, Route, and Rate Limiting plugin. All in Terraform as code.

Wrapping it: Your APIs Deserve Better

Most teams are still managing APIs like it’s 2013. You can change that.

By combining Kong’s Dedicated Cloud Gateways, Konnect, and Terraform, you can see tremendous value

• Automation: Automating gateway provisioning, API lifecycle, policy enforcement, and governance reduces manual errors and increases efficiency.
• Consistency and Repeatability: Using Terraform ensures consistent configurations across all environments and clouds, eliminating drift and chaos.
• Multi-Cloud Deployment: Deploying API gateways across multiple clouds (AWS, Azure, GCP) and regions provides flexibility and global reach.
• Scalability: Enabling Autopilot for autoscaling ensures the API infrastructure can handle varying traffic loads.
• Version Control and Auditability: Managing API infrastructure as code allows for version control, PR reviews, and auditing, improving security and compliance.
• Reduced Tribal Knowledge Dependence: Infrastructure is defined in code, reducing reliance on individual knowledge and improving maintainability.
• Faster Deployment: Provisioning gateways and configuring APIs using Terraform is quicker than manual methods, enabling faster time-to-market.
• Cost Efficiency: Optimized resource utilization and reduced manual effort can lead to cost savings.

All from a single source of truth. Have more questions or need a real demo? Let's chat! Or learn more about Kong Konnect with Terraform here.