Considerations for Deploying a Multi-Cloud Architecture with Kong Gateway, Kuma Service Mesh and Aviatrix

Introduction

Building a multi-region or multi-cloud environment for your applications requires a lot of attention.

In a typical deployment, you would have an API gateway running close to the several application runtimes. You should enhance your deployment to support different regions in a given cloud, or in an even more distributed and hybrid scenario, multiple services running across other public clouds and on-premise environments.

The task gets even more challenging when we consider service mesh-based applications implementing canary releases, A/B testings, blue-green deployments, etc. Moreover, a zero-trust network requirement for distributed environments should be considered mandatory.

1. Architecting a Global, Multi-Cloud Transit Network

From the networking perspective, the multi-cloud environment should address critical requirements. For example, it should:

• Be scalable and not require redesign or have scaling impact when it adds/removes new VPC/VNets. As such, it should avoid direct VPC/VNet peering and use a hub-and-spoke-based transit architecture.
• Support various communication requirements, including public and private IPs, direct peering with two clouds, etc.
• Provide a scalable networking capability to be consumed by all application components, including the API gateway and service mesh.
• Assist additional network services, like next-gen firewall (NGFW), IPS, IDS, DPI, etc., that one can insert transparently without re-architecting any aspect of the deployment or changing the application.

In summary, we recommend pursuing three key attributes:

1. Networking: A repeatable architecture, be it single cloud or multi-cloud
2. Security: Flexible network architecture to implement connections across different security domains/zones
3. Operations: Visibility, control and troubleshooting capabilities that don't require in-depth cloud knowledge

Aviatrix provides complete and easy-to-manage connectivity solutions to support all typical networking requirements for single cloud and multi-cloud application development.

2. Implementing Microservice-Based Application Topologies

From the distributed application perspective, you should consider and address all topics listed above. Furthermore, all the necessary networking connectivity requirements should be in place already so you can implement all diverse topologies on top of the multi-region/multi-cloud platform.

Among these topologies and architecture, we could mention:

• A distributed service mesh deployment with microservices running on different clouds
• API gateway implementing a single point of contact to microservices running on different environments and all sorts of runtimes like Linux, Docker, Kubernetes, etc.
• Distributed API gateway layer having a control plane running on a cloud and multiple data planes across different environments and clouds

3. Referencing Architecture Layers

Kong provides technologies to implement both layers in enterprise architecture:

• Kong API gateway: For multi-cloud and hybrid, optimized for microservices and distributed architectures
• Kuma: A service mesh implementation for distributed service connectivity

The following picture describes a reference architecture:

Notice the reference architecture focuses on the communication between the service mesh components from the application perspective only.

With the extensible list of networking requirements listed above, we recommend implementing a multi-cloud deployment with a combination of both companies' technologies. The picture below describes an example of a hybrid application platform:

While Kong and Kuma are implementing an application platform composed of both an API gateway and service mesh, Aviatrix solves all networking connectivity idiosyncrasies across multiple clouds.

4. Controlling Your Architecture with Kong and Aviatrix

A multi-region/multi-cloud application platform implementation must deal with multiple abstraction layers, including different network infrastructure and services running across multiple runtimes.

The synergistic use of network support technologies provided by Aviatrix, combined with products designed for cloud environments provided by Kong, allows architects to create topologies for their applications to address their technical and business requirements. In other words, customers conduct the technological decision-making process for the application architecture design. The products used must support the process and not the other way around.