This blog post is part two of a two-part series on how we broke down our monolith to scale our API management with Kong Gateway, the world's most popular open-source API gateway. (Here's part one.)
At NexJ, the pioneer of intelligent customer management with client engagement products designed for the financial services industry, we sought to capture the full addressable market by breaking down the monolith and going API-first. At the core, many organizations choose to shift this direction for scalability and connectivity, but the value-add can be exponential. Here is a deeper dive into our implementation journey with Kong.
Let's zero-in on the most critical feature that Kong offers us: security. Since NexJ applications are built for the financial services industry, zero-trust security is the number one priority. NexJ has very strict API and security standards, some based on open web application security project (OWASP) standards. We integrated Kong with our identity provider by using the OpenID Connect (OIDC) plugin so that for each request, the JWT token is validated on the gateway level.
We implemented validation of the API key for each tenant or client by using the Key Authentication plugin. We use two-way SSL, mutual TLS, between our microservices, and we hardened cross-origin resource sharing (CORS) by using Kong's CORS plug-in. Since our microservices are running on Kubernetes, we use the Kong Ingress Controller to route our services and set up the load balancer per cluster. We use Kong's plugin, Requests Transformer Advanced, to transform our requests for health checks.
Each microservice in our infrastructure is built and deployed independently, so it is in its own Docker container that runs in a Kubernetes cluster, an orchestrator and internal network where the containers can communicate and make use of their resources. We use all important Kubernetes objects such as:
We used a declarative approach to set up Kong Gateway and the Kong Ingress Controller, as well as all other resources. We used YAML files to configure pod services and ingress resources, and we used custom resource definitions (CRDs) and Kubernetes-native tooling to configure Kong. That kind of approach is Kubernetes-friendly because it has the ability for version and automate control, and it is simpler and faster to roll back.
We used Kubernetes ingress resources to set up Kong’s workspaces, routes, services, and consumers. In our case, Kong’s workspaces are mapped to our environments, Kong services are mapped to our microservices, Kong's routes are mapped to the endpoints to access our applications, and Kong’s consumers are our applications with tenants that subscribe to them. With a declarative approach through YAML files, we configured plugins for authentication, authorization, transformations of requests and responses, CORS, etc.
The architecture of our applications is set up in a standard, containerized way. We followed the best practices of both Kubernetes and Kong’s set up to be able to integrate with third-party cloud applications in the simplest way. In our cloud environment, the Kong Ingress Controller and Kong Gateway are set up per Kubernetes cluster. When requests come from outside our cloud, they first reach the web application firewall (WAF), then they go through the load balancer, which is configured by the Kong Ingress Controller.
From the load balancer, the requests are distributed over the gateway to the applications. The load balancer is configured by Kong proxy service. Since all access to the APIs is managed through the gateway and ingress resources, our Kubernetes services have cluster IP type, which means you can't access them directly from the outside of the wall, enabling strong security measures.
As each of our applications consists of multiple microservices that are running as containers and pods, they are exposed through Kubernetes services. Each of our environments are in their own Kubernetes cluster. Some databases that we use are managed services, and some are deployed in our clusters.
Since each environment is in its own cluster, the data is not shared between environments - one of our critical security requirements. The communication between microservices is done through mutual TLS. We also have a cert manager deployed in the cluster that manages certifications, their expirations and set up.
Looking toward our roadmap, we aim to extend our Kong Gateway setup. We want to expand the usage of the Development Portal to enable API tracing to increase observability and enhance the troubleshooting process. We are also looking into bringing the Dev Portal to our teams to enable them to subscribe to our own products and services, get the dedicated API key - just as it is with regular clients - and use it for the development of their applications.
This approach would promote our engineering transformation to the API-first approach. With the shift toward GitOps and infrastructure as code, we are trying out Argo CD and automating our pipelines for easy cluster set up. Finally, we are evaluating Kong's recently announced generally available service connectivity platform, Kong Konnect.
As Konnect becomes Kong's standard SaaS enterprise platform, we are looking into how to offload all NexJ operations and maintenance costs by having Kong Gateway and its Postgres database as a managed solution.
Be sure to also check out our webinar where Kong's CTO and Co-Founder, Marco Palladino, and VP of Product, Reza Shafii, discuss how you can transform your organization for API and microservices success.
As of May 2024, Kong Gateway Enterprise 3.3.x.x will enter its End Of Life (EOL) phase and will no longer be a part of the full support cycle. Following this, Kong Gateway Enterprise 3.3.x.x will enter a 12-month sunset support period, exclusively f
Open Banking is a phrase used around the world that describes a new way of engaging with banks. If we consider the 20-plus countries that have embraced the concept, they all have taken a slightly different approach than the UK, the first territory
In the Open Banking ecosystem, Kong Gateway emerges as a pivotal tool. It ensures that financial institutions can comply with stringent regulatory standards and leverage the opportunities presented by this new, data-driven landscape. This article wi
Whether ordering groceries online, checking your bank balance, or tracking a delivery, APIs are behind the scenes making it all possible. They're the backbone of the digital experiences that drive our interconnected global economy. You may know that
How businesses can prepare for the real possibilities of artificial intelligence Everyone’s talking AI — or artificial intelligence. But much of that talk falls into one of two extremes: AI will fix everything or AI will ruin everything. But let’
APIs are at the backbone of every modern application that powers our day-to-day lives. As a matter of fact, API traffic today is at least 83% of the world’s global internet traffic [1], which underlines the importance of modern API infrastructure th
You would think in the Internet age, primary sources for a widely discussed event — one that's helped define cloud computing and today's cascading digital transformation of enterprises — would be easy to track down. The original footprint must be
