At Kong, we're always looking to expand the experience of running our products in the AWS cloud. As we steadily move into 2023, we want to continue this streak because we see firsthand the tremendous growth and success it provides our customers.
Today, we're excited to announce that the Kong API management platforms, Kong Enterprise and Kong Konnect, are validated integrations with Amazon VPC Lattice.
When designing your AWS environments, the best practice is to build a multi-account, multi-VPC strategy to organize them (See: Organizing Your AWS Environment Using Multiple Accounts Whitepaper). Example use cases are different lines of business, or application lifecycle stages, distributed across accounts and VPCs. This type of isolation is imperative because it narrows the scope of impact, improves overall security and reliability, and enables cost optimization.
But as organizations move more workloads to AWS under a multi-account, multi-VPC strategy, two new issues unfold, because it's very common that multiple lines of business need to communicate with each other in order to provide a more holistic experience.
First, how do you best manage service-to-service communication across account and VPC boundaries without taking unnecessary risks?
Second, how do you provide a simple and centralized API management strategy into (ingress) and out of (egress) the multi-account AWS ecosystem while again minimizing risks?
This is where a Kong API management and AWS VPC Lattice integration can be a game changer.
Amazon VPC Lattice Launch Partner
The mission statement of VPC Lattice is to "simplify service-to-service connectivity, security, and monitoring" in the AWS cloud.
With VPC Lattice, customers can solve complex use cases such as multi-VPC Kubernetes integrations, or multi-account Lambda and EKS integrations.
There are a couple of interesting use cases of how to handle the ingress and egress of services in a VPC Lattice network.
- Consolidate VPC and AWS Account Exposure: VPC Lattice can be used to build secure and simple cross-VPC connectivity, thereby improving developer productivity. Only the Kong Gateway is exposed externally, while all the upstream microservices stay isolated and are made callable by the gateway.
- Gateway-to-Service Connectivity: With VPC Lattice's capabilities to mix-and-match workloads, it's easier to manage gateway-to-service communication. VPC Lattice abstracts away connectivity concerns such as exposing microservices on EKS or Lambda functions to clients such as the gateway.
To this effect, Kong collaborated with AWS to validate the integration of the Kong Gateway with VPC Lattice.
Let's dive into a sample reference architecture to discuss this further.
Kong and VPC Lattice Reference Architecture
The architecture below will focus on one possible variation of Kong Gateway as ingress into a VPC Lattice network.
The overall benefit of this reference architecture is using VPC Lattice non-intrusively to expose backend microservices to the gateway. The gateway can reside within its own AWS environment and simply call out to microservices available on the VPC Lattice network, irrespective of where those services are running (another account, another VPC) or on what type of AWS platform (EKS, ECS, Lambda). Because VPC Lattice abstracts the AWS runtime away as just a DNS entry, from the perspective of the gateway it's simply calling another upstream service.
Let's visualize this with the diagram below.
Single Entry Point: The Kong Gateway, either self-managed with Kong Enterprise or as a SaaS offering with Kong Konnect data plane, can run in separate AWS infrastructure dedicated to the gateway as the only component accessible to your API consumers.
Abstract Isolated Environments: VPC Lattice has the concept of a Service Network and Services. These abstract away any AWS environment design from the gateway so that the backend microservices can run in extremely isolated environments (multi-account or multi-VPC design). Development teams define what services should be accessible to the gateway in a simplified way.
Leverage any Runtime: We have three different AWS runtimes (EKS, ECS, and Lambda) that the gateway is reaching out to without additional networking concerns. VPC Lattice takes care of exposing EKS services to the Lattice network, as well as the other AWS runtimes.
Why Kong Konnect and Kong Enterprise
Kong Enterprise and Kong Konnect are best-in-class API management platforms that are designed for the cloud native era.
Today, Kong supports running on numerous AWS platforms including EC2, ECS, Lambda, EKS, and even EKS Anywhere. And the list of support continues to expand year over year. (See: Supercharge API Management on AWS.)
Kong Enterprise and Kong Konnect are a great fit to enhance and extend a VPC Lattice architecture. Kong provides a powerful, cloud native gateway that serves as the entry point to VPC Lattice, presenting the smallest possible attack surface in front of the AWS services and thereby providing a secure entry point into them. Kong employs a modern plugin architecture for solutions such as OIDC integration and rate-limiting, which give fine-grained control over services, ensuring compliance while maintaining performance. With built-in tools such as decK to support API lifecycle management, exposing VPC Lattice services gains a high level of automation and reliability.
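To make the reference architecture above and the plugin/decK point concrete, here is an added example of a decK declarative configuration for the gateway (this is illustrative configuration written for this post, not Kong's or AWS's own reference material). It assumes two VPC Lattice services whose DNS names, the identity provider's discovery URL, and the client credentials are all placeholders; the shape of the Lattice hostnames is an assumption and must be replaced with the names VPC Lattice actually assigns in your service network.

```yaml
# Added example: decK declarative configuration for a Kong Gateway acting as the
# single entry point to a VPC Lattice service network. Every hostname, ID and
# credential below is a placeholder, not a value taken from Kong or AWS docs.
_format_version: "3.0"

services:
  # One Kong service per VPC Lattice service. The upstream URL is the DNS name
  # VPC Lattice assigns to the service; the gateway does not need to know
  # whether the service runs on EKS, ECS or Lambda, or in which account/VPC.
  - name: orders
    url: https://orders-PLACEHOLDER.PLACEHOLDER.vpc-lattice-svcs.us-east-1.on.aws
    routes:
      - name: orders-route
        paths:
          - /orders
        strip_path: true
    plugins:
      # Authenticate API consumers at the edge, before any request reaches Lattice.
      - name: openid-connect
        config:
          issuer: https://idp.example.com/.well-known/openid-configuration  # placeholder
          client_id:
            - PLACEHOLDER_CLIENT_ID
          client_secret:
            - PLACEHOLDER_CLIENT_SECRET
          auth_methods:
            - bearer
      # Rate-limit per credential so a single consumer cannot exhaust the backend.
      - name: rate-limiting
        config:
          minute: 100
          policy: local
          limit_by: credential

  - name: inventory
    url: https://inventory-PLACEHOLDER.PLACEHOLDER.vpc-lattice-svcs.us-east-1.on.aws
    routes:
      - name: inventory-route
        paths:
          - /inventory
        strip_path: true
    plugins:
      - name: openid-connect
        config:
          issuer: https://idp.example.com/.well-known/openid-configuration  # placeholder
          client_id:
            - PLACEHOLDER_CLIENT_ID
          client_secret:
            - PLACEHOLDER_CLIENT_SECRET
          auth_methods:
            - bearer
      - name: rate-limiting
        config:
          minute: 100
          policy: local
          limit_by: credential
```

Applying this with `deck diff -s kong.yaml` and then `deck sync -s kong.yaml` keeps the gateway configuration in version control, so the set of VPC Lattice services exposed to consumers is reviewable and reproducible. Note that this file only governs what the gateway accepts from API consumers; which callers VPC Lattice itself admits to each service is still decided by the access controls on the Lattice service network, so both layers should be configured together.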
Kong Konnect is Available on AWS Marketplace
Moreover, it's easy to get started with Kong Konnect on AWS.
Kong Konnect is our SaaS API management platform, where the control plane is hosted in the cloud by Kong, while the runtimes, Kong Gateway, run in your environment.
Having Kong Konnect available in the AWS Marketplace shortens the procurement process to just a few clicks. This may seem a small thing, but it has been shown to have a tremendous impact on time to market and cost savings.
We're so excited to be a part of the VPC Lattice Partner Launch. In this post, we reviewed one of many possible interesting reference architectures of Kong API Management Platform with VPC Lattice and how quickly you can get started with Kong Konnect in the AWS Marketplace.