By on August 29, 2017

Secure and Manage AWS Lambda Endpoints with Kong

Kong is the most popular open-source API management layer. It's extendable through a curated list of plugins, and you can write your own plugins as well. Kong scales horizontally, runs on all infrastructure types, and its core is built on top of OpenResty, which is one of the most performant web application servers.

1. Introduction to Kong and AWS Lambda

In this quickstart tutorial, we will walk you through the steps to set up Kong with AWS Lambda and build a simple “Hello World” app as a demonstration. Kong can help you secure and manage your AWS Lambda services. It includes support for popular authentication services, access control lists, rate limiting, and more. It gives you the tools to publish APIs that you can safely share with your customers.

If you haven’t heard of AWS Lambda, it’s a serverless computing platform that allows you to run functions in the cloud using an event-driven solution. AWS Lambda allows you to concentrate only on code, while all provisioning is handled by AWS. The main benefits are pay per use, automatic scaling, reliable availability, and integrated security.

2. Why Use Kong?

The main features that allow Kong to outperform other API management services are:

  • Well-written documentation and a large, active community with a chat on Gitter
  • The core of Kong, OpenResty, is built to solve the problem of handling 10K to 1000K+ connections in a single server
  • Extensibility through many plugins and the ability to write custom ones make Kong a highly customizable API layer solution
  • With horizontal scaling, you can grow by adding more lower-cost machines rather than expensive resources (CPU, RAM) to existing machines
  • Kong allows you to write Lua scripts, which are lightweight and powerful

3. Set up Kong using CloudFormation

Let’s build a simple app to demonstrate how to set up Kong and Lambda. We’ll create a web page that displays “Hello World”. It will retrieve this message through a Lambda service, which will be managed by Kong. To make the setup process easier, we will use a CloudFormation template, which will automatically configure servers and databases to host Kong.

Step 3.1. Make sure you have an EC2 Key Pair or create a new one from either the AWS CLI or AWS Console. You can find more information here.

Step 3.2. Open up Kong’s AWS CloudFormation installation guide. Pick the template Kong with PostgreSQL with the HVM AMI. For testing purposes, we will use small instance types, which are lower cost and use HVM. Also, choose the same region where you created your key.

On the opened AWS CloudFormation page to create a stack, click Next. Now we specify the Parameters of the CloudFormation stack. For testing purposes, the default options are sufficient. Only the following parameters need to be changed:

  • DBClass = the size of database to use. Choose a smaller instance like db.t2.small for testing.
  • KongKeyName = the EC2 Key pair created in the previous step
  • KongFleetDesiredSize = the number of instances for the API server. For testing we can set this to 1.
  • KongInstanceType = the size of API server to use. Choose a smaller instance like t2.small for testing.

Click Next. After reviewing the details of your stack, press Create. It takes CloudFormation about 20 minutes to create a stack. You can view the status of your stack by clicking the update icon in the right top corner. For more details, refer to Kong CloudFormation Stack on GitHub.

4. Configure Kong

Once the status of the stack is in the CREATE_COMPLETE state, your EC2 instance is ready. Now we need to configure the Kong API.

Step 4.1. Connect to the created EC2 instance that contains Kong. You can connect through a web browser or SSH on the command line. For SSH on the command line, replace the values in the below command with your own:

$ ssh -i /path_to_your_EC2_key_pair.pem ec2-user@ec2-52-34-126.us-west-2.compute.amazonaws.com

  • ec2-user – default username; yours should be the same
  • ec2-52-34-126.us-west-2.compute.amazonaws.com – replace with the domain name of your new instance. You can find this under Services -> EC2 -> Description Tab.

 

Step 4.2. Find your load balancer DNS name by clicking Load Balancers in the left-hand menu of the EC2 console, and then view the properties. It should be in this format:
kong-elb-KongLoad-17MEBDUYHKYFQ-826186380.us-west-2.elb.amazonaws.com. This is the default public domain name where your service is available. It’s long and hard to read, but you can change it later!

Step 4.3. Follow the instructions in Kong’s documentation to add an example API. Replace the host field with the DNS name of your load balancer created above, but convert it to lowercase. Kong API is case-sensitive and will raise an error, “no API found with those values” if your browser calls with a different case. You can use the provided name and upstream_url. The value of upstream_url does not matter since the Lambda plugin will not use this field.

Step 4.4. We also want to add the CORS plug-in, which will help us test from our browser on a local page. It gives our browser permission to call our load balancer’s domain. We want to accept all origins by setting --data "config.origins=*".

5. Configure Lambda

Step 5.1. Open Lambda service from the AWS Console. Click on Create Function and then Author from scratch. Skip adding a trigger for now. After that, give it a name and copy the contents of the below script. This script will respond with the string “Hello, World!”.

'use strict';
exports.handler = (event, context, callback) => {
   // The first callback argument is the error (none here); the second is the response.
   var greeting = 'Hello, World!';
   callback(null, greeting);
};

Step 5.2. Next we will create an IAM user that will grant Kong permission to call our Lambda function. Under Services click on IAM, then Users, then Add User. Type “kong-example” as the username, click Programmatic access, then Next. Click the button “Attach existing policies directly” and select AWSLambdaFullAccess as shown in the screenshot below. When done, click Create User and then save the access credentials for the next step.
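AWSLambdaFullAccess grants far more than Kong needs to call one function. A narrower alternative, as an added example that is not part of the original tutorial: an inline policy that allows only lambda:InvokeFunction on the function from step 5.1. The policy name, the account ID in the usage line and the function name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): scope the kong-example user to
# invoking a single function instead of attaching AWSLambdaFullAccess.
set -eu

# Print an IAM policy allowing lambda:InvokeFunction on exactly one function.
# Arguments: region, 12-digit account id, function name.
invoke_only_policy() {
  case "$2" in
    *[!0-9]*|"") echo "account id must be numeric" >&2; return 1 ;;
  esac
  [ "${#2}" -eq 12 ] || { echo "account id must be 12 digits" >&2; return 1; }
  # Reject wildcards and other characters so the Resource never widens by accident.
  case "$3" in
    *[!A-Za-z0-9_-]*|"") echo "invalid function name" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "KongInvokeOnly",
    "Effect": "Allow",
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:$1:$2:function:$3"
  }]
}
EOF
}

# Usage: ./kong-iam.sh apply us-west-2 123456789012 hello-world
# (123456789012 is a placeholder account id; policy name is an assumption.)
if [ "${1:-}" = "apply" ]; then
  aws iam put-user-policy --user-name kong-example \
    --policy-name kong-invoke-only \
    --policy-document "$(invoke_only_policy "$2" "$3" "$4")"
  # Confirm no broader managed policy is still attached to the user.
  aws iam list-attached-user-policies --user-name kong-example
fi
```
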

 

Step 5.3. Follow the linked instructions to add the AWS Lambda Plugin to Kong, which will trigger the AWS Lambda function. Use the Lambda function name from step 5.1 and the IAM credentials created in the previous step. Verify the API endpoint works as expected by running the following command from the CLI of the instance. It should respond with “Hello, World!”.

$ curl -iX GET --url http://localhost:8000 \
--header "Host: kong-elb-kongload-17mebduyhkyfq-826186380.us-west-2.elb.amazonaws.com"
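The Admin API calls behind steps 4.3, 4.4 and 5.3, collected as an added example; these are not the commands from Kong's documentation or from the original post. It assumes the 2017-era Admin API (/apis objects) on localhost:8001, a placeholder upstream_url, and the IAM credentials exported as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the 2017-era Kong Admin
# API (/apis objects) on localhost:8001, run from the Kong instance itself.
set -eu
ADMIN="${KONG_ADMIN:-http://localhost:8001}"   # KONG_ADMIN is a hypothetical override
API_NAME="example-api"

# Kong matches the Host header case-sensitively: register the ELB name lowercased.
normalize_host() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Step 4.3: register the API. upstream_url is required but unused by the
# Lambda plugin, so a placeholder is enough.
add_api() {
  curl -sS -X POST "$ADMIN/apis/" \
    --data "name=$API_NAME" \
    --data "hosts=$(normalize_host "$1")" \
    --data "upstream_url=http://example.com"
}

# Step 4.4: CORS for local browser testing. "*" matches the tutorial; pass a
# specific origin once the page is served from a real site.
add_cors() {
  curl -sS -X POST "$ADMIN/apis/$API_NAME/plugins" \
    --data "name=cors" \
    --data-urlencode "config.origins=${1:-*}"
}

# Step 5.3: AWS Lambda plugin. Secrets come from the environment and are
# URL-encoded, because secret keys may contain "+" or "/".
add_lambda() {
  curl -sS -X POST "$ADMIN/apis/$API_NAME/plugins" \
    --data "name=aws-lambda" \
    --data "config.aws_region=$2" \
    --data "config.function_name=$1" \
    --data-urlencode "config.aws_key=$AWS_ACCESS_KEY_ID" \
    --data-urlencode "config.aws_secret=$AWS_SECRET_ACCESS_KEY"
}

# Usage: ./kong-setup.sh apply <elb-dns-name> <function-name> <region>
if [ "${1:-}" = "apply" ]; then
  add_api "$2"
  add_cors
  add_lambda "$3" "$4"
fi
```
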

6. Run a sample app

Lastly, we are going to create an example web page. It will use axios as an HTTP client to call the Kong API endpoint. Kong will call the Lambda function and send the response back to the page.

Step 6.1. Open a text editor, paste in the below code but replace the domain name with your own. When you’re done, save it as index.html.

Step 6.2. Open the index.html file you just created in your browser and verify it says “Hello World!”. If you have any problem, open your browser's Developer Console to check for errors.

 

If you made it this far, then congratulations! You now have a good understanding of how to configure Kong with Lambda. You also have a local environment to test the capabilities of Kong and extend it for your own needs!

7. Next Steps

Next I encourage you to repeat the above steps with your own app! Use your own Lambda function and client application. Instead of naming your API “example-api”, give it a name unique to your application. Consider configuring your DNS with an alias for the load balancer so that you don’t need to use the long default name. Experiment with adding some additional plugins to add security and traffic management capabilities.

Before moving your Kong service to production, please change the default password for the database, and choose appropriate instances and fleet size when using CloudFormation. If you need help, please join the conversation on Gitter or our Google Group.