Starting with Kong CE 0.13 and the upcoming EE 0.32, it is possible to separate control and data planes in a Kong cluster.
So what are those planes? The control plane is how we instrument the system (pushing configs, fetching logs), whereas the data plane is the traffic that is actually being proxied by the system.
Consider a factory. The factory has a conveyor belt, and on this belt the parts are added, the products assembled and finally packed and shipped. But to run this factory we need a lot more: logistics, work schedules, maintenance, quality reports, and what not. In this example the conveyor belt would be the data plane, where all the auxiliary stuff to enable the belt to deliver the products would be the control plane.
Kong works as a cluster of independent, stateless, nodes. All the Kong nodes in a given cluster are connected to the same database, from which the nodes get their configuration information. Up till now each Kong node would expose a port where it would serve traffic for the proxy (data plane), and another for configuration (the RESTful management API, the control plane).
With the new release we have refactored the way the ports are configured which allows for greater flexibility in infrastructure architecture and system control. This will enable the following uses:
This now opens up the possibility to proxy API traffic through Kong via one network segment, while administering Kong via a different network segment, which provides better isolation of the components, without risking accidentally opening up the Kong admin API to the whole internet.
To achieve this we removed the following (default) settings:
The format changed into a comma separated list of addresses with flags:
This format allows for multiple address/port combinations and flags to configure each of those. The new defaults, mimicking the exact same behavior of the old settings are:
Given the new configuration properties we can now simply create a data-plane node by starting Kong with the `admin_listen` setting disabled:
Similarly for a control-plane node we can disable the `proxy_listen` setting:
Stop me if you’ve heard this one before, but there’s a lot of data out there — and the amount is only growing. Estimates typically show persistent data growth roughly at a 20% annual compounded rate. Capturing, storing, analyzing, and actioning data
The Challenge: Securing Distributed Systems Netflix operates over 1,000 microservices handling two billion daily requests (Microservices architecture: from Netflix to APIs). One security gap can trigger cascading breaches. Traditional perimeter sec
The golden triangle: Kong, Okta, and FHIR Together, these three technologies enable healthcare organizations to connect systems with confidence, manage identities responsibly, and share data securely. FHIR Server: Your source of truth. It houses th
This blog post is part two of a two-part series on how we broke down our monolith to scale our API management with Kong Gateway, the world's most popular open-source API gateway . ( Here's part one .) At NexJ , the pioneer of intelligent customer
The challenges of an acquisition frequently appear in a number of critical areas, especially when dealing with a platform as important as Kafka: API Instability and Change : Merged entities frequently rationalize or re-architect their services, whic