Ross Kukulinski

By on November 12, 2022

Simplifying Production-Scale API Management With Kong Konnect

When we first launched Kong Konnect Cloud last year, we provided developers and API owners a powerful way to secure and manage their API products powered by the world’s fastest API gateway. Users flocked to Konnect to reduce their operational costs by using our hosted runtime manager, service catalog, developer portal and analytics platform. Since the initial launch, we have partnered with our enterprise customers and co-design partners to further simplify the production-scale adoption of Konnect. 

Today, we’re excited to announce these customer-driven enhancements to Kong Konnect. These improvements enable enterprise adoption of Kong Konnect to manage Kong Gateway data planes operating on-prem and in the public cloud – either as a centralized APIOps platform or federated experience across business units. We’ve been validating these new capabilities in private beta with our design partners and are excited to make them generally available today at cloud.konghq.com/register

Kong Konnect

Kong Konnect

Runtime Groups & Runtime Manager

A top request from customers is the ability to configure and manage access to multiple independent Kong Gateway instances through Kong Konnect. Users want to securely isolate different environments (e.g., production, staging, development) as well as business units or product teams.

Our users typically solve this by operating multiple independent deployments of Kong Gateway. Each unique instance requires them to provision a new Postgres database, deploy a Kong Gateway control plane, secure the environment, then deploy one or more data planes to serve API traffic. 

In this release, we are introducing a new Kong Konnect capability: Runtime Groups. Runtime Groups allow users to organize and configure clusters of API gateway runtimes for different environments and lines of businesses with just a few clicks. Each Runtime Group represents a collection of Kong Gateway dataplane instances sharing the same configuration: services, routes, certificates, plugins and other Kong Gateway configurations. Each Runtime Group represents a Kong Gateway control plane, offers a Kong Admin API endpoint that can be used directly or with decK, can manage hundreds of Gateway dataplanes and supports minor version compatibility across multiple data planes.

Runtime Groups not only reduce infrastructure costs and operational headcount budget to manage Kong Gateway deployments, but it also accelerates time to market by equipping business units and development teams with self-service access to the API infrastructure they need.

runtime-groups-environment-example

Example of secure multi-tenancy across different environments

runtime-groups-LOB-example

Example of secure multi-tenancy across different LoBs

When paired with our new custom teams and permissions, Runtime Groups offer a complete API management platform for organizations scaling from one development team to thousands. For more information, you can read the documentation here.

In addition to Runtime Groups, we’ve brought a re-envisioned Gateway configuration UI to Kong Konnect, allowing existing Kong Enterprise users a familiar way to manage their API gateways. We’re excited to make this user experience available to all Kong Konnect users, regardless of product tier!

New-Gateway-UI-Konnect

New Gateway management UI in Kong Konnect

Custom Teams and Per-Entity Permissions 

Kong Konnect has traditionally offered role-based access control (RBAC) to ensure a secure-by-default platform. Users were assigned permissions based on a handful of pre-defined roles for common use cases. As we’ve partnered with our larger customers, we’ve seen a strong demand to support team-based permissions as well as fine-grained control over access to particular entities.

Launching today for Kong Konnect Enterprise users are Custom Teams and Per-Entity permissions. Our existing RBAC roles have been converted to pre-defined Teams, which are available for all Konnect organizations to ensure business continuity. Kong Konnect Enterprise users are now able to create additional Teams and configure their access permissions to individual Services or Runtime Groups as well as across all Services or Runtime Groups.

kong-konnect-teams

Custom Teams and Per-Entity Permissions

Runtime Groups, when paired with Teams and fine-grained permissions, enable several powerful use cases:

  • Per-tenant/line of business dataplanes – Many customers need to manage different configurations for each line of business to better suit their operational models. With Runtime Groups and Team permissions, only the correct users will have access to each runtime configuration.
  • Environment segmentation with a common API and CLI experience – Many customers need to operate different environments (e.g., Development, Staging, Production) of their API gateways. Runtime Groups allow API platform teams to safely configure and operate gateway data planes for each environment without worrying about accidentally exposing APIs to the wrong end users. 

Declarative Gateway Management With decK 

decK is a popular way for organizations to drive declarative and distributed configuration to their Kong Gateways. Today, we’re excited to announce that as of decK 1.12, we updated the standard deck commands like dump, sync, diff and ping to work out of the box with Kong Konnect’s Runtime Groups. Each Runtime Group can be represented as a single decK configuration file that is interchangeable with Kong Enterprise and Kong Gateway (OSS) installations.

decK-Konnect

Declaratively configure Runtime Groups using decK

This new experience makes it trivial to export a configuration from an existing Kong Gateway installation (`deck dump`) and to import into Kong Konnect (`deck sync –konnect-runtime-group production`). It also offers an incredibly powerful mechanism to promote configuration between environments (e.g., development to production) or to ensure consistent configuration across multiple clouds. 

Please note that as of decK 1.12, we deprecated the `deck konnect` commands in lieu of being able to directly manage Konnect Runtime Groups through standard deck sync, dump, and sync commands.

Developer Portal and Kong Vitals Updates

On top of the innovation to the core Konnect platform, we’ve also shipped a number of improvements to our developer portal and Kong Vitals modules. 

Kong Konnect’s developer portal has always offered an integrated self-service developer and registration process. In this release, we’re introducing a configurable single sign-on experience for developers powered by OpenID Connect. Portal administrators can keep or disable the existing built-in identity provider and configure the preferred OpenID Connect identity provider. Developers will be presented with a Login with SSO option, which will redirect them to the configured identity provider for authentication, and then they will be logged directly into the developer portal. 

konnect-dev-portal-login

Developer portal login options

We’ve also simplified the custom portal domain experience by offloading the SSL certificate generation experience. Portal administrators just need to enter their desired custom portal URL (e.g., portal.companyname.com) and set up a CNAME record to their Konnect Developer Portal domain. Kong Konnect takes care of the rest!

Vitals-overview-traffic-insights

Vitals overview traffic insights

Finally, we’re excited to introduce a new Vitals overview page which offers at-a-glance insight to the traffic throughput and error-rate across all your services cataloged by Service Hub. Users will also be delighted to see revamped contextual-specific graphs throughout Kong Konnect to better understand the golden signals of their API traffic.

Get Started Today! 

New Kong Konnect users can register for a free trial of Konnect Plus here. If you’re interested in exploring some of the new Konnect Enterprise capabilities, schedule a personalized demo today! 

Existing Kong Konnect customers will have their environments upgraded to these new capabilities over the next month. New accounts will start automatically in our new environment with these features out of the box.

Note: Hayden Lam also contributed to this post.

Share Post

Tags: