Initially, Cigna used a single-tier API gateway where all inbound traffic passed through one layer in the DMZ. But as the business scaled, this model became a bottleneck. Each new API required manual firewall requests, slowing onboarding and increasing risk.

The team introduced a “gateway-of-gateways” architecture, a two-hop pattern that separates external and internal traffic. External API flows now pass through a public Kong Gateway in the DMZ, which communicates securely via mutual TLS (mTLS) with an internal gateway.

“This design added an extra layer of protection. Even if the external gateway was compromised, no one can reach the internal systems directly. Only the internal Kong gateway can access upstream targets,” Gnanaprakasam said.

Cigna further optimized performance through a multi-lane model.

• Fast lane for APIs handling small payloads (<5MB) and response times under 30 seconds.

• Slow lane for be for batch or AI workloads, file transfers, and aggregations taking minutes.

• Dedicated gateways for mission-critical APIs requiring custom policies or ultra-low latency (as little as 5–6ms).

“Each API runs in the lane it deserves,” Gnanaprakasam said. “That way, no heavy process can slow down a time-sensitive one.”

As Cigna continued to acquire healthcare businesses, it inherited dozens of legacy patterns. Standardizing security was essential.

The new design enforced mTLS and OIDC (OpenID Connect) for authentication, while supporting 20+ custom plugins built for healthcare-specific compliance. Gnanaprakasam said, “Extensibility was non-negotiable. We have use cases no other enterprise has.”

Observability was centralized with Kong’s HTTP Log and Prometheus plugins, sending telemetry to enterprise logging and APM systems.

As adoption grew, so did the configuration size. The team consolidated environments using a non-production control plane and multiple data planes. But within two months, configuration files reached two gigabytes, resulting in sluggish deployments and sequential build bottlenecks.

“The control plane was constantly pushing out updates,” Sakthi said. “Hundreds of applications were deploying at once, but it had to happen sequentially. We needed a smarter way.”

The answer was Kong Konnect. Konnect provided centralized management, isolated control planes, and a single UI for visibility across all environments. 

“Instead of managing separate control planes and logging into multiple dashboards, we can now see everything in one view,” Sakthi said.

With control plane groups, Cigna could group shared and dedicated gateways while maintaining isolation. Each environment received only the configurations it needed, reducing deployment times and eliminating the massive configuration push problem.

Cigna also expanded globally, launching new control planes in the Middle East to comply with data-localization laws.

Perhaps the most transformative shift came from embracing GitOps as the operational model.

“Nothing should be manual anymore,” Gnanaprakasam said. “Developers should have the freedom to innovate without waiting on infrastructure teams.”

Today, when a developer wants to onboard a new API, they submit a self-service request through a GitHub workflow. Within minutes, a new control plane and scaffolded GitHub repository are created automatically. Developers push their service definitions, which are validated through automated pipelines before deployment.

The process enforces policies, validates YAMLs, performs dry runs, and records every change in the audit log. 

“If something goes wrong, rollback is instant,” Gnanaprakasam said. “GitHub is the source of truth. And with declarative configurations and pre-built service templates, onboarding is seamless.”