You are browsing documentation for an older version. See the latest documentation here.
Gateway
When services need to receive traffic from the outside, commonly called North/South, the Kong Mesh Gateway enables routing network traffic from outside a Kong Mesh mesh to services inside the mesh. The gateway is also responsible for security at the entrance of the Mesh.
Kong Mesh Gateway deploys as a Kong Mesh Dataplane
, that’s an instance of the kuma-dp
process.
Like all Kong Mesh Dataplanes
, the Kong Mesh Gateway Dataplane
manages an Envoy proxy process that does the actual network traffic proxying.
You can distinguish two types of gateways:
- delegated: Allows users to use any existing gateway like Kong.
- builtin: Configures the data plane proxy to expose external listeners to drive traffic inside the mesh.
Gateways exist within a mesh. If you have multiple meshes, each mesh requires its own gateway. You can easily connect your meshes together using cross-mesh gateways.
Below visualization shows the difference between delegated and builtin gateways:
Builtin with Kong Gateway to handle the inbound traffic:
Delegated with Kong Gateway:
The blue lines represent traffic not managed by Kong Mesh, which needs configuring in the Gateway.
Delegated
The Dataplane
entity can operate in gateway
mode. This way you can integrate Kong Mesh with existing API Gateways like Kong.
The gateway
mode lets you skip exposing inbound listeners so it won’t be intercepting ingress traffic. When you use a data plane proxy with a service, both inbound traffic to a service and outbound traffic from the service flows through the proxy. In the gateway
mode, you want inbound traffic to go directly to the gateway, otherwise, clients require dynamically generated certificates for communication between services within the mesh. The gateway itself should handle security at an entrance to the mesh.
Usage
Builtin
The builtin gateway is integrated into the core Kong Mesh control plane. You can configure gateway listeners and routes to service directly using Kong Mesh policies.
The builtin gateway is configured on a Dataplane
:
type: Dataplane
mesh: default
name: gateway-instance-1
networking:
address: 127.0.0.1
gateway:
type: BUILTIN
tags:
kuma.io/service: edge-gateway
A builtin gateway Dataplane
does not have either inbound or outbound configuration.
To configure your gateway Kong Mesh has these resources:
- MeshGateway is used to configure listeners exposed by the gateway
- MeshGatewayRoute is used to configure route to route traffic from listeners to other services.
Kong Mesh gateways are configured with the Envoy best practices for edge proxies.
Usage
You can create and configure a gateway that listens for traffic from outside of your mesh and forwards it to the demo app frontend.
Now let’s create a MeshGateway
to configure the listeners:
The MeshGateway
creates a listener on port 8080 and will accept any traffic which has the Host
header set to foo.example.com
.
Notice that listeners have tags like Dataplanes
. This will be useful when binding routes to listeners.
These are Kong Mesh policies so if you are running on multi-zone they need to be created on the Global CP. See the dedicated section for using builtin gateways on multi-zone.
Now, you can define a MeshGatewayRoute
to forward your traffic based on the
matched URL path.
TCP
The builtin gateway also supports TCP MeshGatewayRoutes
:
type: MeshGateway
mesh: default
name: edge-gateway
selectors:
- match:
kuma.io/service: edge-gateway
conf:
listeners:
- port: 8080
protocol: TCP
tags:
port: tcp/8080
---
type: MeshGatewayRoute
mesh: default
name: edge-gateway-route
selectors:
- match:
kuma.io/service: edge-gateway
port: tcp/8080
conf:
tcp:
rules:
- backends:
- destination:
kuma.io/service: redis_kuma-demo_svc_6379
The TCP configuration only supports the backends
key (no matches
or filters
). There are no TCP-generic ways to filter or match traffic so it can only load balance.
Multi-zone
The Kong Mesh Gateway resource types, MeshGateway
and MeshGatewayRoute
, are synced across zones by the Kong Mesh control plane.
If you have a multi-zone deployment, follow existing Kong Mesh practice and create any Kong Mesh Gateway resources in the global control plane.
Once these resources exist, you can provision serving capacity in the zones where it is needed by deploying builtin gateway Dataplanes
(in Universal zones) or MeshGatewayInstances
(Kubernetes zones).
See the multi-zone docs for a refresher.
Cross-mesh
The Mesh
abstraction allows users
to encapsulate and isolate services
inside a kind of submesh with its own CA.
With a cross-mesh MeshGateway
,
you can expose the services of one Mesh
to other Mesh
es by defining an API with MeshGatewayRoute
s.
All traffic remains inside the Kong Mesh data plane protected by mTLS.
All meshes involved in cross-mesh communication must have mTLS enabled.
To enable cross-mesh functionality for a MeshGateway
listener,
set the crossMesh
property.
...
mesh: default
selectors:
- match:
kuma.io/service: cross-mesh-gateway
conf:
listeners:
- port: 8080
protocol: HTTP
crossMesh: true
hostname: default.mesh
Hostname
If the listener includes a hostname
value,
the cross-mesh listener will be reachable
from all Mesh
es at this hostname
and port
.
In this case, the URL http://default.mesh:8080
.
Otherwise it will be reachable at the host:
internal.<gateway-name>.<mesh-of-gateway-name>.mesh
.
Without transparent proxy
If transparent proxy isn’t set up, you’ll have to add the listener explicitly as
an outbound to your Dataplane
objects if you want to access it:
...
outbound
- port: 8080
tags:
kuma.io/service: cross-mesh-gateway
kuma.io/mesh: default
Limitations
Cross-mesh functionality isn’t supported across zones at the moment but will be in a future release.
The only protocol
supported is HTTP
.
Like service to service traffic,
all traffic to the gateway is protected with mTLS
but appears to be HTTP traffic
to the applications inside the mesh.
In the future, this limitation may be relaxed.
There can be only one entry in selectors
for a MeshGateway
with crossMesh: true
.
Policy support
Not all Kong Mesh policies are applicable to Kong Mesh Gateway (see table below). Kong Mesh connection policies are selected by matching the source and destination expressions against sets of Kong Mesh tags. In the case of Kong Mesh Gateway the source selector is always matched against the Gateway listener tags, and the destination expression is matched against the backend destination tags configured on a Gateway Route.
When a Gateway Route forwards traffic, it may weight the traffic across multiple services.
In this case, matching the destination for a connection policy becomes ambiguous.
Although the traffic is proxied to more than one distinct service, Kong Mesh can only configure the route with one connection policy.
In this case, Kong Mesh employs some simple heuristics to choose the policy.
If all the backend destinations refer to the same service, Kong Mesh will choose the oldest connection policy that has a matching destination service.
However, if the backend destinations refer to different services, Kong Mesh will prefer a connection policy with a wildcard destination (i.e. where the destination service is *
).
Kong Mesh may select different connection policies of the same type depending on the context. For example, when Kong Mesh configures an Envoy route, there may be multiple candidate policies (due to the traffic splitting across destination services), but when Kong Mesh configures an Envoy cluster there is usually only a single candidate (because clusters are defined to be a single service). This can result in situations where different policies (of the same type) are used for different parts of the Envoy configuration.
Policy | GatewaySupport |
---|---|
Circuit Breaker | Full |
External Services | Full |
Fault Injection | Full |
Health Check | Full |
Proxy Template | Full |
Rate Limits | Full |
Retries | Full |
Traffic Permissions | Full |
Traffic Routes | None |
Traffic Log | Partial |
Timeouts | Full |
VirtualOutbounds | None |
You can find in each policy’s dedicated information with regard to builtin gateway support.