AWS PrivateLink peering

Uses: Kong Gateway
Incompatible with: on-prem

You can establish a private connection between Konnect and your AWS environment using AWS PrivateLink. Traffic between your Data Plane and the Konnect Control Plane then stays on the AWS network instead of traversing the public internet, which reduces data transfer costs and helps meet network isolation requirements.

You can use PrivateLink as an alternative to AWS Transit Gateway for securing this connection.

PrivateLink support is currently available in the following AWS regions:

  • us-east-2
  • us-west-2
  • eu-central-1
  • eu-west-1
  • eu-west-2
  • ap-southeast-1
  • ap-southeast-2

If your AWS region is not listed, contact Kong Support.

Before creating a PrivateLink connection, ensure that you have a VPC, subnets, and a security group configured in your AWS account. For instructions, see the Amazon VPC documentation.

  1. Navigate to VPC > Endpoints in the AWS Console.
  2. Select Create Endpoint.
  3. Choose the service category Endpoint services that use Network Load Balancers and Gateway Load Balancers.
  4. Enter a name tag for the endpoint (for example, konnect-us-geo) indicating the Konnect geo.
  5. Locate the appropriate PrivateLink service name from the tables in the following section based on your AWS region and Konnect geo.
  6. Select your VPC, subnets, and security group for the endpoint. Ensure the following settings are configured:
    • The security group allows inbound TCP traffic on port 443 from your Data Plane nodes.
    • Private DNS is enabled in the additional settings, so that the Konnect DNS name resolves to the endpoint's private IP addresses from inside your VPC. Without it, the name resolves to public addresses and Data Plane traffic does not use the endpoint.
  7. Create the endpoint and wait until the status is available. We recommend waiting 10 minutes before using the endpoint.
  8. After your PrivateLink endpoint is available, update your Data Plane configuration in the kong.conf file to connect to the Konnect Control Plane using the private DNS name for your Konnect geo, substituting your control plane's cluster prefix for $CLUSTER_PREFIX.

    Here’s an example kong.conf configuration for the US geo:

    cluster_control_plane = us.svc.konghq.com/cp/$CLUSTER_PREFIX
    cluster_server_name = us.svc.konghq.com
    cluster_telemetry_endpoint = us.svc.konghq.com:443/tp/$CLUSTER_PREFIX
    cluster_telemetry_server_name = us.svc.konghq.com
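
The following script ties the procedure above together; it is an added example and not Kong's or AWS's own code. It assembles the `aws ec2 create-vpc-endpoint` command for steps 1 through 7 (the PrivateLink service name is taken from the per-region tables and is passed in by the caller, so the `PLACEHOLDER_SERVICE_NAME` value below is an assumption, not a real service name), renders the kong.conf settings from step 8 for a given Konnect DNS name and cluster prefix, and performs the check a practitioner wants before pointing a Data Plane at the endpoint: that the Konnect DNS name resolves, from inside the VPC, only to addresses within the VPC's CIDR blocks. The VPC CIDR, subnet and security group IDs, and the resolved addresses in the sample run are constructed values.

```python
"""Build the Konnect PrivateLink endpoint command, render kong.conf, and
verify that private DNS is actually in effect.  Added example, not Kong code."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

KONNECT_PORT = 443

# Assumption: the real value comes from the per-region service-name table.
PLACEHOLDER_SERVICE_NAME = "com.amazonaws.vpce.<region>.<konnect-service-id>"


def build_create_endpoint_cmd(service_name: str, vpc_id: str, subnet_ids: List[str],
                              security_group_id: str, name_tag: str) -> List[str]:
    """Return the AWS CLI argv equivalent of the console steps 1-7.
    --private-dns-enabled is the flag that makes the Konnect name resolve
    to the endpoint's ENIs inside the VPC."""
    return [
        "aws", "ec2", "create-vpc-endpoint",
        "--vpc-endpoint-type", "Interface",
        "--vpc-id", vpc_id,
        "--service-name", service_name,
        "--subnet-ids", *subnet_ids,
        "--security-group-ids", security_group_id,
        "--private-dns-enabled",
        "--tag-specifications",
        f"ResourceType=vpc-endpoint,Tags=[{{Key=Name,Value={name_tag}}}]",
    ]


def render_kong_conf(dns_name: str, cluster_prefix: str) -> str:
    """Render the four hybrid-mode settings from step 8.  dns_name is the
    Konnect private DNS name for your geo (us.svc.konghq.com for US)."""
    return "\n".join([
        f"cluster_control_plane = {dns_name}/cp/{cluster_prefix}",
        f"cluster_server_name = {dns_name}",
        f"cluster_telemetry_endpoint = {dns_name}:{KONNECT_PORT}/tp/{cluster_prefix}",
        f"cluster_telemetry_server_name = {dns_name}",
    ])


def addresses_inside_vpc(addresses: Iterable[str], vpc_cidrs: Iterable[str]) -> bool:
    """True only if every resolved address falls inside one of the VPC CIDRs.
    An empty answer or any address outside the VPC means the endpoint's
    private DNS is not in effect and traffic would leave the VPC."""
    nets = [ipaddress.ip_network(c, strict=False) for c in vpc_cidrs]
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        return False
    return all(any(a in n for n in nets) for a in addrs)


def resolve(name: str) -> List[str]:
    """Live lookup; run this on a Data Plane host so the VPC resolver answers."""
    infos = socket.getaddrinfo(name, KONNECT_PORT, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def verify_endpoint(dns_name: str, vpc_cidrs: List[str],
                    resolver: Callable[[str], List[str]] = resolve) -> Dict[str, object]:
    """Resolve the Konnect name and report whether it is safe to use."""
    addresses = resolver(dns_name)
    return {"dns_name": dns_name, "addresses": addresses,
            "ok": addresses_inside_vpc(addresses, vpc_cidrs)}


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    cmd = build_create_endpoint_cmd(PLACEHOLDER_SERVICE_NAME, "vpc-0123456789abcdef0",
                                    ["subnet-0aaa", "subnet-0bbb"], "sg-0ccc", "konnect-us-geo")
    print(" ".join(cmd))
    print(render_kong_conf("us.svc.konghq.com", "example-prefix"))
    # Simulated answers: private DNS working, then not working.
    print(verify_endpoint("us.svc.konghq.com", ["10.0.0.0/16"],
                          resolver=lambda _n: ["10.0.1.25", "10.0.2.40"]))
    print(verify_endpoint("us.svc.konghq.com", ["10.0.0.0/16"],
                          resolver=lambda _n: ["198.51.100.7"]))
    try:  # Real check, only meaningful from inside the VPC.
        print(verify_endpoint("us.svc.konghq.com", ["10.0.0.0/16"]))
    except socket.gaierror as exc:
        print(f"live lookup skipped: {exc}")
```

Run the verification from a Data Plane host, not from your workstation: the point is that the VPC's resolver, with private DNS enabled on the endpoint, answers with endpoint ENI addresses. A public answer from inside the VPC means step 6 was not completed and the Data Plane would connect to Konnect over the internet rather than through PrivateLink.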
    

The following tables show the PrivateLink service name and DNS name for each supported AWS region and Konnect geo:
