Dedicated Cloud Gateways reference

Uses: Kong Gateway
Incompatible with: on-prem

How do Dedicated Cloud Gateways work?

When you create a Dedicated Cloud Gateway, Konnect creates a Control Plane. This Control Plane, like other Konnect Control Planes, is hosted by Konnect. You can then deploy Data Planes in different regions.

Dedicated Cloud Gateways support two different configuration modes:

  • Autopilot Mode: Configure expected requests per second, and Konnect pre-warms and autoscales the Data Plane nodes automatically.
  • Custom Mode: Manually specify the instance size, type, and number of nodes per cluster.
 
    flowchart TD
      A(Dedicated Cloud Gateway Control Plane)
      B(Managed Data Plane Node<br>Region 1)
      C(Managed Data Plane Node<br>Region 2)
      subgraph id1 [Konnect]
        A
      end
      A --auto-scale configuration---> B
      A --auto-scale configuration---> C

How do I provision a Control Plane?

  1. Create a Dedicated Cloud Gateway Control Plane by issuing a POST request to the Control Plane API (the id returned in the response is used as $CONTROL_PLANE_ID in the next step):

    curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/" \
         -H "Accept: application/json" \
         -H "Content-Type: application/json" \
         -H "Authorization: Bearer $KONNECT_TOKEN" \
         --json '{
           "name": "cloud-gateway-control-plane",
           "description": "A test Control Plane for Dedicated Cloud Gateways.",
           "cluster_type": "CLUSTER_TYPE_CONTROL_PLANE",
           "cloud_gateway": true,
           "proxy_urls": [
             {
               "host": "example.com",
               "port": 443,
               "protocol": "https"
             }
           ]
         }'
    
  2. Create a Dedicated Cloud Gateway Data Plane by issuing a PUT request to the Cloud Gateways API:

    curl -X PUT "$KONNECT_CONTROL_PLANE_URL/v2/cloud-gateways/configurations" \
         -H "Accept: application/json" \
         -H "Content-Type: application/json" \
         -H "Authorization: Bearer $KONNECT_TOKEN" \
         --json '{
           "control_plane_id": "'$CONTROL_PLANE_ID'",
           "version": "3.9",
           "control_plane_geo": "ap-northeast-1",
           "dataplane_groups": [
             {
               "provider": "aws",
               "region": "na",
               "cloud_gateway_network_id": "'$CLOUD_GATEWAY_NETWORK_ID'",
               "autoscale": {
                 "kind": "autopilot",
                 "base_rps": 100
               }
             }
           ]
         }'
    

Custom DNS

Konnect integrates domain name management and configuration with Dedicated Cloud Gateways.

Konnect configuration

  1. Open Gateway Manager, choose a Control Plane to open the Overview dashboard, then click Connect.

    The Connect menu will open and display the URL for the Public Edge DNS. Save this URL.

  2. Select Custom Domains from the side navigation, then New Custom Domain, and enter your domain name.

    Save the value that appears under CNAME.

Dedicated Cloud Gateways domain registrar configuration

The following settings must be configured in your domain registrar using the values in Konnect. For example, in AWS Route 53, it would look like this:

| Host Name                   | Record Type | Routing Policy | Alias | Evaluate Target Health | Value                                               | TTL |
|-----------------------------|-------------|----------------|-------|------------------------|-----------------------------------------------------|-----|
| _acme-challenge.example.com | CNAME       | Simple         |       |                        | _acme-challenge.9e454bcfec.acme.gateways.konghq.com | 300 |
| example.com                 | CNAME       | Simple         |       |                        | 9e454bcfec.gateways.konghq.com                      | 300 |

Securing backend communication

Dedicated Cloud Gateways only support public networking. If your use case requires private connectivity, consider using Dedicated Cloud Gateways with AWS Transit Gateways.

To securely connect a Dedicated Cloud Gateway to your backend, you can inject a shared secret into each request using the Request Transformer plugin.

  1. Ensure the backend validates a known token, for example one carried in an Authorization header.
  2. Attach the Request Transformer plugin to the Control Plane and Gateway Service that you want to secure:

    curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/core-entities/services/$SERVICE_ID/plugins" \
         -H "accept: application/json"\
         -H "Content-Type: application/json"\
         -H "Authorization: Bearer $KONNECT_TOKEN" \
         --json '{
           "name": "request-transformer",
           "config": {
             "add": {
               "headers": [
                 "Authorization:Bearer '$SECRET_TOKEN_VALUE'"
               ]
             }
           }
         }'
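The upstream side of this setup, as an added example that is not part of Konnect's documentation or Kong's code: the gateway injects `Authorization: Bearer <shared secret>` through Request Transformer, and the backend must accept only requests carrying exactly that secret. The secret value, the WSGI app and the `invoke` helper below are constructed for illustration; any real backend would apply the same `extract_bearer` and `token_is_valid` checks in its own framework.

```python
"""Upstream-side validation of the shared secret the gateway injects.

Added example, not Kong code. The secret and the WSGI app are constructed.
"""
import hmac
from typing import Optional


def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from 'Bearer <token>', or None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def token_is_valid(presented: Optional[str], expected: str) -> bool:
    """Constant-time comparison: timing must not leak how much of the secret matched."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def make_app(shared_secret: str):
    """Build a minimal WSGI app that serves only requests bearing the gateway's secret."""
    def app(environ, start_response):
        token = extract_bearer(environ.get("HTTP_AUTHORIZATION"))
        if not token_is_valid(token, shared_secret):
            start_response("401 Unauthorized",
                           [("Content-Type", "text/plain"), ("WWW-Authenticate", "Bearer")])
            return [b"missing or invalid gateway token\n"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello from the upstream\n"]
    return app


def invoke(app, headers: dict):
    """Drive a WSGI app with constructed headers; returns (status line, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", **headers}
    status = {}

    def start_response(line, _response_headers):
        status["line"] = line

    body = b"".join(app(environ, start_response))
    return status["line"], body


if __name__ == "__main__":
    app = make_app("constructed-example-secret")        # constructed; use a secret store in production
    print(invoke(app, {}))                               # no header -> 401
    print(invoke(app, {"HTTP_AUTHORIZATION": "Bearer constructed-example-secret"}))  # -> 200
    # To serve for real: from wsgiref.simple_server import make_server
    #                    make_server("", 8000, app).serve_forever()
```

One detail worth keeping in mind: Request Transformer's `config.add` only sets a header that the client did not already send, so the backend has to compare against the exact secret rather than merely checking that some bearer token is present, which is what `token_is_valid` does.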
    

AWS Transit Gateway

If you are using Dedicated Cloud Gateways and your upstream services are hosted in AWS, AWS Transit Gateway is the preferred method for most users. For more information and a guide on how to attach your Dedicated Cloud Gateway, see the Transit Gateways documentation.

Azure VNet Peering

If you are using Dedicated Cloud Gateways and your upstream services are hosted in Azure, VNet Peering is the preferred method for most users. For more information and a guide on how to attach your Dedicated Cloud Gateway, see the Azure Peering documentation.

Custom plugins

How does custom plugin streaming work?

With Dedicated Cloud Gateways, Konnect can stream custom plugins from the Control Plane to the Data Plane. The Control Plane becomes the single source of truth for plugin versions. You only need to upload the plugin once, and Konnect handles distribution to all Data Planes in the same Control Plane.

A custom plugin must meet the following requirements:

  • Unique name per plugin
  • One handler.lua and one schema.lua file
  • Cannot run in the init_worker phase or create timers
  • Must be written in Lua
  • A personal or system access token for the Konnect API

How do I add a custom plugin?

Plugins can be uploaded to Konnect using the Konnect UI. You can also use jq with the following request template to add the plugin using the API:

curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/core-entities/custom-plugins" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $KONNECT_TOKEN" \
  -d "$(jq -n \
      --arg handler "$(cat handler.lua)" \
      --arg schema "$(cat schema.lua)" \
      '{"handler":$handler,"name":"streaming-headers","schema":$schema}')" \
    | jq

Once uploaded, you can manage custom plugins using any of the following methods:

Limits

Serverless Gateways have the following limits:

  • Request rate limit: Serverless Gateways support up to 100 requests per second (RPS) per gateway.
  • Maximum request size: Incoming requests are limited to a maximum payload size of 10MB.

For workloads that exceed these limits, consider using Dedicated Cloud Gateways for higher throughput and larger request sizes.

FAQs

If your custom domain fails to attach, a common reason is a Certificate Authority Authorization (CAA) record that restricts certificate issuance. Konnect uses Google Cloud Public CA (pki.goog) to provision SSL/TLS certificates. If your domain's CAA record does not include pki.goog, certificate issuance fails and the attachment fails with it.

To resolve the issue:

  1. Run dig CAA yourdomain.com +short to check for existing CAA records.
  2. If a record exists but doesn’t allow pki.goog, update it.
    yourdomain.com.    CAA    0 issue "pki.goog"
    
  3. Wait for DNS propagation and try attaching your domain again.

If no CAA record exists, no changes are needed. For more details, see the Let’s Encrypt CAA Guide.
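The CAA check from the steps above, as an added example that is not part of Konnect's documentation: it parses the text printed by `dig CAA yourdomain.com +short`, applies the RFC 8659 rules for whether a CA (pki.goog by default) may issue, and, when it may not, returns the record to add. The sample dig output is constructed; `run_dig` is a thin wrapper around a local `dig` binary and is an assumption about your environment (it is not exercised offline).

```python
"""Check whether a domain's CAA records permit pki.goog (Konnect's CA) to issue.

Added example, not part of the Konnect docs. Feed it the output of
`dig CAA yourdomain.com +short`; the sample at the bottom is constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List

KONNECT_CA = "pki.goog"              # CA named in the docs (Google Cloud Public CA)
CRITICAL = 128                       # RFC 8659 "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# One `dig +short` line looks like:   0 issue "pki.goog"
_CAA_LINE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str


def parse_caa(dig_output: str) -> List[CaaRecord]:
    """Parse `dig CAA <name> +short` output into records (empty list if none)."""
    records = []
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CAA_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised CAA line: {line!r}")
        records.append(CaaRecord(int(m.group(1)), m.group(2).lower(), m.group(3).strip()))
    return records


def _ca_domain(value: str) -> str:
    # issue values may carry parameters ("pki.goog; accounturi=..."); the CA
    # domain is the part before the first ';'. A bare ";" names no CA at all.
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(records: List[CaaRecord], ca: str = KONNECT_CA,
                     wildcard: bool = False) -> bool:
    """RFC 8659 decision: may `ca` issue for this name, given its CAA RRset?"""
    if not records:
        return True                  # no CAA record: any CA may issue
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False                 # critical tag we do not understand: refuse
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:    # no issuewild: the issue records apply instead
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True                  # only iodef (or only issuewild for a plain name): unrestricted
    return any(_ca_domain(r.value) == ca.lower() for r in relevant)


def fix_record(domain: str, ca: str = KONNECT_CA) -> str:
    """The CAA record to add so that `ca` is authorised, in zone-file form."""
    return f'{domain.rstrip(".")}.    CAA    0 issue "{ca}"'


def run_dig(domain: str) -> str:
    """Assumption: a local `dig` binary. Argument list, so no shell quoting issues."""
    return subprocess.run(["dig", "CAA", domain, "+short"],
                          capture_output=True, text=True, check=True).stdout


def report(domain: str, dig_output: str, ca: str = KONNECT_CA) -> str:
    """Human-readable verdict for the domain, including the fix when needed."""
    recs = parse_caa(dig_output)
    if issuance_allowed(recs, ca):
        return f"{domain}: {ca} may issue; no CAA change needed"
    return f"{domain}: {ca} is NOT authorised; add:\n  {fix_record(domain, ca)}"


if __name__ == "__main__":
    # Constructed sample: an existing record that only authorises another CA.
    sample = '0 issue "letsencrypt.org"\n0 iodef "mailto:security@example.com"\n'
    print(report("example.com", sample))
```

In practice you would call `report("yourdomain.com", run_dig("yourdomain.com"))`; the decision logic deliberately treats an unknown critical tag as a refusal and an empty RRset as unrestricted, matching how a compliant CA reads the record.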

DNS validation statuses for Dedicated Cloud Gateways are refreshed every 5 minutes.

In Konnect, go to Gateway Manager, choose a Control Plane, click Custom Domains, and use the action menu to delete the domain.

Each Cloud Gateway node is part of a dedicated network for its region (e.g., us-east-1). You can securely peer this network with your AWS network using AWS Transit Gateway.

If the Kong-hosted Control Plane goes down, you won’t be able to access it or update configuration. However, connected Data Plane nodes continue to route traffic normally using the last cached configuration.

AWS PrivateLink offers secure and private connectivity by routing traffic through an endpoint, but it only supports unidirectional communication. This means that Dedicated Cloud Gateway can send requests to your upstream services, but your upstream services cannot initiate communication back to the gateway. For many use cases requiring bidirectional communication—such as callbacks or dynamic interactions between the gateway and your upstream services—this limitation is a blocker. For this reason, PrivateLink is not generally recommended for secure connectivity to your upstream services.
