SNIs

Uses: Kong Gateway Admin API decK KIC Konnect API Terraform

What is an SNI?

An SNI (Server Name Indication) is used to map multiple hostnames to a Certificate. It allows Kong Gateway to select which SSL/TLS Certificate to use based on the hostname in the client request. This feature ensures that multiple domains can be securely served through the same gateway.

SNI routing

When configuring a Route with a secure protocol, like HTTPS, gRPC, or TLS, you can use an SNI for routing. The SNI is determined during the TLS handshake process and will remain unchanged for the duration of the connection, so all requests will contain the same SNI regardless of the defined Header in the Route configuration. For more information on how routing priorities are assigned read the Expressions Router documentation.

Wildcards

Valid wildcard positions for configuring SNIs are:

mydomain.*
*.mydomain.com
*.www.mydomain.com

This is especially useful when configuring TLS Routes.

Prioritization matching

The prioritization for matching SNIs to Certificates follows this order:

Exact SNI matching certificate
Search for a certificate by an SNI prefix wildcard
Search for a certificate by an SNI suffix wildcard
Search for a certificate associated with the SNI *
The default certificate on the file system

Schema

Set up an SNI

_format_version: "3.0"
snis:
  - name: example-sni
    certificate:
      id: 2e013e8-7623-4494-a347-6d29108ff68b

curl -i -X POST http://localhost:8001/snis/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "example-sni",
      "certificate": {
        "id": "2e013e8-7623-4494-a347-6d29108ff68b"
      }
    }
    '

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/snis/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "example-sni",
      "certificate": {
        "id": "2e013e8-7623-4494-a347-6d29108ff68b"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongSni
metadata:
  name: example-sni
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
name: example-sni
certificate:
  id: 2e013e8-7623-4494-a347-6d29108ff68b
" | kubectl apply -f -

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

resource "konnect_gateway_sni" "my_sni" {
  certificate = {
    id = "2e013e8-7623-4494-a347-6d29108ff68b"
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

The following creates a new SNI with basic configuration:

In Kong Manager or Gateway Manager, go to SNIs.
On the SNIs tab, click New SNI.
In the Name field, enter a name for the SNI:
```
 example-sni
```
In the SSL Certificate ID field, enter the ID for an existing Certificate: ``` 2e013e8-7623-4494-a347-6d29108ff68b