Konnect deployments run in either managed or Hybrid Mode, which means that there is a separate Control Plane attached to a Data Plane consisting of one or more Data Plane nodes. Konnect Control Planes and Data Plane nodes rely on specific ports and hostnames for secure communication and configuration. The following tables detail the required ports for cluster communication and audit logging, and the hostnames for connecting to regional Control Plane and telemetry endpoints.
Networking in Konnect
Control plane ports
The Konnect Control Plane uses the following ports:
| Port | Protocol | Description |
|---|---|---|
| 443 | TCP, HTTPS | Cluster communication port for configuration and telemetry data. The Konnect Control Plane uses this port to listen for connections and to communicate with Data Plane nodes. The cluster communication port must be accessible to Data Plane nodes within the same cluster. This port is protected by mTLS to ensure end-to-end security and integrity. |
| 8071 | TCP, UDP | Port used for audit logging. |
Kong Gateway’s hosted Control Plane expects traffic on these ports, so they can’t be customized.
Note: If you can’t make outbound connections using port 443, you can use an existing proxy in your network to make the connection. See Use a forward proxy to secure communication across a firewall for details.
Data plane node ports
The proxy ports are the only ports that should be made available to your clients. Upstream services are accessible via the proxy interface and ports, so make sure that these values only grant the access level you require.
Your proxy will need rules added for any HTTP/HTTPS and TCP/TLS stream listeners that you configure. For example, if you want Kong Gateway to manage traffic on port 4242, your firewall must configure the Route to allow traffic on that port.
The following are the default proxy ports:
| Port | Protocol | Configuration parameter | Description |
|---|---|---|---|
| 8000 | HTTP | proxy_listen | Takes incoming HTTP traffic from Consumers, and forwards it to upstream services. |
| 8443 | HTTPS | proxy_listen | Takes incoming HTTPS traffic from Consumers, and forwards it to upstream services. |
You can also proxy TCP/TLS streams, which is disabled by default. If you want to proxy this traffic, see stream_listen in the Kong configuration reference for more information about stream proxy listen options and how to enable it.
Hostnames
The following geographic regions and their hostname region identifiers are supported:
- AU (Australia): au
- EU (Europe): eu
- ME (Middle East): me
- IN (India): in
- US (United States): us
Depending on the regions your organization uses, you’ll need to allowlist the hostnames and include the region-specific identifier in the hostname in place of {region}:
| Hostname | Description |
|---|---|
| cloud.konghq.com | The Konnect platform. |
| global.api.konghq.com | The Konnect API for platform authentication, identity, permissions, teams, and organizational entitlements and settings. |
| REGION.api.konghq.com | The Konnect API for the geo. Necessary if you are using decK in your workflow; decK uses this API to access and apply configurations. |
| PORTAL_ID.REGION.portal.konghq.com | The URL for the Dev Portal in the geo. |
| CONTROL_PLANE_DNS_PREFIX.REGION.cp0.konghq.com | Handles configuration for a Control Plane in the geo. Data Plane nodes connect to this host to receive configuration updates. This hostname is unique to each organization and Control Plane. |
| CONTROL_PLANE_DNS_PREFIX.REGION.tp0.konghq.com | Gathers telemetry data for a Control Plane in the geo. This hostname is unique to each organization and Control Plane. |
Mesh Manager hostnames
If you use Mesh Manager to manage your Kong service mesh, you must add the {geo}.mesh.sync.konghq.com:443 hostname to your firewall allowlist. The geo can be au, eu, us, or global.
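The hostnames table and the Mesh Manager note above define the outbound allowlist a Data Plane network needs. The script below is an added example, not Kong's own tooling: it builds that list from a region identifier and the Control Plane's DNS prefix, validates the region against the identifiers listed on this page, and probes each endpoint with a plain TCP connect. Every prefix and ID value is a constructed placeholder (EXAMPLE-PREFIX, EXAMPLE-PORTAL); the real CONTROL_PLANE_DNS_PREFIX and PORTAL_ID come from your Konnect organization. The probe is injectable so the allowlist logic can be exercised without network access.

```python
"""Build the outbound allowlist a Konnect Data Plane needs and probe it.

Added example, not Kong's own tooling. Hostname patterns, region identifiers
and the cluster port come from the tables above; every prefix/ID value is a
constructed placeholder supplied by the caller.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Region identifiers listed in the Hostnames section.
SUPPORTED_REGIONS = ("au", "eu", "me", "in", "us")
# Geos accepted by the Mesh Manager sync hostname (note the extra "global").
MESH_GEOS = ("au", "eu", "us", "global")
# Cluster communication (configuration + telemetry) runs over 443 and is fixed.
CLUSTER_PORT = 443

Endpoint = Tuple[str, int]


def required_endpoints(region: str, cp_dns_prefix: str,
                       portal_id: Optional[str] = None,
                       mesh_geo: Optional[str] = None) -> List[Endpoint]:
    """Return the (hostname, port) pairs a Data Plane network must reach.

    cp_dns_prefix is the CONTROL_PLANE_DNS_PREFIX of the Control Plane
    (assumption: the caller looks it up in Konnect); portal_id and mesh_geo
    are only needed when the Dev Portal or Mesh Manager are in use.
    """
    region = region.lower()
    if region not in SUPPORTED_REGIONS:
        raise ValueError(f"unsupported region {region!r}, expected one of {SUPPORTED_REGIONS}")
    endpoints: List[Endpoint] = [
        ("cloud.konghq.com", 443),                  # Konnect platform
        ("global.api.konghq.com", 443),             # auth, identity, teams, entitlements
        (f"{region}.api.konghq.com", 443),          # regional API (used by decK)
        (f"{cp_dns_prefix}.{region}.cp0.konghq.com", CLUSTER_PORT),  # configuration
        (f"{cp_dns_prefix}.{region}.tp0.konghq.com", CLUSTER_PORT),  # telemetry
    ]
    if portal_id:
        endpoints.append((f"{portal_id}.{region}.portal.konghq.com", 443))
    if mesh_geo:
        mesh_geo = mesh_geo.lower()
        if mesh_geo not in MESH_GEOS:
            raise ValueError(f"unsupported mesh geo {mesh_geo!r}, expected one of {MESH_GEOS}")
        endpoints.append((f"{mesh_geo}.mesh.sync.konghq.com", 443))
    return endpoints


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live check: DNS resolution plus a TCP handshake. No TLS is negotiated,
    so True means the network path is open, not that the mTLS handshake works."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_egress(endpoints: List[Endpoint],
                 probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, bool]:
    """Probe every endpoint; the probe is injectable so the logic runs offline."""
    return {f"{host}:{port}": probe(host, port) for host, port in endpoints}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Endpoints that failed the probe, sorted for stable reporting."""
    return sorted(key for key, ok in results.items() if not ok)


if __name__ == "__main__":
    # Placeholder values; replace with your organization's real prefix and IDs.
    eps = required_endpoints("us", "EXAMPLE-PREFIX", portal_id="EXAMPLE-PORTAL")
    for key, ok in check_egress(eps).items():
        print(f"{'ok  ' if ok else 'FAIL'} {key}")
```

Run it from the network segment the Data Plane nodes live in, not from a workstation, since that is the path the allowlist has to cover. If egress on 443 goes through a forward proxy as described in the note above, the direct TCP probe will fail by design and the check belongs on the proxy side instead.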
FAQs
What types of data travel between the Konnect Control Plane and the Data Plane nodes, and how?
Two types of data travel between planes using secure TCP port 443:
- Configuration – The Control Plane sends config data to the Data Plane nodes.
- Telemetry – Data plane nodes send usage data to the Control Plane for Analytics and billing.
Telemetry includes traffic metrics by Service, Route, and consuming application. It does not include any customer data. All telemetry is encrypted using mTLS.
How frequently do Data Planes send telemetry data to the Control Plane?
Telemetry data is sent at different intervals depending on the Data Plane version:
- 2.x – Every 10 seconds by default
- 3.x – Every 1 second by default
You can customize this interval using the analytics_flush_interval setting.
How long can Data Plane nodes remain disconnected from the Control Plane?
Data plane nodes continue pinging the Control Plane until reconnected or stopped. They use cached config and function normally, unless:
- The license expires
- The cached config file (config.json.gz or dbless.lmdb) is deleted
Where is configuration cached on Data Plane nodes?
When a Data Plane node receives new configuration from the Control Plane, it immediately loads it into memory and also caches it to disk. The cache location depends on the Gateway version:
- 2.x Gateway – Configuration is stored in an unencrypted cache file, config.json.gz, located in the Kong Gateway prefix path.
- 3.x Gateway – Configuration is stored in an unencrypted LMDB database directory, dbless.lmdb, also in the Kong Gateway prefix path.
What happens if the Control Plane and Data Plane nodes disconnect?
Data plane nodes use the cached configuration until they can reconnect. Once reconnected, the Control Plane sends the latest configuration. It does not queue or replay any older configuration changes.
Can I restart a Data Plane node if the Control Plane is down or disconnected?
Yes. Restarting a Data Plane node will load its cached configuration and resume normal function.
Can I change a Data Plane node’s configuration when it’s disconnected from the Control Plane?
Yes:
- Copy the configuration cache file or directory from a working node
- Remove the cache and use declarative_config
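The answers above on cache location, disconnected operation and restarts boil down to one operational question: does this node hold a cached configuration it can reload while the Control Plane is unreachable, and is that unencrypted cache protected on disk? The script below is an added example, not Kong's code. It takes the artifact names from the FAQ (config.json.gz for 2.x, dbless.lmdb for 3.x), scans the Gateway prefix path you pass in (the default of /usr/local/kong is an assumption for illustration; use the `prefix` from your kong.conf), and flags a cache that is readable by group or others.

```python
"""Check whether a Data Plane node can ride out a Control Plane outage.

Added example, not Kong's code. The artifact names and the unencrypted-cache
fact come from the FAQ above; the prefix path is whatever your kong.conf
`prefix` points at (assumption: the caller passes it in).
"""
import os
import stat
from typing import Dict, Iterable, List

# Cache artifact written into the Gateway prefix path, by Gateway generation.
CACHE_ARTIFACTS = {
    "config.json.gz": "2.x",   # gzipped config file
    "dbless.lmdb": "3.x",      # LMDB database directory
}


def classify_cache(entries: Iterable[str]) -> Dict[str, str]:
    """Map each recognised cache artifact present in `entries` to its Gateway generation."""
    present = set(entries)
    return {name: gen for name, gen in CACHE_ARTIFACTS.items() if name in present}


def overly_permissive(mode: int) -> bool:
    """The cache is stored unencrypted, so group/world read access on it is a finding."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def offline_capability(entries: Iterable[str], license_valid: bool = True) -> str:
    """Summarise the node's ability to keep serving from cached configuration.

    Mirrors the FAQ: cached config keeps the node working unless the license
    expires or the cache artifact is gone.
    """
    found = classify_cache(entries)
    if not found:
        return "NO_CACHE: nothing to load on restart while the Control Plane is unreachable"
    if not license_valid:
        return "LICENSE_EXPIRED: cached config is present but the node will stop serving"
    listing = ", ".join(f"{name} ({gen})" for name, gen in sorted(found.items()))
    return f"OK: cached configuration present ({listing})"


def inspect_prefix(prefix: str, license_valid: bool = True) -> List[str]:
    """Scan a real prefix directory and return report lines."""
    try:
        entries = os.listdir(prefix)
    except FileNotFoundError:
        return [f"NO_PREFIX: {prefix} does not exist"]
    report = [offline_capability(entries, license_valid)]
    for name in classify_cache(entries):
        mode = stat.S_IMODE(os.stat(os.path.join(prefix, name)).st_mode)
        if overly_permissive(mode):
            report.append(f"WARN: {name} is mode {mode:04o}; the cache is unencrypted, "
                          "restrict it to the Gateway user")
    return report


if __name__ == "__main__":
    import sys
    # /usr/local/kong is an assumed default for illustration; pass your real prefix.
    for line in inspect_prefix(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/kong"):
        print(line)
```

Because the Data Plane reloads this cache on restart, it is effectively the node's configuration of record during an outage: back it up with the same care as the declarative file you would otherwise hand to declarative_config, and keep its permissions limited to the user the Gateway runs as.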
If the Data Plane loses communication with the Control Plane, what happens to telemetry data?
The Data Plane buffers request data locally. If the buffer fills up (default: 100000 requests), older data is dropped. You can configure the buffer size using the analytics_buffer_size_limit setting.
How do the Control Plane and Data Plane communicate?
Data traveling between Control Planes and Data Planes is secured through a mutual TLS handshake. Data plane nodes initiate the connection to the Konnect Control Plane. Once the connection is established, the Control Plane can send configuration data to the connected Data Plane nodes.
Each Data Plane node maintains a persistent connection with the Control Plane and sends a heartbeat every 30 seconds. If the Control Plane doesn’t respond, the Data Plane node attempts to reconnect after a 5–10 second delay.
What IP addresses are associated with Konnect regional hostnames?
Visit https://ip-addresses.origin.konghq.com/ip-addresses.json for the list of IPs associated to regional hostnames. You can also subscribe to https://ip-addresses.origin.konghq.com/rss for updates.