This page defines core concepts in Kong Mesh.
Concepts
Uses:
Kong Mesh
Related Documentation
Minimum Version
Kong Mesh - 2.7
Tags
Related Resources
Mesh
A mesh is the top-level resource that represents an isolated service mesh deployment. The mesh serves as the parent resource for all policies, services, and data planes, providing a separate domain of configuration and communication.
For more information, see the Mesh resource reference.
Zone
A zone is a deployment unit that represents a distinct infrastructure environment, typically a Kubernetes cluster, VPC, or data center. All data plane proxies within a zone must be able to communicate with each other. Kong Mesh supports multi-zone deployments where zones can span different regions, clouds, or data centers while remaining part of the same mesh. Multi-zone deployments enable automatic service discovery and failover across zones.
For more information, see the single-zone and multi-zone deployment references.
Control plane
The control plane is the central management layer of Kong Mesh. The control plane configures and manages the behavior of the data plane, which handles the actual traffic between services.
For more information, see the control plane configuration reference.
Data plane
The data plane handles traffic between services. In practice, the data plane consists of the data plane proxies, or sidecars, that run alongside the applications in your service mesh.
For more information, see the Kong Mesh architecture reference.
Data plane proxy / sidecar
The data plane proxy, or sidecar, is the instance of Envoy that runs alongside the application and sends and receives traffic from the rest of the service mesh. The proxy connects to the control plane, which computes a configuration specific to it.
For more information, see the data plane proxy reference.
flowchart LR Clients Servers subgraph Data plane App subgraph Data plane proxy Inbounds Outbounds end end Inbounds -.Local traffic.-> App App -.Local traffic.-> Outbounds Clients --> Inbounds Outbounds --> Servers
Inbound
An inbound is the part of the data plane proxy that receives traffic from clients for a specific port. Inbounds are usually grouped across different data planes to form a service.
For more information, see Inbounds in the data plane proxy reference.
Outbound
An outbound is the part of the data plane proxy that sends traffic to servers for a specific service. Outbounds group multiple remote inbounds as endpoints.
For more information, see Outbounds in the data plane proxy reference.
Resource
A resource is an object or entity that you can create, manage, and interact with in Kong Mesh. Resources are the building blocks that define the behavior and state of your service mesh. Each resource is a type of API object that has a specific purpose and is represented by its state and configuration.
A resource is most often expressed as YAML and can have two formats:
-
Kuberneteswhen the backing control plane runs on Kubernetes. In this case, Kong Mesh resources are defined as Kubernetes Custom Resource Definitions. -
Universalin other cases or when you access resources through the Kong Mesh REST API.
Policy
Policies are a specific type of resource that controls the behavior and communication of applications running inside your service mesh. Policies can enable traffic management, security, observability, and traffic reliability.
For more information, see the policies introduction.
Identity
A workload’s identity is the name encoded in its certificate. An identity is considered valid only if the certificate is signed by a trust.
Trust
A trust defines which identities you accept as valid. Trust is established through trusted certificate authorities (CAs) that issue those identities. A trust is attached to a trust domain, and a cluster can contain multiple trusts.