Home / Kong Mesh
Edit
Report

Kong Mesh zone ingress

Uses: Kong Mesh
Related Documentation
Mesh Documentation
Related Resources
Zone Egress
MeshMultiZoneService
Kong Mesh data plane on Kubernetes
Kong Mesh data plane proxy
Kong Mesh data plane on Universal

In a multi-zone deployment, you can use the ZoneIngress proxy to manage cross-zone communication. These proxies are not attached to any specific workloads, they are bound to a specific zone. A zone ingress can proxy traffic between all meshes, so you only need one deployment in each zone.

All requests that are sent from one zone to another will be directed to the proper instance by the zone ingress.

Since the ZoneIngress proxy uses Server Name Indication (SNI) to route traffic, mTLS is required to handle cross-zone communication.

The ZoneIngress entity includes the following parameters:

  • type: Must be ZoneIngress.
  • name: The name of the zone ingress instance, it must be unique for any given zone.
  • networking: The networking parameters of the zone ingress.
    • address: The address of the network interface that the zone ingress is listening on. It can be the address of either the public or private network interface, but the latter must be used with a load balancer.
    • port: The port that the zone ingress is listening on. The default is 10001.
    • advertisedAddress: An IP address or hostname that will be used to communicate with the zone ingress. The zone ingress doesn’t listen on this address. If the zone ingress is exposed using a load balancer, then the address of the load balancer should be used. If the zone ingress is listening on the public network interface, then the address of the public network interface should be used.
    • advertisedPort: A port that will be used to communicate with the zone ingress. The zone ingress doesn’t listen on this port.
    • admin: The parameters related to the Envoy Admin API.
      • port: The port that the Envoy Admin API will listen to.
  • availableServices The list of services that could be consumed through the zone ingress. This is auto-generated on the Kong Mesh control plane.
  • zone: The zone where the zone ingress is running. This is auto-generated on the Kong Mesh control plane.

The advertisedAddress and advertisedPort parameters are required to allow data plane proxies from other zones to access the zone ingress. If a zone ingress doesn’t have values set for these fields, it’s not taken into account in the Envoy configuration.

To install the ZoneIngress proxy in Kubernetes:

  • With kumactl, add the --ingress-enabled flag to your kumactl install control-plane command.
  • With Helm, add the kuma.ingress.enabled: true parameter to your values.yaml.

Kong Mesh sets advertisedAddress and advertisedPort automatically by checking the Service associated with the zone ingress.

If the Service type is Load Balancer, Kong Mesh will wait for public IP to be resolved. It may take a couple of minutes to receive public IP depending on the LB implementation of your Kubernetes provider. If the Service type is Node Port, Kong Mesh will take an external IP of the first Node in the cluster and combine it with the Node Port.

You can provide your own public address and port using the following annotations on the ingress deployment:

  • kuma.io/ingress-public-address
  • kuma.io/ingress-public-port

A ZoneIngress deployment can be scaled horizontally. Many instances can have the same advertised address and advertised port because they can be behind one load balancer.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support