Serverless gateways are lightweight API gateways. Their Control Plane is hosted by Konnect and Data Plane nodes are automatically provisioned. Serverless gateways are ideal for developers who want to test or experiment in a pre-production environment.
You can manage your serverless gateway nodes in Gateway Manager.
When you create a serverless gateway, Konnect creates a Control Plane that is hosted by Konnect. Then, a hosted Data Plane is provisioned automatically and configured to connect to the Control Plane.
flowchart TD
A(Dev Portal • Gateway Manager • Advanced Analytics • Service Catalog)
B(
Kong-managed Control Plane #40;Kong Gateway instance#41;)
C( Data Plane #40;Kong Gateway instance#41;)
subgraph id1 [Konnect]
A --- B
end
B --Kong proxy
configuration---> id2
subgraph id2 [Fully-managed cloud nodes]
C
end
style id1 stroke-dasharray:3,rx:10,ry:10
style id2 stroke-dasharray:3,rx:10,ry:10
Provisioning a serverless gateway includes creating the serverless Control Plane and hosted Data Plane.
Create a serverless gateway Control Plane by issuing a POST request to the Control Plane API.
curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/" \
-H "Accept: application/json"\
-H "Content-Type: application/json"\
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "serverless-gateway-control-plane",
"description": "A test Control Plane for Serverless Gateways.",
"cluster_type": "CLUSTER_TYPE_SERVERLESS",
"cloud_gateway": false,
"auth_type": "pinned_client_certs"
}'
Create a hosted Data Plane by issuing a PUT request to the Cloud Gateways API:
curl -X PUT "$KONNECT_CONTROL_PLANE_URL/v2/cloud-gateways/configurations" \
-H "Accept: application/json"\
-H "Content-Type: application/json"\
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"control_plane_id": "'$CONTROL_PLANE_ID'",
"control_plane_geo": "us",
"dataplane_groups": [
{
"region": "na"
}
],
"kind": "serverless.v0"
}'
Konnect integrates domain name management and configuration with Serverless Gateways.
Open Gateway Manager, choose a Control Plane to open the Overview dashboard, then click Connect.
The Connect menu will open and display the URL for the Public Edge DNS. Save this URL.
Select Custom Domains from the side navigation, then New Custom Domain, and enter your domain name.
Save the value that appears under CNAME.
|
Host Name |
Record Type |
Routing Policy |
Alias |
Evaluate Target Health |
Value |
TTL |
|---|---|---|---|---|---|---|
my.example.com
|
CNAME | Simple |
9e454bcfec.kongcloud.dev
|
300 |
Once a Serverless Gateway custom DNS record has been validated, it will not be refreshed or re-validated. Remove and re-add the custom domain in Konnect to force a re-validation.
Serverless gateways only support public networking. If your use case requires private connectivity, consider using Dedicated Cloud Gateways with AWS Transit Gateways.
To securely connect a serverless gateway to your backend, you can inject a shared secret into each request using the Request Transformer plugin.
curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins" \
-H "accept: application/json"\
-H "Content-Type: application/json"\
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "request-transformer",
"config": {
"add": {
"headers": [
"Authorization:Bearer '$SECRET_TOKEN_VALUE'"
]
}
}
}'
Will a new Serverless Gateway be provisioned in the same region as Konnect?
Deployment on the same region is not guaranteed.
What Kong Gateway version do Serverless Gateways run?
The Kong Gateway version can’t be configured. The default is always latest and will be automatically upgraded.
Can Control Planes contain both Serverless Gateway Data Planes and self-managed Data Planes?
No. Control Planes that use Serverless Gateways can’t mix types of Data Planes.
Can I configure the size of the Data Planes?
No, configuration is handled automatically during the provisioning of the Serverless Gateway Control Plane.
Does Serverless Gateway support private networking?
No, serverless gateways only supports public networking. There are currently no capabilities for private networking between your data centers and hosted Kong Data Planes. For use cases where private networking is required, Dedicated Cloud Gateways configured with AWS is a better choice.
Does plugin functionality change with serverless gateways?
My serverless custom domain attachment failed, how do I troubleshoot it?
If your custom domain attachment fails, check if your domain has a Certificate Authority Authorization (CAA) record restricting certificate issuance. Serverless Gateways use Let’s Encrypt CA to provision SSL/TLS certificates. If your CAA record doesn’t include the required CA, certificate issuance will fail. You can resolve this issue by doing the following:
dig CAA yourdomain.com +short.
If a CAA record exists but doesn’t allow Let’s Encrypt (letsencrypt.org), update it.yourdomain.com. CAA 0 issue "letsencrypt.org"
If no CAA record exists, no changes are needed. For more information, see the Let’s Encrypt CAA Guide.