Getty Images/iStockphoto

Kong tightens links between API gateway, service mesh

Kong adds support for Istio and Envoy integration with its API gateway to consolidate network management between traditional and cloud-native apps.

Kong Inc.'s API gateway now supports Istio service mesh and WebAssembly extensions that match with the Envoy proxy as traditional and cloud-native networking tools converge.

Kong began as an API gateway vendor in 2017. API gateways facilitate requests and delivery of data and services through REST-based APIs, a construct that arose in the early days of cloud computing to manage communications between web apps.

Over the last five years, service meshes also arose within cloud infrastructures. Service mesh is a network management pattern in which a centralized control plane directs a data plane made up of distributed software components called proxies. Google's Istio is among the most prominent open source service mesh projects. Kong also created the Kuma service mesh to compete with Istio in 2019, donated it to the Cloud Native Computing Foundation (CNCF), and began to offer a supported version with Kong Mesh.

Since then, the layers of cloud-native infrastructure that support container-based microservices apps have begun to converge, with increased integration between network management layers such as API gateways, load balancers and service meshes. This year, for example, VMware added load-balancer integration to its Tanzu service mesh, and integrated its Gloo Edge API gateway with Istio.

Kong had previously included its API gateway, which can also be used as a Kubernetes ingress controller, with Kuma and Kong Mesh, but hadn't offered the same integration for Istio until this week. The new support for Istio means IT pros can manage APIs both inside and outside the Istio service mesh in the same place.  

"Istio has a load balancer that allows a user to expose a service or an API," said Marco Palladino, CTO and co-founder at Kong. "But that doesn't give [users] any governance on ... controlling [API] traffic, managing the users, the consumers, [data] transformations and so on."

Staff engineers at Checkr Inc., an online background check company in San Francisco, had been working on linking Kong Gateway and Istio themselves to provide simplified network management to internal app developers, but this week's update spared them that effort.

Ivan Rylach, CheckrIvan Rylach

"Service mesh is generally useful for internal service-to-service communication, where you need to establish security and other system-level performance controls for development teams, and in a perfect world, the whole thing is going to be completely transparent [to developers]," said Ivan Rylach, senior staff software engineer at Checkr. "But at the same time, they need to be able to route certain subsets of requests between services, and working within the API gateway makes that a little bit easier."

Managing the API gateway and service mesh will also enhance security Defense in depth, since API servers are split into many distributed instances within the Istio service mesh, each of which can independently verify that requests they receive actually traversed the API gateway, rather than coming from a malicious host, Rylach said.

Kong adds WebAssembly to API gateway

WebAssembly (Wasm), a standard for adding executable code modules to web apps, has made news within the Istio community because it allows developers to customize the Envoy proxy -- and through it, Istio service mesh functions. Wasm enables customizations to be created using familiar programming languages, and without having to maintain a separate version of the sidecar. Istio began to add support for Envoy extensions using Wasm last year in version 1.9.

Marco Palladino, KongMarco Palladino

The Kong API gateway also added Wasm support this week, in another move that brings it into closer alignment with service mesh. Both Istio and Kuma use Envoy, and Kong Gateway Wasm support means broader portability for customers' Wasm modules. This portability will mean they can customize network functions beyond service mesh using the same filters, routes and data transformations, Palladino said.

"Now we support this entire WebAssembly ecosystem on top of the native plug-in ecosystem that we already support," he said. "[Users] can potentially run the same filter on the gateway layer as well [as the service mesh] so they build it once and run it in both places."

Kuma gains service mesh momentum

Istio and its closest rival, Linkerd, still claim the most awareness and adoption among enterprises, but open source Kuma has also begun to accrue a following over the last year, Palladino said. Kuma now has about 1,000 user organizations, including American Airlines, which presented at this week's virtual Kong Summit conference.

Most other service mesh providers needed to add additional components for all the functionality that Kuma offered.
Karl HaworthPrincipal engineer, American Airlines

"Most other service mesh providers needed to add additional components for all the functionality that Kuma offered," said Karl Haworth, developer experience product technical lead and principal engineer at American Airlines, in a Kong Summit presentation. "Kuma automatically syncs our certificates daily with mTLS [mutual TLS so] we don't have to worry about that. Tracing is automatically included along with ... traffic policies, [as well as] being able to span multiple regions and multiple cloud providers."

Kong Inc. has 400 paying enterprise customers, but the vast majority of those are still using Kong Gateway; Palladino estimated Kong Mesh has between 50 to 60 enterprise customers. Kong Mesh requires a Kong Enterprise license, the price tag for which Kong does not publicly disclose, but it was enough to send Checkr's Rylach toward using Istio instead.

"We wanted to use [HashiCorp's] Vault as a root [certificate authority] and to have mTLS between control plane nodes, which are supported only with Kong Mesh," he said. "We worked with the Kong account management and sales team to understand the cost of Kong Enterprise, and the price tag was too high for us."

Other API gateway users at Summit said they'd consider Kong Mesh, however, in part because of the appeal of its integration with Kong Gateway.

"We are evaluating [Kong Mesh and App Mesh] at the moment and plan to adopt one in the next few months," said Patrick Farry, senior director of systems design and architecture at San Diego-based video telematics company Lytx, during an online Q&A session at Kong Summit. "[Kuma] is a second-generation product and may not have the baggage that Istio has in terms of complex configuration and management."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Dig Deeper on Containers and virtualization

Software Quality
App Architecture
Cloud Computing
Data Center