Cloud Gateways Networks
In this guide you’ll learn how to use the KonnectCloudGatewayNetwork custom resource to manage Kong Konnect Dedicated Cloud Gateways Networks natively from your Kubernetes cluster.
Prerequisites: Install Kong Gateway Operator and create a valid KonnectAPIAuthConfiguration in your cluster.
Prerequisites
Install Kong Gateway Operator
Update the Helm repository:
helm repo add kong https://charts.konghq.com
helm repo update kong
Install Kong Gateway Operator with Helm:
helm upgrade --install kgo kong/gateway-operator -n kong-system --create-namespace \
  --set image.repository=kong/nightly-gateway-operator \
  --set image.tag=nightly \
  --set kubernetes-configuration-crds.enabled=true \
  --set env.ENABLE_CONTROLLER_KONNECT=true
You can wait for the operator to be ready using kubectl wait:
kubectl -n kong-system wait --for=condition=Available=true --timeout=120s deployment/kgo-gateway-operator-controller-manager
Create an access token in Konnect
You may create either a Personal Access Token (PAT) or a Service Account Token (SAT) in Konnect. Please refer to the Konnect authentication documentation for more information. You will need this token to create a KonnectAPIAuthConfiguration object that will be used by the Kong Gateway Operator to authenticate with Konnect APIs.
Create a Kong Konnect API auth configuration
Depending on your preferences, you can create a KonnectAPIAuthConfiguration object with the token specified directly in its spec or as a reference to a Kubernetes Secret. With the Secret reference, the token stays out of the KonnectAPIAuthConfiguration object itself, so read access to that object does not reveal it. The serverURL field should be set to the Konnect API URL of the region where your Kong Konnect account is located. Please refer to the list of available API URLs for more information.
You can verify that the KonnectAPIAuthConfiguration object was reconciled successfully by checking its status.
kubectl get konnectapiauthconfiguration konnect-api-auth
The output should look like this:
NAME               VALID   ORGID                   SERVERURL
konnect-api-auth   True    <your-konnect-org-id>   https://us.api.konghq.tech
Provider Account
To manage Cloud Gateway networks, you need a Cloud Gateway Provider Account associated with your Kong Konnect account.
To create one, please contact your Kong Account Manager.
If you already have one, you can use Konnect’s /cloud-gateways/provider-accounts API to get the id of the provider account.
curl -s -H 'Content-Type: application/json' -H "Authorization: Bearer ${KONNECT_TOKEN}" -XGET https://global.api.konghq.com/v2/cloud-gateways/provider-accounts | jq
This should return a list of provider accounts. Use the id of the account you want to use to create a Cloud Gateway Network.
{
  "data": [
    {
      "id": "11111111-1111-1111-1111-111111111111",
      "provider": "aws",
      "provider_account_id": "001111111111",
      "created_at": "2023-07-06T18:40:12.172Z",
      "updated_at": "2023-07-06T18:40:12.172Z"
    }
  ],
  "meta": {
    "page": {
      "total": 1,
      "size": 100,
      "number": 1
    }
  }
}
Create a Cloud Gateway Network
Creating the KonnectCloudGatewayNetwork object in your Kubernetes cluster will provision a new Konnect Dedicated Cloud Gateway Network.
You can refer to the KonnectCloudGatewayNetwork CRD API for all the available fields.
To create a KonnectCloudGatewayNetwork object you can use the following YAML manifest:
echo '
kind: KonnectCloudGatewayNetwork
apiVersion: konnect.konghq.com/v1alpha1
metadata:
  name: konnect-network-1
  namespace: default
spec:
  name: network1
  # id (not provider_account_id) from the provider-accounts response above
  cloud_gateway_provider_account_id: "11111111-1111-1111-1111-111111111111"
  availability_zones:
    - euw1-az1
    - euw1-az2
    - euw1-az3
  cidr_block: "192.168.0.0/16"
  region: eu-west-1
  konnect:
    authRef:
      name: konnect-api-auth
' | kubectl apply -f -
After creating the network object you can check the status of the network by running:
kubectl get konnectcloudgatewaynetworks.konnect.konghq.com konnect-network-1 -o=jsonpath='{.status}' | yq -p json
This should return the status of the network:
conditions:
  - lastTransitionTime: "2025-03-13T09:16:49Z"
    message: KonnectAPIAuthConfiguration reference default/konnect-api-auth is resolved
    observedGeneration: 3
    reason: ResolvedRef
    status: "True"
    type: APIAuthResolvedRef
  - lastTransitionTime: "2025-03-13T09:16:49Z"
    message: referenced KonnectAPIAuthConfiguration default/konnect-api-auth is valid
    observedGeneration: 3
    reason: Valid
    status: "True"
    type: APIAuthValid
  - lastTransitionTime: "2025-03-13T09:18:05Z"
    message: ""
    observedGeneration: 3
    reason: Programmed
    status: "True"
    type: Programmed
id: 1111111-111111111111-11111111111111111
organizationID: 222222222-22222222-2222222222222222222
serverURL: https://global.api.konghq.com
state: initializing
Since creating a network can take some time, you can monitor the status of the network by checking the state field.
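A readiness gate for the status shown above, as an added example (not code from the Kong documentation): it reports why a network object should not be relied on yet, including conditions that describe an older spec generation. The function name, the sample object and the target state "ready" are assumptions; the page itself only shows the state "initializing".

```python
import json

# Condition types taken from the status output shown on this page.
REQUIRED_CONDITIONS = ("APIAuthResolvedRef", "APIAuthValid", "Programmed")


def network_problems(obj, want_state="ready"):
    """Return the reasons a KonnectCloudGatewayNetwork is not usable yet.

    obj is the parsed output of `kubectl get ... -o json`. want_state is an
    assumption: the page only shows the value "initializing".
    """
    generation = obj.get("metadata", {}).get("generation")
    status = obj.get("status", {})
    by_type = {c.get("type"): c for c in status.get("conditions", [])}
    problems = []
    for ctype in REQUIRED_CONDITIONS:
        cond = by_type.get(ctype)
        if cond is None:
            problems.append(f"{ctype}: condition missing")
        elif cond.get("status") != "True":
            detail = f"{cond.get('reason', '')} {cond.get('message', '')}".strip()
            problems.append(f"{ctype}: {detail}")
        elif cond.get("observedGeneration") != generation:
            # The condition describes an older spec; the operator has not caught up.
            seen = cond.get("observedGeneration")
            problems.append(f"{ctype}: stale (observed {seen}, spec is {generation})")
    # Programmed=True does not imply the network has finished provisioning:
    # in the sample status on this page it is True while state is "initializing".
    if status.get("state") != want_state:
        problems.append(f"state is {status.get('state')!r}, want {want_state!r}")
    return problems


# Constructed sample mirroring the status on this page (ids omitted).
SAMPLE = json.loads("""
{"metadata": {"name": "konnect-network-1", "generation": 3},
 "status": {"state": "initializing", "conditions": [
   {"type": "APIAuthResolvedRef", "status": "True", "reason": "ResolvedRef", "observedGeneration": 3},
   {"type": "APIAuthValid", "status": "True", "reason": "Valid", "observedGeneration": 3},
   {"type": "Programmed", "status": "True", "reason": "Programmed", "observedGeneration": 3}]}}
""")

if __name__ == "__main__":
    for line in network_problems(SAMPLE) or ["network is ready"]:
        print(line)
```

To use it against a cluster, feed it the parsed output of the kubectl get command above with -o json in place of the constructed sample.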