Kong Mesh

A modern control plane built on top of Envoy and focused on simplicity, security, and scalability

Demo: To see Kong Mesh in action, you can request a demo and we will get in touch with you.

Welcome to the official documentation for Kong Mesh!

Kong Mesh is an enterprise-grade service mesh that runs on both Kubernetes and VMs on any cloud. Built on top of CNCF’s Kuma and Envoy and focused on simplicity, Kong Mesh enables the microservices transformation with:

Out-of-the-box service connectivity and discovery
Zero-trust security
Traffic reliability
Global observability across all traffic, including cross-cluster deployments

Kong Mesh extends Kuma and Envoy with enterprise features and support, while providing native integration with Kong Gateway Enterprise for a full-stack connectivity platform for all of your services and APIs, across every cloud and environment.

Kuma itself was originally created by Kong and donated to CNCF to provide the first neutral Envoy-based service mesh to the industry. Kong still maintains and develops Kuma, which is the foundation for Kong Mesh.

Kong Mesh extends CNCF's Kuma and Envoy to provide an enterprise-grade service mesh with unique features in the service mesh landscape, while still relying on a neutral foundation.

	Kuma Start Free	Kong Mesh Contact Sales
Core Service Mesh Capabilities
All Kuma Policies
All Traffic Management Policies
All Observability Policies
Multi-Zone & Multi-Cluster
Multi-Zone Security Allows you to secure multi-zone deployments with a JWT-based authentication that ensures only approved zones can join the cluster.
Multi-Mesh support
Zero-Trust and mTLS
Built-in CA
Provided CA
HashiCorp Vault CA Allows you to enable HashiCorp Vault as an additional third-party backend for mTLS CAs that are used to setup zero-trust security, without storing the CAs in Kong Mesh proper.
AWS Certificate Manager CA Allows you to enable AWS Certificate Manager as an additional third-party backend for the mTLS CAs that are used to setup zero-trust security, without storing the CAs in Kong Mesh proper.
Kubernetes cert-manager CA Allows you to enable Kubernetes cert-manager as an additional third-party backend for the mTLS CAs that are used to setup zero-trust security, without storing the CAs in Kong Mesh proper.
GUI Dashboard for TLS and CA Provides you with additional visual reports that display the rotation status of the data plane proxy certificates and the rotation of the CAs themselves, in a zero-trust service mesh.
Data Plane Certificate Rotation
CA Automatic Rotation Provides automatic rotation across different CAs with no downtime in addition to providing automatic rotation and certificate lifecycle management to the data plane proxy mTLS certificates. This feature combined with the GUI Dashboard for TLS and CA provides a complete solution for managing the entire lifecycle of zero-trust service meshes.
Enterprise Application Security
FIPS-140 Encryption By default, FIPS-140 compliant encryption is automatically enabled in Kong Mesh on the Envoy-based data plane proxies. This doesn't require any additional steps other than running Kong Mesh itself.
Embedded OPA Agent Kong Mesh ships with an embedded OPA agent in the data plane proxy sidecars, without requiring the user to run an additional dedicated sidecar for the OPA agent. This simplifies the roll out of OPA across the entire organization and lowers operational costs.
Native OPA Policy This exposes a native OPA policy resource that can be used to store and automatically propagate OPA policies across a multi-zone deployment natively with Kong Mesh. We also support the ability to connect to a third-party OPA store like Styra.
Enterprise Security and Governance
Roles and permissions (RBAC) Allows you to manage complex RBAC rules to allow or deny access to Kong Mesh policies and functions in a sophisticated and fine grained way. This works across multi-zone and multi-mesh natively.
Audit Logs Allows you to store and fetch auditing logs for operations that were performed on the cluster. When used with RBAC, it allows us to have full visibility into how the system is being governed and configured by the users.
Signed Images Kong Mesh container images are signed and verifiable in accordance with SLSA guidelines.
Build Provenance Kong Mesh container images and binaries generate build level provenance and are verifiable in accordance with SLSA guidelines.
Universal Platform Distributions
Containers, Kubernetes & OpenShift
Virtual Machine Support
Virtual Machine Transparent Proxying
Native AWS ECS Controller Allows you to natively support AWS ECS workloads with a built-in controller that automatically integrates ECS workloads within one or more service meshes powered by Kong Mesh. This simplifies the expansion of service mesh in the cloud.
UBI Federal Distributions Provides officially supported distributions based on the Red Hat Universal Base Images (UBI).
Support and Customer Success
Enterprise Support and SLA With Kong Mesh, we provide 24/7/365 enterprise support with different SLAs, powered by Kong's global customer success and technical support team across all world regions. This also provides access to a vast network of partners for local language support as well. This is recommended for enterprise mission-critical deployments.
Customer Success Packages With Kong Mesh, we provide access to our implementation and training programs to accelerate the roll out of a service mesh across every team, and to properly train and educate the organization on how to effectively drive business outcomes with the product.
Envoy Support With Kong Mesh, we provide access to the Envoy contributors at Kong to further expand the capabilities of the underlying data plane proxy technology (Envoy) with features that are not currently available in upstream Envoy. This can be used to remove road blocks and cater to unique enterprise requirements and use-cases.

Kong Mesh provides a unique combination of strengths and features in the service mesh ecosystem, specifically designed for the enterprise architect, including:

Universal support for both Kubernetes and VM-based services.
Single and Multi Zone deployments to support multi-cloud and multi-cluster environments with global/remote control plane modes, automatic Ingress connectivity, and service discovery.
Multi-Mesh to create as many service meshes as we need, using one cluster with low operational costs.
Easy to install and use and turnkey, by abstracting away all the complexity of running a service mesh with easy-to-use policies for managing services and traffic.
Full-Stack Connectivity by natively integrating with Kong and Kong Gateway Enterprise for end-to-end connectivity that goes from the API gateway to the service mesh.
Powered by Kuma and Envoy to provide a modern and reliable CNCF open source foundation for an enterprise service mesh.

When used in combination with Kong Gateway Enterprise, Kong Mesh provides a full stack connectivity platform for all of our L4-L7 connectivity, for both edge and internal API traffic.

Diagram showing how Kong Gateway and Kong Mesh work together to run two products on two data centers. Kong Gateway is used to manage communication between the client and the products in each data center, but also between two different products. Kong Mesh is used to allow different services within a product to communicate with one another.

Two different applications - "Banking" and "Trading" - run in their own meshes "A" and "B" across different data centers. In this example, Kong Gateway is being used both for edge communication and for internal communication between meshes.

Why Kong Mesh?

Organizations are transitioning to distributed software architectures to support and accelerate innovation, gain digital revenue, and reduce costs. A successful transition to microservices requires many pieces to fall into place: that services are connected reliably with minimal latency, that they are protected with end-to-end security, that they are discoverable and fully observable. However, this presents challenges due to the need to write custom code for security and identity, a lack of granular telemetry, and insufficient traffic management capabilities, especially as the number of services grows.

Leading organizations are looking to service meshes to address these challenges in a scalable and standardized way. With a service mesh, you can:

Ensure service connectivity, discovery, and traffic reliability: Apply out-of-box traffic management to intelligently route traffic across any platform and any cloud to meet expectations and SLAs.
Achieve Zero-Trust Security: Restrict access by default, encrypt all traffic, and only complete transactions when identity is verified.
Gain Global Traffic Observability: Gain a detailed understanding of your service behavior to increase application reliability and the efficiency of your teams.

Kong Mesh is the universal service mesh for enterprise organizations focused on simplicity and scalability with Kuma and Envoy. Kong’s service mesh is unique in that it allows you to:

Start, secure, and scale with ease:
- Deploy a turnkey service mesh with a single command.
- Group services by attributes to efficiently apply policies.
- Manage multiple service meshes as tenants of a single control plane to provide scale and reduce operational costs.
Run anywhere:
- Deploy the service mesh across any environment, including multi-cluster, multi-cloud, and multi-platform.
- Manage service meshes natively in Kubernetes using CRDs, or start with a service mesh in a VM environment and migrate to Kubernetes at your own pace.
Connect services end-to-end:
- Integrate into the Kong Gateway Enterprise platform for full stack connectivity, including Ingress and Egress traffic for your service mesh.
- Expose mesh services for internal or external consumption and manage the full lifecycle of APIs.

Thanks to the underlying Kuma runtime, with Kong Mesh, you can easily support multiple clusters, clouds, and architectures using the multi-zone capability that ships out of the box. This — combined with multi-mesh support — lets you create a service mesh powered by an Envoy proxy for the entire organization in just a few steps. You can do this for both simple and distributed deployments, including multi-cloud, multi-cluster, and hybrid Kubernetes/VMs:

Diagram showing a global control plane communicating with multiple zones. The global Kuma control plane manages three zones that each have their own control plane and contain four services. Each zone uses Kuma Ingress to communicate with the other zones.

Kong Mesh can support multiple zones (like a Kubernetes cluster, VPC, data center, etc.) together in the same distributed deployment. Then, you can create multiple isolated virtual meshes with the same control plane in order to support every team and application in the organization.

Learn more about the standalone and multi-zone deployment modes.

Example of a multi-zone deployment for multiple Kubernetes clusters, or a hybrid Kubernetes/VM cluster:

Diagram showing a deployment with two zones, East and West. Each zone has a Kuma control plane, a zone ingress and a zone egress to communicate with the other zone, and four services with data plane proxies.

Support policy

Kong primarily follows a semantic versioning (SemVer) model for its products.

For the latest version support information for Kong Mesh, see our version support policy.

Contribute

You can contribute to the development of Kong Mesh by contributing to Kuma. For more information, see the contribution guide.