Access public and private endpoints differently

Hi, I have setup kong inside my kubernetes cluster using the official kong helm chart. I have two types of urls that I want to access through kong gateway:

  1. Public urls accessible to everyone. For this I have created a Public Load Balancer by setting the proxy service type to LoadBalancer and adding a CNAME record -> elb-address

  2. Internal URLS that i want accessible only to employees within company (preferably using VPN).

My idea of setting up 2) was to setup an internal load balancer and map the internal urls to that load balancer. The issue with that approach being official kong chart doesn’t let me create multiple load balancers. Moreover, even if I setup two load balancers by modifying the helm chart, the internal urls will still be accessible from public elb since they share the same kong cluster.

I am sure, i am missing something basic here. All, I want is to use same kong cluster for two different types or urls, preferably with vpn only access for private urls

Have you considered using ip-restrictions plugin in Kong to solve the problem?

You use the DNS to point the two sites to the same Kong cluster.

Yes. But I found setting up separate kongs a cleaner and easier to manage approach. Now i have two kongs with their separate ingress controllers(kong-internal, kong-public) within my k8s cluster. I control the ingress by using separate ingress annotations.

1 Like

Glad it worked out and that indeed is a much saner way to manage your Ingress on Kubernetes. :slight_smile:

I have a similar problem: I need two load-balancers (privater and public). It’s easy to achieve in the way @mukesh did but the problem is that resources like KongPlugin, KongConsumer and so on would have to be duplicated since all of them require <ingress-class> which ties them to specific controller. Better solution would be to have a single KIC and two k8s LoadBalancer services (one that creates public lb and the other one internal lb). Ingress-nginx has controller.service.internal.* config which allows doing exactly that.

@hbagdi I’m happy to open PR with this functionality added for KIC if you think it’s OK to implement it.

Please open a Github issue with your problem, and then propose a solution before writing any doc or code.

@hbagdi done