KONG Deployment in DMZ

Hi,

I could not find any recommendations of the physical deployment in a data center, such as if it’s recommended to deploy Kong in DMZ or not. And if so, where should other depending components such as Cassandra/Postgres be deployed to, in trusted zone?

Hello @chienhsingwu

if it’s recommended to deploy Kong in DMZ or not.

Personally, I feel this seems a question specific to an organization’s policies and how you’re using Kong. It makes sense to deploy Kong in the DMZ so that traffic gets filtered early.

And if so, where should other depending components such as Cassandra/Postgres be deployed to, in trusted zone?

Kong’s datastore should be reachable from all Kong nodes in the cluster. It probably is not a good idea to keep a datastore in the DMZ. It makes sense to deploy the DB in a private or a DB subnet, and set up routing such that the Kong nodes in the DMZ can reach the DB.


I think Kong in the DMZ is fine, but you will need a WAF solution fronting the Gateway as Kong does not handle malicious payload scans for example. Agree with ^ comment on separating your DB to a diff subnet and setting up firewall rules/routing between the Kong + DB hosts.
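As an added illustration (not code from the thread or from Kong), here is a small policy check for the layout the two answers above recommend: Kong nodes in a DMZ subnet, the datastore in a private DB subnet, and firewall rules that let only the Kong nodes reach the DB port. All subnets, hosts and rules are constructed sample values; the per-host allow rules are stricter than a whole-DMZ allow, which the second ruleset shows as the weak variant.

```python
# Added example: checks a DMZ/private-subnet layout against the thread's advice.
# Every address, subnet and rule here is a constructed sample, not a real deployment.
import ipaddress
from typing import NamedTuple

DMZ = ipaddress.ip_network("10.1.0.0/24")        # constructed: Kong nodes live here
DB_SUBNET = ipaddress.ip_network("10.2.0.0/24")  # constructed: Postgres/Cassandra here
KONG_NODES = ["10.1.0.10", "10.1.0.11"]          # constructed Kong node addresses
DB_HOST = "10.2.0.5"                             # constructed datastore address
PG_PORT = 5432                                   # default PostgreSQL port
OTHER_DMZ_HOSTS = ["10.1.0.50"]                  # constructed: some other box in the DMZ

class Rule(NamedTuple):
    src: ipaddress.IPv4Network   # source CIDR
    dst: ipaddress.IPv4Network   # destination CIDR
    port: int                    # destination TCP port
    action: str                  # "allow" or "deny"

def allowed(rules, src, dst, port):
    """First-match evaluation of a rule list; default deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.port == port:
            return r.action == "allow"
    return False

def check_layout(rules, kong_nodes, db_host, db_port, others):
    """Return a list of findings; an empty list means the layout matches the advice."""
    findings = []
    if ipaddress.ip_address(db_host) in DMZ:
        findings.append("datastore is inside the DMZ")
    for node in kong_nodes:                      # every Kong node must reach the DB
        if not allowed(rules, node, db_host, db_port):
            findings.append(f"Kong node {node} cannot reach the DB")
    for host in others:                          # nothing else in the DMZ may reach it
        if allowed(rules, host, db_host, db_port):
            findings.append(f"non-Kong host {host} can reach the DB")
    return findings

# Recommended: one allow per Kong node, then deny the DB subnet port to everyone else.
GOOD_RULES = [
    Rule(ipaddress.ip_network(n + "/32"), ipaddress.ip_network(DB_HOST + "/32"), PG_PORT, "allow")
    for n in KONG_NODES
] + [Rule(ipaddress.ip_network("0.0.0.0/0"), DB_SUBNET, PG_PORT, "deny")]

# Weak variant: the whole DMZ subnet may reach the DB, so any other DMZ host can too.
WEAK_RULES = [Rule(DMZ, DB_SUBNET, PG_PORT, "allow")]
```

Run `check_layout(GOOD_RULES, KONG_NODES, DB_HOST, PG_PORT, OTHER_DMZ_HOSTS)` to confirm an empty finding list, and swap in `WEAK_RULES` to see the over-broad rule flagged.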

Thanks for the help. About WAF, I saw there is a lua-resty-waf and ModSecurity module in nginx. Would it be simpler to include one of them in Kong?