Trust/security between kong gateway and upstream backend service


We are using Kong as an Open API gateway for our partners, and enable the HMAC-Auth policy. The Kong gateway appends an “X-Consumer-Custom-ID” header to every valid request automatically, and the upstream service checks the “X-Consumer-Custom-ID” header to identify the Consumer. Currently, our upstream service always trusts requests from the Kong gateway server IP, without any other authentication mechanism.

Now, we want to enhance the security between our Kong gateway and upstream service. What should we do?


Hi Walker, depending on the level of security required and the capabilities of your upstream, you have various options.

  • The simplest option (& low security but not too bad) is to configure Kong to send a “pre-shared secret” (like an api-key) in every request to the upstream. You can do this by using the request-transformer plugin (Request Transformer - Plugin | Kong Docs). Your upstream can check for this new header and can check that the value of the header matches the pre-configured “secret”.

  • If your Kong gateway nodes have fixed IPs, you can configure your upstream to reject requests from any other IPs. You can do this using a firewall in front of the upstream, or even by checking the incoming source IP (src ip) in your upstream code and rejecting non-whitelisted IPs.

  • If your upstream is able to do TLS termination, it can check the certificate being presented by Kong during the TLS handshake. You can upgrade the TLS certificate checking to full mTLS for a “zero-trust” level of security. Here is a good article on this topic to get you going (Mutual TLS Downstream and Upstream with API Gateway | Kong Inc.).

There are more ways to solve the problem of upstream security, but hopefully the options above can get you going in the right direction.
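As an added example that is not part of the thread above, here is how an upstream could combine the first two options on its side: trust `X-Consumer-Custom-ID` only when the request arrives from a known gateway address and carries the pre-shared secret header, compared in constant time. The header name `X-Gateway-Secret`, the secret value and the gateway networks are assumptions; on the Kong side the header would be added with the request-transformer plugin (assumed config: `config.add.headers` = `["X-Gateway-Secret:<secret>"]`).

```python
import hmac
import ipaddress
from typing import Dict, Optional

# Constructed sample values; in a real deployment load these from configuration
# or a secrets store, never hard-code them.
GATEWAY_SECRET_HEADER = "x-gateway-secret"        # assumed header name (lower-cased)
GATEWAY_SECRET = "constructed-long-random-value"   # pre-shared secret set in Kong
CONSUMER_HEADER = "x-consumer-custom-id"           # set by Kong after HMAC auth
GATEWAY_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.5/32")]


def from_gateway(src_ip: str) -> bool:
    """True if the TCP peer address belongs to one of the Kong gateway nodes."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(ip in net for net in GATEWAY_NETWORKS)


def secret_matches(headers: Dict[str, str]) -> bool:
    """Constant-time comparison of the pre-shared secret header value."""
    presented = headers.get(GATEWAY_SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), GATEWAY_SECRET.encode())


def trusted_consumer(raw_headers: Dict[str, str], src_ip: str) -> Optional[str]:
    """Return the consumer id only if the request verifiably passed through Kong.

    Both checks must pass. A client that can reach the upstream directly could
    set X-Consumer-Custom-ID itself, so the header is never trusted on its own.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    headers = {k.lower(): v for k, v in raw_headers.items()}
    if not from_gateway(src_ip):
        return None
    if not secret_matches(headers):
        return None
    consumer = headers.get(CONSUMER_HEADER, "").strip()
    return consumer or None
```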