Network and Firewall

    Kong uses multiple connections for different purposes.

    • proxy
    • Admin API

    The proxy ports are where Kong receives its incoming traffic. There are two ports with the following defaults:

    • for proxying HTTP traffic, and
    • 8443 for proxying HTTPS traffic

    See proxy_listen for more details on HTTP/HTTPS proxy listen options. In production environments it is common to change the HTTP and HTTPS listen ports to 80 and 443.

    In general the proxy ports are the only ports that should be made available to your clients.

    Admin API

    This is the port where Kong exposes its management API. Hence in production this port should be firewalled to protect it from unauthorized access.

    • 8444 provides the same Kong Admin API but using HTTPS. See admin_listen and the suffix.

    Firewall

    Below are the recommended firewall settings:

    • The upstream Services behind Kong will be available via the proxy_listen interface/port values. Configure these values according to the access level you wish to grant to the upstream Services.
    • If you are binding the Admin API to a public-facing interface (via ), then protect it to only allow trusted clients to access the Admin API. See also Securing the Admin API.
    • Your proxy will need to have rules added for any HTTP/HTTPS and TCP/TLS stream listeners that you configure. For example, if you want Kong to manage traffic on port 4242, your firewall will need to allow traffic on said port.
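
As an added example (not from the Kong documentation), this Python check reads the listen directives from a kong.conf and derives the firewall plan described above: which ports clients need to reach, and which Admin API listeners are bound beyond loopback and so need restricting. The sample configuration is constructed, and the code assumes every listener is written as IP:port.

```python
import ipaddress

# Constructed sample kong.conf (not from the page); ports echo the text above.
SAMPLE_CONF = """\
proxy_listen = 0.0.0.0:80, 0.0.0.0:443 ssl
admin_listen = 0.0.0.0:8444 ssl   # weak: Admin API on every interface
stream_listen = 0.0.0.0:4242
"""

LISTEN_KEYS = ("proxy_listen", "admin_listen", "stream_listen")


def parse_listeners(conf_text):
    """Return {directive: [(host, port, flags), ...]} for the listen directives."""
    listeners = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in LISTEN_KEYS or value == "off":
            continue
        entries = []
        for item in filter(str.strip, value.split(",")):
            addr, *flags = item.split()
            host, port = addr.rsplit(":", 1)  # rsplit keeps "[::1]" intact
            entries.append((host.strip("[]"), int(port), flags))
        listeners[key] = entries
    return listeners


def firewall_plan(conf_text):
    """Ports to open to clients, plus Admin API listeners that need restricting."""
    listeners = parse_listeners(conf_text)
    client_ports = sorted({
        port
        for key in ("proxy_listen", "stream_listen")
        for _, port, _ in listeners.get(key, [])
    })
    exposed_admin = [
        (host, port)
        for host, port, _ in listeners.get("admin_listen", [])
        if not ipaddress.ip_address(host).is_loopback
    ]
    return client_ports, exposed_admin


if __name__ == "__main__":
    print(firewall_plan(SAMPLE_CONF))
```

An empty second list means every Admin API listener is bound to loopback; any entry in it is a listener that must be firewalled to trusted clients only.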

    Transparent Proxying