Network & Firewall
This section summarizes the recommended network and firewall settings for Kong.
Kong uses multiple connections for different purposes:
- proxy
- management API
The proxy ports are where Kong receives its incoming traffic. There are two ports with the following defaults:
- 8000 for proxying. This is where Kong listens for HTTP traffic. Be sure to change it to 80 once you go to production. See proxy_listen.
- 8443 for proxying HTTPS traffic. Be sure to change it to 443 once you go to production. See proxy_listen_ssl.
These are the only ports that should be made available to your clients.
The Admin API ports are where Kong exposes its management API. In production, these ports should be firewalled to protect them from unauthorized access.
- 8001 provides Kong's Admin API that you can use to operate Kong. See admin_api_listen.
- 8444 provides the same Kong Admin API but using HTTPS. See admin_api_listen_ssl.
Below are the recommended firewall settings:
- The upstream APIs behind Kong will be available on proxy_listen and proxy_listen_ssl. Configure these ports according to the access level you wish to grant to the upstream APIs.
- Protect admin_api_listen and admin_api_listen_ssl so that only trusted sources can access the Admin API. See also Securing the Admin API.
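
One way to check a host against these recommendations is to classify its listening sockets by the default ports named above. The script below is an added example, not part of Kong or its documentation; the function names and the sample input are constructed, and the port lists assume the defaults (plus 80 and 443) from this page.

```shell
#!/bin/sh
# Added example: classify Kong listeners from `ss -ltnH` output.
# Port numbers are the defaults named on this page; edit them if yours differ.
PROXY_PORTS="8000 8443 80 443"
ADMIN_PORTS="8001 8444"

# Reads `ss -ltnH` lines on stdin and prints one finding per Kong listener.
# Returns 1 if any Admin API port listens beyond loopback, otherwise 0.
audit_kong_listeners() {
  awk -v proxy="$PROXY_PORTS" -v admin="$ADMIN_PORTS" '
    BEGIN {
      n = split(proxy, p, " "); for (i = 1; i <= n; i++) is_proxy[p[i]] = 1
      n = split(admin, a, " "); for (i = 1; i <= n; i++) is_admin[a[i]] = 1
    }
    $1 == "LISTEN" {
      la = $4                            # local address:port column
      if (!match(la, /:[0-9]+$/)) next   # port follows the last colon
      addr = substr(la, 1, RSTART - 1)
      port = substr(la, RSTART + 1)
      loopback = (addr ~ /^127\./ || addr == "[::1]")
      if (port in is_admin) {
        if (loopback) print "OK     admin " la " (loopback only)"
        else { print "REVIEW admin " la " (restrict to trusted sources)"; bad = 1 }
      } else if (port in is_proxy) {
        print "INFO   proxy " la " (client-facing)"
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample input, not captured from a real host.
sample_listeners() {
  cat <<'EOF'
LISTEN 0 511 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8001 0.0.0.0:*
LISTEN 0 511 [::]:8444 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# On a live host: ss -ltnH | audit_kong_listeners
sample_listeners | audit_kong_listeners || echo "An Admin API listener needs a firewall rule"
```

A REVIEW line does not mean the port is exposed, only that it is bound beyond loopback and therefore depends on a firewall rule limiting it to trusted sources.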