Description
The Kong community is very familiar with using Kong as an ingress gateway, but what about as an egress gateway? Checkr, a Kong open source user, managed to migrate 90 percent of its egress traffic using Kong. In this Kong Summit 2019 session, Checkr Software Engineer Zhuojie Zhou will cover the benefits of building out an egress gateway pattern, how Kong supports egress, and how he and his team built a solution of efficient HTTP auditing through the egress gateway.
So why are we here today? We're here today because we're living in a world of API integrations, and everything is abstracted into APIs. APIs are indeed the biggest wave of software-as-a-service platforms. An egress gateway, from a client-side standpoint, really helps to solve some of the biggest pain points on the client side of the API equation. So before we jump into the content, let me briefly introduce myself. Obviously I'm a cat lover. I'm a super big fan of open source. I'm a creator of Flagr and OpenMock.
So if you Google them, these are some of the open source tools we created and use in our internal services, and of course I'm a proud Kong contributor, although it's just a few one-liner changes. I currently work at Checkr. And here comes Checkr: we are an API company, and we're also a data platform running background checks. We understand the background check industry and the hiring industry, and we help our clients make hiring more inclusive and more efficient. So you can also check out our public API documentation to get a sense of what we are doing.
So today we're going to cover three things. First, the advantages of the egress gateway pattern. Second, we're going to talk about HTTP auditing, that is, of the raw HTTP request and response body. And last but not least, we're going to talk about future egress gateway data usage. We will have dedicated time at the end of the talk to answer questions, so feel free to step up to the microphone and ask questions at the end of this talk. Cool.
So you may ask why and how to implement this egress gateway. What if I say that we already have something that's pretty much production ready for an egress gateway? With that solution, everything feels organized: they have plugin systems, modularized operations can be codified, logging and observability are natively supported, and even some low-level routing rules are there for free.
So why the egress gateway pattern? Before we talk about egress, let's recall the definitions of ingress and egress. Ingress is a very simple but super powerful idea that most of our companies are using right now, for example api.stripe.com or api.checkr.com: you're building this gateway to control what's flowing into your cluster. I believe most of us are familiar with this concept, especially the Kong community.
On the other hand, the egress gateway pattern is that outbound requests go through strict network policies: they must go through a gateway, and as a client you're consuming other people's APIs. An egress gateway pattern enforces this network policy for all outbound API requests. So I want to highlight the fact that the number of APIs consumed equals the number of APIs served. It's pretty natural for us, for example, to put as much energy as possible into building a good ingress gateway to serve our customers.
We add logging to the ingress so that you know who calls the API, from the server side. You add, for example, OpenTracing so that you know how APIs flow into your microservices and touch all the different parts within your cluster. You add authentication and authorization so that you are serving the right customers with the right permissions. And you add rate limiting to your ingress so that you block excessive access to protect your internal services. However, think about it, just standing on your customer's side.
So normally, if we don't pay attention to outbound traffic, what could go wrong? I want to highlight Checkr's story here. What's special about Checkr is that Checkr integrates with other systems to gather background check data. For example, we talk to county courts, federal courts, DMVs, national databases and international providers, and these integrations come in all various different forms: XML, JSON, synchronous HTTP calls, asynchronous webhooks, and you may even need to implement periodic checks of data availability for those providers in addition.
We'd like to have a complete visibility solution into these outbound APIs for debugging and compliance reasons. I'm thinking: can we do something about this mess of egress control?
So let's talk about some of the pain points that we saw before we moved to the egress gateway. Here are five pain points we learned from our experience: logging standard, cross-environment configuration, observability, security and HTTP auditing. So let's go through them one by one. Take a look at the logging standard first. Logging is hard. Logging consistently is even harder. So you want to log something about outbound traffic, for example the status code, the retry count, some simple 500 and 400 errors that you got. How are you going to do that?
Imagine you have, for example, six different programming languages in your engineering org. Imagine you're using two to three different HTTP clients in Java, two HTTP clients in Ruby, let alone all the different kinds of SDKs with different built-in HTTP clients, because you are using their SDKs, and you want to log outbound requests.
So it's really hard to capture the logs and to have logs in a standard way. The second pain point is cross-environment configuration. It's pretty common that you're talking to api.something in production, api-sandbox.something in staging, and localhost.something or a mock in the integration environment or your local dev. Of course, I mean, you can leverage environment variables to define different URLs for different environments; however, we're probably abusing environment variables and crossing the line a little bit.
The management of environment variables itself then becomes a new burden. What if the configuration of egress gateway traffic lived happily within a centralized egress gateway? The forwarding URLs, so-called upstream URLs, are defined as configurable environment variables within the egress gateway itself and abstracted away from applications.
This is really why, for example, we have service discovery: because you just need to know the name of the service, you don't need to know exactly where to find a service. I mean, we build service discovery for internal services. Why couldn't we just build another service discovery for our external APIs in the same way, with a centralized egress gateway?
The egress gateway simply simplifies the observability stack into just one domain and one gateway. For example, adding new external API integrations may just look like adding a new route or a new endpoint. It's much simpler, and it is almost always supported in the average observability solution.
The fourth one is security: if you want to limit the external domains that your application can talk to, you can whitelist them, I mean one by one, with your network policies, but then there is definitely a lot of maintenance cost for the DevOps team to set up this enforcement of such restrictions. To solve this, the idea is really, really simple: just reduce the attack surface from N to 1, so, for example, Kong or Istio.
Last but not least, once you have standardized logs, observability, security and a centralized egress gateway, the pain point is that sometimes a simple and generic HTTP access log is not enough. I got a lot of requirements from parallel engineering teams. They asked: what if I want to see the raw body of a request and response?
What if I want to log the headers, even the most sensitive ones, like authorization headers, and by doing so, how can I securely store the logs, I mean the raw request and response body logs, with compliance and privacy regulations in mind? Do we really want to implement this again and again and again in every single application?
So in the next section, let's see how Checkr uses Kong and how Kong fits into the picture of solving these five pain points. Since we're already using Kong as an ingress gateway, we were wondering: hey, why not just use it as an egress gateway as well? I mean, natively Kong solves the logging standard by having all the traffic go through Kong, and it's very easy to enable a lot of official logging-related plugins, and then they use exactly the same logging standard. Cross-environment configuration: right now they support the DB-less mode beautifully.
Security can also be solved by having just one whitelisted domain that serves as the egress DNS, and all the external APIs will be listed as the upstream URLs inside that egress gateway, Kong. One thing I do want to highlight here is that for auditing the raw HTTP request and response, we do need to build something in addition to what Kong offers. We will talk about that in the next section.
So this is the architectural overview of what we have at Checkr. It's actually recommended that you deploy two instances or two clusters of Kong: one is for ingress, the other one is for egress. Kong just works, and you can deploy Kong right now with ingress and egress. The symmetry: Kong actually acts like a shell that protects your cluster in both directions, and I really recommend that you have different deployments for ingress and egress requests.
You can see how similar ingress is compared to egress. So for ingress, you are just using internal services as the upstream URL. For egress, on the other hand, you're using external APIs as the upstream URL. Both are, by definition, natively supported in Kong. So here's an example of configuring an ingress gateway in Kong. You can see we're using the latest DB-less YAML files for the demo here, and you can see the definition of two services with two routes: one points to the internal user microservices and the other one points to the internal payment services.
Egress examples are almost identical, with upstream URLs pointing to external APIs. For example, one can point to something like api.mail.com; imagine that mail is your email-sending vendor. The other one points to api.bill.com; imagine some other external API that handles invoices. So you can just send all outbound API requests to the egress gateway DNS, like egress.svc.cluster.local.
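The egress configuration described above, written out as an added example in Kong's DB-less declarative YAML. This is not the talk's own demo file nor Checkr's configuration: the vendor hostnames, the audit-collector endpoint, the consumer names and the API keys are assumed placeholders. It goes a little beyond the two bare services by also wiring in what the talk mentions next: key-auth so that internal callers identify themselves as Kong consumers, ACL groups restricting which consumer may reach which vendor, a correlation ID header and an HTTP access log.

```yaml
_format_version: "1.1"

# Egress gateway: one service + route per external API. Internal callers send
# everything to egress.svc.cluster.local and choose the vendor by path prefix.
services:
  - name: mail-vendor
    url: https://api.mail.example            # assumed: the email-sending vendor
    routes:
      - name: mail-vendor-route
        paths: ["/mail"]
        strip_path: true                     # /mail/v1/send -> /v1/send at the vendor
        protocols: ["http", "https"]
    plugins:
      - name: acl
        config:
          whitelist: ["mail-senders"]        # Kong 1.x field name; Kong 2.x calls it `allow`

  - name: billing-vendor
    url: https://api.bill.example            # assumed: the invoicing vendor
    routes:
      - name: billing-vendor-route
        paths: ["/bill"]
        strip_path: true
        protocols: ["http", "https"]
    plugins:
      - name: acl
        config:
          whitelist: ["invoice-services"]

# Global plugins: every internal caller must present a key, every outbound
# request gets a correlation ID, and every request/response is access-logged.
plugins:
  - name: key-auth
    config:
      key_names: ["apikey"]
      hide_credentials: true                 # strip the internal key before it reaches the vendor
  - name: correlation-id
    config:
      header_name: Kong-Request-ID
      generator: uuid
      echo_downstream: true                  # caller sees the ID it can grep for in the logs
  - name: http-log
    config:
      http_endpoint: http://audit-collector.svc.cluster.local:8080/kong   # assumed collector

# Internal services become ordinary Kong consumers. Keys here are placeholders;
# in a real deployment they come from a secret store, not from the config file.
consumers:
  - username: notification-service
    keyauth_credentials:
      - key: notification-service-key-placeholder
    acls:
      - group: mail-senders
  - username: invoice-service
    keyauth_credentials:
      - key: invoice-service-key-placeholder
    acls:
      - group: invoice-services
      - group: mail-senders                  # invoices also send mail, so it gets both groups
```

With this loaded (`kong config db_import` or `KONG_DECLARATIVE_CONFIG` in DB-less mode), the notification service calls `http://egress.svc.cluster.local/mail/v1/send` with its `apikey` header and Kong forwards the request to the mail vendor; the same service calling `/bill/...` is rejected by the ACL plugin with a 403, which is the N-to-1 network policy the talk describes, enforced at one place instead of per application. Two caveats a practitioner would want: the ACL plugin only means something when an authentication plugin runs before it (key-auth here), and `hide_credentials` matters because otherwise the internal consumer key is forwarded to the third party alongside the vendor credentials the application itself supplies.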
After doing that, you realize a very nice thing: you can now treat your internal services as Kong consumers, just like normal external consumers. Let's dive into some detailed examples here. A lot of familiar plugins originally designed for external consumers just work for your internal services. For example, you can use all sorts of authentication-related plugins to control which internal services can talk to external APIs. You can use ACLs to even implement a simple authorization framework for your internal services.
You can enable Datadog or Prometheus for kind of instant observability into your internal services' outbound traffic. You can enable a correlation ID in the headers, adding more information for you to trace the logging to the edge of outbound traffic. You can also do request or response transformation for some of the common logic that goes through the egress gateway.
You know, the first time I discovered this, I thought: mind blown. It opened a new world to me, because all the familiar plugins that apply to external consumers now, all of a sudden, are at my fingertips for internal service consumers. I really love this rich plugin system that gave me so much convenience by doing so.
So to recap, from the experience of using Kong as an egress gateway, we quickly learned that Kong solves, for example, the first four pain points, and we are going to cover the pain point of doing HTTP auditing, i.e. getting or inspecting the raw HTTP request and response body. So let's talk about HTTP auditing. If you remember what we discussed about Checkr, we are exhausting all possible data sources to reach the maximum accuracy of background checks that we can, and the problem we're facing is auditing the raw outgoing HTTP requests and responses, so that we can debug or comply with regulations, and storing the raw logs in a secure and efficient manner, and we don't want to implement this HTTP auditing logic for every single application. This is where the Kong egress gateway steps in, again.
If I have time, I'd really like to dive into what the HTTP logger is, and there is a soon-to-be open-sourced service for storing the raw HTTP body logs, and then you can see some of the performance stats here. The whole HTTP auditing stack is designed to handle and securely store raw HTTP body logs from Kong. It has really low latency: the p50 is less than one millisecond, because it stores the logs asynchronously, and it doesn't add much overhead to the egress gateway.
So if you have performance concerns or considerations about the egress gateway, please chat with me offline. So going forward, we have an egress gateway. How do we use it? I can think of this: now we have a lot of egress data; we can leverage the egress gateway data in our non-production environment. So here are some ideas that we are actively working on at Checkr. I'm going to throw out some ideas that we are thinking of for extending the egress gateway.
That's the key. Real data in production is really... We don't want real data, real PII, personally identifiable data, in the non-production environment. However, real data, I mean, is usually a luxury to have in a non-production environment. On the other hand, it can be very costly, and we're facing privacy and PII concerns in numbers. So with that, we talked about HTTP auditing.
We log a lot of data and standardize the outbound APIs. Real data from production that goes through the egress gateway can be redacted into useful data in the non-production environment, and we can now enable a lot of very nice features like a mocking data generator and do a lot of things like backtesting. So a mocking generator for our integration tests or for our unit tests, or for staging a new environment: it's really critical to us.
Here's a shameless plug for another open source project that we built at Checkr called OpenMock. It's a very flexible microservice behavior mocking framework that supports not only HTTP but also Kafka and AMQP, like RabbitMQ, and we are actively using it in our integration environment and staging environment. And of course, I just learned about Mockbin this morning from Kong's keynote speaker; that's also really great. And back to tap and backtesting.
With the redacted data, we will replace some of the real PII with some fake generated PII, and in our staging environment you can now replay these egress auditing logs and egress requests and test our new business logic or your new machine learning algorithms. So this is a really powerful tool, given the data from the egress gateway, and it can enable more use cases of the egress gateway. I think we're going to quickly summarize what we discussed today: the egress gateway solves some of the pain points in the integration of external APIs. From our experience, it really works well in solving these five pain points. I do want to call out some limitations and restrictions in the process of building the egress gateway at Checkr. I'd like to have, for example, I'd really like to have better mutual TLS, as client certificates, at the time, because a lot of providers or external APIs may require some mutual TLS.
They are equally important to a healthy engineering organization, and it's really the beauty of symmetry here. A lot of the reasoning about building API ingress gateways can also apply to building egress gateways. Do not repeat yourself: consolidate the repeatable common modules into just one gateway.
We have the simple and great idea of a reverse proxy for the ingress gateway; we can also have the same simple implementation for our egress traffic. Thanks, guys. At the end, we're hiring senior engineers for the API platform team in SF and Denver. We just closed a new funding round. Talk to me offline if you're interested. Thank you so much. Thanks for having me.
Yeah, that's a very good question. So keys and all security-related things are still within the application. So, for example, let's say service A needs to talk to external API A, and then the keys and password to talk to API A will still be managed by service A, not the proxy, not the egress gateway. So the egress gateway is like a transparent egress gateway that doesn't need to handle those kinds of application secrets, because not everyone needs to leverage that secret with application A.