Kong Gateway 3.9 OSS API gateway on Ubuntu 24.04 LTS by cloudimg. PostgreSQL 16 backend, decK CLI, key-auth example route, Admin API on loopback only. Apache 2.0 licensed.
## Kong Gateway 3 OSS on Ubuntu 24.04 by cloudimg
Kong Gateway is the most widely deployed open-source API gateway — a high-performance reverse proxy that sits in front of your APIs and microservices and handles authentication, rate limiting, request transformation, traffic shaping, observability, and policy enforcement. Built on top of NGINX and OpenResty, Kong is written in Lua and has a 100+ plugin ecosystem covering OAuth 2, JWT, key-auth, basic-auth, ACL, IP restriction, request/response transforming, Prometheus metrics, OpenTelemetry tracing, AWS Lambda invocation, gRPC, GraphQL, and more.
The cloudimg image installs Kong Gateway 3.9.1 OSS Community Edition (Apache 2.0) from the official Kong APT repository, configured in DB-backed mode against PostgreSQL 16. The Admin API is bound to 127.0.0.1:8001 ONLY — Kong OSS Admin API has no built-in auth, so loopback is the security boundary. The proxy listener runs on TCP 8000 (HTTP) and 8443 (HTTPS, with Kong's bundled self-signed cert) on every interface so customer apps can route real traffic through it from launch.
### Why Choose cloudimg?
* 24/7 Expert Support with guaranteed 24 hour response. support@cloudimg.co.uk
* Production Ready from Launch: Pre-configured, security-patched, validated
* Azure Native Integration: Azure Linux Agent, cloud-init, Gen2 Hyper-V, TrustedLaunch
* Per VM credentials at first boot: PostgreSQL kong role password and a sample consumer API key are rotated uniquely on every customer VM via kong-firstboot.service
* Loopback-only Admin API: Kong OSS Admin API has no auth; cloudimg hard-codes admin_listen = 127.0.0.1:8001 in /etc/kong/kong.conf and the cleanup contract verifies it before SIG capture
### What is Included
* Kong Gateway 3.9.1 OSS from packages.konghq.com/public/gateway-310 (Apache 2.0)
* PostgreSQL 16 from Ubuntu noble main with kong role + kong database, listening on 127.0.0.1 only
* decK 1.59.1 (Kong's declarative config CLI) at /usr/local/bin/deck for managing Kong entities via YAML/JSON in git
* Pre-wired example service + route + key-auth plugin + cloudimg consumer at first boot — curl -H 'apikey: $KEY' http://
* kong.service systemd unit auto-starting on boot
* kong-firstboot.service oneshot rotating per-VM PostgreSQL password and consumer API key
* /etc/kong/kong.conf with admin_listen = 127.0.0.1:8001 (loopback only — security boundary)
* Ubuntu 24.04 LTS base with latest security patches applied at build time
* 24/7 cloudimg support with guaranteed 24 hour response SLA
### No Plugins Pre-Installed Beyond Bundled
Kong ships with 30+ plugins bundled in the OSS package. Customers enable the ones they want via the Admin API or decK YAML. Common starter plugins are key-auth, jwt, rate-limiting, prometheus, cors, ip-restriction, and request-transformer.
### Use Cases
* API gateway in front of internal microservices (auth + rate limit + observability)
* Public API edge with key-auth or JWT authentication and quota enforcement
* Multi-team API platform with per-consumer rate limits and ACLs
* Plugin-driven request/response transformation (header injection, body rewriting)
* Observability proxy collecting Prometheus metrics + OpenTelemetry traces from every API call
* Drop-in replacement for self-managed Kong on EC2 or on-premises during cloud migration
### Technical Specifications
* Operating System: Ubuntu 24.04 LTS (Noble Numbat)
* Kong Version: 3.9.1 OSS Community Edition (latest stable on the gateway-310 channel)
* Database: PostgreSQL 16 (Ubuntu noble main), DB-backed mode
* Proxy Ports: 8000 (HTTP), 8443 (HTTPS with Kong's bundled self-signed cert)
* Admin API Port: 8001 (loopback only — do not expose without an authenticated reverse proxy)
* Default User: azureuser (sudo enabled, OS); cloudimg (Kong consumer with key-auth)
* Service Management: systemd (kong.service, kong-firstboot.service, postgresql.service)
* Recommended Size: Standard_B2s (2 vCPU, 4 GB) for dev/test; Standard_D2s_v5 or D4s_v5 for production
* VM Generation: Hyper-V Gen2 with UEFI boot
### Notes on TLS and Hardening
Kong's 8443 listener uses Kong's bundled self-signed cert by design. For production, terminate real TLS at an upstream Application Gateway / Front Door, replace the bundled cert with a Let's Encrypt cert via certbot, or use a Kong-managed cert via the /certificates Admin API endpoint. The Admin API on 8001 must remain loopback only; if remote admin is needed, tunnel it via SSH or front it with an authenticated reverse proxy. The cloudimg `nginx-ssl-certbot-ubuntu-24-04` image makes a good companion proxy for both the proxy listener and a future authenticated Admin API surface.
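
One way to verify the loopback-only Admin API binding described above, as an added example rather than cloudimg's own cleanup check: a POSIX shell function that parses `admin_listen` from a Kong config file and fails on any non-loopback address. The function names and the sample config are constructed for illustration; the check also honours the `KONG_ADMIN_LISTEN` environment override.

```shell
#!/bin/sh
# Added example (not cloudimg or Kong code): audit kong.conf for Admin API
# listeners bound to anything other than loopback.

# Print the value of the last uncommented admin_listen line, minus any
# trailing "# comment". Prints nothing when the key is not set.
admin_listen_value() {
    sed -n 's/^[[:space:]]*admin_listen[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*#.*$//' | tail -n 1
}

# Exit status: 0 = every entry is loopback or "off", 1 = exposed, 2 = unreadable.
# The body is a subshell so the IFS and globbing changes do not leak out.
check_admin_listen() (
    if [ ! -r "$1" ]; then echo "cannot read $1" >&2; exit 2; fi
    # Kong lets KONG_ADMIN_LISTEN in the environment override the file.
    value=${KONG_ADMIN_LISTEN:-$(admin_listen_value "$1")}
    # Key unset everywhere: Kong's built-in default binds 127.0.0.1.
    if [ -z "$value" ]; then exit 0; fi
    rc=0
    set -f      # "[::1]" must not be treated as a glob pattern
    IFS=,       # entries are comma-separated: "ip:port [flags], ip:port [flags]"
    for entry in $value; do
        addr=$(printf '%s\n' "$entry" | awk '{print $1}')  # drop flags such as "ssl"
        if [ -z "$addr" ] || [ "$addr" = off ]; then continue; fi
        host=${addr%:*}                                     # strip ":port"
        case $host in
            127.*.*.*|"[::1]") ;;                           # loopback
            *) echo "non-loopback admin_listen: $addr" >&2; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Constructed sample input: one safe entry, one exposed on every interface.
sample=$(mktemp)
printf '%s\n' '#admin_listen = 127.0.0.1:8001' \
    'admin_listen = 127.0.0.1:8001 reuseport, 0.0.0.0:8444 ssl' > "$sample"
if check_admin_listen "$sample"; then
    echo "OK: loopback only"
else
    echo "FAIL: Admin API exposed"
fi
rm -f "$sample"
```

On the image, point it at `/etc/kong/kong.conf`. It checks configuration only, so confirm the live socket separately with `ss -ltn`.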
### Support
cloudimg provides 24/7/365 expert technical support. Contact support@cloudimg.co.uk or visit www.cloudimg.co.uk for the latest documentation and deployment guides.