Reference for plugin compatibility with Kong Gateway and Konnect deployment topologies, network protocols, and entity scopes.
If you’re looking for plugin availability by subscription tier, see Plugin License Tiers.
Deployment topologies
Kong Gateway can be deployed in the following modes:
-
Self-managed: Use any hosting service of your choice or host Kong Gateway on-premises,
with any of the following network configurations:
- Traditional: Every node is connected to a database. Refers to a classic deployment on any platform, including Kubernetes.
-
DB-less:
Deployed without a database (available in Kong Gateway (OSS)
1.1 and Kong Enterprise 2.4 onward). Admin API is read-only,
except for the
/configendpoint. Refers to a DB-less deployment on any platform, including Kubernetes. - Hybrid mode: Nodes are split into control plane and data plane roles. The control plane coordinates configuration and propagates it to data plane nodes, so only control plane nodes require a database (available in Kong Gateway (OSS) 2.0 and Kong Enterprise 2.1 onward).
- Konnect (Kong-hosted cloud): Hybrid deployment. Nodes are split into control plane and data plane roles. Kong provides and hosts the control plane and a database with Kong Konnect, and you provide the Kong Gateway data plane nodes (no databases required).
Authentication
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| Portal Application Registration |
Application registration is available in Konnect, but doesn't require this plugin. Learn how to Enable Application Registration in Konnect. |
||||
| Basic Authentication | -- | ||||
| HMAC Auth | -- | ||||
| JWE Decrypt | -- | ||||
| JWT | -- | ||||
| Kong JWT Signer | -- | ||||
| Key Auth | The time-to-live (ttl) does not work in Konnect or hybrid mode. This setting determines the length of time a credential remains valid. | ||||
| Key Authentication - Encrypted | The time-to-live (ttl) does not work in Konnect or hybrid mode. This setting determines the length of time a credential remains valid. | ||||
| LDAP Authentication | -- | ||||
| LDAP Authentication Advanced | -- | ||||
| Mutual TLS Authentication | -- | ||||
| OAuth 2.0 Authentication | This plugin can't be used in Konnect, hybrid, or DB-less modes. It needs to generate and delete tokens, and commit those changes to a database on the same node. | ||||
| OAuth 2.0 Introspection | -- | ||||
| OpenID Connect | -- | ||||
| SAML | -- | ||||
| Session | -- | ||||
| Vault Authentication | -- |
Security
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| ACME | -- | ||||
| Bot Detection | -- | ||||
| CORS | -- | ||||
| IP Restriction | -- | ||||
| OPA | -- | ||||
| TLS Handshake Modifier | -- | ||||
| TLS Metadata Headers | -- |
Traffic Control
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| ACL | -- | ||||
| Canary Release | -- | ||||
| Forward Proxy Advanced | -- | ||||
| GraphQL Proxy Caching Advanced | -- | ||||
| GraphQL Rate Limiting Advanced |
In DB-less, hybrid mode, and Konnect, the cluster config strategy
is not supported. Use redis instead.
|
||||
| Mocking | -- | ||||
| OAS Validation | -- | ||||
| Proxy Cache | -- | ||||
| Proxy Caching Advanced | -- | ||||
| Rate Limiting |
In Konnect, DB-less, and hybrid modes, the cluster config policy
is not supported.
For DB-less mode, use one of redis or local;
for Konnect and hybrid mode, use redis, or local for data
planes only.
|
||||
| Rate Limiting Advanced |
In Konnect, DB-less, and hybrid modes, the cluster config strategy
is not supported.
For DB-less mode, use one of redis or local;
for Konnect and hybrid mode, use redis, or local for data
planes only.
|
||||
| Request Size Limiting | -- | ||||
| Request Termination | -- | ||||
| Request Validator | -- | ||||
| Response Rate Limiting |
In Konnect, DB-less, and hybrid modes, the cluster config policy
is not supported.
For DB-less mode, use one of redis or local;
for Konnect and hybrid mode, use redis, or local for data
planes only.
|
||||
| Route By Header | -- | ||||
| Upstream Timeout | -- | ||||
| WebSocket Size Limit | -- | ||||
| WebSocket Validator | -- | ||||
| XML Threat Protection | -- |
Serverless
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| AWS Lambda | -- | ||||
| Azure Functions | -- | ||||
| Apache OpenWhisk |
Not bundled with Kong Gateway.
Installed as a LuaRocks package. |
||||
| Kong Functions (Post-Plugin) | |||||
| Kong Functions (Pre-Plugins) |
Analytics & Monitoring
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| AppDynamics | |||||
| Datadog | -- | ||||
| OpenTelemetry | -- | ||||
| Prometheus | -- | ||||
| Zipkin | -- |
Transformations
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| Correlation ID | -- | ||||
| DeGraphQL | -- | ||||
| Exit Transformer | -- | ||||
| gRPC-gateway | -- | ||||
| gRPC-Web | -- | ||||
| jq | -- | ||||
| Kafka Upstream | -- | ||||
| Request Transformer | -- | ||||
| Request Transformer Advanced | -- | ||||
| Response Transformer | -- | ||||
| Response Transformer Advanced | -- | ||||
| Route Transformer Advanced | -- |
Logging
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| File Log | -- | ||||
| HTTP Log | -- | ||||
| Kafka Log | -- | ||||
| Loggly | -- | ||||
| StatsD | -- | ||||
| StatsD Advanced | -- | ||||
| Syslog | -- | ||||
| TCP Log | -- | ||||
| UDP Log | -- |
Protocols
Kong Gateway and Konnect plugins are compatible with the following protocols:
Scopes
Plugins can be scoped or global (without scope):
- Scoped plugin: Plugin applied to a specific service, route, or consumer.
- Global plugin: Plugin applies either to your entire environment, or if running Kong Enterprise, your entire workspace.
See the following table for plugins and their compatible scopes: