Reference for plugin compatibility with Kong Gateway and Konnect deployment topologies, network protocols, and entity scopes.
Deployment topologies
Kong Gateway can be deployed in the following modes:
-
Self-managed: Use any hosting service of your choice or host Kong Gateway on-premises,
with any of the following network configurations:
- Traditional: Every node is connected to a database. Refers to a classic deployment on any platform, including Kubernetes.
-
DB-less:
Deployed without a database (available in Kong Gateway (OSS)
1.1 and Kong Gateway Enterprise 2.4 onward). Admin API is read-only,
except for the
/configendpoint. Refers to a DB-less deployment on any platform, including Kubernetes. - Hybrid mode: Nodes are split into control plane and data plane roles. The control plane coordinates configuration and propagates it to data plane nodes, so only control plane nodes require a database (available in Kong Gateway (OSS) 2.0 and Kong Gateway Enterprise 2.1 onward).
-
Konnect (Kong-hosted cloud):
- Hybrid: Nodes are split into control plane and data plane roles. Kong provides and hosts the control plane and a database with Kong Konnect, and you provide the Kong Gateway data plane nodes (no databases required).
- Dedicated Cloud Gateways: Kong manages both the control plane and the data plane nodes through Kong Konnect.
- Serverless Gateways: Kong manages both the control plane and the data plane through Kong Konnect.
AI
| Plugin | Traditional | DB-less | Self-managed hybrid | Konnect hybrid | Dedicated Cloud Gateways | Serverless Gateways | Notes |
|---|---|---|---|---|---|---|---|
| AI Azure Content Safety |
– |
||||||
| AI Prompt Decorator |
– |
||||||
| AI Prompt Guard |
– |
||||||
| AI Prompt Template |
– |
||||||
| AI Proxy |
– |
||||||
| AI Proxy Advanced |
– |
||||||
| AI RAG Injector |
– |
||||||
| AI Rate Limiting Advanced |
In DB-less, hybrid mode, and Konnect, the |
||||||
| AI Request Transformer |
– |
||||||
| AI Response Transformer |
– |
||||||
| AI Sanitizer |
– |
||||||
| AI Semantic Cache | |||||||
| AI Semantic Prompt Guard |
– |
Authentication
| Plugin | Traditional | DB-less | Self-managed hybrid | Konnect hybrid | Dedicated Cloud Gateways | Serverless Gateways | Notes |
|---|---|---|---|---|---|---|---|
| Portal Application Registration |
Application registration is available in Konnect, but doesn’t require this plugin. |
||||||
| Basic Authentication |
– |
||||||
| Header Cert Authentication |
– |
||||||
| HMAC Auth |
– |
||||||
| JWE Decrypt |
– |
||||||
| JWT |
– |
||||||
| Kong JWT Signer |
– |
||||||
| Key Auth |
The time-to-live (ttl) does not work in Konnect or hybrid mode. This setting determines the length of time a credential remains valid. |
||||||
| Key Authentication - Encrypted |
This plugin is not available in Konnect, and has limitations in hybrid mode:
|
||||||
| LDAP Authentication |
– |
||||||
| LDAP Authentication Advanced |
– |
||||||
| Mutual TLS Authentication |
Serverless Gateways: This plugin is not supported in serverless gateways because the TLS handshake does not occur at the Kong layer in this setup. |
||||||
| OAuth 2.0 Authentication |
This plugin can’t be used in Konnect, hybrid, or DB-less modes. It needs to generate and delete tokens, and commit those changes to a database on the same node. |
||||||
| OAuth 2.0 Introspection |
– |
||||||
| OpenID Connect |
In Serverless gateways only the |
||||||
| SAML |
In Serverless gateways only the |
||||||
| Session |
– |
||||||
| Upstream OAuth |
In Serverless gateways only the |
||||||
| Vault Authentication |
– |
Security
| Plugin | Traditional | DB-less | Self-managed hybrid | Konnect hybrid | Dedicated Cloud Gateways | Serverless Gateways | Notes |
|---|---|---|---|---|---|---|---|
| ACME |
Serverless Gateways: This plugin is not supported in serverless gateways because the TLS handshake does not occur at the Kong layer in this setup. |
||||||
| Bot Detection |
– |
||||||
| CORS |
– |
||||||
| Injection Protection | |||||||
| IP Restriction |
– |
||||||
| JSON Threat Protection |
– |
||||||
| OPA |
– |
||||||
| TLS Handshake Modifier |
Serverless Gateways: This plugin is not supported in serverless gateways because the TLS handshake does not occur at the Kong layer in this setup. |
||||||
| TLS Metadata Headers |
Serverless Gateways: This plugin is not supported in serverless gateways because the TLS handshake does not occur at the Kong layer in this setup. |
Traffic Control
| Plugin | Traditional | DB-less | Self-managed hybrid | Konnect hybrid | Dedicated Cloud Gateways | Serverless Gateways | Notes |
|---|---|---|---|---|---|---|---|
| ACL |
– |
||||||
| Canary Release |
The Canary plugin is not designed for a Kubernetes-native framework, and shouldn’t be used with the Kong Ingress Controller. Instead, use the Gateway API to manage canary deploys. |
||||||
| Confluent Consume |
– |
||||||
| Forward Proxy Advanced |
– |
||||||
| GraphQL Proxy Caching Advanced |
This plugin’s API doesn’t work in hybrid mode, as it targets data that only exists on data planes,
and data planes can’t use Kong’s Admin API. In Serverless gateways only the |
||||||
| GraphQL Rate Limiting Advanced |
In DB-less, hybrid mode, and Konnect, the |
||||||
| Kafka Consume |
– |
||||||
| Mocking |
– |
||||||
| OAS Validation |
– |
||||||
| Proxy Cache |
– |
||||||
| Proxy Caching Advanced |
In Serverless gateways only the |
||||||
| Rate Limiting |
In Konnect, DB-less, and hybrid modes, the |
||||||
| Rate Limiting Advanced |
In Konnect, DB-less, and hybrid modes, the |
||||||
| Redirect |
– |
||||||
| Request Size Limiting |
– |
||||||
| Request Termination |
– |
||||||
| Request Validator |
– |
||||||
| Response Rate Limiting |
In Konnect, DB-less, and hybrid modes, the |
||||||
| Route By Header |
– |
||||||
| Service Protection |
This plugin doesn’t support cluster policies. If you want to use this plugin in hybrid mode or in Konnect, use Redis for storage. |
||||||
| Standard Webhooks | |||||||
| Upstream Timeout |
– |
||||||
| WebSocket Size Limit |
– |
||||||
| WebSocket Validator |
– |
||||||
| XML Threat Protection |
– |
Serverless
| Plugin | Traditional | DB-less | Self-managed hybrid | Konnect hybrid | Dedicated Cloud Gateways | Serverless Gateways | Notes |
|---|---|---|---|---|---|---|---|
| AWS Lambda |
Dedicated Cloud Gateways: If you use the IAM assumeRole functionality with this plugin, it must be configured differently than for hybrid deployments in Konnect. |
||||||
| Azure Functions |
– |
||||||
| Apache OpenWhisk |
Not bundled with Kong Gateway.
|
||||||
| Kong Functions (Post-Plugin) | |||||||
| Kong Functions (Pre-Plugins) |
Analytics & Monitoring
| Plugin | Traditional | DB-less | Self-managed hybrid | Konnect hybrid | Dedicated Cloud Gateways | Serverless Gateways | Notes |
|---|---|---|---|---|---|---|---|
| AppDynamics |
Dedicated Cloud Gateways: This plugin is not supported in Dedicated or Serverless Cloud Gateways because it depends on a local agent, and there are no local nodes in Dedicated or Serverless Cloud Gateways. |
||||||
| Datadog |
– |
||||||
| Dynatrace | |||||||
| OpenTelemetry |
– |
||||||
| Prometheus |
Dedicated and Serverless Cloud Gateways: This plugin is not supported in Dedicated or Serverless Cloud Gateways because it depends on the Admin API and the Status API, which aren’t accessible in that setup. |
||||||
| StatsD |
– |
||||||
| StatsD Advanced |
– |
||||||
| Zipkin |
– |
Transformations
| Plugin | Traditional | DB-less | Self-managed hybrid | Konnect hybrid | Dedicated Cloud Gateways | Serverless Gateways | Notes |
|---|---|---|---|---|---|---|---|
| Confluent |
– |
||||||
| Correlation ID |
– |
||||||
| DeGraphQL |
– |
||||||
| Exit Transformer |
– |
||||||
| gRPC-gateway |
– |
||||||
| gRPC-Web |
– |
||||||
| jq |
– |
||||||
| Kafka Upstream |
– |
||||||
| Request Callout |
– |
||||||
| Request Transformer |
– |
||||||
| Request Transformer Advanced |
– |
||||||
| Response Transformer |
– |
||||||
| Response Transformer Advanced |
– |
||||||
| Route Transformer Advanced |
– |
Logging
| Plugin | Traditional | DB-less | Self-managed hybrid | Konnect hybrid | Dedicated Cloud Gateways | Serverless Gateways | Notes |
|---|---|---|---|---|---|---|---|
| File Log |
Dedicated Cloud Gateways: This plugin is not supported in Dedicated or Serverless Cloud Gateways because it depends on a local agent, and there are no local nodes in Dedicated or Serverless Cloud Gateways. |
||||||
| HTTP Log |
– |
||||||
| Kafka Log |
– |
||||||
| Loggly |
– |
||||||
| Syslog |
Dedicated and Serverless Cloud Gateways: This plugin is not supported in Dedicated or Serverless Cloud Gateways because it depends on a local agent, and there are no local nodes in Dedicated or Serverless Cloud Gateways. |
||||||
| TCP Log |
– |
||||||
| UDP Log |
– |
Protocols
Kong Gateway and Konnect plugins are compatible with the following protocols:
Scopes
Plugins can be scoped or global (without scope):
- Scoped plugin: Plugin applied to a specific service, route, or consumer.
- Global plugin: Plugin applies either to your entire environment, or if running Kong Gateway Enterprise, your entire workspace.
See the following table for plugins and their compatible scopes: