Kong Gateway Plugins Compatibility

Uses: Kong Gateway

Related Documentation

Related Resources

Plugin Hub

See the following table for supported deployment topologies and Data Plane hosting options in Konnect per plugin:

Plugin	Self-managed	Konnect	Notes
ACL	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
ACME	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways`	Serverless Gateways: This plugin is not supported in serverless gateways because the TLS handshake does not occur at the Kong layer in this setup.
AI AWS Guardrails	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Azure Content Safety	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Prompt Compressor	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Prompt Decorator	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Prompt Guard	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Prompt Template	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Proxy	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Proxy Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI RAG Injector	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Rate Limiting Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	In DB-less, hybrid mode, and Konnect, the `cluster` config strategy is not supported. Use `redis` instead. In Serverless gateways only the `local` config strategy is supported.
AI Request Transformer	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Response Transformer	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Sanitizer	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Semantic Cache	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AI Semantic Prompt Guard	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
AppDynamics	`hybrid` `db-less` `traditional`	`hybrid`	Dedicated Cloud Gateways: This plugin is not supported in Dedicated or Serverless Cloud Gateways because it depends on a local agent, and there are no local nodes in Dedicated or Serverless Cloud Gateways.
AWS Lambda	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	Dedicated Cloud Gateways: If you use the IAM assumeRole functionality with this plugin, it must be configured differently than for hybrid deployments in Konnect.
Azure Functions	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Basic Auth	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Bot Detection	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Canary Release	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	The Canary plugin is not designed for a Kubernetes-native framework, and shouldn’t be used with the Kong Ingress Controller. Instead, use the Gateway API to manage canary deploys.
Confluent	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Confluent Consume	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Correlation ID	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
CORS	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Datadog	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Datakit	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
DeGraphQL	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Exit Transformer	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
File Log	`hybrid` `db-less` `traditional`	`hybrid`	Dedicated Cloud Gateways: This plugin is not supported in Dedicated or Serverless Cloud Gateways because it depends on a local agent, and there are no local nodes in Dedicated or Serverless Cloud Gateways.
Forward Proxy Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
GraphQL Proxy Caching Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	This plugin’s API doesn’t work in hybrid mode, as it targets data that only exists on data planes, and data planes can’t use Kong’s Admin API. In Serverless gateways only the `memory` config strategy is supported.
GraphQL Rate Limiting Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways`	In DB-less, hybrid mode, and Konnect, the `cluster` config strategy is not supported. Use `redis` instead.
gRPC-Gateway	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
gRPC-Web	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Header Cert Authentication	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways`
HMAC Auth	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
HTTP Log	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Injection Protection	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
IP Restriction	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
jq	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
JSON Threat Protection	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
JWE Decrypt	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
JWT	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
JWT Signer	`hybrid` `db-less` `traditional`	Not supported in Konnect.
Kafka Consume	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Kafka Log	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Kafka Upstream	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Key Auth	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	The time-to-live (ttl) does not work in Konnect or hybrid mode. This setting determines the length of time a credential remains valid.
Key Authentication - Encrypted	`hybrid` `db-less` `traditional`	Not supported in Konnect.	This plugin is not available in Konnect, and has limitations in hybrid mode: Konnect automatically encrypts key authentication credentials at rest, so encryption via this plugin is not necessary. Use the regular Key Auth plugin instead. The time-to-live (ttl) does not work in hybrid mode. This setting determines the length of time a credential remains valid.
LDAP Authentication	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
LDAP Authentication Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Loggly	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Mocking	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Mutual TLS Authentication	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways`	Serverless Gateways: This plugin is not supported in serverless gateways because the TLS handshake does not occur at the Kong layer in this setup.
OAS Validation	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
OAuth 2.0 Authentication	`traditional`	Not supported in Konnect.	This plugin can’t be used in Konnect, hybrid, or DB-less modes. It needs to generate and delete tokens, and commit those changes to a database on the same node.
OAuth 2.0 Introspection	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
OPA	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
OpenID Connect	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	In Serverless gateways only the `cookie` config session storage is supported.
OpenTelemetry	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Post-Function	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Pre-Function	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Prometheus	`hybrid` `db-less` `traditional`	`hybrid`	Dedicated and Serverless Cloud Gateways: This plugin is not supported in Dedicated or Serverless Cloud Gateways because it depends on the Admin API and the Status API, which aren’t accessible in that setup.
Proxy Cache	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Proxy Caching Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	In Serverless gateways only the `memory` config strategy is supported.
Rate Limiting	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	In Konnect, DB-less, and hybrid modes, the `cluster` config policy is not supported. For DB-less mode, use one of `redis` or `local`; for Konnect and hybrid mode, use `redis`, or `local` for data planes only. In Serverless gateways only the `local` config policy is supported.
Rate Limiting Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	In Konnect, DB-less, and hybrid modes, the `cluster` config strategy is not supported. For DB-less mode, use one of `redis` or `local`; for Konnect and hybrid mode, use `redis`, or `local` for data planes only. In Serverless gateways only the `local` config strategy is supported.
Redirect	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Request Callout	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Request Size Limiting	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Request Termination	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Request Transformer	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Request Transformer Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Request Validator	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Response Rate Limiting	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	In Konnect, DB-less, and hybrid modes, the `cluster` config policy is not supported. For DB-less mode, use one of `redis` or `local`; for Konnect and hybrid mode, use `redis`, or `local` for data planes only. In Serverless gateways only the `local` config policy is supported.
Response Transformer	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Response Transformer Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Route By Header	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Route Transformer Advanced	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
SAML	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	In Serverless gateways only the `cookie` config session storage is supported.
Service Protection	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	This plugin doesn’t support cluster policies. If you want to use this plugin in hybrid mode or in Konnect, use Redis for storage.
Session	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Solace Upstream	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Standard Webhooks	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
StatsD	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Syslog	`hybrid` `db-less` `traditional`	`hybrid`	Dedicated and Serverless Cloud Gateways: This plugin is not supported in Dedicated or Serverless Cloud Gateways because it depends on a local agent, and there are no local nodes in Dedicated or Serverless Cloud Gateways.
TCP Log	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
TLS Handshake Modifier	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways`	Serverless Gateways: This plugin is not supported in serverless gateways because the TLS handshake does not occur at the Kong layer in this setup.
TLS Metadata Headers	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways`	Serverless Gateways: This plugin is not supported in serverless gateways because the TLS handshake does not occur at the Kong layer in this setup.
UDP Log	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Upstream OAuth	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`	In Serverless gateways only the `memory` cache strategy is supported.
Upstream Timeout	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Vault Authentication	`hybrid` `db-less` `traditional`	Not supported in Konnect.
WebSocket Size Limit	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
WebSocket Validator	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
XML Threat Protection	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`
Zipkin	`hybrid` `db-less` `traditional`	`hybrid` `cloud-gateways` `serverless`

Kong Gateway Plugins Compatibility

Did this doc help?

Help us make these docs great!

Still need help