Reference for plugin compatibility with Kong Gateway and Konnect deployment topologies, network protocols, and entity scopes.
If you’re looking for plugin availability by subscription tier, see Plugin License Tiers.
Deployment topologies
Kong Gateway can be deployed in the following modes:
-
Self-managed: Use any hosting service of your choice or host Kong Gateway on-premises,
with any of the following network configurations:
- Traditional: Every node is connected to a database. Refers to a classic deployment on any platform, including Kubernetes.
-
DB-less:
Deployed without a database (available in Kong Gateway (OSS)
1.1 and Kong Enterprise 2.4 onward). Admin API is read-only,
except for the
/configendpoint. Refers to a DB-less deployment on any platform, including Kubernetes. - Hybrid mode: Nodes are split into control plane and data plane roles. The control plane coordinates configuration and propagates it to data plane nodes, so only control plane nodes require a database (available in Kong Gateway (OSS) 2.0 and Kong Enterprise 2.1 onward).
- Konnect (Kong-hosted cloud): Hybrid deployment. Nodes are split into control plane and data plane roles. Kong provides and hosts the control plane and a database with Kong Konnect, and you provide the Kong Gateway data plane nodes (no databases required).
Authentication
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| Application Registration |
Application registration is available in Konnect Cloud, but doesn't require this plugin. Learn how to Enable Application Registration in Konnect Cloud. |
||||
| Basic Auth | -- | ||||
| HMAC Auth | -- | ||||
| JWT | -- | ||||
| JWT Signer | -- | ||||
| JWE Decrypt | -- | ||||
| Key Auth | The time-to-live (ttl) does not work in Konnect or hybrid mode. This setting determines the length of time a credential remains valid. | ||||
| Key Auth Encrypted | The time-to-live (ttl) does not work in Konnect or hybrid mode. This setting determines the length of time a credential remains valid. | ||||
| LDAP Auth | -- | ||||
| LDAP Auth Advanced | -- | ||||
| Mutual TLS | -- | ||||
| OAuth 2 | This plugin can't be used in Konnect, hybrid, or DB-less modes. It needs to generate and delete tokens, and commit those changes to a database on the same node. | ||||
| OAuth 2 Introspection | -- | ||||
| OpenID Connect | -- | ||||
| SAML | -- | ||||
| Session | -- | ||||
| Vault Auth | -- |
Security
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| Acme | -- | ||||
| Bot Detection | -- | ||||
| CORS | -- | ||||
| IP Restriction | -- | ||||
| OPA | -- | ||||
| TLS Handshake Modifier | -- | ||||
| TLS Metadata Headers | -- |
Traffic Control
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| ACL | -- | ||||
| Canary | -- | ||||
| Forward Proxy | -- | ||||
| GraphQL Proxy Caching Advanced | -- | ||||
| GraphQL Rate Limiting Advanced |
In DB-less and hybrid modes, the cluster config strategy
is not supported. Use redis instead.
|
||||
| Mocking | -- | ||||
| OAS Validation | -- | ||||
| Proxy Caching | -- | ||||
| Proxy Caching Advanced | -- | ||||
| Rate Limiting |
In Konnect, DB-less, and hybrid modes, the cluster config policy
is not supported.
For DB-less mode, use one of redis or local;
for Konnect and hybrid mode, use redis, or local for data
planes only.
|
||||
| Rate Limiting Advanced |
In Konnect, DB-less, and hybrid modes, the cluster config strategy
is not supported.
For DB-less mode, use one of redis or local;
for Konnect and hybrid mode, use redis, or local for data
planes only.
|
||||
| Request Size Limiting | -- | ||||
| Request Termination | -- | ||||
| Request Validator | -- | ||||
| Response Rate Limiting |
In Konnect, DB-less, and hybrid modes, the cluster config policy
is not supported.
For DB-less mode, use one of redis or local;
for Konnect and hybrid mode, use redis, or local for data
planes only.
|
||||
| Route By Header | -- | ||||
| Upstream Timeout | -- | ||||
| WebSocket Size Limit | -- | ||||
| WebSocket Validator | -- | ||||
| XML Threat Protection | -- |
Serverless
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| AWS Lambda | -- | ||||
| Azure Functions | -- | ||||
| Serverless Functions | -- | ||||
| OpenWhisk |
Not bundled with Kong Gateway.
Installed as a LuaRocks package. |
Analytics and Monitoring
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| AppDynamics | -- | ||||
| Datadog | -- | ||||
| OpenTelemetry | -- | ||||
| Prometheus | -- | ||||
| Zipkin | -- |
Transformations
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| Correlation ID | -- | ||||
| DeGraphQL | -- | ||||
| Exit Transformer | -- | ||||
| gRPC Gateway | -- | ||||
| gRPC Web | -- | ||||
| jq | -- | ||||
| Kafka Upstream | -- | ||||
| Request Transformer | -- | ||||
| Request Transformer Advanced | -- | ||||
| Response Transformer | -- | ||||
| Response Transformer Advanced | -- | ||||
| Route Transformer Advanced | -- |
Logging
| Plugin | Traditional | DB-less | Hybrid mode | Konnect | Notes |
|---|---|---|---|---|---|
| File Log | -- | ||||
| HTTP Log | -- | ||||
| Kafka Log | -- | ||||
| Loggly | -- | ||||
| StatsD | -- | ||||
| StatsD Advanced | -- | ||||
| Syslog | -- | ||||
| TCP Log | -- | ||||
| UDP Log | -- |
Deployment
Deployment plugins are not bundled with any version of Kong Gateway or Konnect, and are simply tools to help you deploy Kong Gateway in various environments.
Protocols
Kong Gateway and Konnect plugins are compatible with the following protocols:
Scopes
Plugins can be scoped or global (without scope):
- Scoped plugin: Plugin applied to a specific service, route, or consumer.
- Global plugin: Plugin applies either to your entire environment, or if running Kong Enterprise, your entire workspace.
See the following table for plugins and their compatible scopes: