Plugin Compatibility
Introduction
Each subscription tier gives you access to a subset of plugins:
- Free tier: Open-source Kong plugins
- Plus tier: Open-source and Plus-specific plugins
- Enterprise tier: All Kong plugins
Network configuration options
Konnect can be configured in the following ways:
-
Kong-hosted cloud: Hybrid deployment. Nodes are split into control plane and data plane roles. Kong provides and hosts the control plane and a database with Konnect Cloud, and you provide the data plane nodes (no databases required).
-
Self-managed: Use any hosting service of your choice or host on-premises, with any of the following network configurations:
- Classic: Every node is connected to a database. Refers to a classic deployment on any platform, including Kubernetes.
- DB-less: Deployed without a database (available in Kong Gateway (OSS)
1.1 and Kong Gateway 2.4 onward). Admin API is read-only,
except for the
/configendpoint. Refers to a DB-less deployment on any platform, including Kubernetes. - Hybrid mode: Nodes are split into control plane and data plane roles. The control plane coordinates configuration and propagates it to data plane nodes, so only control plane nodes require a database (available in Kong Gateway (OSS) 2.0 and Kong Gateway 2.1 onward).
For the differences between deployment types when running on Kubernetes, see Kong Gateway for Kubernetes Deployment Options.
Plugin tiers and supported network configurations
Authentication
| Plugin | Free | Plus | Enterprise | Supported network configuration | Notes |
|---|---|---|---|---|---|
| Application Registration | ❌ | ❌ | ✅ | Self-managed classic, DB-less, and hybrid |
Application registration is available in Konnect Cloud, but doesn't require this plugin. Learn how to Enable Application Registration in Konnect Cloud. |
| Basic Auth | ✅ | ✅ | ✅ | All | -- |
| HMAC Auth | ✅ | ✅ | ✅ | All | -- |
| JWT | ✅ | ✅ | ✅ | All | -- |
| JWT Signer | ❌ | ✅ | ✅ | All | -- |
| Key Auth | ✅ | ✅ | ✅ | All | -- |
| Key Auth Encrypted | ❌ | ❌ | ✅ | Self-managed classic, DB-less, and hybrid | The time-to-live (ttl) does not work in hybrid mode. This setting determines the length of time a credential remains valid. |
| LDAP Auth | ✅ | ✅ | ✅ | All | -- |
| LDAP Auth Advanced | ❌ | ✅ | ✅ | All | -- |
| Mutual TLS | ❌ | ✅ | ✅ | All | -- |
| OAuth 2 | ✅ | ❌ | ✅ | Self-managed classic only | This plugin can't be used in hybrid or DB-less modes. It needs to generate and delete tokens, and commit those changes to a database on the same node. |
| OAuth 2 Introspection | ❌ | ✅ | ✅ | All | -- |
| OpenID Connect | ❌ | ✅ | ✅ | All | -- |
| Session | ✅ | ✅ | ✅ | All | -- |
| Vault Auth | ❌ | ❌ | ✅ | Self-managed classic, DB-less, and hybrid | -- |
Security
| Plugin | Free | Plus | Enterprise | Supported network configuration | Notes |
|---|---|---|---|---|---|
| Acme | ✅ | ✅ | ✅ | All | -- |
| Bot Detection | ✅ | ✅ | ✅ | All | -- |
| CORS | ✅ | ✅ | ✅ | All | -- |
| IP Restriction | ✅ | ✅ | ✅ | All | -- |
| OPA | ❌ | ✅ | ✅ | All | -- |
Traffic Control
| Plugin | Free | Plus | Enterprise | Supported network configuration | Notes |
|---|---|---|---|---|---|
| ACL | ✅ | ✅ | ✅ | All | -- |
| Canary | ❌ | ❌ | ✅ | All | -- |
| Forward Proxy | ❌ | ❌ | ✅ | All | -- |
| GraphQL Proxy Caching Advanced | ❌ | ✅ | ✅ | All | -- |
| GraphQL Rate Limiting Advanced | ❌ | ❌ | ✅ | Self-managed classic, DB-less, and hybrid |
In DB-less and hybrid modes, the cluster config strategy
is not supported. Use redis instead.
|
| Proxy Caching | ✅ | ✅ | ✅ | All | -- |
| Proxy Caching Advanced | ❌ | ✅ | ✅ | All | -- |
| Rate Limiting | ✅ | ✅ | ✅ | All |
In DB-less and hybrid modes, the cluster config policy
is not supported.
For DB-less mode, use one of redis or local;
for hybrid mode, use redis, or local for data
planes only.
|
| Rate Limiting Advanced | ❌ | ❌ | ✅ | All |
In DB-less and hybrid modes, the cluster config strategy
is not supported. Use redis instead.
|
| Request Size Limiting | ✅ | ✅ | ✅ | All | -- |
| Request Termination | ✅ | ✅ | ✅ | All | -- |
| Request Validator | ❌ | ✅ | ✅ | All | -- |
| Response Rate Limiting | ✅ | ✅ | ✅ | All |
In DB-less and hybrid modes, the cluster config policy
is not supported.
For DB-less mode, use one of redis or local;
for hybrid mode, use redis, or local for data
planes only.
|
| Route By Header | ❌ | ✅ | ✅ | All | -- |
| Mocking | ❌ | ✅ | ✅ | All | -- |
Serverless
| Plugin | Free | Plus | Enterprise | Supported network configuration | Notes |
|---|---|---|---|---|---|
| AWS Lambda | ✅ | ✅ | ✅ | All | -- |
| Azure Functions | ✅ | ✅ | ✅ | All | -- |
| Serverless Functions | ✅ | ✅ | ✅ | All | -- |
| OpenWhisk | ✅ | ✅ | ✅ | Self-managed classic, DB-less, and hybrid |
Not bundled with Kong Gateway.
Installed as a LuaRocks package. |
Analytics and Monitoring
| Plugin | Free | Plus | Enterprise | Supported network configuration | Notes |
|---|---|---|---|---|---|
| Datadog | ✅ | ✅ | ✅ | All | -- |
| Prometheus | ✅ | ✅ | ✅ | All | -- |
| Zipkin | ✅ | ✅ | ✅ | All | -- |
Transformations
| Plugin | Free | Plus | Enterprise | Supported network configuration | Notes |
|---|---|---|---|---|---|
| Correlation ID | ✅ | ✅ | ✅ | All | -- |
| DeGraphQL | ❌ | ❌ | ✅ | Self-managed classic, DB-less, and hybrid | -- |
| Exit Transformer | ❌ | ✅ | ✅ | All | -- |
| gRPC Gateway | ✅ | ✅ | ✅ | All | -- |
| gRPC Web | ✅ | ✅ | ✅ | All | -- |
| jq | ❌ | ❌ | ✅ | All | -- |
| Kafka Upstream | ❌ | ✅ | ✅ | All | -- |
| Request Transformer | ✅ | ✅ | ✅ | All | -- |
| Request Transformer Advanced | ❌ | ❌ | ✅ | All | -- |
| Response Transformer | ✅ | ✅ | ✅ | All | -- |
| Response Transformer Advanced | ❌ | ❌ | ✅ | All | -- |
| Route Transformer Advanced | ❌ | ❌ | ✅ | All | -- |
Logging
| Plugin | Free | Plus | Enterprise | Supported network configuration | Notes |
|---|---|---|---|---|---|
| File Log | ✅ | ✅ | ✅ | All | -- |
| HTTP Log | ✅ | ✅ | ✅ | All | -- |
| Kafka Log | ❌ | ✅ | ✅ | All | -- |
| Loggly | ✅ | ✅ | ✅ | All | -- |
| StatsD | ✅ | ✅ | ✅ | All | -- |
| StatsD Advanced | ❌ | ✅ | ✅ | All | -- |
| Syslog | ✅ | ✅ | ✅ | All | -- |
| TCP Log | ✅ | ✅ | ✅ | All | -- |
| UDP Log | ✅ | ✅ | ✅ | All | -- |
Deployment
Deployment plugins are not bundled with any version of Konnect, and are simply tools to help you deploy Kong Gateway in various environments.