Kong Gateway Plugins in Konnect
Plugins let you extend Konnect functionality.
You can choose from any number of bundled plugins
in Konnect, or write your own custom plugins.
You can manage both bundled and custom plugins through the
You can scope a plugin to a specific Kong Gateway entity, or apply it globally
within a control plane:
A scoped plugin applies configuration only to a specific service, route,
consumer, or consumer group.
A global plugin applies to all services, routes, consumers, and consumer
groups in a control plane.
In both cases, plugins are managed within a specific control plane. If you need a plugin to
apply to multiple control planes, configure a plugin instance separately for each one,
or create a control plane group.
Open the Plugins menu from within a control plane to access and manage its list of plugins:
You can also apply your own custom plugins
through the Gateway Manager.
The Konnect control plane only needs a Lua schema file. Using that
schema, it creates a plugin configuration object in Konnect, which you
can access via the Konnect UI or the custom plugins API. This means that Konnect
only sees a custom plugin’s configuration options, and does not see any other data.
To run in Konnect, every custom plugin must meet the following requirements:
- Each custom plugin must have a unique name.
- All plugin files must also be deployed to each Kong Gateway data plane node.
File structure requirements:
- Admin API extensions must not contain an
- Custom plugin database tables must not contain a
- The plugin must not have a
Code and language requirements:
- The schema for your custom plugin must be written in Lua.
- Custom validation functions must be written in Lua and be self-contained within the schema.
schema.lua file must not contain any
- Plugins that require third-party libraries must reference them in the
Application registration plugins
Application registration is built into API Products.
When you enable application registration on an API product version,
Konnect also automatically enables two plugins in read-only mode:
ACL, and either Key Auth or OpenID Connect.
These plugins appear in the service’s plugin list, and you can view their
configurations, but you can’t edit or delete them directly.
Some bundled Kong Gateway plugins are not available in Konnect, or
have configuration requirements specific to Konnect.
Rate limiting plugins default to the
redis strategy, which you must
provide your own Redis server for. You can also use
local to apply rate limiting
per individual data plane node.
A small number of Kong Gateway plugins are not available in Konnect. See the plugin compatibility chart
for the full list, as well as a breakdown of the pricing tiers that each plugin is available in, and for specific Konnect notes for each plugin.
Kong bundled plugins