All Gateway Documentation

This page is an introduction to Kong Gateway.

Extend Kong Gateway and Kong Konnect with powerful plugins and easy integrations.

This page is an introduction to the Kong Gateway Admin API.

This page lists the different entities that make up Kong Gateway.

The Kong Gateway configuration file kong.conf can be used to configure individual properties of your Kong Gateway instance.

Changelog for supported Kong Gateway Enterprise versions.

Review Kong Gateway version breaking changes before upgrading.

The Kong Gateway version support policy outlines the Kong Gateway versioning scheme and version lifecycle, from release to sunset support.

This reference lists all of the tested and supported versions of Kong Gateway's third-party dependencies.

Learn how Kong handles vulnerabilities or potential vulnerabilities in Kong Gateway or third-party code, and how to report any security issues.

Learn how to set up a local Kong Gateway installation and configure it for some common API management tasks.

Kong Gateway installation options.

Create a Control Plane in Konnect, then deploy a Data Plane to your Kubernetes cluster using Helm.

Use Docker Compose to install Kong Gateway

Kong offers a quickstart script that launches a local instance of Kong Gateway for testing.

Gateway Services represent the upstream services in your system. These applications are the business logic components of your system responsible for responding to requests.

A Route uses specific URL patterns and HTTP verbs to match incoming requests and pass them to a Gateway Service. This determines which upstream services will process a given request.

A Consumer typically refers to an entity that consumes or uses the APIs managed by Kong Gateway.

Plugins are modules that extend the functionality of Kong Gateway.

An Upstream enables load balancing by providing a virtual hostname and collection of Targets (upstream service instances).

A Target identifies an instance of an upstream service using an IP address or hostname with a port.

This page is an introduction to rate limiting with Kong Gateway.

Learn how to load balancing traffic with Kong Gateway

Learn how Kong Gateway listens for, routes, and proxies traffic.

Learn how Control Planes communicate with Data Planes and how you can secure them.

This page lists the different modes that you can deploy Kong Gateway in.

Hybrid mode is a deployment model that splits all Kong Gateway nodes in a cluster into Control Planes and Data Plane nodes.

Explains how Kong Gateway clustering and caching works in traditional mode.

Explains how Kong Gateway can be run without a database using only in-memory storage for entities.

This page lists the different Data Plane hosting options for different Kong Gateway deployment topologies.

Decide which Data Plane node strategy to use based on your use case.

Lightweight API gateways, where the Control Plane is hosted by Konnect and Data Plane nodes are automatically provisioned.

Learn how Dedicated Cloud Gateways work and how to configure them.

Host your own Data Plane nodes on the supported system of your choice.

Create a serverless Control Plane and hosted Data Plane.

Konnect integrates domain name management and configuration with serverless gateways.

Frequently asked questions about serverless gateways.

Use the Konnect Cloud Gateways API to provision a Control Plane.

Stream custom plugins from the Control Plane to the Data Plane.

Supported geos for Dedicated Cloud Gateways.

Upgrade Data Plane nodes in a Dedicated Cloud Gateway.

Konnect API for managing Dedicated Cloud Gateways infrastructure.

Create a private connection between your AWS environment and Konnect using AWS PrivateLink.

Connect Konnect Dedicated Cloud Gateways to AWS Transit Gateway for private, secure connectivity.

Konnect can leverage Azure to create virtual networks, and ingest data from your Azure services and expose them to the internet via Konnect.

Dedicated Cloud Gateways are Data Plane nodes that are fully managed by Kong in Konnect.

A License entity allows you manage self-managed Kong Gateway Enterprise licenses.

Kong Gateway installation options.

Review Kong's recommended resource allocation sizing guidelines for Kong Gateway based on configuration and traffic patterns.

Kong provides a software bill of materials (SBOM) for every minor release, starting with 3.3.0.0.

Introduces ways you can secure Kong Gateway

Learn how to secure the Admin API.

This reference explains DNS clients, CORS, and cookie management in Kong Gateway.

Learn which ports Kong Gateway uses and how to configure them.

Configure Data Plane resilience in case of a Control Plane outage.

Use incremental configuration sync to send only the changed entity configuration to Data Plane nodes instead of sending the entire configuration set.

This guide walks you through upgrade paths for Kong Gateway and helps you prepare for an upgrade.

Learn how to back up and restore your Kong Gateway data.

Learn how to perform a blue-green upgrade for Kong Gateway.

Learn how to perform a dual-cluster upgrade for Kong Gateway.

Learn how to perform a in-place upgrade for Kong Gateway.

Learn how to perform a rolling upgrade for Kong Gateway.

This guide walks you through upgrade paths for Kong Gateway 2.8 LTS to 3.4 LTS and helps you prepare for an upgrade.

Learn how to migrate from self-managed Kong Gateway to Konnect.

Learn about storing, using, and rotating secrets with Kong Gateway.

Vaults allow you to securely store and then reference secrets from within other entities, ensuring that secrets aren't visible in plaintext throughout the platform.

Learn how to set up AWS Secrets Manager as a Vault in Kong Gateway and reference a secret stored there.

Learn how to store a secret in Google Cloud Secret Manager, configure GCP as a Vault entity, and reference the stored secret in Kong Gateway.

Learn how to reference HashiCorp Vault secrets from Kong Gateway.

Learn how to use the Konnect Config Store vault.

Learn how to set up Konnect Config Store as a Vault backend and store a Mistral API key.

Learn how to store and rotate secrets in Google Cloud with Kong Gateway, Mistral, and the AI Proxy plugin.

Learn how to store Keyring data in a HashiCorp Vault.

Learn how to store your Kong Gateway PostgreSQL credentials in AWS Secrets Manager.

A Keyring is a mechanism that encrypts sensitive data fields, such as consumer secrets, before storing them in the database. This provides for encryption-at-rest security controls in a Kong Gateway cluster.

A Key object holds a representation of asymmetric keys in various formats.

A Key Set is a collection of Kong Gateway Keys.

Kong Gateway audit logs provide details about HTTP requests handled by the Admin API, as well as database changes.

Set up an OPA policy in Kong Gateway to block unauthorized requests.

Create a JSON Web Key and add it to a Key Set using the /key-sets API endpoint.

Create a PEM Key and add it to a Key Set using the /key-sets API endpoint.

Enable Keyring encryption in Kong Gateway to encrypt sensitive data in Gateway and plugin configuration.

Enable the IP Restriction plugin to instruct Kong Gateway to only accept requests from specific IP addresses.

Use a key pair to sign audit logs in Kong Gateway.

Use ngrok and the ACME plugin to test certificate generation locally.

Use the AI Sanitizer plugin to protect sensitive information in requests.

Restrict access to your resources based on Consumer Groups with the ACL plugins.

Use the JSON Threat Protection plugin to enforce a JSON threat protection policy.

Learn how Kong Gateway listens for, routes, and proxies traffic.

A Route uses specific URL patterns and HTTP verbs to match incoming requests and pass them to a Gateway Service. This determines which upstream services will process a given request.

The expressions router is a collection of Routes that are all evaluated against incoming requests until a match can be found.

The traditional router is a collection of Routes that are all evaluated against incoming requests until a match can be found.

You can set up blue-green deployments for Kong Gateway using Upstreams and Targets, and switching the Gateway Service to point to one Upstream or the other.

Use health check probes to monitor availability.

Kong Gateway supports two kinds of health checks, which can be used separately or in conjunction: active and passive (also known as circuit breakers).

Learn how to load balance requests to upstream services with Kong Gateway

Proxying is when Kong Gateway matches an HTTP request with a registered Route and forwards the request.

Learn how to configure a fallback Route to redirect 404s to a specific upstream service.

Use the Pre-Function plugin to detect headers in a request, and either let the request through or terminate it.

Use the Route by Header plugin to route requests based on a header value.

Restrict access to your resources based on Consumer Groups with the ACL plugins.

Gateway plugins for controlling traffic

This page is an introduction to rate limiting with Kong Gateway.

This page describes the rate limiting strategies supported by Kong Gateway plugins.

This page describes the rate limiting window types supported by Kong Gateway plugins.

Change the names of headers sent in a request using the Post-Function plugin.

Learn how to configure the Rate Limiting Advanced plugin to apply multiple rate limits and window sizes.

Enforce customized rate limiting tiers by setting individual rate limits for different groups of Consumers.

Learn how to rate limit a Consumer with the Rate Limiting and Key Authentication plugins.

Learn how to configure rate limiting for a Gateway Service.

Using the Pre-function and the Rate Limiting Advanced plugins, set the rate limit based on peak or non-peak time.

Use the Rate Limiting and Service Protection plugins to set different rate limits for Services and Consumers.

A Certificate object represents a public certificate, and can be optionally paired with the corresponding private key.

A CA Certificate object represents a trusted certificate authority. These objects are used by Kong Gateway to verify the validity of a client or server certificate.

An SNI object represents a many-to-one mapping of hostnames to a certificate.

How to define SSL Certificates and where you can use them.

An introduction to authentication with Kong Gateway.

Learn about using OpenID Connect with Kong Gateway.

Learn how to allow different clients to access an upstream service with different authentication types, and forbid access to any unauthenticated clients.

Use the Basic Authentication plugin to allow Consumers to authenticate with a username and password.

Learn how to authenticate Consumers with a signed JWT credential.

Authenticate Consumers with key authentication and session cookies.

Set up OpenID Connect to verify tokens issued by Kong OAuth 2.0 plugin against an IdP.

Use the Vault Authentication plugin to secure access to your Kong Gateway resources.

Secure a Gateway Service with the Key Auth Encrypted plugin.

Enable the Key Authentication plugin on a Gateway Service to require Consumers to authenticate with an API key.

Create an OAuth 2.0 Client Credentials flow for a WebSocket Gateway Service.

Create an OAuth 2.0 Client Credentials flow for a Gateway Service.

Workspaces provide a way to segment Kong Gateway entities. Entities in a Workspace are isolated from those in other Workspaces.

RBAC manages Kong Gateway roles and permissions for Kong Manager and the Admin API.

Admins can manage Kong Gateway entities inside Workspaces, including users and their roles.

Groups are a resource for RBAC and can be used to assign Roles across sets of users.

Learn how to create a Kong Gateway RBAC user and configure it with roles and permissions.

Configure the OpenID Connect and ACL plugins together to apply auth flows to ACL allow or deny lists.

Configure the OpenID Connect plugin for claims-based authorization.

Configure the OpenID Connect plugin together with Consumers to map Consumers to IdP users.

Learn how to create a Super Admin for Kong Gateway.

Learn how to enable Role-Based Access Control for Kong Gateway using the Admin API.

Use Dynatrace SaaS to send analytics and monitoring data to Dynatrace dashboards.

Use the OpenTelemetry plugin to send Kong Gateway analytics and monitoring data to Jaeger dashboards.

Gateway plugins for monitoring your deployments.

This page is an introduction to custom plugins for Kong.

Create a simple custom plugin project for Kong Gateway.

Set up a testing environment for your custom plugin.

Add features to your custom plugin.

Consume data from external services in your custom plugin using an HTTP client and parsing JSON values.

Deploy your custom plugin to Kong Gateway.

Learn about how to develop custom plugins for Kong Gateway.

Kong Manager is the graphical user interface (GUI) for Kong Gateway.

Strengthen security in Kong Manager by setting a Content Security Policy (CSP).

Kong Manager is the graphical user interface (GUI) for Kong Gateway.

Learn about managing Control Planes and Data Plane nodes with Gateway Manager.

A Control Plane Group is a read-only Control Plane that combines configuration from its members, which are standard Control Planes.

Manage Data Plane nodes in Konnect, including platform support, proxy access, version upgrades, certificate renewal, required parameters, and custom metadata labels.

In Gateway Manager, every Konnect Control Plane has a default resource limit per Gateway entity.

Running multiple versions of Data Plane nodes with a single Control Plane can cause version compatibility issues.

Review logs for Data Plane activity in Konnect.

Learn about labels in Konnect

Reference for Kong Gateway configuration parameters. Set these parameters in kong.conf.

The Kong CLI allows you to start, stop, and manage your Kong instances.

Reserved and unusable Kong Gateway entity names.

Tags are strings associated with entities in Kong Gateway, which you can use to filter entities on most GET endpoints.

View Kong's benchmark for the current Kong Gateway version and learn about Kong Gateway performance testing using Kong's test suite.

Establish a benchmark for your Kong Gateway instance.

Review recommendations for improving Kong Gateway performance

See where Kong Gateway logs are located, the different log levels, and how to configure logs and log levels.

Consumer Groups let you apply common configurations to groups of Consumers, such as rate limiting policies or request and response transformation.

Event Hooks allow Kong Gateway monitor to communicate with target services or resources, notifying the target resource that an event was triggered.

Partials allow you to extract shared configurations into reusable entities that can be linked to multiple plugins

Restart the Kong Gateway container without killing it.

Learn which Nginx directives you can use in the `kong.conf` file and how to adjust them.