- Overview
- Enterprise Plugins
- Role-based access control (RBAC)
- Secrets management
- Keyring and data encryption
- Audit logging
- FIPS support
- Workspaces
- Dynamic plugin ordering
- Event hooks
- Consumer groups
- Provisioning new data planes in the event of a control plane outage
- Docker container image signing
- Docker container image build provenance
- More information
Overview
Kong Gateway Enterprise is the scalable, secure, and flexible API management solution that extends Kong Gateway, the fastest, most adopted API gateway. It adds enterprise plugins, advanced security features, GUI’s, and 24/7 support. It is the only solution that helps you accelerate your cloud journey by managing, securing, and monitoring connections between applications across hybrid and multi-cloud architectures, to help you scale faster and boost developer productivity.
Enterprise Plugins
Kong Gateway Enterprise offers access to 400+ out-of-box enterprise and community plugins. It offers exclusive versions of OSS plugins like the Rate Limiting Advanced plugin with added functionality such as the use of consumer groups, and database specific strategy. It also provides Enterprise-exclusive functionality, such as authentication with OpenID Connect, which lets you standardize identity provider (IdP) integrations.
Kong Gateway Enterprise also natively supports gRPC and REST, WebSockets, and integrates with Apollo GraphQL server and Apache Kafka services. These plugins can be leveraged to provide advanced connectivity features and solutions to Kong Gateway such as:
- OpenID Connect (OIDC)
- Event gateways with Kafka
- GraphQL
- Mocking
- Advanced data transformation
- OPA Policy driven traffic management
- API product tiers
Role-based access control (RBAC)
Kong Gateway Enterprise lets you configure users, roles, and permissions with built-in role-based access control (RBAC). With RBAC, you can streamline developer onboarding, and create apply fine-grained security and traffic policies using the Admin API, or Kong Manager.
Secrets management
Kong Gateway Enterprise offers out of the box secrets management with the following backends:
To configure secrets management, Kong Gateway consumes your key for the backend provider, authenticates with the backend provider, and uses the backend to centrally manage and store application secrets, sensitive data, passwords, keys, certifications, tokens, and other items.
Secure your application secrets →
Keyring and data encryption
Keyring and data encryption functionality provides transparent, symmetric encryption of sensitive data fields at rest. When enabled, Kong Gateway encrypts and decrypts data immediately before writing, or immediately after reading, from the database. Responses generated by the Admin API that contain sensitive fields continue to show data as plaintext, and Kong Gateway runtime elements (such as plugins) that require access to sensitive fields do so transparently, without requiring additional configuration.
Kong Gateway allows you to store sensitive data fields, such as consumer secrets, in an encrypted format within the database. This provides encryption-at-rest security controls in a Kong Gateway cluster.
Set up keyring and data encryption →
Audit logging
Kong Gateway provides granular logging of the Admin API. You can keep detailed track of changes made to the cluster configuration throughout its lifetime, for compliance efforts and for providing valuable data points during forensic investigations. Generated audit log trails are workspace and RBAC-aware, providing Kong Gateway operators a deep and wide look into changes happening within the cluster.
Get started with audit logging →
FIPS support
Kong Gateway Enterprise features a self-managed FIPS 140-2 gateway package, making it ideal for highly regulated industries with strict compliance and security considerations. Compliance with this standard is typically required for working with U.S. federal government agencies and their contractors.
Learn more about FIPS support →
Workspaces
Workspaces provide a way to segment or group Kong Gateway entities. Entities in a workspace are isolated from those in other workspaces. Kong Gateway (OSS) is limited to one workspace. With Kong Gateway Enterprise, you can leverage multiple workspaces to allow developers to easily transition between projects, and to separate services and routes belonging to different upstreams.
Dynamic plugin ordering
Dynamic plugin ordering allows you to override the priority for any Kong Gateway plugin using each plugin’s ordering
field. This determines plugin ordering during the access
phase and lets you create dynamic dependencies between plugins.
Get started with dynamic plugin ordering →
Event hooks
Event hooks are outbound calls from Kong Gateway. With event hooks, the Kong Gateway can communicate with target services or resources, letting the target know that an event was triggered. When an event is triggered in the Kong Gateway, it calls a URL with information about that event. Event hooks add a layer of configuration for subscribing to worker events using the admin interface.
In Kong Gateway, these callbacks can be defined using one of the following handlers:
- webhook
- webhook-custom
- log
- lambda
You can configure event hooks through the Admin API.
Learn more about event hooks →
Consumer groups
Consumer groups enable the organization and categorization of consumers (users or applications) within an API ecosystem. By grouping consumers together, you eliminate the need to manage them individually, providing a scalable, efficient approach to managing configurations.
For example, you could use consumer groups to define rate limiting tiers and apply them to subsets of consumers, instead of managing each consumer individually.
Provisioning new data planes in the event of a control plane outage
Starting in version 3.2, Kong Gateway can be configured to support configuring new data planes in the event of a control plane outage. For more information, read the How to Manage New Data Planes during Control Plane Outages documentation, or the Control Plane Outage Management FAQ.
Docker container image signing
Starting with Kong Gateway Enterprise 3.5.0.2, Docker container images are signed, and can be verified using cosign
with signatures published to a Docker Hub repository. Read the Verify signatures for Signed Kong Images documentation to learn more.
Docker container image build provenance
Kong produces build provenance for docker container images, which can be verified using cosign
/ slsa-verifier
with attestations published to a Docker Hub repository. Read the Verify Build Provenance for Signed Kong Images documentation to learn more.
More information
See Plugin Compatibility for more information about Enterprise-only plugins.