What's New in Kong Gateway 3.7?
We're thrilled to announce the general availability of Kong Gateway 3.7 and Kong Gateway Enterprise 3.7. Along with enhancements and new features for both OSS and enterprise users, this version comes with the general availability of our edge AI Gateway. This release offers a brand new context propagation module, security features for highly regulated environments, and performance improvements. In addition, the release offers a migration path to use the efficient and user-friendly expressions router.
Let’s explore the enhancements and the tangible benefits these new features bring to your organization.
Accelerate AI adoption with an AI Gateway (OSS + Enterprise)
Our AI Gateway is now production-ready! In Kong Gateway 3.6, we announced Kong AI Gateway as a beta offering in OSS. With Kong AI Gateway, customers regained control over how their employees use AI, with the following capabilities:
- A single API to leverage multiple large language models (LLMs)
- Centralized AI API keys
- Visibility of LLM usage within the organization
- No-code prompt modifications
- Data loss prevention with a powerful AI firewall
With Kong Gateway 3.7, we are promoting the AI Gateway to GA. The AI Gateway enables organizations to secure, scale, and observe all of their AI traffic.
The Kong Gateway 3.7 release includes the following new AI Gateway capabilities and improvements:
- AI Streaming Support
- Advanced AI Token Rate Limiting
- AI Azure Content Safety
- Dynamic URL-sourced LLM model
- Support for Anthropic Claude 2.1 Messages API
- Updated AI analytics format
Full details can be found in the AI Gateway GA blog.
Fine control over propagating tracing headers (OSS + Enterprise)
With context propagation, traces can be used to build information about the system and visualize end-to-end flow across network boundaries. This enables organizations to correlate traces in a distributed system and turn them into actionable insights.
With Kong Gateway 3.7, we released a brand new trace propagation module to link traces between services and enable context propagation.
The new propagation module in Kong Gateway 3.7 allows for flexible handling of trace headers. In addition to allowing extraction and injection of headers, the new module allows for configuring the priority of tracing context extraction. After extractions, headers can be cleared from the request to gain full control of what is propagated upstream.
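To make the three steps concrete (extract in a configured priority order, clear the incoming headers, inject the chosen context upstream), here is an added, self-contained Go example. It is not Kong's propagation module and uses none of its configuration keys; the `Propagate` function, its `extractOrder`/`clear`/`inject` parameters and the lower-cased header map are assumptions made for the illustration. The header formats themselves are the standard W3C `traceparent` and multi-header B3 ones.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// TraceContext is the format-neutral result of extracting a trace header.
type TraceContext struct {
	TraceID string // 32 hex characters
	SpanID  string // 16 hex characters
	Sampled bool
	Format  string // header format the context came from, or "new"
}

// extractW3C parses the W3C traceparent header: version-traceid-spanid-flags.
func extractW3C(h map[string]string) (TraceContext, bool) {
	p := strings.Split(h["traceparent"], "-")
	if len(p) != 4 || p[0] != "00" || len(p[1]) != 32 || len(p[2]) != 16 {
		return TraceContext{}, false
	}
	return TraceContext{TraceID: p[1], SpanID: p[2], Sampled: p[3] == "01", Format: "w3c"}, true
}

// extractB3 parses the multi-header B3 form (X-B3-TraceId, X-B3-SpanId, X-B3-Sampled).
func extractB3(h map[string]string) (TraceContext, bool) {
	tid, sid := h["x-b3-traceid"], h["x-b3-spanid"]
	if len(tid) == 16 { // B3 allows 64-bit trace ids; left-pad them to 128 bits
		tid = strings.Repeat("0", 16) + tid
	}
	if len(tid) != 32 || len(sid) != 16 {
		return TraceContext{}, false
	}
	return TraceContext{TraceID: tid, SpanID: sid, Sampled: h["x-b3-sampled"] == "1", Format: "b3"}, true
}

var extractors = map[string]func(map[string]string) (TraceContext, bool){
	"w3c": extractW3C,
	"b3":  extractB3,
}

// headersOf lists the request headers each format owns, so a format can be cleared as a unit.
var headersOf = map[string][]string{
	"w3c": {"traceparent", "tracestate"},
	"b3":  {"x-b3-traceid", "x-b3-spanid", "x-b3-parentspanid", "x-b3-sampled", "b3"},
}

// Propagate (hypothetical API) extracts in the configured priority order (first hit wins),
// clears the listed formats from the request, then injects the chosen context in the
// requested formats with a fresh child span id. Header keys are expected lower-cased.
func Propagate(h map[string]string, extractOrder, clear, inject []string) TraceContext {
	ctx, found := TraceContext{}, false
	for _, name := range extractOrder {
		if ex, ok := extractors[name]; ok {
			if ctx, found = ex(h); found {
				break
			}
		}
	}
	if !found { // no usable incoming context: start a new trace at the gateway
		ctx = TraceContext{TraceID: randomHex(16), SpanID: randomHex(8), Sampled: true, Format: "new"}
	}
	for _, name := range clear { // nothing the client sent leaks upstream unless re-injected
		for _, k := range headersOf[name] {
			delete(h, k)
		}
	}
	child := randomHex(8) // the gateway span becomes the parent of the upstream span
	for _, name := range inject {
		switch name {
		case "w3c":
			flags := "00"
			if ctx.Sampled {
				flags = "01"
			}
			h["traceparent"] = fmt.Sprintf("00-%s-%s-%s", ctx.TraceID, child, flags)
		case "b3":
			h["x-b3-traceid"], h["x-b3-spanid"], h["x-b3-parentspanid"] = ctx.TraceID, child, ctx.SpanID
			h["x-b3-sampled"] = "0"
			if ctx.Sampled {
				h["x-b3-sampled"] = "1"
			}
		}
	}
	return ctx
}

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b)
	return hex.EncodeToString(b)
}
```

The clearing step is what gives control over what leaves the gateway: a request that arrives with both `traceparent` and B3 headers is reduced to exactly the formats in `inject`, and the extraction priority decides which of two conflicting incoming contexts wins.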
Efficiency gains and migration path with flexible expressions router (OSS + Enterprise)
Support for Expressions and JSON-based route definitions: In Kong Gateway Enterprise 3.0, we shipped a brand new Rust-based router that supported a DSL-based configuration language called Expressions. The router was optimized to short-circuit expensive checks (such as regular expression matching) and gave control over the order in which checks run. This led to a large performance improvement.
Here is an example of the order of processing a route defined in expressions format:
While the new expression-based router has been a resounding success, migration from the legacy JSON-based configuration was not straightforward. The biggest pain point was that Kong Gateway could only process JSON or Expressions, and the risk of a cut-over with such a critical piece of configuration made everyone uneasy.
Today, we’re excited to announce a new migration path that allows customers to run both the legacy JSON-based routing as well as the new expression router in tandem.
With 3.7, Kong Gateway provides the ability to configure both JSON and Expression routes in a single control plane. This allows your teams to gradually migrate the routes over to the Expression language based on your business needs.
Investing in learning the Expressions format can lead to great performance improvements.
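The two ideas in this section, evaluating cheap checks before expensive ones and letting legacy list-style routes coexist with expression-style routes in one matcher, can be shown in a few dozen lines. The following is an added Go illustration written for this post; it is not Kong's Rust router, does not parse the Expressions DSL, and the predicate constructors, cost numbers and `Select` function are made up for the example.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// Request carries the attributes the matcher inspects.
type Request struct{ Method, Host, Path string }

// Predicate is one check with a relative cost. A route's predicates are evaluated
// cheapest first, so a regular expression only runs once the cheap checks have passed.
type Predicate struct {
	Name string
	Cost int
	Test func(Request) bool
}

// Route is a conjunction of predicates plus a priority used to pick among several matches.
type Route struct {
	Name       string
	Priority   int
	Predicates []Predicate
}

// NewRoute sorts the predicates by cost once, at configuration time.
func NewRoute(name string, priority int, preds ...Predicate) Route {
	sort.SliceStable(preds, func(i, j int) bool { return preds[i].Cost < preds[j].Cost })
	return Route{Name: name, Priority: priority, Predicates: preds}
}

// Matches short-circuits on the first failing predicate and reports how many were
// evaluated, which makes the effect of the ordering visible.
func (r Route) Matches(req Request) (matched bool, evaluated int) {
	for i, p := range r.Predicates {
		if !p.Test(req) {
			return false, i + 1
		}
	}
	return true, len(r.Predicates)
}

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// Exact matches are cheap (cost 1), prefix checks a little more (2), regexes expensive (10).
func MethodIn(ms ...string) Predicate {
	return Predicate{"method", 1, func(r Request) bool { return contains(ms, r.Method) }}
}
func HostIn(hs ...string) Predicate {
	return Predicate{"host", 1, func(r Request) bool { return contains(hs, r.Host) }}
}
func PathPrefix(ps ...string) Predicate {
	return Predicate{"path-prefix", 2, func(r Request) bool {
		for _, p := range ps {
			if strings.HasPrefix(r.Path, p) {
				return true
			}
		}
		return false
	}}
}
func PathRegex(expr string) Predicate {
	re := regexp.MustCompile(expr)
	return Predicate{"path-regex", 10, func(r Request) bool { return re.MatchString(r.Path) }}
}

// LegacyRoute mirrors a JSON-style route: lists of hosts, methods and path prefixes that
// must all match. FromLegacy compiles it into the same predicate form, which is what lets
// legacy and expression-style routes be evaluated by one matcher during a migration.
type LegacyRoute struct {
	Name                  string
	Hosts, Methods, Paths []string
}

func FromLegacy(l LegacyRoute, priority int) Route {
	var preds []Predicate
	if len(l.Methods) > 0 {
		preds = append(preds, MethodIn(l.Methods...))
	}
	if len(l.Hosts) > 0 {
		preds = append(preds, HostIn(l.Hosts...))
	}
	if len(l.Paths) > 0 {
		preds = append(preds, PathPrefix(l.Paths...))
	}
	return NewRoute(l.Name, priority, preds...)
}

// Select returns the name of the highest-priority matching route, or "" if none matches.
func Select(routes []Route, req Request) string {
	best, bestPrio := "", -1
	for _, r := range routes {
		if ok, _ := r.Matches(req); ok && r.Priority > bestPrio {
			best, bestPrio = r.Name, r.Priority
		}
	}
	return best
}
```

With a route built as `NewRoute("users-by-id", 10, PathRegex("^/users/[0-9]+$"), MethodIn("GET"))`, a `POST` is rejected after a single string comparison and the regex never runs; that is the short-circuiting the text refers to, and the `evaluated` counter lets you measure it.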
Performance improvement (OSS + Enterprise)
With improvements to Kong’s cache key generation algorithm, Kong Gateway 3.7 gained a 7% improvement in throughput over previous versions. Details can be found in this blog.
Improve security and privacy with request objects (Enterprise)
Elevated security with request objects: To safeguard against authorization request attacks, OAuth and OIDC flows can now be standardized on the JWT-secured authorization framework, in which both requests and responses are encoded as JWTs.
In 3.5, we introduced support for Pushed Authorization Requests (PAR) in Kong's OIDC plugin, which secured the authorization initiation/request flow. With Kong Gateway Enterprise 3.7, we enhance that with the ability to use request objects (JWTs) in the authorization request flow, and we extend support to the JWT response mode.
- JWT Secured Authorization Requests (JAR) — Authorization requests are traditionally sent using URL query string parameters. This presents a security risk where the requests could be intercepted and manipulated in a man-in-the-middle scenario. To safeguard against such authorization request attacks, Kong Gateway Enterprise 3.7 introduces the ability to encode request parameters into a JWT. With this ability, the authorization servers can verify the authenticity of the request originating from Kong, as well as verify the integrity of the request. In addition, the request can remain confidential in transit.
- JWT Secured Authorization Response Mode (JARM) — In addition to securing the authorization requests with JAR, we extend support for securing authorization responses with JARM. Kong can instruct the authorization servers to respond to authorization requests using JWTs, thus mitigating the risk of response manipulation in the middle.
Together with PAR, JAR, and JARM, Kong Gateway Enterprise 3.7 offers powerful security and privacy measures to secure APIs in highly regulated environments.
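To show what "authenticity and integrity of the request" and "response manipulation" mean in practice, here is an added Go example of both halves of the exchange: the client builds a JAR request object and the authorization server verifies it, then the server issues a JARM response and the client verifies that. This is example code written for this post, not Kong's OIDC plugin. It signs with a shared client secret (HS256) only to stay dependency-free; real JAR deployments sign with the client's registered asymmetric key. The `https://as.example` issuer, the client identifiers and every function name are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

const asIssuer = "https://as.example" // constructed authorization server identifier

var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWS over the claims with a shared secret (example only).
func signHS256(claims map[string]any, secret []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 checks the MAC in constant time before any claim is trusted.
func verifyHS256(token string, secret []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	claims := map[string]any{}
	err = json.Unmarshal(body, &claims)
	return claims, err
}

// expired reads the exp claim; JSON numbers decode as float64.
func expired(c map[string]any, now time.Time) bool { exp, _ := c["exp"].(float64); return now.Unix() > int64(exp) }

// BuildJARRequest produces the authorization URL. Only client_id travels as a bare query
// parameter; every other parameter is carried inside the signed request object.
func BuildJARRequest(authorizeURL, clientID, redirectURI, scope, state string, secret []byte, now time.Time) (string, error) {
	ro, err := signHS256(map[string]any{
		"iss": clientID, "aud": asIssuer, "client_id": clientID,
		"response_type": "code", "response_mode": "jwt", // response_mode=jwt asks for a JARM response
		"redirect_uri": redirectURI, "scope": scope, "state": state,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	}, secret)
	if err != nil {
		return "", err
	}
	q := url.Values{"client_id": {clientID}, "request": {ro}}
	return authorizeURL + "?" + q.Encode(), nil
}

// ASVerifyRequest is the authorization server's check: valid signature, addressed to
// this server, not expired, and the bare client_id agrees with the signed one.
func ASVerifyRequest(authzURL string, secret []byte, now time.Time) (map[string]any, error) {
	u, err := url.Parse(authzURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	claims, err := verifyHS256(q.Get("request"), secret)
	if err != nil {
		return nil, err
	}
	if claims["aud"] != asIssuer || claims["client_id"] != q.Get("client_id") || expired(claims, now) {
		return nil, errors.New("request object rejected")
	}
	return claims, nil
}

// ASIssueJARM wraps the authorization response (code + state) in a JWT addressed to the client.
func ASIssueJARM(req map[string]any, code string, secret []byte, now time.Time) (string, error) {
	return signHS256(map[string]any{
		"iss": asIssuer, "aud": req["client_id"], "state": req["state"], "code": code,
		"exp": now.Add(time.Minute).Unix(),
	}, secret)
}

// ClientVerifyJARM releases the code only from a response that verifies, is for this
// client, is unexpired and carries the state the client originally sent.
func ClientVerifyJARM(response, clientID, state string, secret []byte, now time.Time) (string, error) {
	claims, err := verifyHS256(response, secret)
	if err != nil {
		return "", err
	}
	if claims["iss"] != asIssuer || claims["aud"] != clientID || claims["state"] != state || expired(claims, now) {
		return "", errors.New("authorization response rejected")
	}
	code, _ := claims["code"].(string)
	return code, nil
}
```

The point of the query-string comparison in `ASVerifyRequest` is that the bare `client_id` is the one parameter still outside the JWT, so it must agree with the signed copy; on the response side, `state` and `aud` inside the signed JARM payload are what stop a code from being swapped or replayed against a different client.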
Prevent unauthorized use of access tokens (Enterprise)
OAuth 2.0 Demonstrating Proof-of-Possession (DPoP): Demonstrating Proof of Possession (DPoP) is an application-level mechanism for sender-constraining OAuth access and refresh tokens. Sender-constrained access tokens are a suitable implementation for any environment with high security requirements, such as finance, e-gov, and e-health. The solution forces the sender to prove they are the rightful owner of the token. This added layer of security mitigates the risk of token misuse, since a token can't be used without proof of possession.
In Kong Gateway Enterprise 3.5, we introduced Mutual TLS Sender-constrained tokens. Now, we're supporting OAuth 2.0 DPoP at the application layer, leveraging asymmetric cryptography and JSON Web Tokens.
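What "proof of possession at the application layer with asymmetric cryptography and JWTs" looks like on the wire is a DPoP proof: a short JWT signed by the client's private key, carried alongside the access token, which the resource server (or the gateway in front of it) checks against the key thumbprint bound into the token. The Go code below is an added example written for this post, not Kong's implementation; it builds the proof on the client side and performs the verification on the resource-server side. The `cnf.jkt` thumbprint is assumed to have been placed in the token by the authorization server; the `Verifier`, `NewProof` and `NewClientKey` names, the request URI and the token values are constructed for the illustration, and the server nonce feature of DPoP is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWK is the client's public key as carried in the DPoP proof header. Field order is the
// lexicographic member order RFC 7638 requires for the thumbprint input.
type JWK struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func pad32(n *big.Int) []byte { b := make([]byte, 32); n.FillBytes(b); return b }

// NewClientKey generates the P-256 key pair the client holds; only the public half leaves it.
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func PublicJWK(pub *ecdsa.PublicKey) JWK {
	return JWK{Crv: "P-256", Kty: "EC", X: b64.EncodeToString(pad32(pub.X)), Y: b64.EncodeToString(pad32(pub.Y))}
}

// Thumbprint is the RFC 7638 JWK thumbprint. The authorization server puts it in the
// access token's cnf.jkt claim, which is what ties the token to this key.
func Thumbprint(k JWK) string {
	canon, _ := json.Marshal(k) // compact JSON, members already in crv,kty,x,y order
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}

// NewProof signs a DPoP proof for one specific HTTP request and access token.
func NewProof(priv *ecdsa.PrivateKey, method, uri, accessToken, jti string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": PublicJWK(&priv.PublicKey)})
	ath := sha256.Sum256([]byte(accessToken))
	body, _ := json.Marshal(map[string]any{"jti": jti, "htm": method, "htu": uri, "iat": now.Unix(), "ath": b64.EncodeToString(ath[:])})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...)), nil
}

// Verifier is the resource-server (or gateway) side; seen is the jti replay cache.
type Verifier struct{ seen map[string]bool }

func NewVerifier() *Verifier { return &Verifier{seen: map[string]bool{}} }

// Verify accepts a proof only if it was signed by the key bound into the token (cnf.jkt),
// covers exactly this request and token, is fresh, and has not been presented before.
func (v *Verifier) Verify(proof, method, uri, accessToken, tokenJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	hdrB, err1 := b64.DecodeString(parts[0])
	bodyB, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return errors.New("bad encoding")
	}
	var hdr struct {
		Typ string `json:"typ"`
		Alg string `json:"alg"`
		Jwk JWK    `json:"jwk"`
	}
	if err := json.Unmarshal(hdrB, &hdr); err != nil {
		return err
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return errors.New("unexpected proof header")
	}
	if Thumbprint(hdr.Jwk) != tokenJKT { // the proof key must be the key the token was bound to
		return errors.New("proof key does not match token cnf.jkt")
	}
	xb, _ := b64.DecodeString(hdr.Jwk.X)
	yb, _ := b64.DecodeString(hdr.Jwk.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad proof signature")
	}
	var c struct {
		Jti string `json:"jti"`
		Htm string `json:"htm"`
		Htu string `json:"htu"`
		Ath string `json:"ath"`
		Iat int64  `json:"iat"`
	}
	if err := json.Unmarshal(bodyB, &c); err != nil {
		return err
	}
	ath := sha256.Sum256([]byte(accessToken))
	if c.Htm != method || c.Htu != uri || c.Ath != b64.EncodeToString(ath[:]) {
		return errors.New("proof is for a different request or token")
	}
	if d := now.Unix() - c.Iat; d < -30 || d > 300 { // tolerate small skew, short lifetime
		return errors.New("proof outside acceptance window")
	}
	if v.seen[c.Jti] {
		return errors.New("replayed proof")
	}
	v.seen[c.Jti] = true
	return nil
}
```

The checks are ordered so that the cheapest and most decisive one, the thumbprint comparison against `cnf.jkt`, runs before the signature is verified; a leaked access token presented without the matching private key fails there, and a captured proof fails later on method, URI, token hash, age or `jti` reuse.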
Next steps
Kong Gateway Enterprise 3.7 is more than just an update: it's a strategic enhancement to your enterprise's security, efficiency, and compliance posture. We're excited for you to experience these benefits firsthand and look forward to your feedback as we continue to innovate and lead in the API management space.
Begin your journey with Kong by signing up for Kong Konnect for free!
If you’re interested in Kong Gateway Enterprise 3.7 you can download it for free here. Check out the docs for more info. To explore the comprehensive list of features, fixes, and updates, please see the available CHANGELOG for Kong Gateway Enterprise here and Kong Gateway OSS here.