Announcing Kong Gateway 3.8

Kong Gateway 3.8 Hits Major Milestone for Enhanced Performance, Accelerated AI Adoption, Comprehensive Security, Extensibility, and Ease of Use

We're excited to announce the release of Kong Gateway 3.8, a significant update that marks a major milestone in the evolution of our API management platform. This release is packed with enhancements designed to boost performance, fortify security, and provide greater flexibility and ease of use for our customers.

The big takeaway

Kong Gateway 3.8 delivers dramatically faster configuration processing, offering a more efficient way to manage your APIs. This version also introduces a greater choice of access controls to secure connections to and from the gateway, granular visibility into API performance through enhanced observability tools, and a single source of configuration and cache information that reduces the cost of ownership. 

Additionally, the AI Gateway has received major new updates, including the introduction of new semantic intelligence to accelerate GenAI performance, lower computational overhead, and improve LLM security. 

Incremental Configuration Sync (Tech Preview)

Prior to Kong Gateway 3.8, when customers sent configuration updates from their control planes to the data planes, they would transmit the entire configuration payload — regardless of the size or scope of the change. For example, if a customer had 10,000 routes, 3,000 services, and 50,000 consumers, a change to a single route would trigger the control plane to resend all routes, services, and consumers to the data plane.

This process forced the data plane to reload the entire configuration into memory and process it, consuming memory and CPU resources. The result was slower configuration processing, higher resource contention, and a suboptimal experience for API users.

Incremental Config Sync is our answer to efficient configuration updates. This feature is coming soon as a tech preview which will be available to everyone in a separate image for testing while we continue to work on making it generally available. Now, when a customer makes a change — such as updating a single route — only the relevant change is sent from the control plane to the data plane. This results in significantly less data being transmitted, reduced memory and CPU usage, and much faster propagation of configuration changes. The overall impact is a more responsive and efficient API management experience. Stay tuned for more updates on the availability of the tech preview image.

Figure 1: Reduced latency driven by Incremental Configuration Update in Kong Gateway 3.8

Enhanced security and flexibility

APIs are part of the critical IT infrastructure for any company as they form the central nervous system of how organizations operate. APIs are also one of the most vulnerable endpoints for attackers to target. Security is a critical focus of Kong Gateway 3.8, and this release offers even more robust protection for your APIs. 

We're very excited to announce the availability of our JSON Threat Protection plugin that enables administrators to enforce strict content inspection policies. This plugin allows you to define limits for various JSON elements, such as arrays, objects, and strings, ensuring that incoming payloads conform to your security policies. Users can easily configure policies around what the general "shape" of a JSON object is allowed to be. For instance, a common attack vector is to send an extremely large array of objects encoded in JSON. With the new plugin, we make it trivial to stop traffic that exceeds a particular length in the gateway. Non-conforming requests are automatically rejected, protecting your APIs from potential threats.

Figure 2: JSON Threat Protection plugin

With the upstream-oauth plugin, Kong Gateway 3.8 provides the ability to safely consume an external API. The plugin supports OAuth flow between Kong and an external service allowing Kong to authenticate and consume an OAuth-protected API. 

To support various deployment patterns and continue limiting access to APIs with strong certificate-based consumer authentication, Kong Gateway 3.8 offers the header-cert-auth plugin. This plugin offers mutual certificate-based authentication (MTLS) when TLS is terminated at a web application firewall (WAF) or load balancer (LB). It verifies the MTLS certificate passed in the header by WAF or LB and authenticates the API consumer. The plugin supports a couple of common encodings (base64-encoded, url-encoded) for header-based certificates and can be limited to accept certificates from trusted sources only. 

Granular visibility with OpenTelemetry support

Observability plays a critical role in issue detection and resolution. Three key datasets are typically used to aid in tracking how well systems and APIs are performing: logging, tracing (spans) and metrics. 

• Logging, perhaps the most simple, is a set of loglines that correspond to a particular HTTP request. These typically give some information on what occurred whilst processing the request and any possible error messages. 
• Traces is where it starts to become interesting: a detailed breakdown of how long each processing step took inside a system. For Gateway, this would include the duration of each plugin execution as well as how long it took to connect to an upstream. 
• Metrics periodically give an overview of overall performance — for example, how many requests were handled, error rates, and overall latency. 

These datasets are integral for organizations to keep track of how their APIs are running. However, observability platforms such as Datadog, AppDynamics, Dynatrace, or Grafana each offer their own ways of ingesting data and their own agents to collect this data. 

Kong Gateway 3.8 brings full support for OpenTelemetry, the industry standard for observability. With this update, you can now collect and export comprehensive telemetry data, including logs, metrics, and traces. This enhanced observability allows developers and DevOps teams to gain deeper insights into API performance, enabling more effective monitoring, troubleshooting, and optimization.

In Kong Gateway 3.8, we offer a completely rewritten plugin that delivers higher performance and includes support for logging and metrics. The new OpenTelemetry plugin has been tested against major platforms such as Datadog, Honeycomb, and Appdynamics. Configuring and enabling is just one single click from either your control plane or Konnect.

New Kong Konnect functionality

In addition to the above-mentioned enhancements to the Kong Gateway, we're also delivering new functionality on the Kong Konnect front. These include:

Seamless configuration of Konnect service consumers (Tech Preview)

We're excited to announce a significant enhancement to Kong Konnect with Konnect Consumers, now in tech preview and available as a separate Gateway image. This new feature improves how you manage service consumers by allowing you to configure them once and apply the configuration across multiple control planes in Konnect. No more duplicative efforts or configuration conflicts — Consumers streamlines your workflow, enhancing productivity, centralizing security, and making consumer management easier and more efficient. 

Consumers marks a significant shift in how consumer entities are handled within the Konnect platform. Traditionally, service consumers were tied to individual control planes, requiring developers to replicate configurations across different environments. This inadvertently led to inefficiencies and potential conflicts. With Consumers, we’ve reimagined this approach by elevating the consumer entity to a top-level status, making it accessible across all control planes within its defined regions in Konnect. This is achieved by storing consumer data centrally in an external database, ensuring that it adheres to strict data residency requirements.

Technically, this means that your dataplanes can retrieve consumer information in real-time, and then cache it locally for optimal performance. This reduces the overhead associated with managing consumer configurations and ensures that your Kong gateways are always up-to-date with the latest consumer data. Moreover, with built-in security measures such as mTLS authentication and data protection both in motion and at rest, Consumers offers a secure and compliant solution for managing your API consumers at scale in Konnect. 

If you're interested in trying out this feature, please reach out to us at konnect-feedback@konghq.com. 

Simplified management with Konnect Config Store

Managing sensitive information for API configuration across multiple data planes can be complex and costly. Kong Konnect simplifies this with the Konnect Config Store, a cloud-based repository that enables secret management with Konnect. Config Store is a single source of truth that reduces the need for external secret managers like Hashicorp, lowers the cost of ownership, and streamlines vendor management. Konnect Config Store will be generally available by the end of September.

Figure 3: Konnect Config Store

Accelerate GenAI innovation with semantic intelligence

In Kong Gateway 3.7, we promoted the AI Gateway to general availability, enabling organizations to accelerate the development of multi-LLM applications while securing and observing AI traffic at scale. 

In 3.8, we're introducing semantic intelligence to the AI Gateway via Semantic Prompt Guard, Semantic Caching, and Semantic Routing to dramatically improve GenAI performance, reduce computational overhead, and enhance LLM security. Additionally, this release introduces a new class of intelligent semantic plugins, several new advanced load-balancing capabilities for LLMs, and official support for AWS Bedrock and GCP Vertex. See the AI Gateway 3.8 blog for more information.

Why upgrade to Kong Gateway 3.8?

Kong Gateway 3.8 represents a major leap forward in API management. By upgrading to Kong Gateway 3.8, you'll optimize the operational efficiency of APIs by reducing latency, conserving resources, and ensuring robust observability across diverse infrastructures. The latest release introduces critical enhancements including incremental configuration, updates, and enhanced OpenTelemetry support. The new Config Store functionality will further streamline the secure management of API configurations, making it easier for teams to run their services reliably at scale.

Getting started with Kong Gateway 3.8 

Want to learn more? It's not too late to register for API Summit where we’ll discuss all things APIs and AI. Or, dig into our documentation for more technical details. 

If you have any questions about Kong Gateway 3.8 or API Summit, reach out to us on LinkedIn or X!