Appearance
Kong → Gatez Plugin Mapping
Automatic Translation (handled by kong-to-gatez.sh)
| Kong Plugin | Gatez (APISIX) Plugin | Notes |
|---|---|---|
| rate-limiting | limit-count | Fixed window. For sliding window, use tenant-rate-limit |
| rate-limiting-advanced | limit-count | Enterprise-only in Kong. Available to all in Gatez |
| key-auth | key-auth | Direct equivalent |
| jwt | jwt-auth | Direct equivalent |
| basic-auth | basic-auth | Direct equivalent |
| cors | cors | Direct equivalent |
| ip-restriction | ip-restriction | Direct equivalent |
| request-transformer | proxy-rewrite | Header/path rewriting |
| response-transformer | response-rewrite | Header/body rewriting |
| http-log | http-logger | Direct equivalent |
| tcp-log | tcp-logger | Direct equivalent |
| udp-log | udp-logger | Direct equivalent |
| prometheus | prometheus | Direct equivalent |
| opentelemetry | opentelemetry | Direct equivalent |
| request-size-limiting | limit-req | Request rate/size limiting |
| grpc-gateway | grpc-transcode | gRPC-HTTP transcoding |
| grpc-web | grpc-web | gRPC-Web support |
| request-termination | serverless-pre-function | Custom Lua response |
Handled by Gatez L2 (AI Gateway) — No L1 Plugin Needed
| Kong Plugin | Gatez Equivalent | Layer |
|---|---|---|
| ai-proxy | L2 multi-model routing (OpenAI, Anthropic, Gemini, Ollama) | L2 |
| ai-proxy-advanced | L2 with fallback chains + circuit breaker | L2 |
| ai-prompt-guard | L2 PII redaction (regex: SSN, email, credit card, phone, IP) | L2 |
| ai-rate-limiting-advanced | L2 token budget enforcement ({tenant_id}:budget:tokens in Redis) | L2 |
| ai-semantic-cache | L2 two-tier cache (Redis exact → Qdrant similarity) | L2 |
| ai-rag-injector | Not yet implemented (tracked as gap) | L2 |
Handled by Gatez L3 (Agent Gateway)
| Kong Plugin | Gatez Equivalent | Layer |
|---|---|---|
| ai-mcp-proxy | L3 MCP protocol implementation (server registry, tool discovery) | L3 |
| ai-mcp-oauth2 | L3 session auth + Keycloak OIDC | L3 |
No Direct Equivalent — Manual Migration Required
| Kong Plugin | Recommended Approach |
|---|---|
| oauth2 | Use Keycloak as IdP + APISIX openid-connect plugin |
| ldap-auth | Use Keycloak LDAP federation + jwt-auth |
| acl | Use Gatez tenant-based isolation (tenant_id in JWT) |
| bot-detection | Implement as custom Lua plugin or use L2 middleware |
| proxy-cache | Use L2 semantic cache for AI requests; for HTTP cache, use APISIX proxy-cache (available but not enabled by default) |
| session | Use Keycloak session management |
| hmac-auth | Custom Lua plugin (APISIX has hmac-auth available) |
| mtls-auth | APISIX ssl/client-certificate verification (requires TLS config) |
| canary | Use APISIX traffic-split plugin (now enabled in Gatez) |
| statsd | Use APISIX prometheus plugin + Prometheus StatsD exporter |
| datadog | Use APISIX opentelemetry plugin → OTel Collector → Datadog exporter |
| zipkin | Use APISIX opentelemetry plugin → OTel Collector → Zipkin exporter |
Kong Enterprise-Only → Gatez Free
These features require Kong Enterprise license ($50K+/yr) but are available in Gatez for all tenants:
| Feature | Kong | Gatez |
|---|---|---|
| Per-tenant rate limiting | Enterprise (Workspaces) | All tenants, day one (tenant-rate-limit Lua plugin) |
| Token-aware rate limiting | Enterprise (ai-rate-limiting-advanced) | All tenants (L2 token budget in Redis) |
| Sliding window rate limiting | Enterprise (rate-limiting-advanced) | All tenants (tenant-rate-limit with Redis sliding window) |
| RBAC | Enterprise (Workspaces + roles) | Keycloak-based (platform-admin, tenant-admin, analyst) |
| Audit logging | Enterprise | ClickHouse audit trail (agent_audit_log, no TTL) |
| Developer portal | Enterprise (Dev Portal v3) | Gatez Developer Portal (separate React app) |