Migrating from Kong Gateway to Kong Konnect

techhadoop

Migrating from Kong Gateway (self-managed/on-prem) to Kong Konnect (cloud-managed) involves a combination of:

  • Exporting your current Kong configuration
  • Translating any on-prem customizations or plugins
  • Importing services and routes into Konnect
  • Updating auth, plugins, and Dev Portal configuration
  • Re-pointing your traffic and observability tools

Here’s a step-by-step migration plan with optional tooling for automation:

Step 1: Inventory Your Current Kong Gateway

Start by identifying all current components:

  • Services
  • Routes
  • Plugins
  • Consumers & credentials
  • RBAC users & roles
  • Custom plugins (if any)
  • Certificates
  • Upstreams / Targets
  • Rate limiting or security policies

You can use:

deck dump --kong-addr http://<admin-api>:8001 --output-file kong-export.yaml

This uses decK, a declarative config tool for Kong.

Step 2: Set Up Kong Konnect

  1. Sign up for Kong Konnect
  2. Create a Runtime Group (this is where your data plane will connect)
  3. Install Kong Gateway (with Konnect mode) as the Data Plane: curl -O https://download.konghq.com/gateway-3.x-centos/Packages/k/kong-3.x.rpm Configure it with: yamlCopyEditrole: data_plane cluster_control_plane: <Konnect CP endpoint> cluster_telemetry_endpoint: <Telemetry CP endpoint>

Step 3: Translate & Import Configuration

Use decK to sync into Konnect:

bashCopyEditdeck sync --konnect-runtime-group <runtime-group-name> \
          --konnect-token <your-token> \
          --state kong-export.yaml

DecK v1.16+ supports direct Konnect import via --konnect flags.

Note: decK does not migrate:

  • RBAC user roles
  • Developer Portal assets (you’ll need to re-upload manually)
  • Custom plugins (must be re-implemented and built for Konnect if supported)

Step 4: Migrate Authentication & Plugins

  • Consumers / Auth: Recreate consumers in Konnect or use Konnect Dev Portal to register apps
  • Certificates: Re-upload any TLS certs to Konnect
  • Custom Plugins: Migrate only if they are supported on Kong Konnect. Otherwise, consider rewriting logic using Lua/Python and submit to Kong support if needed.

Step 5: Reconfigure Observability

Kong Konnect offers built-in integrations:

  • Logs: Datadog, HTTP log, Splunk (via plugin)
  • Metrics: Prometheus, Kong Vitals
  • Use the Konnect GUI or API to configure logging plugins

Step 6: Redirect Traffic to Konnect Runtime

  • Update DNS or Load Balancer to send traffic to new Konnect Data Plane IPs
  • Perform traffic shadowing/canary if needed

Final Step: Validation & Cutover

  • Smoke test all endpoints
  • Test rate limits, auth flows, consumer access
  • Validate logs and metrics collection
  • Disable/decommission legacy Kong Gateway only after validation

Leave a comment