Kong Gateway: what enterprises keep getting wrong

Three patterns we see repeatedly when we pick up a Kong estate: plugin sprawl, control-plane sprawl and missing environment separation. All three are fixable in a single engagement.

Ümit Demirtaş
Head of Engineering · 10 April 2026 · 6 min read

Kong Gateway is one of the most deployed API gateways in the enterprise, and that's partly because it does a lot out of the box. The trouble is that 'a lot out of the box' is also how many estates drift into a state that looks correct from the console but will not scale past the next organisational growth spurt. Here are the three patterns we see most often when a Kong estate lands in an ANKASOFT managed-services engagement.

1. Plugin sprawl

It is very easy to add a Kong plugin. It is much harder to remove one. Over time, routes accumulate rate-limit plugins with three different buckets, auth plugins from two different vendors, custom Lua plugins that nobody on the team can confidently explain, and observability plugins that export to a logging pipeline that was decommissioned last year.

The fix is a plugin inventory by route, grouped by plugin type, with each one tagged to an owner and a justification. What isn't owned gets archived. What isn't justified goes to a change review. This one exercise typically cuts plugin count by 30–50% and reveals plugins that have been silently failing for months.
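One way to run that inventory over an exported declarative config, as an added example rather than ANKASOFT's or Kong's own tooling. It assumes the export nests routes under services and plugins under routes, and that ownership and justification are recorded as plugin tags with the hypothetical prefixes `owner:` and `why:`; the sample data and ticket id are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Kong declarative config (services -> routes -> plugins).
# The "owner:" / "why:" tag prefixes are a hypothetical convention, not a Kong built-in.
SAMPLE = json.loads("""
{"services": [{"name": "orders", "routes": [
  {"name": "orders-v1", "plugins": [
    {"name": "rate-limiting", "tags": ["owner:payments", "why:CHG-0001"]},
    {"name": "rate-limiting", "consumer": "partner-a", "tags": ["owner:platform"]},
    {"name": "key-auth", "tags": []}]},
  {"name": "orders-v2", "plugins": [
    {"name": "http-log"}]}]}]}
""")

def tag_value(plugin, prefix):
    """Return the value of the first tag starting with prefix, or None if absent/empty."""
    for tag in plugin.get("tags") or []:
        if tag.startswith(prefix):
            return tag[len(prefix):] or None
    return None

def inventory(config):
    """Build {route: {plugin_type: [entries]}} with a triage verdict per plugin."""
    result = defaultdict(lambda: defaultdict(list))
    for service in config.get("services", []):
        for route in service.get("routes", []):
            for plugin in route.get("plugins", []):
                owner = tag_value(plugin, "owner:")
                why = tag_value(plugin, "why:")
                if owner is None:
                    verdict = "archive"        # not owned
                elif why is None:
                    verdict = "change-review"  # owned but not justified
                else:
                    verdict = "keep"
                result[route["name"]][plugin["name"]].append(
                    {"owner": owner, "why": why, "verdict": verdict})
    return result

def duplicates(inv):
    """Routes carrying more than one instance of the same plugin type."""
    return sorted((r, p) for r, types in inv.items()
                  for p, entries in types.items() if len(entries) > 1)

if __name__ == "__main__":
    inv = inventory(SAMPLE)
    for route, types in inv.items():
        for ptype, entries in types.items():
            print(route, ptype, [(e["owner"], e["verdict"]) for e in entries])
    print("duplicates:", duplicates(inv))
```

Service-level and global plugins are outside this sketch; a full inventory would walk those lists the same way.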

2. Control-plane sprawl

Kong ships a control plane, and teams often end up running one per environment, per region, per business unit, per 'pilot' that never got decommissioned. Each control plane is another upgrade cadence, another RBAC model, another set of secrets, another thing to page someone about at 3am.

The target is usually one control plane per environment (dev / staging / prod) and data planes distributed by region. If you are running more than that, the starting question is why — and the answer is almost always 'a migration we never finished.' Finish it.

3. Environment separation that isn't

We find Kong estates where the same control plane serves prod and non-prod traffic, where secrets leak from staging consumer groups to production, or where a tired engineer at 2am changed a staging route and cut a prod customer off. These are not Kong bugs. They are governance gaps that the platform happily reflects back to you.

Hardened environment separation looks like: separate control planes per environment, separate secret stores, separate identity for plugin administration, and automated drift detection that flags when a non-prod plugin configuration gets promoted to prod without review. None of this is exotic. All of it is typically missing on the estates we take over.

The gateway is not the product. The gateway is the boundary where your product meets everyone else's. Treat it like a boundary, not like a toolbox.

Where this lands

ANKASOFT is a Kong Certified Partner and most of our engagements that start with 'a Kong review' turn into a deeper conversation about plugins, control planes and governance. If any of the three patterns above sound like your estate, our 45-minute architecture review is the right first step. We either tell you that your shape is fine, or we ship a prioritised list of things that will matter during your next scaling event.
