Conduktor Gateway: Route. Protect. Transform.

An abstraction layer that gives platform teams the Kafka controls they've always wanted - without asking developers to change a single line of code.


Augment Your Infrastructure.

Kafka is powerful, but it wasn't built for everything your organization needs. Gateway adds the capabilities that aren't there natively so you can tailor Kafka to your requirements, not the other way around.

For Platform Teams: Scale Kafka across teams without multiplying infrastructure or complexity.

For Security & Compliance: Enforce encryption and data policies at the infrastructure layer, not in application code.

Client Routing & Access Control

Connect without code changes

Remove network barriers, centralize authentication, and get finer access control than native Kafka ACLs allow.

  • Cross-network connectivity without client configuration changes or firewall complexity
  • Simplified security management with centralized authentication across hybrid deployments
  • Identity-based multi-tenancy enabling secure isolation without separate clusters
  • Compliance-ready audit trails meeting SOC2, ISO 27001, and GDPR requirements


# Gateway Configuration
gateway:
  environment:
    GATEWAY_SECURITY_MODE: GATEWAY_MANAGED
    # SASL_PLAINTEXT sends the OAuth bearer token without TLS; use SASL_SSL outside local testing
    GATEWAY_SECURITY_PROTOCOL: SASL_PLAINTEXT

    # OIDC Provider Settings
    GATEWAY_OAUTH_JWKS_URL: "https://your-idp.com/.well-known/jwks.json"
    GATEWAY_OAUTH_EXPECTED_ISSUER: "https://your-idp.com"
    GATEWAY_OAUTH_EXPECTED_AUDIENCES: "kafka-gateway"
    GATEWAY_OAUTH_SUB_CLAIM_NAME: "sub"

# Map OIDC identities to Gateway Service Accounts
apiVersion: gateway/v2
kind: GatewayServiceAccount
metadata:
  name: my-application
spec:
  type: EXTERNAL
  externalNames:
    - "oauth-subject-id-from-token"  # Value from 'sub' claim in JWT

// Audit log event
{
  "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "type": "APIKEYS_REQUEST",
  "time": "2024-10-15T14:30:45.123Z",
  "source": "//kafka/cluster/production",
  "authenticationPrincipal": "tenant-acme",
  "userName": "order-service",
  "connection": {
    "localAddress": "172.17.0.2:6969",
    "remoteAddress": "192.168.1.42:52341"
  },
  "eventData": {
    "apiKeys": "PRODUCE",
    "topics": [
      { "name": "orders", "partition": 0 },
      { "name": "orders", "partition": 1 }
    ]
  },
  "specVersion": "0.1.0"
}
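
A triage pass over events of the shape shown above, as an added example rather than Conduktor code: it flags PRODUCE requests whose userName is not on an allow-list for the topic and counts lines that fail to parse. The allow-list, function names and sample events are assumptions constructed for illustration.

```python
import json

# Hypothetical allow-list (not a Gateway feature): topics each userName may produce to.
ALLOWED_PRODUCE = {"order-service": {"orders"}}

def _sample(time, user, api, topics, remote):
    """Build one constructed event in the shape of the audit log event above."""
    return json.dumps({
        "type": "APIKEYS_REQUEST", "time": time,
        "authenticationPrincipal": "tenant-acme", "userName": user,
        "connection": {"localAddress": "172.17.0.2:6969", "remoteAddress": remote},
        "eventData": {"apiKeys": api,
                      "topics": [{"name": t, "partition": 0} for t in topics]},
    })

# Constructed sample input, one JSON event per line; the last line is truncated.
SAMPLE_LINES = [
    _sample("2024-10-15T14:30:45.123Z", "order-service", "PRODUCE", ["orders"], "192.168.1.42:52341"),
    _sample("2024-10-15T14:31:02.000Z", "report-service", "PRODUCE", ["orders"], "192.168.1.77:40112"),
    _sample("2024-10-15T14:31:09.500Z", "report-service", "FETCH", ["orders"], "192.168.1.77:40112"),
    '{"type": "APIKEYS_REQUEST", "time": "2024-10-15T14:32',
]

def find_unexpected_producers(lines, allowed=ALLOWED_PRODUCE):
    """Return (findings, unparsed_count) for PRODUCE events outside the allow-list."""
    findings, unparsed = [], 0
    for line in lines:
        try:
            ev = json.loads(line)
            data = ev["eventData"]
            user = ev["userName"]
            remote_ip = ev["connection"]["remoteAddress"].rsplit(":", 1)[0]
        except (ValueError, KeyError, TypeError, AttributeError):
            unparsed += 1  # count instead of dropping: gaps in an audit trail matter
            continue
        if ev.get("type") != "APIKEYS_REQUEST" or data.get("apiKeys") != "PRODUCE":
            continue
        topics = {t["name"] for t in data.get("topics", [])}
        extra = sorted(topics - allowed.get(user, set()))
        if extra:
            findings.append({"time": ev.get("time"), "user": user,
                             "principal": ev.get("authenticationPrincipal"),
                             "remote_ip": remote_ip, "topics": extra})
    return findings, unparsed

if __name__ == "__main__":
    for finding in find_unexpected_producers(SAMPLE_LINES)[0]:
        print(finding)
```
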
Application Resilience

Migrate and test resilience safely

Execute infrastructure changes confidently while applications continue running unchanged.

  • Zero-downtime migrations switching clusters without application config changes or team coordination
  • Seamless failover maintaining continuity when infrastructure fails
  • Safe resilience testing injecting latency, errors, and corruption without production risk


# Gateway cluster configuration
config:
  main:
    bootstrap.servers: kafka-primary:9092
    security.protocol: SASL_SSL
    sasl.mechanism: PLAIN

  failover:
    bootstrap.servers: kafka-secondary:9092
    gateway.roles: failover

# Switch from main → failover
curl -X POST 'http://localhost:8888/gateway/v2/cluster-switching' \
  -H 'Content-Type: application/json' \
  -d '{"fromPhysicalCluster": "main", "toPhysicalCluster": "failover"}'

# Chaos testing interceptor
apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: chaos-broken-broker
spec:
  pluginClass: io.conduktor.gateway.interceptor.chaos.SimulateBrokenBrokersPlugin
  priority: 100
  config:
    rateInPercent: 100
    errorMap:
      FETCH: UNKNOWN_SERVER_ERROR
      PRODUCE: CORRUPT_MESSAGE

Multi-tenancy & Virtualization

Decouple tenants from clusters

Serve multiple teams from shared infrastructure with independent namespaces and naming conventions.

  • Lower infrastructure costs through cluster consolidation with isolated logical environments per team
  • 90%+ partition reduction by concentrating low-volume topics and lowering broker overhead
  • Rename topics transparently without client changes or exposing internal naming to consumers


apiVersion: gateway/v2
kind: VirtualCluster
metadata:
  name: payments-team
spec:
  type: Standard
  aclEnabled: true
  superUsers:
    - payments-admin

---
apiVersion: gateway/v2
kind: VirtualCluster
metadata:
  name: orders-team
spec:
  type: Standard
  aclEnabled: true
  superUsers:
    - orders-admin

---
apiVersion: gateway/v2
kind: AliasTopic
metadata:
  name: customers
  vCluster: partner-team
spec:
  physicalName: internal-crm-customers

---
apiVersion: gateway/v2
kind: AliasTopic
metadata:
  name: orders
  vCluster: partner-team
spec:
  physicalName: internal-billing-orders

Performance & Efficiency

Handle load efficiently

Lighten broker load and serve filtered topic views without duplicating data or adding infrastructure.

  • Filtered views without duplication using SQL-based projections instead of stream processing pipelines
  • Faster high-frequency reads by caching messages and reducing broker load
  • Transparent large payload handling offloading oversized messages to S3 or Azure Blob automatically


apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: sql-filter-adults
spec:
  pluginClass: io.conduktor.gateway.interceptor.VirtualSqlTopicPlugin
  priority: 100
  config:
    virtualTopic: customers-adult
    statement: |
      SELECT firstName, lastName, email, country
      FROM customers
      WHERE age >= 18 AND country = 'US'
    schemaRegistryConfig:
      host: http://schema-registry:8081
---
apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: cache-high-traffic-topics
spec:
  pluginClass: io.conduktor.gateway.interceptor.CacheInterceptorPlugin
  priority: 100
  config:
    topic: "events.*"
    cacheConfig:
      type: IN_MEMORY
      inMemConfig:
        cacheSize: 1000
        expireTimeMs: 60000
---
apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: offload-large-messages-s3
spec:
  pluginClass: io.conduktor.gateway.interceptor.LargeMessageHandlingPlugin
  priority: 100
  config:
    topic: "media.*"
    minimumSizeInBytes: 1048576
    localDiskDirectory: /tmp/kafka-offload
    s3Config:
      bucketName: kafka-large-messages
      region: us-east-1

Platform Guardrails

Prevent misconfigurations

Enforce organizational standards and prevent destabilizing changes before they reach production.

  • Prevent production issues by enforcing data contracts and config standards before deployment
  • Eliminate noisy neighbors with bandwidth and rate limits per tenant or cluster
  • Enforce best practices ensuring acks, compression, and idempotence across all producers
  • Control metadata centrally transforming headers without application changes


apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: topic-governance-policy
spec:
  pluginClass: io.conduktor.gateway.interceptor.safeguard.CreateTopicPolicyPlugin
  priority: 100
  config:
    namingConvention:
      value: "^[a-z]+-[a-z]+-[a-z]+$"
      action: BLOCK
    numPartition:
      min: 3
      max: 12
      action: OVERRIDE
      overrideValue: 6
    replicationFactor:
      min: 3
      max: 3
      action: BLOCK
    retentionMs:
      min: 86400000
      max: 604800000
      action: OVERRIDE
      overrideValue: 259200000
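
How a create-topic request fares against the topic-governance-policy values above, as an added example and not the plugin's own code. It assumes BLOCK rejects the request and OVERRIDE replaces an out-of-range value with overrideValue; the function name and sample requests are constructed.

```python
import re

# Values copied from the topic-governance-policy interceptor above.
POLICY = {
    "namingConvention": {"value": r"^[a-z]+-[a-z]+-[a-z]+$", "action": "BLOCK"},
    "numPartition": {"min": 3, "max": 12, "action": "OVERRIDE", "overrideValue": 6},
    "replicationFactor": {"min": 3, "max": 3, "action": "BLOCK"},
    "retentionMs": {"min": 86400000, "max": 604800000,
                    "action": "OVERRIDE", "overrideValue": 259200000},
}

def evaluate_create_topic(request, policy=POLICY):
    """Return (allowed, effective_request, reasons).

    Assumed semantics, not taken from the plugin source: BLOCK rejects the
    request; OVERRIDE swaps an out-of-range value for overrideValue.
    """
    effective, reasons, allowed = dict(request), [], True
    naming = policy["namingConvention"]
    # fullmatch, because '$' alone would also accept a trailing newline in Python
    if not re.fullmatch(naming["value"], request["name"]):
        reasons.append(f"name {request['name']!r} violates {naming['value']}")
        allowed = allowed and naming["action"] != "BLOCK"
    for key in ("numPartition", "replicationFactor", "retentionMs"):
        rule, value = policy[key], request.get(key)
        if value is None or rule["min"] <= value <= rule["max"]:
            continue  # unset values are left to broker defaults in this example
        if rule["action"] == "OVERRIDE":
            effective[key] = rule["overrideValue"]
            reasons.append(f"{key}={value} overridden to {rule['overrideValue']}")
        else:  # BLOCK
            allowed = False
            reasons.append(f"{key}={value} outside [{rule['min']}, {rule['max']}]")
    return allowed, effective, reasons

# Constructed requests: one repaired by OVERRIDE, one rejected by two BLOCK rules.
REPAIRED = {"name": "payments-orders-created", "numPartition": 1,
            "replicationFactor": 3, "retentionMs": 2592000000}
REJECTED = {"name": "Orders_v2", "numPartition": 6,
            "replicationFactor": 1, "retentionMs": 86400000}

if __name__ == "__main__":
    for req in (REPAIRED, REJECTED):
        print(evaluate_create_topic(req))
```
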
---
apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: producer-rate-limit
  scope:
    vCluster: payments-team
spec:
  pluginClass: io.conduktor.gateway.interceptor.safeguard.ProducerRateLimitingPolicyPlugin
  priority: 100
  config:
    maximumBytesPerSecond: 10485760
    action: BLOCK

---
apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: consumer-rate-limit
  scope:
    vCluster: payments-team
spec:
  pluginClass: io.conduktor.gateway.interceptor.safeguard.ConsumerRateLimitingPolicyPlugin
  priority: 100
  config:
    maximumBytesPerSecond: 52428800

Data Quality

Stop bad data at the source

Validate data as it flows through—not after it's caused problems downstream.

  • Detect degradation early by evaluating messages against validation rules in real-time
  • Block bad data from entering Kafka by enforcing quality rules at the source
  • Eliminate consumer failures by ensuring only valid data reaches downstream systems


{
  "name": "myDataQualityProducerPlugin",
  "pluginClass": "io.conduktor.gateway.interceptor.safeguard.DataQualityProducerPlugin",
  "priority": 100,
  "config": {
    "statement": "SELECT x FROM orders WHERE amount_cents > 0 AND amount_cents < 1000000",
    "schemaRegistryConfig": {
       "host": "http://schema-registry:8081"
    },
    "action": "BLOCK_WHOLE_BATCH",
    "deadLetterTopic": "dead-letter-topic",
    "addErrorHeader": false
  }
}

Data Confidentiality

Encrypt consistently across apps

Define encryption once and apply it uniformly, without touching application code.

  • Prevent config drift with centralized encryption and standardized KMS connections
  • Meet compliance requirements integrating with Vault, AWS KMS, Azure Key Vault, GCP KMS, or Fortanix
  • Protect fields selectively encrypting sensitive data while keeping the rest readable
  • Enable analytics on protected data using tokenization that preserves format without exposing values


apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: encrypt-pii-fields
spec:
  pluginClass: io.conduktor.gateway.interceptor.EncryptPlugin
  priority: 100
  config:
    topic: "customers.*"
    recordValue:
      fields:
        - fieldName: ssn
          keySecretId: "vault-kms://vault:8200/transit/keys/pii-key"
          algorithm: AES256_GCM
        - fieldName: creditCard.number
          keySecretId: "vault-kms://vault:8200/transit/keys/payment-key"
          algorithm: AES256_GCM
        - fieldName: email
          keySecretId: "in-memory-kms://email-key"
          algorithm: AES128_GCM
    kmsConfig:
      vault:
        # Plain HTTP exposes the Vault token on the wire; use an https:// URI outside local testing
        uri: http://vault:8200
        type: TOKEN
        token: ${VAULT_TOKEN}
---
apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: encrypt-with-kms
spec:
  pluginClass: io.conduktor.gateway.interceptor.EncryptPlugin
  priority: 100
  config:
    topic: ".*"
    recordValue:
      fields:
        - fieldName: ssn
          keySecretId: "vault-kms://..."
        - fieldName: payment.cardNumber
          keySecretId: "aws-kms://..."
        - fieldName: healthRecord
          keySecretId: "azure-kms://..."
    kmsConfig:
      vault:
        uri: http://vault:8200
        type: APP_ROLE
      aws:
        basicCredentials:
          accessKey: ${AWS_ACCESS_KEY}
      azure:
        tokenCredential:
          tenantId: ${AZURE_TENANT_ID}

Partner Access & Data Sharing

Share data securely

Give partners access to the data they need without exposing your full cluster or duplicating pipelines.

  • Control external access through isolated virtual clusters with topic mappings and rate limits
  • Share without duplication using topic views tailored for partner-specific access
  • Adapt formats automatically transforming data for external consumption without dual-write patterns
  • Track usage for billing with consumption metrics that enable cost allocation and chargeback


apiVersion: gateway/v2
kind: VirtualCluster
metadata:
  name: partner-a
spec:
  type: Partner
  aclEnabled: true
  superUsers:
    - partner-admin

---
apiVersion: gateway/v2
kind: GatewayServiceAccount
metadata:
  name: partner-admin
  vCluster: partner-a
spec:
  type: LOCAL

---
apiVersion: gateway/v2
kind: AliasTopic
metadata:
  name: orders
  vCluster: partner-a
spec:
  physicalName: internal-orders

Measurable Impact

Real results from platform teams using Gateway.

1. 25 clusters migrated

European airline moved to Confluent Cloud in 9 months with zero downtime.

2. PCI DSS compliant

Payment processor achieved MasterCard and VISA certification with Gateway encryption.

3. 50+ teams, one proxy

FlixBus scaled multi-tenancy without multiplying infrastructure.

4. Zero code changes

Encryption, routing, and policies applied at the proxy layer, not in applications.


Ready to Try Gateway?

See how platform teams use Gateway to add encryption, multi-tenancy, and traffic control to their Kafka clusters without changing application code.
