Kong
Update - Konnect Middle East Region: Indefinite Outage

The Konnect Middle East Region is undergoing a prolonged outage due to the operational loss of AWS datacenters in the region. The duration of this outage is undetermined. As a result, we have no timeline for service restoration in the ME Region.

Customers are encouraged to migrate to one of our other Konnect control plane hosting regions in the EU, Australia, India or the United States. If assistance is required, please reach out to your Kong support representative.

Apr 02, 2026 - 19:48 UTC
Update - We are observing increased error rates across services in the Konnect Middle East region. Data plane proxy traffic is not impacted.

We are actively working with AWS to resolve the issue and will provide updates as more information becomes available.

Mar 23, 2026 - 23:19 UTC
Update - Customers in the Middle East (Bahrain) region are operating in a reduced Availability Zone (AZ) configuration due to an ongoing AWS infrastructure issue.

The platform remains available, but some customers in this region may experience intermittent performance degradation or elevated error rates. Data plane proxy traffic is not impacted.

We are actively working with AWS to resolve the issue and will provide updates as more information becomes available.

Mar 20, 2026 - 21:12 UTC
Update - It was discovered that the DNS records for KIC reconciliation endpoints were still pointing to the out-of-service region. We have now failed over these DNS records to point to our new region. Customers using KIC would have seen 500s during reconciliation to Konnect. This was resolved at 10:30 UTC on March 5th.
Mar 05, 2026 - 13:16 UTC
Update - Current Status Summary for Konnect Middle East Region:

All services have been moved to our failover region in Middle East
Almost all services are operational, with 2 caveats:
- Analytics data is delayed several hours. Konnect is accepting and persisting Analytics data, but it is not yet visible or queryable as we continue investigating restoring service.
- The Debugger is operational including trace data; however session logs will not be available in this region.
- Observability is operational; however UUID to display name resolution will not be available in this region.

Everything else is back online. The team will update as we make progress on these remaining items.

Mar 03, 2026 - 08:53 UTC
Update - Current Status Summary for Konnect Middle East Region:

All services have been moved to our failover region in Middle East
Almost all services are operational, with 2 caveats:
- Analytics data is delayed several hours. Konnect is accepting and persisting Analytics data, but it is not yet visible or queryable as we continue investigating restoring service.
- Debugger is unable to accept incoming trace data. While debugging sessions can be started, none of the trace data will be persisted in Konnect until the datastore for traces is restored.

Everything else is back online. The team will update as we make progress on these remaining items.

Mar 03, 2026 - 05:35 UTC
Update - The data store for traces sent to Debugger is still experiencing issues in the Middle East region. Debugging sessions can be started but no spans will be able to be ingested. The team will update as they bring that service online.
Mar 03, 2026 - 05:13 UTC
Update - Service remains restored, and Kong engineers will continue to monitor the apps in the new region.
Mar 03, 2026 - 03:45 UTC
Update - User permission data is now propagating normally again.
Mar 03, 2026 - 03:03 UTC
Update - Status Update (PDP – ME-SOUTH-1)

User permission data replication in the ME-SOUTH-1 (Bahrain) region is experiencing extended latencies. Mitigation has been implemented to cap this to 15 minutes.
Updated data should now propagate within a maximum of 15 minutes.
We continue to monitor the situation and will provide further updates as needed.

Mar 02, 2026 - 22:45 UTC
Update - The following services have been restored:

- All Konnect UI-accessible products except for Event Gateway and Metering
- Dataplane connections to the Konnect Control Plane for configuration download and analytics upload

Analytics data is delayed several hours. Konnect is accepting and persisting Analytics data, but it is not yet visible or queryable as we continue investigating restoring service.

Mar 02, 2026 - 21:50 UTC
Monitoring - The Kong engineering team is now verifying restored services in the Middle East region.
Mar 02, 2026 - 21:39 UTC
Update - We have restored partial service to Konnect. The UI is working again for Gateway Manager and Dev Portal, as well as all backing APIs.

Dataplane connections to the Control Plane and Telemetry endpoints have been restored for 3 hours and should continue to work.

Mar 02, 2026 - 21:35 UTC
Update - We continue to make progress on restoring to a failover region for the Middle East region. Key AWS services to support our failover efforts are beginning to work as of 11am PST. The Konnect engineering team is working to restore and validate all services and data and will update in one hour.

Please note the control plane and telemetry endpoints are already restored, so dataplanes can connect to Konnect.

Mar 02, 2026 - 20:05 UTC
Update - Control Plane restored for Config Download and Telemetry

We have restored the control plane and telemetry endpoints. Dataplanes can now connect to the control plane API at `me.cp0.konghq.com` and `me.tp0.konghq.com`.

This is a read-only instance set up for this incident. Configuration changes are still blocked. But now customers should be able to connect new dataplanes and download their configuration, as well as send telemetry.

The Admin API for changing control plane configuration remains down.

Mar 02, 2026 - 17:36 UTC
Update - We are actively migrating the affected services to operate on other Availability Zones in the Bahrain region (ME-SOUTH-1 Region), but critical AWS services are not responding in that region. Our engineers are working to restore full service functionality and we are communicating with AWS to attempt to determine our failover options. At this time we cannot provide an ETA.

We will provide further updates as they become available. Thank you for your patience.

Mar 02, 2026 - 17:26 UTC
Update - We are actively migrating the affected services to operate on the two healthy Availability Zones in the Bahrain region (ME-SOUTH-1 Region). Our engineers are working to restore full service functionality and expect the migration to be completed within the next few hours.

We will provide further updates as they become available. Thank you for your patience.

Mar 02, 2026 - 15:26 UTC
Update - The incident is ongoing. We are working closely with our cloud provider to monitor restoration efforts.
Due to significant physical infrastructure damage in both the UAE and Bahrain regions, recovery is expected to take more time.
We appreciate your patience as we work toward a full resolution.

Mar 02, 2026 - 11:27 UTC
Update - We are currently observing renewed elevated error rates across multiple Konnect services in ME region related to the AWS outage in that region.
Mar 02, 2026 - 06:31 UTC
Identified - We are seeing many services in ME region recovering and some services are in degraded state. Dataplanes are not affected as part of this incident. All other Konnect regions are 100% operational and healthy.

Our engineers are closely monitoring the situation. We will provide additional updates as soon as more information becomes available.

Mar 02, 2026 - 01:54 UTC
Investigating - We are currently observing renewed elevated 5XX error rates across multiple Konnect services in ME region. Our engineering team is actively investigating the issue and assessing customer impact.

We will provide additional updates as soon as more information becomes available.

Mar 01, 2026 - 20:07 UTC
Monitoring - AWS continues to experience issues with some services. However, most Konnect services are now recovered and operating as expected. Our engineers are closely monitoring the services and their operational efficiency.
Mar 01, 2026 - 18:41 UTC
Identified - The increased error rates are associated with the AWS me-central-1 outage. Our engineers are monitoring the situation closely.
Mar 01, 2026 - 14:45 UTC
Investigating - We are seeing increased 5xx in the ME Region. Our engineers are currently investigating the issue.
Mar 01, 2026 - 13:08 UTC
Kong Konnect Cloud Operational
Kong Insomnia Operational
Kong Support Portal Operational
Apr 11, 2026

No incidents reported today.

Apr 10, 2026
Resolved - This incident has been resolved.
Apr 10, 21:11 UTC
Monitoring - We have rolled out the fix and will continue monitoring the situation. The system is now functioning as expected, but we are keeping a close eye on performance to ensure stability. We will provide another update if any issues arise.
Apr 10, 19:00 UTC
Update - We have a fix and are rolling the change out. We will begin monitoring the situation closely and will provide another update once the rollout is complete.
Apr 10, 18:41 UTC
Identified - We have identified the issue and are working on a fix.
Apr 10, 18:21 UTC
Investigating - Some analytics data in the US may be experiencing data loss. We are currently investigating the cause of this issue and will provide updates as they become available.
Apr 10, 18:07 UTC
Apr 9, 2026
Resolved - Customers running 3.13 and below who use the OIDC plugin with `tls_client_auth_ssl_verify` unset would have seen this value change to `false` if they updated the config after the rollback of new defaults following the 3.14 release.

The rollback incorrectly flipped the default of the OIDC plugin's `tls_client_auth_ssl_verify` to `false`. This field was not one of the items recently switched to default `true`; it has defaulted to `true` for some time.

We have rolled out a fix to prod to change this default back to true. Updates to the OIDC plugin should once again keep this value set to true if not specifically defined.

Apr 9, 18:06 UTC
Apr 8, 2026
Resolved - We have completed the rollback to the original default values. For customers applying their configurations without explicitly defining `ssl_verify` and `hide_credentials`, these fields will default to `false` again.
Apr 8, 21:33 UTC
Identified - The issue has been identified and a fix is being implemented.
Apr 8, 16:20 UTC
Investigating - With the release of 3.14 and changes to default security settings for Kong's secure by default initiatives, Konnect customers running dataplane versions earlier than 3.14 and updating certain plugins without providing overrides to the new defaults began experiencing the following issues:

First, Konnect would begin reporting that a default had been overridden that did not apply to the connected dataplane. This is a warning that Konnect gives when the configuration on the Konnect control plane appears to have user-defined changes that do not apply to the dataplane version the customer is using. The message exists so that users do not configure plugin properties their dataplane would not use, and to make clear why a new field isn't taking effect. Because our defaults changed, the reporting in some cases treated a configuration that did not match the new default as an 'override', which triggered the message. This had no impact on dataplane configurations or behavior, but it was a confusing message, and we have removed it.

The second and more impactful issue is the updating of default values in 3.14. After the 3.14 release, some fields like `ssl_verify` and `hide_credentials` in various entities started defaulting to `true` instead of `false`. As a result, customers who run a deck sync without these fields defined will see their config values change from `false` to `true`, which is an issue. Konnect is working on rolling back to the old default values. Once the default values are restored on the API, the next time the config is updated without the default values, the previous values will be applied.

Plugins using ssl_verify:
ace
acme
ai-aws-guardrail
ai-azure-content-safety
ai-llm-as-judge
ai-proxy-advanced
ai-rag-injector
ai-rate-limiting-advanced
ai-request-transformer
ai-response-transformer
ai-semantic-cache
ai-semantic-prompt-guard
ai-semantic-response-guard
aws-lambda
azure-functions
basic-auth
confluent
confluent-consume
datakit
forward-proxy
graphql-proxy-cache-advanced
graphql-rate-limiting-advanced
header-cert-auth
http-log
jwt-signer
kafka-consume
kafka-log
kafka-upstream
ldap-auth
ldap-auth-advanced
mtls-auth
opa
openid-connect
proxy-cache-advanced
rate-limiting
rate-limiting-advanced
request-callout
response-ratelimiting
saml
service-protection
tcp-log
upstream-oauth

Plugins using hide_credentials:
key-auth
key-auth-enc
basic-auth
hmac-auth
ldap-auth
oauth2
oauth2-introspection
vault-auth (EE)
ldap-auth-advanced (EE)

Apr 8, 16:20 UTC
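To find which plugin entries in a decK state rely on server-side defaults, the following added example (not Kong's code) walks a parsed state file and reports every listed plugin that leaves `ssl_verify`, `hide_credentials` or `tls_client_auth_ssl_verify` unset. It assumes decK's layout of global `plugins` plus `services` with nested `plugins` and `routes`; `SAMPLE_STATE` and the names in it are constructed.

```python
# Plugin and field names are taken from the incident reports on this page.
SSL_VERIFY_PLUGINS = set("""
ace acme ai-aws-guardrail ai-azure-content-safety ai-llm-as-judge ai-proxy-advanced
ai-rag-injector ai-rate-limiting-advanced ai-request-transformer ai-response-transformer
ai-semantic-cache ai-semantic-prompt-guard ai-semantic-response-guard aws-lambda
azure-functions basic-auth confluent confluent-consume datakit forward-proxy
graphql-proxy-cache-advanced graphql-rate-limiting-advanced header-cert-auth http-log
jwt-signer kafka-consume kafka-log kafka-upstream ldap-auth ldap-auth-advanced mtls-auth
opa openid-connect proxy-cache-advanced rate-limiting rate-limiting-advanced
request-callout response-ratelimiting saml service-protection tcp-log upstream-oauth
""".split())
HIDE_CREDENTIALS_PLUGINS = set("""
key-auth key-auth-enc basic-auth hmac-auth ldap-auth oauth2 oauth2-introspection
vault-auth ldap-auth-advanced
""".split())
FIELDS = (("ssl_verify", SSL_VERIFY_PLUGINS),
          ("hide_credentials", HIDE_CREDENTIALS_PLUGINS),
          ("tls_client_auth_ssl_verify", {"openid-connect"}))


def has_explicit(node, field):
    """True if `field` is set to a non-null value anywhere under node."""
    if isinstance(node, dict):
        return any((k == field and v is not None) or has_explicit(v, field)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(has_explicit(v, field) for v in node)
    return False


def iter_plugins(state):
    """Yield (scope, plugin) for global, service-level and route-level plugins."""
    for plugin in state.get("plugins", []):
        yield "global", plugin
    for svc in state.get("services", []):
        for plugin in svc.get("plugins", []):
            yield "service:" + svc["name"], plugin
        for route in svc.get("routes", []):
            for plugin in route.get("plugins", []):
                yield "route:" + route["name"], plugin


def implicit_defaults(state):
    """List (scope, plugin, field) entries that rely on the server-side default."""
    return [(scope, plugin["name"], field)
            for scope, plugin in iter_plugins(state)
            for field, plugins in FIELDS
            if plugin["name"] in plugins
            and not has_explicit(plugin.get("config") or {}, field)]


SAMPLE_STATE = {  # constructed sample, shaped like a parsed decK state file
    "plugins": [{"name": "openid-connect", "config": {"ssl_verify": True}}],
    "services": [{
        "name": "orders",
        "plugins": [{"name": "http-log", "config": {"http_endpoint": "https://logs.example.internal"}}],
        "routes": [{"name": "orders-v1", "plugins": [{"name": "key-auth", "config": {}}]}],
    }],
}
```

Each entry returned by `implicit_defaults(SAMPLE_STATE)` is a field to pin explicitly in the state file so that a change of defaults on the API cannot alter it on the next sync.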
Apr 7, 2026

No incidents reported.

Apr 6, 2026

No incidents reported.

Apr 5, 2026

No incidents reported.

Apr 4, 2026

No incidents reported.

Apr 3, 2026

No incidents reported.

Apr 2, 2026
Resolved - On 4/2/2026, Konnect introduced a change as part of our 'secure by default' initiatives for the upcoming 3.14 release, which caused expected_hash syncing issues for some customers' data planes.

For background, when a data plane connects to the Konnect control plane, the configuration is produced for that specific version of the Kong gateway. A configuration hash is calculated based off of the produced config, and stored as the expected config hash. When configuration changes occur, the control plane calculates the new configuration, broadcasts it to the connected data planes, and updates to the new expected hash.

The issue here was the preparation of the control plane for supporting SHA256 to store credential hashes. When this change was introduced, it resulted in a minor structural difference in the produced configuration, but no actual change to the configurations occurred. This led to the same configuration yielding a different hash before and after the deploy.

The way this could get a data plane to report 'out of sync' was the following:
- A data plane is connected and in sync with DP hash and Expected Config Hash `a111111a`
- The data plane is disconnected/reconnected, and since it is still in sync with DP hash and Expected Config Hash `a111111a`, a new config is not calculated
- The change to embed SHA256 support in the control plane is deployed
- A new data plane connects with no config loaded, and reports an empty config to the Control Plane
- The control plane generates the slightly altered config, and ends up with a new config hash, which updates the expected config hash to `b222222b`
- Since no configuration change occurred, the data planes already connected and on `a111111a` would not have been pushed a change event, and would still be running the same configuration as `b222222b`, but the hash would not match, causing the DPs to appear out of sync

Note: Once *any* change to the control plane configuration occurred, a new config event would have been delivered, and all previous data planes would have been updated to the hash based on the new structure. Additionally, if an impacted data plane were to disconnect and reconnect, they also would have been brought into sync with the new hash. The issue was the system failing to consider the new hash as an 'event' since it did not change configured proxy behavior.

To address this in the short term, the Konnect engineering team has ensured that structural changes like this, which result in a new config hash, will trigger a configuration change event, even when no config has changed.

To address this in the long term, Konnect is moving to a config version tracking methodology that will not be impacted by structural, non-behavioral changes as the hash is.

Apr 2, 19:00 UTC
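The sequence described in this report can be reproduced in a small simulation. This is an added example, not Konnect's implementation: the `ControlPlane` and `DataPlane` classes, the empty `sha256` field standing in for the structural change, and the integer `version` counter standing in for config version tracking are all assumptions.

```python
import copy
import hashlib
import json


def config_hash(config):
    """Hash of the serialized config, as a hash-based sync check computes it."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()[:8]


class DataPlane:
    def __init__(self, name):
        self.name, self.hash, self.version = name, None, None

    def load(self, config, version):
        self.hash, self.version = config_hash(config), version


class ControlPlane:
    def __init__(self, config, push_on_hash_change):
        self.config, self.version = config, 1     # version bumps only on real edits
        self.structural_change = False            # set by the control plane deploy
        self.push_on_hash_change = push_on_hash_change
        self.expected_hash = config_hash(self.render())
        self.connected = []

    def render(self):
        """Produce the data plane config; the deploy only adds an empty field."""
        out = copy.deepcopy(self.config)
        if self.structural_change:
            for cred in out["credentials"]:
                cred["sha256"] = None             # constructed stand-in, no behavior change
        return out

    def connect(self, dp):
        self.connected.append(dp)
        if dp.hash == self.expected_hash:
            return                                # already in sync, nothing computed
        rendered = self.render()
        previous, self.expected_hash = self.expected_hash, config_hash(rendered)
        # Short-term fix: a moved hash counts as an event and is pushed to everyone.
        notify_all = self.push_on_hash_change and previous != self.expected_hash
        for target in (self.connected if notify_all else [dp]):
            target.load(rendered, self.version)

    def stale_by_hash(self):
        return [d.name for d in self.connected if d.hash != self.expected_hash]

    def stale_by_version(self):
        return [d.name for d in self.connected if d.version != self.version]


def simulate(push_on_hash_change):
    cp = ControlPlane({"credentials": [{"key": "constructed"}]}, push_on_hash_change)
    old, new = DataPlane("dp-old"), DataPlane("dp-new")
    cp.connect(old)                # in sync on the original hash
    cp.structural_change = True    # deploy: same settings, different structure
    cp.connect(new)                # empty data plane forces a fresh render
    return cp.stale_by_hash(), cp.stale_by_version()
```

`simulate(False)` reports `dp-old` as stale by hash although its version matches, and `simulate(True)` reports nothing stale under either check.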
Apr 1, 2026
Resolved - This incident has been resolved.
Apr 1, 20:17 UTC
Update - The issue has been resolved and we are now monitoring.
Apr 1, 19:19 UTC
Monitoring - Creating, Reading, & Deleting PATs through the API & UI is degraded. This does not impact authentication with PATs.
Apr 1, 19:18 UTC
Resolved - On 4/2/2026, Konnect introduced a change as part of our 'secure by default' initiatives for the upcoming 3.14 release, which caused expected_hash syncing issues for some customers' data planes.

For background, when a data plane connects to the Konnect control plane, the configuration is produced for that specific version of the Kong gateway. A configuration hash is calculated based off of the produced config, and stored as the expected config hash. When configuration changes occur, the control plane calculates the new configuration, broadcasts it to the connected data planes, and updates to the new expected hash.

The issue here was the preparation of the control plane for supporting SHA256 to store credential hashes. When this change was introduced, it resulted in a minor structural difference in the produced configuration, but no actual change to the configurations occurred. This led to the same configuration yielding a different hash before and after the deploy.

The way this could get a data plane to report 'out of sync' was the following:
- A data plane is connected and in sync with DP hash and Expected Config Hash `a111111a`
- The data plane is disconnected/reconnected, and since it is still in sync with DP hash and Expected Config Hash `a111111a`, a new config is not calculated
- The change to embed SHA256 support in the control plane is deployed
- A new data plane connects with no config loaded, and reports an empty config to the Control Plane
- The control plane generates the slightly altered config, and ends up with a new config hash, which updates the expected config hash to `b222222b`
- Since no configuration change occurred, the data planes already connected and on `a111111a` would not have been pushed a change event, and would still be running the same configuration as `b222222b`, but the hash would not match, causing the DPs to appear out of sync

Note: Once *any* change to the control plane configuration occurred, a new config event would have been delivered, and all previous data planes would have been updated to the hash based on the new structure. Additionally, if an impacted data plane were to disconnect and reconnect, they also would have been brought into sync with the new hash. The issue was the system failing to consider the new hash as an 'event' since it did not change configured proxy behavior.

To address this in the short term, the Konnect engineering team has ensured that structural changes like this, which result in a new config hash, will trigger a configuration change event, even when no config has changed.

To address this in the long term, Konnect is moving to a config version tracking methodology that will not be impacted by structural, non-behavioral changes as the hash is.

Apr 1, 06:30 UTC
Mar 31, 2026

No incidents reported.

Mar 30, 2026

No incidents reported.

Mar 29, 2026

No incidents reported.

Mar 28, 2026

No incidents reported.