KrakenD EE v2.13: AWS Bedrock, AI Dashboard, Kafka, and Plugin Extensibility
by Jorge Tarrero
KrakenD Enterprise v2.13 continues expanding the AI Gateway with AWS Bedrock support, a brand-new Grafana dashboard to monitor AI token usage, and a new way to fall back to alternative AI providers if a specific quota threshold is met.
Beyond AI, this release delivers advanced Kafka integration, makes Redis and quota processors available to all plugin types, and introduces a new Request Body Extractor modifier, among other improvements. Here’s what changed and why it matters.
AI Gateway: AWS Bedrock and Token Visibility
The AI Gateway ai/llm component now supports AWS Bedrock, and it’s been a frequently requested integration. The reason comes up often in conversations with enterprise teams: data ownership. When you send prompts to a third-party model API, your data passes through infrastructure you don’t fully control. As Amazon doesn’t use your inputs to train its models, your data stays within your AWS environment, and you keep the compliance posture you’ve already established.
If your team is already on AWS, the integration is straightforward: route AI workloads through Bedrock using the same unified LLM interface you use for OpenAI, Gemini, Anthropic, and Mistral. For teams operating under strict data residency or regulatory requirements (HIPAA, GDPR, FedRAMP), this makes Bedrock a natural fit.
Alongside Bedrock, a new AI Gateway Dashboard gives you visibility into AI token consumption directly from Grafana. Monitor usage patterns, track costs, and detect anomalies across all your AI providers in one place.
Advanced Kafka Integration and Kafka Async Agents
Kafka support has been part of KrakenD’s PubSub backend for years. But the Async Agent — KrakenD’s engine for event-driven, consumer-side processing — only supported RabbitMQ until now. [Kafka is now a first-class citizen in Async Agents](/docs/enterprise/async/kafka/), which is a big deal if you’re running a Kafka-first infrastructure and wanted to keep async processing inside KrakenD rather than bolting on a separate consumer.
Beyond that, the entire Kafka integration has been overhauled with advanced configuration and connectivity that was previously out of reach: explicit connection settings, TLS configuration, and finer control over how KrakenD interacts with your topics. If you’ve been using Kafka with KrakenD for a while and working around its limitations, this is the release where those workarounds become unnecessary.
Finally, there is a new Kafka dashboard for Prometheus/Grafana that will help administrators track the entire KrakenD-Kafka integration.
Plugin Extensibility: Redis and Quotas
Two major extensibility improvements land in this release. Quota processors and Redis can now be injected and used in all types of plugins (handlers, modifiers, middlewares, and clients). This opens the door to building custom plugin logic that leverages centralized rate limiting, quotas, and Redis-backed state without having to reinvent the wheel.
Your plugins can now read KrakenD’s quota state and report a cost after your custom logic runs — so the weight of a request reflects what actually happened, not a fixed rule. Redis access is also injected directly by KrakenD, meaning your plugin gets a ready-to-use client without managing connections or credentials. Less boilerplate, more expressive logic.
Smarter Quota Management with Fallbacks
A new quotaProcessor macro is available in Security Policies, enabling more complex quota management scenarios. This includes the ability to define fallback backend options, so when a primary quota source is unavailable, your gateway continues to operate with alternative logic rather than failing.
For example, when a user exhausts their quota, instead of returning a hard rejection, a policy can route them to a fallback backend that keeps them functional at a lower cost. A user who hits their limit on a premium hosted AI model can be transparently redirected to a local model that adds no inference cost — degraded in quality perhaps, but still useful, and far better than a rejection.
Request Body Extractor
The new modifier/request-body-extractor component lets you extract values from the request body and propagate them as headers. These extracted values are then available throughout the rest of the request flow, enabling scenarios like routing or filtering based on body content without custom code. A classic one: routing or authenticating based on a tenant_id or workspace_id buried in a JSON body. Upstream services often expect it as a header, but clients send it in the payload.
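The body-to-header promotion described above, sketched as an added example in plain Go (not KrakenD's implementation or configuration). The helper name PromoteBodyField, the X-Tenant-Id header, and the size limit are assumptions; it shows the checks such an extractor needs: discard any client-supplied copy of the header, cap the bytes read, and restore the body for the backend.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// PromoteBodyField copies a top-level string field of a JSON body into a header.
// Hypothetical helper; assumes a server-side request, so r.Body is non-nil.
func PromoteBodyField(r *http.Request, field, header string, maxBytes int64) error {
	// Drop any client-supplied value first: the header may only come from the body.
	r.Header.Del(header)
	raw, err := io.ReadAll(io.LimitReader(r.Body, maxBytes+1))
	if err != nil {
		return err
	}
	if int64(len(raw)) > maxBytes {
		return errors.New("body exceeds extraction limit")
	}
	// Restore the body so the backend still receives the original payload.
	r.Body = io.NopCloser(bytes.NewReader(raw))
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("body is not a JSON object: %w", err)
	}
	var val string
	if err := json.Unmarshal(doc[field], &val); err != nil || val == "" {
		return fmt.Errorf("field %q missing or not a string", field)
	}
	// JSON escapes can decode to CR/LF/NUL, which are unsafe in a header value.
	if strings.ContainsAny(val, "\r\n\x00") {
		return fmt.Errorf("field %q contains control characters", field)
	}
	r.Header.Set(header, val)
	return nil
}

func main() {
	// Constructed sample request: the client also sends a conflicting header.
	r, _ := http.NewRequest("POST", "http://gateway.example/orders",
		strings.NewReader(`{"tenant_id":"acme","items":[1,2]}`))
	r.Header.Set("X-Tenant-Id", "spoofed")
	fmt.Println(PromoteBodyField(r, "tenant_id", "X-Tenant-Id", 1<<20), r.Header.Get("X-Tenant-Id"))
}
```

When the field is missing or malformed the header stays unset, so a downstream authorization step fails closed instead of trusting a value the client placed in the header itself.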
Developer Experience Improvements
A handful of quality-of-life improvements round out the release: gRPC reflection support, new logging verbs for microsecond and nanosecond latency precision, a license info subcommand, JSON Schema updated to support drafts up to 2020-12, and improvements to GCP and Gemini authentication.
Bug fixes and security updates
Several bug fixes ship in this release, including a notable fix for slow startup times in services with thousands of endpoints. Go has been upgraded to 1.25.8, addressing several CVEs in crypto/x509, html/template, net/url, and os. The Circuit Breaker library has also been upgraded with the latest patches.
On a relevant note, OpenCensus no longer instruments PubSub or JOSE secrets management.
🚀 Summary of changes for EEv2.13
Yet more AI Gateway features (AWS Bedrock, quota fallbacks, dashboards), Kafka advanced integration, Redis and quotas for plugins, and more!
- Added AWS Bedrock support to the AI Gateway ai/llm component.
- Added a new quotaProcessor macro to Security Policies Engine for more complex quota management, including fallback backend options.
- Added advanced Kafka features to both PubSub and Async agents components, including specific details for connections, TLS, and more.
- New AI Gateway Dashboard to monitor AI token usage.
- Quota processors can now be injected and used in all types of plugins, allowing the use of quotas for custom use cases.
- Redis can now be injected and used in all types of plugins, allowing the use of Redis for custom use cases.
- Enhanced service-to-service authentication for Google Cloud services.
- Added a new license info subcommand to print the current license information, licensee, and entitlements.
- Added new latencyUs and latencyNs verbs to both custom access and backend logging.
- Added a new uri verb to custom access logging to log the full request URI, including query strings.
- Added max_call_recv_msg_size to gRPC backend options to set the maximum message size in bytes that the client can receive from the backend.
- Introducing modifier/request-body-extractor component to extract values from the request body and propagate them as headers for later use in the request flow.
- Added support for gRPC reflection, exposing the description of available services and methods to call.
- Backend proxy pipe has been rearranged so request/response body generator modifiers are now applied to components like workflows, middleware plugins, SOAP, and others.
- Improved authentication for Gemini ai/llm provider.
- Upgraded Circuit Breaker library with the latest features, bugs, and security patches.
- The JSON schema library was replaced with a more maintained one, supporting draft-04, draft-06, draft-07, 2019-09 (new), and 2020-12 (new).
- The audit command has new deprecation rules.
- The OpenAPI import command now honors the response examples definitions.
- Fixed router panic (invalid node type) that occurs when disabled_redirect_fixed_path is not enabled and a request path doesn’t match any registered route.
- Fixed a bug in auth/validator that could lead to slow startup times in services with a large number (thousands) of endpoints.
- Removed query strings from path verb in custom access logging to avoid logging sensitive data.
- Fixed a bug that caused Lua pre modifiers to be ignored when combined with CatchAll endpoints.
- Runtime context is now properly propagated to handler, modifier, middleware, and client plugins. This enables controlling service shutdown, among others.
- Upgraded Go to 1.25.8 addressing several CVEs with disclosed descriptions:
  - CVE-2026-27142 html/template: URLs in meta content attribute actions are not escaped (false positive)
  - CVE-2026-25679 net/url: reject IPv6 literal not at start of host
  - CVE-2026-27139 os: FileInfo can escape from a Root
- Upgraded telemetry/opentelemetry component to address CVE-2026-24051.
- OpenCensus no longer instruments PubSub nor JOSE secrets management.
Upgrading to the latest version is always advised.
Happy building! 🐙