Kong Gateway

502 Despite Healthy Upstream

critical
reliability

Updated Sep 7, 2025

Kong returns 502 Bad Gateway errors even when backend services are healthy. Causes include connection limits, DNS failures, network timeouts, or health check misconfigurations that incorrectly mark upstreams as down.

How to detect:

Monitor 502 response count, upstream health check status, and connection pool utilization. If 502s occur while backend service health checks pass, the issue is in Kong's connectivity layer. Check Kong error logs for connection refused, DNS resolution failure, or timeout messages.
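
The log check described above, as an added example that is not from the original page or from Kong: a Python triage script that groups error-log lines by failure cause and upstream address. The message patterns and the sample lines are assumptions modeled on common nginx error-log wording, and the `closed_by_upstream` label is a hypothetical category for backends that drop connections.

```python
import re
from collections import Counter

# Message patterns are assumptions based on common nginx/OpenResty error
# wording; confirm them against the lines your Kong version actually writes.
CAUSES = [
    ("connection_refused", re.compile(r"Connection refused")),
    ("dns_failure", re.compile(r"DNS resolution failed|name resolution failed", re.I)),
    ("timeout", re.compile(r"upstream timed out")),
    ("closed_by_upstream", re.compile(r"upstream prematurely closed connection")),
]
# Captures host:port from the upstream field of an nginx error line.
UPSTREAM = re.compile(r'upstream: "https?://([^/"]+)')

# Constructed sample lines in nginx error-log layout (not from a real system).
SAMPLE_LOG = """\
2025/09/07 10:15:01 [error] 1234#0: *5678 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.5, server: kong, request: "GET /orders HTTP/1.1", upstream: "http://10.0.1.20:8080/orders", host: "api.example.test"
2025/09/07 10:15:02 [error] 1234#0: *5679 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.6, server: kong, request: "GET /orders HTTP/1.1", upstream: "http://10.0.1.20:8080/orders", host: "api.example.test"
2025/09/07 10:15:03 [error] 1234#0: *5680 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.5, server: kong, request: "GET /carts HTTP/1.1", upstream: "http://10.0.1.21:8080/carts", host: "api.example.test"
2025/09/07 10:15:04 [error] 1234#0: *5681 [lua] DNS resolution failed: dns server error: 3 name error, client: 10.0.0.5, server: kong, request: "GET /users HTTP/1.1", host: "api.example.test"
2025/09/07 10:15:05 [error] 1234#0: *5682 upstream prematurely closed connection while reading response header from upstream, client: 10.0.0.7, server: kong, request: "GET /orders HTTP/1.1", upstream: "http://10.0.1.20:8080/orders", host: "api.example.test"
2025/09/07 10:15:06 [notice] 1234#0: signal process started
""".splitlines()


def classify(line):
    """Return the first matching cause label, or None for unrelated lines."""
    for cause, pattern in CAUSES:
        if pattern.search(line):
            return cause
    return None


def summarize(lines):
    """Count (cause, upstream host:port) pairs; '-' when no upstream is logged."""
    counts = Counter()
    for line in lines:
        cause = classify(line)
        if cause is None:
            continue
        match = UPSTREAM.search(line)
        counts[(cause, match.group(1) if match else "-")] += 1
    return counts


if __name__ == "__main__":
    for (cause, upstream), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {cause:20s} {upstream}")
```

A cause concentrated on one upstream address points at that target or its connection limits, while DNS failures with no upstream address point at the resolver configuration.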

Recommended action:

Verify that the upstream service's connection limits aren't exceeded by Kong's connection pooling. Check DNS resolution with /etc/resolv.conf in Kong containers; use IP addresses as a workaround. Reduce Kong timeout settings if backends drop idle connections faster than the default 60s. Review health check configuration for false negatives that mark healthy upstreams as down.