An open-source API gateway sits between clients and backend services, handling routing, authentication, rate limiting, and observability. Apache APISIX, Kong, Envoy, and Traefik are among the most widely adopted options, each with distinct architectural decisions that affect performance, extensibility, and operational complexity.
Why the Choice of API Gateway Matters#
Organizations running microservices at scale route millions of requests per day through their gateway layer. The gateway you choose determines your latency floor, plugin flexibility, and how much operational overhead your platform team absorbs.
Choosing poorly means rearchitecting under pressure. Choosing well means a gateway that scales with your traffic for years without becoming a bottleneck.
Feature Comparison Table#
| Feature | Apache APISIX | Kong | Envoy | Traefik |
|---|---|---|---|---|
| Language | Lua (NGINX + LuaJIT) | Lua (NGINX + LuaJIT) | C++ | Go |
| Configuration Store | etcd | PostgreSQL / Cassandra | xDS API (control plane) | File / KV stores |
| Admin API | RESTful, fully dynamic | RESTful | xDS gRPC | REST + dashboard |
| Hot Reload | Yes, sub-millisecond | Partial (DB polling) | Yes (xDS push) | Yes (provider watch) |
| Plugin Count | 100+ built-in | 60+ bundled (more in Hub) | ~30 HTTP filters | ~30 middlewares |
| Plugin Languages | Lua, Java, Go, Python, Wasm | Lua, Go (PDK) | C++, Wasm | Go (middleware) |
| gRPC Proxying | Native | Supported | Native | Supported |
| HTTP/3 (QUIC) | Supported | Experimental | Supported | Supported |
| Dashboard | Built-in (APISIX Dashboard) | Kong Manager (Enterprise) | None (third-party) | Built-in |
| License | Apache 2.0 | Apache 2.0 (OSS) / Proprietary (Enterprise) | Apache 2.0 | MIT |
Note: Feature details are based on each project's official documentation as of early 2026. Check the respective project sites for the latest status.
Detailed Breakdown#
Apache APISIX#
Apache APISIX is built on NGINX and LuaJIT, using etcd as its configuration store. This architecture eliminates database dependencies on the data path: route changes propagate to every gateway node within milliseconds without restarts or reloads.
The plugin ecosystem includes over 100 built-in options spanning authentication (JWT, key-auth, OpenID Connect), traffic management (rate limiting, circuit breaking), observability (Prometheus, Zipkin, OpenTelemetry), and transformation (request/response rewriting, gRPC transcoding). Developers can write custom plugins in Lua, Go, Java, Python, or WebAssembly, making it one of the most polyglot gateway runtimes available.
APISIX supports the Kubernetes Ingress Controller pattern natively. The APISIX Ingress Controller watches Kubernetes resources and translates them into APISIX routing configuration, enabling declarative GitOps workflows while preserving the full plugin surface.
As an Apache Software Foundation top-level project, APISIX is community-governed and vendor-neutral.
Kong#
Kong is the longest-established open-source API gateway, with a mature commercial ecosystem. It shares the NGINX + LuaJIT foundation with APISIX but relies on PostgreSQL or Cassandra as its configuration store. This architectural choice introduces a database dependency for configuration storage, which adds operational complexity for HA deployments.
Kong's plugin hub offers approximately 60 bundled plugins in the open-source edition, with additional enterprise-only plugins for advanced features like OAuth2 introspection and advanced rate limiting. The Go Plugin Development Kit (PDK) allows extending Kong in Go, though Lua remains the primary plugin language.
Kong has a strong enterprise support ecosystem with commercial offerings (Kong Gateway Enterprise, Kong Konnect) and a large user community.
Envoy#
Envoy is a high-performance C++ proxy originally built at Lyft, now a CNCF graduated project. It excels as a service mesh data plane and is the foundation for Istio, AWS App Mesh, and other mesh implementations.
Envoy's configuration model uses the xDS (discovery service) API, a gRPC-based protocol that pushes configuration updates from a control plane. This design is powerful but means Envoy does not function as a standalone gateway without a control plane component. Organizations adopting Envoy as an edge gateway typically pair it with a control plane like Gloo Edge or similar tools.
The filter chain model supports around 30 built-in HTTP filters. Custom extensions require C++ or WebAssembly, raising the barrier for teams without C++ expertise. Envoy is most commonly deployed as a sidecar proxy within a service mesh, though it is also used as an edge proxy.
Traefik#
Traefik is written in Go and designed for automatic service discovery. It integrates natively with Docker, Kubernetes, Consul, and other orchestrators, automatically detecting new services and generating routes without manual configuration. This auto-discovery model makes Traefik popular for development environments and smaller-scale production deployments.
Traefik includes built-in Let's Encrypt integration for automatic TLS certificate provisioning, a feature that requires additional tooling in other gateways. Its middleware system offers approximately 30 built-in options covering authentication, rate limiting, headers manipulation, and circuit breaking.
Traefik has a large community and is widely used in Docker-native environments.
Performance Considerations#
Performance varies significantly based on configuration, plugin chains, TLS termination, and upstream complexity. When evaluating gateways, run your own benchmarks with your actual workload patterns rather than relying on vendor-published numbers.
Key factors that affect gateway performance:
- Architecture: C++ and LuaJIT-based gateways (Envoy, APISIX, Kong) generally achieve lower latency than pure Go implementations
- Configuration store: Gateways that avoid database queries on the data path (APISIX, Envoy) tend to have more consistent latency
- Plugin overhead: Each active plugin adds processing time. Test with your actual plugin chain enabled
- Connection handling: The NGINX event-driven model (APISIX, Kong) handles high concurrency efficiently
We recommend benchmarking the specific gateways you are considering with a representative workload on hardware similar to your production environment.
When to Choose Which#
Choose Apache APISIX when you need a large built-in plugin ecosystem, fully dynamic configuration without restarts, multi-language plugin support, and no database dependency. It suits teams building platform-grade API infrastructure. See the getting started guide to evaluate it hands-on.
Choose Kong when you are operating in an enterprise environment with existing Kong deployments, need commercial support, or require specific enterprise-only plugins. Kong's maturity means more third-party integrations and consultants are available.
Choose Envoy when your primary use case is a service mesh data plane, you need advanced load balancing algorithms, or you are already running Istio or a similar mesh. Envoy is less suited as a standalone edge gateway due to its control plane dependency.
Choose Traefik when auto-discovery and zero-configuration routing are priorities, or you need built-in Let's Encrypt integration without additional tooling. Traefik excels in Docker-native and small-to-medium Kubernetes environments.
Migration Considerations#
Migrating between gateways is nontrivial and typically requires careful planning. Key factors include:
- Plugin compatibility: Not all plugins have equivalents across gateways. Audit your active plugins and identify gaps before migrating.
- Configuration translation: Each gateway uses a different configuration format. Automated translation tools can help but manual verification is essential.
- Operational tooling: Monitoring dashboards, CI/CD pipelines, and alerting rules need updating.
- Canary approach: Running both gateways in parallel behind a load balancer and shifting traffic gradually is the safest migration strategy.
Frequently Asked Questions#
Is Apache APISIX production-ready for enterprise workloads?#
Yes. Apache APISIX is an Apache Software Foundation top-level project used in production by organizations worldwide. The etcd-backed architecture provides high availability without single points of failure when deployed with an etcd cluster.
Can I migrate from Kong to APISIX without downtime?#
A zero-downtime migration is achievable using a canary deployment approach: run both gateways in parallel behind a load balancer, gradually shifting traffic from Kong to APISIX as you validate route-by-route equivalence. APISIX supports most Kong plugin equivalents natively, and the Admin API allows automated route provisioning during migration.
How do open-source API gateways compare to cloud-managed options like AWS API Gateway?#
Cloud-managed gateways trade control for convenience. They handle infrastructure operations but impose vendor lock-in, per-request pricing that grows with traffic volume, and limited plugin customization. Open-source gateways like APISIX provide full control over the data plane, support multi-cloud and hybrid deployments, and eliminate per-request platform fees.
Which gateway has the best Kubernetes support?#
All four gateways support Kubernetes, but the depth varies. APISIX and Kong offer dedicated ingress controllers with CRD-based configuration. Envoy integrates through the Kubernetes Gateway API and service mesh deployments. Traefik auto-discovers Kubernetes services natively. The emerging Kubernetes Gateway API standard is supported by all four projects to varying degrees, and is becoming the recommended approach for new deployments.