DEV Community

Алексей Выродов
Алексей Выродов

Posted on

Cloud-Native API Gateway Comparison - (April 2026)

Latest Versions

AV API GW Tyk Kong Istio Ingress KrakenD Apache APISIX Envoy Gateway
Version v0.9.9 5.11.0 3.13 Ent / 3.9.1 OSS 1.29.1 2.13.3 CE / 2.12.5 EE 3.15.0 1.7.1
Released Apr 2026 Dec 2025 Dec 2025 Mar 2026 Mar 2026 Feb 2026 Mar 2026
Language Go 1.26.1 (gin-gonic) Go Lua/OpenResty (NGINX) Go + C++ (Envoy) Go (Lura framework) Lua/OpenResty (NGINX) Go + C++ (Envoy)
License Apache 2.0 MPL v2.0 + Proprietary Apache 2.0 + Proprietary Apache 2.0 Apache 2.0 + Proprietary Apache 2.0 Apache 2.0
Dependencies None (Redis optional for distributed rate limits/cache) Redis PostgreSQL or DB-less Kubernetes (istiod) None etcd Kubernetes
Config Model CRDs (operator mode, preferred) / Declarative YAML REST API / Dashboard / CRDs REST API / YAML / CRDs Istio CRDs + K8s Gateway API Declarative JSON/YAML REST Admin API / YAML / CRDs K8s Gateway API (native)

Protocol Support

Feature AV API GW Tyk 5.11 Kong 3.13 Istio 1.29 KrakenD 2.13 APISIX 3.15 Envoy GW 1.7
HTTP/HTTPS
gRPC native ✅ Dedicated port, reflection, health, streaming ✅ (EE) ✅ + HTTP↔gRPC transcoding ✅ GRPCRoute
WebSocket ✅ Full proxy + msg routing ✅ (EE)
GraphQL ✅ (proxy) ✅ UDG ✅ REST↔GraphQL
TCP/UDP ✅ TCP ✅ TCP/TLS ✅ TCP ✅ TCP/UDP + MQTT + Dubbo ✅ TCPRoute/UDPRoute
SOAP
SSE / Streaming ✅ HTTP Flusher

Routing & Traffic Management

Feature AV API GW Tyk 5.11 Kong 3.13 Istio 1.29 KrakenD 2.13 APISIX 3.15 Envoy GW 1.7
Path matching (exact/prefix/regex) ✅ radixtree
Header/query matching
Weighted routing / canary ✅ HTTPRoute weights
Load balancing RR, weighted, least-conn, capacity-aware RR, weighted RR, weighted, least-conn, hash RR, random, least-conn, LEAST_REQUEST gRPC RR RR, weighted, least-conn, consistent-hash, ewma RR, random, least-conn, consistent-hash
Circuit breaker ✅ Global + backend ✅ Plugin ✅ DestinationRule ✅ BackendTrafficPolicy
Rate limiting ✅ Token bucket (global/route/backend) ✅ Multiple strategies ✅ Plugin ✅ EnvoyFilter ✅ Multi-layer + bursting ✅ limit-count/conn/req + Redis keepalive ✅ BackendTrafficPolicy
Retry policies ✅ Exp. backoff
Traffic mirroring
Fault injection
Max concurrent sessions ✅ With queueing ✅ (max rate) ✅ limit-conn
Health checking ❌ (stateless) ✅ Active + passive
Service discovery ✅ K8s native ✅ K8s native ✅ K8s native ✅ DNS SRV ✅ DNS/Consul/Nacos/Eureka/K8s ✅ K8s native

Security & Authentication

Feature AV API GW Tyk 5.11 Kong 3.13 Istio 1.29 KrakenD 2.13 APISIX 3.15 Envoy GW 1.7
TLS 1.2/1.3 ✅ SIMPLE/MUTUAL/OPT_MUTUAL
mTLS ✅ Identity extraction Mesh-wide auto ✅ (EE) ✅ BackendTLSPolicy
JWT auth ✅ RS256/ES256/HS256+, JWK Multi-IdP, custom claims ✅ Plugin ✅ RequestAuthentication ✅ SecurityPolicy
API key auth ✅ Hashing, header/query ✅ (EE)
OIDC ✅ Keycloak/Auth0/Okta/Azure ✅ Limited ✅ (EE) ✅ OIDC SecurityPolicy
RBAC / ABAC ✅ JWT claims + CEL ✅ (Ent) ✅ AuthorizationPolicy + dry-run ✅ CEL (EE) ✅ consumer-restriction ✅ AuthorizationPolicy
OPA integration ✅ Plugin ✅ Plugin ✅ ext_authz ✅ opa plugin ✅ ext_authz
HashiCorp Vault Deep: K8s/AppRole/Token/AWS/GCP; PKI; secret injection ✅ Secrets + OAuth2 Vault ✅ Vault secrets (jwt-auth)
Cert auto-renewal ✅ Vault PKI + hot-reload ❌ External ✅ cert-manager ✅ Istio CA ✅ ssl + auto-renewal ✅ cert-manager
SNI multi-tenant ✅ Per-route Vault PKI
Security headers (HSTS, CSP)
CORS ✅ Global + route ✅ (via VirtualService)
FIPS compliance FIPS builds ✅ FIPS 140-2

Data Transformation

Feature AV API GW Tyk 5.11 Kong 3.13 Istio 1.29 KrakenD 2.13 APISIX 3.15 Envoy GW 1.7
Header manipulation
URL rewriting
Body transforms (req/resp) ✅ Templates + field ops ✅ Body + SOAP↔GraphQL ✅ Plugin + Datakit ✅ Go templates + Martian ✅ serverless-pre/post-function
Response field filtering ✅ Allow/deny lists Deny/allow lists (BFF) ✅ response-rewrite
Response aggregation (multi-backend) Deep/shallow/replace merge Native BFF merging
Field mapping/renaming ✅ Field mapping
Field grouping/flattening
Array operations ✅ Sort, filter, deduplicate
gRPC FieldMask
Content negotiation ✅ JSON/XML/YAML ✅ Auto-encoding
Direct responses

Caching

Feature AV API GW Tyk 5.11 Kong 3.13 Istio 1.29 KrakenD 2.13 APISIX 3.15 Envoy GW 1.7
In-memory cache ✅ TTL + max entries ✅ Plugin ✅ LRU cache ✅ proxy-cache
Distributed cache (Redis) ✅ + Cloud Redis
Stale-while-revalidate
Negative caching

Observability

Feature AV API GW Tyk 5.11 Kong 3.13 Istio 1.29 KrakenD 2.13 APISIX 3.15 Envoy GW 1.7
Prometheus metrics ✅ Route-based ✅ Tyk Pump ✅ + OTel native Compressed endpoint
OpenTelemetry ✅ Tracing Trace IDs in logs Metrics+Logs+Traces ✅ Deep, native
Structured logging ✅ JSON + console ✅ + request_id in logs
Health/ready/live probes
Analytics dashboard ✅ Grafana ✅ Dashboard ✅ Konnect ✅ Kiali, Grafana ✅ APISIX Dashboard
Access logs

Deployment & Operations

Feature AV API GW Tyk 5.11 Kong 3.13 Istio 1.29 KrakenD 2.13 APISIX 3.15 Envoy GW 1.7
Docker ✅ + FIPS ✅ Official image
Kubernetes / Helm ✅ Helm chart + Operator with CRDs ✅ Tyk Operator ✅ KIC ✅ Native ✅ Ingress Controller 2.0 ✅ Native
DB-less / stateless ✅ (Redis optional for distributed) ❌ (Redis) Fully stateless ✅ Standalone YAML
Hot config reload ✅ Atomic ✅ (dev image) ✅ Hot plugins
Hybrid CP/DP ✅ Multi-cluster
SaaS / Managed ✅ Tyk Cloud ✅ Konnect ✅ GKE/AKS ❌ (API7 Cloud)
Plugin system ✅ Go/Python/JS/gRPC ✅ Lua/Go/JS/WASM ✅ EnvoyFilter/WASM ✅ Go plugins ✅ Lua/Go/Java/Python/WASM ✅ EnvoyExtension/WASM
K8s Ingress Controller Operator with CRDs ✅ Tyk Operator (Ingress) ✅ Kong Ingress Controller ✅ Istio Ingress Gateway ✅ APISIX Ingress Controller 2.0 ✅ (via Gateway API)
Developer portal
Multi-platform ✅ Linux/macOS ✅ Linux ✅ Linux/macOS/Docker ✅ Linux/macOS/ARM64 ✅ Linux

Performance Profile

AV API GW Tyk Kong Istio KrakenD APISIX Envoy GW
Reported throughput N/A Thousands rps/CPU Millions rps (NGINX) High (Envoy) 70K+ rps/instance 18K+ QPS single core High (Envoy)
Memory footprint Low (Go binary) Moderate (+ Redis) Moderate (NGINX) Moderate (Envoy) <100MB at high traffic Low (NGINX) Moderate (Envoy)
Architecture Single binary + optional Redis Gateway + Redis NGINX + optional DB Envoy + istiod Single binary, zero deps NGINX + etcd Envoy + controller

Cost Model

Solution Free / OSS Commercial
AV API GW Fully free (Apache 2.0) N/A
Tyk Gateway OSS (MPL v2.0) Dashboard/Portal/Operator require license
Kong OSS 3.9.1 (Apache 2.0) Konnect ~$105/svc/mo + ~$34.25/1M req
Istio Fully free (Apache 2.0) Cloud provider managed add-ons
KrakenD CE fully free (Apache 2.0) EE flat-rate (unlimited requests/APIs)
APISIX Fully free (Apache 2.0) API7 Cloud (commercial support)
Envoy Gateway Fully free (Apache 2.0) Solo.io Gloo (commercial)

Key Differentiators

AV API Gateway

  • Deepest HashiCorp Vault integration of any gateway (multi-auth, PKI lifecycle, secret injection, SNI certs)
  • Richest data transformation: response merging, field grouping/flattening, array ops, gRPC FieldMask — unique capabilities
  • Advanced caching: stale-while-revalidate, negative caching
  • Kubernetes Operator with CRDs as the preferred config model, plus standalone YAML mode
  • Minimal dependencies — single binary, Redis optional (distributed rate limits / cache only)
  • Gaps: No plugin system

Tyk

  • Full API lifecycle platform with Dashboard, Portal, Analytics
  • Multi-IdP JWT in single config (5.11) — Keycloak + Okta + Auth0 simultaneously
  • FIPS builds for regulated environments
  • Universal Data Graph for GraphQL federation
  • Gaps: Requires Redis, no native Vault, limited transformation

Kong

  • Largest plugin ecosystem (100+), biggest community
  • PCI DSS 4.0 attestation (Konnect/Cloud Gateways)
  • DataKit orchestration for complex API workflows
  • Event Gateway (Kafka integration)
  • Gaps: Many features Enterprise-only, pricing escalates at scale, limited BFF/aggregation

Istio Ingress

  • Automatic mesh-wide mTLS — no other gateway provides this
  • Unified east-west + north-south traffic management
  • Ambient mesh maturing fast (DNS, nftables, multi-network beta)
  • Gaps: K8s-only, no caching/transformation/portal, steep learning curve

KrakenD

  • Best BFF/aggregation pattern alongside avapigw — native multi-backend merging, field filtering
  • Highest per-instance throughput: 70K+ rps, <100MB RAM
  • Truly stateless — zero coordination between nodes, linear scaling
  • Flat-rate pricing (EE) — no per-request costs
  • Gaps: No K8s Ingress Controller, no health checking (by design), no weighted routing

Apache APISIX

  • Richest service discovery: DNS, Consul, Nacos, Eureka, K8s
  • Broadest L4 protocol support: TCP, UDP, MQTT, Dubbo
  • Multi-language plugins: Lua, Go, Java, Python, WASM
  • Fully dynamic — hot plugin loading without restart
  • Gaps: Requires etcd, dashboard development stalled

Envoy Gateway

  • Reference Kubernetes ingress implementation based on Envoy proxy
  • Lightweight with extensibility via EnvoyPatchPolicy and WASM
  • Ideal for teams migrating from Ingress-NGINX (ingress2gateway support)
  • Gaps: Young project, no built-in caching/transformation/portal, K8s-only

Summary Scorecard (1–5)

Dimension AV API GW Tyk 5.11 Kong 3.13 Istio 1.29 KrakenD 2.13 APISIX 3.15 Envoy GW 1.7
Feature breadth ★★★★☆ ★★★★★ ★★★★★ ★★★☆☆ ★★★☆☆ ★★★★★ ★★★☆☆
Data transformation ★★★★★ ★★★☆☆ ★★★☆☆ ★☆☆☆☆ ★★★★☆ ★★☆☆☆ ★☆☆☆☆
BFF / aggregation ★★★★★ ★☆☆☆☆ ★☆☆☆☆ ★☆☆☆☆ ★★★★★ ★☆☆☆☆ ★☆☆☆☆
Vault integration ★★★★★ ★★☆☆☆ ★★★☆☆ ★☆☆☆☆ ★☆☆☆☆ ★★☆☆☆ ★☆☆☆☆
gRPC depth ★★★★★ ★★★☆☆ ★★★☆☆ ★★★★☆ ★★★☆☆ ★★★★☆ ★★★★☆
Plugin ecosystem ★☆☆☆☆ ★★★★☆ ★★★★★ ★★★☆☆ ★★★☆☆ ★★★★★ ★★☆☆☆
K8s Ingress / Operator ★★★★☆ ★★★★☆ ★★★★★ ★★★★★ ★☆☆☆☆ ★★★★☆ ★★★★★
Performance / efficiency ★★★★☆ ★★★☆☆ ★★★★☆ ★★★☆☆ ★★★★★ ★★★★★ ★★★★☆
Operational maturity ★★★☆☆ ★★★★★ ★★★★★ ★★★★★ ★★★★☆ ★★★★☆ ★★★☆☆
Ease of setup ★★★★☆ ★★★☆☆ ★★★☆☆ ★★☆☆☆ ★★★★★ ★★★★☆ ★★★☆☆
Cost efficiency ★★★★★ ★★★☆☆ ★★★☆☆ ★★★★★ ★★★★★ ★★★★★ ★★★★★

Based on official documentation, release notes, and publicly available information as of April 2, 2026.

Top comments (0)