Bobur Umurzokov for Apache APISIX

Overview of Apache APISIX API Gateway Plugins

Nowadays the role of an API (application programming interface) gateway in building large-scale, cloud-native microservices APIs is becoming very important in every aspect of product development. An API gateway takes over traffic management concerns, allowing your microservices to focus on delivering the new features and functionality at hand. Plugins are the core mechanism of an API gateway: by using them, we can create high-performance systems under tight deadlines and handle new requirements in a more centralized way. Apache APISIX exposes a set of interfaces that allow us to bind plugins to the API. Let's walk through some commonly used plugins.
Some commonly used plugins

Authentication Plugin Example

The API authentication process validates the identity of the client attempting to make a connection by using an authentication protocol. The traditional model of identity control in a monolithic application was simple: you figure out who the caller is, then pass the credential information to other layers when the API is called and store user information in a data repository.

If the same technique were to be applied to individual microservices, it would be extremely inefficient and time consuming. Having an independent security barrier — or request handler — for each service to authenticate identity is unnecessary. This would involve calling an Authentication Service to populate the object to handle the request and respond in every single instance.

On the other hand, a modern API Gateway acts as a single entry point and can apply many different authentication mechanisms by default including HTTP Basic Auth, API Keys based Auth, OAuth 2.0, OpenID Connect or JWT to validate the token on behalf of your API, so a developer does not have to add any code in your API to process the authentication.

The JWT (JSON Web Token) plugin is one strategy for API gateway authentication. JWT simplifies authentication setup, allowing you to focus more on coding and less on security.
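To make concrete what "validating the token on behalf of your API" involves, here is an added Python example (not code from the article or from Apache APISIX) of the checks a gateway-side HS256 verifier has to perform before a request reaches the upstream. The consumer lookup through a `key` claim, the secret and the sample token are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(claims, secret):
    """Mint a constructed sample token so the verifier has input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"

def verify_hs256(token, secrets_by_key, now=None):
    """Return (True, claims) on success, otherwise (False, reason)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm: the header is client-supplied input.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # Assumption: a "key" claim names the consumer whose secret applies.
    key = claims.get("key")
    secret = secrets_by_key.get(key) if isinstance(key, str) else None
    if secret is None:
        return False, "unknown consumer key"
    mac = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(signature, mac.digest()):  # constant-time compare
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return False, "expired or missing exp"
    return True, claims

if __name__ == "__main__":
    SECRETS = {"user-key": b"constructed-demo-secret"}  # constructed sample data
    token = sign_hs256({"key": "user-key", "exp": int(time.time()) + 60}, SECRETS["user-key"])
    print(verify_hs256(token, SECRETS))
```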

Security Plugin Example

API security refers to the practice of preventing or mitigating attacks on APIs. In our modern era, API security has become increasingly important. There are many API security best practices such as making use of TLS encryption, setting API Firewalls, validating request data, throttling for protection, continuously monitoring, auditing, logging or a dedicated API Gateway deployment where you can secure the API traffic from beginning to end.

Also, IP Restrictions can be enabled for security reasons, wherein, the users will be allowed to login only from a range of IP addresses as defined by the system or administrators. If the user tries to log in outside the allowed range, the system throws an error, and login will not be possible.

The IP Restriction plugin restricts access to a service or a route by either whitelisting or blacklisting IP addresses. Single IPs, multiple IPs or ranges in CIDR notation like can be used.
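The allow/deny decision described above can be modelled in a few lines. This added Python example is not APISIX's implementation; the class name, the fail-closed handling of unparseable addresses and the IPv4-mapped IPv6 normalisation are assumptions of the sketch, and the addresses come from documentation ranges.

```python
import ipaddress

def parse_rules(entries):
    """Accept single IPs and CIDR ranges; strict=False tolerates host bits (10.0.0.5/24)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]

class IpRestriction:
    """Hypothetical model of an 'either whitelist or blacklist' policy."""

    def __init__(self, whitelist=None, blacklist=None):
        if bool(whitelist) == bool(blacklist):
            raise ValueError("configure exactly one of whitelist or blacklist")
        self.allow_mode = bool(whitelist)
        self.rules = parse_rules(whitelist or blacklist)

    def permits(self, client_ip):
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # unparseable address: fail closed in both modes
        # ::ffff:a.b.c.d is the same host as a.b.c.d; compare on the IPv4 form
        # so an IPv4 rule cannot be sidestepped by the IPv6 spelling.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        matched = any(addr in net for net in self.rules)
        return matched if self.allow_mode else not matched

if __name__ == "__main__":
    # Constructed sample rules using documentation address ranges.
    office = IpRestriction(whitelist=["127.0.0.1", "192.0.2.0/24", "2001:db8::/32"])
    for ip in ["192.0.2.77", "198.51.100.9", "::ffff:192.0.2.77", "not-an-ip"]:
        print(ip, "->", "allow" if office.permits(ip) else "reject")
```

Whichever mode is used, the decision is only as good as the client address the gateway sees, so the address must be taken from a trusted source when the gateway sits behind another proxy or load balancer.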

Traffic Control Plugin Example

The quantity and quality of API traffic both reflect and affect the quantity and quality of the company's business growth. This means that managing the business requires an understanding of the data types and meaning of your API traffic.

API traffic management can improve the overall visibility of your system and allow you to better understand just what is going on throughout your organization. And, after you have a better sense of your system’s activities, you’ll have an opportunity to use that information to solve problems directly.

With the help of API Gateway, you can set automatic retries, timeouts, circuit breakers or rate limiting. Rate limiting is a strategy for limiting network traffic. It puts a cap on how often someone can repeat an action within a certain timeframe – for instance, trying to log into an account.

The limit count plugin is one type of request-limiting plugin. It limits the request rate to a fixed number of requests in a given time window, that is, how many HTTP requests can be made in a given period of seconds, minutes, hours, days, months, or years.
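A fixed window has one property worth seeing in numbers: a client can spend its whole quota at the end of one window and again at the start of the next. The added Python model below (not APISIX code) shows this; the names `count` and `time_window`, the per-key window that starts at the first request, and the timestamps are assumptions constructed for the example.

```python
class FixedWindowLimiter:
    """Model of 'at most `count` requests per `time_window` seconds' per key."""

    def __init__(self, count, time_window):
        self.count = count
        self.time_window = time_window
        self._state = {}  # key -> (window_start, requests_used)

    def allow(self, key, now):
        """Return (allowed, remaining_quota) for one request at time `now`."""
        start, used = self._state.get(key, (now, 0))
        if now >= start + self.time_window:  # window expired: start a fresh one
            start, used = now, 0
        if used >= self.count:
            return False, 0
        self._state[key] = (start, used + 1)
        return True, self.count - used - 1

def replay(limiter, key, timestamps):
    """Return the timestamps the limiter accepted for `key`."""
    return [t for t in timestamps if limiter.allow(key, t)[0]]

def peak_in_any_span(accepted, span):
    """Largest number of accepted requests inside any `span`-second interval."""
    return max((sum(1 for u in accepted if t <= u < t + span) for t in accepted),
               default=0)

def boundary_burst_demo():
    # Constructed traffic: one early request, then a burst straddling t=60.
    limiter = FixedWindowLimiter(count=3, time_window=60)
    accepted = replay(limiter, "198.51.100.7", [0, 58, 59, 59.5, 60, 60.5, 61, 61.5])
    return accepted, peak_in_any_span(accepted, 60)

if __name__ == "__main__":
    accepted, peak = boundary_burst_demo()
    print("accepted at:", accepted)
    print("most requests accepted within any 60 s:", peak, "(configured count: 3)")
```

When the upstream cannot tolerate such bursts, size `count` with this in mind or pair the counter with a limiter that smooths the request rate.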

Monitoring Plugin Example

API monitoring is the process of collecting and analyzing data about the performance of an API in order to identify problems that impact users. If an application is running slowly, you must first understand the cause before you can correct it. Modern applications use many independent microservices instead of a few large ones, and one poor-performing service can adversely impact the overall performance of an application. In addition, isolating a single poor-performing service among hundreds can be a challenge unless proper monitoring is in place. This makes API monitoring and measuring API performance a crucial practice for modern multi-cloud environments.

The Prometheus plugin can fetch API metrics data, and you can show the metrics exported by the plugin in Grafana.

Observability Plugin Example

API observability is the ability to understand system behavior and investigate the interactions between an application's components. It provides comprehensive and actionable insights on top of monitored application data, enabling faster API iteration, more confident change management, and production readiness.

HTTP logger is a plugin that pushes request log data to HTTP/HTTPS servers or sends it as JSON objects to monitoring tools.

Serverless Plugin Example

Serverless is a cloud-native development model that allows developers to build and run applications without having to manage servers.

Apache APISIX offers two plugins for serverless, namely serverless-pre-function and serverless-post-function. The former runs at the beginning of the specified phase, while the latter runs at the end of the specified phase.

Breaking Down Other Plugins

When using Apache APISIX, you will come across multiple types of plugins. It currently has more than 50 built-in plugins broken down into several categories, as we have seen. They cover authentication, security, transformation, traffic control, serverless, observability, and other aspects to meet the common usage scenarios of all customers.

Here is an outline of some of the available plugins; more are listed on the official Apache APISIX website:


  • Basic Authentication (basic-auth) – Add basic authentication to your API service or a route.
  • Key Authentication (key-auth) – Add key authentication to your API service and a route.
  • Forward Authentication (forward-auth) – Implements a classic external authentication model. We can implement a custom error return or user redirection to the authentication page if the authentication fails.
  • OpenID Connect (openid-connect) – Integrate Apache APISIX with a third-party OpenID Connect.
  • HMAC Authentication (hmac-auth) – Add HMAC authentication to your APIs.
  • LDAP Authentication (ldap-auth) – Integrate APISIX with an LDAP server.


  • CORS – Enable CORS easily to allow developers to make requests from the browser.
  • URI Blocker (uri-blocker) – Intercepts user requests and blocks URI resources.
  • Consumer Restriction (consumer-restriction) – Applies access restrictions to your services or routes based on the selected users.
  • CSRF – Protects your API from CSRF attacks, based on the Double Submit Cookie technique.


  • OpenTelemetry – Reports tracing data according to the OpenTelemetry specification.
  • Datadog – Monitoring plugin built into Apache APISIX for seamless integration with Datadog.
  • Skywalking – Provides tracing, topology analysis, and metrics from services.
  • TCP Logger (tcp-logger) – Sends request and response logs to a TCP server.
  • UDP Logger (udp-logger) – Sends request and response logs to a UDP server.
  • HTTP Logger (http-logger) – Sends request log data as JSON objects to monitoring tools and other HTTP servers.
  • Kafka Logger (kafka-logger) – Provides the ability to push request log data as JSON objects to your external Kafka clusters.

Traffic Control


  • Response Rewrite (response-rewrite) – Rewrites the response content returned by the upstream as well as by Apache APISIX itself.
  • Proxy Rewrite (proxy-rewrite) – Upstream proxy information rewriting plugin.
  • GRPC WEB (grpc-web) – Proxy plugin used to process gRPC Web client requests to a gRPC server.
  • Mocking – Returns random mock data in the specified format; the request is no longer forwarded to the upstream.


Plugin Orchestration

Sometimes your service requires you to use many plugins together or to create custom plugins in addition to those Apache APISIX provides. It offers a solution for each of these cases: plugin orchestration, and a plugin runtime for developing custom plugins.

Plugin orchestration is a form of low-code that can help enterprises automate development, reduce usage costs and increase operation and maintenance efficiency. With the plugin orchestration capability in the low-code API gateway Apache APISIX, we can easily orchestrate 50+ plugins in a “drag-and-drop” way, and the orchestrated plugins can share contextual information to realize scenario-based requirements.

Plugin development

During technological selection, the most important consideration for the development team is whether the chosen product matches the team’s technology stack. Apache APISIX has been supporting customized plugins since the day it was born. With Apache APISIX we can write custom plugins in a programming language we are familiar with, including Go, Python, Java, JavaScript, Lua, PHP and more.


In this post, we learnt that Apache APISIX Plugins are additional components that can be plugged into your API Gateway, walked through some plugins and now we know that plugins can be customized and orchestrated to exactly fit your needs and your technical constraints.

Top comments (1)

Khurshidbek Kobilov

Great job, very understandable article. Keep going!
