DEV Community: Алексей Выродов

Cloud-Native API Gateway Comparison - (April 2026)

Алексей Выродов — Thu, 02 Apr 2026 10:51:56 +0000

Latest Versions

	AV API GW	Tyk	Kong	Istio Ingress	KrakenD	Apache APISIX	Envoy Gateway
Version	v0.9.9	5.11.0	3.13 Ent / 3.9.1 OSS	1.29.1	2.13.3 CE / 2.12.5 EE	3.15.0	1.7.1
Released	Apr 2026	Dec 2025	Dec 2025	Mar 2026	Mar 2026	Feb 2026	Mar 2026
Language	Go 1.26.1 (gin-gonic)	Go	Lua/OpenResty (NGINX)	Go + C++ (Envoy)	Go (Lura framework)	Lua/OpenResty (NGINX)	Go + C++ (Envoy)
License	Apache 2.0	MPL v2.0 + Proprietary	Apache 2.0 + Proprietary	Apache 2.0	Apache 2.0 + Proprietary	Apache 2.0	Apache 2.0
Dependencies	None (Redis optional for distributed rate limits/cache)	Redis	PostgreSQL or DB-less	Kubernetes (istiod)	None	etcd	Kubernetes
Config Model	CRDs (operator mode, preferred) / Declarative YAML	REST API / Dashboard / CRDs	REST API / YAML / CRDs	Istio CRDs + K8s Gateway API	Declarative JSON/YAML	REST Admin API / YAML / CRDs	K8s Gateway API (native)

Protocol Support

Feature	AV API GW	Tyk 5.11	Kong 3.13	Istio 1.29	KrakenD 2.13	APISIX 3.15	Envoy GW 1.7
HTTP/HTTPS	✅	✅	✅	✅	✅	✅	✅
gRPC native	✅ Dedicated port, reflection, health, streaming	✅	✅	✅	✅ (EE)	✅ + HTTP↔gRPC transcoding	✅ GRPCRoute
WebSocket	✅ Full proxy + msg routing	✅	✅	✅	✅ (EE)	✅	✅
GraphQL	✅ (proxy)	✅ UDG	✅	❌	✅ REST↔GraphQL	❌	❌
TCP/UDP	❌	✅ TCP	✅ TCP/TLS	✅ TCP	❌	✅ TCP/UDP + MQTT + Dubbo	✅ TCPRoute/UDPRoute
SOAP	❌	✅	✅	❌	❌	❌	❌
SSE / Streaming	✅ HTTP Flusher	✅	✅	✅	✅	✅	✅

Routing & Traffic Management

Feature	AV API GW	Tyk 5.11	Kong 3.13	Istio 1.29	KrakenD 2.13	APISIX 3.15	Envoy GW 1.7
Path matching (exact/prefix/regex)	✅	✅	✅	✅	✅	✅ radixtree	✅
Header/query matching	✅	✅	✅	✅	✅	✅	✅
Weighted routing / canary	✅	✅	✅	✅	❌	✅	✅ HTTPRoute weights
Load balancing	RR, weighted, least-conn, capacity-aware	RR, weighted	RR, weighted, least-conn, hash	RR, random, least-conn, LEAST_REQUEST gRPC	RR	RR, weighted, least-conn, consistent-hash, ewma	RR, random, least-conn, consistent-hash
Circuit breaker	✅ Global + backend	✅	✅ Plugin	✅ DestinationRule	✅	✅	✅ BackendTrafficPolicy
Rate limiting	✅ Token bucket (global/route/backend)	✅ Multiple strategies	✅ Plugin	✅ EnvoyFilter	✅ Multi-layer + bursting	✅ limit-count/conn/req + Redis keepalive	✅ BackendTrafficPolicy
Retry policies	✅ Exp. backoff	✅	✅	✅	✅	✅	✅
Traffic mirroring	✅	❌	✅	✅	❌	✅	✅
Fault injection	✅	❌	❌	✅	❌	✅	❌
Max concurrent sessions	✅ With queueing	✅	✅	✅	✅ (max rate)	✅ limit-conn	✅
Health checking	✅	✅	✅	✅	❌ (stateless)	✅ Active + passive	✅
Service discovery	✅ K8s native	✅ K8s native	✅	✅ K8s native	✅ DNS SRV	✅ DNS/Consul/Nacos/Eureka/K8s	✅ K8s native

Security & Authentication

Feature	AV API GW	Tyk 5.11	Kong 3.13	Istio 1.29	KrakenD 2.13	APISIX 3.15	Envoy GW 1.7
TLS 1.2/1.3	✅ SIMPLE/MUTUAL/OPT_MUTUAL	✅	✅	✅	✅	✅	✅
mTLS	✅ Identity extraction	✅	✅	✅ Mesh-wide auto	✅ (EE)	✅	✅ BackendTLSPolicy
JWT auth	✅ RS256/ES256/HS256+, JWK	✅ Multi-IdP, custom claims	✅ Plugin	✅ RequestAuthentication	✅	✅	✅ SecurityPolicy
API key auth	✅ Hashing, header/query	✅	✅	❌	✅ (EE)	✅	❌
OIDC	✅ Keycloak/Auth0/Okta/Azure	✅	✅	✅ Limited	✅ (EE)	✅	✅ OIDC SecurityPolicy
RBAC / ABAC	✅ JWT claims + CEL	✅	✅ (Ent)	✅ AuthorizationPolicy + dry-run	✅ CEL (EE)	✅ consumer-restriction	✅ AuthorizationPolicy
OPA integration	✅	✅ Plugin	✅ Plugin	✅ ext_authz	❌	✅ opa plugin	✅ ext_authz
HashiCorp Vault	✅ Deep: K8s/AppRole/Token/AWS/GCP; PKI; secret injection	❌	✅ Secrets + OAuth2 Vault	❌	❌	✅ Vault secrets (jwt-auth)	❌
Cert auto-renewal	✅ Vault PKI + hot-reload	❌ External	✅ cert-manager	✅ Istio CA	❌	✅ ssl + auto-renewal	✅ cert-manager
SNI multi-tenant	✅ Per-route Vault PKI	❌	✅	✅	✅	✅	✅
Security headers (HSTS, CSP)	✅	✅	✅	❌	✅	✅	❌
CORS	✅ Global + route	✅	✅	✅ (via VirtualService)	✅	✅	✅
FIPS compliance	❌	✅ FIPS builds	✅ FIPS 140-2	❌	❌	❌	❌

Data Transformation

Feature	AV API GW	Tyk 5.11	Kong 3.13	Istio 1.29	KrakenD 2.13	APISIX 3.15	Envoy GW 1.7
Header manipulation	✅	✅	✅	✅	✅	✅	✅
URL rewriting	✅	✅	✅	✅	✅	✅	✅
Body transforms (req/resp)	✅ Templates + field ops	✅ Body + SOAP↔GraphQL	✅ Plugin + Datakit	❌	✅ Go templates + Martian	✅ serverless-pre/post-function	❌
Response field filtering	✅ Allow/deny lists	✅	✅	❌	✅ Deny/allow lists (BFF)	✅ response-rewrite	❌
Response aggregation (multi-backend)	✅ Deep/shallow/replace merge	❌	❌	❌	✅ Native BFF merging	❌	❌
Field mapping/renaming	✅	❌	❌	❌	✅ Field mapping	❌	❌
Field grouping/flattening	✅	❌	❌	❌	✅	❌	❌
Array operations	✅ Sort, filter, deduplicate	❌	❌	❌	❌	❌	❌
gRPC FieldMask	✅	❌	❌	❌	❌	❌	❌
Content negotiation	✅ JSON/XML/YAML	✅	✅	❌	✅ Auto-encoding	❌	❌
Direct responses	✅	✅	✅	✅	✅	✅	✅

Caching

Feature	AV API GW	Tyk 5.11	Kong 3.13	Istio 1.29	KrakenD 2.13	APISIX 3.15	Envoy GW 1.7
In-memory cache	✅ TTL + max entries	✅	✅ Plugin	❌	✅ LRU cache	✅ proxy-cache	❌
Distributed cache (Redis)	✅	✅	✅ + Cloud Redis	❌	❌	✅	❌
Stale-while-revalidate	✅	❌	❌	❌	❌	❌	❌
Negative caching	✅	❌	❌	❌	❌	❌	❌

Observability

Feature	AV API GW	Tyk 5.11	Kong 3.13	Istio 1.29	KrakenD 2.13	APISIX 3.15	Envoy GW 1.7
Prometheus metrics	✅ Route-based	✅ Tyk Pump	✅ + OTel native	✅ Compressed endpoint	✅	✅	✅
OpenTelemetry	✅ Tracing	✅ Trace IDs in logs	✅ Metrics+Logs+Traces	✅ Deep, native	✅	✅	✅
Structured logging	✅ JSON + console	✅	✅	✅	✅	✅ + request_id in logs	✅
Health/ready/live probes	✅	✅	✅	✅	✅	✅	✅
Analytics dashboard	✅ Grafana	✅ Dashboard	✅ Konnect	✅ Kiali, Grafana	❌	✅ APISIX Dashboard	❌
Access logs	✅	✅	✅	✅	✅	✅	✅

Deployment & Operations

Feature	AV API GW	Tyk 5.11	Kong 3.13	Istio 1.29	KrakenD 2.13	APISIX 3.15	Envoy GW 1.7
Docker	✅	✅ + FIPS	✅	✅	✅ Official image	✅	✅
Kubernetes / Helm	✅ Helm chart + Operator with CRDs	✅ Tyk Operator	✅ KIC	✅ Native	✅	✅ Ingress Controller 2.0	✅ Native
DB-less / stateless	✅ (Redis optional for distributed)	❌ (Redis)	✅	✅	✅ Fully stateless	✅ Standalone YAML	✅
Hot config reload	✅ Atomic	✅	✅	✅	✅ (dev image)	✅ Hot plugins	✅
Hybrid CP/DP	❌	✅	✅	✅ Multi-cluster	❌	✅	❌
SaaS / Managed	❌	✅ Tyk Cloud	✅ Konnect	✅ GKE/AKS	❌	❌ (API7 Cloud)	❌
Plugin system	❌	✅ Go/Python/JS/gRPC	✅ Lua/Go/JS/WASM	✅ EnvoyFilter/WASM	✅ Go plugins	✅ Lua/Go/Java/Python/WASM	✅ EnvoyExtension/WASM
K8s Ingress Controller	✅ Operator with CRDs	✅ Tyk Operator (Ingress)	✅ Kong Ingress Controller	✅ Istio Ingress Gateway	❌	✅ APISIX Ingress Controller 2.0	✅ (via Gateway API)
Developer portal	❌	✅	✅	❌	❌	❌	❌
Multi-platform	✅ Linux/macOS	✅	✅	✅ Linux	✅ Linux/macOS/Docker	✅ Linux/macOS/ARM64	✅ Linux

Performance Profile

	AV API GW	Tyk	Kong	Istio	KrakenD	APISIX	Envoy GW
Reported throughput	N/A	Thousands rps/CPU	Millions rps (NGINX)	High (Envoy)	70K+ rps/instance	18K+ QPS single core	High (Envoy)
Memory footprint	Low (Go binary)	Moderate (+ Redis)	Moderate (NGINX)	Moderate (Envoy)	<100MB at high traffic	Low (NGINX)	Moderate (Envoy)
Architecture	Single binary + optional Redis	Gateway + Redis	NGINX + optional DB	Envoy + istiod	Single binary, zero deps	NGINX + etcd	Envoy + controller

Cost Model

Solution	Free / OSS	Commercial
AV API GW	Fully free (Apache 2.0)	N/A
Tyk	Gateway OSS (MPL v2.0)	Dashboard/Portal/Operator require license
Kong	OSS 3.9.1 (Apache 2.0)	Konnect ~$105/svc/mo + ~$34.25/1M req
Istio	Fully free (Apache 2.0)	Cloud provider managed add-ons
KrakenD	CE fully free (Apache 2.0)	EE flat-rate (unlimited requests/APIs)
APISIX	Fully free (Apache 2.0)	API7 Cloud (commercial support)
Envoy Gateway	Fully free (Apache 2.0)	Solo.io Gloo (commercial)

Key Differentiators

AV API Gateway

Deepest HashiCorp Vault integration of any gateway (multi-auth, PKI lifecycle, secret injection, SNI certs)
Richest data transformation: response merging, field grouping/flattening, array ops, gRPC FieldMask — unique capabilities
Advanced caching: stale-while-revalidate, negative caching
Kubernetes Operator with CRDs as the preferred config model, plus standalone YAML mode
Minimal dependencies — single binary, Redis optional (distributed rate limits / cache only)
Gaps: No plugin system

Tyk

Full API lifecycle platform with Dashboard, Portal, Analytics
Multi-IdP JWT in single config (5.11) — Keycloak + Okta + Auth0 simultaneously
FIPS builds for regulated environments
Universal Data Graph for GraphQL federation
Gaps: Requires Redis, no native Vault, limited transformation

Kong

Largest plugin ecosystem (100+), biggest community
PCI DSS 4.0 attestation (Konnect/Cloud Gateways)
DataKit orchestration for complex API workflows
Event Gateway (Kafka integration)
Gaps: Many features Enterprise-only, pricing escalates at scale, limited BFF/aggregation

Istio Ingress

Automatic mesh-wide mTLS — no other gateway provides this
Unified east-west + north-south traffic management
Ambient mesh maturing fast (DNS, nftables, multi-network beta)
Gaps: K8s-only, no caching/transformation/portal, steep learning curve

KrakenD

Best BFF/aggregation pattern alongside avapigw — native multi-backend merging, field filtering
Highest per-instance throughput: 70K+ rps, <100MB RAM
Truly stateless — zero coordination between nodes, linear scaling
Flat-rate pricing (EE) — no per-request costs
Gaps: No K8s Ingress Controller, no health checking (by design), no weighted routing

Apache APISIX

Richest service discovery: DNS, Consul, Nacos, Eureka, K8s
Broadest L4 protocol support: TCP, UDP, MQTT, Dubbo
Multi-language plugins: Lua, Go, Java, Python, WASM
Fully dynamic — hot plugin loading without restart
Gaps: Requires etcd, dashboard development stalled

Envoy Gateway

Reference Kubernetes ingress implementation based on Envoy proxy
Lightweight with extensibility via EnvoyPatchPolicy and WASM
Ideal for teams migrating from Ingress-NGINX (ingress2gateway support)
Gaps: Young project, no built-in caching/transformation/portal, K8s-only

Summary Scorecard (1–5)

Dimension	AV API GW	Tyk 5.11	Kong 3.13	Istio 1.29	KrakenD 2.13	APISIX 3.15	Envoy GW 1.7
Feature breadth	★★★★☆	★★★★★	★★★★★	★★★☆☆	★★★☆☆	★★★★★	★★★☆☆
Data transformation	★★★★★	★★★☆☆	★★★☆☆	★☆☆☆☆	★★★★☆	★★☆☆☆	★☆☆☆☆
BFF / aggregation	★★★★★	★☆☆☆☆	★☆☆☆☆	★☆☆☆☆	★★★★★	★☆☆☆☆	★☆☆☆☆
Vault integration	★★★★★	★★☆☆☆	★★★☆☆	★☆☆☆☆	★☆☆☆☆	★★☆☆☆	★☆☆☆☆
gRPC depth	★★★★★	★★★☆☆	★★★☆☆	★★★★☆	★★★☆☆	★★★★☆	★★★★☆
Plugin ecosystem	★☆☆☆☆	★★★★☆	★★★★★	★★★☆☆	★★★☆☆	★★★★★	★★☆☆☆
K8s Ingress / Operator	★★★★☆	★★★★☆	★★★★★	★★★★★	★☆☆☆☆	★★★★☆	★★★★★
Performance / efficiency	★★★★☆	★★★☆☆	★★★★☆	★★★☆☆	★★★★★	★★★★★	★★★★☆
Operational maturity	★★★☆☆	★★★★★	★★★★★	★★★★★	★★★★☆	★★★★☆	★★★☆☆
Ease of setup	★★★★☆	★★★☆☆	★★★☆☆	★★☆☆☆	★★★★★	★★★★☆	★★★☆☆
Cost efficiency	★★★★★	★★★☆☆	★★★☆☆	★★★★★	★★★★★	★★★★★	★★★★★

Based on official documentation, release notes, and publicly available information as of April 2, 2026.

High Performance API Gateway: The Path to Building Your Own Gateway

Алексей Выродов — Fri, 30 Jan 2026 11:00:24 +0000

In microservice architecture, an API Gateway solves the "endpoint sprawl" problem — instead of clients needing to know about dozens of internal services, they work with a single unified API. This simplifies client code, allows backend services to evolve independently, and enables centralized security policy management.

Ten years — enough time to journey from an enthusiastic newcomer to a weary pragmatist, and then, if you're lucky, return to something resembling conscious enthusiasm. That's exactly how long I've been living side by side with microservice architecture, and nearly all that time I've been haunted by the same question: why doesn't any API Gateway do everything the way I'd want it to?

It all started with Ocelot — a .NET solution that seemed like a revelation at the time. A great constructor with declarative configuration and clear routing. But the moment you stepped outside typical scenarios, you had to dig into the code, write custom middleware, accept limitations, or find workarounds. Then came KrakenD — fast, written in Go, with an elegant idea of backend aggregation. Lura, its underlying framework, promised extensibility, but in practice every additional non-trivial task significantly increased response times, and even implementing gRPC Unary required a "hack." A separate pain I experienced for years was managing secrets and certificates. Passwords in config files. API keys in environment variables. Certificates that someone forgot to renew, causing services to crash at three in the morning. Credential rotation that required restarts.

I modified, patched, wrapped in proxy layers, wrote plugins. Solved specific problems — and each time caught myself thinking: "If only this worked out of the box."

Years passed, projects changed, technologies evolved — but the dream remained. To create my own open-source Cloud-native API Gateway. Not just "another proxy," but a tool designed with all the experience accumulated over those years. A tool where every feature is an answer to real pain, not a checkbox on a marketing checklist.

And finally, the time came, along with the accumulated knowledge and technologies to make it happen. Thus, AV API Gateway was born.

What AV API Gateway Can Do

Routing and Protocols. Full HTTP support and native gRPC through a dedicated port with HTTP/2. Routing by exact, prefix, regex, and wildcard patterns. Matching by methods, headers, and query parameters. For gRPC — routing by service and method, metadata matching, support for all streaming types: unary, server streaming, client streaming, and bidirectional.

Authentication. JWT supporting RS256, ES256, HS256, Ed25519 with automatic key renewal via JWKS URL. API Key with hashing and per-key rate limiting. mTLS with identity extraction from certificates. Full OIDC integration with Keycloak, Auth0, Okta, Azure AD — with discovery and token caching.

Authorization. RBAC based on JWT claims with role hierarchy. ABAC with CEL expressions for complex policies. Integration with Open Policy Agent for external authorization. Decision caching with configurable TTL.

Traffic Management. Load balancing with round-robin, weighted, and least connections algorithms. Backend health checking with configurable thresholds. Token bucket rate limiting at global, route, and backend levels. Max sessions with queues and timeouts. Circuit breaker with automatic recovery. Retry policies with exponential backoff. Traffic mirroring for testing. Fault injection for chaos engineering.

Data Transformation. Response field filtering through allow/deny lists. Field mapping and renaming. Grouping into nested objects and flattening. Array operations: append, prepend, filter, sort, limit, deduplicate. Go templates for custom formatting. Merge responses from multiple backends. For gRPC — FieldMask filtering, metadata transformation, rate limiting on streaming messages.

Caching. In-memory cache with TTL and entry limits. Redis for distributed caching. Stale-while-revalidate. Negative caching for errors. Flexible cache key generation.

Observability. Prometheus metrics covering all aspects: requests, latency, sizes, circuit breaker states, rate limit hits, authentication, and authorization. OpenTelemetry tracing with configurable sampling. Structured logging in JSON or console format.

HashiCorp Vault. Secret storage and automatic certificate issuance and renewal.

Config. Hot configuration reload without restart. Graceful shutdown with connection draining. Docker images. Helm chart for Kubernetes with HPA, PDB, and Ingress support. Multi-platform builds.

AV API Gateway is not just a technical project. It's the crystallization of ten years of experience, dozens of solved problems and workarounds that are no longer needed. It's the tool I wish I had when I first started working with microservices. And now it exists — open and extensible.

Join in using it, write about problems and suggestions in issues!!!

Source code available on GitHub: github.com/vyrodovalexey/avapigw