API Gateway Comparison: Kong, AWS API Gateway, Traefik, Envoy, NGINX & Tyk

An API gateway sits between clients and backend services, handling cross-cutting concerns like authentication, rate limiting, routing, and observability. Choosing the wrong gateway means fighting it on every feature. This guide compares six popular options so you can pick the one that fits your architecture.

What an API Gateway Does#

At minimum, an API gateway provides:

Client Request
      │
      ▼
┌─────────────────────────────┐
│         API Gateway          │
│                              │
│  ● TLS termination          │
│  ● Authentication / AuthZ   │
│  ● Rate limiting             │
│  ● Request routing           │
│  ● Load balancing            │
│  ● Request/response transform│
│  ● Observability (logs,      │
│    metrics, traces)          │
│  ● Circuit breaking          │
└──────────┬──────────────────┘
           │
     ┌─────┼─────┐
     ▼     ▼     ▼
  Svc A  Svc B  Svc C

Beyond these basics, gateways differ in extensibility, deployment model, performance, and ecosystem integration.

Gateway Overviews#

Kong#

Kong is built on NGINX and OpenResty (LuaJIT). It is the most popular open-source API gateway with a large plugin ecosystem.

• Core: NGINX + Lua plugins
• Config: Admin API, declarative YAML, or Kong Manager UI
• Deployment: Self-hosted (Docker, Kubernetes, bare metal) or Kong Konnect (SaaS)
• Plugins: 100+ official and community plugins (auth, rate limiting, transformations, logging)
• Extensibility: Write plugins in Lua, Go, Python, or JavaScript
• Protocol support: HTTP/1.1, HTTP/2, gRPC, WebSocket, TCP/UDP

AWS API Gateway#

AWS API Gateway is a fully managed service with deep AWS integration. It comes in two flavors: REST API (full-featured) and HTTP API (cheaper, fewer features).

• Core: Managed service — no infrastructure to operate
• Config: AWS Console, CloudFormation, CDK, Terraform
• Deployment: AWS-only, multi-region via CloudFront
• Plugins: No plugin system — use Lambda authorizers and integrations
• Extensibility: Lambda functions for custom logic
• Protocol support: HTTP/1.1, HTTP/2, WebSocket (REST API only)

Traefik#

Traefik is a cloud-native edge router designed for dynamic environments. It auto-discovers services from Docker, Kubernetes, and other orchestrators.

• Core: Go-based reverse proxy with automatic service discovery
• Config: File, Docker labels, Kubernetes Ingress/IngressRoute CRDs
• Deployment: Self-hosted (Docker, Kubernetes, binary)
• Plugins: Traefik Plugin Catalog (middleware plugins via Yaegi Go interpreter)
• Extensibility: Go plugins loaded at runtime, middleware chains
• Protocol support: HTTP/1.1, HTTP/2, gRPC, TCP, UDP

Envoy#

Envoy is a high-performance L4/L7 proxy originally built at Lyft. It is the data plane for Istio and many service mesh implementations. It is a proxy rather than a full gateway, but it is widely used as one.

• Core: C++ proxy with xDS dynamic configuration API
• Config: Static YAML or dynamic xDS (control plane)
• Deployment: Self-hosted, typically as sidecar or edge proxy
• Plugins: Wasm (WebAssembly) filters and native C++ filters
• Extensibility: Wasm SDK (Rust, C++, Go, AssemblyScript)
• Protocol support: HTTP/1.1, HTTP/2, HTTP/3, gRPC, TCP, UDP, Thrift, MongoDB, Redis

NGINX#

NGINX is the most widely deployed reverse proxy. NGINX Plus (commercial) adds API gateway features like dynamic configuration, health checks, and a dashboard.

• Core: C event-driven proxy
• Config: Static configuration files, reloaded on change
• Deployment: Self-hosted (everywhere) or NGINX Plus with support
• Plugins: NGINX modules (C), OpenResty (Lua), njs (JavaScript)
• Extensibility: C modules for performance, njs for simpler tasks
• Protocol support: HTTP/1.1, HTTP/2, gRPC, TCP, UDP

Tyk#

Tyk is a Go-based API gateway with built-in developer portal, analytics, and API management features.

• Core: Go-based gateway with bundled API management
• Config: Dashboard UI, REST API, Tyk Operator for Kubernetes
• Deployment: Self-hosted (Docker, Kubernetes) or Tyk Cloud (SaaS)
• Plugins: Go, Python, JavaScript, Lua, gRPC
• Extensibility: Rich plugin hooks at multiple request lifecycle stages
• Protocol support: HTTP/1.1, HTTP/2, gRPC, WebSocket, TCP

Comparison Table#

Pricing#

AWS API Gateway pricing scales linearly with traffic, which can become expensive at high volumes. Self-hosted options have fixed infrastructure costs that amortize at scale.

Deployment Complexity#

Simplest: AWS API Gateway — zero infrastructure, but AWS lock-in.

Moderate: Kong, Traefik, Tyk — require a database or config store (Kong needs PostgreSQL or Cassandra; Tyk needs Redis; Traefik is configless with Kubernetes).

Most complex: Envoy — extremely powerful but expects a control plane (Istio, Gloo, or custom xDS server). Raw Envoy configuration is verbose.

NGINX sits in between — simple to deploy but requires manual config management without a commercial control plane.

Extensibility Deep Dive#

Extensibility determines how easily you can add custom logic:

• Kong: Best plugin ecosystem. Writing a Lua plugin takes minutes. Go/Python/JS plugins run out-of-process via gRPC.
• Envoy: Wasm filters are sandboxed and portable but have a steeper learning curve. C++ filters offer maximum performance.
• Tyk: Multiple language SDKs with hooks at pre-auth, post-auth, pre-request, and post-response stages.
• Traefik: Go plugins via Yaegi interpreter. Limited compared to Kong's ecosystem.
• NGINX: C modules are fast but hard to write. njs (JavaScript subset) is easier but limited.
• AWS API Gateway: Lambda is the only extension point. Cold starts add latency.

Decision Framework#

Choose based on your primary constraints:

• Fully managed, AWS-native → AWS API Gateway (HTTP API for cost, REST API for features)
• Self-hosted, rich plugin ecosystem → Kong
• Kubernetes-native with auto-discovery → Traefik
• Maximum performance, service mesh data plane → Envoy
• Existing NGINX infrastructure → NGINX Plus
• Built-in API management and developer portal → Tyk

Anti-Patterns#

1. Using AWS API Gateway at high volume — Costs escalate quickly past 100M requests/month.
2. Raw Envoy without a control plane — Configuration management becomes a full-time job.
3. Running NGINX OSS as an API gateway — You will rebuild features that Kong and Tyk include out of the box.
4. Choosing based on benchmarks alone — Gateway overhead is rarely the bottleneck; ecosystem fit matters more.

Key Takeaways#

• API gateways handle cross-cutting concerns (auth, rate limiting, routing, observability) so your services do not have to.
• Kong offers the best balance of open-source flexibility and plugin ecosystem for self-hosted deployments.
• AWS API Gateway is the simplest option for AWS-native architectures but gets expensive at scale.
• Traefik excels in dynamic environments with automatic service discovery from Docker and Kubernetes.
• Envoy delivers the highest performance and protocol support but requires a control plane for manageability.
• Tyk is the strongest choice when you need built-in API management, analytics, and a developer portal.
• NGINX remains a solid foundation but lacks modern API gateway features without NGINX Plus or additional tooling.

---

Build and explore system design concepts hands-on at codelit.io.

395 articles on system design at codelit.io/blog.