Is Apache APISIX faster than Envoy Proxy?

In API gateway benchmarks, Apache APISIX delivers 23,000 QPS per core with 0.2ms latency, which is competitive with Envoy's C++ performance. APISIX's LuaJIT plugins add less per-plugin overhead than Envoy's Wasm filters, giving APISIX an advantage in plugin-heavy configurations. Raw L4 proxy throughput is comparable between the two.

Can Envoy replace Apache APISIX as an API gateway?

Envoy can function as an API gateway but requires an external control plane (like Envoy Gateway, Gloo, or custom xDS server) for management. APISIX includes a built-in admin API, 100+ plugins, consumer management, and route configuration out of the box. Using Envoy as an API gateway requires significantly more integration work.

Should I use Envoy or APISIX for Kubernetes ingress?

Both work well as Kubernetes ingress controllers. APISIX Ingress Controller provides richer API gateway features (rate limiting, authentication, traffic splitting) with simpler configuration. Envoy-based ingress (via Envoy Gateway or Contour) is better if you already use Istio and want a unified data plane. APISIX also supports the Kubernetes Gateway API specification.

Can I use both Envoy and Apache APISIX together?

Yes — this is a common production architecture. Envoy handles east-west service mesh traffic as sidecar proxies (managed by Istio), while Apache APISIX or API7 Enterprise handles north-south API gateway and ingress traffic. This combination provides Envoy's mesh capabilities with APISIX's superior API management and plugin ecosystem.

How does plugin development compare between APISIX and Envoy?

APISIX supports plugins in Lua (native), Go, Wasm, Python, JavaScript, and Java — all loaded at runtime without restart. Envoy requires C++ for native filters (complex build process), offers limited Lua scripting, or Wasm via Proxy-Wasm SDK. Most teams find APISIX plugin development significantly faster and more accessible.

Is Envoy better for service mesh than APISIX?

Yes — Envoy is the dominant service mesh data plane, powering Istio, Consul Connect, and AWS App Mesh. APISIX Mesh exists but has smaller adoption for east-west traffic. For pure service mesh sidecar use cases, Envoy is the industry standard. For API gateway and north-south ingress, APISIX is the stronger choice.

New

Announcing AISIX: The AI-Native AI Gateway for LLMs and AI AgentsLearn More

Learn More

API gateway comparison

Apache APISIX vs. Envoy

Apache APISIX and Envoy Proxy are both high-performance, cloud-native proxies — but they target different layers of the stack. APISIX is a full-featured API gateway built on NGINX/OpenResty with dynamic plugin loading and an admin API. Envoy is an L4/L7 proxy designed as a universal data plane for service mesh architectures. This comparison covers architecture, raw throughput, extensibility, observability, and deployment models to help you choose the right foundation for your API infrastructure.

Try API7 for Free Book a Demo

Comparison

Apache APISIX

Envoy Proxy

API7 Enterprise

Architecture

NGINX/OpenResty (LuaJIT) + etcd for configuration storage; stateless data plane with millisecond config sync

C++ single binary with xDS API for dynamic configuration; designed as a universal L4/L7 proxy and service mesh data plane

NGINX/OpenResty + etcd — stateless data plane with millisecond configuration sync, no database bottleneck

Performance (QPS)

23,000 QPS per core with 0.2ms average latency; LuaJIT and NGINX event loop deliver top-tier throughput

High throughput with low latency; C++ provides excellent raw performance but higher memory per connection than LuaJIT

Ultra-high — 23,000 QPS per core, 0.2ms latency; highest throughput among open-source API gateways

Plugin Ecosystem

100+ open-source plugins — auth, traffic, observability, AI/LLM — all included with no enterprise paywall

Limited built-in filters; extensibility via C++ filters (complex), Lua filters (limited), or Wasm plugins (maturing)

100+ fully open-source plugins — auth, traffic, observability, AI — with no enterprise paywall

Dynamic Configuration

Full hot-reload via etcd watch; routes, plugins, upstreams updated in milliseconds without restart

xDS APIs (EDS, CDS, RDS, LDS, SDS) for fully dynamic configuration from a control plane

etcd-backed with millisecond propagation; zero-downtime hot reload; admin API + declarative mode

Service Mesh

Can function as mesh data plane via APISIX Mesh; also works as standalone gateway or Kubernetes ingress

Primary data plane for Istio, Consul Connect, and AWS App Mesh; dominant in service mesh deployments

Supports standalone, Kubernetes ingress, and service mesh data plane modes with unified management

Protocol Support

HTTP/1.1, HTTP/2, HTTP/3 (QUIC), gRPC, TCP, UDP, WebSocket, MQTT, Dubbo

HTTP/1.1, HTTP/2, HTTP/3 (QUIC), gRPC, TCP, UDP, Thrift, MongoDB, Redis, Dubbo

HTTP/1.1, HTTP/2, HTTP/3, gRPC, TCP, UDP, WebSocket, MQTT, Dubbo, and custom protocols

Security & Auth

JWT, OAuth2, OIDC, mTLS, HMAC, API keys, RBAC, OPA, CORS, CSRF — all as built-in plugins

JWT, mTLS, RBAC via OPA/ext_authz; advanced auth requires external services or custom filters

JWT, OIDC, OAuth2, mTLS, FIPS 140-2, fine-grained RBAC and IAM — all included

Observability

Prometheus, Grafana, OpenTelemetry, SkyWalking, Datadog, Zipkin — native integrations

Best-in-class observability: distributed tracing, access logs, stats (Prometheus/StatsD), OpenTelemetry built-in

OpenTelemetry, Prometheus, Grafana, Datadog, SkyWalking — all open-source integrations

Deployment Models

Kubernetes (Ingress Controller + Gateway API), Docker, VM, bare-metal, hybrid cloud, edge

Kubernetes sidecar, standalone proxy, front proxy, edge gateway; typically managed by Istio or similar control planes

On-prem, multi-cloud, hybrid, edge, Kubernetes-native with Ingress Controller and Gateway API

Multi-Language Plugins

Lua (native), Go, Wasm, Python, JavaScript, Java — loaded at runtime without restart

C++ (native filters), Lua (limited), Wasm (Proxy-Wasm SDK in Rust, Go, C++, AssemblyScript)

Lua, Go, Wasm, Python, JavaScript, Java — all runtime-loaded without restart

API Management

Built-in admin API, route management, consumer groups, and full API lifecycle support

No built-in admin API or management UI; requires external control plane (Istio, Gloo, etc.)

Visual dashboard, API7 Portal with documentation, monetization, and self-service subscription

Pricing & Licensing

Apache 2.0 open-source; API7 Enterprise adds RBAC dashboard, FIPS 140-2, and commercial support

Apache 2.0 open-source; commercial support via Envoy Gateway, Tetrate, Solo.io, or cloud service mesh providers

CPU-core based subscription; fraction of Kong or Tetrate cost; built on Apache APISIX (Apache 2.0)

What to consider most when choosing the API gateway

1. Architecture: API Gateway vs Universal Proxy

Apache APISIX is purpose-built as an API gateway. It runs on NGINX/OpenResty with LuaJIT for plugin execution and etcd for configuration storage. The architecture separates data plane (stateless APISIX nodes) from control plane (etcd + optional dashboard), enabling horizontal scaling without database bottlenecks. Configuration changes propagate via etcd watch in milliseconds — routes, plugins, and upstreams update without restart.

Envoy is a general-purpose L4/L7 proxy designed by Lyft as a universal data plane. Written in C++ for raw performance, it uses xDS (discovery service) APIs for dynamic configuration. Envoy does not include a built-in control plane — it relies on external systems like Istio, Gloo Edge, or custom xDS servers to manage its configuration. This makes Envoy extremely flexible but increases operational complexity for teams that need API gateway functionality out of the box.

The key difference: APISIX is a batteries-included API gateway with admin API, plugin management, and consumer authentication built in. Envoy is a programmable proxy that requires a control plane to become a complete API gateway. For teams that want production-ready API management without assembling a control plane, API7 Enterprise provides the complete solution built on APISIX.

2. Performance and Resource Efficiency

Apache APISIX delivers 23,000 QPS per core with 0.2ms average latency in published benchmarks. Its NGINX event loop handles thousands of concurrent connections efficiently, and LuaJIT-compiled plugins execute with near-native speed. The etcd-backed configuration adds negligible overhead since config is cached locally on each node.

Envoy also delivers high throughput thanks to its C++ implementation and asynchronous event-driven architecture. In raw proxy benchmarks, Envoy and APISIX perform comparably at the L4/L7 layer. However, Envoy's per-connection memory footprint is typically higher than NGINX-based proxies due to C++ object overhead, which matters at scale with tens of thousands of concurrent connections.

Where APISIX gains a clear advantage is plugin execution overhead. LuaJIT plugins in APISIX add minimal latency per plugin in the chain. Envoy's C++ filters are fast but hard to write, Lua filters are limited in scope, and Wasm plugins — while improving — still add measurable overhead per filter invocation compared to native LuaJIT.

3. Plugin Extensibility

APISIX ships with 100+ plugins covering authentication (JWT, OAuth2, OIDC, HMAC), traffic control (rate limiting, circuit breaking, request mirroring), observability (Prometheus, OpenTelemetry, SkyWalking), and AI/LLM proxying. All plugins are open-source with no enterprise paywall. Custom plugins can be written in Lua, Go, Wasm, Python, JavaScript, or Java and loaded at runtime without gateway restart.

Envoy's extensibility model centers on C++ filters for maximum performance. Writing a C++ filter requires deep knowledge of Envoy's internal APIs and build system — a high barrier for most teams. Envoy also supports Lua filters (simpler but limited to header/body manipulation) and Wasm plugins via the Proxy-Wasm specification. The Wasm ecosystem is growing but remains less mature than APISIX's multi-language plugin runtime.

For teams that need to add custom business logic to their API gateway — rate limiting rules, custom auth, request transformation, or AI prompt routing — APISIX's approach is significantly more accessible. A Go or Python developer can write and deploy an APISIX plugin in hours; an Envoy C++ filter typically takes days.

4. Service Mesh and Kubernetes Integration

Envoy is the dominant service mesh data plane. It powers Istio (the most popular service mesh), Consul Connect, AWS App Mesh, and Open Service Mesh. If your organization has committed to a service mesh architecture, Envoy is likely already in your stack as a sidecar proxy handling east-west traffic between services.

Apache APISIX focuses primarily on north-south traffic — API gateway, Kubernetes ingress, and edge proxy use cases. APISIX provides a native Kubernetes Ingress Controller and supports the Gateway API specification. For service mesh use cases, APISIX Mesh can act as a sidecar, though it has smaller adoption compared to Envoy-based meshes.

Many production architectures use both: Envoy as sidecar proxy for east-west service mesh traffic (managed by Istio), and Apache APISIX/API7 Enterprise as the API gateway for north-south ingress traffic. This combination provides the best of both worlds — Envoy's mesh capabilities with APISIX's superior API management, plugin ecosystem, and operational simplicity.

5. When to Choose Each Solution

Choose Apache APISIX if you need a production-ready API gateway with built-in admin API, 100+ plugins, dynamic configuration, and multi-language plugin support. APISIX excels as a Kubernetes ingress controller, edge gateway, and north-south API management layer. It is the best choice when you want API gateway functionality without assembling a separate control plane.

Choose Envoy if you are building a service mesh architecture and need a universal L4/L7 sidecar proxy. Envoy is the right choice when you already use Istio or another Envoy-based control plane, need xDS-driven configuration, or require deep L4 protocol support (Redis, MongoDB, MySQL protocol-aware proxying). Envoy is strongest as a data plane component within a larger platform.

Choose API7 Enterprise if you want Apache APISIX's performance and extensibility with enterprise-grade management — visual dashboard, FIPS 140-2 compliance, RBAC, audit logging, and commercial support. API7 is the production-hardened distribution of APISIX for organizations that need API gateway functionality at scale. Contact API7 for a technical evaluation.

Frequently Asked Questions

Ready to get started?

For more information about full API lifecycle management, please contact us to Meet with our API Experts.