AWS API Gateway vs. Kong

AWS API Gateway is a fully managed, serverless service. You deploy no infrastructure — AWS handles scaling, patching, and availability. This simplicity comes at a cost: you have no control over internal routing logic, no plugin system, and no ability to inspect or modify the gateway's behavior beyond what AWS exposes through its configuration API. Custom logic requires Lambda functions, adding cold-start latency and per-invocation costs.

Kong is self-hosted, giving teams full control over the gateway infrastructure. It runs on NGINX/OpenResty with PostgreSQL or Cassandra for configuration storage. This provides flexibility but requires operational expertise — database management, cluster coordination, and capacity planning are your responsibility.

Apache APISIX takes the best of both approaches. Like Kong, it is self-hosted and fully controllable. But its etcd-based architecture eliminates the database management overhead — configuration syncs in milliseconds via etcd watch, and each APISIX node operates statelessly. The result is Kong-level flexibility with significantly less operational complexity.

AWS API Gateway has a default limit of 10,000 requests per second per region for REST APIs. While this limit can be increased through support requests, the managed proxy layer introduces baseline latency. Lambda-backed APIs add cold-start delays of 100ms-1s depending on runtime, memory, and VPC configuration. At high traffic volumes, AWS costs scale linearly with no per-unit efficiency gains.

Kong handles higher throughput than AWS API Gateway thanks to its NGINX foundation, but configuration propagation via database polling (5-10 seconds) creates stale-config windows during dynamic routing changes. Horizontal scaling requires each node to access the shared PostgreSQL/Cassandra instance, creating coordination complexity.

Apache APISIX achieves 23,000 QPS per core with 0.2ms average latency. In head-to-head benchmarks between APISIX 3.0 and Kong 3.0, APISIX delivers 140% of Kong's throughput without plugins and 200% with plugins enabled. Configuration updates propagate in milliseconds through etcd watch, with zero cold starts and no database bottleneck.

AWS API Gateway has no plugin system. All custom logic must be implemented through Lambda authorizers, request/response mapping templates (VTL), or downstream Lambda functions. This makes every customization a deployed AWS resource with its own costs, cold-start characteristics, and monitoring requirements. Protocol support is limited to REST, HTTP, and WebSocket — no native gRPC, TCP, or UDP.

Kong offers 300+ plugins, but the most valuable enterprise features — OIDC, FIPS 140-2, advanced rate limiting, plugin ordering — are locked behind paid Enterprise licenses. Custom plugins can be written in Lua, Go, or JavaScript. Protocol support includes HTTP, gRPC, TCP, UDP, and WebSocket, though GraphQL proxying requires Enterprise.

Apache APISIX ships 100+ plugins that are fully open-source with no enterprise paywall. Features Kong charges for — dynamic routing, hot reload, advanced rate limiting, and full observability — are included out of the box. APISIX also has the broadest protocol support: HTTP/1.1, HTTP/2, HTTP/3, gRPC, TCP, UDP, MQTT, Dubbo, and custom Layer 4/7 protocols.

AWS API Gateway pricing is simple at low volumes — $1.00 per million REST API calls plus data transfer. But costs scale linearly: 100 million daily API calls costs approximately $3,000/month for the gateway alone, before Lambda execution costs, data transfer, and CloudWatch logging. There are no volume discounts, and organizations with high-throughput APIs often find AWS API Gateway is their largest single AWS line item.

Kong's open-source version is free, but teams needing enterprise features (RBAC, OIDC, dev portal, advanced analytics) must purchase a subscription at approximately $5,350/year for 5 million API requests and 50 services. Infrastructure costs (compute, database) are additional. Konnect SaaS adds per-service and per-request fees.

API7 Enterprise uses CPU-core-based pricing at approximately $1,260 for 5 million API requests across 3 clusters and 50 services — less than a quarter of Kong's cost and dramatically cheaper than AWS API Gateway at scale. Because the open-source APISIX includes all plugins without an enterprise paywall, organizations avoid the hidden cost of upgrading tiers to access critical security and observability features.

AWS API Gateway creates the deepest vendor lock-in in this comparison. API configurations, Lambda authorizer logic, IAM policies, CloudWatch dashboards, and VTL mapping templates are all AWS-specific. Migrating to another gateway means rewriting every integration point. Organizations with hundreds of APIs on AWS API Gateway face months of re-engineering to switch providers.

Kong's open-source core is Apache 2.0 licensed, providing some lock-in protection. However, Kong Inc. controls the project roadmap, and organizations dependent on enterprise-only features (OIDC, FIPS, advanced rate limiting) are locked to Kong's commercial licensing. The company has previously changed enterprise licensing terms, creating uncertainty for long-term planning.

Apache APISIX has the lowest vendor lock-in risk. It is governed by the Apache Software Foundation under Apache 2.0 — no single company controls the project. All 100+ plugins and the complete codebase are open source. Standard protocols and declarative configuration make migration straightforward. API7 Enterprise builds on this foundation with commercial support while preserving full infrastructure portability.