API Gateway Trends behind Features: Apache APISIX 3.0 vs. Kong 3.0

Yilia Lin

Yilia Lin

October 16, 2022


On September 28, 2022, Kong released the new Kong Gateway 3.0, which achieved some new functions and performance improvements. On September 21, Apache APISIX, the top-level project of the Apache Software Foundation, also released the preview version of Apache APISIX 3.0, introducing ten highlights in terms of ecosystem and features.

Let's take a closer look at Version 3.0 of these two popular open-source API Gateway projects and figure out the development trend behind these updates.

Let's first look at the eight highlights of Kong Gateway 3.0.

Eight Highlights of Kong Gateway 3.0

HighlightsOSS/EnterpriseTypeTarget UserImprovementIf APISIX supportsNotes
FIPS 140-2Enterprise versionComplianceNorth American financial corporations and governmentsComplianceNoInapplicable
Secrets ManagementbothComplianceFinancial corporationsOSS: environment variables

Enterprise: AWS Secrets Manager and HashiCorp Vault
YesAPISIX supports HashiCorp Vault since Dec, 2021 in OSS: feat(vault): vault lua module, integration with jwt-auth authentication plugin

Kong Feb, 2022: feat(vaults) adds vaults beta support to kong
Plugin OrderingEnterprise versionUsabilityLarge and medium-sized enterprises with complex scenariosIncrease business flexibility with pluginsYesAPISIX June, 2022: feat: allows users to specify plugin execution priority

Kong July, 2022: feat(plugins) add support for ordering
Kong Manager 3.0Enterprise versionUsabilityMedium and large enterprises without many technical teamsManage APIs better for enterprise usersYesInapplicable
Deep Websocket SupportEnterprise versionFunctionEnterprise users who deeply use websocketVerify websocket scheme and limit websocket frame sizeYes, partiallyKong Dec, 2016: feat(proxy) supports websockets

APISIX supports websocket request proxy, and can be used with plugins such as limit-conn on Jan, 2020: feature: upstream support websocket enable
OpenTelemetrybothFunctionLarge and medium-sized enterprises with complex business call chainsImprove observabilityYesKong June, 2022: feat(plugins) opentelemetry plugin

APISIX Jan, 2022: feat: add opentelemetry plugin
Performance ImprovementsbothPerformanceCloud vendors, fast-growing SaaS vendorsReduce server costsYesApache APISIX has been outperforming other API gateways in performance since it was open-sourced in 2019.
New Routing EnginebothPerformanceCloud vendors, fast-growing SaaS vendorsSolve performance issues with a large number of APIs and reduce server costsYesKong July, 2022: feat(router) new DSL based router support and tests fix

APISIX August, 2019: feature: supported to use router lua-resty-radixtree

We can analyze three trends from the highlights of Kong Gateway 3.0:

  1. Kong’s investment in security and compliance in the financial sector is relatively large, which can be analyzed in terms of compliance with FIPS 140-2 and Secrets management.
  • Compliance with FIPS 140-2: FIPS 140-2 is a computer security standard used by North American financial companies and governments to approve encryption modules. Kong Gateway 3.0 Enterprise Version is built based on BoringSSL and will adapt plugins to be compatible with the requirements of the standard. Kong’s support for FIPS 140-2 reflects Kong’s development phase: after seven years of iteration, Kong has gradually focused on paying users, tending to meet the needs of financial companies and governments.

  • Secrets Management: The target users of this function are also financial enterprises. Kong Gateway 3.0 allows users to securely store sensitive information in AWS Secrets Manager and HashiCorp Vault, which Kong can access at runtime. In this way, a higher level of security protection is achieved.

  1. From the PR links of each highlight, we can know that most of the eight highlights of Kong Gateway 3.0 are earlier implemented by Apache APISIX.

  2. Kong Gateway 3.0 has a relatively significant improvement in performance for two reasons:

  • Kong adds a layer of cache on routing, greatly improving the performance for the benchmark. However, the problem is that the cache becomes invalid when the URL address changes. For details, check the code link below: atc.lua

  • Kong uses Rust to implement a brand-new routing engine, using DSL to increase the expressiveness of the routing layer. When receiving and sending HTTP requests, you can write expressions like this:

    net.protocol == "https" && (http.method == "GET" || http.method == "POST")

    In scenarios where the requested route matches a specific host, the following expression can be written:

    (http.host == "example.com" && http.headers.x_example_version == "v2" ) || (http.host == "store.example.com" && http.headers.x_store_version == "v1")

    We can take Apache APISIX for comparison. Apache APISIX implemented a similar routing expression function using Lua-resty-radixtree in August 2019. APISIX's expressions support arbitrary NGINX variables and have more abundant operators. In addition to common numeric and string comparisons, regular expressions, arrays, and IP targeting are also supported.

Most of these eight highlights in the Kong Gateway 3.0 version are biased toward the enterprise version. The following two figures can reflect the technological development trend of Kong more intuitively.

The ratio of OSS and Enterprise version in Kong Gateway 3,0's 8 highlights

Highlights supported by Apache APISIX in Kong Gateway 3.0

The features released in Kong Gateway 3.0 focus on the government, financial industry, and large enterprises that are more concerned about security compliance.

Analysis of Eight Highlights of Apache APISIX 3.0

The open-source API Gateway Apache APISIX released a preview of version 3.0, which involves ten highlights of the 3.0 version of Apache APISIX. The author selected the most critical eight points for analysis. These eight highlights are all for open-source versions, focusing on ecosystem and technological improvements.

HighlightsTypeTarget UserImprovementIf Kong supports
Full Support of ARM64EcosystemCompanies migrating to the cloud at scaleReduce server costsYes, partially
gRPC ClientPerformanceOptimization requirements of APISIXOptimizationNo
Enhanced Service Discovery SupportEcosystem, FunctionBusinesses relying on microservicesNo
xRPC FrameworkEcosystem, FunctionInternet companiesReduce server costsNo
Observability on L4FunctionLarge and medium-sized enterprises with complex business functionsEnhance observabilityNo
Support Gateway APIEcosystemInternet companiesManage APIs better for enterprise usersYes
More Plugins: OpenFunction, ClickHouse, Elasticsearch, SAML, CASEcosystem, FunctionInternet companiesEnvironment variables for OSS, AWS Secrets Manager, and HashiCorp Vault for EnterpriseNo
AI PlaneIntelligenceInternet companiesPerformance issues with a large number of APIs and reduced server costsNo

Another information we can get from the above table is that Apache APISIX improves in ecosystem and functional aspects. Among these highlights, there are two main points as below.

  • AI plane: In addition to the data plane and control plane, Apache APISIX adds an AI plane in the 3.0 version, which relieves application and ops developers from the pressure of use and O&M (operation and maintenance) through learning and analysis of API traffic and configuration. For example, the following two scenarios can be automatically optimized by the AI ​​plane:

    1. Discover APIs without authentication and send managers risk warnings.
    2. Speed up processing by skipping unnecessary stages for APIs that are only configured with plug-ins in the access stage, such as identity authentication.

    The AI ​​plane brings new possibilities to traffic processing. In the future, an automatic warm-up of upstream services and security threat detection can all be processed through the AI ​​plane.

  • Full support for ARM64: ARM64 has become a very mainstream server architecture for cloud vendors. Various cloud vendors have begun rolling out servers based on Arm architecture like AWS Graviton and GCP Tau T2A. Apache APISIX has done a comprehensive CI regression test on ARM64 to ensure smoothness when users run Apache APISIX under the Arm architecture. Users care a lot about this. The performance comparison of ARM architecture with GCP and AWS has received nearly 100 comments on Hacker News.


Kong Gateway 3.0 has made new progress in compliance, usability, functions, and performance, focusing more on enterprise security compliance. All the functions introduced by Apache APISIX 3.0 are open-source while paying more attention to ecosystem and new technology exploration.

Let's wait and see how Kong and Apache APISIX will iterate and develop in the future!

API Gateway ConceptKongTechnical Trends