API Gateway Trends behind Features: Apache APISIX 3.0 vs. Kong 3.0
On September 28, 2022, Kong released Kong Gateway 3.0, which introduced new features and performance improvements. On September 21, Apache APISIX, a top-level project of the Apache Software Foundation, released the preview version of Apache APISIX 3.0, introducing ten highlights in terms of ecosystem and features.
Let's take a closer look at Version 3.0 of these two popular open-source API Gateway projects and figure out the development trend behind these updates.
Let's first look at the eight highlights of Kong Gateway 3.0.
Eight Highlights of Kong Gateway 3.0
Highlights | OSS/Enterprise | Type | Target User | Improvement | Supported by APISIX? | Notes |
---|---|---|---|---|---|---|
FIPS 140-2 | Enterprise version | Compliance | North American financial corporations and governments | Compliance | No | Inapplicable |
Secrets Management | both | Compliance | Financial corporations | OSS: environment variables; Enterprise: AWS Secrets Manager and HashiCorp Vault | Yes | APISIX has supported HashiCorp Vault in OSS since Dec, 2021: feat(vault): vault lua module, integration with jwt-auth authentication plugin; Kong, Feb, 2022: feat(vaults) adds vaults beta support to kong |
Plugin Ordering | Enterprise version | Usability | Large and medium-sized enterprises with complex scenarios | Increase business flexibility with plugins | Yes | APISIX, June, 2022: feat: allows users to specify plugin execution priority; Kong, July, 2022: feat(plugins) add support for ordering |
Kong Manager 3.0 | Enterprise version | Usability | Medium and large enterprises without many technical teams | Manage APIs better for enterprise users | Yes | Inapplicable |
Deep Websocket Support | Enterprise version | Function | Enterprise users who deeply use websocket | Verify websocket scheme and limit websocket frame size | Yes, partially | Kong, Dec, 2016: feat(proxy) supports websockets; APISIX, Jan, 2020: supports websocket request proxy, and can be used with plugins such as limit-conn (feature: upstream support websocket enable) |
OpenTelemetry | both | Function | Large and medium-sized enterprises with complex business call chains | Improve observability | Yes | Kong, June, 2022: feat(plugins) opentelemetry plugin; APISIX, Jan, 2022: feat: add opentelemetry plugin |
Performance Improvements | both | Performance | Cloud vendors, fast-growing SaaS vendors | Reduce server costs | Yes | Apache APISIX has been outperforming other API gateways in performance since it was open-sourced in 2019. |
New Routing Engine | both | Performance | Cloud vendors, fast-growing SaaS vendors | Solve performance issues with a large number of APIs and reduce server costs | Yes | Kong, July, 2022: feat(router) new DSL based router support and tests fix; APISIX, August, 2019: feature: supported to use router lua-resty-radixtree |
Three trends can be drawn from the highlights of Kong Gateway 3.0:
- Kong’s investment in security and compliance in the financial sector is relatively large, as shown by its compliance with FIPS 140-2 and its Secrets Management feature.
  - Compliance with FIPS 140-2: FIPS 140-2 is a computer security standard used by North American financial companies and governments to approve cryptographic modules. Kong Gateway 3.0 Enterprise Version is built on BoringSSL and will adapt plugins to be compatible with the requirements of the standard. Kong’s support for FIPS 140-2 reflects Kong’s development phase: after seven years of iteration, Kong has gradually focused on paying users, tending to meet the needs of financial companies and governments.
  - Secrets Management: The target users of this function are also financial enterprises. Kong Gateway 3.0 allows users to securely store sensitive information in AWS Secrets Manager and HashiCorp Vault, which Kong can access at runtime. In this way, a higher level of security protection is achieved.
- The PR links for each highlight show that most of the eight highlights of Kong Gateway 3.0 were implemented earlier by Apache APISIX.
- Kong Gateway 3.0 has a relatively significant improvement in performance for two reasons:
  - Kong adds a layer of cache on routing, greatly improving performance in the benchmark. However, the problem is that the cache becomes invalid when the URL address changes. For details, see the code in atc.lua.
  - Kong uses Rust to implement a brand-new routing engine, using a DSL to increase the expressiveness of the routing layer. When receiving and sending HTTP requests, you can write expressions like this:
    net.protocol == "https" && (http.method == "GET" || http.method == "POST")
    In scenarios where the requested route matches a specific host, the following expression can be written:
    (http.host == "example.com" && http.headers.x_example_version == "v2") || (http.host == "store.example.com" && http.headers.x_store_version == "v1")
For comparison, Apache APISIX implemented a similar routing expression function using lua-resty-radixtree in August 2019. APISIX's expressions support arbitrary NGINX variables and offer a richer set of operators. In addition to common numeric and string comparisons, regular expressions, arrays, and IP targeting are also supported.
Most of these eight highlights in the Kong Gateway 3.0 version are biased toward the enterprise version. The following two figures can reflect the technological development trend of Kong more intuitively.
The features released in Kong Gateway 3.0 focus on the government, financial industry, and large enterprises that are more concerned about security compliance.
Analysis of Eight Highlights of Apache APISIX 3.0
The open-source API Gateway Apache APISIX released a preview of version 3.0, which involves ten highlights of the 3.0 version of Apache APISIX. The author selected the most critical eight points for analysis. These eight highlights are all for open-source versions, focusing on ecosystem and technological improvements.
Highlights | Type | Target User | Improvement | Supported by Kong? |
---|---|---|---|---|
Full Support of ARM64 | Ecosystem | Companies migrating to the cloud at scale | Reduce server costs | Yes, partially |
gRPC Client | Performance | Optimization requirements of APISIX | Optimization | No |
Enhanced Service Discovery Support | Ecosystem, Function | Businesses relying on microservices | | No |
xRPC Framework | Ecosystem, Function | Internet companies | Reduce server costs | No |
Observability on L4 | Function | Large and medium-sized enterprises with complex business functions | Enhance observability | No |
Support Gateway API | Ecosystem | Internet companies | Manage APIs better for enterprise users | Yes |
More Plugins: OpenFunction, ClickHouse, Elasticsearch, SAML, CAS | Ecosystem, Function | Internet companies | Environment variables for OSS, AWS Secrets Manager, and HashiCorp Vault for Enterprise | No |
AI Plane | Intelligence | Internet companies | Performance issues with a large number of APIs and reduced server costs | No |
The table above also shows that Apache APISIX 3.0 concentrates on ecosystem and functional improvements. Two of these highlights stand out:
- AI plane: In addition to the data plane and control plane, Apache APISIX adds an AI plane in the 3.0 version, which relieves application and ops developers from the pressure of use and O&M (operation and maintenance) through learning and analysis of API traffic and configuration. For example, the following two scenarios can be automatically optimized by the AI plane:
  - Discover APIs without authentication and send managers risk warnings.
  - Speed up processing by skipping unnecessary stages for APIs that are only configured with plug-ins in the access stage, such as identity authentication.

  The AI plane brings new possibilities to traffic processing. In the future, automatic warm-up of upstream services and security threat detection can both be handled through the AI plane.
- Full support for ARM64: ARM64 has become a very mainstream server architecture for cloud vendors. Various cloud vendors have begun rolling out servers based on the Arm architecture, such as AWS Graviton and GCP Tau T2A. Apache APISIX has done a comprehensive CI regression test on ARM64 to ensure smoothness when users run Apache APISIX under the Arm architecture. Users care a lot about this. The performance comparison of ARM architecture with GCP and AWS has received nearly 100 comments on Hacker News.
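The first AI-plane scenario above (discovering APIs without authentication) can be approximated with a static check over exported gateway configuration. The Python below is an added example, not APISIX code and not how the AI plane is implemented; the flattened snapshot layout, the sample routes and the choice of plugins in AUTH_PLUGINS are assumptions made for illustration.

```python
# Plugins that authenticate the caller (APISIX plugin names; extend for your deployment).
AUTH_PLUGINS = {"key-auth", "jwt-auth", "basic-auth", "hmac-auth", "ldap-auth",
                "openid-connect", "authz-keycloak", "wolf-rbac", "forward-auth", "cas-auth"}

def is_enabled(conf):
    # APISIX 3.0 disables a plugin via _meta.disable; 2.x used a top-level "disable".
    conf = conf or {}
    return not (conf.get("disable") or conf.get("_meta", {}).get("disable"))

def has_auth(plugins):
    return any(name in AUTH_PLUGINS and is_enabled(conf) for name, conf in plugins.items())

def effective_plugins(route, services, plugin_configs):
    # A same-named plugin on a more specific object wins: service < plugin config < route.
    merged = {}
    merged.update(services.get(route.get("service_id"), {}).get("plugins", {}))
    merged.update(plugin_configs.get(route.get("plugin_config_id"), {}).get("plugins", {}))
    merged.update(route.get("plugins", {}))
    return merged

def unauthenticated_routes(snapshot):
    """Return (route id, uri) for every route with no enabled authentication plugin."""
    # Global rules run for every request, so enabled auth there covers all routes.
    if any(has_auth(rule.get("plugins", {})) for rule in snapshot.get("global_rules", [])):
        return []
    services = {s["id"]: s for s in snapshot.get("services", [])}
    plugin_configs = {p["id"]: p for p in snapshot.get("plugin_configs", [])}
    return [(r["id"], r.get("uri")) for r in snapshot.get("routes", [])
            if not has_auth(effective_plugins(r, services, plugin_configs))]

# Constructed sample snapshot (assumed layout), not taken from a real deployment.
SNAPSHOT = {
    "services": [{"id": "svc-pay", "plugins": {"jwt-auth": {}}}],
    "plugin_configs": [{"id": "pc-1", "plugins": {"limit-count": {"count": 100, "time_window": 60}}}],
    "global_rules": [{"id": "1", "plugins": {"prometheus": {}}}],
    "routes": [
        {"id": "r1", "uri": "/pay/*", "service_id": "svc-pay"},  # inherits jwt-auth
        {"id": "r2", "uri": "/orders/*", "plugins": {"key-auth": {"_meta": {"disable": True}}}},
        {"id": "r3", "uri": "/health", "plugin_config_id": "pc-1"},  # rate limit only
        {"id": "r4", "uri": "/admin/*", "plugins": {"basic-auth": {}}},
        {"id": "r5", "uri": "/pay/status", "service_id": "svc-pay",
         "plugins": {"jwt-auth": {"_meta": {"disable": True}}}},  # route disables inherited auth
    ],
}

if __name__ == "__main__":
    for route_id, uri in unauthenticated_routes(SNAPSHOT):
        print(f"WARNING: route {route_id} ({uri}) has no enabled authentication plugin")
```

Routes r2 and r5 are the cases a simple "does the route mention an auth plugin" check misses: the plugin is present in the configuration but disabled.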
Conclusion
Kong Gateway 3.0 has made new progress in compliance, usability, functions, and performance, focusing more on enterprise security compliance. All the functions introduced by Apache APISIX 3.0 are open-source while paying more attention to ecosystem and new technology exploration.
Let's wait and see how Kong and Apache APISIX will iterate and develop in the future!