Is Kong or Ambassador better for Kubernetes?

Ambassador (Emissary-Ingress) is more Kubernetes-native by design — it uses CRD-based configuration, automatic service discovery, and Gateway API support natively. Kong works with Kubernetes through Kong Ingress Controller but was not designed K8s-first and still requires a database. Apache APISIX offers native K8s CRD support while also running outside Kubernetes.

How does Kong performance compare to Ambassador (Envoy)?

Kong (NGINX-based) achieves ~16,000 RPS with 3.5ms p99 latency. Ambassador (Envoy-based) provides comparable throughput but with higher memory consumption. Apache APISIX outperforms both at 23,000 QPS per core with 0.2ms latency, combining NGINX efficiency with etcd-based dynamic configuration.

Can Ambassador run outside of Kubernetes?

No. Ambassador / Emissary-Ingress is designed exclusively for Kubernetes. Its CRD-based configuration and control plane require a K8s cluster. If you need an API gateway for bare metal, VMs, or non-K8s environments, consider Kong or Apache APISIX, both of which run on any infrastructure.

Which has a better plugin ecosystem: Kong or Ambassador?

Kong has a larger plugin ecosystem (100+ plugins), but many advanced features are Enterprise-only (~$50K/year). Ambassador uses Envoy filters and Wasm with a smaller but growing ecosystem. Apache APISIX provides 100+ fully open-source plugins with no enterprise paywall, supporting custom development in Lua, Go, Java, Python, or Wasm.

What is the best GitOps-friendly API gateway?

Ambassador was built for GitOps with CRD-based configuration that works natively with ArgoCD and Flux. Apache APISIX also supports declarative YAML/JSON and Kubernetes CRDs for GitOps workflows. Kong supports GitOps through decK but was not designed GitOps-first and requires database state management.

New

Announcing AISIX: The AI-Native AI Gateway for LLMs and AI AgentsLearn More

Learn More

API gateway comparison

Kong vs. Ambassador Edge Stack

Kong and Ambassador (now Emissary-Ingress for OSS, Edge Stack for commercial) are popular API gateways with fundamentally different architectures. Kong is built on NGINX/OpenResty with a Lua plugin ecosystem, while Ambassador is built on Envoy Proxy with a Kubernetes-native CRD-based configuration model. This comparison evaluates NGINX vs Envoy performance, Kubernetes integration depth, GitOps readiness, plugin ecosystems, and pricing — plus how Apache APISIX delivers the best of both approaches.

Try API7 for Free Book a Demo

Comparison

Kong

Ambassador

API7 Enterprise

Architecture

NGINX/OpenResty + PostgreSQL or Cassandra; configurable through Admin API, decK CLI, or Kong Konnect cloud

Envoy Proxy data plane + Ambassador control plane; CRD-based configuration, Kubernetes-native by design

NGINX/OpenResty + etcd — stateless data plane with millisecond config sync; no database required

Kubernetes Integration

Kong Ingress Controller available; works with K8s but not Kubernetes-native by design — requires database for clustering

Deeply Kubernetes-native — CRD-based Mappings, Gateway API support, automatic service discovery, namespace isolation

Native Kubernetes Ingress Controller with CRD-based routing, Helm deployment, and Gateway API support

Performance (QPS)

~16,000 RPS per node with ~3.5ms p99 latency; NGINX event loop provides reliable baseline throughput

Envoy C++ data plane provides good throughput; higher memory footprint than NGINX; warm-up time for xDS config sync

Ultra-high — 23,000 QPS per core, 0.2ms latency; outperforms both Kong (NGINX) and Ambassador (Envoy)

Protocol Support

HTTP/1.1, HTTP/2, gRPC, TCP, UDP, WebSocket, GraphQL; broad protocol coverage

HTTP/1.1, HTTP/2, gRPC, WebSocket, TCP; GraphQL support via Envoy filters; limited legacy protocol support

HTTP/1.1, HTTP/2, HTTP/3, gRPC, TCP, UDP, WebSocket, MQTT, Dubbo, and custom Layer 4/7 protocols

Plugin Ecosystem

100+ plugins; many advanced features (OIDC, OPA, mTLS, rate limiting tiers) locked behind Enterprise

Envoy filters and WebAssembly (Wasm) extensions; smaller ecosystem than Kong or APISIX plugins

100+ fully open-source plugins — auth, traffic, observability, AI — no enterprise paywall

GitOps & CI/CD

decK for declarative config; Kong Ingress Controller supports CRDs; not natively GitOps-first

Built for GitOps — CRD-based config works natively with ArgoCD, Flux; canary/blue-green via Envoy traffic splitting

Declarative YAML/JSON config; Kubernetes CRDs; native integration with ArgoCD, Jenkins, and GitHub CI/CD

Developer Portal

Kong Dev Portal (Enterprise only) with API catalog and developer onboarding; starts at ~$50K/year

No built-in developer portal; Edge Stack includes basic API catalog (commercial)

API7 Portal with documentation, monetization, and self-service subscription — included in Enterprise

Security

JWT, OAuth2, API keys, mTLS (Enterprise), ACLs; Kong Konnect for cloud-managed security policies

OAuth2, JWT, API keys via Envoy filters; integrates with Open Policy Agent (OPA) and external auth services

JWT, OIDC, OAuth2, mTLS, FIPS 140-2, fine-grained RBAC and IAM — all included

Observability

Prometheus, Datadog, Zipkin, OpenTelemetry via plugins; Kong Konnect for advanced analytics (Enterprise)

Envoy-native metrics (Prometheus), distributed tracing (Jaeger, Zipkin), access logging; no built-in dashboards

OpenTelemetry, Prometheus, Grafana, Datadog, SkyWalking — fully open-source observability stack

Pricing Model

Free OSS tier; Enterprise starts ~$50K/year with per-service or per-request pricing tiers

Emissary-Ingress (free OSS); Edge Stack commercial pricing per cluster — can reach $50K-$100K/year

CPU-core based subscription; significantly lower than Kong Enterprise or Ambassador Edge Stack

Vendor Lock-in

Controlled by Kong Inc.; Enterprise features proprietary; licensing concerns for community edition

Emissary-Ingress is CNCF project (Apache 2.0); Edge Stack commercial features proprietary to Ambassador Labs (now Datawire)

None — built on Apache APISIX (Apache 2.0), governed by the Apache Software Foundation

Deployment Flexibility

Runs on bare metal, Docker, Kubernetes, and cloud; not limited to K8s like Ambassador

Kubernetes-only; not designed for bare metal, VM, or non-K8s environments

Runs anywhere — bare metal, Docker, Kubernetes, multi-cloud, hybrid-cloud, and edge deployments

What to consider most when choosing the API gateway

1. NGINX vs Envoy: Architecture Trade-offs

Kong uses NGINX/OpenResty with Lua plugins. This architecture provides excellent HTTP proxying performance with low memory footprint. However, Kong requires PostgreSQL or Cassandra for clustering configuration, adding operational complexity. The Lua plugin ecosystem is mature but narrower than some alternatives.

Ambassador uses Envoy Proxy with a custom control plane. Envoy provides a modern C++ data plane with advanced load balancing (circuit breaking, outlier detection, weighted routing) and xDS API for dynamic configuration. The trade-off is higher memory consumption, JIT warm-up time, and a smaller plugin ecosystem compared to NGINX-based gateways.

Apache APISIX combines NGINX's efficiency with etcd for distributed configuration — eliminating the database dependency that burdens Kong while providing millisecond config propagation that rivals Envoy's xDS. The result is the highest throughput (23,000 QPS/core) with the lowest latency (0.2ms) among all three options, plus a plugin system that supports Lua, Go, Java, Python, and Wasm.

2. Kubernetes-Native vs Kubernetes-Compatible

Ambassador is the most Kubernetes-native option. Its CRD-based Mappings, automatic service discovery, namespace-level isolation, and Gateway API support make it feel like a natural extension of Kubernetes. For pure K8s environments, Ambassador's GitOps workflow (CRDs + ArgoCD/Flux) is seamless. The limitation is that Ambassador is Kubernetes-only — it cannot run outside K8s.

Kong works with Kubernetes through the Kong Ingress Controller, but it was not designed Kubernetes-native. It uses the same PostgreSQL or Cassandra backend in K8s, and some configurations require the Admin API rather than CRDs. Kong's advantage is flexibility — it runs equally well on bare metal, VMs, Docker, and K8s.

Apache APISIX offers a native Kubernetes Ingress Controller with full CRD support, Helm charts, and Gateway API compatibility — matching Ambassador's Kubernetes integration. Unlike Ambassador, APISIX also runs on bare metal, Docker, and VMs with identical configuration, making it the best choice for organizations with mixed infrastructure.

3. Plugin Ecosystem and Extensibility

Kong has the largest plugin ecosystem with 100+ plugins, but most advanced features (OIDC, OPA integration, advanced rate limiting, mTLS) are locked behind the Enterprise license starting at ~$50K/year. The open-source edition provides a solid foundation but may fall short for production security requirements.

Ambassador's extensibility comes through Envoy filters and WebAssembly (Wasm). While powerful, the ecosystem is smaller and the learning curve steeper than Lua or YAML-based plugin systems. Ambassador relies on external services (OPA, ext-auth) for advanced functionality that Kong and APISIX handle natively.

Apache APISIX provides 100+ fully open-source plugins with no enterprise paywall — including authentication (JWT, OIDC, OAuth2), traffic management, observability, and AI plugins. Custom plugins can be written in Lua, Go, Java, Python, or Wasm, making APISIX the most extensible option with the lowest barrier to advanced functionality.

4. GitOps Readiness and CI/CD Integration

Ambassador was built for GitOps from the ground up. CRD-based configuration means gateway routes, rate limits, and auth policies are Kubernetes manifests that live in Git. Integration with ArgoCD and Flux is native. Canary deployments and traffic splitting work through Envoy's built-in capabilities. For teams practicing GitOps, Ambassador provides the most frictionless workflow.

Kong supports GitOps through decK (declarative configuration tool) and Kong Ingress Controller CRDs, but it was not designed GitOps-first. Some configurations require imperative Admin API calls, and the database dependency adds state management complexity to GitOps pipelines.

Apache APISIX supports fully declarative YAML/JSON configuration and Kubernetes CRDs, working natively with ArgoCD, Jenkins, and GitHub Actions. Its etcd-based configuration store is lightweight and stateless from the data plane perspective — simpler to manage in GitOps workflows than Kong's database-backed configuration.

5. When to Choose Each Gateway

Choose Kong if you need a mature API gateway ecosystem that works across Kubernetes, bare metal, and cloud with a large plugin library and established enterprise support. Kong is strongest for organizations that value ecosystem maturity and vendor support over Kubernetes-native design.

Choose Ambassador / Emissary-Ingress if you run a pure Kubernetes environment and want the most Kubernetes-native gateway experience with GitOps-first workflows, CRD-based configuration, and deep Envoy integration. Accept the trade-off of K8s-only deployment and a smaller plugin ecosystem.

Choose Apache APISIX / API7 Enterprise if you need top-tier performance (23,000 QPS/core), full Kubernetes-native support AND bare metal/cloud flexibility, 100+ open-source plugins with no paywall, and the lowest total cost. API7 Enterprise is ideal for organizations that want Ambassador's Kubernetes-native workflow with Kong's deployment flexibility — without the vendor lock-in of either.

Frequently Asked Questions

Ready to get started?

For more information about full API lifecycle management, please contact us to Meet with our API Experts.