API Gateway Patterns: Kong vs Envoy vs Traefik in 2025
Compare Kong, Envoy, and Traefik as API gateways. We cover rate limiting, authentication, load balancing, plugins, and when to use each based on your...
The API Gateway Role
An API gateway sits between clients and your backend services. It handles cross-cutting concerns so your services do not have to: authentication, rate limiting, request routing, load balancing, caching, and observability.
API gateway pattern: a single entry point handles auth, rate limiting, and routing to backend services.
Without an API gateway, every service implements its own auth middleware, rate limiter, and logging. With one, you centralize these concerns.
The Three Contenders
Kong: The Full-Featured Gateway
Kong started as an Nginx-based API gateway and evolved into a comprehensive API management platform. It is the most feature-rich option.
# Kong with Docker Compose
services:
kong-database:
image: postgres:16
environment:
POSTGRES_DB: kong
POSTGRES_USER: kong
POSTGRES_PASSWORD: secret
kong:
image: kong:3.8
environment:
KONG_DATABASE: postgres
KONG_PG_HOST: kong-database
KONG_PG_USER: kong
KONG_PG_PASSWORD: secret
KONG_PROXY_LISTEN: 0.0.0.0:8000
KONG_ADMIN_LISTEN: 0.0.0.0:8001
ports:
- "8000:8000"
- "8001:8001"
Kong route configuration:
Get more insights on Cloud Infrastructure
Join 2,000+ engineers who get our weekly deep-dives. No spam, unsubscribe anytime.
# Create a service
curl -i -X POST http://localhost:8001/services/ \
--data name=user-service \
--data url=http://user-api:3000
# Create a route
curl -i -X POST http://localhost:8001/services/user-service/routes \
--data paths[]=/api/users \
--data strip_path=false
# Add rate limiting plugin
curl -i -X POST http://localhost:8001/services/user-service/plugins \
--data name=rate-limiting \
--data config.minute=100 \
--data config.policy=local
# Add JWT authentication
curl -i -X POST http://localhost:8001/services/user-service/plugins \
--data name=jwt
Envoy: The Programmable Proxy
Envoy is a high-performance L4/L7 proxy designed for cloud-native architectures. It is the data plane for Istio and many other service meshes.
# envoy.yaml
static_resources:
listeners:
- name: main
address:
socket_address:
address: 0.0.0.0
port_value: 8080
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress
route_config:
name: local_route
virtual_hosts:
- name: api
domains: ["api.example.com"]
routes:
- match:
prefix: "/api/users"
route:
cluster: user-service
- match:
prefix: "/api/orders"
route:
cluster: order-service
retry_policy:
retry_on: "5xx"
num_retries: 3
http_filters:
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: user-service
connect_timeout: 5s
type: STRICT_DNS
load_assignment:
cluster_name: user-service
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: user-api
port_value: 3000
Traefik: The Docker-Native Gateway
Traefik auto-discovers services from Docker, Kubernetes, and other providers. No config files needed — just labels.
# Service with Traefik labels
services:
user-api:
image: user-api:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.user-api.rule=Host(`api.example.com`) && PathPrefix(`/api/users`)"
- "traefik.http.routers.user-api.entrypoints=web"
- "traefik.http.services.user-api.loadbalancer.server.port=3000"
# Rate limiting middleware
- "traefik.http.middlewares.user-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.user-ratelimit.ratelimit.burst=50"
- "traefik.http.routers.user-api.middlewares=user-ratelimit"
Feature Comparison
| Feature | Kong | Envoy | Traefik |
|---|---|---|---|
| Config method | Admin API / DB | YAML / xDS API | Docker labels / YAML |
| Service discovery | DNS, Consul | DNS, EDS | Docker, K8s, Consul |
| Rate limiting | Plugin (built-in) | Filter (built-in) | Middleware (built-in) |
| Authentication | JWT, OAuth2, LDAP, mTLS | JWT, ext_authz | ForwardAuth, BasicAuth |
| Load balancing | Round-robin, hash, least-conn | 6+ algorithms | Round-robin, WRR |
| Circuit breaking | Plugin | Built-in | Built-in |
| WebSocket | Yes | Yes | Yes |
| gRPC | Yes | Native | Yes |
| WASM extensibility | No | Yes | No |
| Plugin ecosystem | 100+ plugins | WASM + Lua filters | Middlewares + plugins |
| Memory footprint | ~200MB (+DB) | ~50MB | ~30MB |
| Config complexity | Medium | High | Low |
| Dashboard | Kong Manager (paid) | No (use Kiali) | Built-in (free) |
A reverse proxy terminates TLS, routes requests by hostname, and load-balances across backend services.
API Gateway Patterns
Pattern 1: Backend for Frontend (BFF)
Route different clients to different backend compositions:
Mobile App → /mobile/* → Mobile BFF → [User, Order, Payment]
Web App → /web/* → Web BFF → [User, Order, Catalog]
Admin Panel → /admin/* → Admin BFF → [User, Analytics, Config]
Pattern 2: API Versioning
/api/v1/users → user-service-v1 (weight: 100%)
/api/v2/users → user-service-v2 (weight: 100%)
/api/v3/users → user-service-v2 (weight: 90%) + user-service-v3 (weight: 10%)
Pattern 3: Rate Limiting Tiers
Free Resource
Free Cloud Architecture Checklist
A 47-point checklist covering security, scalability, cost optimization, and disaster recovery for production cloud environments.
Free tier: 100 requests/minute
Pro tier: 1,000 requests/minute
Enterprise: 10,000 requests/minute
Internal: No limit
Pattern 4: Request Transformation
Transform requests before they hit your services:
Client sends: GET /api/users/123
Gateway adds: X-Request-ID, X-Correlation-ID headers
Gateway strips: Cookie, Authorization (after auth check)
Backend gets: Clean request with validated context
Microservices architecture: independent services communicate through an API gateway and event bus.
Our Recommendation
Choose Kong when: You need a full API management platform with a plugin ecosystem, have a dedicated API team, need advanced auth (OAuth2 flows, LDAP), or want a commercial support option.
Choose Envoy when: You need maximum performance and programmability, are building a service mesh, need WASM extensibility, or are running at very high scale (100K+ RPS).
Choose Traefik when: You run Docker or Kubernetes, want zero-config service discovery, prefer simplicity over features, or are a small-to-medium team without dedicated API infrastructure engineers.
At TechSaaS, we use Traefik for everything. It handles our 50+ services with Docker label discovery, and the 30MB memory footprint means it barely registers on our resource monitoring. For most teams, Traefik's simplicity and Docker integration beats the feature richness of Kong or Envoy.
Related Service
Cloud Solutions
Let our experts help you build the right technology strategy for your business.
Need help with cloud infrastructure?
TechSaaS provides expert consulting and managed services for cloud infrastructure, DevOps, and AI/ML operations.
We Will Build You a Demo Site — For Free
Like it? Pay us. Do not like it? Walk away, zero complaints. You will spend way less than hiring developers or any agency.
No spam. No contracts. Just a free demo.