Skip to main content

Kong vs Envoy vs Tyk vs AWS API Gateway 2026

·APIScout Team
kongenvoytykaws api gatewayapi gatewayservice meshrate limitingapi comparison2026

API Gateways Diverged by Deployment Model

In 2019, every API gateway comparison was essentially "which reverse proxy has the best plugin ecosystem?" By 2026, the category has split into distinct architectural patterns that aren't interchangeable:

  • Kong and Tyk: Traditional API gateway control planes with rich plugin systems, designed for teams that want to centralize API management across services
  • Envoy: A high-performance L4/L7 proxy built for service mesh — the data plane behind Istio and AWS App Mesh, programmable via xDS APIs
  • AWS API Gateway: Managed, serverless-native, deeply integrated with Lambda and the AWS ecosystem — zero infrastructure management at the cost of AWS lock-in

The right answer depends on your deployment model (Kubernetes, cloud-native, on-prem), your team's infrastructure sophistication, and whether you need a control plane UI or raw proxy performance.

TL;DR

Kong is the most mature self-managed API gateway with the largest plugin ecosystem — available as open source (Kong Gateway OSS) or managed (Konnect). Envoy is the industry-standard L7 proxy for Kubernetes service mesh — you rarely use it directly; it runs as a sidecar via Istio, Envoy Gateway, or AWS App Mesh. Tyk is the best open-source alternative to Kong with a strong developer portal and flexible deployment. AWS API Gateway is the serverless-native choice — zero ops, direct Lambda integration, but AWS lock-in and per-request pricing that gets expensive at scale.

Key Takeaways

  • Kong: ~40K GitHub stars; Kong Gateway 3.10 LTS; OSS free (OIDC/RBAC/GUI enterprise-only); Konnect managed; Kong AI Gateway 3.11 (July 2025) adds LLM features
  • Envoy: ~25K GitHub stars; always free (CNCF); Envoy Gateway v1.3 implements Kubernetes Gateway API; powers Istio, AWS App Mesh, Contour
  • Tyk: ~10.6K GitHub stars; full gateway feature set in OSS (including Dev Portal — unlike Kong); Tyk Cloud ~$1,800/month+; written in Go
  • AWS API Gateway: HTTP API $1.00/M; REST API $3.50/M; WebSocket $1.00/M messages + $0.25/M connection-minutes; default 10K RPS throttle
  • Performance: Kong ~138K RPS official benchmark (no plugins); Envoy near bare-metal (C++); AWS throttled at 10K RPS default
  • Best for Kubernetes: Kong Ingress Controller or Envoy Gateway (Kubernetes Gateway API spec)

Pricing Comparison

OptionSelf-Hosted CostManaged/Cloud CostNotes
Kong Gateway OSSFreeOpen source, Apache 2.0
Kong KonnectFree (Dev tier)$250–$1,000+/monthManaged control plane
Kong EnterpriseCustomCustomFull enterprise features
EnvoyFreeCNCF open source; no vendor product
Tyk OSSFreeOpen source, MPL-2.0
Tyk Cloud~$500/monthManaged SaaS
Tyk EnterpriseCustomCustomOn-prem + support
AWS API Gateway RESTN/A$3.50/M requests + dataFirst 1M free/month
AWS API Gateway HTTPN/A$1.00/M requestsFirst 1M free/month

AWS API Gateway Pricing Detail

AWS API Gateway has two main API types with very different pricing:

  • HTTP API: $1.00/million requests (first 300M/month); 71% cheaper than REST API; missing WAF, usage plans, caching
  • REST API: $3.50/million requests (first 333M/month); supports caching ($0.02/hr/GB), API keys, usage plans, WAF
  • WebSocket API: $1.00/million messages + $0.25/million connection-minutes (idle connections incur charges); 500 new connections/second limit; regional only
  • Data transfer: $0.09/GB outbound (same as standard AWS egress)
  • Caching: Optional, $0.02/hour/GB — billed separately per stage

At 100M requests/month: HTTP API = $100/month; REST API = $350/month. At 1 billion requests/month: HTTP API = $550/month vs REST API = $1,925/month.

Throttling limits: Default 10,000 RPS steady-state, 5,000 burst (token bucket) per account per region. Newer regions (Cape Town, Milan, Jakarta, UAE) default to 2,500 RPS / 1,250 burst. Limits are soft and can be increased via AWS Support. If your workload exceeds these, AWS API Gateway is not the right choice — consider an ALB + Lambda directly.

Architecture Deep-Dive

Kong: Plugin-Driven Gateway

Kong is built on OpenResty (Nginx + Lua) with a plugin architecture that intercepts requests at configurable phases:

# Kong declarative config (deck)
services:
  - name: user-service
    url: http://users.internal:8080
    routes:
      - name: users-route
        paths:
          - /api/users
    plugins:
      - name: rate-limiting
        config:
          minute: 100
          policy: redis
          redis_host: redis
      - name: jwt
        config:
          secret_is_base64: false
      - name: request-transformer
        config:
          add:
            headers:
              - "X-Request-ID:$(uuid)"
      - name: prometheus
        # Exposes /metrics endpoint for Prometheus scraping

# Kong Konnect — control plane managed, data plane self-hosted
# Install data plane
curl -Ls https://get.konghq.com/install.sh | bash
kong start -c /etc/kong/kong.conf

# Deploy via Kong Ingress Controller on Kubernetes
helm repo add kong https://charts.konghq.com
helm install kong/kong --set ingressController.installCRDs=false

Kong's 60+ plugins cover rate limiting, auth (JWT, OAuth2, HMAC, LDAP, OIDC), transforms, logging (to Datadog, Splunk, TCP), and more. Enterprise adds secrets management (Vault), OPA policy enforcement, and RBAC.

Envoy: Programmable L7 Proxy

Envoy is configured via the xDS (discovery service) API, typically through a control plane like Istio:

# Envoy standalone config — direct YAML
static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address: { address: 0.0.0.0, port_value: 10000 }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  virtual_hosts:
                    - name: local_service
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/" }
                          route: { cluster: target_service }
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: target_service
      connect_timeout: 0.25s
      type: STRICT_DNS
      load_assignment:
        cluster_name: target_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address: { address: backend, port_value: 8080 }

# More commonly: Envoy via Istio VirtualService + DestinationRule
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: user-service
spec:
  http:
    - match:
        - uri:
            prefix: /api/users
      route:
        - destination:
            host: users
            port:
              number: 8080
      retries:
        attempts: 3
        perTryTimeout: 2s
      fault:
        delay:
          percentage:
            value: 0.1
          fixedDelay: 5s  # Chaos testing: inject 100ms delay on 0.1% of traffic

Envoy's real power is dynamic configuration via xDS — the control plane pushes updates without Envoy restart, enabling zero-downtime reconfiguration at Kubernetes scale.

Tyk: Open Source with Developer Portal

Tyk differentiates with a built-in developer portal — a self-service API documentation and key management interface:

// Tyk API definition
{
  "name": "User Service",
  "api_id": "user-service-v1",
  "slug": "user-service",
  "auth": {
    "auth_header_name": "Authorization"
  },
  "definition": {
    "location": "header",
    "key": "x-api-version"
  },
  "version_data": {
    "versions": {
      "v1": {
        "name": "v1",
        "global_rate_limit": {
          "rate": 100,
          "per": 60
        },
        "paths": {
          "black_list": [],
          "white_list": [],
          "ignored": []
        }
      }
    }
  },
  "proxy": {
    "target_url": "http://users.internal:8080"
  }
}

# Tyk OSS — Docker Compose
curl https://raw.githubusercontent.com/TykTechnologies/tyk-gateway-docker/master/docker-compose.yml -o docker-compose.yml
docker compose up

# Tyk API via CLI
tyk api import --file api-definition.json

Tyk's developer portal generates interactive API documentation, manages API subscriptions, and issues API keys — capabilities that Kong OSS lacks (Kong Enterprise required) and AWS API Gateway only partially supports.

AWS API Gateway: Serverless Native

// Lambda + API Gateway — zero infrastructure
export const handler = async (event) => {
  const userId = event.pathParameters.id

  // API Gateway authorizer injects user context
  const user = event.requestContext.authorizer?.claims

  return {
    statusCode: 200,
    headers: {
      'Content-Type': 'application/json',
      'Access-Control-Allow-Origin': '*'
    },
    body: JSON.stringify({ userId, user })
  }
}

# SAM / CloudFormation — API Gateway + Lambda wiring
Resources:
  UsersApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      Cors:
        AllowMethods: "'GET,POST,OPTIONS'"
        AllowHeaders: "'Content-Type,Authorization'"
        AllowOrigin: "'*'"
      Auth:
        DefaultAuthorizer: CognitoAuthorizer
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !GetAtt UserPool.Arn

  GetUserFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: src/handlers/getUser.handler
      Events:
        GetUser:
          Type: Api
          Properties:
            RestApiId: !Ref UsersApi
            Path: /users/{id}
            Method: GET

AWS API Gateway's deep integration with Lambda, Cognito, IAM, and WAF makes it the natural choice for AWS-native applications. The HTTP API type is 71% cheaper than REST API and sufficient for most use cases.

Feature Comparison

FeatureKongEnvoyTykAWS API Gateway
Rate limiting✅ Plugin✅ Local/Global✅ Built-in✅ (usage plans)
Auth (JWT, OAuth2, API Key)✅ Plugins✅ (via filter)✅ Built-in✅ (Cognito/Lambda)
Request/Response transform✅ (mapping templates)
WebSocket support
gRPC support❌ (HTTP/2 only)
GraphQL support✅ (Enterprise)
Developer portal❌ (Enterprise)✅ (built-in)✅ (basic)
Service mesh✅ (Kong Mesh)✅ (native)
Kubernetes ingress✅ (KIC)✅ (Envoy Gateway)
Multi-cloud❌ (AWS only)
Self-hosted
Analytics built-in✅ (Konnect)✅ (CloudWatch)

Performance Benchmarks

Envoy's C++ data plane consistently benchmarks fastest among the four:

GatewayThroughput (RPS)P99 LatencyMemory
EnvoyNear bare-metal~1ms~50MB
Kong (no plugins)~138K RPS (official AWS EKS benchmark)~3.8ms P95~100MB
Kong (rate limit + key-auth)~96K RPS~5ms P95~100MB
Tyk4,000+ RPS typical; claims to outperform Kong with plugins enabled~3ms~80MB
AWS API GatewayManaged; default 10K RPS throttle (soft limit, increasable via support)5–15msN/A

Kong's official benchmarks are published and reproducible via their open-source k6-based benchmark framework. Tyk's comparison figures are self-reported. Envoy benchmarks vary widely by workload and sidecar mode.

Kong's Lua-based plugins add some overhead vs Envoy's C++ filters, but Kong's official 138K RPS benchmark with no plugins — and 96K RPS with auth + rate limiting — is far higher than commonly cited figures. Tyk's Go runtime eliminates Lua overhead entirely and claims competitive performance with heavy plugin load.

When to Choose Each

Choose Kong if:

  • You want the largest plugin ecosystem (50+ official plugins; 100s community)
  • You need a managed control plane (Konnect) without managing the full stack
  • You're running on Kubernetes and want a battle-tested Ingress Controller
  • You're building AI/LLM API infrastructure — Kong AI Gateway 3.11 (July 2025) adds prompt compression, PII sanitization, AWS Bedrock Guardrails, and multimodal GenAI support
  • You need enterprise features (OIDC, OPA, Vault, RBAC) — note: these are Enterprise-only, not in OSS

Choose Envoy if:

  • You're implementing a service mesh (Kubernetes + Istio/Linkerd)
  • You need the highest throughput and lowest latency
  • You want dynamic xDS-based configuration
  • You're using AWS App Mesh, Contour, or another Envoy-based control plane
  • You want a raw proxy you can program without a plugin model

Choose Tyk if:

  • You need a full gateway feature set in OSS — Tyk's open-source version includes the Dev Portal, analytics, and OIDC/JWT/OAuth, unlike Kong which gates these behind Enterprise
  • You prefer Go-based architecture (vs Kong's Lua) for performance and maintainability
  • You want GraphQL federation gateway support natively (not a plugin)
  • You need event-driven API support with Kafka (Tyk Streams on paid plans)
  • You're deploying on-prem, Kubernetes, or hybrid and want all three under one product

Choose AWS API Gateway if:

  • You're building serverless with Lambda (zero infrastructure)
  • You're already all-in on AWS (Cognito, WAF, CloudWatch integration)
  • You want managed scaling with no ops overhead
  • Your request volume doesn't justify $3.50/million at scale (Compute-based alternatives become cheaper above ~500M req/month)

Track Kong, Tyk, and AWS API Gateway uptime and API health on APIScout.

Related: Cloudflare Workers vs Vercel Edge vs Lambda@Edge 2026 · LLM API Pricing 2026

Comments