Quick Comparison
| Feature | Envoy | Traefik | Kong |
|---|---|---|---|
| Architecture | C++ sidecar/proxy | Go edge proxy | Lua/Go on Nginx |
| Config model | xDS API (dynamic) | File/Docker/K8s labels | Admin API + DB |
| K8s Gateway API | Yes (Envoy Gateway) | Yes (native) | Yes (KIC) |
| Service mesh | Istio/Cilium data plane | Traefik Mesh | Kong Mesh (Kuma) |
| Plugins | WASM + Lua filters | Middleware chain | 100+ plugins |
| TLS termination | Yes | Yes (Let's Encrypt auto) | Yes |
| Performance (RPS) | ~180K | ~120K | ~100K |
| License | Apache 2.0 | MIT | Apache 2.0 |
Envoy Proxy
Envoy is a high-performance L4/L7 proxy designed for cloud-native service mesh architectures. It was created at Lyft and is now a CNCF graduated project.
Architecture
```
┌─────────────────────────────────────────┐
│              Control Plane              │
│      (Istio/Envoy Gateway/Consul)       │
└────────────────────┬────────────────────┘
                     │ xDS API (gRPC)
      ┌──────────────┼──────────────┐
      ▼              ▼              ▼
 ┌────────┐     ┌────────┐     ┌────────┐
 │ Envoy  │     │ Envoy  │     │ Envoy  │
 │Sidecar │     │Sidecar │     │Sidecar │
 └────┬───┘     └────┬───┘     └────┬───┘
      │              │              │
 ┌────┴───┐     ┌────┴───┐     ┌────┴───┐
 │Service │     │Service │     │Service │
 │   A    │     │   B    │     │   C    │
 └────────┘     └────────┘     └────────┘
```
Key Features
- xDS dynamic configuration: no restarts needed for route changes
- Advanced load balancing: ring hash, maglev, zone-aware, priority-based
- Observability built-in: distributed tracing, metrics, access logs
- WASM filter chain: extend with WebAssembly plugins
- HTTP/2 and gRPC native: full multiplexing support
Envoy Gateway (Kubernetes)
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: api-gateway
spec:
  gatewayClassName: envoy
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        # Secret holding the certificate and key served on this listener
        certificateRefs:
          - name: api-cert
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api-routes
spec:
  # Attach this route to the Gateway defined above
  parentRefs:
    - name: api-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v2
      # Weighted split: 90% of matching requests to api-v2, 10% to api-v3
      backendRefs:
        - name: api-v2
          port: 8080
          weight: 90
        - name: api-v3
          port: 8080
          weight: 10
```
Best For
- Service mesh data plane (Istio, Cilium)
- High-performance L4/L7 proxying
- Complex traffic management (canary, mirroring, fault injection)
- gRPC-heavy architectures
Traefik
Traefik is a cloud-native edge router that auto-discovers services from Docker, Kubernetes, and other orchestrators.
Key Differentiators
- Auto-discovery: reads Docker labels, K8s Ingress, Consul catalog
- Let's Encrypt built-in: automatic certificate management
- Middleware chain: rate limiting, auth, headers, circuit breaker
- Dashboard: real-time UI showing routes and services
- Simple config: YAML/TOML file or dynamic providers
Kubernetes IngressRoute
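```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: api
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`api.example.com`) && PathPrefix(`/v2`)
      kind: Rule
      services:
        - name: api-v2
          port: 8080
      # Middlewares are applied in the order listed
      middlewares:
        - name: rate-limit
        # jwt-auth is referenced here but not defined in this snippet;
        # it must exist as its own Middleware resource
        - name: jwt-auth
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    # 100 requests per 1m period on average, with bursts of up to 200
    average: 100
    burst: 200
    period: 1m
```
Best For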
- Small-medium Kubernetes clusters
- Docker Compose development environments
- Teams wanting minimal configuration
- Auto-TLS with Let's Encrypt
- Edge routing without service mesh complexity
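To see what the `rate-limit` Middleware values above (`average: 100`, `burst: 200`, `period: 1m`) admit from a single source, the following added example (not Traefik code and not part of the original page) models the middleware as a token bucket. It assumes a refill rate of average/period, a capacity of burst, and a bucket that starts full; `TokenBucket` and `admitted` are names chosen for this sketch.

```python
"""Token-bucket model of the rate-limit Middleware values shown above.

Added illustration, not Traefik source code. Assumed semantics:
refill rate = average / period, capacity = burst, bucket starts full.
"""

AVERAGE = 100      # from the Middleware: requests allowed per period
BURST = 200        # from the Middleware: bucket capacity
PERIOD_S = 60.0    # from the Middleware: period "1m"


class TokenBucket:
    def __init__(self, average, burst, period_s):
        self.rate = average / period_s   # tokens added per second
        self.capacity = float(burst)
        self.tokens = float(burst)       # assumption: bucket starts full
        self.last = 0.0                  # time of the previous request

    def allow(self, now):
        """Return True if a request arriving at `now` (seconds) is admitted."""
        elapsed = now - self.last
        self.last = now
        # Refill for the elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                     # the proxy would answer 429 here


def admitted(requests_per_second, duration_s, bucket=None):
    """Count requests admitted from one source sending at a constant rate."""
    bucket = bucket or TokenBucket(AVERAGE, BURST, PERIOD_S)
    total = int(requests_per_second * duration_s)
    return sum(bucket.allow(i / requests_per_second) for i in range(total))


if __name__ == "__main__":
    first = admitted(50, 60)
    second = admitted(50, 120) - first
    print(f"50 req/s flood: {first} admitted in minute 1, {second} in minute 2")
    print(f"1 req/s client: {admitted(1, 60)} of 60 admitted")
```

Under this model a source sending 50 requests/s gets 299 requests through in the first minute and 100 in each following minute, so `burst`, not `average`, bounds what a short flood can push to the backend.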
Kong Gateway
Kong is an API gateway and management platform built on Nginx/OpenResty with a rich plugin ecosystem.
Architecture
```
┌─────────────────────────────────────┐
│          Kong Manager (UI)          │
└──────────────────┬──────────────────┘
                   │
┌──────────────────▼──────────────────┐
│            Kong Gateway             │
│  ┌──────┐ ┌──────┐ ┌──────┐         │
│  │Auth  │ │Rate  │ │Logger│ ...     │
│  │Plugin│ │Limit │ │Plugin│         │
│  └──────┘ └──────┘ └──────┘         │
│          Nginx + OpenResty          │
└──────────────────┬──────────────────┘
         ┌─────────┼─────────┐
         ▼         ▼         ▼
     Service A Service B Service C
```
Kong Plugins (100+)
| Category | Plugins |
|---|---|
| Auth | JWT, OAuth2, OIDC, mTLS, LDAP, Basic |
| Traffic | Rate limiting, request size, proxy cache |
| Transform | Request/response transform, correlation ID |
| Logging | Datadog, Prometheus, Kafka, HTTP log |
| Security | CORS, IP restriction, bot detection |
Best For
- API management platforms
- Multi-team API gateway with governance
- Plugin-heavy requirements (auth, transform, rate limit)
- Enterprises needing commercial support (Kong Enterprise)
- Developer portal requirements
Performance Benchmarks
Tested on c5.2xlarge, 1KB response body, 100 concurrent connections:
| Gateway | Requests/sec | P50 Latency | P99 Latency | Memory |
|---|---|---|---|---|
| Envoy | 182,000 | 0.4ms | 2.1ms | 45MB |
| Traefik | 124,000 | 0.6ms | 3.8ms | 38MB |
| Kong | 98,000 | 0.8ms | 5.2ms | 120MB |
| Kong (DB-less) | 112,000 | 0.7ms | 4.5ms | 85MB |
Decision Framework
Choose Envoy when:
- Building a service mesh (or using Istio/Cilium)
- Need maximum performance and advanced traffic management
- gRPC-native services
- Complex routing rules (header-based, weighted, mirroring)
Choose Traefik when:
- Simple edge routing with auto-TLS
- Docker Compose or small K8s clusters
- Want minimal operational overhead
- Auto-discovery from multiple providers
- Development and staging environments
Choose Kong when:
- API management is a core requirement
- Multiple teams sharing a gateway
- Need extensive plugin ecosystem
- Want a developer portal
- Enterprise support and SLAs needed