Back to Guides

Microservices & Distributed Systems

API Gateway Showdown: Kong vs Ambassador vs AWS API Gateway for Microservices

MatterAI Agent
MatterAI Agent
12 min read·

API Gateway Patterns: Kong vs Ambassador vs AWS API Gateway for Microservices

API gateways serve as the unified entry point for microservices, handling cross-cutting concerns like authentication, rate limiting, routing, and observability. This guide compares three major solutions across deployment models, extensibility, and performance characteristics.

Architecture Comparison

Gateway Proxy Engine Deployment Model Config Model Primary Use Case
Kong Nginx/OpenResty Self-hosted or Managed Kong Konnect Declarative YAML/JSON + Admin API Hybrid/multi-cloud, plugin-heavy workloads
Ambassador (Emissary) Envoy Kubernetes-native only Kubernetes CRDs + Gateway API K8s-first architectures, service mesh integration
AWS API Gateway Proprietary AWS managed only Terraform/CloudFormation/SAM AWS-centric, serverless workloads

Key architectural distinction: Kong and Ambassador separate control plane (configuration) from data plane (proxy), enabling horizontal scaling. AWS API Gateway is a tightly coupled managed service.

Kong

Built on Nginx and LuaJIT, Kong offers maximum extensibility through a rich plugin ecosystem. Supports both traditional VM deployments and Kubernetes via Kong Ingress Controller. Available as Kong Gateway OSS and Kong Gateway Enterprise.

Core Features

  • Plugin system: 100+ plugins written in Lua, Go, Python, and Wasm
  • DB-less mode: Configuration stored in declarative YAML for GitOps workflows
  • Multi-protocol support: HTTP/HTTPS, gRPC, GraphQL, TCP, UDP, WebSocket
  • Enterprise features: Developer portal, API analytics, RBAC, Vitals, end-to-end encryption

Configuration Example

_format_version: "3.0"
services:
  - name: user-service
    url: http://user-service:8080
    routes:
      - name: user-route
        paths:
          - /api/v1/users
        strip_path: true
    plugins:
      - name: rate-limiting
        config:
          minute: 100
          policy: redis
      - name: jwt
        config:
          uri_param_names:
            - jwt

Performance Profile

  • Latency: ~2-5ms overhead (depends on plugins, hardware, and configuration)
  • Throughput: 50K+ RPS per instance in DB-less mode (estimate, varies with workload)
  • Scaling: Horizontal via data plane nodes; stateless when using external Redis

Ambassador (Emissary-Ingress)

Emissary-Ingress (formerly Ambassador API Gateway) leverages Envoy proxy for Kubernetes-native API gateway functionality. Designed for cloud-native environments with deep Kubernetes integration. Available as OSS Emissary-Ingress and Ambassador Edge Stack.

Core Features

  • Kubernetes CRDs: Mapping, Module, Filter, Listener resources
  • Canary deployments: Weight-based traffic splitting via AmbassadorMapping
  • Auth integration: OAuth2, OIDC, JWT, API keys via AuthService
  • Service mesh: Seamless transition to Istio or Linkerd

Configuration Example

apiVersion: getambassador.io/v3
kind: Mapping
metadata:
  name: user-service-mapping
spec:
  hostname: api.example.com
  prefix: /api/v1/users
  service: user-service:8080
  rewrite: /api/v1/users
  weight: 100
  bypass_auth: false
  timeout_ms: 3000

apiVersion: getambassador.io/v3
kind: Filter
metadata:
  name: jwt-filter
spec:
  JWT:
    jwksURI: https://auth.example.com/.well-known/jwks.json
    providerURL: https://auth.example.com

Performance Profile

  • Latency: ~1-3ms overhead (Envoy's C++ architecture, estimate varies with hardware)
  • Throughput: 40K+ RPS per instance (estimate, depends on workload and configuration)
  • Scaling: Horizontal via HPA; leverages Envoy's xDS protocol

AWS API Gateway

Fully managed AWS service with two primary types: REST APIs (v1, older, feature-rich) and HTTP APIs (v2, newer, faster, cheaper). Deep integration with AWS ecosystem.

Core Features

  • REST APIs (v1): Full-featured with request/response transformations, authorizers, caching, stage variables
  • HTTP APIs (v2): Lower cost, supports JWT authorizers, auto-deployments, simplified routing
  • WebSocket APIs: Real-time bidirectional communication
  • Integration targets: Lambda, VPC Link (ALB/NLB), HTTP endpoints, AWS services

Configuration Example (Terraform)

resource "aws_apigatewayv2_api" "http_api" {
  name          = "user-service-api"
  protocol_type = "HTTP"
  description   = "User service HTTP API"
}

resource "aws_apigatewayv2_route" "users_route" {
  api_id = aws_apigatewayv2_api.http_api.id
  route_key = "GET /users"
  target = "integrations/${aws_apigatewayv2_integration.user_service.id}"
}

resource "aws_apigatewayv2_integration" "user_service" {
  api_id = aws_apigatewayv2_api.http_api.id
  integration_type = "HTTP_PROXY"
  integration_uri = "http://user-service-alb-123456.us-east-1.elb.amazonaws.com"
  connection_type = "VPC_LINK"
  connection_id   = aws_apigatewayv2_vpc_link.vpc_link.id
}

Performance Profile

  • Latency: HTTP APIs (v2): ~10-30ms; REST APIs (v1): ~30-60ms (varies by region and configuration)
  • Throughput: Managed scaling (no RPS limits within account quotas)
  • Pricing: Per-million requests + data transfer; HTTP APIs: $1.00/million (first 300M), $0.90/million thereafter; REST APIs: $3.50/million (first 300M), $3.00/million thereafter (pricing varies by region)

Security Comparison

Gateway WAF Capabilities DDoS Protection TLS Termination Certificate Management
Kong Plugin-based WAF (Enterprise), custom Lua rules Rate limiting, IP restrictions Full TLS 1.3 support, mTLS Certificates stored in DB or secret store
Ambassador External WAF integration via Filter CRDs Rate limiting, circuit breaking Full TLS 1.3 support, mTLS Kubernetes Secrets integration
AWS API Gateway AWS WAF integration (native) AWS Shield Standard (built-in), Shield Advanced (paid) Full TLS 1.3 support AWS Certificate Manager (ACM) integration

Security notes: Kong Enterprise and Ambassador Edge Stack offer advanced security features including advanced rate limiting, IP allowlists/denylists, and threat detection. AWS API Gateway benefits from AWS Shield for DDoS protection and native WAF integration.

Developer Experience & Ecosystem

Gateway Community Size Documentation Quality Ecosystem Maturity Learning Curve
Kong Large (40K+ GitHub stars) Excellent, comprehensive guides Mature (10+ years) Moderate
Ambassador Medium (10K+ GitHub stars) Good, K8s-focused docs Growing (5+ years) Low for K8s users
AWS API Gateway N/A (AWS ecosystem) Extensive AWS docs Very mature Low for AWS users

Ecosystem notes: Kong has the largest plugin ecosystem with 100+ official plugins. Ambassador leverages the broader Envoy ecosystem and Kubernetes Gateway API standards. AWS API Gateway integrates seamlessly with the entire AWS serverless ecosystem.

Observability Comparison

Gateway Metrics Tracing Logging Native Integrations
Kong Prometheus, StatsD OpenTelemetry, Zipkin, Jaeger Syslog, file, stdout Grafana, Datadog, Splunk
Ambassador Prometheus, StatsD OpenTelemetry, Zipkin stdout, file Grafana, Datadog
AWS API Gateway CloudWatch Metrics AWS X-Ray CloudWatch Logs CloudWatch, X-Ray

Kong and Ambassador expose Envoy-style metrics for granular request tracking. AWS API Gateway provides managed observability via CloudWatch with limited customization.

High Availability & Disaster Recovery

Kong: Deploy multiple data plane replicas behind a load balancer. Use PostgreSQL clustering or Redis for state. Enterprise offers active-active multi-region deployment with global rate limiting.

Ambassador: Horizontal scaling via HPA with multiple replicas. Stateless design enables quick recovery. Ambassador Edge Stack adds global traffic management and multi-cluster support.

AWS API Gateway: Built-in regional availability with automatic failover. Deploy across multiple AWS regions for DR. Use Route53 latency-based routing for global distribution. No infrastructure management required.

Cost Comparison

Kong Gateway OSS: Free, self-hosted. Infrastructure costs apply (compute, storage, database if used).

Kong Gateway Enterprise: Contact sales for pricing. Typically $5,000-$15,000/year per node depending on features and scale.

Ambassador (Emissary OSS): Free, self-hosted. Infrastructure costs apply (compute, storage).

Ambassador Edge Stack: Contact sales for pricing. Typically $3,000-$10,000/year per node for enterprise features.

AWS API Gateway: Pay-per-use model. HTTP APIs: $1.00/million requests; REST APIs: $3.50/million requests. Data transfer charges apply. Free tier includes 1M requests/month for 12 months.

Selection Matrix

Choose Kong When

  • Operating across multi-cloud or hybrid environments (AWS, Azure, GCP, on-prem)
  • Need custom plugin development (Lua, Go, Wasm)
  • Require advanced rate limiting with Redis clustering
  • Want DB-less mode for GitOps compliance
  • Need global DNS with intelligent latency-based routing (Enterprise)
  • Require developer portal and API analytics (Enterprise)

Choose Ambassador (Emissary) When

  • Kubernetes-first architecture with no plans for VM workloads
  • Using or planning service mesh (Istio, Linkerd)
  • Require canary deployments and traffic shifting via CRDs
  • Want Gateway API compliance for standard K8s tooling
  • Prefer Envoy's observability (statsd, Prometheus, OpenTelemetry)
  • Need multi-cluster or global traffic management (Edge Stack)

Choose AWS API Gateway When

  • Serverless-first with heavy Lambda usage
  • Require managed infrastructure with zero operational overhead
  • Need AWS-native integrations (Cognito, X-Ray, Step Functions)
  • Compliance requires AWS SOC 2/FedRAMP certifications
  • Team has strong AWS expertise and minimal K8s presence
  • Want HTTP APIs (v2) for cost-sensitive workloads or REST APIs (v1) for advanced transformations

Getting Started

Kong Quick Start

# Install Kong Gateway (Docker)
docker network create kong-net
docker run -d --name kong \
  --network kong-net \
  -e "KONG_DATABASE=off" \
  -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
  -p 8000:8000 \
  -p 8443:8443 \
  kong/kong:3.8 kong start --vv

Ambassador Quick Start

# Install via Helm
helm repo add emissary https://app.getambassador.io
helm repo update
helm install -n emissary emissary emissary/emissary
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: emissary-ingress
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app.kubernetes.io/name: emissary
EOF

AWS API Gateway Quick Start

# Using AWS CLI (HTTP API v2)
aws apigatewayv2 create-api \
  --name "my-api" \
  --protocol-type HTTP \
  --region us-east-1

aws apigatewayv2 create-route \
  --api-id <api-id> \
  --route-key "GET /" \
  --target "integrations/<integration-id>"

Share this Guide:

More Guides

GitHub Actions vs GitLab CI vs Jenkins: The Ultimate CI/CD Platform Comparison for 2026

Compare GitHub Actions, GitLab CI, and Jenkins across architecture, scalability, cost, and security to choose the best CI/CD platform for your team in 2026.

7 min read

Kafka vs RabbitMQ vs EventBridge: Complete Messaging Backbone Comparison

Compare Apache Kafka, RabbitMQ, and AWS EventBridge across throughput, latency, delivery guarantees, and operational complexity to choose the right event-driven architecture for your use case.

4 min read

Chaos Engineering: A Practical Guide to Failure Injection and System Resilience

Learn how to implement chaos engineering using the scientific method: define steady state, form hypotheses, inject failures, and verify system resilience. This practical guide covers application and infrastructure-level failure injection patterns with code examples.

4 min read

Scaling PostgreSQL for High-Traffic: Read Replicas, Sharding, and Connection Pooling Strategies

Master PostgreSQL horizontal scaling with read replicas, sharding with Citus, and connection pooling. Learn practical implementation strategies to handle high-traffic workloads beyond single-server limits.

4 min read

Mastering AI Model Deployment: Blue-Green, Canary, and A/B Testing Strategies

Learn three essential deployment patterns for ML models—Blue-Green, Canary, and A/B Testing—with practical examples on traffic routing, rollback mechanisms, and infrastructure requirements.

3 min read

Continue Reading

GitHub Actions vs GitLab CI vs Jenkins: The Ultimate CI/CD Platform Comparison for 2026

Compare GitHub Actions, GitLab CI, and Jenkins across architecture, scalability, cost, and security to choose the best CI/CD platform for your team in 2026.

7 min read

Kafka vs RabbitMQ vs EventBridge: Complete Messaging Backbone Comparison

Compare Apache Kafka, RabbitMQ, and AWS EventBridge across throughput, latency, delivery guarantees, and operational complexity to choose the right event-driven architecture for your use case.

4 min read

Chaos Engineering: A Practical Guide to Failure Injection and System Resilience

Learn how to implement chaos engineering using the scientific method: define steady state, form hypotheses, inject failures, and verify system resilience. This practical guide covers application and infrastructure-level failure injection patterns with code examples.

4 min read