I've been reviewing the market recently for open source API Gateways. I'm looking to sit my gateway in-front of a number of API services provided by node.js express applications.
I'm looking for basic rate limiting, throttling and some form of API monitoring. Upon a quick Google search I've come across the following products but I'm completely clueless as to whether the community feels any one is better than the other or if anyone has any real world experience with these products and can offer some insights into good / bad points.
https://tyk.io
https://moesif.com
https://gravitee.io/
https://apiumbrella.io/
https://getkong.org/
Top comments (27)
I'm one of the core commiter on Gravitee.io API Platform.
The main difference between Gravitee.io and all the other open-source solutions is that Gravitee.io is fully open-source, and not only the API Gateway. The Management API, Analytics, Authorization server are freely available and all source code are available in our github organization.
Gravitee.io is already used in production by many major and business-critical companies all over-the-world. They like the performance of the gateway, the minimal overhead and the fact that they can very easily extend it by writing Java plugins.
You're looking for basic rate-limiting, throttling and API monitoring? Perfect! All of them are available in Gravitee.io. More, you may be able to create your own Kibana or Grafana dashboards since all the analytics are stores into Elasticsearch...
I can't tell you that Gravitee is better than the other solution, all of them have their own pros / cons, but I can tell you that, even if their some missing features, we can work on them very quickly. If you have a look to our releases, you can see that we are doing many releases: one major per month, and the next one is coming next tuesday: github.com/gravitee-io/issues/rele....
An other point you have to know: many companies have subscribed to support... and all the bug fixes are directly in the next major version... Also, compagnies are sponsoring the company behind Gravitee.io, GraviteeSource: they ask us to create and develop new features and they paid for that: and all of them are freely available in the next major release... We are doing open-source API Gateway / API Management, and we are doing it from 'A' to 'Z'...
See you!
Hey David, I just took a look at Gravitee and like the highly abtracted and modularized approach a lot. Is the project still under active development? I would also be interested in controlling other gateways, e.g. CA API Gateway (which has an API) through Gravitee API-M front-end - is this possible?
Thanks & cheers, Chris
Hi Chris,
Yes, the project is still under highly active development, you can have a look to our github repositories : github.com/gravitee-io
For your other questions, I don't know well how the "other gateways" are running and how they are managed. What you can do from gravitee is to define your API, then export the API's definition in JSON and convert / import the file somewhere else.
Regards,
Thanks for the quick reply - is there an abstraction for gateways already in Gravitee? Like an API managing the gateway, querying capabilities and apply configuration and service policies.
The common things (auth, throttling, logging, routing, etc) can be implemented on almost every gateway (and you probably know there are many), so I would be highly interested in finding (or contributing to) an API management solution (catalog, subscriptions, etc) which can be used to control different gateway types.
I believe this would be very interesting for many enterprises looking for a central dev portal, but needing to support different gateway technologies, like CA API Gateway, WSO2, Envoy (ingress to Istio), etc.
I was thinking that an abtracted interface to the gateway (like the one you built for storing repository data in Mongo, Redis or via JDBC) could be a way to achieve this.
No there is no abstraction for gateways for now. And nothing about this in our roadmap.
Most of the stuff would be to look on what would be the best format to describe an API, before being able to deploy the API in different gateway technologies.
It is a very interesting feature but also time consuming...
We need a standard to describe an API (inherited from OAI ?) :-)
Ready ? Go !
Hi Chris,
I am a bit late to the discussion but I am really intrigued by your message :-)
Would you be able to share more details on potential use cases you identify?
Why would a company use several gateways?
Thanks
Cheers:
Feel free to PM me on twitter.
Hi Jean
All companies with API Management projects I have contributed to recently use different gateway vendors internally. This may be due to organizational reasons (lack of coordination between different departments) or technology evolution (central gateway vs micro gateway, advent of service meshes).
In addition I think this could be a door-opener for Gravitee in companies using CA, WSO2 or other vendors with weak developer portal solutions.
Since Gravitee is already highly modularized, the only thing needed is an abstracted API gateway interface (sounds simple, but might be a lot of effort). I'm in discussion with David about it.
Cheers, Chris
Hello guy,
I`m curius about Gravitee solution.
Does gravitee is cloud native?
tks
Hello su,
Yes it is. Feel free to join our gitter channel to talk with the community.
Regards
Hi there:
I am curious, is there a more up to date documentation available for the gateway? a lot of information/pages seems to be empty from docs.gravitee.io
Hi Bill,
Sorry for the delay, I was off last week.
You're right, some content are missing because of a lack of time from developers.
We were expecting more help from the community but nothing is coming :(
Sorry for I'm really sorry about it. Also, you may have to understand that we are providing an open-source platform so that, some companies need our help / our expertise because of this lack of documentation... But it's not a good reason and I'm sure we need more to start with Gravitee.io. Perhaps you can help us by indicating which parts are really missing from your pov.
Thanks a lot.
Hi Brassely,
Does Gravitee has OpenID connect support? I couldn't find a clear documentation for that.
Regards
Hi Ranadima,
What are you looking for exactly ?
We have an aAccess Management module which is certified OIDC.
See docs.gravitee.io/am/2.x/am_overvie...
Thanks Brassley for the quick response. I'll have a look.
Regards
I've played with Kong a tiny bit out of curiosity in the past. It works and it's built on battle tested nginx. The open source community is active and there are many plugins for basically everything.
Rate limiting and throttling are supported out of the box.
Keep in mind that if you put all your APIs behind a gateway you need it to not become a single point of failure, so you might have to cluster at least two instances of the API gateway.
The great thing about the API gateway "pattern" is that you can work and evolve APIs in the backend keeping the same interface for the clients if you need to, or for example make it so that all APIs have the same authentication system and so on.
Kong is a great recommendation, It's the most straightforward of the choices above and the community is very much alive.
I should mention thought that it's a bit "crippleware", features you might need like advanced tranformations and OAUTH requires an enterprise license.
Here in my company I use TreeGateway, which is completely free and opensource. It is built to run on Express (Node.js).
The has a number of features and can be customized using JavaScript. Here are a few:
The strengths are:
The weaknesses are:
I believe that the choice depends on your needs. Basic functionality is common among Gateways, but you have to check for customization, ease of deployment and product support.
Good luck!
I consultant working in the domain those are the ones I saw:
Well my personal opinion is I donโt feel 100% confident with this kind of tools as OSS (even if I am an active OSS commiter myself) Those pieces are meant to protect and secure your IS in a way. If I got the source code of the tool protecting your IS itโs easier for me to forge an attack.
Hey Cรฉdrick, thanks for mentioning tyk.io open source API Gateway
Our gateway is 100% open source, the same open source version is used by Cisco and Capital One, as is used by anyone taking the gateway from our package repositories or Github.
Precisely because it is open and transparent, it is trusted and loved by highly regulated industries. This is why Tyk has so many healthcare, financial service and telco customers - no "black boxes" or "systems calling home" from your network!
Enterprise customers can also purchase a support SLA and contract, to ensure ongoing maintenance and support for their deployment.
We believe that open and transparent code makes for better security, and our users agree.
Vive la Open Source!
Ambassador (getambassador.io) is an open source API Gateway specific to Kubernetes services that's built on the Envoy Proxy (envoyproxy.io/). If you're using Kubernetes, definitely check it out!
Check out Tyk.io also. It is probably the most popular free API gateway.
We at Moesif (moesif.com), an API analytics platform is integrated with Tyk.io core codebase. Once your needs goes beyond basic rate limiting or monitoring, check it out.
You may like the micro-services API gateway by Young App (Yap) that offers powerful, yet lightweight features that allow fine-grained control over your API ecosystem.
Young App open source project (Yap):
To find out more, please visit
Community Edition: manual.youngapp.co/community-edition
GitHub: github.com/youngapp/yap/
Website: youngapp.co/en/
Connectors: manual.youngapp.co/connectors/
Yap combines GraphQL with XML policies, OpenAPI v3, and strong functional testing on serverless architecture.
Key features:
๐ Elegant XML policies
The powerful capability of the system that allows the publisher to change API behavior through configuration in elegant XML files.
๐GraphQL as API gateway
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. Yap uses only GraphQL as API Gateway.
๐ YAML functional testing
CI-ready tests for REST APIs configured in YAML.
๐ Error handling with policies
Sentry provides self-hosted and cloud-based error monitoring that helps all software teams discover, triage, and prioritize errors in real time.
๐Connectors
YAP is the only integration platform that was built from the ground to support a single design interface for developer/IT and for citizen integrators.
๐Universal middleware design
The design conventions inspired by Express or KoaJS and adapted for serverless application and low-code approach.
๐ Designed for serverless
Yap is designed for serverless event functions on AWS, GCP, or Azure functions.
๐ NodeJS
YAP is written in Typescript NodeJS, which makes it fast and easy to set up.
Most of the Node.js based API Management solution(that you listed above) comes with features limitation in the free version and require you to upgrade to an Enterprise solution.
However, I will recommend WSO2 if your team is comfortable with Java frameworks and Integration solution to an Enterprise scale. It's free and All the Basic and Enterprise features are OOTB (Rate Limiting, Throttling, caching LDAP Integration, and RBAC).If you looking for a more SAAS solution with minimum cost opt for APIGEE.
Above mentioned node.js solution are still amateur for a Enterprise level solution.
I hope to see more advanced features in these tools from company and communities to build.
This is a bit late but I hope it helps anyone reading this post and still looking for a reliable API Gateway.
Apache APISIX (apisix.apache.org/) should be your straightforward choice out of the multiple API Gateways.
Apache APISIX is an open source, dynamic, scalable, and high-performance cloud native API gateway for all your APIs and microservices.
APISIX facilitates interface traffic handling for websites, mobile and IoT applications by providing services such as load balancing, dynamic upstream, canary release, fine-grained routing, rate limiting, and many more.
Features
I hope this gives a sneak peak why this Apache APISIX should be your straight forward choice.
Also to note, I came across an article that I found useful, comparing APISIX with most of the API Gateways in the market.
api7.ai/blog/why-is-apache-apisix-...
kong and tyk are basically API gateways.
Moesif is an API analytics platform, it provides plugins for Kong and Tyk for easy integration.
btw, I am the co-founder of moesif.