This is an API Gateway feature comparison on Tyk, Kong and AWS we did sometime back around November 2019. Please note that there is no intention of bias to any of the products and these were me and my teams opinion at the time. With recent releases any of these evaluation results might vary.
The evaluation result is categorized under the following levels.
– The feature is supported out of the box.
– The feature is not supported out of the box but there are possible workarounds with some effort.
– The feature is not supported and there are no quick workarounds.
| Feature | Use Case | Tyk On-Premise API Gateway (Commercial) | AWS API Gateway | Kong API Gateway EE (Enterprise Edition) | Kong API Gateway CE (Community Edition) | |
|---|---|---|---|---|---|---|
| 1. | Design and Prototype | |||||
| 1.1 | API Lifecycle | 1.1.1 It should be possible to create an API and then move it into different stages to have full control over its life cycle. 1.1.2 It should be possible to notify users (possibly via a header) when an API is deprecated. | – An enable/disable feature is there at the API level but there isn’t a concept for stages. – An API version can be scheduled to expire automatically as well. Refer https://tyk.io/docs/concepts/versioning/#a-name-sunsetting-a-sunsetting-api-versions for more details. – Support to add a custom header (such as Deprecated) to an API version is also there. | – A concept of API stages is there. However no direct concept of API deprecation as of now. – Should be able to support deprecation with a custom header. – https://docs.aws.amazon.com/apigateway/latest/developerguide/stages.html | – It is only possible to create API no other life cycle stages | – Similar to Kong EE |
| 1.2 | Mock/Prototype API | 1.2.1. It should be possible to Mock/prototype API. | – Mocking is available via virtual endpoints concept which provides support for writing JavaScript based methods for response mocking. – https://tyk.io/docs/compose-apis/virtual-endpoints/ | – https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-mock-integration.html | – There is no functionality for mocking/prototyping API. – Mocking an API can be done using 3rd party Kong-service-virtualization plugin where we can create a mock API by providing the mock request and response details. – https://docs.konghq.com/hub/optum/kong-service-virtualization/ | – Similar to Kong EE |
| 2. | Publish and Governance | |||||
| 2.1 | API Visibility | 2.1.1 It should be possible to mark APIs with different access levels for consumers (i.e internal, external and public) 2.1.2 It should be possible to RBAC API publishers. (i.e managers can edit, testers can only view etc) 2.1.3 Configurability of API visibility based on a resource (endpoint). | – Does not have a straight out of the box concept of API visibility levels but such access control can be achieved via the policy concept in Tyk. – https://tyk.io/docs/concepts/what-is-a-security-policy/ | – https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html – Does not have a straight out of the box concept of API visibility levels but one should be able to use scopes in Cognito and API categories to implement this kind of separation. | – Should be possible with RBAC in Kong EE. – https://docs.konghq.com/1.3.x/secure-admin-api/#role-based-access-control | – RBAC is only available in Kong EE. |
| 2.2 | Multi-Environment Support | 2.2.1 It should be able to import and export configuration from one environment to another. 2.2.2 It should be possible to manage API for both prod and sandbox using one console. (i.e. if the API is exposed to sandbox env, and needs to be exposed to prod env, this could be done through a simple tick without having to set up the API again in a different env) | 2.2.1 – API definition can be exported and imported to another environment via APIs or the developer dashboard and REST API. – Tyk-sync command-line tool can be used to migrate APIs and Policies from one environment to another. – https://tyk.io/docs/manage-multiple-environments/tyk-sync/ 2.2.2 | – If the idea is to use stages for multiple environments then this is supported. – https://docs.aws.amazon.com/apigateway/latest/developerguide/stages.html | 2.2.1 – API definition can be exported as a JSON and can be imported via the REST API. 2.2.2 | 2.2.1 – Similar to Kong EE 2.2.2 |
| 2.3 | API Versioning | 2.3.1 It should be possible to maintain different versions of the API. | – Versioning is supported inherently. A version can be set to be automatically expired as well. Further, we can even send a mock response without completely expiring a particular version and we can also add a custom header as deprecated if needed. | – A straight forward versioning concept is not there but stages concept can be used for versioning. | – It is impossible. if we want to create a different version of an API, It can be done by exporting the API and importing it with the version in the path or host. | – Similar to Kong EE |
| 2.4 | Response Caching | 2.4.1 It should be possible to support response caching. | – https://tyk.io/docs/reduce-latency/caching/ | – https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html | – Supported via the proxy caching plugin – https://docs.konghq.com/hub/kong-inc/proxy-cache/ | – Caching plugin is only available for Kong EE |
| 2.5 | Support for CORS | 2.5.1 It should be possible to support CORS at the API level. | – https://tyk.io/docs/tyk-rest-api/api-definition-objects/cors/ | – https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html | – https://docs.konghq.com/hub/kong-inc/cors/ | – Similar to Kong EE |
| 2.6 | IP Whitelisting and Blacklisting | 2.6.1 It should be possible to blacklist and whitelist based on IP | – https://tyk.io/docs/tyk-rest-api/api-definition-objects/ip-blacklisting/ – https://tyk.io/docs/tyk-rest-api/api-definition-objects/ip-whitelisting/ | – https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-resource-policy-whitelist/ | – https://docs.konghq.com/hub/kong-inc/ip-restriction/ | – Similar to Kong EE |
| 3. | Security and Authentication | |||||
| 3.1 | OpenID Connect Support | 3.1.1 It should be possible to configure API authentication via an external OIDC provider such as Keycloak with JWT rich tokens 3.1.2 It should be possible to forward the JWT rich token to the upstream services | – https://tyk.io/docs/security/your-apis/openid-connect/ | – Direct integration support with external OIDC providers is not there. However identity federation via AWS Cognito should be possible. | – https://docs.konghq.com/hub/kong-inc/openid-connect/ | – Official Kong OIDC plugin is for Kong EE only. However, a third-party plugin is there for OIDC. – https://github.com/nokia/kong-oidc |
| 4. | Traffic Control | |||||
| 4.1 | Usage Quotas (Throttling) | 4.1.1 It should be possible to impose hard limiting per consumer 4.1.2 It should be possible to impose soft limiting per consumer with notifications to the consumer on quota exceeding or such similar events | 4.1.1 4.1.2 – Soft throttling kind of a feature (i.e allowing quota to be exceeded by a certain percentage with a notification mechanism) is not supported. However, monitoring mechanism supported by Tyk can be used to trigger an event when a quota is being overrun (QuotaExceeded) or when quota reaches a certain percentage. | 4.1.1 – https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html 4.1.2 – Soft throttling kind of a feature (i.e allowing quota to be exceeded by a certain percentage with a notification mechanism) is not supported. However, it should be possible to get triggers via Cloud Watch metrics | 4.1.1 – There isn’t a separate usage quota feature/plugin available but the rate-limiting plugin can be used for this. – https://docs.konghq.com/hub/kong-inc/rate-limiting-advanced/ 4.1.2 | 4.1.1 – There isn’t a separate usage quota feature/plugin available but a rate-limiting plugin can be used for this. – Kong EE rate-limiting plugin is not available in Kong CE but another plugin is available. – https://docs.konghq.com/hub/kong-inc/rate-limiting/ 4.1.2 |
| 4.2 | Rate Limiting | 4.2.1 It should be possible to impose rate limiting. | – https://tyk.io/docs/control-limit-traffic/rate-limiting/ | – https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html | – https://docs.konghq.com/hub/kong-inc/rate-limiting-advanced/ | – Kong EE rate-limiting plugin is not available in Kong CE but another plugin is available. However, the precision of the third party plugin was not accurate. – https://docs.konghq.com/hub/kong-inc/rate-limiting/ – https://github.com/Kong/kong/issues/3329 |
| 4.3 | Circuit Breaker Pattern | 4.3.1 It should be possible to add the circuit breaker to an API | – https://tyk.io/docs/ensure-high-availability/circuit-breakers/ | – AWS APIGateway does not seem to support circuit breaker inherently. However, a Lamda based solution might be possible instead. – https://binx.io/blog/2018/11/10/aws-lambda-circuit-breaker/ | – https://docs.konghq.com/1.3.x/health-checks-circuit-breakers/ | – https://docs.konghq.com/1.3.x/health-checks-circuit-breakers/ |
| 4.4 | Compression | 4.4.1 Response compression at the API Gateway level should be possible with a compression algorithm like Gzip | – Tyk does not support response compression at the gateway level but can handle (pass-through) compressed response from the upstream services. | – https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-compression-decompression.html | Compression is not inherently supported but can be enabled by tweaking the Nginx config. | – Similar to Kong EE |
| 5. | Developer Portal | |||||
| 5.1 | Swagger Documentation | 5.1.1 It should be possible to import swagger JSON and create API documentation | – https://tyk.io/docs/tyk-developer-portal/portal-concepts/#a-name-documentation-a-documentation | | – https://docs.konghq.com/enterprise/0.31-x/developer-portal/introduction/ | – Kong CE does not have a developer portal |
| 5.2 | Sandbox Environment Support | 5.2.1 It should be possible to generate an access token (key) via OIDC through the developer portal 5.2.2 It should be possible for the consumers to make calls to the sandbox environment from the developer portal itself | | | | – Kong CE does not have a developer portal |
| 5.3 | Client Registration | 5.3.1 It should be possible for the clients (API consumers) to self register themselves in the developer portal. 5.3.2 It should be possible to integrate client registration and login with an external OIDC provider such as Keycloak | | 5.3.1 5.3.2 – Registration and login are supported with AWS Cognito and it should be possible to integrate this with an external IDP. – https://stackoverflow.com/a/50343585/1849366 | 5.3.1 5.3.2 – https://docs.konghq.com/enterprise/0.32-x/developer-portal/configuration/authentication/#open-id-connect-plugin – https://docs.konghq.com/hub/kong-inc/openid-connect/ | – Kong CE does not have a developer portal |
| 5.4 | API Key Request | 5.4.1 It should be possible for the API consumers to subscribe and request an API key through the developer portal | https://tyk.io/docs/tyk-developer-portal/portal-concepts/#a-name-key-requests-a-key-requests | – https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-developer-portal.html | – https://docs.konghq.com/enterprise/0.32-x/developer-portal/managing-developers/#approving-developers | – Kong CE does not have a developer portal |
| 5.5 | API Visibility | 5.5.1 It should be possible to limit APIs shown to a consumer depending on a type (i.e internal, external, public) for the user in the developer portal. | – Such a type is not supported inherently, however, a workaround is possible using custom fields. | – https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html – https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-tagging-iam-policy.html | https://docs.konghq.com/enterprise/0.36-x/developer-portal/configuration/workspaces/ | – Kong CE does not have a developer portal |
| 5.6 | Analytics | 5.6.1 It should be possible for the consumer to view API analytics in the developer portal | – At the moment only 7 days of data is visible hence marked as not supported. | – https://github.com/awslabs/aws-api-gateway-developer-portal#introduction | | – Kong CE does not have a developer portal |
| 5.7 | Customization Support | 5.7.1 It should be able to customize the developer portal look and feel. | – https://tyk.io/docs/tyk-developer-portal/customise/ | – Can customize the developer portal source – https://github.com/awslabs/aws-api-gateway-developer-portal – https://aws.amazon.com/blogs/compute/generate-your-own-api-gateway-developer-portal/ | – https://docs.konghq.com/enterprise/0.36-x/developer-portal/theme-customization/customizing-dev-portal/ | – Kong CE does not have a developer portal |
| 6. | Statistics and Reporting | |||||
| 6.1 | Per Request Per API Statistics | 6.1.1 It should be possible to get per request, per API data published to an external statistics collector | – https://tyk.io/docs/concepts/tyk-components/pump/ | – https://docs.aws.amazon.com/apigateway/latest/developerguide/monitoring_automated_manual.html | – https://docs.konghq.com/enterprise/0.36-x/admin-api/vitals/#traffic-metrics | – Kong (CE) Monitoring with Prometheus |
| 7 | API Monetization | |||||
| 7.1 | Subscriptions | 7.1.1 It should be possible to create and charge for fixed subscriptions. (i.e 50$ per month with a given rate limiting and throttling) 7.1.2. It should be possible to charge consumers based on their API usage (i.e pay-as-you-go model) | – Monetization is not inherently supported but Tyk gives an extension point for monetization with the API key request. | – Monetization is not supported inherently in the developer portal. The option we have is to go for the AWS marketplace and in that case, consumers will have to separately register to the AWS marketplace. – https://docs.aws.amazon.com/apigateway/latest/developerguide/sell-api-as-saas-on-aws-marketplace.html – https://forums.aws.amazon.com/thread.jspa?messageID=769220 | – https://discuss.konghq.com/t/api-monetization/2879 | – Kong CE does not have built-in monetization. |
| 8 | Mediation Support | |||||
| 8.1 | Transformation | 8.1.1 It should be possible to modify/add/remove request and response headers 8.1.2 It should be possible to a method transform on the request 8.1.3 It should be possible to perform simple request/response body transform. (i.e simple JSON/XML to JSON/XML mappings) | – https://tyk.io/docs/transform-traffic/ | – https://docs.aws.amazon.com/apigateway/latest/developerguide/models-mappings.html | – https://docs.konghq.com/hub/kong-inc/request-transformer-advanced/ | – https://docs.konghq.com/hub/kong-inc/request-transformer/ |
| 8.2 | Routing | 8.2.1 It should be possible to do header-based routing | – https://tyk.io/docs/transform-traffic/url-rewriting/ | – https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html – https://aws.amazon.com/blogs/compute/overriding-request-response-parameters-and-response-status-in-amazon-api-gateway/ | – https://docs.konghq.com/hub/kong-inc/route-by-header/ | – Header based routing plugin is available only on Kong EE. However, host header-based routing can be done up to some extent via Routes in Kong. |
| 8.3 | Custom Mediation Logic | 8.3.1 It should be possible to write a custom plugin to manipulate headers. 8.3.2 It should be possible to write a custom plugin to manipulate request. 8.3.2 It should be possible to write a custom plugin to manipulate the response. | 8.3.1 8.3.2 8.3.3 – https://community.tyk.io/t/plugin-middleware-to-transform-response/3400/2 – https://tyk.io/docs/customise-tyk/plugins/rich-plugins/rich-plugins-data-structures/#returnoverrides-coprocess-return-overrides-proto | – Possible with lambda integration support. – https://aws.amazon.com/premiumsupport/knowledge-center/custom-headers-api-gateway-lambda/ – https://www.alexdebrie.com/posts/api-gateway-elements/#step-2-transforming-the-request-with-the-integration-request – https://www.alexdebrie.com/posts/api-gateway-elements/#step-3-handling-your-response-with-integration-responses | – Custom mediation login is supported via Lua scripts. – https://docs.konghq.com/1.3.x/plugin-development/ | – Custom mediation login is supported via Lua scripts. – https://docs.konghq.com/1.3.x/plugin-development/ |
Photo by form PxHere
~ Rajind Ruparathna
Notebook 