Kong vs Tyk vs Envoy for microservices

Evaluating Kong vs Tyk vs Envoy for microservices requires isolating declarative routing syntax, circuit breaker propagation, and connection pool behavior under gRPC/HTTP2 ingress. Modern platform teams must enforce baseline requirements: HTTP/2 multiplexing, native gRPC support, deterministic retry budgets, and zero-trust header injection. This comparison evaluates configuration complexity, runtime overhead, and failure recovery during upstream latency spikes. The methodology prioritizes exact declarative syntax, connection pool tuning, and measurable throughput under high concurrency.

Architectural Positioning and Data Plane Execution

Control plane and data plane separation dictates how each gateway intercepts and proxies requests. Kong relies on an Nginx core extended via LuaJIT, executing routing logic in a worker-per-core model. Tyk is built in Go, utilizing a goroutine scheduler that handles concurrent streams with a single-process architecture. Envoy operates as a C++ proxy using an event-driven reactor pattern, optimized for asynchronous I/O and zero-copy networking. When mapping these execution models to API Gateway Fundamentals & Architecture, the distinction lies in request lifecycle interception: Kong and Tyk embed policy evaluation directly in the proxy loop, while Envoy delegates policy to xDS-compliant control planes, enabling hot-reloading of routing tables without connection drops.

Declarative Routing Syntax Comparison

Path-based routing with header rewriting requires precise, version-controllable configuration. Below are production-ready snippets for Kong 3.x (db-less), Tyk 5.x, and Envoy 1.28+.

Kong 3.x (Declarative YAML)

_format_version: "3.0"
services:
  - name: user-service
    url: http://user-svc:8080
    routes:
      - name: user-route
        paths: ["/api/v1/users"]
        strip_path: true
    plugins:
      - name: request-transformer
        config:
          add:
            headers: ["X-Internal-Source:api-gateway"]

Tyk 5.x (JSON API Definition)

{
  "name": "user-service",
  "api_id": "user_svc_01",
  "proxy": {
    "listen_path": "/api/v1/users/",
    "target_url": "http://user-svc:8080/",
    "strip_listen_path": true
  },
  "version_data": {
    "not_versioned": true,
    "default_version": "default",
    "versions": {
      "default": {
        "global_headers": {
          "X-Internal-Source": "api-gateway"
        }
      }
    }
  }
}

Envoy 1.28+ (xDS YAML)

static_resources:
  listeners:
    - name: ingress_listener
      address: { socket_address: { address: 0.0.0.0, port_value: 8080 } }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: user_service
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/api/v1/users" }
                          route:
                            cluster: user_cluster
                            prefix_rewrite: "/"
                  request_headers_to_add:
                    - header: { key: "X-Internal-Source", value: "api-gateway" }
                      keep_empty_value: false

Kong’s YAML offers the lowest cognitive overhead for GitOps workflows, while Tyk’s JSON aligns with RESTful management APIs. Envoy’s xDS structure provides granular control but requires strict schema validation in CI/CD pipelines.

Circuit Breaker and Retry Logic Under High Concurrency

Preventing cascading 503s during upstream latency spikes requires strict error thresholds, consecutive failure limits, and half-open probe intervals.

Kong: Uses the circuit-breaker plugin.

plugins:
  - name: circuit-breaker
    config:
      threshold: 50
      timeout_sec: 10
      window_size: 60

Tyk: Defines thresholds in the API definition.

"circuit_breaker": {
  "threshold_percent": 0.5,
  "samples": 100,
  "return_to_service_after": 10
}

Envoy: Combines outlier_detection at the cluster level with retry_policy at the route level.

clusters:
  - name: user_cluster
    outlier_detection:
      consecutive_5xx: 3
      interval: 10s
      base_ejection_time: 30s
route_config:
  virtual_hosts:
    - routes:
        - match: { prefix: "/" }
          route:
            cluster: user_cluster
            retry_policy:
              retry_on: "5xx"
              num_retries: 2
              per_try_timeout: 1s

Envoy’s retry budget mechanism (retry_budget) explicitly caps retry traffic as a percentage of successful requests, preventing thundering herd scenarios during partial outages. When mapping failure tolerance to platform SLAs, consult Gateway Selection Criteria to align circuit breaker ejection times with upstream health check cadences.

Protocol Translation and Header Injection Patterns

gRPC-to-HTTP2 translation overhead varies significantly across implementations. Envoy natively supports gRPC, handling grpc-status codes, trailers, and content-type negotiation without plugin overhead. Kong and Tyk rely on Lua/Go middleware layers to parse HTTP/2 frames, which introduces marginal latency under high QPS.

For zero-trust ingress, header normalization must enforce strict x-forwarded-for, x-forwarded-proto, and x-request-id propagation. JWT validation latency is lowest in Envoy due to compiled C++ crypto libraries, while Kong’s jwt plugin and Tyk’s jwt middleware execute in interpreted/managed runtimes. mTLS termination should occur at the data plane edge, with upstream services validating mutual certificates via SPIFFE/SPIRE. Route recommendations for zero-trust topologies mandate stripping external headers at the gateway boundary and injecting cryptographically signed internal identity tokens before routing.

Failure Mode Analysis and Capacity Planning

Connection pool exhaustion is the primary failure mode during latency spikes. Upstream connection limits must be explicitly tuned to prevent queue buildup.

• Kong: upstream object controls slots, hash_on, and keepalive pool size. Default keepalive is 60. Set max_fails to 3 and fail_timeout to 10s.
• Tyk: upstream configuration uses max_connections, keepalive_timeout, and idle_timeout. Tune max_connections to match upstream thread pool capacity (typically 100-500 per instance).
• Envoy: cluster definitions use max_connections, max_pending_requests, max_retries, and http2_protocol_options.max_concurrent_streams.

Under 10k+ RPS, Kong’s LuaJIT overhead manifests as increased CPU utilization during plugin execution. Tyk’s Go runtime may experience GC pauses during burst traffic, mitigated by GOGC tuning. Envoy’s zero-copy networking and epoll-based reactor pattern maintain linear memory scaling. Horizontal scaling requires stateless control plane replication with consistent hashing for sticky sessions. Monitoring must expose Prometheus metrics (envoy_cluster_upstream_cx_active, kong_upstream_latency), OpenTelemetry distributed traces, and structured JSON access logs for post-mortem analysis.

Selection Matrix for Platform Teams

Gateway selection depends on team expertise, existing infrastructure, compliance mandates, and operational maturity.

For monolith-to-microservice migrations, Kong or Tyk provide lower initial configuration friction and familiar HTTP routing patterns. Greenfield gRPC-heavy architectures should default to Envoy for native protocol support and deterministic retry budgets. Production rollout guardrails require canary deployments with traffic shadowing, automated rollback triggers on 5xx error rate thresholds (>1%), and continuous validation of circuit breaker state transitions against upstream health probes.