kgateway

KGateway is a software company that specializes in creating innovative solutions for businesses looking to streamline their operations and improve efficiency. With a focus on providing cutting-edge technology and top-notch customer service, KGateway offers a range of services including software development, data analytics, and system integration. By harnessing the power of data and technology, KGateway helps companies make informed decisions and stay ahead of the competition. Their team of skilled professionals works closely with clients to understand their unique needs and develop customized solutions that drive real results. Whether it’s optimizing workflows, improving data management, or enhancing customer experience, KGateway is dedicated to helping businesses thrive in an increasingly digital world.

    Features

    Core Gateway Functionality

    • Kubernetes Gateway API implementation
    • Kubernetes-native ingress controller
    • Envoy proxy-based data plane
    • Agentgateway data plane (for AI workloads)
    • Automatic service discovery
    • Dynamic configuration updates (no restarts required)
    • GatewayClass and Gateway resource management
    • HTTPRoute and TCPRoute support
    • ReferenceGrant for cross-namespace references

    Routing & Traffic Management

    • Path-based routing
    • Header-based routing
    • Host-based routing
    • Cookie-based routing
    • Query parameter matching
    • Traffic splitting/weighted routing
    • Request mirroring
    • Direct responses
    • URL rewrites
    • Path rewrites
    • Host rewrites
    • Request redirects
    • Route delegation
    • Canary deployments
    • Dynamic forward proxy (DFP)

    Load Balancing

    • Round robin
    • Least request
    • Ring hash (consistent hashing)
    • Maglev
    • Random
    • Locality-aware load balancing
    • Slow start mode
    • Session affinity
    • Hash policies (header, cookie, source IP)
    • Healthy panic threshold configuration

    Protocol Support

    • HTTP/1.1
    • HTTP/2
    • HTTP/3
    • gRPC
    • WebSockets
    • TCP proxy
    • UDP proxy

    Security

    • TLS termination
    • TLS origination (backend TLS)
    • Mutual TLS (mTLS)
    • SNI-based routing
    • TLS passthrough
    • Let’s Encrypt integration (via cert-manager)
    • External authorization (ExtAuth)
    • JWT authentication
    • OAuth 2.0/2.1 support
    • OpenID Connect (OIDC)
    • API key authentication
    • LDAP authentication
    • Role-Based Access Control (RBAC)
    • CORS policy
    • CSRF protection
    • IP restriction policies

    Rate Limiting

    • Local rate limiting (token bucket)
    • Global rate limiting (external service)
    • Rate limit descriptors
    • Header-based rate limiting
    • Remote address-based rate limiting
    • Path-based rate limiting

    Resiliency

    • Retries with configurable conditions
    • Retry backoff configuration
    • Circuit breaking
    • Outlier detection (passive health checking)
    • Active health checks (HTTP, gRPC)
    • Timeouts (request, stream idle, per-try)
    • Connection pooling
    • TCP keepalive

    Transformations

    • Request header manipulation (add, set, remove)
    • Response header manipulation (add, set, remove)
    • Request body transformation
    • Response body transformation
    • Inja template support (Envoy)
    • CEL expression support (agentgateway)

    External Processing

    • External processing (ExtProc) support
    • Configurable processing modes (headers, body, trailers)
    • Request/response stream processing

    AI Gateway Capabilities

    • Multi-LLM provider support
    • OpenAI integration
    • Azure OpenAI integration
    • Anthropic integration
    • Google Gemini integration
    • Google Vertex AI integration
    • AWS Bedrock integration
    • Local/self-hosted LLM support (Ollama, Mistral)
    • Prompt enrichment (prepend/append system prompts)
    • Prompt guards (regex matching, content filtering)
    • PII protection and data masking
    • Built-in regex patterns (SSN, credit card, phone, email)
    • Custom regex patterns
    • Moderation endpoint integration
    • Webhook-based prompt guarding
    • LLM failover/priority groups
    • Model override
    • Auth token management (inline, secret ref, passthrough)
    • Chat and streaming route types

    MCP Gateway (Model Context Protocol)

    • MCP server backend support
    • Streamable HTTP protocol
    • Server-Sent Events (SSE) protocol
    • Static and selector-based MCP targets

    AWS Integration

    • AWS Lambda function backends
    • AWS authentication (secrets, environment, web identity, EKS Pod Identity)
    • Lambda invocation modes (sync, async)
    • Payload transformation for Lambda

    Observability

    • Access logging (file sink, gRPC service, OpenTelemetry)
    • Access log filtering (status code, duration, headers, gRPC status, CEL)
    • Distributed tracing (OpenTelemetry)
    • Custom trace attributes
    • Trace sampling configuration
    • Metrics endpoint
    • Prometheus integration
    • Stats server configuration
    • AI-specific observability

    Service Mesh Integration

    • Istio ambient mesh support (ingress, egress, waypoint proxy)
    • Istio sidecar mesh support
    • mTLS with Istio
    • Istio proxy sidecar injection

    Deployment Patterns

    • Simple ingress gateway
    • Sharded gateway
    • Sharded gateway with central ingress
    • Edge proxy
    • API gateway
    • Service mesh gateway
    • Multi-cluster support

    Policy Management

    • TrafficPolicy for route-level policies
    • HTTPListenerPolicy for listener-level policies
    • BackendConfigPolicy for backend configuration
    • DirectResponse for static responses
    • GatewayExtension for external services
    • Policy attachment via targetRefs
    • Policy attachment via label selectors
    • Global policy attachment (cross-namespace)
    • Policy inheritance and merging
    • Policy priority ordering

    Backend Configuration

    • Static backends (host/port lists)
    • Kubernetes Service backends
    • Dynamic forward proxy backends
    • AI/LLM backends
    • AWS Lambda backends
    • MCP backends
    • Connection timeout configuration
    • Per-connection buffer limits
    • HTTP/1.1 protocol options
    • HTTP/2 protocol options
    • App protocol specification (http2, grpc, grpc-web, websocket)

    Kubernetes Integration

    • GatewayParameters for proxy customization
    • Automatic proxy deployment provisioning
    • Service account configuration
    • Pod template customization
    • Deployment strategy configuration
    • Resource limits and requests
    • Security context configuration
    • Node selectors and tolerations
    • Affinity rules
    • Topology spread constraints
    • Graceful shutdown
    • Startup, readiness, and liveness probes
    • Extra volumes and volume mounts
    • Environment variable configuration

    Operations

    • Helm installation
    • GitOps-native declarative configuration
    • Hot reload without restarts
    • xDS server for configuration distribution
    • Health check endpoints
    • Admin interface
    • Debug capabilities
    • Upgrade support
    • Uninstall procedures

    Extensibility

    • Custom resource definitions (CRDs)
    • GatewayExtension for external services integration
    • ExtAuth provider configuration
    • ExtProc provider configuration
    • RateLimit provider configuration
    • HashiCorp Vault integration (via extensions)
    • Plugin ecosystem compatibility

    Use Cases

    API Gateway

    • Centralized API entry point for microservices
    • API routing and aggregation
    • API versioning through routing rules
    • API rate limiting and throttling
    • API authentication and authorization
    • Request/response transformation for APIs
    • API traffic management and load balancing

    Kubernetes Ingress Controller

    • External traffic ingress to Kubernetes clusters
    • TLS termination at the edge
    • Host-based and path-based routing
    • Load balancing across services
    • Health checking and failover
    • Canary deployments and traffic splitting

    AI Gateway

    • Unified access to multiple LLM providers (OpenAI, Anthropic, Azure OpenAI, etc.)
    • LLM request routing and load balancing
    • AI model failover and priority-based routing
    • Prompt enrichment and system prompt injection
    • Prompt guards and content filtering
    • PII protection and data masking in AI requests/responses
    • Centralized AI credential management
    • Local LLM integration (Ollama, Mistral)
    • AI-specific observability and monitoring

    MCP Gateway (Model Context Protocol)

    • Secure access to MCP servers for AI agents
    • Agent-to-server communication management
    • Session-smart routing for agent workflows
    • MCP server discovery and load balancing

    Service Mesh Integration

    • Ingress gateway for Istio ambient mesh
    • Ingress gateway for Istio sidecar mesh
    • Waypoint proxy for ambient mesh
    • East-west traffic management within mesh
    • mTLS enforcement for service-to-service communication

    Microservices Architecture

    • Service-to-service routing
    • Traffic splitting for A/B testing
    • Canary releases and progressive rollouts
    • Blue-green deployments
    • Circuit breaking for fault tolerance
    • Retry and timeout policies
    • Rate limiting per service

    Edge Proxy

    • TLS/SSL termination
    • External traffic management
    • DDoS protection through rate limiting
    • Authentication at the edge
    • Geographic routing
    • Request filtering and validation

    Serverless Integration

    • AWS Lambda function invocation
    • Serverless function routing
    • Function-level authentication
    • Request transformation for Lambda payloads

    Security Gateway

    • Centralized authentication (JWT, OAuth, OIDC)
    • External authorization integration
    • Role-based access control (RBAC)
    • API key validation
    • LDAP authentication
    • CORS policy enforcement
    • CSRF protection
    • TLS enforcement and certificate management

    Traffic Management

    • Weighted traffic distribution
    • Header-based routing decisions
    • Request mirroring for testing
    • Traffic shadowing
    • Failover and redundancy
    • Global and local rate limiting

    Developer Experience

    • Local development with dynamic configuration
    • GitOps-native workflows
    • Declarative configuration via CRDs
    • Integration with CI/CD pipelines
    • Traffic debugging and troubleshooting

    Multi-Tenant Environments

    • Namespace isolation
    • Sharded gateways for tenant separation
    • Resource quotas via rate limiting
    • Tenant-specific routing rules
    • Access control per tenant

    Hybrid and Multi-Cloud

    • Consistent gateway across environments
    • External service integration
    • Static backend routing to non-Kubernetes services
    • Dynamic forward proxy for external destinations

    Observability Platform

    • Centralized access logging
    • Distributed tracing integration
    • Metrics collection for monitoring
    • Traffic analysis and debugging
    • AI workload observability

    Legacy Application Modernization

    • Protocol bridging (HTTP/1.1 to HTTP/2)
    • Request/response transformation
    • Header manipulation for compatibility
    • Gradual traffic migration
    • Strangler pattern implementation

    High Availability Deployments

    • Multi-replica gateway deployments
    • Health checking and automatic failover
    • Graceful shutdown handling
    • Rolling updates without downtime
    • Outlier detection and ejection

    Compliance and Governance

    • Audit logging of all traffic
    • Policy enforcement at the gateway
    • Data masking for sensitive information
    • TLS compliance requirements
    • Access control auditing