Gateway Options Analysis - Context
Project: HIP Platform - API Gateway Replacement
Date: 2026-02-23
Status: Analysis Complete
Executive Summary
Analysis of options to replace Kong Enterprise (£600k/year license) with a cost-effective alternative that maintains enterprise support for Critical National Infrastructure workloads.
Primary Recommendation: AWS API Gateway
Projected Annual Savings: £553k (90% reduction)
Problem Statement
Kong Enterprise costs approximately £600k per year in licensing, plus an additional £10-15k in infrastructure costs, totaling ~£610-615k annually. This cost is:
- Largely independent of usage growth
- Concentrated in a small feature set (authn/z and rate limiting)
- A significant operational expense for the value derived
Key Constraint: Strong requirement for enterprise support due to Critical National Infrastructure (CNI) designation.
Analysis Completed
1. Document Structure
Comprehensive evaluation documented in initial-thoughts.md:
- Why Kong Enterprise is being replaced
- Current delivery and ownership model (federated, centrally operated)
- Gateway requirements (OpenAPI, authn/z, rate limiting, operational characteristics)
- Decision criteria (enterprise support requirement)
- Architectural options evaluated (AWS API Gateway, K8s Ingress, Gateway API, Istio, Envoy Gateway)
- Detailed cost modeling with traffic tiers
- Implementation roadmap
2. Cost Modeling
Traffic Tier Definitions (strawman model based on 20k req/sec peak estimate):
| Tier | Time Window | Requests/Second | Days/Year | Annual Requests |
|---|---|---|---|---|
| Night | 9pm-6am daily | 1,000 | 365 | 11.8B |
| Peak | 9am-6pm, peak days | 20,000 | 20 | 13.0B |
| Busy | 9am-6pm, busy days | 10,000 | 20 | 6.5B |
| Steady State | 9am-6pm, normal days | 5,000 | 325 | 52.7B |
| TOTAL | - | - | - | 83.9B |
Peak Month Concentration: 10 peak + 10 busy days occur in one calendar month, resulting in:
- Peak month: 12.3B requests (~£7,677 API Gateway cost)
- Average month: 7.0B requests (~£4,400 API Gateway cost)
- Peak month is 1.74x average (acceptable variability)
3. Options Analysis Summary
Option A: AWS API Gateway (Recommended)
- Total Annual Cost: ~£56,900
  - API Gateway fees: £52,800
  - Infrastructure (VPC Link, NLB, data transfer): £4,100
- Enterprise Support: Included in existing AWS Enterprise Support
- Savings vs Kong: £553k (90% reduction)
- Trade-offs: Vendor lock-in (mitigated by existing AWS commitment), control plane externalization, VPC Link complexity
Option B: Istio/Envoy Gateway with Enterprise Support
- Total Annual Cost: ~£85-400k
  - Tetrate Service Bridge: £154-385k
  - Solo.io Gloo Mesh: £77-231k
  - Red Hat OpenShift Service Mesh: £40-60k (requires OpenShift migration)
  - Infrastructure: £10-15k
- Savings vs Kong: £210-525k (34-86% reduction)
- Trade-offs: Still significant support costs; varies widely by vendor
Option C: Istio/Envoy Gateway (Self-Supported)
- Total Annual Cost: ~£10-15k (infrastructure only)
- Savings vs Kong: £595-600k (98% reduction)
- Trade-offs: High operational risk for CNI workloads; requires strong internal expertise; no SLA-backed support
4. Enterprise Support Pricing Research
Added specific vendor pricing references (previously estimated as “comparable to Kong”):
| Gateway | Vendor/Support Provider | Support Model | Estimated Annual Cost |
|---|---|---|---|
| Istio | Tetrate (Service Bridge) | Enterprise platform + support | $200k-500k USD (~£154-385k) |
| Istio | Solo.io (Gloo Mesh) | Enterprise service mesh + support | $100k-300k USD (~£77-231k) |
| Istio | Red Hat OpenShift Service Mesh | Included in OpenShift subscription | ~$50-75k USD (~£40-60k) |
| Kong Gateway (OSS) | Kong Inc. | Enterprise license + support | ~£500-600k |
Important Caveats:
- Most vendors do not publish list pricing (quote-based)
- Actual costs depend on scale, support tier, and negotiated contracts
- Estimates based on industry knowledge and publicly discussed ranges
- Requires vendor engagement for formal quotes
Key Decisions Made
- Enterprise support is mandatory - CNI workloads require SLA-backed vendor support
- AWS API Gateway emerges as the pragmatic choice - Balances cost, support, and operational maturity
- Federated delivery model retained - Producers manage API definitions; APIM team owns gateway runtime
- GitOps-first approach maintained - Declarative configuration via Argo CD
Next Steps
Immediate Actions
- Cost validation: Confirm traffic tier estimates with actual usage data
- Vendor engagement: Formal quotes from Tetrate and Solo.io (if considering Istio alternative)
- AWS API Gateway POC:
  - Deploy ACK controller
  - Validate Keycloak integration via JWT authorizers
  - Test OpenAPI import pipeline
  - Confirm rate limiting capabilities
Decision Point
- Go/No-Go on AWS API Gateway based on POC results and confirmed cost projections
- If No-Go: Re-evaluate Istio with enterprise support (if cost acceptable) or challenge enterprise support constraint
Files in This Analysis
- gateway-replacement-proposal.md - Distributable proposal document (executive summary + detailed analysis)
- initial-thoughts.md - Working analysis document with full detail (700+ lines)
- CONTEXT.md - This summary (AI context for continuity)
Related Context
- .ai/projects/hip/SYSTEM-CONTEXT.md - HIP platform architecture and operational model
- Kong Enterprise runs on dedicated EKS node group
- Platform serves 20+ producer teams with 10+ API categories
- GitOps delivery via GitLab + Argo CD
- Current auth: Keycloak (OIDC/OAuth2 + basic shared token)
- Observability: Separate O11Y team-owned infrastructure
Status: Proposal Written
Analysis is complete. A distributable proposal document has been written for both technical leadership and senior management audiences.
Recommendation: Proceed with AWS API Gateway POC to validate technical feasibility and cost projections.