API Gateway Replacement Options

1. Why We’re Considering Replacing Kong Enterprise

We currently run Kong Enterprise as our API gateway in a Kubernetes-based platform on AWS.

The primary driver for change is cost:

  • Kong Enterprise licence cost is approximately £600k per year
  • This cost is largely independent of actual usage growth or feature adoption
  • The value we derive is concentrated in a small number of features (authn/z and rate limiting)

Secondary drivers include:

  • Desire to reduce dependence on a proprietary control plane
  • Governance risk associated with vendor-led roadmaps
  • Opportunity to simplify the gateway architecture while retaining our existing delivery model

We are already operating a Kubernetes-native platform with GitOps (GitLab + Argo CD), so replacing the gateway is an opportunity to align more closely with upstream Kubernetes networking standards.

2. Current Delivery and Ownership Model

Our operating model is centrally owned and operated:

The APIM team owns:

  • Gateway runtime
  • Routing configuration
  • Authentication and authorisation
  • Rate limiting and traffic policy

Federated teams:

  • Do not interact with Kubernetes
  • Provide OpenAPI (OAS) specifications & configuration only
  • Interact with us via a GitOps or ClickOps (or in future, potentially ApiOps) interface
  • NB. We’re ignoring advanced APIs for the purposes of this doc as they have negligible impact on the decision

An OpenAPI spec is treated as the input contract, not the runtime configuration.

3. What We Need From the Gateway

The gateway must meet the following functional requirements.

3.1 OpenAPI Handling

  • OpenAPI is the authoritative description of APIs
  • Gateway configuration may be derived from OAS, but OAS is not expected to be consumed directly at runtime
  • Optional request validation against OpenAPI schemas is desirable, but not mandatory if it adds significant complexity

3.2 Authentication and Authorisation

  • Currently handled by Keycloak; replacement must integrate with Keycloak or potentially replace it (e.g., AWS Cognito)
  • Support for both standard OAuth2 / OIDC flows and our current basic shared token authentication
  • Clear separation between platform-managed authentication elements and simple producer configuration
  • Ability to enforce consistent authn/z across all exposed APIs
  • Centralised configuration (not per-API ownership)

This currently maps to Kong’s Advanced Auth plugin.

3.3 Rate Limiting

  • Global and per-API rate limiting
  • Preferably identity-aware (per-client / per-principal)
  • Central policy ownership
  • Predictable behaviour under load

3.4 Operational Characteristics

Core requirement: Federated delivery model - Producers manage ‘their’ API definition independently

This federated delivery model naturally lends itself to:

  • Declarative configuration - API definitions as code
  • GitOps-friendly workflows (Argo CD) - Version-controlled, auditable changes
  • Kubernetes-native deployment (desirable but not mandatory) - GitOps workflows integrate well with Kubernetes, but the key is federated delivery, not the underlying platform

Additional operational requirements:

  • Strong observability and debuggability
  • High availability and horizontal scalability

4. Decision Criteria and Constraints

4.1 Enterprise Support Requirement

Strong preference for enterprise support. While open-source solutions are technically viable, the operational reality of managing Critical National Infrastructure on this platform creates a compelling case for vendor-backed enterprise support.

Key considerations:

  • Risk mitigation: Enterprise support provides SLA-backed incident response and security patching
  • Cost comparison: Other enterprise gateway products are likely to have similar pricing to Kong Enterprise (£600k p.a.)
  • AWS API Gateway emerges as the leading candidate:
    • Integrated AWS Support at existing Enterprise Support tier
    • No additional vendor relationship or procurement overhead
    • Aligned with existing AWS infrastructure investment
    • Clear cost model tied to usage rather than flat licensing

4.2 Implications for Options Analysis

Given the enterprise support preference, the decision space narrows significantly:

  • AWS-managed solutions (AWS API Gateway) benefit from existing AWS Enterprise Support
  • Open-source Kubernetes-native gateways (Istio, Envoy Gateway) would require either:
    • Self-support (increases operational risk for CNI workloads)
    • Enterprise support contracts (likely similar cost to current Kong licensing)
    • Hybrid approach (AWS support for infrastructure, community support for gateway)

This constraint shifts the analysis toward AWS API Gateway as the pragmatic choice, despite previously identified concerns around vendor lock-in and control plane externalization.

5. Architectural Options

5.1 AWS API Gateway

AWS API Gateway (HTTP APIs or REST APIs) is a managed alternative.

Pros:

  • Fully managed control plane
  • Integrated with AWS IAM, logging, and monitoring
  • Scales without operational effort

Cons:

  • Strong vendor lock-in
  • OpenAPI support relies on AWS-specific extensions
  • Keycloak integration is possible but less flexible than in-cluster gateways
  • Rate limiting capabilities are comparatively coarse
  • GitOps integration requires an indirection layer (ACK or Crossplane)
  • Hard limits: 10MB maximum payload size, 30-second maximum integration timeout (aligns with current platform NFRs but becomes enforced at gateway level rather than policy)

Operational Model:

  • Argo CD would manage Kubernetes CRDs
  • A controller (ACK or Crossplane) would reconcile these into AWS resources
  • This adds complexity and reduces transparency

How ACK Manages AWS API Gateway from Kubernetes

AWS Controllers for Kubernetes (ACK) provides a way to manage AWS API Gateway resources using Kubernetes CRDs. The architecture involves several components working together:

Architecture Components:

  • ACK Controller: Runs in the Kubernetes cluster and watches for API Gateway CRDs
  • VPC Link: AWS-managed ENIs that connect API Gateway to our VPC
  • Network Load Balancer (NLB) or Application Load Balancer (ALB): Sits inside our VPC
  • Kubernetes Services: Target services running in EKS

Key Points:

  • API Gateway is NOT inside the cluster: It’s a fully managed AWS service outside our VPC
  • VPC Link provides the bridge: AWS creates and manages Elastic Network Interfaces (ENIs) in our VPC subnets
  • Load Balancer is required: We must have an NLB or ALB inside our VPC to receive traffic from the VPC Link
  • No direct pod access: API Gateway cannot route directly to Kubernetes services - it must go through a load balancer
  • ACK manages the control plane: The ACK controller translates Kubernetes CRDs into AWS API Gateway API calls
  • Routing happens at multiple layers:
    • API Gateway routes based on paths/methods to different VPC Link integrations
    • Load Balancer routes to Kubernetes services
    • Kubernetes services route to pods

Configuration Flow:

  1. Define API Gateway resources as Kubernetes CRDs (API, VPCLink, Stage, Routes)
  2. Argo CD applies these CRDs to the cluster
  3. ACK controller watches for these CRDs and calls AWS APIs to create/update API Gateway resources
  4. API Gateway is configured to use VPC Link for private integration
  5. VPC Link connects to NLB/ALB listener ARNs
  6. NLB/ALB forwards traffic to Kubernetes services
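The translation step behind this flow is the piece the platform team would own (the “OAS → API Gateway tooling” budgeted in section 8.10). The following is an added example, not HIP platform code or an ACK sample: it turns a constructed OpenAPI document into ACK apigatewayv2 manifests with a Keycloak-backed JWT authorizer attached to every route. The CRD kinds and field names (`apiRef`, `connectionRef`, `targetRef`, `authorizerRef`) are assumed from the ACK apigatewayv2 controller and should be checked against the installed CRDs; the VPC Link name, listener ARN and Keycloak issuer are placeholders.

```python
"""Generate ACK apigatewayv2 manifests from an OpenAPI document.

Added example, not HIP platform code. Assumption: CRD kinds and field names
(API, Integration, Authorizer, Route, Stage; apiRef/connectionRef/targetRef/
authorizerRef) follow the ACK apigatewayv2 controller; confirm against the
installed CRDs with `kubectl explain route.spec` before relying on them.
"""
import json
import re

ACK_API_VERSION = "apigatewayv2.services.k8s.aws/v1alpha1"
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed sample OAS: the only artefact a producer supplies.
SAMPLE_OAS = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.2.0", "x-platform-slug": "orders"},
    "paths": {
        "/orders": {"get": {"summary": "List orders"}, "post": {"summary": "Create order"}},
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "required": True}],
            "get": {"summary": "Fetch one order"},
        },
    },
}


def _k8s_name(*parts: str) -> str:
    """Build a DNS-1123 safe resource name from free text (slug, method, path)."""
    return re.sub(r"[^a-z0-9]+", "-", "-".join(parts).lower()).strip("-")[:63]


def _manifest(kind: str, name: str, namespace: str, spec: dict) -> dict:
    return {"apiVersion": ACK_API_VERSION, "kind": kind,
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def ack_manifests(oas: dict, *, namespace: str, vpc_link: str,
                  listener_arn: str, issuer: str, audience: str) -> list:
    """Return the ACK resources for one API; routing and auth stay platform-owned."""
    slug = oas["info"]["x-platform-slug"]
    api_name, integ_name, auth_name = (_k8s_name(slug, s) for s in ("api", "backend", "jwt"))
    api_ref = {"from": {"name": api_name}}

    out = [
        _manifest("API", api_name, namespace, {"name": api_name, "protocolType": "HTTP"}),
        # Private integration: API Gateway -> VPC Link -> NLB listener -> EKS service.
        _manifest("Integration", integ_name, namespace, {
            "apiRef": api_ref,
            "integrationType": "HTTP_PROXY",
            "integrationMethod": "ANY",
            "connectionType": "VPC_LINK",
            "connectionRef": {"from": {"name": vpc_link}},  # VPCLink managed separately
            "integrationURI": listener_arn,
            "payloadFormatVersion": "1.0",
        }),
        # Keycloak realm is the JWT issuer; the audience pins the expected client.
        _manifest("Authorizer", auth_name, namespace, {
            "apiRef": api_ref,
            "name": auth_name,
            "authorizerType": "JWT",
            "identitySource": ["$request.header.Authorization"],
            "jwtConfiguration": {"issuer": issuer, "audience": [audience]},
        }),
    ]

    for path, item in oas["paths"].items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # "parameters", "summary" etc. are not operations
            # Fail closed: a producer cannot opt a route out of platform auth via the OAS.
            if op.get("security") == []:
                raise ValueError(f"{method.upper()} {path}: security opt-out not permitted")
            out.append(_manifest("Route", _k8s_name(slug, method, path), namespace, {
                "apiRef": api_ref,
                "routeKey": f"{method.upper()} {path}",  # OAS path templates are valid route keys
                "targetRef": {"from": {"name": integ_name}},
                "authorizationType": "JWT",
                "authorizerRef": {"from": {"name": auth_name}},
            }))

    out.append(_manifest("Stage", _k8s_name(slug, "default"), namespace,
                         {"apiRef": api_ref, "stageName": "$default", "autoDeploy": True}))
    return out


def route_keys(manifests: list) -> list:
    """Route keys in manifest order, handy for diffing against the OAS."""
    return [m["spec"]["routeKey"] for m in manifests if m["kind"] == "Route"]


if __name__ == "__main__":
    docs = ack_manifests(
        SAMPLE_OAS, namespace="apim", vpc_link="platform-vpc-link",
        listener_arn="arn:aws:elasticloadbalancing:eu-west-2:000000000000:listener/net/PLACEHOLDER",
        issuer="https://keycloak.example.internal/realms/PLACEHOLDER",
        audience="orders-api",
    )
    print(json.dumps(docs, indent=2))
```

Argo CD would sync the emitted manifests and the ACK controller would reconcile them into the API, integration, authorizer, routes and stage; the opt-out check is what keeps “consistent authn/z across all exposed APIs” enforceable when the OAS is the only federated input.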

Limitations:

  • Additional infrastructure: Requires NLB/ALB for each service (or multiple listeners on one NLB)
  • Complexity: Multiple layers of routing and configuration
  • Cost: VPC Link, NLB/ALB, and API Gateway all have associated costs
  • Latency: Additional network hops compared to in-cluster gateways

Assessment

Given the enterprise support requirement, AWS API Gateway becomes the leading candidate despite trade-offs:

Supports enterprise requirements:

  • Integrated with existing AWS Enterprise Support (no additional vendor contracts)
  • Proven at scale with strong SLAs
  • Reduces procurement and vendor management overhead
  • Clear, usage-based cost model (see Section 8 for costing analysis)

Trade-offs accepted:

  • Vendor lock-in to AWS (mitigated by existing AWS commitment)
  • Control plane externalized (acceptable given managed service benefits)
  • Additional architectural complexity with VPC Links and load balancers (operational overhead justified by support model)
  • Less flexible Keycloak integration (workable within constraints)
  • Hard enforcement of platform NFRs: AWS API Gateway enforces 10MB payload and 30-second timeout limits at the gateway level (aligns with existing platform NFRs, but changes from policy guidance to hard technical constraint)

Conclusion: While originally assessed as conflicting with governance concerns, the enterprise support constraint makes AWS API Gateway the pragmatic choice that balances risk, cost, and operational reality.

5.2 Kubernetes Ingress-Based Gateways

We already operate an ingress-based stack successfully.

Ingress is:

  • Stable
  • Well understood
  • Operationally proven

However:

  • Ingress APIs are effectively feature-complete and frozen
  • Advanced behaviour is implemented via controller-specific annotations
  • Auth and rate limiting semantics are not portable

If we replaced Kong with another ingress-based solution, we would likely:

  • Reduce licence cost
  • But re-encode gateway behaviour into another vendor-specific dialect

This improves cost but does not materially improve long-term portability.

5.3 Kubernetes Gateway API

Gateway API is the successor to Ingress and is designed for long-lived, centrally operated gateways.

Key characteristics:

  • Typed, structured APIs (Gateway, HTTPRoute, policy resources)
  • Clear separation of concerns (listeners vs routing vs policy)
  • Actively evolving as the Kubernetes networking standard

For our model:

  • Platform team still owns 100% of the configuration
  • Federated teams continue to provide OAS only
  • Gateway API acts as an internal, neutral configuration model

The primary benefit is not delegation, but:

  • Cleaner abstraction boundaries
  • Reduced reliance on annotations
  • Lower future migration cost

6. Kubernetes Gateway Implementations

6.1 Istio

We already operate Istio in the platform.

Pros:

  • Already deployed and understood
  • Strong OIDC / JWT integration with Keycloak
  • Mature traffic policy (rate limiting, retries, timeouts)
  • Gateway API support is actively developed

Cons:

  • Relatively heavy-weight
  • Gateway and mesh concerns can become intertwined if not carefully managed

Istio represents the lowest operational friction option.

6.2 Envoy-Based Gateways (Envoy Gateway)

Envoy-based gateways provide:

  • CNCF-governed data plane (Envoy)
  • Gateway API as the primary configuration model
  • Strong authn/z and rate limiting capabilities

Pros:

  • Clean separation between gateway and service mesh concerns
  • Strong alignment with Gateway API direction
  • Reduced conceptual overhead compared to a full mesh

Cons:

  • Additional component to operate alongside Istio (if both are retained)

Envoy Gateway represents the cleanest conceptual gateway-only solution.

7. Recommendation (Updated)

Given:

  • We are already replacing Kong Enterprise
  • The licence cost (£600k p.a.) is the primary driver
  • Enterprise support is a strong requirement for CNI workloads
  • AWS API Gateway integrates with existing AWS Enterprise Support
  • We want to minimise long-term governance and vendor risk (balanced against support needs)

Primary recommendation: AWS API Gateway

  • Replace Kong Enterprise with AWS API Gateway (HTTP APIs)
  • Implement via AWS Controllers for Kubernetes (ACK) for GitOps integration
  • Retain the existing delivery model:
    • OAS as the only federated input
    • Platform-owned gateway configuration
    • Argo CD-managed deployment

Alternative (if enterprise support constraint is relaxed): Gateway API–based gateway

  • Use Istio Gateway or Envoy Gateway as the implementation
  • Accept community support or procure separate enterprise support contract

Rationale for AWS API Gateway

  • Enterprise support included in existing AWS contract (no additional vendor management)
  • Significant cost reduction from Kong’s £600k p.a. license to usage-based pricing (see Section 8 for detailed costing)
  • Operational maturity - fully managed service with proven scalability
  • Acceptable trade-offs:
    • Vendor lock-in is mitigated by existing AWS infrastructure commitment
    • Control plane externalization is offset by reduced operational burden
    • Additional complexity (VPC Links, load balancers) is manageable and well-documented

Non-Goals

  • We are not delegating Kubernetes access to API teams
  • We are not exposing Gateway API (or AWS API Gateway CRDs) directly to federated teams
  • We are not attempting a big-bang architectural rewrite

8. Cost Analysis and Comparison

8.1 Traffic Tier Definitions

To accurately model AWS API Gateway costs, we define traffic patterns based on expected usage.

Note: This model is a strawman intended as a starting point, and is based on an estimate of the SA peak volume being 20k requests/sec.

| Tier | Time Window | Requests/Second | Days per Year | Hours per Day | Total Hours/Year |
|---|---|---|---|---|---|
| Night | 9pm - 6am daily | 1,000 | 365 | 9 | 3,285 |
| Peak | 9am - 6pm, peak days | 20,000 | 20 | 9 | 180 |
| Busy | 9am - 6pm, busy days | 10,000 | 20 | 9 | 180 |
| Steady State | 9am - 6pm, normal days | 5,000 | 325* | 9 | 2,925 |

*365 days - 20 peak - 20 busy = 325 normal days

Total annual hours: 6,570 hours

Peak month concentration: Our peak traffic happens in one calendar month; estimate 10 of the peak days and 10 of the busy days occurring in that single month.

8.2 Request Volume Calculations

Annual Request Volumes by Tier

| Tier | Hours/Year | Requests/Second | Requests/Hour | Total Requests/Year |
|---|---|---|---|---|
| Night | 3,285 | 1,000 | 3,600,000 | 11,826,000,000 |
| Peak | 180 | 20,000 | 72,000,000 | 12,960,000,000 |
| Busy | 180 | 10,000 | 36,000,000 | 6,480,000,000 |
| Steady State | 2,925 | 5,000 | 18,000,000 | 52,650,000,000 |
| TOTAL | 6,570 | - | - | 83,916,000,000 |

Total annual requests: ~84 billion requests/year

Peak Month Request Volumes

Given that peak traffic concentrates in one month (10 peak days + 10 busy days):

| Period | Days | Hours/Day | Requests/Sec | Total Requests |
|---|---|---|---|---|
| Peak days (10 days) | 10 | 9 | 20,000 | 6,480,000,000 |
| Busy days (10 days) | 10 | 9 | 10,000 | 3,240,000,000 |
| Night (30 days) | 30 | 9 | 1,000 | 972,000,000 |
| Steady State (10 days) | 10 | 9 | 5,000 | 1,620,000,000 |
| Peak Month TOTAL | 30 | - | - | 12,312,000,000 |

Peak month requests: ~12.3 billion requests

Peak month cost impact: Billing is monthly, so the peak month will have significantly higher costs:

| Tier | Requests | Price per Million | Cost |
|---|---|---|---|
| First 300M | 300,000,000 | $1.00 | $300.00 |
| Next 700M | 700,000,000 | $0.90 | $630.00 |
| Next 11.312B | 11,312,000,000 | $0.80 | $9,049.60 |
| Peak Month TOTAL | 12,312,000,000 | - | $9,979.60 |

Peak month API Gateway cost: $9,979.60 (~£7,676.62)

This is approximately 1.74x the average monthly cost, i.e. an additional ~$4,255/month (~£3,273) during the peak period. This variability is acceptable and significantly more favourable than flat licensing costs.

8.3 AWS API Gateway Pricing (HTTP APIs)

AWS API Gateway HTTP APIs pricing (as of 2026, eu-west-2 London region):

| Tier | Requests per Month | Price per Million Requests |
|---|---|---|
| First 300 million | 0 - 300M | $1.00 |
| Next 700 million | 300M - 1B | $0.90 |
| Over 1 billion | 1B+ | $0.80 |

Monthly request volume: 83.916B / 12 = ~6.993 billion requests/month

8.4 AWS API Gateway Cost Calculation

Monthly Cost Breakdown

| Tier | Requests | Price per Million | Cost |
|---|---|---|---|
| First 300M | 300,000,000 | $1.00 | $300.00 |
| Next 700M | 700,000,000 | $0.90 | $630.00 |
| Next 5.993B | 5,993,000,000 | $0.80 | $4,794.40 |
| TOTAL | 6,993,000,000 | - | $5,724.40/month |

Annual API Gateway cost: $68,692.80 (~£52,700 at 1.30 GBP/USD)
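The arithmetic in sections 8.1 to 8.4 (tier hours to annual volume, peak-month mix, tiered HTTP API price bands) is small enough to keep as a script so the assumptions can be re-run when the traffic estimates are refined. The following is an added worked example, not platform code; it uses only the tiers, peak-month mix, price bands and 1.30 GBP/USD rate stated on this page.

```python
"""Request-volume and AWS HTTP API pricing model from sections 8.1-8.4.

Added worked example that reproduces the document's own arithmetic; it is not
platform code. Tier definitions, peak-month mix and price bands are the ones
stated on the page; the GBP rate is the page's 1.30.
"""
from decimal import ROUND_HALF_UP, Decimal

# Section 8.1: (tier, requests/second, days/year, hours/day)
TIERS = [
    ("Night", 1_000, 365, 9),
    ("Peak", 20_000, 20, 9),
    ("Busy", 10_000, 20, 9),
    ("Steady State", 5_000, 325, 9),
]
# Section 8.2 peak month: (tier, days in that month)
PEAK_MONTH = [("Peak", 10), ("Busy", 10), ("Night", 30), ("Steady State", 10)]
# Section 8.3 price bands: (band size in requests, USD per million); None = unbounded
PRICE_BANDS = [(300_000_000, Decimal("1.00")),
               (700_000_000, Decimal("0.90")),
               (None, Decimal("0.80"))]
USD_PER_GBP = Decimal("1.30")
CENTS = Decimal("0.01")


def annual_requests(tiers=TIERS) -> int:
    """Total requests/year: sum over tiers of rps * days * hours * 3600."""
    return sum(rps * days * hours * 3600 for _, rps, days, hours in tiers)


def peak_month_requests(tiers=TIERS, month=PEAK_MONTH) -> int:
    """Requests in the peak month, using each tier's rps and hours/day."""
    rps = {name: r for name, r, _, _ in tiers}
    hours = {name: h for name, _, _, h in tiers}
    return sum(rps[n] * days * hours[n] * 3600 for n, days in month)


def monthly_cost_usd(requests: int) -> Decimal:
    """Apply the tiered bands to one month's volume (billing is monthly)."""
    remaining, cost = requests, Decimal(0)
    for size, price in PRICE_BANDS:
        take = remaining if size is None else min(remaining, size)
        cost += Decimal(take) / 1_000_000 * price
        remaining -= take
        if remaining == 0:
            break
    return cost.quantize(CENTS, rounding=ROUND_HALF_UP)


def annual_cost_usd() -> Decimal:
    """Average month (annual volume / 12) priced 12 times."""
    return monthly_cost_usd(annual_requests() // 12) * 12


def usd_to_gbp(usd: Decimal) -> Decimal:
    return (usd / USD_PER_GBP).quantize(CENTS, rounding=ROUND_HALF_UP)


def peak_to_average_ratio() -> Decimal:
    """How much the peak month exceeds an average month's API Gateway bill."""
    return (monthly_cost_usd(peak_month_requests())
            / monthly_cost_usd(annual_requests() // 12)).quantize(CENTS)


if __name__ == "__main__":
    avg_month = annual_requests() // 12
    print(f"annual requests:     {annual_requests():,}")
    print(f"average month cost:  ${monthly_cost_usd(avg_month)}")
    print(f"peak month requests: {peak_month_requests():,}")
    print(f"peak month cost:     ${monthly_cost_usd(peak_month_requests())}"
          f" (~£{usd_to_gbp(monthly_cost_usd(peak_month_requests()))})")
    print(f"annual cost:         ${annual_cost_usd()} (~£{usd_to_gbp(annual_cost_usd())})")
    print(f"peak/average ratio:  {peak_to_average_ratio()}x")
```

Changing a tier's rps or days in `TIERS` re-derives the annual and peak-month figures in one place, which is the “cost validation” step listed under next steps.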

8.5 Infrastructure Cost Components

Cost Categories by Gateway Option

The following costs apply differently depending on the gateway choice:

Costs common to all options (baseline infrastructure):

  • EKS node group compute (for API services)
  • Inter-AZ data transfer within cluster
  • EBS volumes and storage
  • Observability infrastructure

AWS API Gateway specific costs:

| Component | Cost Significance | Annual Estimate | Notes |
|---|---|---|---|
| API Gateway (HTTP APIs) | HIGH | ~$68,700 / £52,800 | Primary cost driver; scales with request volume |
| VPC Link | LOW | ~$130 / £100 | Per VPC Link; likely need 1-2 |
| Network Load Balancer (NLB) | LOW | ~$850 / £650 | Required for VPC Link integration; disable cross-zone load balancing for AZ affinity |
| Data Transfer (inter-AZ) | NEGLIGIBLE | ~£0 | Eliminated via AZ affinity (requests stay within entry AZ) |

Kubernetes-native Gateway specific costs (Istio/Envoy Gateway):

| Component | Cost Significance | Annual Estimate | Notes |
|---|---|---|---|
| Gateway node group compute | MEDIUM | TBD | Dedicated nodes for gateway pods; scaled to handle traffic |
| Enterprise support (if procured) | HIGH | See below | Varies significantly by vendor and support level |
| Load Balancer (ALB/NLB) | LOW | ~$300-850 / £230-650 | External load balancer for ingress traffic; disable cross-zone load balancing for AZ affinity |
| Data Transfer (inter-AZ) | NEGLIGIBLE | ~£0 | Eliminated via AZ affinity (requests stay within entry AZ) |

Enterprise Support Options for Kubernetes-native Gateways:

| Gateway | Vendor/Support Provider | Support Model | Estimated Annual Cost | Notes |
|---|---|---|---|---|
| Istio | Tetrate (Tetrate Service Bridge) | Enterprise platform + support | $200k-500k+ USD | Full enterprise features, training, SLAs; pricing varies by scale |
| Istio | Solo.io (Gloo Mesh) | Enterprise service mesh + support | $100k-300k+ USD | Istio-based with additional features; smaller deployments less expensive |
| Istio | Red Hat OpenShift Service Mesh | Included in OpenShift subscription | ~$50-75k USD/cluster | OUT OF SCOPE - Requires migrating from EKS to OpenShift |
| Envoy Gateway | Tetrate | Enterprise support available | TBD | Newer offering; pricing not widely published |
| Envoy Gateway | Community support | Free | £0 | No SLAs; relies on internal expertise |
| Kong Gateway (OSS) | Kong Inc. | Enterprise license + support | ~£500-600k | Reference point - our current situation |
| NGINX | F5 NGINX | Enterprise Plus | $30k-100k+ USD | Simpler gateway; may lack some features vs. Kong |

Key observations:

  • Enterprise support costs vary widely: $30k-600k+ annually depending on vendor, features, and scale
  • Istio enterprise support typically ranges $100k-500k+ (significantly cheaper than Kong’s £600k but still substantial)
  • Self-managed open-source options exist but increase operational risk for CNI workloads
  • AWS support doesn’t cover application-layer components like Istio/Envoy Gateway (only EKS infrastructure)

Data gaps:

  • Specific pricing for our scale and requirements requires vendor engagement
  • Most enterprise gateway vendors do not publish list pricing (quote-based)
  • Support tiers vary (basic support vs. 24/7 vs. dedicated TAM)

Key differentiators:

  • AWS API Gateway: High API Gateway fees (~£53k), but no dedicated gateway compute or enterprise support costs
  • Open-source Gateway: No API Gateway fees, but requires gateway node group compute + potential enterprise support costs (~£75-385k)

8.6 Total Solution Cost Comparison

| Solution | Gateway/License | Infrastructure | Support | Total Annual Cost (GBP) |
|---|---|---|---|---|
| Kong Enterprise (current) | £600,000 (license) | £10k-15k (node group)* | Included | ~£610-615k |
| AWS API Gateway | £52,800 (API GW) | £1,000 (VPC+NLB)** | Included in AWS | ~£53,800 |
| Istio (Tetrate support) | £0 | £10k-15k (node group)* | £154-385k*** | ~£164-400k |
| Istio (Solo.io support) | £0 | £10k-15k (node group)* | £75-230k*** | ~£85-245k |
| Istio/Envoy (self-supported) | £0 | £10k-15k (node group)* | £0 (internal) | ~£10-15k |

*Estimated EKS node group costs for gateway workloads (compute + storage)
**VPC Link + NLB only; inter-AZ data transfer eliminated via AZ affinity (cross-zone load balancing disabled)
***Based on publicly available ranges: Tetrate 100k-300k (converted at 1.30 GBP/USD)

Options excluded as out of scope:

  • Red Hat OpenShift Service Mesh: Would require migrating entire cluster from EKS to OpenShift (massive undertaking with platform-wide impacts)

8.7 Cost Analysis Summary

AWS API Gateway delivers significant savings compared to Kong Enterprise and most enterprise-supported alternatives:

Savings vs. Kong Enterprise (£610-615k):

  • AWS API Gateway: ~£556k annual savings (91% reduction)
  • Istio with Solo.io support: ~£368-528k annual savings (60-86% reduction)
  • Istio with Tetrate support: ~£213-449k annual savings (35-74% reduction)

Key trade-offs:

  1. AWS API Gateway (~£54k/year)

    • Pros: Lowest cost with enterprise support; fully managed; no operational overhead
    • Cons: Vendor lock-in; less flexible than in-cluster solutions; hard enforcement of 10MB/30s limits
    • Note: Costs assume AZ affinity enabled on NLB to eliminate inter-AZ data transfer
  2. Istio with enterprise support (~£85-400k/year)

    • Pros: Kubernetes-native; retains portability; strong feature set
    • Cons: Still significant support costs; operational complexity; support costs vary widely by vendor
  3. Self-supported Istio/Envoy (~£10-15k/year)

    • Pros: Lowest total cost; maximum flexibility
    • Cons: Highest operational risk for CNI workloads; requires strong internal expertise

Recommendation impact: Enterprise support pricing for Kubernetes-native gateways ranges from ~£75k-385k annually, which is significantly less than Kong but still substantial. AWS API Gateway remains the most cost-effective option with enterprise support included.

8.8 AWS Enterprise Support Costs

Important clarification: The analysis assumes HIP already has AWS Enterprise Support as part of the existing AWS contract.

AWS Support Tiers:

| Tier | Cost | Coverage | Relevant to API Gateway? |
|---|---|---|---|
| Developer | $29/month or 3% of monthly usage (min) | Business hours, general guidance | No - not suitable for CNI |
| Business | $100/month or 3-10% of monthly usage | 24/7 for production issues, <1hr response | Marginal - minimal for production CNI |
| Enterprise | $15k/month or 3-10% of monthly usage (min) | 24/7, <15min critical response, TAM | Yes - covers API Gateway |

For HIP platform:

  • Assumption: Already have AWS Enterprise Support for EKS infrastructure
  • Incremental cost for API Gateway: £0 - covered under existing Enterprise Support contract
  • If not already on Enterprise Support: Would need to add ~$15k/month minimum (~£11.5k/month, ~£138k/year)

Cost comparison with enterprise support factored in:

| Solution | Gateway Cost | AWS Enterprise Support | Total |
|---|---|---|---|
| AWS API Gateway (with existing Enterprise Support) | £53,800 | £0 (already have) | £53,800 |
| AWS API Gateway (without existing Enterprise Support) | £53,800 | £138,000 | £191,800 |
| Istio with vendor support | £85-400k | £0 (not covered by AWS) | £85-400k |

Key insight: AWS API Gateway is only cost-competitive (~£54k/year) if you already have AWS Enterprise Support. If not, total cost rises to ~£192k/year, making Istio with vendor support (£85-245k for Solo.io) potentially more competitive.

Action required: Confirm current AWS Support tier. If not on Enterprise Support, factor in additional ~£138k/year for AWS API Gateway recommendation.

8.9 Cost Data Sources and Caveats

Enterprise support pricing sources:

  • Kong Enterprise: Current contracted pricing (£600k/year)
  • AWS API Gateway: AWS published pricing (https://aws.amazon.com/api-gateway/pricing/)
  • AWS Enterprise Support: AWS published pricing (https://aws.amazon.com/premiumsupport/pricing/)
  • Tetrate Service Bridge: Industry estimates and publicly discussed ranges ($200k-500k USD)
  • Solo.io Gloo Mesh: Industry estimates and publicly discussed ranges ($100k-300k USD)
  • Red Hat OpenShift Service Mesh: Published subscription pricing ranges (excluded from analysis - requires EKS → OpenShift migration)

Important caveats:

  • Most enterprise gateway vendors do not publish list pricing
  • Actual costs depend on scale, support tier, and negotiated contracts
  • Pricing estimates for Istio enterprise support are based on industry knowledge and should be validated with vendors
  • AWS API Gateway pricing is usage-based and accurately calculable from published rates
  • AWS Enterprise Support cost assumes existing contract; if not in place, adds ~£138k/year

Next step for accurate costing:

  1. Confirm current AWS Support tier
  2. Engage with Tetrate and Solo.io for formal quotes based on our specific requirements (84B req/year, CNI workloads, 24/7 support)

8.10 Migration Costs and Impacts

Migration from Kong Enterprise to any alternative involves one-time costs and ongoing impacts that must be factored into the total cost of ownership.

8.10.1 Direct Migration Costs

AWS API Gateway Migration:

| Activity | Effort Estimate | Cost Estimate | Notes |
|---|---|---|---|
| OAS → API Gateway tooling | 4-6 weeks | £40-60k | Build/adapt pipeline to translate OpenAPI specs to AWS API Gateway configurations via ACK |
| ACK controller setup | 1-2 weeks | £10-15k | Deploy and configure ACK for API Gateway; integrate with Argo CD |
| Keycloak → JWT authorizer integration | 2-3 weeks | £20-30k | Configure JWT authorizers; test with existing Keycloak setup; migrate from Kong auth plugin |
| VPC Link + NLB setup | 1 week | £8-12k | Configure VPC Links, NLB listeners, and routing to EKS services |
| Paved road updates | 2-3 weeks | £20-30k | Update platform APIs abstraction layer; no producer-facing changes needed due to abstraction |
| Testing & validation | 4-6 weeks | £40-60k | Load testing, integration testing, security testing, failover testing |
| Documentation & training | 2 weeks | £15-20k | Operational runbooks, platform team training (minimal producer impact) |
| Pilot migration (1 environment) | 2-3 weeks | £20-30k | Migrate non-prod environment, validate platform behaviour, refine process |
| Full migration execution | 6-8 weeks | £60-80k | Environment-by-environment migration (dev → test → prod), DNS cutover, monitoring |
| TOTAL (AWS API Gateway) | 22-31 weeks | £213-307k | One-time cost; amortize over 3-5 years |

Istio Gateway Migration (managed CP):

| Activity | Effort Estimate | Cost Estimate | Notes |
|---|---|---|---|
| OAS → Gateway API/Istio tooling | 4-6 weeks | £40-60k | Build pipeline to translate OpenAPI specs to Istio VirtualService/Gateway configs |
| Managed CP procurement & setup | 2-3 weeks | £20-30k | Vendor engagement, contract, deploy managed control plane (Tetrate/Solo.io) |
| Keycloak integration | 1-2 weeks | £10-15k | Configure Istio RequestAuthentication/AuthorizationPolicy; simpler than AWS option |
| Gateway node group setup | 1 week | £8-12k | Provision dedicated gateway nodes; configure Istio ingress gateway |
| Paved road updates | 2-3 weeks | £20-30k | Update platform APIs abstraction layer for Istio configs |
| Testing & validation | 3-4 weeks | £30-40k | Load testing, integration testing, security testing |
| Documentation & training | 2 weeks | £15-20k | Operational runbooks, platform team training |
| Pilot migration (1 environment) | 2 weeks | £15-20k | Migrate non-prod environment, validate platform behaviour |
| Full migration execution | 4-6 weeks | £40-60k | Environment-by-environment migration (dev → test → prod) |
| TOTAL (Istio with managed CP) | 19-27 weeks | £188-272k | One-time cost; amortize over 3-5 years |

8.10.2 Impacted Systems and Additional Costs

Observability Integration:

| System | Current State | AWS API Gateway Impact | Istio Gateway Impact | Migration Cost |
|---|---|---|---|---|
| Logging | Kong logs → ELK/Loki | API Gateway logs → CloudWatch; need aggregation to existing stack | Istio logs → existing stack (no change) | AWS: £10-15k integration; Istio: £0 |
| Metrics | Kong metrics → Prometheus | API Gateway metrics → CloudWatch; need Prometheus exporter or dual collection | Istio metrics → Prometheus (native) | AWS: £8-12k integration; Istio: £0 |
| Tracing | Kong tracing → Jaeger | API Gateway X-Ray integration; need bridge to existing tracing | Istio tracing → Jaeger (native) | AWS: £12-18k integration; Istio: £0 |
| Dashboards | Grafana dashboards for Kong metrics | Need new dashboards for CloudWatch metrics or Prometheus exporter | Modify existing dashboards for Istio gateway | AWS: £5-8k; Istio: £3-5k |
| Alerting | Alert rules based on Kong metrics | Need new alert rules for API Gateway metrics | Modify existing alert rules | AWS: £3-5k; Istio: £2-3k |
| Integration Hub | Pulls metrics from O11y stack | Update to use API Gateway metrics from CloudWatch or Prometheus exporter | Update to use Istio metrics (minimal change) | AWS: £5-8k; Istio: £2-3k |

Observability migration total:

  • AWS API Gateway: £43-66k (one-time integration costs to maintain existing observability platform)
  • Istio Gateway: £7-11k (minimal changes; native integration with existing stack)

Platform APIs (Developer Portal + ClickOps):

The platform offers a “paved road” implementation abstracted from the underlying gateway (Kong, AWS API Gateway, Istio). Producers interact via Platform APIs (OAS Discovery, Platform Management API, MR Worker) which handle GitOps and ClickOps workflows.

| Component | AWS API Gateway | Istio Gateway | Migration Cost |
|---|---|---|---|
| OAS → Gateway config pipeline | Covered in “Direct Migration Costs” | Covered in “Direct Migration Costs” | - |
| Platform API updates | Update backend to generate ACK CRDs instead of Kong config | Update backend to generate Istio CRDs instead of Kong config | £15-25k (both) |
| Validation logic | Update validation for API Gateway constraints | Update validation for Istio/Gateway API schemas | £8-12k (both) |
| API catalog integration | Update to pull metadata from API Gateway APIs | Update to pull metadata from Istio configs | £8-12k (both) |
| Producer journey | No change (abstracted by Platform APIs) | No change (abstracted by Platform APIs) | £0 (both) |
| Documentation updates | Internal platform team docs only | Internal platform team docs only | £3-5k (both) |

Platform APIs migration total:

  • AWS API Gateway: £34-54k
  • Istio Gateway: £34-54k

Key insight: Producer-facing journey remains unchanged due to paved road abstraction. All migration work is internal to platform team and Platform APIs layer.

8.10.3 Total Migration Cost Summary

| Solution | Direct Migration | Observability | Platform APIs | Total One-Time Cost |
|---|---|---|---|---|
| AWS API Gateway | £213-307k | £43-66k | £34-54k | £290-427k |
| Istio (managed CP) | £188-272k | £7-11k | £34-54k | £229-337k |

8.10.4 Amortized Total Cost of Ownership (3-Year)

| Solution | Annual Recurring Cost | One-Time Migration Cost | Total 3-Year Cost | Annualized Cost |
|---|---|---|---|---|
| Kong Enterprise | £610-615k | £0 (status quo) | £1,830-1,845k | £610-615k/year |
| AWS API Gateway | £53,800 | £290-427k | £451-589k | £150-196k/year |
| Istio (managed CP - Solo.io) | £85-245k | £229-337k | £484-1,072k | £161-357k/year |
| Istio (managed CP - Tetrate) | £164-400k | £229-337k | £721-1,537k | £240-512k/year |

Key insights:

  • Migration costs for AWS API Gateway are £61-90k higher than Istio (primarily due to observability integration with CloudWatch)
  • Over 3 years, AWS API Gateway remains most cost-effective (~£150-196k/year amortized)
  • Istio with Solo.io support is competitive when amortized (~£161-357k/year), with lower migration cost
  • Migration costs are recovered in <1 year for all options (vs. Kong’s £610k annual cost)
  • Paved road abstraction significantly reduces migration cost by eliminating producer-facing changes

8.10.5 Ongoing Operational Impacts

Post-migration operational considerations:

| Area | AWS API Gateway | Istio (managed CP) |
|---|---|---|
| Team skills required | AWS services expertise, ACK knowledge | Istio/Envoy expertise (reduced with managed CP) |
| Operational complexity | External control plane; multiple layers (API GW → VPC Link → NLB → EKS) | In-cluster; familiar Kubernetes patterns |
| Incident response | AWS Support escalation for gateway issues | Vendor support (Tetrate/Solo.io) for CP; internal for data plane |
| Upgrade management | Fully managed by AWS | Managed CP by vendor; data plane upgrades by platform team |
| Multi-cloud portability | Locked to AWS | Portable to other clouds/on-prem |

8.11 Cost Assumptions and Sensitivities

Key assumptions:

  • AZ affinity enabled: Cross-zone load balancing disabled on NLB to keep traffic within same AZ, eliminating inter-AZ data transfer costs (~£3,230 saved annually)
  • Multi-AZ deployment maintained for HA (pods deployed across multiple AZs, but requests stay within entry AZ)
  • Single VPC Link (additional VPC Links add $126/year each)
  • Single NLB with 10 LCU peak capacity (may vary with actual traffic patterns)
  • No caching enabled (would reduce backend calls but add caching costs)
  • No WAF costs included (already exists in current architecture)

Sensitivity analysis:

| Scenario | Impact on Annual Cost |
|---|---|
| Request volume +50% | Increase (£103,039 total, still 83% savings) |
| Request volume -50% | Decrease (£34,347 total, 94.4% savings) |
| Cross-zone LB enabled (no AZ affinity) | Increase (£73,053 total, 88% savings) |
| Additional VPC Link | +$126 (negligible) |
| Double NLB capacity (20 LCU) | Increase (£74,466 total, 87.6% savings) |

Conclusion: Even with significant variance in assumptions, AWS API Gateway delivers 83-94% cost savings compared to Kong Enterprise licensing. AZ affinity provides modest additional savings (~£3,230 annually).

9. Next Steps (Proposed)

For AWS API Gateway path:

  1. Cost validation:

    • Confirm traffic tier estimates with actual usage data
    • Validate peak month traffic concentration assumptions
    • Refine request/response size estimates for data transfer calculations
  2. Technical proof of concept:

    • Deploy ACK API Gateway controller
    • Configure VPC Link and NLB integration
    • Test OAS → API Gateway import pipeline
    • Validate feature parity:
      • Keycloak integration via JWT authorizers
      • Rate limiting capabilities (request throttling and quotas)
      • OpenAPI import and extensions compatibility
  3. Migration planning:

    • Define parallel run strategy (Kong + API Gateway)
    • Identify pilot environment for initial migration
    • Establish rollback procedures
    • Document operational runbooks

If enterprise support constraint is removed:

  • Re-evaluate Istio Gateway or Envoy Gateway as lower-cost, Kubernetes-native alternatives
  • Assess internal capability to self-support vs. procuring enterprise support contract
  • Compare total cost of ownership including operational overhead