What’s New with the APISIX Gateway
Since it graduated from the Apache Software Foundation Incubator in July 2020, APISIX has become one of the most active open source API projects on GitHub. Its founders soon after launched API7.ai, a company focused on the enterprise concerns related to the open source project.
API7 attracted talent from six countries, many of whom are ASF committers and authorities in cloud infrastructure and security, added Kubernetes and Docker capabilities and now supports a range of languages beyond Lua, including Go, Java, Python, Node.js and Wasm, according to CEO Ming Wen.
“From monolithic to microservices architectures and from bare metal to the cloud, the challenges we face grow into how to achieve rapid elastic autoscaling, efficient cluster management and convenient customization,” he said in an email interview.
“Now APIs are growing explosively. There are tens of or even hundreds of thousands of instances. [Users] need fast and elastic autoscaling and low latency to release products quickly and provide users with a good product experience.”
Wasm and More
Wen and Yuansheng Wang created APISix in April 2019 at China’s Zhiliu Technology and donated it to the Apache Software Foundation that October. When creating the company, they took a developer-first approach.
“The sustainable development of open source projects requires the investment of engineers, and the support of financial resources is needed to ensure the investment. Commercialization and open source can form a good ecosystem and a virtuous circle for mutual growth, especially since the basic software requires long-term investment and multiple resources to do well,” Wen said.
Apache APISIX is a dynamic, real-time and high-performance API gateway. It provides traffic management features such as load balancing, circuit breaking, authentication, observability and more.
APISIX consists of a data plane to dynamically control request traffic; a control plane to store and synchronize gateway data configuration, and a newly added AI plane to orchestrate plugins, as well as real-time analysis and processing of request traffic.
It’s built on the OpenResty NGINX distribution that includes the LuaJIT interpreter for Lua scripts. It stores and manages routing-related and plugin-related configurations in etcd, rather than a relational database, which improves availability and is more aligned with cloud native architecture, according to Wen. APISIX uses a radix tree (compressed prefix tree) data structure that only compresses intermediate nodes with one child node, which works well for fast lookups, optimizing performance for route matching.
It offers plugins for features such as speed limiting, identity authentication, request rewriting, URI redirection, open tracing and serverless. The number of plugins has grown from 20 at graduation to more than 100.
It was originally written primarily in Lua, a programming language similar to Python, though since embedding Wasm into APISIX, users can also work in Go, Python and other languages to create custom plugins.
It has added integrations with Prometheus and Datadog for monitoring, the Cypress testing framework and support for HTTP/3 and QUIC to provide more reliable connections and reduce latency.
The separation of the control plane and data plane was among the changes in APISIX 3.0, released last October, meant to address several security-related vulnerabilities found in the project over the past two years. A security patch for the Jason Web Token (JWT) was released in July.
APISIX now offers three modes of deployment: traditional, where both planes are deployed together; decoupled, where they’re deployed independently; and standalone, where only the data plane is deployed and configurations are loaded from a local YAML file.
The project has added full support for Arm64; a new gRPC client to allow developers to call third-party gRPC services directly; a transport layer protocol extension framework called xRPC that allows developers to customize specific application protocols; and support for the OpenAPI 3.0 specification.
Version 3.0 also added an AI plane that optimizes the data plane configuration using data as users’ settings on routes and plugins as well as log metrics.
The 3.4.0 release in June added a new plugin to forward logs to Grafana Loki, and allows for mTLS connection on the route level.
APISix has been gaining contributors more rapidly than rival open source API gateways and only slightly slower than other top Apache projects, according to git-contributor.com.
Its users include Zoom, Lotus Cars, Australian payments company Airwallex; Chinese companies Lenovo, WPS, vivo and OPPO, as well as scientific research institutions such as NASA and European Factory Platform.
API7 uses APISIX at its core, adding enterprise features, such as role-based access control, traffic labeling, support for the SOAP protocol and more. API7 also has achieved SOC 2 Type 1 security certification.
Wen maintains that as part of API7’s API management offerings, AI in its API gateway runtime can help developers improve performance by about 10%. The company has also added an AI-based API portal where developers can use plain language to query data from multiple tools.
Wen posits API7 Enterprise as an all-in-one solution for helping enterprises solve the problems of multicloud and hybrid cloud access and cross-cloud difficulties. While it competes with full lifecycle management platforms like Mulesoft and 3scale, Wen doesn’t consider them direct rivals. Open source options like Kong, Envoy and Spring Cloud are closer competitors he said.
Spring Cloud uses a Java technology stack while Envoy specializes in tackling issues of service mesh, east-west traffic and zero trust security. Kong and APISIX use some of the libraries and boast similar architectural advantages, though he argues that APISIX provides better performance.
Yang Li, a committer to the APISIX project and technical platform lead at Airwallex, discusses the six criteria his company used in selecting the API gateway, problems solved as well as challenges, in this post.