Why is Apache APISIX the best API gateway?

Today, we can accomplish various things through mobile phones and various APPs, such as social networking, online shopping, etc. Behind these behaviors, APIs play a key role. As API users, we do not care about the stability, security and efficiency of APIs, but enterprises that provide data services through APIs need to choose a suitable API gateway to ensure that thousands or even tens of thousands of APIs provide fast and secure services. service.

In CNCF's API Gateway landscape , there are nearly 20 API gateway options (excluding products from public cloud vendors), including Apache APISIX, Kong, Tyk, and so on. Many gateways claim to be the next generation API gateway, the most popular open source API gateway project, so what is the truth? This article will take a look at why Apache APISIX is the next-generation API gateway through multiple dimensions such as developers, intellectual property and brand, technology, and ecology.

Engineers have sharp eyes

Engineers are the users and developers of APIs and API gateways. The API gateway projects that more engineers pay attention to and participate in represent the trend of technology. From the dimension of GitHub code contributors, we selected 4 open source API gateways for comparison: Apache APISIX, Kong, Tyk and Gloo.

Both Kong and Tyk were developed before 2015, and Apache APISIX and Envoy-based Gloo were developed around 2019. As can be seen from the Github Contributor Over Time in the above figure, after nearly 7 years of development, Kong has more than 250 contributors, far more than Tyk and Gloo; and the youngest Apache APISIX has more than 320 contributors , the number and growth rate far exceed Kong, and it has become the API gateway project with the most developers participating and contributing.

In addition to the total number of contributors, there is another metric to see deeper data: the monthly activity of contributors. The graph below shows the monthly active developer counts for the above four open source API gateways:

The monthly active number of contributors of Tyk is always around 5 people, rarely more than 10 people; the monthly active number of contributors of Kong and Gloo both fluctuate between 10 and 20; and Apache APISIX basically maintains more than 20 people , with a maximum of nearly 40 people, and is the most active API gateway for developers.

Behind these four open source API gateway projects, there are corresponding commercial companies, so there is a third indicator data, which is the comparison of the number of open source project contributors and commercial company employees:

The current (Q3 2022) open source investment ratio (monthly active contributors/total number of employees) for Kong and Tyk is 4%, Gloo is 24%, and APISIX is close to 100%. Even back in 2017, Kong's monthly active contributors were around 5.

Obviously, the open source project Apache APISIX and the commercial company behind it, API7.ai, have maintained continuous investment in open source projects from the very beginning, winning the love of many developers.

Open Source Protocols: Top Considerations for Enterprise Users in Selecting Open Source Projects

Since MongoDB modified the license of open source projects, the license risk of open source projects is the primary consideration for enterprise users when selecting basic software.

On the surface, Apache APISIX, Kong, and Gloo all use the commercial-friendly Apache License Version 2.0, and Tyk uses the contagious Mozilla Public License Version 2.0.

Looking more deeply, Kong, Gloo, and Tyk are all open source projects that are completely controlled by commercial companies. Like MongoDB, they can modify their licenses in new versions at any time, restricting the free use of public clouds or other companies, and then requiring you to download Open source users turn to paying customers to continue using the latest version.

No one knows if something like this will happen, and how likely it will be. This risk, like the sword of Damocles, hangs over the heads of business users.

In this case, it would be wisest to use an open source project from the Apache Software Foundation or CNCF. Apache APISIX is the world's largest software foundation - the top-level project of the Apache Software Foundation. All codes and brands belong to the Apache Software Foundation. No commercial company can control the Apache APISIX project, and it is impossible to modify the open source project. license. Enterprise users can always use it with confidence without worrying about receiving inquiry emails from lawyers and compliance departments.

Performance test comparison

Users often ask questions in the community: Gloo based on Envoy or APISIX based on NGINX, which has better performance?

Although performance is not the most important metric in selection, it is the most direct metric. The table below is the Benchmark results for Apache APISIX and Gloo. As can be seen from the table, the QPS of Apache APISIX is 4.6 times that of Gloo, while the latency of Apache APISIX is less than 7% of Gloo.

This is not just caused by the difference between NGINX and Envoy, but because APISIX has done a lot of optimization at the bottom, so APSIX based on NGINX also has a huge performance advantage over Kong.

Why is the performance advantage of APISIX so great? In front of the code, there are no secrets. Let's analyze it in detail from a technical point of view.

Technical advantages of APISIX

The following are the main technical advantages of Apache APISIX compared with Kong and Gloo, most of which are optimization and innovation in the underlying modules. The advantages of these technologies are not necessarily reflected in a simple PoC, but in a complex production environment, these advantages of Apache APISIX will cause a huge gap.

No database dependencies

Before the APISIX project appeared, there were also many commercial API gateways or open source API gateway products, but most of these products stored API data, routing, certificates and configuration information in a relational database.

The advantages of storing these data in a relational database are very obvious. Users can use SQL statements to perform flexible queries more conveniently, and it is also convenient for users to perform backup and subsequent maintenance.

However, as a basic middleware, the gateway handles all the traffic from the client, and in this case, the requirements for availability are very high. If your API gateway relies on a relational database, it means that once the relational database fails (such as downtime, loss of data), the API gateway will also be affected, and the availability of the entire business system will be greatly reduced.

At the beginning of its design, APISIX avoided the occurrence of downtime and data loss from the underlying architecture. Because on the control plane, APISIX uses etcd to store configuration information instead of using a relational database, the advantages of doing so are as follows:

1. It is more unified with the cloud native technology system of the product architecture;
2. It is more suitable for the data type stored by the API gateway;
3. It can better reflect the high availability characteristics;
4. Have sub-millisecond change notifications.

After using etcd to store configuration information, the data plane only needs to monitor the changes of etcd. If the polling database is used, it may take 5-10 seconds to obtain the latest configuration information; if monitoring etcd's configuration information changes, APISIX can control the time to obtain the latest configuration within milliseconds to achieve real-time effect.

Therefore, using etcd as storage not only makes APISIX more cloud-native at the bottom layer, but also brings more advantages in the embodiment of high system availability.

High-performance route matching algorithm

API Gateway needs to match the target rules from the characteristics of each request, such as Host, URI, HTTP method, etc., to decide how to process the request, so an excellent matching algorithm is essential. Hash algorithm has good performance, but cannot achieve fuzzy matching; regular can fuzzy matching, but the performance is not good, so Apache APISIX chooses to use tree, an efficient search data structure that supports fuzzy matching. To be more precise, Apache APISIX uses RadixTree, which provides a KV storage lookup data structure and compresses intermediate nodes with only one child node, so it is also called a compressed prefix tree. In addition, among the known API gateway products, Apache APISIX applies RadixTree to route matching for the first time, which supports the scenario of multiple different routes under one prefix. For the specific implementation, see lua- `resty-radixtree`.

When matching a request, RadixTree will use a progressive way to match, its complexity is O(K) (K is the length of the URI in the route, regardless of the number of APIs), this algorithm is very suitable for public Clouds, CDNs, and scenarios with a large number of routes can well meet the needs of the rapid increase in the number of routes.

High-performance IP matching algorithm

There are two notations for IP addresses: standard IP representation and CIDR representation. Take 32-bit IPv4 as an example:

• Standard IP notation: 192.168.1.1
• CIDR notation: 192.168.1.1/8

The principles and raw data used by Apache APISIX's IP matching algorithm and route matching algorithm are different. Taking the IP of 192.168.1.1 as an example, since the range of each IP segment is 0 to 255, we can think that the IP address is composed of four 16-bit integer numbers when matching the IP, and the IP length is fixed of. Then we can use a more efficient algorithm to complete the matching.

Assuming that there is an IP library with 500 IPv4 records, APISIX will cache the 500 IPv4 records in the Hash table, and use the hash method to search for IP matching, and the time complexity is O(1). Other API gateways complete IP matching by traversing, and each request sent to the gateway will be traversed one by one at most 500 times to see if the calculation result is equal. Therefore, APISIX's high-precision IP matching algorithm greatly improves the efficiency of scenarios that require massive IP black and white list matching (such as WAF).

refined routing

API Gateway completes the matching of preset rules through the traffic characteristics in the request. Common characteristics include the Host, URI path, URI query parameters, URI path parameters, HTTP request methods, request headers, etc. in the request. These characteristics are the most common API gateway products. supported. Compared with other products, Apache APISIX supports more features to solve complex and changing usage scenarios.

首先，Apache APISIX 支持NGINX 内置变量，意味着我们可以将诸如uri 、 server_name 、 server_addr 、 request_uri 、 remote_port 、 remote_addr 、 query_string 、 host 、 hostname 、 arg_name Variables are used as matching parameters to support more complex and varied matching scenarios. For a list of NGINX built-in variables, see NGINX Variables .

Second, Apache APISIX supports conditional expressions as matching rules, and its structure is [var, operator, val], ...]] , where:

• var value can use Nginx built-in variable;
• operator Supports operators such as equality, inequality, greater than, less than, regular, and contains.

Suppose the expression is ["arg_name", "==", "json"] , it means whether there is a parameter value of ---8699db2a774ecd63631c012929e8469b name in the URI query parameters of the current request is equal to json . Apache APISIX implements this capability through a self-developed library lua-resty-expr , please refer to lua-resty-expr for details. This feature gives the user the right of choice and is highly scalable.

In addition, Apache APISIX supports setting routing ttl time-to-live:

 $ curl http://127.0.0.1:9080/apisix/admin/routes/2?ttl=60 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d '
{
    "uri": "/aa/index.html",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "39.97.63.215:80": 1
        }
    }
}'

The above configuration indicates that APISIX will automatically delete the routing configuration after 60s, which is very suitable for some temporary verification scenarios, such as canary publishing, monitoring output, etc. It is very convenient for online traffic distribution, which is a capability that other gateway products do not have.

The last point is that Apache APISIX supports custom filter functions, you can write custom Lua functions in the filter_func parameter, for example:

 $ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d '
{
    "uri": "/index.html",
    "hosts": ["foo.com", "*.bar.com"],
    "filter_func": "function(vars)
                    return vars['host'] == 'api7.ai'
                end",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'

Among them, filter_func parameter is vars , you can get Nginx variable from vars , and then implement custom filtering logic.

Supports multilingual plugins

Although API gateways, databases or other middleware are basic components, more often users do some customized development and system integration of API gateways according to usage scenarios.

APISIX currently supports more than 80 plug-ins, but it is still difficult to cover all usage scenarios of users. In actual usage scenarios, many enterprises will develop customized plug-ins for specific services, integrate more protocols or systems through gateways, and finally achieve unified management at the gateway layer.

In earlier versions of APISIX, developers could only use Lua language to develop plugins. Although plugins developed in native computing languages have very high performance, learning Lua, a new development language, requires time and understanding costs.

In response to this situation, APISIX provides two solutions:

The first way is to support more mainstream programming languages (such as Java, Python, Go, etc.) through Plugin Runner. In this way, back-end engineers can communicate through local RPC to develop APISIX plug-ins using familiar programming languages.

The advantage of this is to reduce development costs and improve development efficiency, but there will be some performance losses. So, is there a development efficiency solution that can not only achieve the native performance of Lua, but also take into account the high-level programming language?

The second way is to use Wasm to develop plug-ins, which is the left part of the above figure. Wasm (WebAssembly) was first used as a technology on the front end and browser, but now it is gradually showing its advantages on the server side. We embed Wasm into APISIX, and users can use Wasm to compile the bytecode into Wasm to run in APISIX. The final effect is to use high efficiency to develop an APISIX plug-in that is both high-performance and written in high-level computing languages.

Therefore, in the current APISIX version, users can use various methods such as Lua, Go, Python and Wasm to write custom plug-ins based on APISIX. In this way, the threshold for developers to use is lowered, and more possibilities are provided for the functions of APISIX.

Summarize

This article analyzes and compares some API gateway products from the perspectives of engineers, open source protocols, performance evaluation, technology, ecosystem, etc. It can be seen that Apache APISIX is the leader among them, leading innovation in the API gateway field.

Apache APISIX is not only an API gateway that can handle north-south traffic, but also has open source products such as APISIX Ingress Controller and Service Mesh. It is expected that at the end of this month, APISIX will also release the 3.0 preview version, bringing new functions and comprehensive product enhancements, so stay tuned!