Apache APISIX API Gateway ｜ AI Infrastructure

Apache APISIX is recognized as a dynamic, high-throughput, real-time API Gateway platform.

This Gateway furnishes extensive traffic orchestration capabilities, encompassing sophisticated load distribution, dynamic service discovery, staged rollouts, circuit protection, authentication mechanisms, comprehensive observability tooling, and much more.

APISIX can function as a dedicated AI Gateway leveraging its highly adaptable plugin ecosystem. This allows for specialized AI proxying, efficient load balancing tailored for Large Language Models (LLMs), automated retries and fallback strategies, token-aware request throttling, and stringent security enforcement, all aimed at maximizing the efficiency and dependability of AI agents. Furthermore, APISIX includes the mcp-bridge utility to smoothly transform stdio-based Message Control Protocol (MCP) servers into robust, scalable HTTP Server-Sent Events (SSE) services.

You are empowered to utilize the APISIX API Gateway to manage conventional ingress (north-south) traffic, alongside inter-service (east-west) communications. It is also fully capable of deployment as a Kubernetes Ingress Controller.

The underlying technical structure of Apache APISIX:

Community Engagement

• Please consider submitting a Product Review on G2 for APISIX.
• Mailing List: Subscribe by emailing dev-subscribe@apisix.apache.org and following the confirmation instructions.
• Slack Channel: Join our Workspace (If the link fails, please file an issue for a fresh invitation) and navigate to the #apisix channel (Channels -> Browse channels -> search for "apisix").
• - Follow us and engage using the hashtag #ApacheAPISIX
• Official Documentation
• Development Discussions Forum
• Project Blog

Core Capabilities

You can deploy the APISIX API Gateway as the primary entry point for all business data processing, supporting features such as dynamic route configuration, dynamic upstream definition, on-the-fly certificate loading, advanced A/B testing, phased rollout strategies (canary/blue-green), request throttling, defense mechanisms against malicious intrusions, metrics gathering, alarm generation, service observability, and comprehensive service governance.

• Universal Deployment

• Cloud-Native Ready: The Gateway is platform-agnostic, preventing vendor lock-in. APISIX can operate effectively from bare-metal servers up to complex Kubernetes environments.

• ARM64 Compatibility: Infrastructure flexibility is ensured, supporting modern chip architectures.

• Protocol Versatility

• TCP/UDP Proxying: Provides dynamic proxy services for TCP and UDP streams.

• Dubbo Proxy: Enables dynamic translation from HTTP requests into Dubbo calls.
• Dynamic MQTT Proxy: Supports load distribution for MQTT traffic based on client_id, handling both MQTT 3.1.* and 5.0 standards.
• gRPC Proxying: Handles gRPC traffic forwarding.
• gRPC Web Proxy: Facilitates proxying of gRPC Web standardized traffic to native gRPC backends.
• gRPC Transcoding: Offers protocol conversion, allowing HTTP/JSON clients to interact with gRPC services.
• Websocket Proxy Support
• Proxy Protocol Support
• HTTP(S) Forward Proxy capability
• SSL Management: Allows for the dynamic injection of SSL certificates.

• HTTP/3 with QUIC Support

• Full Dynamism

• Hot Configuration & Plugin Reloads: Modifications to configurations and plugins are applied instantly without requiring service interruption.

• Request Rewriting: Modify core request elements (host, uri, schema, method, headers) before forwarding to the upstream service.
• Response Manipulation: Customize the status code, payload body, and response headers sent back to the client.
• Dynamic Load Distribution: Supports weighted round-robin balancing.
• Hash-Based Balancing: Implements consistent hashing for session affinity.
• Liveness/Health Checks: Automatically isolates failing upstream instances to maintain overall system health.
• Circuit Breaker Pattern: Intelligently monitors and mitigates traffic to persistently unhealthy upstream nodes.
• Request Duplication/Mirroring: Ability to duplicate client requests for testing or monitoring purposes.

• Traffic Splitting: Allows precise control over the percentage of traffic directed toward different upstream targets.

• Precise Routing Control

• Full Path and Prefix Matching: Advanced path matching capabilities.

• Utilization of all Nginx built-in variables (e.g., cookie, args) as routing criteria, enabling fine-grained control for techniques like canary releases or A/B testing.
• Support for various comparison operators in routing conditions, such as numerical comparisons (e.g., {"arg_age", ">", 24}).
• Capability to integrate user-defined route matching functions.
• IPv6 Address-based routing.
• Time-to-Live (TTL) support for route entries.
• Route Priority Configuration.
• Batch Processing of HTTP Requests.

• Route Filtering based on GraphQL Payload Attributes.

• Security Posture

• Comprehensive authentication and authorization mechanisms:

  • API Key Authentication
  • JSON Web Token (JWT) Validation
  • HTTP Basic Authentication
  • Role-Based Access Control (RBAC) via wolf
  • Authorization using Casbin
  • Keycloak Integration
  • Casdoor Integration
• Network Access Control: IP Whitelisting/Blacklisting.
• Referer Header Filtering: Whitelist/Blacklist capabilities.
• Identity Provider (IdP): Support for external identity systems like Auth0, Okta, etc., via OpenID Connect.
• Request Limiting Controls:
  • Rate limiting based on request count
  • Request quota enforcement
  • Concurrent connection limiting
• Built-in defenses against Regular Expression Denial of Service (Anti-ReDoS) without requiring explicit configuration.
• Cross-Origin Resource Sharing (CORS) enablement for APIs.
• URI Blacklisting: Block specific requested Uniform Resource Identifiers.
• Inbound Request Validation.

• Cross-Site Request Forgery (CSRF) Protection: Implemented using the Double Submit Cookie methodology.

• Operational Friendliness

• Distributed Tracing via Zipkin integration.

• Support for open-source Application Performance Monitoring (APM) tools, specifically Apache SkyWalking.
• Broad Service Discovery Integration: Beyond native etcd support, it integrates with Consul, Consul_kv, Nacos, Eureka, and Zookeeper (CP).
• Metrics and Monitoring via Prometheus adapter.
• Cluster Architecture: APISIX nodes are designed to be stateless, relying on a clustered configuration center (e.g., etcd Clustering Guide recommended).
• High Availability: Allows configuration of multiple etcd endpoints for failover within the same cluster.
• Management Interface: A dedicated UI for management.
• Configuration Versioning: Supports operational rollbacks to previous states.
• Command Line Interface (CLI) for controlling the lifecycle (start/stop/reload) of APISIX.
• Standalone Mode: Ability to source routing rules from local YAML files, beneficial in Kubernetes environments.
• Global Rules: Apply any plugin universally across all incoming requests (e.g., system-wide rate limiting or IP filtering).
• Exceptional Performance: Achieves over 18,000 QPS on a single core with typical latency under 0.2 milliseconds.
• Fault Injection Testing: For resilience testing.
• RESTful Administration API: Control the gateway dynamically. Security is enforced via key authentication, and access is restricted by default to localhost (configurable via allow_admin in conf/config.yaml).
• Extensive External Logging Pipelines: Export access records to various systems:
  • HTTP Logger, TCP Logger, Kafka Logger, UDP Logger, RocketMQ Logger, SkyWalking Logger, Alibaba Cloud Logging (SLS), Google Cloud Logging, Splunk HEC Logging, File Logger, SolarWinds Loggly, TencentCloud CLS).
• Direct integration with ClickHouse for analytical storage.
• Direct integration with Elasticsearch.
• Datadog Integration: Push custom metrics to a DogStatsD server (part of the Datadog agent) over UDP.
• Kubernetes Deployment: Supported via Helm charts.

• HashiCorp Vault Integration: Secure secret retrieval (e.g., RS256 keys or shared secrets) for plugins like jwt-auth via the APISIX Secret resource.

• Extensibility and Scaling

• Custom Plugin Interface: Allows hooks into standard phases: rewrite, access, header filter, body filter, log, and the balancer phase.

• Multi-Language Plugin Support: Plugins can be developed in Java/Go/Python.
• WebAssembly (Wasm) Plugin Support.
• Custom Load Balancing Algorithms: Implement proprietary logic for the balancer phase.

• Custom Routing Logic: Users can implement and plug in custom algorithms for request routing decisions.

• Multi-Language Gateway Support

• APISIX functions as a polyglot gateway, supporting diverse plugin development environments via RPC and Wasm interfaces.

• RPC Method: The established method. Developers run language-specific plugin runners as separate processes, communicating with APISIX via high-speed local RPC calls. Currently supported languages include Java, Golang, Python, and Node.js.

• Wasm Method (Experimental): APISIX can execute code compiled into WebAssembly bytecode using the APISIX wasm plugin, which adheres to the Proxy Wasm SDK specification.

• Serverless Ecosystem Integration

• Native Lua Function Execution: Run Lua code directly within APISIX request phases.

• AWS Lambda Integration: Proxy requests to Lambda functions acting as dynamic upstreams, with support for AWS IAM credential authorization.
• Azure Functions Integration: Seamlessly forward traffic to Azure Serverless Functions.
• Apache OpenWhisk Integration: Route requests to an instance of an Apache OpenWhisk cluster.

First Steps

1. Installation Procedures

Consult the detailed installation guide documentation.

1. Initial Configuration

The Getting Started guide offers a clear path to grasp the fundamental operations of APISIX.

Explore the rich set of available plugins for advanced functionality.

1. Administrative Control

Apache APISIX exposes a RESTful Admin API for real-time cluster management.

1. Developing Custom Extensions

Refer to the plugin development guide and examine the code within the example-plugin for practical implementation examples. Understanding the plugin lifecycle and concepts is essential.

For comprehensive reference materials, visit the Apache APISIX Documentation Portal

Performance Benchmarks

On an eight-core server instance hosted by AWS, APISIX achieved a throughput exceeding 140,000 QPS while maintaining latency below 0.2 milliseconds.

The benchmarking utility script is open-sourced and contributions are welcome.

Performance tests demonstrate APISIX's excellent execution on AWS Graviton3 C7g instances.

Real-World Deployments

• European eFactory Platform: Utilizing APISIX as an API Security Gateway
• Copernicus Reference System Software Network Configuration Choices
• Explore More Success Stories

Key Adopters

APISIX API Gateway is employed by a broad spectrum of enterprises and research bodies for production workloads, development, and commercial product integration. Notable adopters include:

• Airwallex
• Bilibili
• CVTE
• European eFactory Platform
• European Copernicus Reference System
• Geely
• HONOR
• Horizon Robotics
• iQIYI
• Lenovo
• NASA JPL
• Nayuki
• OPPO
• QingCloud
• Swisscom
• Tencent Game
• Travelsky
• vivo
• Sina Weibo
• WeCity
• WPS
• XPENG
• Zoom

Branding Assets

• Apache APISIX logo (PNG format)
• Official Apache APISIX logo source

Inspiration

This project draws foundational inspiration from Kong and Orange Gateways.

Governance

Licensed under the Apache 2.0 License

WIKIPEDIA BACKGROUND ON XMLHttpRequest (XHR):

XMLHttpRequest (XHR) defines an interface, implemented as a JavaScript object, for transferring Hypertext Transfer Protocol (HTTP) requests between a web browser and a server. Its methods enable browser-based applications to submit server queries asynchronously after initial page loading, facilitating the retrieval of new data. Before the advent of Ajax programming, which heavily relies on XHR, server interaction was primarily achieved through traditional hyperlink clicks or HTML form submissions, actions that typically resulted in a full page refresh.

== Historical Development ==

The foundational concept for XMLHttpRequest was first conceived in 2000 by the development team behind Microsoft Outlook. This concept was subsequently integrated into the Internet Explorer 5 browser release (1999). Initially, the implementation did not use the standardized XMLHttpRequest string identifier; instead, developers utilized COM object instantiations like ActiveXObject("Msxml2.XMLHTTP") or ActiveXObject("Microsoft.XMLHTTP"). By the time Internet Explorer 7 (2006) was released, all mainstream browsers had adopted the unified XMLHttpRequest identifier.

The XMLHttpRequest identifier has since become the common standard across major browser engines, including Mozilla's Gecko (2002), Safari 1.2 (2004), and Opera 8.0 (2005).

=== Standardization Efforts ===

The World Wide Web Consortium (W3C) released an initial Working Draft specification for the XMLHttpRequest object on April 5, 2006. A subsequent Working Draft, Level 2, was published on February 25, 2008. Level 2 introduced critical features such as progress monitoring events, support for cross-site requests, and byte stream handling capabilities. By the close of 2011, the Level 2 features were incorporated back into the primary specification. In late 2012, the maintenance responsibility for the standard transitioned to the WHATWG, which now maintains a living document defined using Web IDL (Interface Definition Language).

== Standardized Usage Pattern ==

Executing a server request using XMLHttpRequest typically involves a sequence of programming steps:

1. Object Instantiation: Create an instance of the XMLHttpRequest object via its constructor.
2. Configuration (open method): Invoke the open() method to define the request method (GET, POST, etc.), specify the target resource URI, and set the operation mode to synchronous or asynchronous.
3. Asynchronous Listener Setup: If using asynchronous mode, assign an event handler function to monitor changes in the request's state (onreadystatechange).
4. Transmission (send method): Initiate the request by calling the send() method, optionally passing data to be sent to the server.
5. Response Handling: Process state transitions within the event listener. Upon successful completion (state transitions to 4, the "done" state), the server's response data is usually available in the responseText property.

Beyond these core steps, XHR offers extensive control over transmission and response processing. Custom request headers can be added to provide server instructions. Data can be uploaded efficiently within the send() call. Responses received in JSON format can be automatically parsed into native JavaScript objects, or streamed for gradual processing instead of waiting for the complete payload. Furthermore, requests can be forcibly terminated or subjected to a timeout limit.

== Managing Cross-Domain Interactions ==

During the nascent stages of the World Wide Web, limitations quickly emerged regarding the ability to initiate network requests that cross security boundaries (different origins). This limitation was initially imposed by browser security policies to prevent malicious scripts from accessing sensitive data on unrelated domains. Breaches of this security model were found to be possible...