Every public-facing service sits behind a network stack at the edge — Transport Layer Security (TLS) termination, authentication, rate limiting, circuit breakers, observability. The boring-but-load-bearing layer between the internet and your application code.
You can build this yourself. You probably should not. Off-the-shelf gateways have been compounding capability for a decade.
I’d been building gateway-core — a side-project gateway — and wanted an honest answer to a question I kept dodging: where does it fit among the existing options, and which capabilities are already solved well enough that I should just use one of them instead? So I wrote a reference doc comparing four mature container gateways against gateway-core. This post is the short version.
What lives in an edge stack
The same five concerns named above (TLS termination, authentication, rate limiting, circuit breaking, observability), just different vendors. Acronyms below: JSON Web Token (JWT), OpenID Connect (OIDC), Service Level Objective (SLO).
The four stacks at a glance
| Stack | Best at | Trade-off |
|---|---|---|
| Apache APISIX | One container with everything — JWT, OIDC, rate limit, circuit breaker, Prometheus, OpenTelemetry | You now operate etcd |
| Envoy + adjuncts | Deepest production feature set: adaptive concurrency, a real shadow router, outlier detection | Four containers, non-trivial filter chain |
| Traefik | Docker-native — service discovery from labels, auto-TLS in one flag | Single-instance state; rate limit and breaker do not share across replicas |
| Kong DB-less | Largest open-source plugin catalogue, declarative YAML hot-reloaded | No first-party circuit breaker plugin |
A short heuristic:
- Already on Docker / Compose / Swarm → Traefik.
- Want one binary with everything → APISIX.
- Need adaptive concurrency, distributed rate limits, or a real shadow router → Envoy.
- Need the largest plugin catalogue → Kong.
The reference doc has the full feature matrix, docker-compose sketches, and diagrams of how each stack wires together.
Where the off-the-shelf path stops
There is a layer above the deterministic gateway that none of these ship: structured gating of configuration changes — code-level constraints, per-parameter bounded deltas, cooldown on a change source, mandatory shadow simulation that scores against SLOs and can veto a change.
That layer matters when something other than a human is writing the configuration. An agent that adjusts rate limits is useful; an agent that adjusts them unsafely is a liability. The four gateways treat configuration as configuration — there is no built-in contract that says “this knob may not move more than ±20% per window.”
gateway-core is a side project studying what that contract looks like — an “Agentic Envelope” of constraints, bounds, dampener, and shadow simulator that any agent-driven change has to pass through. The four stacks above solve the deterministic half well. The second half is open territory.
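As an added illustration of the contract sketched above (this is not gateway-core's code; the `Envelope` and `Bound` names, the `propose` API and the `slo_check` callback are assumptions), a minimal gate that enforces a bounded per-parameter delta, a per-source cooldown, and a shadow-scoring veto before an agent-proposed change is applied:

```python
"""Bounded-delta / cooldown / SLO-veto gate for agent-proposed config changes.
Added example, not gateway-core's code; names and structure are assumed."""
from dataclasses import dataclass, field


@dataclass
class Bound:
    max_rel_delta: float  # e.g. 0.20 => a knob may move at most +/-20% per accepted change
    cooldown_s: float     # minimum seconds between accepted changes from one source


@dataclass
class Envelope:
    bounds: dict    # param name -> Bound
    current: dict   # param name -> currently applied value
    last_change: dict = field(default_factory=dict)  # (source, param) -> time of last accepted change

    def propose(self, source, param, new_value, now, slo_check=None):
        """Gate one proposed change. Returns (accepted, reason).

        Checks run in order: known parameter, bounded delta against the last
        accepted value, cooldown for this (source, param), then an optional
        shadow-scoring callback that sees the candidate config and may veto it.
        """
        if param not in self.bounds:
            return False, "unknown parameter"
        b = self.bounds[param]
        old = self.current[param]
        if old == 0:
            return False, "no baseline"  # relative delta is undefined at zero
        rel = abs(new_value - old) / abs(old)
        if rel > b.max_rel_delta + 1e-12:
            return False, f"delta {rel:.0%} exceeds {b.max_rel_delta:.0%}"
        # Dampener: the cooldown is the "window" in "not more than +/-20% per window".
        last = self.last_change.get((source, param))
        if last is not None and now - last < b.cooldown_s:
            return False, "cooldown"
        # Shadow simulation hook: score the candidate config against SLOs; False = veto.
        candidate = {**self.current, param: new_value}
        if slo_check is not None and not slo_check(candidate):
            return False, "slo veto"
        self.current[param] = new_value
        self.last_change[(source, param)] = now
        return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: one rate-limit knob, 20% bound, 60 s cooldown.
    env = Envelope(bounds={"rps_limit": Bound(0.20, 60.0)}, current={"rps_limit": 1000})
    print(env.propose("agent-a", "rps_limit", 1200, now=0.0))   # accepted (exactly 20%)
    print(env.propose("agent-a", "rps_limit", 1500, now=10.0))  # rejected: 25% delta
    print(env.propose("agent-a", "rps_limit", 1400, now=10.0))  # rejected: cooldown
```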