DEV.co
Open-Source DevOps · apache

apisix

Apache APISIX is a cloud-native API gateway written in Lua that routes and manages traffic for APIs, microservices, and AI workloads. It supports dynamic configuration, multiple protocols (HTTP, gRPC, MQTT, TCP/UDP), and runs on any infrastructure from bare metal to Kubernetes.

Source: GitHub — github.com/apache/apisix
16.8k
GitHub stars
2.9k
Forks
Lua
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryapache/apisix
Ownerapache
Primary languageLua
LicenseApache-2.0 — OSI-approved
Stars16.8k
Forks2.9k
Open issues269
Latest release3.17.0 (2026-06-16)
Last updated2026-07-08
Sourcehttps://github.com/apache/apisix

What apisix is

APISIX is a reverse proxy and API gateway built on OpenResty (Lua/LuaJIT) with hot-reload capabilities, offering load balancing, circuit breaking, authentication (JWT, key-auth, OAuth), rate limiting, observability (Zipkin), and pluggable middleware for traffic transformation and AI gateway use cases.

Quickstart

Get the apisix source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/apache/apisix.gitcd apisix# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Kubernetes Ingress Controller

Deploy as a native Kubernetes ingress controller (via apisix-ingress-controller) to manage north-south traffic for microservice clusters with dynamic route updates without pod restarts.

AI/LLM Gateway

Route and load-balance requests to multiple LLM backends with token-based rate limiting, retry/fallback logic, and MCP server bridging for AI agent architectures.

Multi-protocol Service Mesh Edge

Proxy heterogeneous protocols (HTTP/S, gRPC, WebSocket, MQTT, TCP/UDP, Dubbo) in a single gateway for hybrid microservice or IoT deployments without protocol-specific gateways.

Implementation considerations

  • OpenResty runtime (Lua/LuaJIT) must be present on host or container; plan for image size and native dependency management (libpcre, libssl, etc.).
  • Configuration is API-driven (REST/gRPC); decide on config store (etcd, Consul, Nacos) for distributed deployments; local file-based config simpler but not HA.
  • Plugin ecosystem is large; audit which plugins match your tech stack (e.g., OIDC, Keycloak, Casbin) and validate compatibility with your release version.
  • Hot-reload reduces downtime but requires careful testing of config syntax and plugin interactions before production pushes.
  • Memory footprint and CPU profiling under peak load (especially with many routes, upstream nodes, or complex plugins) should be baselined in staging.

When to avoid it — and what to weigh

  • Lua expertise unavailable — Custom plugin development and deep debugging require Lua/OpenResty knowledge. Teams without Lua proficiency may face maintenance friction.
  • Simple reverse proxy only — If you need only basic HTTP reverse proxying without plugins or dynamic config, APISIX's feature richness adds operational overhead vs. simpler alternatives like Nginx or HAProxy.
  • Strict zero-downtime mandate with frequent updates — While APISIX supports hot-reload, high-frequency plugin or core updates in production require careful rollout testing; not ideal for 'instant push' CI/CD workflows.
  • Minimal observability/monitoring setup — APISIX integrates with external systems (Zipkin, Prometheus); if you lack centralized observability infrastructure, gap analysis and integration cost rises.

License & commercial use

Apache License 2.0 (Apache-2.0): permissive open-source license. Source must be disclosed; redistribution allowed with license/attribution; no patent grant from contributors.

Apache-2.0 is OSI-approved for commercial use. Derived works must retain Apache-2.0 headers and provide a copy of the license. APISIX itself imposes no commercial restrictions. Verify any proprietary plugin or integration licenses separately. No warranty stated in license; production use should follow standard OSS due diligence (code audit, testing, support planning).

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

APISIX provides built-in defenses: Anti-ReDoS (regex DoS), IP/referer whitelisting, CSRF (Double Submit Cookie), request validation, and multiple auth schemes (JWT, key-auth, OIDC, Casbin RBAC). TLS/mTLS and dynamic certificate loading supported. No published security audit linked in data. Deployment security depends on config store (etcd) and admin API hardening. Regular security patching via Apache release process; review CVE history and subscribe to dev mailing list for alerts.

Alternatives to consider

Nginx Ingress Controller / Kong

Kong is also Lua-based (OpenResty), simpler for API gateway-only use; Nginx Ingress lighter-weight but less dynamic. Choose Nginx if minimal plugins needed or strict operational simplicity required.

Envoy / Istio

Envoy is C++, larger ecosystem, deeper observability integration, and full service mesh. Choose if full mTLS mesh governance and sidecar model fit your architecture.

HAProxy

Lightweight, battle-tested reverse proxy with minimal dependencies. Choose if you need only basic TCP/HTTP proxying and want zero Lua/OpenResty complexity.

Software development agency

Build on apisix with DEV.co software developers

We can help you assess deployment requirements, plugin strategy, and operational readiness. Contact Devco to discuss your API gateway architecture.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

apisix FAQ

Can APISIX replace my Kubernetes ingress controller?
Yes, deploy apisix-ingress-controller alongside APISIX to manage Kubernetes Service, Route, and Upstream CRDs. It is designed as a drop-in Ingress alternative but requires APISIX runtime.
How do I update routes/plugins without restarting APISIX?
APISIX uses hot-reload: POST config to the Admin API (REST or gRPC), and running instances apply changes in-memory without service interruption. Config can be sourced from etcd, Consul, Nacos, or local files.
What is the performance overhead vs. raw Nginx?
APISIX runs on OpenResty (Lua on top of Nginx), so there is inherent overhead from Lua execution. Benchmarks not provided in data; performance depends on plugin complexity and load profile. Test in your environment.
Is Lua development/debugging a blocker?
For built-in plugins and simple config, no. For custom plugins or complex transformations, yes—Lua expertise needed. Community and docs can help, but lack of Lua developers on team is a real constraint.

Software development & web development with DEV.co

From first prototype to production, DEV.co delivers software development services around tools like apisix. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.

Ready to evaluate APISIX for your infrastructure?

We can help you assess deployment requirements, plugin strategy, and operational readiness. Contact Devco to discuss your API gateway architecture.