Gateway proxies
Learn more about the gateway proxies that kgateway supports.
About gateway proxies
Gateway proxies are the data plane in your kgateway setup. The data plane handles traffic between clients and servers, or backend applications.
The type of gateway proxy that you want to use depends on your use case, which is often related to the backend applications and the “direction” of the traffic.
Backend applications are commonly accessed by clients through application programming interfaces (APIs). Hence, an “API gateway” is a common use case for a gateway proxy. For more information, see the API gateway overview topic. If the client is outside your cluster, you need an ingress gateway to handle this “north-south” traffic. If the client is within the cluster or service mesh, you need an “east-west” gateway. To control traffic that leaves your environment, you need an egress gateway.
Increasingly, gateway proxies are designed to meet the challenges that are specific to artificial intelligence (AI) networking. In these scenarios, your backend applications might be cloud provider large language models (LLMs), your own LLMs and inferences, model context protocol (MCP) servers, agent-to-agent (A2A) servers, and similar AI use cases.
The best gateway proxies offer you ways to configure advanced routing, load balancing, security enforcement, protocol translation, and more. They also generate metrics and logs that you can use to monitor and troubleshoot your traffic.
Architecture
Kgateway is a control plane that manages the lifecycle of gateway proxies that adhere to the Kubernetes Gateway API spec.
When you install kgateway, you automatically get GatewayClasses out of the box. When you create a Gateway resource based on one of these GatewayClasses, kgateway automatically spins up a gateway proxy for you. The gateway proxy controls the data plane that routes traffic to the backend services. Kgateway then configures the data plane based on the Gateway API and kgateway custom resources that you configure, such as HTTPRoutes and TrafficPolicies. This way, you can standardize the configuration of your gateway proxies with the same set of open source resources.
For more information, see the other docs in this About section.
Supported gateway proxies
Kgateway supports the following gateway proxies. You can use both gateway proxies in the same Kubernetes cluster, depending on your use case.
| Gateway proxy | Primary use cases | Description | Doc sections |
|---|---|---|---|
| kgateway | API, ingress, egress, service mesh | The kgateway project includes its own proxy that is based on Envoy, an L3/L4/L7 network proxy. Beyond Envoy, kgateway provides a set of extensions for advanced configuration, security, and traffic management features. You can also integrate kgateway with the Istio service mesh in sidecar and ambient modes. For more information, see the kgateway FAQs and Envoy docs. | The entire doc set, with the exception of the agentgateway guides. |
| agentgateway | AI, A2A, MCP, LLM, Inference Extension | Agentgateway is an enterprise-grade gateway data plane that provides AI connectivity for agents and tools in any environment. For more information, see the Agentgateway docs. |
|
Reserved ports
The following ports are reserved by Kgateway and cannot be used when configuring your gateway proxy.
| Port | Description |
|---|---|
| 19000 | The Envoy admin port. Gateway proxies expose an admin interface on this port that you can use to access important proxy information, such as the config dump, heap dump, healthchecks, and memory allocation. |
| 15000 | The agentgateway admin port. Agentgateway proxies expose several endpoints on this port that you can use to access important proxy information, such as the config dump (15000/config_dump) and a read-only user interface (15000/ui). |
| 8082 | The readiness port. This port can be used to determine if the gateway proxy is ready to receive traffic. |
| 9091 | The Prometheus scraping port. Gateway proxies expose all metrics on this port so that Prometheus can scrape them. |
Note that if you configure one of these ports, the gateway proxy still deploys. However, you see error messages, such as the following in the logs.
err="failed to apply object apps/v1, Kind=Deployment example-gateway: failed to create typed patch object
(gwtest/example-gateway; apps/v1, Kind=Deployment): .spec.template.spec.containers[name=\"kgateway-proxy\"].
ports: duplicate entries for key [containerPort=9091,protocol=\"TCP\"]"