The GitOps-Driven API Gateway for Any Infrastructure
Traefik API Gateway runs identically across VMs and containers from a single control plane on any orchestrator, including AKS, EC2, ECS, RKE2, K3s, SUSE Virtualization, NKP, and Nutanix AHV. It’s a seamless upgrade from Traefik Proxy and every route and policy is defined as code.
TRAEFIK LABS IS TRUSTED BY LEADING ENTERPRISES WORLDWIDE





















































Why Choose Traefik API Gateway?
Organizations choose Traefik for many reasons (3.5 billion downloads and counting). Here are six of the most common reasons:
Replace Ingress NGINX, WAF Included
Traefik supports over 90% of ingress-nginx annotations used in production and includes native ModSecurity WAF built in, so teams migrate without configuration changes and block SQLi, XSS, and OWASP Top 10 threats from day one.
Migrate from VMware to a Modern Hypervisor
Traefik works across Nutanix AHV, SUSE Virtualization, and other modern hypervisors, providing Layer 7 routing, security, and policy enforcement without assembling separate tools.
Run VMs, Containers, & AI in a Hybrid Environment
Most teams run VMs, containers, & AI across separate stacks. Traefik unifies routing & governance across all three from a single control plane, standardizing routing, auth, & observability without replacing the underlying infrastructure.
Security & Compliance in Regulated Industries
Traefik supports OIDC, JWT, OAuth 2.0, LDAP, WAF, distributed rate limiting, & distributed TLS with FIPS validated cryptography—fully self-hosted, air-gap ready, & suitable for FedRAMP, PCI DSS, & GDPR environments.
Run AI & APIs Across Multiple Orchestrators
Most API gateways require separate policies for each orchestrator. Traefik natively integrates with AKS, EC2, ECS, RKE2, K3s, NKP, & other distributions, enabling organizations to use the same configurations across the board.
Infrastructure as Code
Traefik is fully declarative by design. Every route, policy, & middleware is defined in code, stored in Git, & applied automatically through ArgoCD, FluxCD, or standard CI/CD pipelines. No UI configuration required.
Compare Traefik Proxy with Traefik API Gateway
| Capability | |
|---|---|
| Traefik Proxy | Traefik API Gateway |
| Ingress Controller + Reverse Proxy + Load balancer | |
| Default Ingress in IBM IKS, Nutanix NKP, SUSE Rancher RKE2, K3s | |
| Services Auto-Discovery | |
| HTTP/2/3, TCP, UDP, gRPC, Websockets | |
| Lightweight & Cloud-Native | |
| Real-time Metrics & Distributed Tracing | |
| Public Plugins with Rich Catalog | |
| Ingress-View Dashboard | |
| Canary Deployments | |
| Supports Docker Swarm, Hashicorp Nomad, Azure Service Fabric, K8s Distros, Virtual Machines, & Bare Metal | |
| OpenTelemetry Metrics, Traces, & Logs | |
| Graceful Configuration Reload | |
| Advanced Security & Access Control: LDAP, JWT, API Key, HMAC, OAuth, OIDC, Open Policy Agent | |
| Native Web Application Firewall (WAF) | |
| FIPS 140-2 Compliance (Linux & Windows), 140-3 ready | |
| Distributed Let's Encrypt | |
| Distributed Rate Limiting | |
| HTTP Caching | |
| Multi-Cluster Management | |
| Traefik Elastic AWS Provider | |
| Nutanix Prism Central Provider | |
| HashiCorp Vault Integration | |
| Request-Response Debugger | |
| Add-On | |
| AI Gateway | |
| Add-On | |
| MCP Gateway | |
| Add-On | |
| Capability | Traefik Proxy | Traefik API Gateway |
|---|---|---|
| Ingress Controller + Reverse Proxy + Load balancer | ||
| Default Ingress in IBM IKS, Nutanix NKP, SUSE Rancher RKE2, K3s | ||
| Services Auto-Discovery | ||
| HTTP/2/3, TCP, UDP, gRPC, Websockets | ||
| Lightweight & Cloud-Native | ||
| Real-time Metrics & Distributed Tracing | ||
| Public Plugins with Rich Catalog | ||
| Ingress-View Dashboard | ||
| Canary Deployments | ||
| Supports Docker Swarm, Hashicorp Nomad, Azure Service Fabric, K8s Distros, Virtual Machines, & Bare Metal | ||
| OpenTelemetry Metrics, Traces, & Logs | ||
| Graceful Configuration Reload | ||
| Advanced Security & Access Control: LDAP, JWT, API Key, HMAC, OAuth, OIDC, Open Policy Agent | ||
| Native Web Application Firewall (WAF) | ||
| FIPS 140-2 Compliance (Linux & Windows), 140-3 ready | ||
| Distributed Let's Encrypt | ||
| Distributed Rate Limiting | ||
| HTTP Caching | ||
| Multi-Cluster Management | ||
| Traefik Elastic AWS Provider | ||
| Nutanix Prism Central Provider | ||
| HashiCorp Vault Integration | ||
| Request-Response Debugger | Add-On | |
| AI Gateway | Add-On | |
| MCP Gateway | Add-On |

Benefits for DevOps and Platform Teams
Reduce Complexity and Increase Extensibility
Traefik Hub API Gateway centralizes access control and traffic management to simplify teams' workflows while making it easy to add advanced capabilities (rate limiting, distributed Let's Encrypt, etc.) through turnkey middlewares, custom plugins, and third-party integrations.
- Access Control: OIDC, LDAP, JWT, HMAC & OAuth2
- Protocols: HTTP, HTTP/2, TCP, UDP, Websockets, gRPC
- Distributed Let's Encrypt
- HashiCorp Vault integration
- Middlewares (circuit breakers, retries, buffering, etc.)
- Go- and Wasm-based plugin catalog & custom plugin support (No Lua)

Boost Productivity with Cloud Native Automation
Dynamic configuration, automated service discovery and routing, flexible rate limiting, and high availability features enable application teams to deploy quickly with zero downtime and ensure peak performance and availability.
- Dynamic configuration & service discovery
- Traffic mirroring
- Blue / Green & Canary deployments
- Active health checks
- Distributed rate limiting
- High availability & disaster recovery

Adapt to Your Evolving Infrastructure
Because Traefik Hub API Gateway is compatible with any environment—whether cloud, legacy, or hybrid—DevOps and Platform teams can adopt new technologies and services quickly.
- Centralized control & data planes
- Automatic configuration & route syncing
- Infrastructure & orchestrator agnostic
- Hybrid cloud, multi-cloud, & on-prem compatible
- Progressive migration & deployment

Ensure Consistency, Repeatability, and Scalability
By automating tedious manual configurations and keeping your ecosystem up-to-date with your GitOps repository, Traefik Hub API Gateway saves teams time, increases consistency, and allows them to be more productive.
- Automated service discovery & configuration
- Dynamic routing to correct endpoints
- Distributed rate limiting
- Circuit breaker protection
- IP whitelisting & blacklisting
- Automatic application of Git configuration changes
- Auditable record of changes over time

Protect Your SLAs and SLOs
Clearly understand the flow of traffic, service dependencies, and where to prioritize team efforts to troubleshoot issues and protect your SLAs and SLOs.
- Cluster-wide dashboard
- Proxy health checks
- Distributed tracing (Jaeger, Open Tracing, Zipkin)
- Support for OpenTelemetry monitoring (Datadog, Grafana, InfluxDB, Prometheus, StatsD)
- Embedded caches
- Developer portal with OpenAPI (Swagger) support


Get Help When You Need It
While Traefik is built to ensure uptime, our team of experts is here for you 24/7/365. Additionally, we provide extensive resources to help beginners and experts master Traefik in all use cases.
- 24/7/365 Global Support
- Onboarding
- Documentation
- Community
- Traefik Academy
Frequently Asked Questions
Traefik Hub API Gateway is an enterprise-grade API gateway built on top of Traefik Proxy, the world's most downloaded cloud-native proxy, with 3.5 billion downloads and counting. It adds centralized access control, distributed security, AI Gateway, MCP Gateway, native WAF, and premium integrations, all in a fully declarative, GitOps-driven platform. It is the only API gateway that is both fully declarative and cloud-native from inception.





