TL;DR: API gateways and service meshes solve different trust problems in distributed systems, with gateways enforcing edge policy and meshes securing service-to-service traffic, according to Kong. The governance gap is not architecture choice but assuming one layer can replace the other when identity, authorization, and observability need to be enforced at different boundaries.
NHIMG editorial — based on content published by Kong: Service Mesh vs. API Gateway: What’s the Difference?
By the numbers:
- Sidecar memory consumption can vary widely from roughly 40 MB in baseline setups to over 1 GB in more complex environments.
- Latency may increase by about 1.7 ms at the 90th percentile and up to 2.7 ms at the 99th percentile when two proxies sit in the data path.
- According to the Cloud Native Computing Foundation, 54% of enterprises use Envoy as their proxy solution.
Questions worth separating out
Q: How should security teams split responsibilities between API gateways and service meshes?
A: Security teams should assign API gateways to external request control and service meshes to internal service-to-service control.
Q: Why do service meshes matter for identity governance in microservices?
A: Service meshes matter because microservices create internal trust relationships that a gateway cannot see.
Q: What breaks when organisations rely on an API gateway alone?
A: An API gateway alone leaves the internal service layer largely governed by network assumptions.
Practitioner guidance
- Define separate trust boundaries for edge and internal traffic Map which identities are external users, partner systems, and internal workloads.
- Bind workload identity to every service-to-service call Use cryptographic workload identities and automated certificate rotation for internal service communication.
- Unify identity telemetry across gateway and mesh layers Correlate gateway logs, mesh traces, and identity events so security teams can reconstruct who accessed what, from where, and through which service chain.
What's in the full article
Kong's full blog covers the implementation detail this post intentionally leaves for the source:
- Protocol-specific gateway functions for REST, GraphQL, gRPC, WebSocket, and event-streaming traffic.
- Service mesh rollout stages, including observability-first deployment and gradual mTLS activation.
- Resource trade-offs such as sidecar memory consumption and added latency in proxy-heavy paths.
- Kubernetes Gateway API and ambient mesh trends that affect how teams design the control plane.
👉 Read Kong's analysis of service mesh and API gateway roles in modern architectures →
Service mesh vs. API gateway: what IAM teams need to know?
Explore further
API gateway and service mesh are identity controls for different trust boundaries, not interchangeable infrastructure layers. The gateway governs external access, where authentication and authorisation must stop untrusted traffic at the edge. The mesh governs internal service identity, where east-west communication needs cryptographic proof and continuous visibility. Practitioners should stop asking which layer replaces the other and instead ask where each boundary begins.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
A question worth separating out:
Q: How do teams know whether gateway and mesh controls are working together?
A: Teams should look for consistent identity and traffic telemetry from the edge to internal services. If a request can be traced from external authentication through to service-to-service authorisation, the control model is functioning. If logs stop at the gateway or internal calls lack identity context, the architecture has a governance gap.
👉 Read our full editorial: Service mesh vs. API gateway for modern identity governance