TL;DR: API gateways and service meshes solve different trust problems in distributed systems, with gateways enforcing edge policy and meshes securing service-to-service traffic, according to Kong. The governance gap is not architecture choice but assuming one layer can replace the other when identity, authorization, and observability need to be enforced at different boundaries.
NHIMG editorial — based on content published by Kong: Service Mesh vs. API Gateway: What’s the Difference?
By the numbers:
- Sidecar memory consumption can vary widely from roughly 40 MB in baseline setups to over 1 GB in more complex environments.
- Latency may increase by about 1.7 ms at the 90th percentile and up to 2.7 ms at the 99th percentile when two proxies sit in the data path.
- According to the Cloud Native Computing Foundation, 54% of enterprises use Envoy as their proxy solution.
Questions worth separating out
Q: How should security teams split responsibilities between API gateways and service meshes?
A: Security teams should assign API gateways to external request control and service meshes to internal service-to-service control.
Q: Why do service meshes matter for identity governance in microservices?
A: Service meshes matter because microservices create internal trust relationships that a gateway cannot see.
Q: What breaks when organisations rely on an API gateway alone?
A: An API gateway alone leaves the internal service layer largely governed by network assumptions.
Practitioner guidance
- Define separate trust boundaries for edge and internal traffic: map which identities are external users, partner systems, and internal workloads.
- Bind workload identity to every service-to-service call: use cryptographic workload identities and automated certificate rotation for internal service communication.
- Unify identity telemetry across gateway and mesh layers: correlate gateway logs, mesh traces, and identity events so security teams can reconstruct who accessed what, from where, and through which service chain.
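The third point above, correlating edge logs with mesh telemetry, as an added example that is not part of the Kong article or this editorial: it joins constructed gateway access-log lines with constructed mesh spans on a shared request id, rebuilds the service chain behind each external subject, and flags internal hops that carried no verified workload identity (the gap described in the Q&A). The JSON field names and the SPIFFE-style identity URIs are assumptions, not a specific product's log format.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (not from the article). Gateway lines carry the
# edge-authenticated subject and client address; mesh spans carry the peer
# workload identity the sidecar verified over mTLS, or None for a plaintext hop.
GATEWAY_LOG = [
    '{"request_id":"r1","subject":"user:alice","client_ip":"203.0.113.7",'
    '"path":"/orders","status":200}',
    '{"request_id":"r2","subject":"partner:acme","client_ip":"198.51.100.9",'
    '"path":"/inventory","status":200}',
]
MESH_SPANS = [
    {"request_id": "r1", "source": "gateway", "destination": "orders",
     "peer_identity": "spiffe://corp/ns/edge/sa/gateway"},
    {"request_id": "r1", "source": "orders", "destination": "payments",
     "peer_identity": "spiffe://corp/ns/prod/sa/orders"},
    {"request_id": "r2", "source": "gateway", "destination": "inventory",
     "peer_identity": "spiffe://corp/ns/edge/sa/gateway"},
    {"request_id": "r2", "source": "inventory", "destination": "pricing",
     "peer_identity": None},  # hop that the mesh did not authenticate
]

def correlate(gateway_lines, spans):
    """Join edge log lines with mesh spans on request_id. For each request return
    the external subject, its source address, the ordered service chain, and
    every internal hop that lacked a verified workload identity."""
    hops = defaultdict(list)
    for span in spans:
        hops[span["request_id"]].append(span)
    result = {}
    for line in gateway_lines:
        entry = json.loads(line)
        rid = entry["request_id"]
        chain, unverified, current = ["gateway"], [], "gateway"
        remaining = list(hops.get(rid, []))
        # Follow spans outward from the gateway to recover the call chain.
        while remaining:
            nxt = next((s for s in remaining if s["source"] == current), None)
            if nxt is None:
                break  # chain is broken or spans are missing; stop here
            chain.append(nxt["destination"])
            if not nxt["peer_identity"]:
                unverified.append(f'{nxt["source"]}->{nxt["destination"]}')
            remaining.remove(nxt)
            current = nxt["destination"]
        result[rid] = {"subject": entry["subject"], "from": entry["client_ip"],
                       "path": entry["path"], "chain": chain,
                       "unverified_hops": unverified}
    return result

if __name__ == "__main__":
    for rid, rec in correlate(GATEWAY_LOG, MESH_SPANS).items():
        print(rid, rec)
```

A non-empty `unverified_hops` list is the signal that an internal call was governed only by network placement rather than by workload identity.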
What's in the full article
Kong's full blog covers the implementation detail this post intentionally leaves for the source:
- Protocol-specific gateway functions for REST, GraphQL, gRPC, WebSocket, and event-streaming traffic.
- Service mesh rollout stages, including observability-first deployment and gradual mTLS activation.
- Resource trade-offs such as sidecar memory consumption and added latency in proxy-heavy paths.
- Kubernetes Gateway API and ambient mesh trends that affect how teams design the control plane.
Read Kong's analysis of service mesh and API gateway roles in modern architectures.