Self-Hosted APIM · Kong · Gravitee · IBM

01

Who they are, in one card each

The three contenders

Three platforms with genuinely different philosophies. They look superficially similar — gateway + control plane + dev portal — but the operating model, ecosystem, and total cost diverge sharply.

Kong OSS-first

Kong

Lua + Nginx, plugin-rich

OSS license Apache 2.0
Core runtime OpenResty / Nginx
Plugin language Lua · Go · JS · Python
Managed SaaS Konnect
K8s native Kong Ingress Controller
Plugin count ~100+ official, hundreds OSS
Best for cloud-native, plugin-heavy

Gravitee Full APIM

Gravitee

Java + APIM + Event-driven gateway

OSS license Apache 2.0
Core runtime Java / Reactor
Policy language Groovy · Java · Spring EL
Managed SaaS Gravitee Cloud
K8s native Operator + Helm
Unique angle Native Kafka / MQTT / Webhook gateway
Best for full APIM + event streams

IBM API Connect Enterprise

IBM API Connect

DataPower-derived, enterprise-grade

OSS license None (closed)
Core runtime DataPower Gateway
Policy assembly GatewayScript · XSLT
Managed SaaS IBM Cloud
K8s native OpenShift operator
Heritage Decades of WebSphere ESB DNA
Best for existing IBM shops

▸ One-line summary

Kong if you want plugins. Gravitee if you want event streams. IBM if you're already on the IBM stack.

The fourth answer ("don't self-host APIM") is also valid for many teams. Self-hosting buys data residency, customization, and lower per-call cost at scale — at the cost of operational burden you don't get from Apigee SaaS or AWS API Gateway.

02

What you get for free

The open-source story

Two of these are genuinely OSS. One is not. The difference matters for both cost and ecosystem lock-in.

Vendor	License	OSS scope	Production-grade on OSS alone?
Kong	Apache 2.0	Gateway + Kong Ingress Controller + many plugins.	Yes. Many large companies run Kong OSS in production unmodified.
Gravitee	Apache 2.0	Full APIM (Gateway + Console + Portal + AM) is OSS.	Yes. OSS edition is feature-rich; Enterprise adds federation, governance, premium support.
IBM API Connect	None	Closed source.	N/A — license required.

OSS-only limit	Kong	Gravitee
Dev portal	Community-built ones only	Bundled developer portal
Advanced plugins	OAuth, OIDC, OPA: Enterprise	Most policies in OSS
Multi-cluster control plane	Enterprise / Konnect	OSS + Enterprise
Vault integration	Enterprise plugin	OSS
RBAC + audit	Enterprise	Bundled
Support SLA	Enterprise	Enterprise

▸ Counterintuitive truth

Gravitee's OSS edition is more complete than Kong's OSS edition.

Kong's OSS gateway is excellent but most enterprise features (RBAC, advanced auth, portal, multi-cluster) are paid. Gravitee bundles much more into OSS, including the developer portal and Access Management. This often surprises teams who default to Kong.

03

If you live in Kubernetes

Kubernetes nativity

All three run on Kubernetes. How well they run on K8s varies a lot.

Capability	Kong	Gravitee	IBM
Ingress Controller	Best in class. Implements Gateway API + Ingress.	Yes, via Kubernetes Gateway Controller.	Via OpenShift operator.
Helm chart	Official, mature.	Official, mature.	Operator-only; no public Helm chart.
Operator pattern	Kong Operator (Konnect).	Gravitee APIM Operator.	API Connect Operator for OpenShift.
CRDs for API config	Yes — gitops-friendly.	Yes — full CRD support.	Limited — config still via Console UI mostly.
Service mesh integration	Kong Mesh (built on Kuma).	External; works with Istio.	Limited.
Data plane / Control plane split	Yes — DB-less data plane.	Yes — distributed gateway.	Yes.

▸ Pattern

Kong wins on GitOps. Gravitee wins on bundled features. IBM wins on existing OpenShift estates.

If you're running ArgoCD with everything-as-yaml, Kong's CRD story is the cleanest. If you want a turnkey APIM in K8s with portal included, Gravitee. If you already have OpenShift, IBM is the path of least resistance.

04

License + ops + people

Total cost

Self-hosted means you pay for license + infrastructure + ops people. The license is the obvious part; the other two often surprise.

Cost component	Kong	Gravitee	IBM
License — OSS	$0	$0	N/A
License — Enterprise (indicative)	$50k–$300k/yr	$60k–$250k/yr	$150k–$500k+/yr
License model	Per cluster, per node, or per req in Konnect.	Per cluster + features.	Per cluster + Processor Value Units.
Konnect / Cloud SaaS	Konnect: req-based.	Gravitee Cloud: managed plane.	IBM Cloud: bundled with subscription.
Infrastructure (K8s)	Yours	Yours	Yours (or IBM Cloud)
Ops burden	Moderate — runtime + DB.	Moderate — runtime + ES + Mongo.	High — DataPower expertise required.
Talent availability	High — large community.	Growing — smaller community.	Low — DataPower skills scarce.

▸ Hidden cost

Self-hosting all three needs at least 1 dedicated SRE at any non-trivial scale.

The license is the most-quoted figure. The real total includes K8s infra (~$50k–$200k/yr for prod-grade clusters), monitoring stack, DR replication, and at least one engineer who owns runtime upgrades, capacity planning, and incident response. Apigee SaaS or AWS API GW absorb that.

05

What you extend with

Plugin ecosystems

The extension story is what makes self-hosted compelling. You can build what the vendor didn't.

Kong

~100 official + Enterprise plugins.
Plugin SDKs in Lua, Go, JS, Python. Lua is fastest.
Strong community plugin marketplace (Plugin Hub).
Plugin chain composition is mature; ordering well-documented.
Native OPA, OIDC, AWS Lambda, Datadog plugins.
Konnect adds AI Gateway plugins (LLM routing, semantic caching).

Gravitee

~50 built-in policies covering API + event-stream cases.
Policy authoring in Groovy, Java, Spring EL.
Unique: Event-driven policies for Kafka, MQTT, AMQP, Webhooks.
Custom resource plugins (e.g., custom auth backends).
Plugin marketplace smaller than Kong's but well-curated.
Strong story for "async APIs" alongside REST/GraphQL.

IBM API Connect

Assembly editor — visual policy chain construction.
Policies written in GatewayScript (JS dialect) or XSLT.
Strong heritage in SOAP, MQ, IMS, CICS integrations.
Tight integration with IBM MQ and IBM Cloud Pak for Integration.
Smaller community; most extension is via IBM PS or partners.
DataPower XML/XSLT performance is hard to beat for SOAP-heavy workloads.

Common pitfalls

Custom plugins drift. Test against runtime upgrades — Kong/Gravitee bump majors regularly.
Ordering of plugins matters — auth before rate limit, not after.
Custom plugins lock you in just like vendor lock-in does.
Performance benchmarking each plugin is non-negotiable at scale.
OSS plugin maintenance often falls on the team that adopted it.

06

A decision tree

When to pick which

A simple decision tree from most common patterns observed in 2026 procurement cycles.

If your situation is…	Pick	Why
Cloud-native shop, K8s + GitOps, lean ops team	Kong	Best CRD/Operator story; largest talent pool; plugin SDK is a competitive moat.
Mixed REST + event-streams (Kafka, MQTT)	Gravitee	Only vendor with first-class async / event-driven APIs in the same gateway.
Need full APIM (gateway + portal + AM) on OSS budget	Gravitee	OSS edition includes more out of the box than Kong's.
Existing IBM customer with OpenShift + MQ + DataPower	IBM API Connect	Procurement path of least resistance; existing skills transfer.
SOAP-heavy legacy modernization	IBM API Connect	DataPower XML/XSLT performance is unmatched; SOAP→REST tooling mature.
Want to start free, upgrade later	Kong OSS or Gravitee OSS	Either path; Gravitee gives more for free but Kong has more eyes.
Don't want to operate it at all	None — go SaaS	Apigee X, AWS API GW, Azure APIM, Konnect, Gravitee Cloud.

▸ Final honest take

If you're not certain you need self-hosted — don't. The ops cost surprises everyone.

Self-hosted makes sense when (a) data residency mandates require it, (b) per-call SaaS pricing dominates at your scale, or (c) you need extension capabilities only OSS provides. Otherwise SaaS APIM is genuinely easier and cheaper. Be honest about your team's K8s operational capacity.