Architecture
API7 Enterprise is a suite of API management components, including API7 Gateway as its traffic processing layer. API7 Gateway uses a decoupled architecture that separates the management logic (Control Plane) from the request processing logic (Data Plane). This design ensures high availability, security isolation, and independent scalability.
Decoupled architecture
The control plane and data plane communicate over secure channels, allowing them to be deployed in different environments or regions.
Control plane (CP)
The control plane is the management hub for API7 Gateway. It is a Go-based service that provides the following components:
- Dashboard and Admin API: Provides a web-based interface and a RESTful API for managing all gateway configurations. Default port is
7443(HTTPS). - PostgreSQL Database: Stores all persistent configurations, including services, routes, consumers, and audit logs. PostgreSQL is the primary and recommended storage backend; the Control Plane also supports MySQL and Microsoft SQL Server as alternative backends — see Supported Versions and Interoperability for details.
- DP Manager: Exposes an etcd v3–compatible API on port
7943(mTLS) that data plane nodes connect to. Internally, the DP Manager serves this API via an embedded kine shim backed by the Control Plane database, so data plane nodes can use the standard Apache APISIX etcd client to watch configuration without requiring a real etcd cluster.
Data plane (DP)
The data plane is the high-performance proxy engine that processes incoming API requests. It is built on OpenResty and Lua.
Core components
- Proxy Engine: Handles HTTP, HTTPS, gRPC, and TCP/UDP traffic. Default ports are
9080(HTTP) and9443(HTTPS). - Stateless Operation: Data plane nodes are stateless. They receive configuration from the control plane and store it in memory for fast access.
- EE Agent: A specialized component (
agent/hook.lua) that handles communication with the control plane, manages shared dictionaries for discovery data, and merges configuration updates.
Health and observability
- Health Endpoints: Each DP node provides
/status(liveness) and/status/ready(readiness) endpoints on port7085. - Prometheus Metrics: Metrics are exposed on port
9091at/apisix/prometheus/metrics.
CP–DP communication
API7 Gateway uses the same pull/watch model as open-source Apache APISIX for configuration synchronization. Each data plane node runs the standard APISIX etcd client and connects outbound to the DP Manager on port 7943 over mTLS. Once connected, the data plane watches the etcd-compatible key space for configuration changes and applies them to its in-memory cache as soon as they arrive.
The only difference from upstream APISIX is the storage backend: instead of a real etcd cluster, the DP Manager uses kine to translate the etcd v3 API to PostgreSQL reads and writes. From the data plane's perspective, the DP Manager behaves exactly like an etcd cluster.
Secure communication
The connection between each data plane node and the DP Manager is secured with mutual TLS. The data plane presents a client certificate issued by API7's internal CA; the DP Manager verifies the client certificate before serving any configuration data, and the data plane verifies the DP Manager's server certificate. This ensures that only authorized data planes can read configuration and only an authorized control plane can serve it.
Fault tolerance
Because the data plane holds the last-known configuration in memory (and, optionally, on disk), it continues to serve traffic if the control plane becomes unreachable. Only administrative tasks — publishing new routes, adding consumers, rotating certificates — are blocked until the control plane is restored. For enhanced resilience, you can also configure a fallback configuration provider that lets the data plane survive extended CP outages.
Comparison: Open-Source vs. Enterprise
| Feature | Open-Source APISIX | API7 Enterprise |
|---|---|---|
| Primary storage | Standalone etcd cluster | PostgreSQL (via kine etcd shim) |
| Config API exposed to DP | etcd v3 (native) | etcd v3 (compatible, backed by PostgreSQL) |
| Config sync model | Pull / watch | Pull / watch (identical semantics) |
| CP–DP transport | Plain etcd client over gRPC or HTTP | mTLS on port 7943 |
| Management surface | Admin API | Dashboard + Admin API + ADC |
| Scaling | Scale etcd cluster and DP independently | Scale PostgreSQL, CP, and DP independently |
Next steps
- Deploy on Kubernetes — deploy the gateway in a Kubernetes cluster.
- Configure Control Plane — tune CP settings for your environment.
- Configure Data Plane — customize DP proxy behavior.