What is the main difference between Zuplo and Traefik?

Traefik is a container-native reverse proxy built for service routing inside Docker and Kubernetes environments. Zuplo is a fully managed API gateway deployed to 300+ edge locations that includes API management features like a developer portal, API key management, and monetization out of the box.

Can Zuplo replace Traefik as a Kubernetes ingress controller?

Zuplo is designed for external-facing API management rather than internal Kubernetes ingress. Many teams use Traefik for internal east-west service routing and Zuplo as the external API management layer for third-party developers.

Does Traefik have a developer portal?

Traefik Hub API Management, the highest commercial tier, includes a developer portal. Traefik Proxy and Traefik Hub API Gateway do not. Zuplo includes a developer portal on all plans, including the free tier.

How does Traefik pricing compare to Zuplo?

Traefik Proxy is free and open source but requires you to manage Kubernetes infrastructure. Traefik Hub API Gateway and API Management require contacting sales for pricing. Zuplo offers a free tier with API key management, rate limiting, and edge deployment included, with paid plans starting at $25/month.

Can I use Traefik and Zuplo together?

Yes. A common pattern uses Traefik for internal service-to-service routing inside Kubernetes clusters and Zuplo as the external-facing API gateway with developer portals, API keys, and rate limiting for third-party API consumers.

Do I need Kubernetes to use Zuplo?

No. Zuplo is fully managed and serverless, deploying to 300+ edge locations globally without any container orchestration. Traefik is designed for Docker and Kubernetes environments.

Zuplo vs Traefik: Managed Edge Gateway vs Container-Native API Proxy

If you’re evaluating API gateways, you’ve probably encountered Traefik — a popular open-source reverse proxy built for Docker and Kubernetes environments. Traefik excels at container-native service discovery and load balancing. But teams looking for full API lifecycle management — developer portals, API key management, rate limiting, and monetization — often find Traefik’s proxy-first architecture requires significant add-ons and operational overhead to fill those gaps.

This guide compares Traefik and Zuplo across architecture, API management capabilities, developer experience, and total cost of ownership so you can decide which approach fits your stack.

Here’s what sets them apart:

Architecture: Traefik is a container-native proxy that runs alongside your services in Docker or Kubernetes. Zuplo is a fully managed edge gateway deployed to 300+ global locations.
API management: Traefik is a routing proxy first; full API management requires upgrading to Traefik Hub API Management (enterprise tier). Zuplo includes a developer portal, API keys, and monetization on all plans.
Developer experience: Traefik uses YAML/TOML configuration and Go plugins. Zuplo uses TypeScript policies with native GitOps workflows.
Pricing: Traefik Proxy is free and open source but requires Kubernetes infrastructure and ops investment. Zuplo starts free with all infrastructure included.

In this guide:

What Traefik Is (and Isn’t)
What Zuplo Is
Feature Comparison at a Glance
Architecture Comparison
API Gateway Features
Service Discovery and Routing
Developer Experience
API Management Capabilities
Operations and Scaling
Pricing Comparison
When to Choose Traefik
When to Choose Zuplo
Using Traefik and Zuplo Together
FAQ

What Traefik Is (and Isn’t)

Traefik is a Go-based reverse proxy and load balancer designed for cloud-native environments. It automatically discovers services in Docker, Kubernetes, and other container orchestrators and configures routing based on labels, annotations, or CRDs. Traefik Proxy is open source and widely used for internal service routing, TLS termination, and ingress control.

Traefik Labs offers three product tiers:

Traefik Proxy — The free, open-source reverse proxy with middleware support for basic rate limiting, authentication, and circuit breaking. Distributed rate limiting with Redis is available as of Traefik Proxy v3.4.
Traefik Hub API Gateway — Adds enterprise security features like OAuth, OIDC, JWT validation, distributed rate limiting, a native WAF, and AI Gateway capabilities. Pricing is not public.
Traefik Hub API Management — The highest tier, adding API lifecycle management features like API discovery, versioning, subscriptions, and a developer portal. Pricing requires a sales conversation.

The key thing to understand: Traefik was built as a routing proxy first. API management features were added later as separate commercial products. This means getting the full API management experience requires upgrading from the free proxy to the most expensive tier, plus managing the Kubernetes infrastructure underneath it all.

What Zuplo Is

Zuplo is a fully managed API gateway built for API management from day one. It deploys to 300+ edge locations globally and handles the complete API lifecycle — authentication, rate limiting, request validation, a developer portal, API key management, and monetization — without requiring you to manage any infrastructure.

Core API management features — including API key management, rate limiting, a developer portal, and edge deployment — are available on every plan, including the free tier. Zuplo is OpenAPI-first: your routes are defined in an OpenAPI spec, policies are configured as code, and everything lives in a Git repository. Custom logic is written in TypeScript with full access to request and response context. Changes deploy globally in under 20 seconds.

Feature Comparison at a Glance

Capability	Traefik	Zuplo
Deployment model	Self-hosted containers (Docker/Kubernetes)	Fully managed, 300+ edge locations
Configuration	YAML/TOML, Docker labels, Kubernetes CRDs	OpenAPI spec + TypeScript, GitOps
Deployment speed	Depends on your CI/CD pipeline	Under 20 seconds globally
Developer portal	Traefik Hub API Management tier only	All plans (including free)
API key management	Traefik Hub tiers only	All plans (including free)
Rate limiting	Per-instance (Proxy); distributed with Redis	Globally distributed, no external stores
Custom logic	Go plugins (Yaegi/Wasm)	TypeScript policies
Git integration	Via Kubernetes CRDs in Git	Native GitHub integration; GitLab, Bitbucket, Azure DevOps on enterprise
Monetization	No native billing integration	Native Stripe integration
Pricing	OSS free; Hub tiers require sales contact	Free tier; Builder at $25/month

Architecture Comparison

The fundamental architectural difference between Traefik and Zuplo shapes everything downstream: operational burden, performance characteristics, and feature availability.

Traefik: Container-Native Proxy

Traefik runs as a container alongside your services. In Kubernetes, it’s typically deployed via Helm chart as an Ingress Controller or using the newer Gateway API. It watches the Kubernetes API server for changes and automatically generates routing configuration based on IngressRoute CRDs or labels.

This architecture means:

You manage the infrastructure — Helm charts, node pools, scaling policies, health checks, and upgrades are your responsibility.
Performance is bounded by your cluster — Traefik runs where your containers run. If your cluster is in us-east-1, that’s where all API traffic is processed, regardless of where your users are.
Distributed features require additional infrastructure — Distributed rate limiting requires a Redis cluster, whether you use Traefik Proxy (v3.4+) or Traefik Hub. Observability requires you to set up Prometheus, Grafana, or similar tooling.
High availability requires planning — Running multiple Traefik replicas across availability zones, configuring proper health checks, and managing failover is on your team.

Zuplo: Edge-Native Managed Gateway

Zuplo runs as a managed service across 300+ data centers worldwide. Your API gateway configuration — routes, policies, and custom TypeScript handlers — is deployed to every edge location automatically.

This architecture means:

Zero infrastructure to manage — No Helm charts, no Kubernetes operators, no sidecar proxies, no Redis clusters.
Requests are processed at the nearest edge — A user in Tokyo hits a Tokyo edge node; a user in Frankfurt hits a Frankfurt edge node. This reduces latency for geographically distributed API consumers.
Built-in global high availability — If one edge location has an issue, traffic automatically routes to the next nearest location.
Distributed features work out of the box — Rate limiting, API key validation, and caching are globally distributed by default with no additional infrastructure.

For a deeper look at deployment model tradeoffs, see Managed vs Self-Hosted API Gateway: Architecture, Cost, and Operations Decision Framework.

API Gateway Features

Both platforms handle core gateway functions, but their approaches reflect their different origins.

Rate Limiting

Traefik Proxy includes a RateLimit middleware that uses a token bucket algorithm configured via YAML labels or middleware definitions. In its default mode, each Traefik replica maintains its own counters. As of Traefik Proxy v3.4, distributed rate limiting with Redis is available in the open-source version, though it requires you to deploy and manage a Redis cluster.

Zuplo provides programmable rate limiting with a sliding window algorithm enforced globally across all edge locations. Limits can be set per user, per API key, per IP, or using custom identifiers. For more advanced scenarios, Complex Rate Limiting supports multiple limits with different thresholds and time windows in a single policy. No external data stores are required.

Authentication

Traefik Proxy supports basic authentication and forward auth middleware (delegating to an external auth service). Traefik Hub API Gateway adds OAuth, OIDC, JWT validation, API key auth, LDAP, and HMAC.

Zuplo includes multiple authentication methods out of the box: API key authentication with globally distributed validation, JWT and OpenID Connect authentication, and basic auth. All auth methods populate a standard request.user object that downstream policies and handlers can use for authorization decisions, per-user rate limiting, or forwarding identity to your backend.

Request Validation

Traefik does not include built-in request validation against an OpenAPI schema. You’d need a custom middleware or plugin.

Zuplo includes a Request Validation policy that validates every incoming request against your OpenAPI schema — checking request bodies, query parameters, headers, and path parameters. Malformed requests are rejected at the gateway before reaching your backend.

Custom Logic

Traefik supports custom middleware through Go plugins using the Yaegi interpreter or WebAssembly. Writing plugins requires Go knowledge and the plugin must conform to Traefik’s middleware interface.

Zuplo lets you write custom inbound and outbound policies in TypeScript. Policies have access to the full request/response context, user identity, API key metadata, and environment variables. Here’s an example that validates a required header and stores its value for downstream use:

typescript

import { ZuploContext, ZuploRequest, HttpProblems } from "@zuplo/runtime";

interface PolicyOptions {
  headerName: string;
}

export default async function (
  request: ZuploRequest,
  context: ZuploContext,
  options: PolicyOptions,
  policyName: string,
): Promise<ZuploRequest | Response> {
  const value = request.headers.get(options.headerName);
  if (!value) {
    return HttpProblems.badRequest(request, context, {
      detail: `Missing required header '${options.headerName}'.`,
    });
  }
  // Store the value for downstream consumption
  context.custom.tenantId = value;
  return request;
}

This approach gives you the full flexibility of a general-purpose programming language (TypeScript) rather than requiring you to learn Go or compile custom plugins.

Service Discovery and Routing

Traefik: Auto-Discovery from Container Labels

Traefik’s standout feature is its automatic service discovery. In Docker, you add labels to containers and Traefik automatically creates routes:

yaml

labels:
  - "traefik.http.routers.my-api.rule=Host(`api.example.com`)"
  - "traefik.http.services.my-api.loadbalancer.server.port=8080"

In Kubernetes, you use IngressRoute CRDs or the Gateway API:

yaml

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-api
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`api.example.com`) && PathPrefix(`/users`)
      kind: Rule
      services:
        - name: user-service
          port: 8080

This works very well for routing between internal microservices where services are constantly being created, scaled, and destroyed.

Zuplo: Declarative OpenAPI Routes

Zuplo takes an API-first approach. Your routes are defined in an OpenAPI specification (config/routes.oas.json), and each route specifies its handler and policy pipeline:

json

{
  "paths": {
    "/users": {
      "get": {
        "operationId": "get-users",
        "x-zuplo-route": {
          "handler": {
            "export": "urlForwardHandler",
            "module": "$import(@zuplo/runtime)",
            "options": {
              "baseUrl": "https://api.backend.example.com"
            }
          },
          "policies": {
            "inbound": ["api-key-auth", "rate-limit"]
          }
        }
      }
    }
  }
}

This approach is designed for external-facing APIs where you want explicit control over every route, its authentication, rate limiting, and documentation. The OpenAPI spec doubles as both your routing configuration and the source of truth for your auto-generated developer portal.

Developer Experience

Traefik

Traefik is configured through a combination of static configuration (TOML/YAML), dynamic configuration (Kubernetes CRDs, Docker labels, file providers), and the Traefik Hub web dashboard. This gives you flexibility but also fragmentation — configuration lives in multiple places and formats.

Traefik Hub adds a centralized dashboard for monitoring and management. GitOps workflows are supported through Kubernetes CRDs stored in Git, which is a natural fit for teams already using ArgoCD or Flux.

Zuplo

Zuplo is built around a GitOps-first workflow. Your entire API configuration — routes, policies, and custom code — lives in a Git repository. Every change goes through a pull request, every deployment is traceable, and branch-based deployments let you preview changes before merging to production.

The developer experience includes:

Native GitHub integration on all plans — GitLab, Bitbucket, and Azure DevOps are available on enterprise plans
Branch-based environments — Each branch creates a preview environment with its own URL
Sub-20-second global deployments — Push to main and your changes are live at 300+ edge locations in under 20 seconds
TypeScript programmability — Write custom logic in a language your team already knows

API Management Capabilities

This is where the gap between a routing proxy and an API management platform becomes most visible.

Developer Portal

Traefik Hub API Management (the highest commercial tier) includes a developer portal for API discovery and documentation. It supports OpenAPI specs and provides self-serve capabilities.

Zuplo includes a developer portal on all plans, including the free tier. It’s auto-generated from your OpenAPI spec and includes interactive API documentation, an API playground for testing, and self-serve API key management. Developers sign up, create their own keys, and start integrating — no manual provisioning needed. The portal is built on the open-source Zudoku framework and is fully customizable.

API Key Management

Traefik Proxy has no concept of API consumers, keys, or key lifecycle management. Traefik Hub API Gateway adds API key authentication, but the full key management experience requires the API Management tier.

Zuplo has a fully managed API key system with global edge validation, consumer metadata, self-serve access through the developer portal, and automatic leak detection (if a key appears in a public GitHub repository, Zuplo sends an alert). Keys validate at the edge in 300+ data centers, keeping latency low.

API Monetization

Traefik has no native billing or payment integration at any tier. Traefik Hub API Management does support subscription management and API plans for access control, but billing integration requires external tooling.

Zuplo includes native Stripe integration for usage-based billing. You can create subscription tiers, meter API usage, and let developers subscribe to paid plans directly through the developer portal.

Analytics

Traefik provides real-time metrics and distributed tracing through integrations with Prometheus, Grafana, OpenTelemetry, and similar observability tools. You need to set up and manage these integrations yourself.

Zuplo provides built-in analytics for both API operators and API consumers. Developers using your API can see their own usage and request history directly in the developer portal.

For a broader look at this distinction, see API Management vs API Gateways: Choosing the Right Solution.

Operations and Scaling

Running Traefik in Production

Running Traefik in production means managing Kubernetes infrastructure:

Helm chart management — Deploying, configuring, and upgrading Traefik via Helm, including managing values files across environments
Node pool sizing — Right-sizing compute for Traefik pods and planning for traffic spikes
High availability — Running multiple replicas across availability zones with proper pod disruption budgets
TLS certificate management — Traefik has excellent Let’s Encrypt integration, but you still manage the ACME configuration and certificate storage
Upgrades — Coordinating Traefik version upgrades with your Kubernetes cluster version and CRD schemas
Redis for distributed rate limiting — If using distributed rate limiting (available in Proxy v3.4+ or Hub), you also operate a Redis cluster

Running Zuplo in Production

With Zuplo, there is no infrastructure to manage:

TLS is automatic — Certificates are provisioned and renewed as part of the managed edge deployment
Scaling is automatic — The edge network handles traffic spikes without configuration
Upgrades happen transparently — The platform is updated without downtime or action on your part
Global distribution is the default — You don’t need to plan multi-region deployments; your API is already running in 300+ locations

The operational burden difference is significant. With Traefik, you need a platform engineering team comfortable with Kubernetes operations. With Zuplo, your team focuses on API design and business logic.

Pricing Comparison

Traefik

Traefik Proxy: Free and open source. No license cost, but you pay for the underlying infrastructure (Kubernetes cluster, compute, networking) and the engineering time to operate it.
Traefik Hub API Gateway: Pricing is not public — contact sales. Requires the same infrastructure investment plus the license fee.
Traefik Hub API Management: Pricing is not public — contact sales. This is the tier that includes a developer portal and API lifecycle management.

The infrastructure cost that isn’t reflected in the license price can be substantial. Running a production Kubernetes cluster with proper high availability, monitoring, and on-call support typically costs $2,000–$10,000+/month in cloud infrastructure alone, before accounting for the engineering time to manage it.

Zuplo

Free: $0/month with 100K requests, API key management, rate limiting, developer portal, and edge deployment included.
Builder: $25/month with custom domains and 100K requests included. Additional requests scale at additional cost.
Enterprise: Custom pricing with unlimited resources, SSO, observability integrations, and premium support.

Zuplo’s pricing includes everything — infrastructure, global distribution, TLS, high availability, and API management features. There are no separate infrastructure costs to factor in. See Zuplo pricing for current details.

When to Choose Traefik

Traefik is a strong choice when:

Internal service routing is your primary use case — Traefik’s auto-service discovery from Docker labels and Kubernetes annotations makes it excellent for routing between microservices inside your cluster.
You have a mature Kubernetes platform team — If your team is already running and maintaining Kubernetes clusters, adding Traefik as an ingress controller is straightforward.
You need east-west traffic management — Routing between internal services, canary deployments, and service-to-service load balancing within a cluster is Traefik’s sweet spot.
You don’t need external API management — If you’re not exposing APIs to third-party developers and don’t need a developer portal, API keys, or monetization, Traefik Proxy may be all you need.

When to Choose Zuplo

Zuplo is the better fit when:

You’re building an external-facing API product — Developer portals, self-serve API keys, rate limiting, and monetization are built in from day one.
You want zero infrastructure overhead — No Kubernetes clusters, no Helm charts, no Redis. Your team spends time on API design, not infrastructure operations.
Global performance matters — Your API consumers are geographically distributed and you want low-latency responses everywhere without managing multi-region infrastructure.
You want to move fast — Sub-20-second global deployments, GitOps workflows, and TypeScript programmability mean you ship API changes quickly.
You need API management, not just proxying — If your requirements go beyond routing and load balancing into authentication, key management, analytics, and developer onboarding, Zuplo covers the full lifecycle.

Using Traefik and Zuplo Together

Traefik and Zuplo are not mutually exclusive. A common architecture uses both:

Traefik handles east-west traffic — Internal service-to-service routing inside your Kubernetes cluster, where auto-discovery from labels and annotations keeps configuration in sync as services scale.
Zuplo handles north-south API traffic — External-facing API management at the edge, with developer portals, API keys, rate limiting, and analytics for your third-party API consumers.

This gives you the best of both worlds: Traefik’s container-native routing for internal traffic and Zuplo’s managed API management platform for external APIs — without trying to force a routing proxy into an API management role.

Ready to see how Zuplo handles your API management needs? Start for free — no credit card required — or check out the Choosing an API Gateway comparison for a broader landscape view.