Legend: ✅ = supported • ⚠️ = limited/indirect • ❌ = not supported
# | Capability | K8s Service (ClusterIP / NodePort) | AWS NLB (L4) | AWS ALB (L7) | Amazon API Gateway (REST/HTTP/WebSocket) | Istio / Envoy / Traefik (service mesh / gateways) |
---|---|---|---|---|---|
1 | Basic gRPC communication | ✅ (in-cluster TCP/HTTP/2) | ✅ (TCP/TLS pass-through) | ✅ (HTTP/2 end-to-end incl. gRPC) (Amazon Web Services, Inc.) | ❌ (no native gRPC; use translation/proxy) | ✅ |
2 | Internal service-to-service gRPC | ✅ (ClusterIP) | ⚠️ possible via internal NLB, uncommon | ⚠️ possible via internal ALB, uncommon | ❌ (private APIs exist, but not gRPC) | ✅ (the mesh sweet spot) |
3 | External gRPC exposure | ❌ (ClusterIP), ⚠️ NodePort (raw) | ✅ | ✅ (AWS Documentation) | ❌ (not native gRPC) | ✅ (via ingress gateway) |
4 | gRPC load balancing | ⚠️ (connection-level only: a gRPC client multiplexes every call onto one long-lived HTTP/2 connection, so all of them land on one pod; use a headless Service with client-side `round_robin`, or an L7 proxy) | ✅ (L4; same per-connection caveat) | ✅ (L7; HTTP/2 to targets, balanced per request) (Amazon Web Services, Inc.) | ❌ | ✅ (advanced, per-method, etc.) |
5 | Path-based routing (L7, gRPC aware) | ❌ | ❌ | ✅ | ❌ for gRPC (yes for HTTP) | ✅ |
6 | Host-based routing (virtual hosts) | ❌ | ❌ | ✅ (Host header rules) (Amazon Web Services, Inc.) | ✅ (via custom domains; see notes) | ✅ |
7 | Weighted routing (canary/A-B) | ❌ | ❌ | ✅ (weighted target groups) (Amazon Web Services, Inc.) | ✅ (stage canaries) (AWS Documentation) | ✅ |
8 | Circuit breaking | ❌ | ❌ | ❌ | ❌ | ✅ |
9 | gRPC retries & timeouts | ❌ | ❌ | ❌ (only idle timeouts) | ⚠️ timeouts yes, retries limited | ✅ |
10 | mTLS (client cert auth) | ❌ (done in app) | ❌ (no client-cert verification at the NLB; a TCP listener can pass TLS through to the app, which then verifies) (AWS Documentation) | ✅ (ALB mTLS verify/passthrough modes) (AWS Documentation) | ✅ (custom domains mTLS) (AWS Documentation) | ✅ |
11 | API auth (JWT/OIDC/OAuth/keys) | ❌ | ❌ | ✅ (Cognito/OIDC authenticate action) (AWS Documentation) | ✅ (JWT/OIDC/keys) (AWS Documentation) | ✅ (JWT, OPA/Ext AuthZ) |
12 | Rate limiting / throttling | ❌ | ❌ | ✅ via AWS WAF on ALB (AWS Documentation) | ✅ (built-in) | ✅ |
13 | Request/response transforms | ❌ | ❌ | ⚠️ headers only (no body transform) | ✅ (mapping templates/param mapping) (AWS Documentation) | ✅ (filters/Lua/Envoy) |
14 | Header-based routing | ❌ | ❌ | ✅ (rule conditions) (AWS Documentation) | ✅ (new) dynamic routing by headers/base path (custom domains) (Amazon Web Services, Inc.) | ✅ |
15 | TLS termination (HTTPS for gRPC) | ❌ (app terminates) | ✅ (TLS listener terminates at the NLB; targets then receive plaintext HTTP/2 (h2c) unless the target group protocol is TLS, so the gRPC server must be configured accordingly) (kubernetes-sigs.github.io) | ✅ | ✅ | ✅ |
16 | Observability (logs/metrics/traces) | ⚠️ (via app/Prometheus) | ⚠️ (CloudWatch metrics) | ⚠️ (CW metrics + access logs) | ✅ (CW logs/metrics, X-Ray) | ✅ (Prometheus/Jaeger/OTel) |
17 | “API gateway” features (quotas, keys, usage plans) | ❌ | ❌ | ❌ | ✅ | ✅ (via gateway add-ons) |
18 | WebSocket & streaming support | ✅ (TCP) | ✅ | ✅ | ✅ (WebSocket APIs) | ✅ |
19 | Service discovery | ✅ (kube-DNS) | ❌ | ❌ | ❌ | ✅ (mesh SD) |
20 | Canary / blue-green deployments | ⚠️ (via K8s/rollouts) | ❌ | ✅ (weighted TG) (Amazon Web Services, Inc.) | ✅ (stage canary %) (AWS Documentation) | ✅ |
21 | Multi-cluster gRPC routing | ❌ | ❌ | ❌ | ❌ | ✅ (Istio multi-cluster) |
22 | Obs dashboards (Grafana/Jaeger/Prom) | ⚠️ (DIY) | ❌ | ❌ | ⚠️ (CW/X-Ray dashboards) | ✅ |
23 | Integrate with AWS Lambda | ❌ | ❌ | ✅ (Lambda targets) (AWS Documentation) | ✅ (native) | ❌ |
24 | Auto-failover / self-healing | ⚠️ via K8s readiness/endpoints | ✅ (health-based) | ✅ (health-based) | ✅ (regional HA) | ✅ (retries/outlier detection) |
Notes & gotchas
- API Gateway & gRPC: API Gateway doesn't natively terminate or route gRPC. If you need an API façade in front of gRPC, use grpc-gateway (REST↔gRPC translation) or put ALB (or CloudFront) in front of your gRPC origin. (grpc-ecosystem.github.io)
- ALB + gRPC: ALB supports HTTP/2 end-to-end and gRPC health checks—this is the recommended L7 option on AWS for public gRPC. (Amazon Web Services, Inc.)
- mTLS:
  - ALB now supports mTLS (verify mode with trust stores, or passthrough, where the client cert is forwarded to the target for the app to verify). (AWS Documentation)
  - NLB does not do client-certificate auth (mTLS). You can either terminate TLS at your app (TCP listener pass-through; enable Proxy Protocol v2 on the target group if the app needs the client IP) or switch to ALB for mTLS. (AWS Documentation)
  - API Gateway supports mTLS on custom domains for REST/HTTP APIs. (AWS Documentation)
- Header-based routing with API Gateway: Newly added in 2025 for custom domains; you can route by HTTP header values and/or base path (this is HTTP/REST—still not gRPC). (Amazon Web Services, Inc.)
- Weighted routing:
  - ALB: multiple weighted target groups in a forward action (great for canary/blue-green). (Amazon Web Services, Inc.)
  - API Gateway: stage canaries (% traffic). (AWS Documentation)
  - NLB: no weighted rule concept. (AWS Documentation)
- Auth at ALB (OIDC/Cognito): ALB "authenticate" action (HTTPS only). It is a browser redirect flow: use it for browser clients, because headless gRPC clients won't follow redirects. When you do use it, the ALB passes the authenticated identity to targets in the `x-amzn-oidc-*` headers; the backend must verify the signature of `x-amzn-oidc-data` and accept those headers only from the ALB, since any client that can reach the target directly can forge them. For programmatic RPC, prefer validating a JWT bearer token at the gateway/mesh or in the service itself. (AWS Documentation)
- Rate limiting on ALB: attach AWS WAF rate-based rules to the ALB. (AWS Documentation)
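The auth note above says to validate a JWT bearer token at the gateway, mesh or service rather than relying on ALB's redirect-based authenticate action. The following is an added example, not code from the original page, of what that check looks like at the service end: the token arrives in gRPC metadata as `authorization: Bearer <jwt>`, and the server pins the algorithm, verifies the signature, and checks issuer, audience, expiry and scope before the RPC runs. It uses HS256 with a shared secret so that it runs offline with the standard library only; a real gateway or mesh would verify RS256/ES256 tokens against the IdP's JWKS. The issuer, audience, secret and scope names are assumptions for the example.

```python
"""Bearer-token check for gRPC metadata (added example, not from the original page).

Assumes HS256 with a shared secret so it runs offline with the standard library;
production deployments verify RS256/ES256 against the identity provider's JWKS.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

ISSUER = "https://idp.example.internal"           # assumed issuer for the example
AUDIENCE = "orders.grpc"                          # assumed audience (this service)
SECRET = b"constructed-demo-secret-do-not-use"    # constructed secret, demo only


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT; used here only to construct input for the check below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, now: Optional[float] = None, secret: bytes = SECRET) -> dict:
    """Return the claims if the token is valid; raise PermissionError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad base64 and bad JSON
        raise PermissionError(f"undecodable token: {exc}") from exc
    # Pin the algorithm: the token must never choose it ("alg":"none", key confusion).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise PermissionError("bad signature")
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    # Audience check stops a token minted for another service from being replayed here.
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise PermissionError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise PermissionError("expired")
    if now < claims.get("nbf", 0):
        raise PermissionError("not yet valid")
    return claims


def authorize_call(metadata: List[Tuple[str, str]], required_scope: str,
                   now: Optional[float] = None) -> dict:
    """Check invocation metadata the way a gRPC server interceptor would.

    gRPC lowercases metadata keys, so the token is read from 'authorization'.
    A missing/invalid token maps to UNAUTHENTICATED, a valid token without the
    required scope to PERMISSION_DENIED; both are raised as PermissionError here.
    """
    auth = dict(metadata).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise PermissionError("missing bearer token")
    claims = verify_token(token, now=now)
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError("insufficient scope")
    return claims


if __name__ == "__main__":
    # Constructed demo: a valid token for this service, checked as an interceptor would.
    now = 1_700_000_000
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 300, "scope": "orders.read"})
    print(authorize_call([("authorization", "Bearer " + token)], "orders.read", now=now))
```

Wire `authorize_call` into a `grpc.ServerInterceptor` (or its Envoy/Istio `RequestAuthentication` equivalent) so every method is covered by default; the important properties are that the algorithm is pinned server-side, the audience is this service specifically, and scope is checked per method rather than merely "token present".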
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.