Announcing Built On Envoy: Making Envoy Extensions Accessible to Everyone

Learn more

Tetrate Agent Router vs. Envoy AI Gateway: Build vs. Buy — From the Creators

Tetrate Agent Router vs. Self-Hosting Envoy AI Gateway: Build vs. Buy — From the Creators

Last updated: June 2026

TL;DR

Envoy AI Gateway is a fast-maturing open-source project — v0.6.0 (May 2026) reached its first production-stable API surface (v1beta1), with fine-grained MCP authorization, CEL-based auth, multi-provider support, and body redaction. It is the right foundation if your team has Kubernetes depth and the bandwidth to operate it. Tetrate Agent Router is that same data plane productized: managed operations, admin UX, authenticated identity, per-team attribution, guardrails, SSO, and audit — built and run by the people who co-created the project.

Why this comparison is unique

Tetrate doesn’t just integrate with Envoy AI Gateway — Tetrate co-created it, with Bloomberg, and maintains it as part of the Envoy ecosystem. That means this page isn’t a vendor comparing against a third-party project; it is the team behind the project explaining when the OSS version is the right choice vs. when you should use the operated product built on top of it.

We will give you the honest answer.

What each option is

Envoy AI Gateway (OSS) is a Cloud Native Computing Foundation project that extends Envoy Gateway for AI/LLM use cases. As of v0.6.0 (May 2026) it includes: multi-provider routing (OpenAI, Anthropic, AWS Bedrock, Gemini, Vertex AI), OpenAI-compatible API translation, token-based rate limiting, fine-grained MCP authorization with CEL policies, OAuth authentication for MCP, prompt caching, body redaction, intelligent inference routing (InferencePool), and native OpenTelemetry observability. The v1beta1 API graduation means core CRDs are now stable. It runs on Kubernetes. You operate it.

Tetrate Agent Router is that same data plane, delivered as a product: managed operations, an admin UX, authenticated identity on every request, per-team cost attribution with showback/chargeback, MCP tool governance, runtime guardrails, SSO, immutable audit logs, enterprise SLA, and forward-deployed Tetrate engineers. Enterprise tier adds data-plane placement options (VPC, on-premises, edge, per-region) under a Tetrate-managed control plane.

Same foundation. Rapidly maturing OSS on one side. Fully operated, governed product on the other.

Head-to-head comparison

Envoy AI Gateway (OSS)Tetrate Agent Router
API stabilityv1beta1 as of v0.6.0 (May 2026) — production-ready core CRDsGA product
Who operates itYour team — K8s, upgrades, CVE patches, observabilityTetrate (managed) or jointly supported (Enterprise)
Distributed deploymentSingle K8s cluster you deploy and operate; multi-cluster requires your own automationTetrate-managed control plane + data planes in VPC/on-prem/per-region/edge
Admin UXBuild your own or use raw K8s toolingIncluded
MCP supportYes — fine-grained CEL authorization, OAuth, MCP Stdio servers, per-backend header forwardingNative: curated catalog, MCP profiles, OAuth + API-key auth
Identity / authCEL-based auth policies; integrate SSO yourselfAuthenticated identity bound to every request; SSO included
Cost attributionToken rate limiting; build attribution yourselfPer-person / team / agent / project; showback + chargeback
Runtime guardrailsBody redaction (v0.6.0); build other integrations yourselfPII redaction, policy enforcement, behavior supervision
Audit / complianceBuild your ownImmutable audit logs; EU AI Act-grade
SLA / supportCommunity (GitHub, Slack, Monday community meetings)Enterprise SLA; forward-deployed Tetrate engineers
CVE remediationYour team tracks and patchesTetrate-managed
Project maintained byEnvoy community, incl. TetrateThe co-creators of the project

One control plane, distributed data planes

This is where the build-vs-buy gap widens most. Self-hosting Envoy AI Gateway gives you one Kubernetes cluster you operate. Scaling to multi-region or multi-cloud means running and coordinating multiple clusters yourself — your team’s responsibility to automate, synchronize, and govern.

Tetrate Agent Router Enterprise runs a fundamentally different topology: one Tetrate-managed control plane governing distributed data planes deployed wherever your agents run — across multiple cloud VPCs (AWS, Azure, GCP), on-premises, at the edge, or per-region with localized model catalogs, region-specific guardrails, and data controls. Each data plane enforces the right policy for its environment; the control plane ensures consistency across all of them without duplicating logic in each application.

For enterprises running agents across multiple teams, geographies, or regulatory jurisdictions — a financial services firm with EU and US data planes, a retailer deploying edge inference per service area — this is the architectural capability that a self-hosted single-cluster model does not provide without significant build work. It is also the capability most grounded in Tetrate’s core lineage: the same distributed systems architecture Tetrate builds and runs for Envoy at enterprise scale.

The honest build vs. buy calculus

Envoy AI Gateway is maturing quickly — the v1beta1 graduation is a meaningful milestone. Self-hosting is increasingly viable for teams with the right skills. Here is an honest framework for deciding.

Self-hosting Envoy AI Gateway is the right choice when:

  • You have strong Envoy and Kubernetes operational expertise on your platform team.
  • You want full control, no licensing cost, and the flexibility to extend via the CNCF ecosystem.
  • Your governance and attribution needs are modest, or you are prepared to build them on top of the OSS primitives (CEL auth, body redaction, token rate limiting).
  • You want to contribute to and shape the open-source project directly.
  • You are comfortable operating at v1beta1 stability and tracking the release cadence yourself.

Tetrate Agent Router is the right choice when:

  • You want your engineers shipping agents, not operating gateway infrastructure.
  • You need org-wide governance — per-team attribution, showback/chargeback, identity on every request — without building it yourself on top of OSS primitives.
  • You need an enterprise SLA, compliance evidence, and data-residency control.
  • You want the same team that maintains the open-source project to run your production gateway.

Choose self-hosted Envoy AI Gateway when

  • Your platform team has Envoy/K8s depth and wants full control over the data plane.
  • You have operational capacity for upgrades, CVE tracking, and observability build-out.
  • OSS community support (GitHub, Slack, Monday community meetings) is sufficient.
  • You intend to contribute to or deeply customize the project.

Choose Tetrate Agent Router when

  • You want the Envoy AI Gateway foundation without the operational burden.
  • You need to run distributed data planes across multiple regions, VPCs, or on-prem environments — governed from one control plane, without building the multi-cluster automation yourself.
  • Governance, attribution, identity, and audit are requirements today, not future roadmap items.
  • You need an enterprise SLA, compliance evidence, and data-residency control.
  • You want to accelerate: ship agents in weeks, not build platform infrastructure for months.

Now Available

MCP Catalog with verified first-party servers, profile-based configuration, and OpenInference observability are now generally available in Tetrate Agent Router Service. Start building production AI agents today with $5 free credit.

Sign up now

Frequently asked questions

Is Tetrate Agent Router just Envoy AI Gateway with a UI? No — the UI is one component. Tetrate Agent Router adds managed operations, authenticated identity on every request, per-team cost attribution with showback/chargeback, MCP tool governance, runtime guardrails, SSO, immutable audit logs, enterprise SLA, forward-deployed engineers, and CVE-managed builds. The OSS project (v0.6.0) has body redaction and CEL-based auth — Tetrate Agent Router packages and operates those capabilities and adds the full governance layer on top.

Can I start with OSS Envoy AI Gateway and migrate to Tetrate Agent Router later? Yes — the shared data-plane foundation makes this a natural path. Your routing config, provider integrations, and Envoy expertise all carry over. Reach out to Tetrate’s forward-deployed engineers to plan a migration.

Does Tetrate contribute back to the Envoy AI Gateway project? Yes. Tetrate is a primary maintainer. Using Tetrate Agent Router supports ongoing development of the OSS project.

What if I need FIPS-compliant builds? Tetrate Enterprise Gateway for Envoy (TEG) provides FIPS-verified, CVE-protected builds. Ask about the full Tetrate product line for compliance-sensitive environments.

Compare other gateways: vs. Portkey · vs. Kong AI Gateway · vs. Bifrost · vs. Cloudflare AI Gateway · vs. LiteLLM

See the full 2026 enterprise AI gateway comparison.

MCP Catalog with verified first-party servers, profile-based configuration, and OpenInference observability are now generally available in Tetrate Agent Router Service . Start building production AI agents today.

related background

Related articles

MCP Architecture: Understanding Model Context Protocol Design

Master MCP's client-server architecture for production AI. Learn protocol design, transport patterns, and system components trusted by leading engineering teams.

Read More

MCP vs LangChain vs RAG: AI Context Management Comparison 2025

MCP vs LangChain vs RAG: 2025 comparison guide. Feature matrix, performance benchmarks, and decision framework to choose the right AI context management approach.

Read More

MCP Security Best Practices: Authentication, Authorization & Supply Chain Protection

Secure MCP deployments for enterprise compliance. Authentication, authorization, supply chain protection, and data privacy controls for production AI systems.

Read More
Decorative CTA background pattern background background
Tetrate logo in the CTA section Tetrate logo in the CTA section for mobile

Ready to enhance your
network
with more
intelligence?