When you're managing authentication and API access across 80 companies with different identity providers, you need a solution that's both flexible and robust. This is why we chose Traefik Hub. The API management layer with operation sets, managed subscriptions, and configuration as code gave us the tools to properly govern who can see and consume our APIs at scale
Unified Gateway for VMs, Containers, and AI
Traefik is the solution to fragmented operations caused by the VMware exodus, Ingress NGINX retirement, API sprawl, and Enterprise AI adoption.
Run Anywhere · Sovereign-by-Design · Infra-as-Code · Composable · Memory-safe
TRAEFIK LABS IS TRUSTED BY LEADING ENTERPRISES WORLDWIDE
Migrate, Modernize, & Transform Any Workload, Across Any Environment.
Most teams are running VMs, containers, and AI workloads across separate stacks while navigating VMware price spikes, the Ingress NGINX retirement, and ungoverned AI. Traefik helps you address all this with a single, lightweight binary.
Migrate
Move Workloads, Not Risk.
Whether you're escaping VMware licensing, replacing Ingress NGINX, or switching cloud providers, Traefik is the safe landing.
VMware Migration, On Your Timeline
One unified gateway governs your VM workloads across any environment. Migrate to any hypervisor or container without changing policies.
Ingress NGINX Migration, Zero Configuration
90%+ of real-world Ingress NGINX annotations are supported natively. Bring your existing YAML, enable the provider, & ship. No rewrite required.
WAF Protection, Continued
ModSecurity support preserves your Ingress NGINX WAF behavior during migration for security parity from day one.
Modernize
Use One Gateway for VMs, Containers, and APIs
Stop running three control planes. Govern Kubernetes workloads, VM-based services, and any APIs, including AI endpoints, through one programmable and declarative gateway.
Kubernetes-Native, Actually
Traefik is the default ingress in NKP, RKE2, K3s, IKS, MicroK8s, & more; validated with top NeoClouds; & has full Gateway API & Ingress support. Deployed on-prem or with any hyperscaler, with the same control plane everywhere.
VMs & Containers, Side by Side
Most teams run both, so Traefik fronts VMs & Kubernetes simultaneously, all with the same routes, auth policies, & observability, so both modernized & legacy workloads are governed via a single control plane.
API Management, Built-In
API catalog, lifecycle, dev portal, & multi-cluster federation are all in one governed surface. OpenAPI schema validation is enforced at the gateway, so undocumented paths & malformed payloads are rejected before reaching services.
Transform
Govern AI and APIs via the Same Control Plane
Agents, models, and MCP traffic need runtime governance like APIs, but with specialized controls only a unified gateway can optimally enforce.
Triple Gate Architecture
Traefik’s API Gateway, AI Gateway, & MCP Gateway are rolled into a single binary, so the same auth & observability that fronts your microservices also fronts your model & agentic traffic.
Cost & Safety at the Edge
Token rate limits & content guardrails are enforced before requests reach your models. Burst-tolerant token limits & parallel inspection ensure defense-in-depth without added latency.
Agent-Aware Refusals
Structured refusals are returned in the format the client expects: Chat Completions, Responses API, Messages API, raw text, or custom. Agents handle blocked requests as control flow, not a crash.
One Binary. Six Dimensions. Zero Lock-In.
All six share the same declarative config model, governance as a first-class primitive, and a unified control plane. Start with Proxy and add capabilities seamlessly when you're ready. Same routes. No rewrites.
Routing & Traffic
Dynamic L4/L7 routing, traffic shifting, canaries, blue/green, request mirroring, & retry/failover across VMs & containers.
- HTTP/2, HTTP/3, gRPC
- TCP / UDP / mTLS
- Weighted + header-based routing
Auth & Policy
OAuth2/OIDC, JWT, mTLS, OPA-compatible authorization at the edge. Rate limits, quotas, & header transformations included.
- IdP-agnostic
- Per-route policy
- Fine-grained authZ
Observability
First-class OpenTelemetry: metrics, traces, & structured access logs with OTel-conformant trace context. Correlate gateway & service behavior in one pane.
- OTel native
- Streaming OTLP + stdio access logs
- Any observability tool (Prometheus, Grafana, Datadog, Dash0, etc.)
API Management
Catalog, lifecycle, versioning, & developer portal for internal & external APIs. Multi-cluster federation brings them into a single governed surface.
- API catalog + portal
- OpenAPI schema validation at the gateway
- Multi-cluster federation
AI Governance
One gateway for every model creates consistent auth, token metering, & prompt safety. Reject oversized or over-budget prompts before they reach the model.
- AI Token Rate Limit & Quota
- Parallel LLM Guard middleware
- Content Guard Regex & NLP Engine
MCP Governance
Govern MCP traffic the way you govern APIs. Discoverable, observable, & policy-bound from day one, where refusals are returned as control flow, not crashes.
- MCP server registry
- TBAC for per-tool & per-task AuthZ
- Observability for Audit + replay
What Users Have to Say.
Frequently Asked Questions
Yes. Traefik supports 90%+ of Ingress NGINX annotations used in production natively. Enable the Ingress NGINX provider, bring your existing manifests, and ship. No rewrite required.
