MuleSoft’s Flex Gateway is a powerful, lightweight API gateway designed for speed and security. It helps us control, secure, and monitor our APIs. But there’s an important choice to make: Should we use it in local mode or connected mode?
In this post, we will see how both modes work and analyze the pros and cons of each. This way, in future scenarios, we will better understand which mode is best for our case.
Local Mode: Independence and Control
In local mode, Flex Gateway operates independently on our infrastructure, without needing a constant connection to Anypoint Platform. Policies and configurations are applied manually. It’s like having a standalone engine that runs and processes everything within our own environment. This mode is often used when we need to keep everything internal, such as in private data centers or environments with strict security requirements.
How Local Mode Works
- Deployment: We download and deploy the Flex Gateway software directly on our servers or virtual machines. It can be deployed as a Linux Service, Docker container or as an Ingress Controller in a Kubernetes cluster. It runs entirely on our local network, meaning all API management and security functions are executed locally.
- Configuration: We configure the gateway manually, using configuration files, including setting up APIs, policies, and traffic routing. There’s no reliance on the Anypoint Control Plane, so all configurations are handled within our local environment.
- Traffic Handling: Flex Gateway in local mode handles incoming API requests directly. It can manage API traffic and apply policies like rate limiting, security checks, and traffic routing—all locally.
- Monitoring: Monitoring is usually done through logs or third-party tools. We need to set up our own systems to track and analyze performance. Flex Gateway itself doesn’t send data back to Anypoint Platform in this mode, so monitoring features are limited to local systems.
What are the Pros of the Local Mode?
- Full Control – We manage everything. No external dependencies
In local mode, we have complete autonomy over our API gateway and infrastructure. We can configure, monitor, and manage everything internally without relying on external services or cloud providers, giving us flexibility and control over every aspect of our deployment.
- Lower Latency – API requests stay within your network, reducing delays
Since API requests are processed locally within our network, there’s minimal delay compared to cloud-based processing. This reduced latency enhances the performance of time-sensitive applications and ensures that data flows quickly and efficiently between users and backend services.
- Offline Capability – The gateway runs even if the cloud is unreachable
Local mode ensures that the Flex Gateway remains fully functional even if the Anypoint Control Plane is temporarily unreachable. This capability is essential for organizations operating in environments with unreliable internet access, providing continuity and reliability even during outages.
- Stronger Data Security – Sensitive data never leaves your network, reducing exposure to external threats
With local mode, sensitive data is kept entirely within our private network. This reduces the risk of data breaches or unauthorized access that could occur when data is transmitted to and from the cloud, offering an added layer of protection for compliance-heavy industries.
- CI/CD and Automation - In local mode, we can automate configuration updates through CI/CD pipelines, streamlining deployments and reducing manual errors. This ensures consistent configurations across multiple environments, such as development and production. With automated deployment, we can quickly test and apply changes, while also enabling easy rollbacks if issues arise. This approach accelerates iterations and ensures minimal downtime during updates.
Cons:
- Manual Configuration – Changes require local updates, which can be time-consuming
In local mode, we must manually apply configuration changes on each gateway instance. This process can be slow and error-prone, especially in large environments with multiple gateways or frequent updates.
- Limited Monitoring – No real-time analytics from Anypoint Platform
Since local mode doesn’t connect to Anypoint Platform, we lose access to centralized dashboards, real-time metrics, and alerts. Monitoring must be set up separately using third-party tools, which adds overhead and reduces visibility.
- Policy Enforcement Complexity – Requires careful management of security and compliance rules
Without the built-in policy management from Anypoint, we must manually define, test, and maintain each policy locally. This increases the risk of inconsistent enforcement and makes it harder to meet security or regulatory standards.
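As an added example (not from the original post and not MuleSoft's code), this is the kind of check a CI/CD pipeline could run before pushing local-mode configuration, so that inconsistent enforcement is caught at review time. It assumes the configuration files are already parsed into dictionaries and follow an `ApiInstance` / `PolicyBinding` layout with `targetRef` and `policyRef` names; the API, binding and policy names in the sample are constructed.

```python
# Added example: CI gate for local-mode gateway configuration.
# Assumed layout: "ApiInstance" resources plus "PolicyBinding" resources that
# name their API in spec.targetRef.name and their policy in spec.policyRef.name.
API_KIND, BINDING_KIND = "ApiInstance", "PolicyBinding"

def audit(docs, required):
    """Return (missing, orphans) for a list of parsed config documents.
    missing: {api name: sorted required policies that no binding applies}
    orphans: sorted names of bindings whose target is not a declared API
    """
    bound = {d["metadata"]["name"]: set()
             for d in docs if d.get("kind") == API_KIND}
    orphans = []
    for d in docs:
        if d.get("kind") != BINDING_KIND:
            continue
        spec = d.get("spec", {})
        target = spec.get("targetRef", {}).get("name")
        if target in bound:
            bound[target].add(spec.get("policyRef", {}).get("name"))
        else:
            # A misspelled target means the policy protects nothing.
            orphans.append(d["metadata"]["name"])
    missing = {api: sorted(set(required) - got)
               for api, got in bound.items() if set(required) - got}
    return missing, sorted(orphans)

def binding(name, target, policy):
    return {"kind": BINDING_KIND, "metadata": {"name": name},
            "spec": {"targetRef": {"name": target},
                     "policyRef": {"name": policy}}}

# Constructed sample: two APIs; the last binding misspells its target.
REQUIRED = ["rate-limiting", "authentication"]   # illustrative policy names
SAMPLE = [
    {"kind": API_KIND, "metadata": {"name": "orders-api"}},
    {"kind": API_KIND, "metadata": {"name": "payments-api"}},
    binding("orders-rl", "orders-api", "rate-limiting"),
    binding("orders-auth", "orders-api", "authentication"),
    binding("payments-rl", "payments-api", "rate-limiting"),
    binding("payments-auth", "payment-api", "authentication"),
]

if __name__ == "__main__":
    missing, orphans = audit(SAMPLE, REQUIRED)
    for api, policies in sorted(missing.items()):
        print(f"FAIL {api}: no binding for {', '.join(policies)}")
    for name in orphans:
        print(f"FAIL {name}: target is not a declared API")
```

A pipeline would fail the build on any finding, so a gateway is never reloaded with an API that lacks a required policy.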
Connected Mode: Seamless Cloud Integration
In connected mode, Flex Gateway links to the Anypoint Control Plane, creating a continuous connection between our gateway and the Anypoint platform. This integration brings powerful capabilities, like centralized management and access to Anypoint’s cloud-based features. With connected mode, Flex Gateway becomes part of a larger, more robust infrastructure.
How Connected Mode Works
- Deployment: Flex Gateway is installed on our on-premises or cloud infrastructure, similar to local mode. The key difference is that, once deployed, it establishes a secure connection to the Anypoint Platform.
- Configuration: In connected mode, we handle configurations through Anypoint Platform. Instead of configuring policies, APIs, and traffic rules directly on the gateway, we do so via Anypoint's user interface, which then syncs these settings with the gateway.
- Traffic Handling: Flex Gateway in connected mode still handles the core task of routing API traffic. However, it now integrates with the broader API management framework provided by Anypoint Platform. This integration allows the gateway to dynamically adjust policies and rules in real time based on inputs from the Anypoint Control Plane.
- Monitoring: One of the biggest advantages of connected mode is advanced monitoring. Flex Gateway sends real-time metrics and logs to Anypoint Platform, where we can visualize them in detailed dashboards. This allows us to track API performance, set up alerts, see traffic patterns, monitor security events, and troubleshoot issues from a centralized location.
Pros:
- Centralized Control – Configure and update gateways from Anypoint Platform
Connected mode lets us manage all Flex Gateways from a single, unified interface in Anypoint Platform. This central control simplifies operations by allowing us to deploy APIs, update configurations, and apply changes across gateways without logging into each one.
- Real-time Monitoring – Gain insights into API traffic and performance
With connected mode, we get real-time metrics, logs, and dashboards directly from Anypoint Platform. This visibility helps us monitor API usage, detect anomalies, and quickly troubleshoot performance or security issues.
- Simplified Policy Enforcement – Apply security and traffic policies easily
We can apply prebuilt policies, such as rate limiting or OAuth, through the Anypoint UI with a few clicks. This saves time, reduces manual errors, and ensures policies are enforced uniformly without editing local configurations.
- Consistent Security Policies – Policies are enforced across multiple environments, reducing misconfigurations
Connected mode ensures that security and traffic policies remain consistent across development, testing, and production. This alignment helps prevent gaps in enforcement and lowers the risk of misconfigurations that could expose vulnerabilities.
Cons:
- Internet Dependency – If the connection to Anypoint Platform fails, updates stop
Connected mode relies on continuous connectivity to Anypoint Platform. If the gateway loses internet access, it cannot receive configuration updates, policy changes, or new deployments until the connection is restored.
- Less Local Control – Configuration changes rely on the cloud interface
In connected mode, we must use Anypoint Platform to manage settings. This reduces our ability to make direct local changes quickly, which can be limiting during urgent troubleshooting or in isolated environments.
- Potential Data Exposure – API logs and metadata are sent to the cloud, which may introduce risks in highly regulated industries
Connected mode streams operational data, such as traffic logs and metrics, to the Anypoint Control Plane. In regulated sectors, this data movement may raise compliance concerns if not properly encrypted and governed.
Summary - Which one is better?
There’s no right or wrong here. Both modes work differently and serve different purposes. The right choice depends on our API strategy. It is up to us to understand the key differences between the two to make the right choice. In summary, for any use case we have to think of the key differences in the way they operate:
- Independence vs. Platform Integration: In local mode, Flex Gateway operates independently on our infrastructure, while in connected mode, it integrates with Anypoint Platform. In connected mode, Flex Gateway essentially becomes an extension of the cloud-based API management tools, enabling centralized control.
- Configuration and Management: In local mode, configuration and management are done manually, while in connected mode, they’re managed through the Anypoint Platform interface. This gives connected mode a more streamlined and efficient approach, especially when dealing with large, complex environments.
- Scalability: With connected mode, scaling is easier because Flex Gateway can communicate with Anypoint’s cloud infrastructure. We can adjust our resources dynamically without manual intervention. In contrast, local mode requires manual adjustments and scaling based on our local resources.
- Security: Both modes have strong security, but local mode ensures that all data and API traffic are kept within our private network. In connected mode, while still secure, there’s a small trade-off because our gateway communicates with the cloud.