How HAProxy built its modern application delivery architecture

Progressive programmability provides a proven blueprint for modernization

Let’s be real: building reliable tech products is hard. Modernizing that same tech without compromising the user experience is even harder. The "rip and replace" approach to modernization can severely disrupt your customers’ integration efforts and workflows. When it doesn’t work, reversing course might be the least-worst option. 

By contrast, the evolution of the HAProxy One application delivery platform architecture at HAProxy Technologies over 25 years has been gradual and consistent. This approach has yielded a mature platform that has stood the test of time. Its modern control-plane/data-plane architecture makes application delivery and security fully programmable, with automation and Infrastructure as Code (IaC) built in.

1. The challenge of modernizing the control plane and data plane

Application delivery, like any traffic management and routing system, divides cleanly into distinct layers: the “data plane” and “control plane.” The data plane handles the heavy lifting, forwarding packets, load balancing, and encrypting traffic. The control plane makes the decisions and exposes them through the API and UI.

| | Data plane | Control plane |
|---|---|---|
| Primary function | Data movement, packet forwarding | Decision making, management |
| Operation frequency | Continuous, real-time | Less frequent, non-real-time |
| Performance requirements | High throughput, low latency | Lower throughput, higher complexity |
| Scaling considerations | Scales with traffic volume | Scales with configuration complexity and fleet size |
| Failure impact | Directly impacts traffic flow | Affects system configuration |

Traditional architecture integrates the control plane and data plane into a single appliance. However, modern architectures tend to separate control plane and data plane components. A centralized control plane can be used to manage a distributed data plane for greater scalability and simpler management. 

Since these architectures require very different approaches, re-architecting an integrated appliance into a distributed control-plane/data-plane architecture can be incredibly complex (if not impossible). While it might be tempting to start from scratch by building an entirely new platform, this comes with its own cost in customer adoption and reintegration.

At HAProxy Technologies, we have pursued a different path with a gradual and consistent approach to product development, and the progressive addition of programmatic management to extend the platform’s capabilities and simplify operation.

2. The path to authoritative central control

From our open source products (HAProxy, HAProxy Data Plane API, HAProxy Kubernetes Ingress Controller, and HAProxy Unified Gateway) to our HAProxy One platform for enterprise customers (including HAProxy Enterprise load balancer, HAProxy Fusion Control Plane, and HAProxy Edge), we have gone from standalone proxies to an authoritative control plane and data plane without re-architecting the core technologies. It's the kind of evolution that's only possible when you consistently build on the fundamentals.

A philosophy of building blocks, not band-aids

Our evolution is rooted in the philosophy that has guided HAProxy’s development from the beginning and infuses both our open source products and enterprise platform. 

Willy Tarreau, who wrote HAProxy’s first source code and now serves as CTO and lead developer, has always held a fierce commitment to the community and an understanding that the critical attributes of performance, reliability, and flexibility must be prioritized evenly so that the product is well-balanced and not compromised in any one area. 

Crucially, Willy’s approach to product development was never about delivering a single, bespoke feature. Instead, sound product development meant creating the flexible, high-performance building blocks that would enable that feature and many others besides, refined by robust community feedback.

This foundational philosophy – prioritizing performance, reliability, flexibility, and community – has always been the DNA of HAProxy Technologies. Our long-term commitment to this approach has enabled us to continuously deliver the building blocks of progressive programmability, and is the reason why we are uniquely positioned to manage modern complexity without disruption.

The foundational data plane of HAProxy 

Since its first release in 2001, the open-source HAProxy has been the de-facto standard reverse proxy and load balancer, known for its performance, reliability, flexibility, and security.

HAProxy is a trusted foundation on which the world's leading companies build the most demanding applications. Our focus on the core data plane is our starting point, and the reason we have never had to abandon our past to build for the future.

From the beginning, HAProxy has used file-based configuration. Administrators would connect via SSH to an HAProxy instance, make changes to the config file, then reload HAProxy to apply the changes. Simple, direct configuration management. That was true then, and it’s still true today. However, this method was designed primarily for manual use and not for automation driving configuration at scale.

Scenario 1: Admin uses SSH to log in to an HAProxy instance, update the configuration (e.g. to add a server), and reload the process.

Adding programmability with HAProxy Runtime API

As application delivery grew more complex, the need for greater programmability in the data plane became essential. Rather than start over with a new platform, we built a native, programmable interface directly in HAProxy. 

Early versions of HAProxy made certain parts of the HAProxy configuration and operations more dynamic, with in-memory changes. In 2016, these capabilities were combined and enhanced to form the HAProxy Runtime API, providing robust, general-purpose programmability. 

This development enabled real-time configuration changes and fine-grained control over everything from SSL certificate management to debugging metrics, without dropped connections or downtime, which our customers continue to appreciate. 

This was a principled first step: we built the ability for the data plane to be dynamically controlled from within. This approach ensured that any future external control layers would work with a data plane that was designed, in its very fabric, to be orchestrated. What’s more, the HAProxy Runtime API continues to evolve as we extend dynamic, in-memory programmability to cover more of HAProxy’s capabilities, as well as the new capabilities available in each release.

Scenario 2: Admin uses SSH to log in to an HAProxy instance, connect to the exposed Unix socket (e.g., using socat), and send a command to add a server. The HAProxy Runtime API makes the change in-memory so the process does not need to be reloaded.
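
The Runtime API step in Scenario 2, shown as an added example rather than code from HAProxy Technologies: a small Python client that builds one "add server" line from validated input, refuses a world-writable socket, and sends the line over the Unix socket. The name allowlist, the IPv4-only restriction and the function names are assumptions of this example; the Runtime API accepts several commands on one line separated by ";", so automation must validate input before it reaches the socket.

```python
import ipaddress
import os
import re
import socket
import stat

# Conservative allowlist for proxy/server names (an assumption of this example).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def _check_names(backend, server):
    for label, value in (("backend", backend), ("server", server)):
        if not isinstance(value, str) or not NAME_RE.fullmatch(value):
            raise ValueError(f"invalid {label} name: {value!r}")


def add_server_line(backend, server, address, port):
    """Build exactly one 'add server' line; raise ValueError on unsafe input."""
    _check_names(backend, server)
    # IPv4 only in this example; parsing rejects ';', spaces and newlines,
    # which the Runtime API would otherwise treat as command separators.
    ip = ipaddress.IPv4Address(address)
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return f"add server {backend}/{server} {ip}:{port}\n"


def enable_server_line(backend, server):
    """Build the follow-up line: a server added at runtime starts in maintenance."""
    _check_names(backend, server)
    return f"enable server {backend}/{server}\n"


def runtime_command(sock_path, line, timeout=2.0):
    """Send one validated line to the stats socket and return the reply text."""
    if line.count("\n") != 1 or not line.endswith("\n") or ";" in line:
        raise ValueError("exactly one command per connection")
    mode = os.stat(sock_path).st_mode
    if not stat.S_ISSOCK(mode):
        raise ValueError(f"{sock_path} is not a Unix socket")
    if mode & stat.S_IWOTH:
        # Any local user could drive the socket, whatever its admin level.
        raise PermissionError(f"{sock_path} is world-writable")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.settimeout(timeout)
        conn.connect(sock_path)
        conn.sendall(line.encode("ascii"))
        chunks = []
        # Non-interactive mode: HAProxy answers, then closes the connection.
        while data := conn.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")
```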

Config file management with HAProxy Native Client

With the HAProxy Runtime API providing dynamic control over in-memory changes, the next crucial step was to provide programmatic management of the HAProxy configuration file itself. The HAProxy Native Client, which launched in 2017, exposes methods for programmatically reading and changing HAProxy configuration files, allowing for the management of the persistent configuration state.

This capability was pivotal because it allowed automation engines to manage the configuration without requiring manual SSH access or a full product reload.   

We made a deliberate and strategic choice: we released this core capability as an open-source library. This decision was a direct reflection of our commitment to the community, ensuring flexibility and programmatic access were available to all. 

The HAProxy Native Client was the key component that enabled us to move on to the next step (the HAProxy Data Plane API). It also provided the flexibility needed to launch new products, such as the HAProxy Kubernetes Ingress Controller. The HAProxy Native Client dramatically extended HAProxy’s programmatic flexibility in the cloud-native era.

Automating HAProxy with HAProxy Data Plane API

With the HAProxy Runtime API providing internal control, and the HAProxy Native Client providing configuration management, the next logical step was to create a robust, programmatic bridge for external systems. The open-source HAProxy Data Plane API, which launched in 2019, operates as a sidecar to HAProxy, fully incorporates the HAProxy Native Client, and provides a RESTful interface to programmatically configure HAProxy instances at scale. The HAProxy Data Plane API is conformant with the OpenAPI Specification (OAS), which enables users to interact with the API with any common coding language via a generator.

It allows administrators to use simple HTTP calls to configure and update HAProxy, instead of using SSH to connect directly to the HAProxy instance. This allows for programmatic remote management of both the HAProxy configuration file (for persistent changes) and the HAProxy Runtime API (for dynamic, real-time changes) through a single interface.

The HAProxy Data Plane API also removes complexity: it validates input, decides whether HAProxy needs to be reloaded, minimizes interference with user traffic, and can manage map files, ACL files, and SSL/TLS certificate files.

This API was the key to empowering modern automation, allowing users to manage their application delivery infrastructure dynamically through CI/CD pipelines, orchestration tools, and Infrastructure-as-Code (IaC) platforms. It brought our battle-tested data plane fully into the dynamic, multi-cluster environments that were rapidly becoming the standard.

Scenario 3: Admin uses HAProxy Data Plane API (REST JSON API) to call POST /services/haproxy/configuration/servers with options. The HAProxy Data Plane API adds a new server to the active process through the HAProxy Runtime API, so the process does not need to be reloaded; it also updates the config, so the change will persist after reloading. The HAProxy Data Plane API validates and verifies that all the changes are valid and successful.

Central control with HAProxy Fusion Control Plane

The final and most powerful management layer in our architectural journey is the HAProxy Fusion Control Plane. HAProxy Fusion is the authoritative control plane that provides centralized management, observability, and automation for a distributed HAProxy Enterprise data plane across multi-cluster, multi-cloud, and multi-team environments.

HAProxy Fusion itself is an API, enabling automation via scripts and other control systems, as well as integration with third-party services, infrastructure layers, and data providers. For example, service discovery for Kubernetes and Consul can be used to generate HAProxy configuration for automated traffic routing for dynamic servers, while Ansible Playbooks and a Terraform Provider enable full-lifecycle automation.

HAProxy Fusion extends programmability to HAProxy Enterprise's full security stack: the Threat Detection Engine, WAF, ACLs, Global Profiling Engine, and more. This is managed through Security Profiles (customizable policies deployable in a few clicks) and the Threat-Response Matrix (a visual policy builder requiring no HAProxy configuration expertise).

This successful control-plane/data-plane architecture enables modern solutions such as Load-Balancing-as-a-Service (LBaaS), sovereign edge security, and automated traffic management for blue/green application deployments. 

Critically, all of this is built on a shared, first-party code base, ensuring seamless integration and authoritative support that simply isn't possible with a collection of disparate, acquired technologies. 

The launch of HAProxy Fusion empowered our users and extended the capability set available to them. In fact, we planned this milestone many years in advance, starting with the HAProxy Native Client. The excitement among our users, and the rapid adoption of HAProxy Fusion in real customer deployments, proves that we made the right choices, and gives us confidence that building with and for our community is always the right path forward.

Scenario 4: Admin uses HAProxy Fusion Control Plane (through API or web UI) to call POST /services/haproxy/configuration/servers with options. HAProxy Fusion adds a new server to all the load balancers in a cluster, through the HAProxy Data Plane API in each instance. The HAProxy Data Plane API then proceeds with Scenario 3.

Combining everything into one application delivery platform with HAProxy One

To make it as simple as possible to deploy and manage these products, and to consolidate all the architectural advances, we've arranged the three key layers of our enterprise products into a single platform called HAProxy One. The platform consists of a flexible data plane (HAProxy Enterprise), a scalable control plane (HAProxy Fusion), and a secure edge network (HAProxy Edge).

In this platform architecture, HAProxy Fusion communicates bi-directionally with HAProxy Enterprise: the control plane pushes security policies and configuration updates to the data plane, and the data plane returns observability data to the control plane (such as logs and metrics). 

Meanwhile, HAProxy Edge (which processes billions of requests per day for our ADN customers) produces global threat intelligence, enhanced by machine learning, to power the security layers in the control plane and data plane. This includes the HAProxy Enterprise Bot Management Module (powered by the Threat Detection Engine) and the HAProxy Enterprise WAF (powered by the Intelligent WAF Engine). 

HAProxy One’s intelligent integration between its components provides class-leading threat mitigation and centralized control, with the flexibility to deploy the data plane in any environment. Crucially, with this model, administrators have complete control of their infrastructure from deployment and ecosystem integration to updates and security settings.

Summary

| Component | Launch | Purpose | Key Features |
|---|---|---|---|
| HAProxy (open source) | 2001 | Foundational data plane | Performance, reliability, security |
| HAProxy Runtime API | 2016 | First step towards dynamic control | Real-time configuration changes, fine-grained control |
| HAProxy Data Plane API | 2019 | Bridge to programmatic automation | RESTful interface for CI/CD and orchestration |
| HAProxy Fusion | 2022 – present | Authoritative control plane | Multi-cluster load balancer and security management, observability, and automation with REST API and UI |

3. The approach that powers customer success

First-party authority, seamless integration

Our most significant advantage is a matter of core principle: we're authoritative on all of our components. Our data plane, control plane, and edge network work together because they are built from the same DNA and maintained by the same team. We own the entire stack, which allows us to provide unparalleled support, integration, and optimization.

A consistent approach to product development

We built new capabilities to seamlessly extend our existing, trusted foundation. We started with our core data plane, then built programmatic APIs, and finally built a control plane on top. Our path was incremental and non-disruptive, adapting as much as possible to customer environments and habits. This has allowed our existing customer base, which includes the world's leading companies, to adopt new capabilities without starting from scratch.

Real-world validation

The power of our architecture is visible in the success of our customers, as showcased at HAProxyConf 2025. HAProxy Fusion serves as an enabling technology that allows these customers to creatively design and implement solutions optimized for their specific needs:

  • PayPal uses HAProxy Fusion to manage dynamic service discovery for tens of thousands of Kubernetes backends, and to create a universal mesh across multiple public clouds, resulting in a 24% reduction in latency.

  • Clover uses HAProxy Fusion to manage a "rainbow deployment" strategy with a service mesh, demonstrating the platform’s advanced traffic management and automation.

  • Dartmouth College uses HAProxy Fusion to enable Load-Balancing-as-a-Service (LBaaS), empowering application teams to self-service their delivery needs within guardrails set by the infrastructure team.

Additionally, the integration between HAProxy Edge and the security layers in HAProxy Enterprise enables customers to build their own edge to secure millions of requests per second.

  • Roblox uses HAProxy Enterprise WAF to provide ultra-low latency protection against application attacks, with no impact on resource consumption.

  • Infobip uses HAProxy Enterprise WAF to significantly reduce false positives and set up new applications without fine-tuning WAF rules.

4. Vision for the future

Our commitment to the cloud-native ecosystem is underscored by the HAProxy Fusion Operator, which brings the full control plane natively into Kubernetes clusters. This joins the HAProxy Unified Gateway, which will unify Gateway API and Ingress-based traffic management together in a single component, available now as a standalone open source product (v1.0) and to be incorporated into HAProxy Fusion for managing multiple Kubernetes clusters and Gateway classes.

The official Terraform Provider and enhanced Ansible Playbooks for HAProxy Fusion make IaC workflows easily achievable for application delivery: the same configuration objects that administrators once managed manually over SSH can now be declared, version-controlled, and deployed reproducibly at scale.

In our relentless drive to push performance boundaries, we announced the adoption of a modern high-performance SSL/TLS library and performance optimizations for massively multi-core systems.

Finally, we continue to dream big! With the power of centralized control and ML/AI automation, HAProxy Fusion and HAProxy Edge have the potential to unlock more revolutionary capabilities and use cases. Subscribe to our blog to be the first to know what’s next.

A modern application delivery platform, built to last

Core architectural decisions are supremely important. We're reminded of this when even big companies face dead ends, cancellations, and costly reversals with their products. 

HAProxy Technologies, through a gradual and consistent evolution, has built a modern platform that's authoritative, forward-looking, and trusted by the world's leading companies and cloud providers to deliver the most demanding applications.

The difference isn't only what you build, but how you build it. Our foundational data plane, our programmatic APIs, and our authoritative control plane with next-gen security orchestration represent an elegant and unified solution to the challenges of modern application delivery and serve as the platform for innovation by our customers. 

In 2026, HAProxy celebrates its 25th anniversary. It was always built to last, and will continue to be. Here’s to the next quarter-century.
