API Gateway
Single entry point for API traffic: routing, authentication, rate limiting, and protocol translation.
1. Concept Overview
An API gateway sits between clients and backend services. It handles cross-cutting concerns (auth, rate limiting, logging, routing) so individual services can stay focused on business logic.
Why it exists: Without a gateway, every service would implement auth, rate limits, and routing; clients would need to know many endpoints. The gateway centralizes these and provides a single API surface.
2. Core Principles
Typical responsibilities:
Routing: path/host → backend service (e.g. /users → user service).
Authentication: verify JWT, API key, or OAuth token; reject unauthenticated requests.
Authorization: check permissions (e.g. scope, role).
Rate limiting: limit requests per user/key/IP; return 429 when exceeded.
Protocol translation: REST (public) → gRPC (internal), or GraphQL → REST backends.
Caching: cache responses for read-heavy endpoints.
Circuit breaking: fail fast when a backend is down to avoid cascading failures.
Logging / metrics: centralized access logs, latency, and error rates.
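The first three responsibilities can be sketched in a few lines. A minimal sketch in Python, assuming a made-up routing table, key store, and fixed-window rate limit (a real gateway would proxy the request rather than return the backend URL):

```python
import time

# Hypothetical routing table: path prefix -> internal service base URL.
ROUTES = {"/users": "http://user-service:8080", "/orders": "http://order-service:8080"}
VALID_KEYS = {"key-123"}   # stand-in for a real key store
RATE_LIMIT = 5             # requests per window, per key
WINDOW = 60.0              # seconds
_counters = {}             # key -> (window_start, count)

def handle(path, api_key, now=None):
    """Return (status, detail) the way a gateway would, before proxying."""
    now = time.monotonic() if now is None else now
    # 1. Authentication: reject unknown keys before doing any routing work.
    if api_key not in VALID_KEYS:
        return 401, "invalid API key"
    # 2. Rate limiting: fixed window per key; 429 when exceeded.
    start, count = _counters.get(api_key, (now, 0))
    if now - start >= WINDOW:
        start, count = now, 0
    if count >= RATE_LIMIT:
        return 429, "rate limit exceeded"
    _counters[api_key] = (start, count + 1)
    # 3. Routing: first matching path prefix -> backend.
    for prefix, backend in ROUTES.items():
        if path.startswith(prefix):
            return 200, backend + path   # in reality: proxy the request
    return 404, "no route"
```

Note the order: authentication and rate limiting run before routing, so unauthenticated or abusive traffic never reaches a backend.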
Architecture: all client traffic flows through the gateway, which authenticates, rate-limits, and then routes each request to the appropriate backend service.
3. Real-World Usage
Kong: Open-source; plugins for auth, rate limit, logging; on-prem or managed.
AWS API Gateway: Managed; Lambda integration; usage plans and keys.
Google Apigee: Enterprise; monetization, analytics.
Nginx / Envoy: often used as a gateway with custom configuration or Lua/WASM extensions.
4. Trade-offs
Centralized: one place for auth, rate limiting, and routing; but the gateway sits on the critical path and is a potential bottleneck.
Protocol translation: clients use REST while internals use gRPC; but it adds an extra hop and complexity.
Managed vs self-hosted: managed means less operational work; but it costs more and offers less control.
When to use: multiple services exposed as one API, or a need for central auth, rate limiting, or versioning. When not: a single service, or when a simple reverse proxy is enough.
5. Failure Scenarios
Gateway down: run multiple stateless gateway instances behind a load balancer.
Backend down: trip the circuit breaker, return 503, and retry with backoff.
Auth/rate-limit bypass: enforce auth and limits at the gateway itself, and ensure backends accept traffic only from the gateway; never trust client-supplied headers.
Latency spike: set timeouts, use the circuit breaker, and scale the gateway horizontally.
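The "fail fast" behavior above is what a circuit breaker provides. A minimal sketch, assuming a consecutive-failure threshold and a fixed cooldown (real implementations such as Envoy's are richer, with half-open probes and rolling windows):

```python
import time

class CircuitBreaker:
    """Open after N consecutive failures, fail fast while open,
    allow one trial call through after a cooldown (half-open)."""
    def __init__(self, threshold=3, cooldown=30.0):
        self.threshold = threshold
        self.cooldown = cooldown
        self.failures = 0
        self.opened_at = None   # None means the circuit is closed

    def call(self, fn, now=None):
        now = time.monotonic() if now is None else now
        if self.opened_at is not None:
            if now - self.opened_at < self.cooldown:
                # Fail fast without touching the backend; the gateway
                # would translate this into a 503 for the client.
                raise RuntimeError("circuit open")
            self.opened_at = None   # cooldown elapsed: try one call
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = now
            raise
        self.failures = 0           # success closes the circuit again
        return result
```

While the circuit is open, requests are rejected immediately instead of queueing behind a dead backend, which is what prevents the cascading failure mentioned above.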
6. Performance Considerations
Latency: Gateway adds one hop; minimize logic and use connection pooling to backends.
Throughput: Scale gateway horizontally; avoid heavy logic in hot path.
Caching: Reduces backend load and latency for cacheable GETs.
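A minimal sketch of that caching behavior, assuming a simple per-path TTL and a `fetch` callable standing in for the proxied backend call:

```python
import time

_cache = {}  # (method, path) -> (expires_at, response)

def cached_get(path, fetch, ttl=30.0, now=None):
    """Serve a GET from cache while fresh; otherwise call the backend."""
    now = time.monotonic() if now is None else now
    key = ("GET", path)
    entry = _cache.get(key)
    if entry and entry[0] > now:
        return entry[1]            # cache hit: no backend round trip
    response = fetch(path)         # cache miss or expired: hit the backend
    _cache[key] = (now + ttl, response)
    return response
```

Only idempotent, cacheable GETs should go through this path; writes must always reach the backend.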
7. Implementation Patterns
Gateway per environment: one gateway for the public API, optionally a separate one for internal traffic.
Backend for Frontend (BFF): Different gateway or route per client type (e.g. mobile vs web) to tailor responses.
Gateway + service mesh: Gateway at edge; mesh handles service-to-service (mTLS, retries, discovery).
Quick Revision
Role: Single entry; routing, auth, rate limit, protocol translation, caching, circuit breaking.
Vs reverse proxy: Gateway adds auth, rate limit, and often API-specific logic; reverse proxy is more generic.
Failure: Stateless; multiple instances; circuit breaker to backends.
Interview: “We use an API gateway for authentication and rate limiting so backends don’t each implement it; we route by path to the right microservice and can translate REST to gRPC internally.”