<< back to Guides
π‘οΈ Guide: API Gateway β A Systems Design Deep Dive
An API Gateway is a centralized entry point that manages, routes, secures, and scales API requests in a microservices architecture.
It decouples clients from backend services, enabling simplified API access, load management, security, and observability.
π§ 1. What Is an API Gateway?
An API Gateway acts as a reverse proxy between clients and backend services.
It:
- Accepts all client API requests
- Routes them to the appropriate internal service
- Enforces policies such as authentication, rate limiting, caching, etc.
Client β API Gateway β Auth Service
β User Service
β Payment Service
π― 2. Why Use an API Gateway?
| Purpose |
Benefit |
| Decoupling |
Clients are not tied to internal service structure |
| Security |
Central place to enforce authentication, TLS |
| Rate Limiting |
Prevents overload, abuse |
| Routing & Load Balancing |
Directs traffic efficiently |
| Protocol Translation |
Converts REST β gRPC β WebSockets |
| Aggregation |
Combines responses from multiple services |
| Monitoring |
Unified logging and metrics |
𧱠3. Core Components
| Component |
Role |
| Request Router |
Routes to appropriate backend |
| Authentication Layer |
Verifies tokens, keys |
| Rate Limiter |
Prevents overuse per client or route |
| Caching Layer |
Stores frequent responses |
| Transformation Layer |
Request/response shaping (e.g., JSON β XML) |
| Logging & Analytics |
Centralized observability |
π§° 4. API Gateway vs Load Balancer
| Feature |
API Gateway |
Load Balancer |
| Layer |
Application layer (L7) |
Transport layer (L4/L7) |
| Aware of APIs |
Yes |
No |
| Auth, Throttling |
Built-in |
Not available (unless L7) |
| Protocol Translation |
Yes (REST β gRPC, etc.) |
No |
| Routing Logic |
Fine-grained (method/path/service) |
IP/port-based |
π§ͺ 5. API Gateway Patterns
π οΈ 1. Simple Gateway
Routes requests directly based on path or method:
GET /users β User Service
POST /payments β Payment Service
π 2. Gateway with Auth & Rate Limiting
// Request Flow:
β Verify JWT Token
β Check quota in Redis
β Forward to service
β Log + return response
π¦ 3. Backend for Frontend (BFF)
Custom gateway per frontend (mobile, web, admin):
- Tailored aggregation and payload shaping
- Avoids over-fetching/under-fetching
π 4. Aggregator Gateway
Combines multiple backend calls into one response:
GET /profile β calls:
/user/123
/user/123/orders
/user/123/preferences
β returns combined JSON
βοΈ 6. API Gateway Architecture Diagram
βββββββββββββββββ
Client ββββββββΆβ API Gateway ββββββΆ Auth Service
β ββββββΆ User Service
β ββββββΆ Order Service
βββββββββββββββββ
β
Logging & Metrics
𧱠7. Real-World Gateways
| Tool/Platform |
Features |
| Kong |
Open source, plugin-based, Lua core |
| NGINX |
Lightweight reverse proxy, Lua scripting available |
| Envoy |
L7 proxy with native gRPC support |
| AWS API Gateway |
Fully managed, integrates with Lambda, IAM, etc. |
| Istio Ingress Gateway |
Part of service mesh, tightly integrated with Envoy |
| Zuul (Netflix) |
Java-based, Spring Cloud integrated |
π§ 8. Common Design Considerations
| Concern |
Solution / Notes |
| Latency |
Add caching, keep transformations minimal |
| Single point of failure |
Deploy gateway replicas + load balancer |
| Scaling |
Use stateless design, autoscale pods |
| Auth overhead |
Use opaque token + caching |
| Rate limiting |
Global counters in Redis or in-memory |
π§ͺ 9. Example: Kong Gateway Rate Limiting Plugin (Declarative Config)
plugins:
- name: rate-limiting
config:
minute: 100
policy: local
β
10. Summary
| Feature |
Why It Matters |
| Entry point |
One place to manage all API traffic |
| Central policies |
Auth, rate limiting, monitoring |
| Decoupled services |
Clients stay unaware of backend complexity |
| Scalable |
Stateless, horizontally scalable |
| Flexible |
Works across REST, GraphQL, gRPC, WebSockets |
π Further Reading
<< back to Guides