API Gateway
Routing, auth, aggregation, throttling at the edge.
Theory
API gateways terminate TLS, authenticate clients (JWT, API keys, mTLS), route to backend services, and enforce rate limits and quotas.
They enable protocol translation (REST to gRPC), request/response transformation, and API versioning without changing every service.
BFF (Backend for Frontend) pattern: separate gateway graphs for mobile vs web clients to reduce over-fetching and tailor payloads.
Kong, AWS API Gateway, Envoy/Gateway API, and NGINX are common implementations — pick based on latency, ops model, and plugin ecosystem.
Gateways cache responses where safe (GET with Cache-Control), collapsing thundering herds on hot endpoints.
Observability: per-route metrics, distributed tracing headers (traceparent), and structured access logs feed SLO dashboards.
Failure modes: gateway becomes single point of failure — run multi-AZ, health-check upstreams, circuit-break when backends degrade.
Architecture Diagram
Clients (web/mobile/partners)
|
API Gateway
/ | \ \
auth rate route cache
|
+-------+-------+
v v v
Orders Users Payments
service service serviceExamples
_format_version: "3.0"
services:
- name: orders
url: http://orders:8080
routes:
- name: orders-route
paths: ["/api/orders"]
plugins:
- name: rate-limiting
config: { minute: 100 }
if (!verifyJwt(req.headers.authorization)) return 401;
req.headers["X-User-Id"] = claims.sub;
forwardToUpstream(req);
Interview Questions
Gateway vs load balancer?
LB distributes traffic L4/L7; gateway adds auth, routing, transformation, developer portal, and API product features.
How prevent gateway overload?
Rate limits, circuit breakers, autoscale gateway pool, cache idempotent GETs, shed load with 429 + Retry-After.
Design Stripe-like public API.
Versioned routes, API keys + OAuth, idempotency keys, per-key rate limits, webhooks, comprehensive audit logs.
What is a BFF (Backend for Frontend)?
A gateway graph tailored to mobile vs web clients — reduces over-fetching and hides microservice chattiness from clients.
Where terminate mTLS?
Often at gateway for public clients; service mesh mTLS inside the cluster for east-west zero trust.
Idempotency at the gateway?
Accept Idempotency-Key header, dedupe within TTL, return same response on retries — critical for payment APIs.
Gateway as single point of failure?
Run multi-AZ replicas, health-check upstreams, circuit-break degraded backends, autoscale on CPU/latency.
Best Practices
- Version-control all API Gateway configuration and review changes like application code.
- Automate validation (lint, policy checks) in CI before production apply.
- Document ownership, on-call runbooks, and rollback for every production change.
- Use least privilege for credentials and rotate secrets regularly.
- Measure before/after: error rate, deploy time, cost, or toil hours saved.
Common Mistakes
- Adopting API Gateway without a written problem statement or success metric.
- Skipping staging that mirrors production networking and data volume.
- No rollback path — forward-only changes during incidents.
- Alert noise without actionable runbooks — on-call ignores pages.
Trade-off Analysis
Central gateway simplifies policy but can become a monolith — mitigate with strict plugin governance and horizontal scale.
Synchronous aggregation at gateway increases latency vs client-side parallel calls — aggregate only when round-trip savings justify it.
Managed cloud gateways reduce ops but add vendor lock-in and per-request cost at extreme scale.
mTLS everywhere is secure but painful for mobile/public clients — often terminate TLS at gateway and use JWT inside.
Cheat Sheet
Practical Exercises
Design free vs paid quota model at gateway.
Route 5% traffic to v2 upstream based on header.
Inject W3C trace context through gateway to services.