An API Gateway acts as a single entry point for API requests, handling routing, authentication, and cross-cutting concerns.

Key Responsibilities

Request Routing

  • Routes requests to appropriate backend services
  • Acts as reverse proxy
  • Load balancing across service instances

Authentication & Authorization

  • Centralized auth logic
  • Token validation (JWT, OAuth)
  • API key management

Cross-Cutting Concerns

  • Rate limiting and throttling
  • Request/response transformation
  • Protocol translation (HTTP to gRPC, etc.)
  • Response aggregation from multiple services

Observability

  • Centralized logging
  • Metrics collection
  • Distributed tracing
  • Request/response inspection

Benefits

  • Simplified clients: Single endpoint instead of multiple service URLs
  • Centralized policy enforcement: Auth, rate limiting in one place
  • Backend flexibility: Change backend services without affecting clients
  • Security: Internal services never directly exposed

Design Patterns

Lambda-Based API

From System Design:

API Gateway handles auth and routing, leaving Lambda to handle processing only. This design:

  • Centralizes auth as configuration-based
  • Minimizes compiled code in containers
  • Reduces build time and artifact size
  • Keeps Lambda code focused on business logic

Aggregation Pattern

  • Gateway calls multiple services
  • Combines responses
  • Returns unified response to client

Challenges

  • Single point of failure: Gateway must be highly available
  • Performance bottleneck: All traffic flows through gateway
  • Complexity: Can become monolithic if too much logic added
  • Kong
  • AWS API Gateway
  • Azure API Management
  • Traefik
  • NGINX

References

See also: Microservices