API Gateway

Architecture & Deployment

Single entry point for routing, auth, rate limits, and protocol bridging

Core Idea

Centralize cross-cutting concerns like authentication, rate limiting, request/response transforms, and routing in a highly available ingress layer.

When to Use

When you expose multiple services to clients and need consistent authN/Z, quotas, and canary/A-B testing enforced at the edge.

Recognition Cues
Indicators that this pattern might be the right solution
  • Multiple backends behind one public hostname
  • Inconsistent auth and limits across services
  • Need for protocol bridging (REST/gRPC/WebSocket)

Pattern Variants & Approaches

Overview
A single ingress enforces auth, limits, and routing to downstream services; supports canaries and transforms.

Overview Architecture

[Diagram: Client --HTTPS--> API Gateway; API Gateway --/v1/*--> Service A; API Gateway --/v2/*--> Service B]

When to Use This Variant

  • One public hostname for many services
  • Need uniform authN/Z
  • Canary/blue-green support

Use Case

Mobile/web clients hitting multiple backends with cross-cutting concerns.

Advantages

  • Consistent security
  • Client simplification
  • Traffic shaping

Implementation Example

# Gateway rule sketch (NGINX/Kong/etc.)
route /api/v1 -> svc-a
route /api/v2 -> svc-b
plugins: authz, rate-limit, transform
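
A miniature policy chain for the rule sketch above, written as an added example (not code from the page or from NGINX, Kong or any other gateway): it matches routes on a path-segment boundary, authenticates a bearer token, keys a per-client token bucket to that identity, answers 429 with a Retry-After hint, and rewrites the path for the upstream. The shared secret, route table, client id and "client_id.tag" token format are constructed stand-ins, with an HMAC tag standing in for a signed JWT; handle() returns (status, response headers, upstream target or None).

```python
import hashlib
import hmac
import math

GATEWAY_SECRET = b"example-shared-secret"  # constructed example value, not a real secret
ROUTES = {"/api/v1": "svc-a", "/api/v2": "svc-b"}  # path prefix -> upstream service

def sign_token(client_id):
    """Issue a bearer token 'client_id.tag' (HMAC stand-in for a signed JWT)."""
    tag = hmac.new(GATEWAY_SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}.{tag}"

def verify_token(token):
    """Return the client id if the tag verifies (constant-time compare), else None."""
    client_id, _, tag = token.rpartition(".")
    expected = hmac.new(GATEWAY_SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return client_id if client_id and hmac.compare_digest(tag, expected) else None

class TokenBucket:
    """Per-client token bucket: refill `rate` tokens/second, burst up to `capacity`."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity, self.buckets = rate, capacity, {}
    def allow(self, client_id, now):
        tokens, last = self.buckets.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[client_id] = (tokens - 1, now)
            return True, 0.0
        self.buckets[client_id] = (tokens, now)
        return False, (1 - tokens) / self.rate  # seconds until the next token

class Gateway:
    def __init__(self, rate=5.0, burst=5):
        self.limiter = TokenBucket(rate, burst)
    def handle(self, path, headers, now):
        # 1. Route on a path-segment boundary so "/api/v1" never matches "/api/v10".
        route = next((p for p in ROUTES if path == p or path.startswith(p + "/")), None)
        if route is None:
            return 404, {}, None
        # 2. Authenticate before limiting so quotas are keyed by verified client identity.
        auth = headers.get("Authorization", "")
        client = verify_token(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if client is None:
            return 401, {"WWW-Authenticate": "Bearer"}, None
        # 3. Rate limit; on exceed answer 429 with a Retry-After hint for the client.
        ok, wait = self.limiter.allow(client, now)
        if not ok:
            return 429, {"Retry-After": str(max(1, math.ceil(wait)))}, None
        # 4. Forward to the upstream with the version prefix stripped.
        return 200, {}, (ROUTES[route], path[len(route):] or "/")
```

Callers pass a monotonic timestamp as `now`, which keeps the limiter deterministic under test; a real deployment would also limit unauthenticated traffic per source address so the 401 path cannot be used to hammer the token check.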

Tradeoffs

Pros

  • Consistent security and policy enforcement
  • Simplifies client interactions
  • Supports migrations and canaries

Cons

  • Extra hop adds latency
  • Operational complexity and config sprawl
  • Risk of central bottleneck

Common Pitfalls

  • Embedding business logic in the gateway
  • Single point of failure without HA
  • Latency from heavy filters/plugins
  • Complex rules not versioned or tested

Design Considerations

  • HA and horizontal scaling with health checks
  • mTLS/JWT/OAuth for authN/Z and zero-trust
  • Rate-limit responses: 429 handling and client hints (e.g. Retry-After)
  • Canary and blue/green routing
  • Observability: logs, metrics, tracing at ingress

Real-World Examples

  • AWS: API Gateway + Lambda/API backends (global multi-tenant)
  • Kong: open-source and enterprise gateway (thousands of routes)
  • NGINX: Ingress controller for Kubernetes (large clusters)

Complexity Analysis

  • Scalability: edge-level scaling
  • Implementation Complexity: Medium - policies and plugins
  • Cost: Low to Medium - gateway infra