Computer Networks
API Gateway
In a microservices architecture, clients should not need to know about dozens of internal services. An API Gateway is the single front door: one URL, unified authentication, a consistent API. It is an essential component of any production microservices deployment.
- **Netflix Zuul/Zuul2**: handles billions of requests per day, dynamic routing, canary releases
- **Stripe API**: a single endpoint for payments, all cross-cutting concerns handled at the gateway level
- **AWS API Gateway + Lambda**: serverless architecture for startups with no ops overhead
Prerequisites
API Gateway Pattern
**API Gateway** - a single entry point for all client requests. Instead of calling microservices directly, the client communicates only with the gateway, which handles routing, authentication, and request transformation.
**API Gateway ≠ Load Balancer**: an LB distributes load. A gateway adds business logic: auth, transformation, aggregation. A gateway typically uses an LB under the hood.
The Backend For Frontend (BFF) pattern: different gateways for different clients. A Mobile BFF optimizes the payload, a Web BFF returns more data. Each BFF knows the specifics of its client.
What is the primary advantage of an API Gateway in a microservices architecture?
Kong Gateway
**Kong** is a popular open-source API gateway built on top of Nginx/OpenResty. It is extended through plugins: auth, rate limiting, logging, transformation. It is configured via the Admin API.
**Kong plugins**: 100+ official and community plugins. Rate Limiting, JWT/OAuth, CORS, Request Transformer, Prometheus, Zipkin tracing. You can write custom plugins in Lua or Go.
Kong DB-less mode: configuration in a YAML file, no PostgreSQL/Cassandra required. Simpler deployment, ideal for Kubernetes (ConfigMap). The Kong Ingress Controller integrates natively with k8s.
When should you use Kong instead of a plain Nginx reverse proxy?
AWS API Gateway
**AWS API Gateway** is a managed service for building REST, HTTP, and WebSocket APIs. It integrates with Lambda, EC2, and any HTTP endpoint. Pay-per-request pricing, automatic scaling.
**Lambda + API Gateway** - serverless architecture. No servers to manage, pay only for what you use. Cold start ~100-500ms for Node.js, reducible via provisioned concurrency.
When should you choose AWS HTTP API over REST API?
Gateway Authentication
An API Gateway is the ideal place for **centralized authentication**. Instead of validating tokens in every service, the gateway validates them and passes verified user information downstream.
**Security**: services must trust identity headers only when they arrive from the internal network. External requests made directly to services must be blocked (network policies in k8s, security groups in AWS).
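A sketch of the gateway-side check described above, as an added example that is not taken from Kong, AWS, or the original page: the gateway verifies an HS256 JWT, drops any identity headers the client sent, and injects verified ones for the upstream service. The header names `x-user-id` and `x-user-roles`, the demo key, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"                   # constructed; real keys live in a secret store
IDENTITY_HEADERS = {"x-user-id", "x-user-roles"}   # hypothetical internal header names

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_token(claims, alg="HS256"):
    """Build a sample JWT signed with SECRET (used only to construct input)."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = head + "." + b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64e(sig)

def verify_token(token, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":   # pin the algorithm; rejects "none"
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):   # constant-time comparison
            return None
        claims = json.loads(b64d(body))
        if claims["exp"] <= now or not claims["sub"]:
            return None
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None                                        # malformed token: fail closed

def gateway_headers(client_headers, now=None):
    """Return (status, headers to send upstream) for one incoming request."""
    incoming = {k.lower(): v for k, v in client_headers.items()}
    auth = incoming.pop("authorization", "")               # the token is not forwarded
    claims = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, {}
    # Drop identity headers supplied by the client, then inject the verified values.
    upstream = {k: v for k, v in incoming.items() if k not in IDENTITY_HEADERS}
    upstream["x-user-id"] = str(claims["sub"])
    upstream["x-user-roles"] = ",".join(map(str, claims.get("roles", [])))
    return 200, upstream
```

The stripping step matters as much as the signature check: without it, a client-supplied `X-User-Id` would reach the service looking exactly like a gateway-verified one.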
Why is authentication at the gateway better than in each individual service?
Request/Response Transformation
A gateway can **transform** requests and responses: modify headers, rewrite the body, and aggregate responses from multiple services into one. This allows the internal API to be adapted for different clients.
**API Composition** (aggregation) - the gateway assembles data from multiple services. The client needs one request instead of five. Especially valuable for mobile clients on slow networks.
Transformation aids API versioning: the gateway converts v1 requests to the format expected by a new service, maintaining backwards compatibility. Old clients keep working.
An API Gateway is just a smart reverse proxy
An API Gateway is an architectural pattern for microservices: a single entry point, encapsulation, cross-cutting concerns (auth, rate limiting, transformation), often with service discovery integration.
A reverse proxy only routes requests. A gateway adds application-level logic: JWT validation, per-user rate limiting, request transformation, API versioning. This is a different level of abstraction.
What is the primary use case for API aggregation at the gateway?
Key Ideas
- **API Gateway**: single entry point, encapsulates the internal architecture
- **Cross-cutting concerns**: auth, rate limiting, logging are centralized
- **Kong**: open-source, plugin-based, self-hosted or Kong Cloud
- **AWS API Gateway**: managed service, pay-per-request, Lambda integration
- **Transformation**: adapts the API for different clients, supports aggregation
Related Topics
An API Gateway is a central component in modern architecture:
- Reverse Proxy — Gateway is built on top of the reverse proxy concept
- Rate Limiting — Centralized rate limiting at the gateway level
- Authentication Flow — JWT/OAuth validation at the gateway
Questions for Reflection
- When does an API Gateway become a bottleneck, and how do you address that?
- How do you implement canary releases through a gateway?
- Gateway per team (BFF) vs. a central gateway - what are the trade-offs?