System Design

API Gateway

An API Gateway is not just a router - it's the nervous system of a microservice architecture. Get it right and months of cross-cutting work disappear.

**Netflix Zuul / Spring Cloud Gateway**: handles billions of requests per day, routes traffic to hundreds of internal services
**Shopify**: gateway handles OAuth for third-party apps, per-merchant rate limiting, and routing to 100+ internal services
**Cloudflare Workers**: edge gateway used by millions of sites for rate limiting, auth, and caching at the network edge

What Is an API Gateway

**API Gateway** is a single entry point for all clients. It routes requests to microservices and handles cross-cutting concerns in one place.

Gateway is a **reverse proxy** with extras: auth, rate limiting, request transformation, aggregation.

Why is SSL termination at the API Gateway considered a good practice?

API Gateway Functions

Gateway handles **cross-cutting concerns**: functionality nobody wants to duplicate inside every service.

**Anti-pattern: Fat Gateway**. The gateway should do routing and cross-cutting concerns. Business logic stays in services.

Which function should an API Gateway NOT perform?

Backend for Frontend (BFF)

**BFF** is a specialized gateway per client type. Mobile, Web, and TV apps have different data needs.

**Ownership**: the BFF belongs to the client team. The mobile team owns the Mobile BFF and can move independently of backend teams.

BFF also solves **aggregation**: combining data from several services into a single response.

A mobile app shows a home screen built from data in 5 services. Without BFF each request takes 50ms. How long does loading take?

Rate Limiting

**Rate Limiting** protects backends from overload and abuse. The gateway is the right place for centralized limits.

**Different limits**: per-user (authenticated), per-IP (anonymous), per-endpoint (expensive operations). Combine them for flexibility.

API allows 100 req/min. A user makes 99 requests at 12:00:59, then 100 more at 12:01:01. How many requests does Fixed Window allow through?

Solutions and Anti-patterns

Gateway choice depends on requirements: managed for simplicity, self-hosted for control.

**Anti-patterns** are typical mistakes when designing a gateway:

**HA**: gateway sits behind a Load Balancer. Run at least 2 instances across availability zones.

A BFF fires 4 parallel requests. One service responds in 5 seconds. What happens with no timeout configured?

Key API Gateway principles

**API Gateway** is the single entry point for all clients
**Cross-cutting concerns**: routing, auth, rate limiting, SSL termination
**BFF pattern**: a specialized gateway for each client type
**Rate Limiting**: Token Bucket or Sliding Window backed by Redis
**HA is mandatory**: at least 2 instances behind a Load Balancer
**Avoid fat gateway**: routing and infra only, business logic stays in services

Вопросы для размышления

If choosing between a single API Gateway and multiple BFFs, what factors would drive the decision?
When does the operational cost of running a self-hosted gateway start to outweigh the lock-in cost of a managed one?
What signals from production traffic would indicate the gateway has become a bottleneck rather than an enabler?

Связанные уроки

sec-01

System Design

API Gateway

An API Gateway is not just a router - it's the nervous system of a microservice architecture. Get it right and months of cross-cutting work disappear.

**Netflix Zuul / Spring Cloud Gateway**: handles billions of requests per day, routes traffic to hundreds of internal services
**Shopify**: gateway handles OAuth for third-party apps, per-merchant rate limiting, and routing to 100+ internal services
**Cloudflare Workers**: edge gateway used by millions of sites for rate limiting, auth, and caching at the network edge

What Is an API Gateway

**API Gateway** is a single entry point for all clients. It routes requests to microservices and handles cross-cutting concerns in one place.

Gateway is a **reverse proxy** with extras: auth, rate limiting, request transformation, aggregation.

Why is SSL termination at the API Gateway considered a good practice?

API Gateway Functions

Gateway handles **cross-cutting concerns**: functionality nobody wants to duplicate inside every service.

**Anti-pattern: Fat Gateway**. The gateway should do routing and cross-cutting concerns. Business logic stays in services.

Which function should an API Gateway NOT perform?

Backend for Frontend (BFF)

**BFF** is a specialized gateway per client type. Mobile, Web, and TV apps have different data needs.

**Ownership**: the BFF belongs to the client team. The mobile team owns the Mobile BFF and can move independently of backend teams.

BFF also solves **aggregation**: combining data from several services into a single response.

A mobile app shows a home screen built from data in 5 services. Without BFF each request takes 50ms. How long does loading take?

Rate Limiting

**Rate Limiting** protects backends from overload and abuse. The gateway is the right place for centralized limits.

**Different limits**: per-user (authenticated), per-IP (anonymous), per-endpoint (expensive operations). Combine them for flexibility.

API allows 100 req/min. A user makes 99 requests at 12:00:59, then 100 more at 12:01:01. How many requests does Fixed Window allow through?

Solutions and Anti-patterns

Gateway choice depends on requirements: managed for simplicity, self-hosted for control.

**Anti-patterns** are typical mistakes when designing a gateway:

**HA**: gateway sits behind a Load Balancer. Run at least 2 instances across availability zones.

A BFF fires 4 parallel requests. One service responds in 5 seconds. What happens with no timeout configured?

Key API Gateway principles

**API Gateway** is the single entry point for all clients
**Cross-cutting concerns**: routing, auth, rate limiting, SSL termination
**BFF pattern**: a specialized gateway for each client type
**Rate Limiting**: Token Bucket or Sliding Window backed by Redis
**HA is mandatory**: at least 2 instances behind a Load Balancer
**Avoid fat gateway**: routing and infra only, business logic stays in services

Вопросы для размышления

If choosing between a single API Gateway and multiple BFFs, what factors would drive the decision?
When does the operational cost of running a self-hosted gateway start to outweigh the lock-in cost of a managed one?
What signals from production traffic would indicate the gateway has become a bottleneck rather than an enabler?

Связанные уроки

sec-01

API Gateway

What Is an API Gateway

API Gateway Functions

Backend for Frontend (BFF)

Rate Limiting

Solutions and Anti-patterns

Key API Gateway principles

Related topics

Вопросы для размышления

Связанные уроки

API Gateway

What Is an API Gateway

API Gateway Functions

Backend for Frontend (BFF)

Rate Limiting

Solutions and Anti-patterns

Key API Gateway principles

Related topics

Вопросы для размышления

Связанные уроки