System Design
API Gateway
An API Gateway is not just a router - it's the nervous system of a microservice architecture. Get it right and months of cross-cutting work disappear.
- **Netflix Zuul / Spring Cloud Gateway**: handles billions of requests per day, routes traffic to hundreds of internal services
- **Shopify**: gateway handles OAuth for third-party apps, per-merchant rate limiting, and routing to 100+ internal services
- **Cloudflare Workers**: edge gateway used by millions of sites for rate limiting, auth, and caching at the network edge
What Is an API Gateway
**API Gateway** is a single entry point for all clients. It routes requests to microservices and handles cross-cutting concerns in one place.
A gateway is a **reverse proxy** with extras: auth, rate limiting, request transformation, aggregation.
Why is SSL termination at the API Gateway considered a good practice?
API Gateway Functions
The gateway handles **cross-cutting concerns**: functionality nobody wants to duplicate inside every service.
**Anti-pattern: Fat Gateway**. The gateway should do routing and cross-cutting concerns. Business logic stays in services.
Which function should an API Gateway NOT perform?
Backend for Frontend (BFF)
**BFF** is a specialized gateway per client type. Mobile, Web, and TV apps have different data needs.
**Ownership**: the BFF belongs to the client team. The mobile team owns the Mobile BFF and can move independently of backend teams.
BFF also solves **aggregation**: combining data from several services into a single response.
A mobile app shows a home screen built from data in 5 services. Without BFF each request takes 50ms. How long does loading take?
Rate Limiting
**Rate Limiting** protects backends from overload and abuse. The gateway is the right place for centralized limits.
**Different limits**: per-user (authenticated), per-IP (anonymous), per-endpoint (expensive operations). Combine them for flexibility.
API allows 100 req/min. A user makes 99 requests at 12:00:59, then 100 more at 12:01:01. How many requests does Fixed Window allow through?
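The boundary scenario from the question above, replayed against a fixed-window counter and a sliding-window log. This is an added example, not part of the original lesson; the class and function names are hypothetical, and state is kept in process memory for one client where a real gateway would key it per user or IP in a shared store such as Redis.

```python
from collections import deque

LIMIT = 100   # requests allowed per window (the lesson's 100 req/min)
WINDOW = 60   # window length in seconds

class FixedWindow:
    """Counter that resets at every wall-clock window boundary."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.bucket, self.count = None, 0

    def allow(self, now):
        bucket = int(now // self.window)
        if bucket != self.bucket:          # new window: counter starts over
            self.bucket, self.count = bucket, 0
        if self.count >= self.limit:
            return False
        self.count += 1
        return True

class SlidingWindowLog:
    """Keeps timestamps of accepted requests from the last `window` seconds."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.log = deque()

    def allow(self, now):
        while self.log and self.log[0] <= now - self.window:
            self.log.popleft()             # expire entries outside the window
        if len(self.log) >= self.limit:
            return False
        self.log.append(now)
        return True

def replay(limiter, timestamps):
    """Return how many of the requests the limiter lets through."""
    return sum(limiter.allow(t) for t in timestamps)

def scenario():
    # Constructed traffic, in seconds since 12:00:00:
    # 99 requests at 12:00:59 (t=59), then 100 more at 12:01:01 (t=61).
    return [59.0] * 99 + [61.0] * 100

if __name__ == "__main__":
    print("fixed window  :", replay(FixedWindow(), scenario()))
    print("sliding window:", replay(SlidingWindowLog(), scenario()))
```

The fixed window resets at 12:01:00, so a client that straddles the boundary gets nearly twice the configured rate within two seconds; the sliding log counts the same two seconds against a single 60-second window.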
Solutions and Anti-patterns
Gateway choice depends on requirements: managed for simplicity, self-hosted for control.
**Anti-patterns** are typical mistakes when designing a gateway:
**HA**: gateway sits behind a Load Balancer. Run at least 2 instances across availability zones.
A BFF fires 4 parallel requests. One service responds in 5 seconds. What happens with no timeout configured?
Key API Gateway principles
- **API Gateway** is the single entry point for all clients
- **Cross-cutting concerns**: routing, auth, rate limiting, SSL termination
- **BFF pattern**: a specialized gateway for each client type
- **Rate Limiting**: Token Bucket or Sliding Window backed by Redis
- **HA is mandatory**: at least 2 instances behind a Load Balancer
- **Avoid fat gateway**: routing and infra only, business logic stays in services
Related topics
The gateway is part of the microservice infrastructure stack.
- Load Balancer — LB sits in front of multiple gateway instances
- Service Mesh — Service-to-service communication after the gateway
- Caching — Response caching at the gateway tier
Questions for reflection
- If choosing between a single API Gateway and multiple BFFs, what factors would drive the decision?
- When does the operational cost of running a self-hosted gateway start to outweigh the lock-in cost of a managed one?
- What signals from production traffic would indicate the gateway has become a bottleneck rather than an enabler?