Architecture Patterns

The API Gateway Pattern

18 min Lesson 2 of 10

The API Gateway Pattern

When you break a monolith into a dozen microservices, you immediately face a new problem: every client now has to know about every service. A mobile app that needs to render a home screen must call an auth service, a user-profile service, a recommendations service, and a feed service — stitching together four responses before painting a single pixel. Add rate-limiting, authentication, and logging to each of those, and you have duplicated cross-cutting concerns scattered across the entire backend.

The API Gateway solves this by introducing a single, intelligent entry point that sits in front of all backend services. Clients talk only to the gateway; the gateway routes, transforms, and aggregates on their behalf.

What the Gateway Does

An API gateway is far more than a dumb reverse proxy. In a production system it typically handles:

  • Routing — maps incoming URLs or gRPC methods to the correct downstream service (GET /orders/123 → Order Service).
  • Authentication & Authorization — validates JWT tokens or API keys once at the edge; services trust the forwarded identity header and skip re-validation.
  • Rate Limiting & Throttling — enforces quotas per client, per endpoint, or per tier (free vs. paid), protecting services from burst traffic.
  • Request / Response Transformation — rewrites headers, translates JSON to gRPC, strips internal fields before returning to the client.
  • Response Aggregation (Fan-out) — calls multiple services in parallel and merges their responses into one payload, reducing client round-trips.
  • Caching — stores responses at the edge (e.g., 60-second TTL on product catalogues) to cut load on services and slash latency for common reads.
  • Observability — centralises access logs, request tracing (injecting a X-Trace-ID header), and error-rate dashboards in one place.
  • SSL Termination — decrypts HTTPS at the gateway; internal traffic can travel over plain HTTP on a trusted private network, reducing CPU cost on every service.
API Gateway as a single entry point routing to multiple backend services Web Client Mobile App 3rd-Party Partner API API Gateway Auth / Rate-Limit Routing / Transform Aggregation / Cache SSL Termination Observability User Service :8001 Order Service :8002 Product Service :8003 Payment Service :8004 HTTPS Internal HTTP/gRPC
The API Gateway is the sole external-facing entry point; all backend services are invisible to clients and communicate over an internal network.

A Concrete Example: E-Commerce Home Screen

Imagine a mobile app rendering a personalised home screen. Without a gateway the app makes four sequential or parallel HTTP calls — user profile, recommendations, active promotions, and cart summary — each adding a round-trip. With a gateway, the app sends one request to GET /api/home and the gateway fans out to all four services in parallel (~80 ms each), merges the responses, and returns a single JSON payload in ~85 ms total — instead of the ~320 ms the client would have spent doing it itself on a mobile network.

Key idea: The gateway moves network-expensive orchestration logic from the client (which may be on a 4G connection with high latency) to the server-side edge, where service-to-service calls travel over a fast, low-latency internal network.

Request Lifecycle Through a Gateway

Sequence diagram of a request traveling through the API Gateway pipeline Client API Gateway Auth Service Backend Svc 1. HTTPS request + JWT 2. Validate token 3. 200 OK + claims 4. Rate-limit check 5. Route + inject X-User-ID header 6. Service response 7. Transform / log 8. Final response to client
Every inbound request passes through a structured pipeline: authenticate, rate-limit, route, transform, log — then return.

Real-World Gateway Products

You rarely build a gateway from scratch. The industry converges on a small set of proven tools:

  • AWS API Gateway — fully managed, deep integration with Lambda and IAM; ideal when you are already on AWS. Handles hundreds of thousands of requests per second with zero ops overhead.
  • Kong — open-source, plugin-based, runs on-prem or on any cloud. ~50k GitHub stars. Powers Expedia, Nasdaq, and others.
  • NGINX / NGINX Plus — started as a load balancer; the Plus tier and the NGINX gateway edition add auth, rate-limiting, and developer portal features.
  • Envoy Proxy — originally designed by Lyft; now the standard data plane behind service meshes (Istio, Consul Connect). Also used as a standalone edge gateway.
  • Traefik — cloud-native, auto-discovers Docker/Kubernetes services, zero downtime updates. Popular in self-hosted Kubernetes setups.

Trade-offs and Pitfalls

The API Gateway pattern is powerful but comes with real costs you must plan for:

  • Single point of failure. The gateway now sits in every request path. If it goes down, the entire product goes down. Mitigate by running multiple gateway instances behind a cloud load balancer and keeping health checks aggressive (every 5 seconds).
  • Added latency. Each request pays an extra network hop. In practice, a well-tuned gateway adds 1–5 ms — acceptable for most APIs but worth measuring. Caching at the gateway layer often saves far more than this.
  • Risk of becoming a monolith again. The temptation to put business logic — pricing rules, discount calculations — into the gateway is real and dangerous. The gateway should be a routing and policy layer, not a service. Keep it stateless and logic-free.
  • Operational complexity. You now have an extra system to deploy, version, and monitor. Invest in configuration-as-code (e.g., kong.yaml in Git) so changes are reviewable and reversible.
  • Fan-out latency budget. If the gateway aggregates five services and one of them is slow, the entire response waits. Use timeouts and circuit breakers on each downstream call; return a partial response with a degraded flag rather than timing out the whole payload.
Best practice: Apply the timeout + fallback pattern on every downstream call the gateway makes. Set a per-service timeout (e.g., 200 ms) and return a cached or empty value instead of blocking the response. Netflix popularised this as graceful degradation — users see a home screen without recommendations rather than a spinner forever.
Pitfall — the "God Gateway": Teams routinely start by routing through the gateway and end by computing business rules there too. Once a second team adds their logic, it becomes impossible to deploy any service independently. Draw a hard line: the gateway holds only cross-cutting infrastructure concerns (auth, rate-limit, routing, SSL). Everything else belongs in a service.

When NOT to Use an API Gateway

Not every system needs one. If you are running a small monolith with two or three internal services, adding a gateway is pure overhead. The pattern shines when:

  1. You have multiple client types (web, mobile, CLI, partner API) with different data-shape needs.
  2. You have five or more backend services that clients would otherwise have to address directly.
  3. You need to enforce consistent policy (auth, rate-limits, logging) without duplicating code in every service.

Below that threshold, a well-configured NGINX reverse proxy or a simple load balancer is often all you need.

Summary

The API Gateway pattern gives large-scale distributed systems a single, controllable front door. It centralises authentication, rate-limiting, routing, aggregation, and observability — eliminating duplication and simplifying client code. The price is an additional hop in every request path and a system that, if left undisciplined, risks absorbing business logic it should never own. Run it in a high-availability configuration, enforce strict timeouts on downstream calls, and keep business logic out of it, and it becomes one of the most valuable pieces of infrastructure in your stack.

Previous Lesson Monolith vs Microservices
Next Lesson Service Mesh (Introduction)
Back to Course