High-Level Design Tutorial 0/42 lessons ~6 min read Lesson 13

    API Gateway

    An API Gateway is the single entry point for client applications (mobile, web, partners) into your microservice ecosystem.

    Course progress0%
    Focus
    10 guided sections
    Practice signal
    Examples included
    Career prep
    Interview Q&A included

    Introduction

    An API Gateway is the single entry point for client applications (mobile, web, partners) into your microservice ecosystem. Beyond routing, it centralizes cross-cutting concerns: authentication, rate limiting, request transformation, API versioning, and response aggregation (BFF pattern).

    Without a gateway, every service would expose public endpoints, duplicate auth logic, and leak internal topology. Kong, AWS API Gateway, Spring Cloud Gateway, and Envoy-based ingress controllers are common implementations.

    This lesson positions the gateway in HLD, contrasts it with load balancers and service mesh, and covers BFF patterns for mobile vs web clients.

    Understanding the topic

    Key concepts

    • Edge authentication: validate JWT/OAuth2 before forwarding to internal services.
    • Rate limiting and quota enforcement per API key or user tier.
    • Request/response transformation: JSON ↔ gRPC, field filtering for mobile payloads.
    • API composition: one mobile screen calls one gateway endpoint aggregating 3 services.
    • Version routing: /v1 → legacy cluster, /v2 → new cluster (canary).
    • Not a replacement for service mesh — gateway is north-south; mesh is east-west.
    text
    flowchart TB
    Mobile --> GW[API Gateway]
    Web --> GW
    GW --> Auth
    GW --> Orders
    GW --> Catalog

    Internal architecture

    Architecture overview

    text
    flowchart TB
    Mobile --> GW[API Gateway]
    Web --> GW
    GW --> Auth
    GW --> Orders
    GW --> Catalog

    Step-by-step explanation

    1. Mobile/Web → CDN (static) + API Gateway (dynamic API).
    2. Gateway plugins/filters: auth → rate limit → route → circuit breaker → upstream service.
    3. Internal services on private network; only gateway has public ingress.
    4. Optional BFF services per client type behind dedicated gateway routes.
    5. Centralized OpenAPI docs and developer portal for partner APIs.
    6. Observability: gateway emits access logs, metrics per route, trace root span.

    Informative example

    Spring Cloud Gateway route with JWT validation and Redis rate limiter:

    yaml
    spring:
    cloud:
    gateway:
    routes:
    - id: orders
    uri: lb://order-service
    predicates:
    - Path=/api/v1/orders/**
    filters:
    - name: RequestRateLimiter
    args:
    redis-rate-limiter.replenishRate: 100
    redis-rate-limiter.burstCapacity: 200
    key-resolver: "#{@userKeyResolver}"
    - TokenRelay=
    - name: CircuitBreaker
    args:
    name: orderCb
    fallbackUri: forward:/fallback/orders
    security:
    oauth2:
    resourceserver:
    jwt:
    issuer-uri: https://auth.example.com/realms/shop

    Gateway validates JWT once; internal services trust mTLS or internal network. Rate limit key = userId or API key.

    Real-world use

    Real-world use cases

    • Fintech mobile app: gateway aggregates balance, transactions, offers in one call.
    • Partner B2B e-commerce: API keys, quotas, webhook registration at gateway.
    • OTT: device-specific BFF routes optimize payload for TV vs phone.
    • Healthcare patient portal: gateway enforces OAuth scopes before PHI services.

    Best practices

    • Keep gateway thin — no heavy business logic; use BFF services if aggregation complex.
    • Propagate trace and auth headers to downstream (X-Request-Id, Authorization).
    • Configure timeouts per route matching downstream SLOs.
    • Use circuit breakers and fallbacks for graceful degradation.
    • Document breaking changes with versioned paths.
    • Separate public partner gateway from internal admin ingress.

    Common mistakes

    • God gateway with business rules — becomes distributed monolith choke point.
    • No timeout — slow service hangs all client requests.
    • Double auth validation overhead without caching JWKS keys.
    • Exposing internal service URLs in error responses.
    • Rate limit only by IP — shared NAT blocks legitimate users.

    Advanced interview questions

    Q1BeginnerWhat is an API Gateway?
    Single client-facing entry that routes, secures, and manages cross-cutting concerns for backend microservices.
    Q2BeginnerGateway vs load balancer?
    LB distributes traffic; gateway adds auth, rate limits, API versioning, composition at application layer.
    Q3IntermediateWhat is BFF (Backend for Frontend)?
    Dedicated API layer tailored to a client type (mobile BFF) aggregating and shaping backend responses.
    Q4IntermediateWhere put rate limiting — gateway or service?
    Coarse limits at gateway (per user/API key); fine-grained business limits inside domain services.
    Q5AdvancedDesign gateway for multi-tenant SaaS.
    Tenant ID from JWT, per-tenant rate quotas in Redis, route to shared or dedicated shards by tier, WAF, audit log, canary by tenant flag, OpenAPI per tenant scope.

    Summary

    API Gateway is the secure front door for microservices. Centralizes auth, rate limits, routing, and versioning. BFF pattern optimizes payloads per client type. Keep business logic in services, not gateway plugins. Pair with service mesh for internal mTLS and retries. CDN offloads static content complementary to gateway.

    Ready to mark this lesson complete?Track your journey across the entire course.