Microservices API Gateway

When a client app — a mobile app or a website — needs data from a system with 50 microservices, it cannot call all 50 services directly. That would expose internal service addresses, require the app to handle dozens of authentication checks, and slow everything down. The API Gateway solves this problem.

What Is an API Gateway

An API Gateway is a single entry point that sits between clients and your microservices. Every request from the outside world passes through it. The gateway routes each request to the correct service, enforces security, and returns a unified response.

Think of it as the front desk of a large hotel. Every guest (client) speaks only to the front desk. The desk directs them to the right department — housekeeping, restaurant, concierge — without the guest needing to know where each department is or how it operates.

Without vs With a Gateway

WITHOUT GATEWAY (chaotic)
==========================
Mobile App ---> Order Service (address 1)
Mobile App ---> Payment Service (address 2)
Mobile App ---> User Service (address 3)
Mobile App ---> Inventory Service (address 4)

App must know all addresses. Each service handles auth separately.
If a service moves, the app breaks.


WITH GATEWAY (clean)
=====================
Mobile App ---> [API GATEWAY]
                     |
                     +---> Order Service
                     +---> Payment Service
                     +---> User Service
                     +---> Inventory Service

App knows only one address. Gateway handles routing.
Services move freely behind the gateway.

What the API Gateway Does

Request Routing

The gateway maps incoming URL paths to the correct service.

/api/orders    --> Order Service
/api/payments  --> Payment Service
/api/users     --> User Service

The client calls one base URL. The gateway decides where each request goes.

Authentication and Authorization

Instead of every service checking login tokens independently, the gateway validates the user's identity once. A valid token passes through. An invalid token returns an error immediately — the internal services never see the bad request.

Client sends token ----> [Gateway validates token]
                              |           |
                     Valid token     Invalid token
                          |                |
                   Route to service    Return 401 Error

Rate Limiting

The gateway limits how many requests a client can send per minute. This protects your services from being flooded. A user making 1,000 requests per second hits a limit at the gateway and never reaches internal services.
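The three responsibilities just described (path routing, token validation, per-client rate limiting) fit in a few dozen lines. The block below is an added illustration, not code from the page or from any of the gateway products named later; the service names, the `user.expiry.hexmac` token format, the signing key and the limits are constructed assumptions. Authentication runs before the rate-limit check so that unauthenticated traffic cannot consume a legitimate user's quota, and an invalid token is rejected at the gateway without any backend being contacted.

```python
"""Minimal API gateway core: routing, token validation, per-client rate limiting.

Added example for illustration; service names, token format, key and limits
are constructed assumptions, not a real deployment's values.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Routing table: longest matching prefix decides the backend (constructed names).
ROUTES = {
    "/api/orders": "order-service",
    "/api/payments": "payment-service",
    "/api/users": "user-service",
}

# Assumed shared secret for token verification; a real gateway loads it from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"


def route(path: str) -> Optional[str]:
    """Map a request path to a service by longest matching prefix; None means no route."""
    best: Optional[Tuple[str, str]] = None
    for prefix, service in ROUTES.items():
        matches = path == prefix or path.startswith(prefix + "/")
        if matches and (best is None or len(prefix) > len(best[0])):
            best = (prefix, service)
    return best[1] if best else None


def mint_token(user: str, expires_at: int) -> str:
    """Issue a token of the constructed form user.expiry.hexmac."""
    payload = f"{user}.{expires_at}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def validate_token(token: str, now: int) -> Optional[str]:
    """Return the user name when the MAC verifies and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user, expiry, mac = parts
    if not expiry.isdigit() or int(expiry) < now:
        return None
    expected = hmac.new(SIGNING_KEY, f"{user}.{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, mac):
        return None
    return user


@dataclass
class RateLimiter:
    """Fixed-window counter: at most `limit` requests per client per `window` seconds."""
    limit: int = 5
    window: int = 60
    counts: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        window_start = now - (now % self.window)
        start, count = self.counts.get(client, (None, 0))
        if start != window_start:      # first request in a new window resets the count
            count = 0
        if count >= self.limit:
            return False
        self.counts[client] = (window_start, count + 1)
        return True


@dataclass
class Gateway:
    limiter: RateLimiter = field(default_factory=RateLimiter)

    def handle(self, path: str, token: Optional[str], now: float) -> Tuple[int, str]:
        """Return (status, body); 'routed:<service>' stands in for the proxied backend call."""
        service = route(path)
        if service is None:
            return 404, "no route"
        user = validate_token(token, int(now)) if token else None
        if user is None:
            return 401, "invalid or missing token"   # backend never sees this request
        if not self.limiter.allow(user, now):
            return 429, "rate limit exceeded"
        return 200, f"routed:{service}"


if __name__ == "__main__":
    gw = Gateway()
    tok = mint_token("alice", expires_at=2_000_000_000)
    print(gw.handle("/api/orders/42", tok, now=1_700_000_000))
    print(gw.handle("/api/orders/42", "alice.2000000000.deadbeef", now=1_700_000_000))
```

The fixed-window limiter is deliberately simple; production gateways usually use a token bucket or sliding window so a burst at a window boundary cannot double the effective limit.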

Request Aggregation

A mobile app's home screen might need data from three services: user profile, recent orders, and product recommendations. Without a gateway, the app makes three network calls. With a gateway, it makes one call. The gateway fetches from all three services and combines the results.

AGGREGATION EXAMPLE
===================
Client makes 1 request to /api/home

Gateway fetches:
  - User Profile from User Service
  - Recent Orders from Order Service
  - Recommendations from Product Service

Gateway combines all into 1 response and returns to client

Client makes 1 call instead of 3.
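A gateway that aggregates must also decide what happens when one of the three backends is slow or failing, otherwise a single unhealthy service takes the whole home screen down with it. The block below is an added example, not code from the page; the three backends are constructed in-memory stubs with artificial latency. It fans out to all backends concurrently, applies a per-call timeout, and degrades a failed field to null while reporting the failure, so the client still gets the two results that succeeded.

```python
"""Aggregation endpoint: one client call fans out to three backends and merges results.

Added example for illustration; the backends, their latencies and the per-call
timeout are constructed assumptions.
"""
import asyncio
from typing import Any, Awaitable, Callable, Dict


# Constructed stand-ins for the User, Order and Product services.
async def fetch_profile(user_id: str) -> Dict[str, Any]:
    await asyncio.sleep(0.02)
    return {"id": user_id, "name": "Alice"}


async def fetch_recent_orders(user_id: str) -> list:
    await asyncio.sleep(0.02)
    return [{"order_id": 101}, {"order_id": 102}]


async def fetch_recommendations(user_id: str) -> list:
    await asyncio.sleep(0.02)
    return [{"sku": "A1"}, {"sku": "B2"}]


async def slow_recommendations(user_id: str) -> list:
    # Models a backend that exceeds the gateway's per-call budget.
    await asyncio.sleep(1.0)
    return []


async def home(user_id: str,
               backends: Dict[str, Callable[[str], Awaitable[Any]]],
               timeout: float = 0.2) -> Dict[str, Any]:
    """Call every backend concurrently; a slow or failing backend degrades its own
    field to None and is listed under 'errors' instead of failing the whole response."""
    async def guarded(name: str, coro: Awaitable[Any]):
        try:
            return name, await asyncio.wait_for(coro, timeout), None
        except Exception as exc:          # timeout or backend error
            return name, None, type(exc).__name__

    results = await asyncio.gather(*(guarded(n, f(user_id)) for n, f in backends.items()))
    body: Dict[str, Any] = {name: value for name, value, _ in results}
    body["errors"] = {name: err for name, _, err in results if err}
    return body


DEFAULT_BACKENDS = {
    "profile": fetch_profile,
    "orders": fetch_recent_orders,
    "recommendations": fetch_recommendations,
}


def get_home(user_id: str, backends=None, timeout: float = 0.2) -> Dict[str, Any]:
    """Synchronous entry point: what the gateway returns for GET /api/home."""
    return asyncio.run(home(user_id, backends or DEFAULT_BACKENDS, timeout))


if __name__ == "__main__":
    print(get_home("u1"))
    degraded = dict(DEFAULT_BACKENDS, recommendations=slow_recommendations)
    print(get_home("u1", degraded, timeout=0.1))
```

Because the three calls run concurrently, the response time is roughly that of the slowest backend (bounded by the timeout) rather than the sum of all three, which is the latency benefit the aggregation pattern is meant to deliver.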

Protocol Translation

The client speaks HTTP. Some internal services speak gRPC. The gateway translates the HTTP request from the client into a gRPC call for the internal service and translates the response back to HTTP before returning it.

SSL Termination

HTTPS encryption and decryption require computing power. The gateway handles encryption for all incoming requests. Internal services receive plain HTTP, which is faster. Security stays at the edge — the gateway — without burdening every service.

Popular API Gateway Tools

  • Kong — open source, plugin-based, widely used in production.
  • AWS API Gateway — managed service on Amazon Web Services.
  • NGINX — a fast web server often used as a gateway.
  • Traefik — built for containerized environments like Kubernetes.

The Risk: Single Point of Failure

The gateway is in every request path. If it goes down, all services become unreachable to external clients. Teams address this by running multiple gateway instances behind a load balancer.

                [Load Balancer]
                /             \
        [Gateway 1]        [Gateway 2]
             |                  |
    +---------+--------+---------+--------+
    |         |        |         |        |
 Orders  Payments   Users  Inventory  ...

If Gateway 1 fails, the load balancer sends all traffic to Gateway 2. External clients see no interruption.
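The failover the diagram describes depends on the load balancer noticing that a gateway instance has stopped answering and steering traffic away from it. The block below is an added example, not code from the page; the gateway instances are constructed in-memory stubs. It round-robins across instances the balancer believes healthy, marks an instance unhealthy the moment a forwarded request fails, retries on the next instance so the client never sees the failure, and lets a health check bring a recovered instance back into rotation.

```python
"""Load balancer over redundant gateway instances: health-aware round robin with failover.

Added example for illustration; the gateway instances are constructed stubs and
a crash is simulated with a flag rather than a real process failure.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GatewayInstance:
    name: str
    crashed: bool = False     # ground truth: is the process actually up?
    healthy: bool = True      # what the load balancer currently believes
    handled: int = 0

    def handle(self, path: str) -> str:
        if self.crashed:
            raise ConnectionError(f"{self.name} is down")
        self.handled += 1
        return f"{self.name}:{path}"

    def is_up(self) -> bool:
        """Stand-in for an active health probe (e.g. GET /healthz)."""
        return not self.crashed


@dataclass
class LoadBalancer:
    instances: List[GatewayInstance]
    _next: int = 0

    def pick(self) -> Optional[GatewayInstance]:
        """Round robin over instances believed healthy; None if there are none."""
        n = len(self.instances)
        for offset in range(n):
            cand = self.instances[(self._next + offset) % n]
            if cand.healthy:
                self._next = (self._next + offset + 1) % n
                return cand
        return None

    def forward(self, path: str) -> str:
        """Try healthy instances in turn; a failed attempt marks that instance unhealthy."""
        for _ in range(len(self.instances)):
            inst = self.pick()
            if inst is None:
                break
            try:
                return inst.handle(path)
            except ConnectionError:
                inst.healthy = False   # passive detection; health_check() may restore it
        return "503 no gateway available"

    def health_check(self) -> None:
        """Active probe of every instance, re-admitting ones that have recovered."""
        for inst in self.instances:
            inst.healthy = inst.is_up()


if __name__ == "__main__":
    lb = LoadBalancer([GatewayInstance("gw1"), GatewayInstance("gw2")])
    print(lb.forward("/api/orders"), lb.forward("/api/orders"))
    lb.instances[0].crashed = True
    print(lb.forward("/api/orders"))   # served by gw2, client sees no error
```

Passive detection (marking an instance down when a real request fails) reacts instantly but costs one failed attempt; the periodic active check is what brings an instance back, so both are normally used together.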

Backend for Frontend (BFF) Pattern

Some systems use a different gateway for each type of client. A mobile app and a web app have different needs — different screen sizes, different data volumes, different speeds. The BFF pattern creates separate gateways for each client type.

[Mobile App]  --> [Mobile Gateway]  --> Services
[Web App]     --> [Web Gateway]     --> Services
[Partner API] --> [Partner Gateway] --> Services

Each gateway is optimized for its client's specific needs instead of forcing all clients through one generic gateway.
