An API gateway sits at the edge of your infrastructure, handling cross-cutting concerns that would otherwise be repeated in every microservice: authentication, rate limiting, SSL termination, request routing, logging, and caching. Clients call one endpoint; the gateway routes to the correct backend. Kong (open-source), AWS API Gateway (managed), Azure APIM (enterprise), and nginx with plugins are common choices. The gateway pattern reduces boilerplate but adds a single-point-of-failure risk if not made highly available.
Order of plugins/middleware in an API gateway request pipeline.
Validate JWTs at the gateway, inject X-User-Id and X-User-Scopes headers, and have backend services trust these forwarded headers. Eliminates duplicate JWT validation in every microservice.
All traffic flows through the API gateway. If it goes down, everything goes down. Deploy in HA mode: 3+ replicas across availability zones, health checks, and automatic failover.
API gateways are for infrastructure concerns: auth, routing, rate limiting, logging. When you add business logic (calculate discounts, validate order rules), you create a maintenance nightmare. Keep it thin.
Sign in to share your feedback and join the discussion.