Definition
Picture the lobby of a large corporate building. You can’t just wander in and go wherever you want. There’s a security desk where you check in, get a visitor badge, and they direct you to the right floor. The security staff also keeps track of how many visitors are in the building, prevents unauthorized access, and can shut down access entirely in an emergency. An API Gateway does all of this for your APIs.
An API Gateway is the single entry point for all client requests to your backend services. Instead of clients talking directly to dozens of different microservices (users service, orders service, payments service, etc.), they all talk to the gateway. The gateway then handles authentication (who are you?), authorization (are you allowed to do this?), routing (which backend service should handle this?), rate limiting (are you asking too often?), and many other cross-cutting concerns.
Without a gateway, every microservice would need to implement its own authentication, rate limiting, logging, and SSL termination. That’s a lot of duplicated work and many opportunities for inconsistency or security holes. The gateway centralizes all of this, providing a consistent security boundary and simplifying the internal services. It’s the bouncer, receptionist, traffic cop, and security guard for your API infrastructure.
Example
Netflix: When your Netflix app requests your watchlist, the request hits their API Gateway first. The gateway validates your authentication token, checks if you’re rate-limited, logs the request for analytics, and routes it to the correct backend service. The app never talks directly to Netflix’s hundreds of microservices.
AWS API Gateway: If you build serverless applications on AWS, API Gateway sits in front of your Lambda functions. It handles all the HTTP overhead - parsing requests, validating inputs, managing API keys, throttling requests - so your Lambda functions just process business logic.
E-commerce Platform: A shopping site’s gateway receives requests for product listings, cart operations, and checkout. It validates JWT tokens on every request, applies different rate limits for anonymous vs logged-in users, and routes to the appropriate microservices. If the payment service is down, the gateway can return a friendly error without exposing internal details.
Mobile App Backend: A mobile app talks to a single gateway endpoint. The gateway handles API versioning (routing v1 calls to legacy services, v2 to new ones), compresses responses for mobile bandwidth, caches frequently-requested data, and aggregates responses from multiple services into single responses optimized for mobile screens.
Partner API Program: Companies like Stripe expose their APIs through gateways that manage API keys for thousands of partners, enforce usage quotas per pricing tier, provide detailed usage analytics, and ensure that a bug in one partner’s integration can’t affect others.
Analogy
The Airport Terminal: An API Gateway is like an airport terminal. All passengers (requests) enter through security checkpoints (authentication). They’re directed to specific gates (routing to services). The terminal enforces boarding times (rate limiting), handles multiple airlines (services), and provides a consistent experience regardless of destination. Individual airlines don’t need their own security - the terminal handles it centrally.
The Hotel Reception Desk: When you arrive at a hotel, you don’t go directly to your room - you check in at reception. They verify your reservation (authentication), give you a key card (authorization token), tell you which floor your room is on (routing), and can track who’s in the building (monitoring). If there’s a problem, you go to reception, not directly to maintenance.
The Call Center Switchboard: Old telephone switchboards connected callers to the right extension. The operator verified who you were calling, could limit calls during busy periods, and routed calls efficiently. An API Gateway does the same - it receives all incoming requests and connects them to the right backend “extension” while managing the overall traffic.
The Theme Park Entrance: At a theme park, everyone enters through the main gate. Security checks your ticket (authentication), you might get a FastPass wristband (rate limiting), and you’re given a map to find attractions (routing). The main gate handles all visitors consistently so individual rides don’t need to check tickets. If the park is at capacity, the gate stops admitting people rather than having chaos at each ride.
Code Example
# Kong API Gateway configuration (declarative format; indentation is YAML-significant)
_format_version: "3.0"      # required header for Kong's declarative config files
services:
  - name: orders-service
    url: http://orders-backend:8080          # upstream the gateway proxies to
    routes:
      - name: orders-route
        paths:
          - /orders                          # public path that maps to this service
    plugins:
      - name: jwt                            # authentication: reject requests without a valid JWT
      - name: rate-limiting                  # throttling: at most 100 requests per minute per client
        config:
          minute: 100
      - name: cors                           # CORS headers; set config.origins explicitly rather than allowing any origin
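The request pipeline the Definition and Example sections describe (authenticate, rate-limit anonymous and logged-in clients differently, route by path and API version, mask upstream failures) as an added, illustrative Python example; it is not Kong's code nor any product's. The token table, route table and backend callables are constructed stand-ins, and a real gateway would verify signed JWTs where this one does a dictionary lookup.

```python
import time
from collections import defaultdict, deque
# Constructed stand-ins: a real gateway verifies signed JWTs here (assumption).
VALID_TOKENS = {"tok-alice": "alice"}         # token -> user id
LIMITS = {"anonymous": 2, "user": 5}          # requests per 60-second window
ROUTES = {"/v1/orders": "legacy-orders",      # API versioning: v1 -> legacy
          "/v2/orders": "orders-service",
          "/v2/payments": "payments-service"}

def lookup_backend(path):
    # Prefix-based routing table lookup; None means no route exists.
    for prefix, service in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return service
    return None

class Gateway:
    def __init__(self, backends, clock=time.monotonic):
        self.backends = backends           # service name -> callable(path, user)
        self.clock = clock                 # injectable for deterministic tests
        self.windows = defaultdict(deque)  # client key -> request timestamps

    def _rate_limited(self, key, limit):
        # Sliding 60-second window; the request is counted unless rejected.
        now, window = self.clock(), self.windows[key]
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= limit:
            return True
        window.append(now)
        return False

    def handle(self, path, headers, client_ip):
        # 1. Authentication: a bad token is rejected; no token means anonymous.
        token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
        if token and token not in VALID_TOKENS:
            return 401, {"error": "invalid token"}
        user = VALID_TOKENS.get(token)
        # 2. Rate limiting: logged-in users keyed by identity, anonymous by IP.
        key, limit = (f"user:{user}", LIMITS["user"]) if user else (f"ip:{client_ip}", LIMITS["anonymous"])
        if self._rate_limited(key, limit):
            return 429, {"error": "rate limit exceeded"}
        # 3. Routing: requests for unknown paths never reach a backend.
        service = lookup_backend(path)
        if service is None:
            return 404, {"error": "no route"}
        # 4. Upstream call: failures return a generic error, not internal details.
        try:
            return self.backends[service](path, user)
        except Exception:
            return 503, {"error": "service temporarily unavailable"}
```

Each `handle` call returns the status and body the client would see, so the backends never learn about rejected requests and the client never learns why a backend failed.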