Stage 4 · Provision
Load Balancing & Traffic Management
API Gateway Patterns
Authentication, rate limiting, request transformation, and the single entry point for your API.
Why an API Gateway?
An API gateway is the single entry point for all client requests. It handles cross-cutting concerns — authentication, rate limiting, request transformation, logging — so individual services do not have to. Without a gateway, every service must implement these concerns independently.
Core Functions
- Request routing — Direct /users to the user service, /orders to the order service.
- Authentication — Validate JWTs, API keys, or OAuth tokens at the edge.
- Rate limiting — Protect backend services from traffic spikes.
- Request transformation — Convert between API versions, add/remove headers.
- Response aggregation — Combine multiple service responses into one.
- Logging and metrics — Capture request/response data for every API call.
Mobile/Web ──► API Gateway ──► User Service
│──► Order Service
│──► Payment Service
│──► Notification Service
Gateway handles:
✓ Authentication (JWT validation)
✓ Rate limiting (1000 req/min per user)
✓ Request routing (/users → user service)
✓ Response caching (GET /products)
✓ API versioning (/v1/*, /v2/*)The gateway absorbs all cross-cutting concerns. Backend services focus on business logic only.
Request Routing
upstream user_service:
server user-svc:8080
upstream order_service:
server order-svc:8080
server:
listen 443 ssl;
location /api/v1/users {
proxy_pass http://user_service;
proxy_set_header X-Request-ID $request_id;
}
location /api/v1/orders {
proxy_pass http://order_service;
proxy_set_header X-Request-ID $request_id;
}
location /api/v2/users {
proxy_pass http://user-svc-v2:8080;
}Route requests based on path prefix, HTTP method, headers, or query parameters. The gateway maps external URLs to internal service endpoints.
Authentication & Authorization
The gateway validates authentication tokens before requests reach backend services. This eliminates the need for each service to implement token validation. The gateway passes user identity in headers (X-User-ID, X-User-Role) for services to use for authorization.
The gateway handles authentication (who are you?) but services must handle authorization (what can you do?). A compromised gateway can forge headers. Services should validate critical permissions independently.
Rate Limiting
Rate limiting at the gateway protects backend services from abuse and traffic spikes. Common strategies include per-user limits, per-IP limits, global limits, and token bucket algorithms. Redis-backed rate limiters enable distributed rate limiting across gateway instances.
Gateway Comparison
| Gateway | Language | Strength |
|---|---|---|
| Kong | Lua/Nginx | Plugin ecosystem, enterprise features |
| Envoy | C++ | High performance, Istio integration |
| Traefik | Go | Auto-discovery, Let's Encrypt |
| AWS API Gateway | Managed | Serverless, Lambda integration |
Kong provides a rich plugin ecosystem for authentication, rate limiting, and transformation. Envoy provides raw performance and service mesh integration. Choose based on whether you need plugins or performance.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.