API gateway patterns for microservices
API gateways have become the front door to microservices architectures. According to Kong's API Impact Report, API gateways handle over 90% of API traffic in enterprises, providing crucial capabilities for security, traffic management, and observability.
The role of API gateways
According to Gartner, organizations with mature API gateway implementations see 40% faster time-to-market for new APIs and 50% reduction in API-related security incidents.
Core gateway capabilities
Routing
Route requests to appropriate backend services
Authentication
Verify the caller's identity before a request reaches a backend: API keys, mTLS client certificates, or JWT/OAuth 2.0 access tokens (with OIDC for user login)
Rate Limiting
Protect backends from traffic spikes and from abusive clients (credential stuffing, scraping, runaway integrations)
Transformation
Request/response modification
Caching
Cache responses to reduce backend load
Observability
Metrics, logging, distributed tracing
Gateway vs Service Mesh: API gateways handle north-south traffic (external to internal). Service meshes handle east-west traffic (internal service-to-service). Many architectures use both.
Gateway architecture patterns
Edge Gateway
Single entry point for all external traffic. Simplest pattern for most organizations.
Backend for Frontend (BFF)
Separate gateways per client type (web, mobile, IoT). Optimized APIs per consumer.
Federated Gateway
Multiple gateways federating to central control plane. For multi-team, multi-region.
Sidecar Gateway
Gateway functionality in service sidecar. Common with service mesh adoption.
[Chart: Gateway Pattern Adoption]
Gateway selection criteria
API Gateway Comparison
| Feature | Kong | AWS API Gateway | Apigee | NGINX |
|---|---|---|---|---|
| Cloud Native | ✓ | ✓ | ✓ | ✓ |
| On-Premise Option | ✓ | ✗ | ✓ | ✓ |
| GraphQL Support | ✓ | ✓ | ✓ | ✗ |
| Rate Limiting | ✓ | ✓ | ✓ | ✓ |
| Developer Portal | ✓ | ✗ | ✓ | ✗ |
| Extensibility | ✓ | ✗ | ✓ | ✓ |
[Chart: API Gateway Adoption (%)]
Authentication patterns
API Keys
Simple, static credentials for internal or trusted clients. A key identifies an application, not a user; store only a hash of it on the gateway side, scope it to specific routes, and rotate it, because a leaked key is valid until revoked
OAuth 2.0
Delegated authorization for third-party access
JWT
Stateless tokens that any gateway instance can validate without calling the issuer. The gateway must pin the accepted algorithm, verify the signature, and check issuer, audience and expiry; statelessness also means a token cannot be revoked before it expires, so keep lifetimes short
mTLS
Certificate-based authentication for service-to-service
OIDC
Identity layer on top of OAuth for user authentication
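The checks a gateway applies to a JWT on every request, as an added example (this is not code from the page or from any gateway product named here, and uses only the Python standard library). It assumes an HS256-signed token from a hypothetical issuer `https://idp.example.test` with audience `orders-api`; the secret, issuer and audience values are constructed for the example. `issue_token` stands in for the identity provider so that hostile tokens (alg=none, wrong key, tampered payload, wrong audience) can be built and shown to be rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the gateway's expectations about tokens from an
# assumed identity provider. With HS256 the gateway shares the issuer's secret;
# with RS256/ES256 it would hold only the issuer's public keys (preferable).
SECRET = b"example-gateway-secret-do-not-use"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "orders-api"
ALLOWED_ALGS = {"HS256"}   # pinned by the gateway, never taken from the token


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Stand-in for the identity provider. `alg` and `secret` are parameters only
    so that hostile tokens (alg=none, wrong key) can be built for testing."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, now: float = None) -> dict:
    """Stateless check a gateway performs per request. Returns the claims or
    raises ValueError. The order matters: nothing in the payload is trusted
    until the algorithm is pinned and the signature has been verified."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict):
            raise ValueError("header is not an object")
    except ValueError as exc:                       # wrong segment count, bad base64 or JSON
        raise ValueError("malformed token") from exc
    if header.get("alg") not in ALLOWED_ALGS:       # blocks alg=none and key-confusion tricks
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this API")   # a valid token for another API is still rejected
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def accepts(token: str, now: float) -> bool:
    """Yes/no wrapper for a request filter that only needs an allow/deny decision."""
    try:
        validate_token(token, now=now)
        return True
    except ValueError:
        return False
```

The audience check is the one most often skipped: a token that is perfectly valid for a neighbouring service is not authorization to call this one, and a gateway fronting many APIs is exactly where such cross-service replay happens.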
Rate limiting strategies
Fixed Window
X requests per aligned time window (e.g., 100/minute). Simple, but a client can send X requests at the end of one window and X more at the start of the next, so up to 2X pass in a span far shorter than the window.
Sliding Window
Smooths out fixed window issues. More complex but fairer.
Token Bucket
Allows bursting while maintaining average rate. Good for variable traffic.
Concurrency
Limit simultaneous connections rather than rate. Good for expensive operations.
[Chart: Rate Limiting Strategy Behavior]
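The four strategies above, implemented side by side as an added example (not code from the page or from any gateway product). Each limiter takes the current time as an argument so the window-boundary behaviour can be reproduced deterministically; `burst_at_boundary` sends a full quota just before a boundary and again just after, which is the burst the fixed-window description warns about. The client identifiers and in-memory state are constructed for the example; a real gateway keys on API key, token subject or source address and keeps counters in a shared store so every instance sees the same totals.

```python
from collections import deque


class FixedWindowLimiter:
    """At most `limit` requests per client in each aligned window of `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.state = {}  # client -> (window_index, count)

    def allow(self, client, now):
        idx = int(now // self.window)
        seen_idx, count = self.state.get(client, (idx, 0))
        if seen_idx != idx:                 # new window: the counter resets
            count = 0
        if count >= self.limit:
            self.state[client] = (idx, count)
            return False
        self.state[client] = (idx, count + 1)
        return True


class SlidingWindowLogLimiter:
    """At most `limit` requests in any trailing `window` seconds (exact; O(limit) memory per client)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.log = {}  # client -> deque of request timestamps

    def allow(self, client, now):
        q = self.log.setdefault(client, deque())
        while q and q[0] <= now - self.window:   # drop requests that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class TokenBucketLimiter:
    """Bucket of `capacity` tokens refilled at `rate` tokens/second; each request spends one.
    A client that was idle can burst up to `capacity`, then is held to the refill rate."""

    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.state = {}  # client -> (tokens, last_refill_time)

    def allow(self, client, now):
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[client] = (tokens, now)
            return False
        self.state[client] = (tokens - 1, now)
        return True


class ConcurrencyLimiter:
    """Caps in-flight requests per client; the gateway calls release() when the backend answers."""

    def __init__(self, max_in_flight):
        self.max_in_flight = max_in_flight
        self.active = {}

    def acquire(self, client):
        if self.active.get(client, 0) >= self.max_in_flight:
            return False
        self.active[client] = self.active.get(client, 0) + 1
        return True

    def release(self, client):
        self.active[client] = max(0, self.active.get(client, 0) - 1)


def burst_at_boundary(limiter, n, window):
    """Fire n requests 0.1 s before a window boundary and n more 0.1 s after it;
    return how many the limiter let through within that 0.2 s span."""
    allowed = 0
    for t in (window - 0.1, window + 0.1):
        for _ in range(n):
            if limiter.allow("client-a", t):
                allowed += 1
    return allowed


if __name__ == "__main__":
    for name, limiter in [
        ("fixed window", FixedWindowLimiter(100, 60.0)),
        ("sliding log", SlidingWindowLogLimiter(100, 60.0)),
        ("token bucket", TokenBucketLimiter(100, 100 / 60)),
    ]:
        print(f"{name:13s}: {burst_at_boundary(limiter, 100, 60.0)} of 200 requests allowed in 0.2 s")
```

With a 100/minute policy the fixed window lets 200 requests through in 0.2 s, while the sliding log and the token bucket hold the client to 100. The sliding log is exact but stores one timestamp per allowed request; gateways that need cheaper state usually approximate it with a weighted pair of adjacent fixed-window counters.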
Gateway performance
Gateway as Single Point of Failure: The gateway handles all traffic, so make it highly available. Deploy across availability zones, use health checks, and have failover strategies. Keep shared state such as rate-limit counters and token or key caches in a replicated store; otherwise a failover instance starts with empty counters and briefly enforces nothing.
Best practices
Keep It Thin
Gateway should route and secure, not contain business logic
Version APIs
Support multiple versions, gradual deprecation
Cache Aggressively
Cache at gateway level for common responses, but only those the backend marks cacheable. A gateway is a shared cache: an authenticated user's response must never be served to another user, so honour Cache-Control (no-store, private) and key per-user data on the caller's identity or do not cache it at all
Monitor Everything
Latency, error rates, throughput per endpoint
Security First
Defense in depth, don't trust the network. Gateway authentication does not replace authorization in the services: each backend should still check the caller's identity and permissions, and should accept traffic only from the gateway (mTLS or network policy) so that the gateway cannot simply be bypassed
Document APIs
OpenAPI specs, developer portal
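An added example (not code from the page or from any gateway product) of the caching caveat: a naive gateway cache keyed on path alone beside one that applies the shared-cache rules of RFC 7234 section 3. The upstream, the `/catalog` and `/me` routes, and the users `alice` and `bob` are constructed for the example; the per-user `/me` endpoint deliberately omits Cache-Control, as backends often do, which is exactly the case where the naive cache leaks one user's profile to another.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    subject: str = ""   # principal established by the gateway's auth step; "" = anonymous


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def parse_cache_control(value):
    """'public, max-age=60' -> {'public': '', 'max-age': '60'}"""
    out = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            out[name] = arg
    return out


def cache_decision(req, resp, default_ttl=30.0):
    """Return (key, ttl) if a shared gateway cache may store resp for req, else (None, 0).
    Anything tied to the caller is excluded unless the backend explicitly marked it shareable."""
    if req.method != "GET" or resp.status != 200:
        return None, 0
    cc = parse_cache_control(resp.headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc:
        return None, 0
    if "*" in resp.headers.get("Vary", ""):
        return None, 0
    if req.subject and not ("public" in cc or "s-maxage" in cc):
        return None, 0                       # authenticated response not marked public
    ttl = default_ttl
    for directive in ("s-maxage", "max-age"):
        if cc.get(directive, "").isdigit():
            ttl = float(cc[directive])
            break
    return (req.method, req.path), ttl


class NaiveCache:
    """The 'before': keys on path alone and ignores status, method and headers."""

    def __init__(self, backend):
        self.backend, self.store, self.backend_calls = backend, {}, 0

    def get(self, req, now):
        if req.path in self.store:
            return self.store[req.path]
        self.backend_calls += 1
        resp = self.backend(req)
        self.store[req.path] = resp
        return resp


class GatewayCache:
    """Stores only what cache_decision permits; entries expire after their TTL."""

    def __init__(self, backend):
        self.backend, self.store, self.backend_calls = backend, {}, 0

    def get(self, req, now):
        hit = self.store.get((req.method, req.path))
        if hit and hit[0] > now:
            return hit[1]
        self.backend_calls += 1
        resp = self.backend(req)
        key, ttl = cache_decision(req, resp)
        if key:
            self.store[key] = (now + ttl, resp)
        return resp


def backend(req):
    """Constructed upstream: a public catalogue and a per-user profile endpoint
    that, realistically, sets no Cache-Control header at all."""
    if req.path == "/catalog":
        return Response(200, "catalog v1", {"Cache-Control": "public, max-age=60"})
    if req.path == "/me":
        if not req.subject:
            return Response(401, "auth required")
        return Response(200, f"profile of {req.subject}")
    return Response(404, "not found")


def profile_leak_check(cache_cls):
    """alice then bob fetch /me through the cache; return (body bob saw, backend calls)."""
    cache = cache_cls(backend)
    cache.get(Request("GET", "/me", subject="alice"), now=0.0)
    bob = cache.get(Request("GET", "/me", subject="bob"), now=1.0)
    return bob.body, cache.backend_calls
```

`profile_leak_check(NaiveCache)` returns alice's profile for bob's request after a single backend call; `profile_leak_check(GatewayCache)` returns bob's own profile and costs two backend calls, while `/catalog`, which the backend marked public, is still served from cache to anyone until its max-age elapses.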
FAQ
Q: Should we use managed or self-hosted gateway? A: Start with managed (cloud provider's gateway) for simplicity. Consider self-hosted for multi-cloud, on-premise requirements, or advanced customization needs.
Q: How do we handle gateway downtime? A: Multi-AZ deployment, health checks, circuit breakers, and cached responses for read operations. Direct service access for critical paths is a fallback only if those services enforce authentication, authorization and rate limits themselves; otherwise the fallback bypasses every control the gateway was providing.
Q: Gateway or service mesh? A: Not mutually exclusive. Gateway for external traffic (north-south), service mesh for internal (east-west). Many mature architectures use both.
Q: How do we migrate to a new gateway? A: Run parallel, use traffic mirroring to validate, gradual traffic shifting, and maintain rollback capability.
Sources and further reading
- Kong API Impact Report
- API Gateway Pattern by Microsoft
- Building Microservices by Sam Newman
- API Gateway with Kong
- AWS API Gateway Documentation