{"title":"API Gateways","description":null,"content":"**APIs**, or **Application Programming Interfaces**, are a set of rules and protocols that allows two software applications or services to communicate with each other.\n\nAs applications grow in size, the number of APIs increases too. Without the right tools and infrastructure, managing these APIs can quickly become a challenge.\n\nThis is where **API Gateway** comes into play.\n\n> An API Gateway acts as a \n>\n> **central server**\n>\n> that sits between clients (e.g., browsers, mobile apps) and backend services.\n\nInstead of clients interacting with multiple microservices directly, they send their requests to the API Gateway. The gateway processes these requests, enforces security, and forwards them to the appropriate microservices.\n\nIn this chapter, we will explore why do we need an API gateway, the key features it provides and how it works step by step.\n\n---\n\n# 1. Why Do We Need an API Gateway?\n\nModern applications, especially those built using microservices architecture, have multiple backend services managing different functionalities.\n\nFor example, in an e-commerce service:\n\n- One service handles **user accounts**.\n- Another handles **payments**.\n- Another manages **product inventory**.\n\n#### **Without an API Gateway:**\n\n\n[Embed: https://link.excalidraw.com/readonly/3mZbGlaBKQmMZiVKlSbp](https://link.excalidraw.com/readonly/3mZbGlaBKQmMZiVKlSbp)\n\n\n- Clients would need to know the location and details of all backend services.\n- Developers would need to manage authentication, rate limiting, and security for each service individually.\n\n#### **With an API Gateway:**\n\n\n[Embed: https://link.excalidraw.com/readonly/4pYh6SVGN1vHmZHsdkVN](https://link.excalidraw.com/readonly/4pYh6SVGN1vHmZHsdkVN)\n\n\n- Clients send all requests to one place – the API Gateway.\n- The API Gateway takes care of routing, authentication, security, and other operational tasks, simplifying both client interactions and backend management.\n\n---\n\n# 2. Core Features of an API Gateway\n\n\n[Embed: https://link.excalidraw.com/readonly/F6npW2FUGbyHCxB7bArL](https://link.excalidraw.com/readonly/F6npW2FUGbyHCxB7bArL)\n\n\n#### 1. **Authentication and Authorization**\n\nAPI Gateway secures the backend systems by ensuring only authorized users and clients can access backend services.\n\nIt handles tasks like:\n\n- **Authentication:** Verifying the identity of the client using tokens (e.g., OAuth, JWT), API keys, or certificates.\n- **Authorization:** Checking the client’s permissions to access specific services or resources.\n\nBy centralizing these tasks, the API gateway eliminates the need for individual services to handle authentication, reducing redundancy and ensuring consistent access control across the system.\n\n#### 2. **Rate Limiting**\n\nTo prevent abuse and ensure fair usage of resources, most API Gateways implement **rate limiting**.\n\nThis feature:\n\n- Controls the frequency of requests a client can make within a given timeframe.\n- Protects backend services from being overwhelmed by excessive traffic or potential denial-of-service (DoS) attacks.\n\n> For example, a public API might allow a maximum of 100 requests per minute per user. If a client exceeds this limit, the API Gateway will block additional requests until the rate resets.\n\n#### 3. **Load Balancing**\n\nHigh-traffic applications rely on **load balancing** to distribute incoming requests evenly across multiple instances of a service.\n\nThe API Gateway can:\n\n- Redirect requests to healthy service instances while avoiding ones that are down or overloaded.\n- Use algorithms like round-robin, least connections, or weighted distribution to manage traffic intelligently.\n\n#### 4. **Caching**\n\nTo improve response times and reduce the strain on backend services, most API Gateways provide **caching**.\n\nThey temporarily store frequently requested data, such as:\n\n- Responses to commonly accessed endpoints (e.g., product catalogs or weather data).\n- Static resources like images or metadata.\n\n> Caching helps in reducing latency and enhancing user experience while lowering the operational cost of backend services.\n\n#### 5. **Request Transformation**\n\nIn systems with diverse clients and backend services, **request transformation** is essential for compatibility.\n\nAn API Gateway can:\n\n- Modify the structure or format of incoming requests to match the backend service requirements.\n- Transform responses before sending them back to the client, ensuring they meet the client’s expectations.\n\n> For instance, it might convert XML responses from a legacy service into JSON for modern frontend applications.\n\n#### 6. **Service Discovery**\n\nModern systems often involve microservices that scale dynamically.\n\nThe **service discovery** feature of an API Gateway dynamically identifies the appropriate backend service instance to handle each request.\n\nThis ensures seamless request routing even in environments where services frequently scale up or down.\n\n#### 7. **Circuit Breaking**\n\nCircuit breaking is a mechanism that temporarily stops sending requests to a backend service when it detects persistent failures, such as:\n\n- Slow responses or timeouts.\n- Server errors (e.g., HTTP 500 status codes).\n- High latency or unavailability of a service.\n\nThe API Gateway continuously monitors the health and performance of backend services and uses circuit breaking to block requests to a failing service.\n\n#### 8. **Logging and Monitoring**\n\nAPI Gateways provide robust **monitoring and logging** capabilities to track and analyze system behavior.\n\nThese capabilities include:\n\n- Logging detailed information about each request, such as source, destination, and response time.\n- Collecting metrics like request rates, error rates, and latency.\n\nThis data helps system administrators detect anomalies, troubleshoot issues, and optimize the system’s performance. Many API Gateways also integrate with monitoring tools like Prometheus, Grafana, or AWS CloudWatch.\n\n---\n\n# **3. How Does an API Gateway Work?**\n\nImagine you're using a food delivery app to order dinner. When you tap \"Place Order\" your phone makes an API request. But instead of talking directly to various backend services, it communicates with an API Gateway first.\n\n#### **Step 1: Request Reception**\n\nWhen you tap \"Place Order,\" the app sends a request to the **API Gateway**, asking it to process your order.\n\nThis request includes things like:\n\n- Your user ID\n- Selected restaurant and menu items\n- Delivery address\n- Payment method\n- Authentication tokens\n\nThe API Gateway receives the request as the single entry point to the backend system.\n\n#### **Step 2: Request Validation**\n\nBefore forwarding the request, the API Gateway validates it to ensure:\n\n- The required parameters or headers are present.\n- The data is in the correct format (e.g., JSON).\n- The request conforms to the expected structure or schema.\n\n\n```javascript\n// Example of initial request handling\napp.post('/api/v1/orders', async (req, res) => {\n // Check if request has required headers\n if (!req.headers['content-type'].includes('application/json')) {\n return res.status(400).send('Invalid content type');\n }\n // Continue processing...\n});\n```\n\n\nIf any information is missing or incorrect, the gateway immediately rejects the request and notifies the app with an appropriate error message.\n\n#### **Step 3: Authentication & Authorization**\n\nThe gateway now verifies your identity and permissions to ensures only legitimate users can place orders:\n\n- It forwards your authentication token (e.g., OAuth or JWT) to an identity provider to confirm your identity.\n- It checks your permissions to ensure you’re authorized to use the app for placing an order.\n\n\n```javascript\nconst authenticateRequest = async (req) => {\n // Extract JWT token from header\n const token = req.headers.authorization?.split(' ')[1];\n\n // Verify token and get user details\n const user = await verifyToken(token);\n\n // Check if user has permission to place orders\n return user.permissions.includes('place_orders');\n};\n```\n\n\nIf authentication or authorization fails, the API Gateway sends a `401 Unauthorized` or `403 Forbidden` error back to the app.\n\n#### **Step 4: Rate Limiting**\n\nTo prevent abuse, the API Gateway checks how many requests you’ve made recently. For example:\n\n- If you’ve made 10 \"Place Order\" requests in the last minute (maybe by accident), the gateway might block additional requests temporarily and return `429 Too Many Requests` response.\n\n\n```javascript\nconst checkRateLimit = async (userId) => {\n const key = `rate_limit:order:${userId}`;\n const current = await redis.incr(key);\n\n // If first request in window, set expiry\n if (current === 1) {\n await redis.expire(key, 60); // 1 minute window\n }\n\n return current <= 10; // Allow 10 order requests per minute\n};\n```\n\n\nThis ensures the system remains stable and fair for all users specially during traffic spikes or malicious attacks, such as distributed denial-of-service (DDoS) attempts.\n\n#### **Step 5: Request Transformation (if needed)**\n\nIf any of these backend services require specific data formats or additional details, the API Gateway transforms the request.\n\nFor example:\n\n- The app sends the delivery address in plain text, but the Delivery Service expects GPS coordinates. The API Gateway converts the address into coordinates before forwarding the request.\n\n\n```javascript\nconst transformRequest = async (originalRequest) => {\n const address = originalRequest.deliveryAddress;\n\n // Convert address to GPS coordinates using a geocoding API\n const coordinates = await getCoordinatesFromAddress(address);\n\n if (!coordinates) {\n throw new Error('Failed to fetch GPS coordinates');\n }\n\n // Transform the request for the Delivery Service\n return {\n orderId: originalRequest.orderId,\n customerName: originalRequest.customerName,\n deliveryLocation: {\n latitude: coordinates.lat,\n longitude: coordinates.lng\n },\n deliveryInstructions: originalRequest.instructions || \"\"\n };\n};\n```\n\n\n#### Step 6: Request Routing\n\nThe API Gateway now needs to coordinate several backend services to process your order.\n\nUsing **service discovery**, it identifies:\n\n- **Order Service:** To create a new order record.\n- **Inventory Service:** To check if the restaurant has your selected items available.\n- **Payment Service:** To process your payment.\n- **Delivery Service:** To assign a delivery driver to your order.\n\nThe gateway dynamically routes the request to these services using a **load balancing** algorithm, ensuring it connects to available and healthy service instances.\n\n\n```javascript\nconst routeRequest = async (req, serviceType) => {\n // Get service registry\n const services = await serviceDiscovery.getServices(serviceType);\n\n // Select instance\n const targetService = selectServiceInstance(services);\n\n // Forward request\n return await axios.post(\n `${targetService.url}/api/orders`,\n req.body,\n { headers: req.headers }\n );\n};\n```\n\n\n#### **Step 7: Response Handling**\n\nOnce the API Gateway receives the response(s) from the backend service(s), it performs the following tasks:\n\n- **Transformation:** Adjusts the response format or structure to match the client’s requirements.\n- **Caching (Optional):** Stores the response temporarily for frequently accessed data, reducing future latency.\n\n\n```javascript\nconst handleResponse = async (serviceResponse) => {\n // Transform response if needed\n const transformedResponse = {\n orderId: serviceResponse.order_reference,\n estimatedDelivery: serviceResponse.eta,\n status: serviceResponse.current_status\n };\n\n // Cache response if applicable\n if (serviceResponse.cacheable) {\n await cacheResponse(\n transformedResponse.orderId,\n transformedResponse\n );\n }\n\n return transformedResponse;\n};\n```\n\n\nFinally, the API Gateway sends the processed response back to the client in a format they can easily understand.\n\n#### Step 8: Logging & Monitoring\n\nThroughout this process, the gateway records important metrics to track each request:\n\n\n```javascript\nconst logRequest = async (req, res, timing) => {\n await logger.log({\n timestamp: new Date(),\n path: req.path,\n method: req.method,\n responseTime: timing,\n statusCode: res.statusCode,\n userId: req.user?.id\n });\n};\n```\n","pageType":"system-design"}

API Gateways

Ashish Pratap Singh

Get Premium