toolkit

How API Gateway Works

Routing, Authentication, Rate Limiting, and Protocol Translation at the Edge.

Kong Guide
Clients
Gateway Pipeline
Backends
Mobile
Web App
Partner
TLS Term
WAF
Rate Limit
Auth
Router
Product V1
Pricing
Legacy XML
HTTPS
1 / 9

Ingress & TLS

The Handshake

What Happens

A client (Web/Mobile) initiates a secure connection via HTTPS.

Why

Encryption is mandatory. The Gateway holds the SSL Certificates.

Technical Detail

TLS 1.3 Handshake. Terminates encryption here.

Example ClientHello -> ServerHello (Cipher Suite Exchange)

Key Takeaways

9-Layer Pipeline

It's not just a proxy. It handles WAF, Rate Limits, and Auth before anything touches your backend.

Aggregation

Combine multiple service calls into one, reducing client battery usage and network chatter.

Legacy Support

Translate JSON to XML automatically to support ancient backend systems without updating clients.

The Architecture of API Gateways: An Engineering Deep Dive

As monolithic architectures fractured into fleets of hundreds of distributed microservices, a critical architectural void emerged. Mobile clients, web apps, and third-party consumers suddenly needed to authenticate, route, and interact with dozens of independent backend services asynchronously. The API Gateway evolved to fill this exact void, shifting from a simple reverse proxy to a complex, edge-deployed control plane governing all ingress network traffic.

Part 1: The Evolution from Proxy to Gateway

To understand the modern API Gateway, we must contrast it with its ancestors: the standard Reverse Proxy (like classic NGINX or HAProxy) and the traditional Hardware Load Balancer (like an F5 BIG-IP).

A Reverse Proxy operates primarily at Layer 4 (Transport) or basic Layer 7 (Application). Its job is simple: take inbound TCP connections on port 443, terminate TLS, and blindly forward the HTTP payload to a pool of application servers using Round Robin. It knows nothing about the meaning of the payload.

An API Gateway, however, is deeply context-aware. It actively parses, inspects, and modifies the JSON payloads, HTTP headers, and JWT claims. It runs complex Lua or WebAssembly (Wasm) scripts mid-flight to enforce business logic before the packet ever reaches the internal network.

Part 2: The Security Perimeter (Zero Trust Ingress)

The Gateway acts as the unyielding front door to the microservice cluster. In modern "Zero Trust" architectures, backend services (like the Inventory service) should completely reject any traffic that did not originate from the Gateway. The Gateway enforces this perimeter through several mechanisms.

1. The Phantom Token Pattern

Sending extensive JWTs (JSON Web Tokens) over the public internet to mobile clients exposes sensitive internal claims and wastes bandwidth (JWTs can exceed 2KB). Furthermore, true JWTs cannot be easily revoked before expiration.

The Gateway implements the Phantom Token Pattern:

  • The client authenticates and receives an Opaque Token (a random 32-character string that means nothing cryptographically).
  • The client sends this Opaque Token to the Gateway in the `Authorization` header.
  • The Gateway arrests the request, queries an internal centralized cache (like Redis) or Identity Provider (IdP) to fetch the real JWT associated with that Opaque Token.
  • The Gateway injects the real JWT into the header and forwards the request internally. The backend services securely read the JWT claims without the client ever seeing it.

2. Web Application Firewall (WAF)

Before auth even occurs, the Gateway inspects the raw HTTP stream for malicious payloads. Built-in WAF modules (like ModSecurity) utilize regex signatures to block SQL Injection (`' OR 1=1--`), Cross-Site Scripting (`<script>`), and path traversal attacks mid-flight, returning a 403 Forbidden before backend CPU cycles are wasted.

mTLS (Mutual TLS)

Once traffic passes the Gateway, how do we secure internal service-to-service communication? Modern Gateways (especially those acting as Ingress in a Service Mesh like Istio/Envoy) utilize mTLS. The Gateway acts as a Certificate Authority, issuing short-lived certificates to internal pods so they mathematically verify each other's identities upon connection.

Part 3: Rate Limiting & Traffic Shaping

If a rogue script or DDoS attack hits the system, it is the Gateway's responsibility to shield the fragile underlying databases by dropping traffic at the edge. The Gateway implements complex Rate Limiting algorithms.

Token Bucket Algorithm

A "bucket" holds 100 tokens. Every request costs 1 token. A background process adds 10 tokens per second (the refill rate). If the bucket empties, the Gateway returns `429 Too Many Requests`. The "bucket size" allows for initial traffic bursts, while the "refill rate" enforces a steady long-term limit.

Distributed Limiting (Redis)

Because you run multiple Gateway nodes behind a Load Balancer, an "in-memory" rate limit fails (Node A doesn't know Node B processed 50 requests). Gateways utilize ultra-fast `INCR` commands against a centralized Redis cluster to track global API usage in real-time.

Part 4: Protocol Translation & Aggregation

Microservices often utilize highly optimized binary protocols (like gRPC/Protobuf over HTTP/2) for internal communication. However, external web browsers and mobile apps overwhelmingly expect standard JSON over REST over HTTP/1.1 or HTTP/2.

The API Gateway masks this complexity. The Gateway accepts standard JSON, maps the fields to Protobuf binary structures, establishes a multiplexed gRPC stream to the internal microservice, awaits the binary response, deserializes it back to JSON, and forwards it to the client. This allows backend engineers to utilize bleeding-edge tech without breaking public client contracts.

Backend For Frontend (BFF) & Aggregation

In complex architectures, rendering a single "User Dashboard" might require querying the User Service, the Billing Service, and the Notification Service. If a mobile app on a 3G network makes three separate sequential HTTP requests, latency accumulates catastrophically.

The Gateway solves this via Response Aggregation (often utilizing GraphQL or custom Lua scripts). The mobile app sends one request to the Gateway. The Gateway executes three network calls simultaneously across the data center's 10Gbps internal network, stitches the three JSON responses into a single combined payload, and sends that single payload back to the phone.

Part 5: Advanced Traffic Control (Circuit Breakers)

When microservices fail, they often don't fail by crashing instantly—they fail by slowing down. If the internal Payment Service's database locks up, HTTP requests from the Gateway start timing out after 30 seconds.

Because the Gateway handles thousands of concurrent requests, those 30-second hung connections quickly exhaust the Gateway's thread pool, causing the Gateway itself to crash and taking down the entire system (a cascading failure).

To prevent this, Gateways implement the Circuit Breaker Pattern:

  • CLOSED: Traffic flows normally. The Gateway monitors the error/timeout rate of the Payment Service.
  • OPEN: If the error rate crosses a threshold (e.g., 50% in 10 seconds), the circuit "trips". The Gateway instantly fails all future requests to the Payment Service, returning a cached response or a `503 Service Unavailable` immediately. This saves the Gateway's thread pool and gives the Payment Service breathing room to recover.
  • HALF-OPEN: After a timeout, the Gateway lets a trickle of traffic through to the Payment Service to test if it has recovered. If it succeeds, the circuit closes. If it fails, it remains Open.

Part 6: The Modern Gateway Landscape

The landscape of Gateway technology is dominated by a few core engines, mostly built upon highly optimized C/C++ or Rust foundations to minimize latency.

  1. NGINX: The classic workhorse. Written in C, it utilizes an event-driven, non-blocking asynchronous architecture. Still massive for raw routing and basic rate limiting, though complex logic requires Lua scripting (OpenResty).
  2. Envoy Proxy: Created by Lyft in C++ specifically for cloud-native microservices. It introduced dynamic configuration via APIs (xDS) so routes can be updated automatically as Kubernetes pods spin up and down without reloading the process. It forms the backbone of modern Service Meshes like Istio.
  3. Kong: Built entirely on top of NGINX and OpenResty, Kong abstracts away massive complexity by offering a vast plugin ecosystem (Datadog integration, OAuth2 validation, Prometheus metrics) manageable via an API or Postgres database.
  4. AWS API Gateway: A fully managed, serverless offering tightly coupled with AWS Lambda. While extremely convenient, its pricing model (charging per million requests) makes it prohibitively expensive for high-throughput, low-latency streaming applications.

Conclusion: The Nervous System

The API Gateway prevents the microservice utopia from devolving into chaotic, unmanageable anarchy. By centralizing the heavy lifting of authentication, security logging, TLS negotiation, and failure mitigation at the very edge of the network, backend developers are freed to focus strictly on business logic. It sits as the invisible, ultra-resilient sentinel guarding the modern internet.

Key Concepts & Terminology

Standard Pipeline

The strict order of operations every request must pass through. Security (WAF) and Auth MUST happen before Routing to ensure no malicious or unauthenticated traffic ever touches your backend services.

Circuit Breaker

A stability pattern. If a service (e.g. Inventory) fails repeatedly, the Gateway "opens the circuit" and immediately returns an error or fallback data without waiting for timeouts. This prevents cascading failures.

Canary Release

A deployment strategy where a small percentage (e.g., 5%) of traffic is routed to a new version (V2) of a service to test stability before rolling it out to everyone.

Token Bucket (Rate Limiting)

An algorithm used to control traffic. Users are given a "bucket" of tokens that refills at a fixed rate. Each request costs a token. If the bucket is empty, requests are rejected (429 Too Many Requests).

BFF (Backend for Frontend)

An API Gateway pattern where you create distinct entry points for different clients (e.g., MobileBFF, WebBFF), allowing you to tailor responses (smaller payloads for mobile) without changing the core backend.

TLS Termination

The process of decrypting HTTPS traffic at the Gateway. This allows the Gateway to inspect headers and body for routing, while offloading the expensive crypto work from your microservices.

Related Resources

Kong Learning Center

What is an API Gateway?

Reverse Proxy

Compare with API Gateway