An API Gateway is the "front door" to your applications. It sits between your users and backend services, acting as a reverse proxy that routes requests to the appropriate service.
What it handles
- Authentication — validating credentials and managing sessions
- Authorization — ensuring clients can access what they are requesting
- Request transformation — modifying paths, headers, or protocols (e.g., HTTP to gRPC)
- Rate limiting — protecting services from abuse or overload
- Load balancing — distributing requests across service replicas
- Service discovery — routing requests to the right backend
- Caching — speeding up repeated requests
- Observability — logging, metrics, and distributed tracing
When to use one
API Gateways shine when you have:
- Multiple backend services that need a unified entry point
- Cross-cutting concerns like auth or rate limiting that should not be duplicated
- Different client types (web, mobile, IoT) needing different API shapes
- Microservices that evolve independently from client contracts
When to skip it
Do not add an API Gateway just because it sounds good. If you have a monolith or a small number of services, the gateway becomes unnecessary complexity. Start simple — you can always add one later when the pain points appear.
Popular options
- Cloud-native: AWS API Gateway, Google Cloud Endpoints, Azure API Management
- Self-hosted: Kong, Traefik, NGINX, Envoy, HAProxy
- Kubernetes-native: Istio, Linkerd (service mesh with gateway features)
Choose based on your deployment model, team expertise, and whether you need advanced features like request transformation or just basic routing.