Swiftorial Logo
Home
Swift Lessons
AI Tools
Learn More
Career
Resources

System Design FAQ: Top Questions

11. How would you design an API Gateway?

An API Gateway acts as a reverse proxy that routes client requests to appropriate backend services, handles authentication, logging, rate limiting, and can aggregate multiple responses. It is a key component in microservices architectures.

📋 Functional Requirements

  • Route API calls to microservices
  • Authentication and authorization
  • Request/response transformation
  • Rate limiting and IP throttling
  • Logging and metrics

📦 Non-Functional Requirements

  • Low latency and high throughput
  • Highly available and horizontally scalable
  • Secure against DDoS and abuse

🏗️ Key Components

  • Routing Layer: Maps endpoints to services
  • Security Layer: JWT verification, OAuth2, API keys
  • Rate Limiter: Enforces client quotas
  • Metrics & Logging: Tracks usage and health

🚦 Example Routing Config (Kong)


routes:
  - name: user-service
    paths:
      - /users
    service:
      name: user-service
      url: http://user-service:8080

🔒 JWT Authentication (Kong plugin)


{
  "name": "jwt",
  "config": {
    "secret_is_base64": false,
    "key_claim_name": "iss",
    "anonymous": "",
    "run_on_preflight": true
  }
}

📈 Rate Limiting with Redis


-- Lua plugin for NGINX
local client_ip = ngx.var.remote_addr
local key = "ratelimit:" .. client_ip
local current = redis:get(key)

if current and tonumber(current) >= 100 then
  return ngx.exit(429)
else
  redis:incr(key)
  redis:expire(key, 60)
end

🛠️ Open Source API Gateway Options

  • Kong: Lua-based, plugin support, cloud native
  • NGINX: Highly performant, extensible with Lua
  • Envoy: gRPC support, cloud native, observability
  • AWS API Gateway: Fully managed, integrates with Lambda

📊 Observability

  • Prometheus for latency and error metrics
  • ELK or Loki for request logs
  • Custom headers for tracing (X-Request-ID, B3)

⚙️ Design Considerations

  • Multi-region deployment to reduce latency
  • Custom plugins for header injection or A/B testing
  • Support for circuit breakers and retries

📌 Final Insight

An API Gateway centralizes cross-cutting concerns for microservices. Choosing the right platform and plugins ensures extensibility, while rate limiting and observability protect and optimize backend services.