System Design FAQ: Top Questions

67. How would you design an API Gateway for Microservices?

An API Gateway acts as a reverse proxy that centralizes access to microservices. It handles concerns such as routing, authentication, rate limiting, caching, and observability.

📋 Functional Requirements

Route client requests to appropriate microservices
Support for path-based routing and versioning
Centralized authentication and authorization
Request/response transformation, logging

📦 Non-Functional Requirements

Low latency and high availability
Rate limiting and circuit breaking
Horizontal scalability

🏗️ Architecture Overview

Clients: Browser, mobile app, API consumer
API Gateway: Routes to backend services
Microservices: REST/GraphQL/gRPC endpoints
Service Registry: Tracks healthy service instances

🔐 JWT Auth Middleware Example (Express.js)


app.use(async (req, res, next) => {
  const token = req.headers.authorization?.split(" ")[1];
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    req.user = decoded;
    next();
  } catch {
    res.status(401).send("Unauthorized");
  }
});

🧪 Kong Gateway Config (OpenResty)


routes:
  - name: users_v1
    paths: ["/v1/users"]
    strip_path: true
    service: users-service
plugins:
  - name: jwt
    config:
      key_claim_name: "iss"
      secret_is_base64: false
  - name: rate-limiting
    config:
      minute: 100
      hour: 1000

📈 Observability Features

Request logging (path, latency, status)
Tracing headers propagation (X-Request-ID, Traceparent)
Metrics export to Prometheus

📌 Rate Limiting Example (Nginx + Lua)


limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s;

server {
  location /api {
    limit_req zone=mylimit burst=10 nodelay;
    proxy_pass http://backend;
  }
}

🧰 Tools & Stack

Gateway: Kong, NGINX, Ambassador, Apigee
Service Discovery: Consul, Eureka, Kubernetes
Security: JWT, OAuth2, mTLS

📌 Final Insight

API Gateways streamline client-to-service interactions, enforce security, and improve observability. Use declarative routing configs and plugin-based middleware to minimize code duplication across services.

←→