Code-Memo

API Gateway Concepts

What an API gateway does

  1. Sits at the edge in front of services: routing, TLS termination, auth, quotas, observability.
  2. Can compose multiple backends behind one hostname or path prefix.
  3. Offloads cross-cutting work so services stay focused on domain logic.

Routing, authentication, rate limiting

  1. Route by path, host, header, or weight for blue/green and canary deploys.
  2. Validate JWT/OAuth centrally; forward identity headers to upstreams only after stripping any client-supplied copies, so upstreams trust values set by the gateway alone.
  3. Enforce rate limits and WAF rules before traffic hits fragile services.
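As an added example (not code from the memo), a minimal Python sketch of the gateway-side check behind items 2 and 3 above: verify an HS256 bearer token, drop every client-supplied header in the gateway's reserved identity namespace, then inject identity derived from the verified claims. The `x-auth-` prefix, the lowercase header dict, and the demo secret are assumptions for illustration.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

TRUSTED_PREFIX = "x-auth-"  # assumed: header namespace reserved for the gateway

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (demo helper standing in for the identity provider)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the claims of a valid, unexpired HS256 JWT, or None on any failure."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # pin the algorithm: rejects 'none' and alg confusion
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if "sub" not in claims or claims.get("exp", 0) <= now:
            return None
        return claims
    except ValueError:  # malformed base64/JSON or wrong segment count
        return None

def gateway_forward(headers: dict, secret: bytes, now: int) -> Tuple[int, dict]:
    """Build the header set sent upstream. headers keys are assumed lowercase."""
    # 1. Strip anything the client put in the reserved namespace, so an attacker
    #    cannot pre-seed x-auth-subject and have an upstream believe it.
    upstream = {k: v for k, v in headers.items() if not k.startswith(TRUSTED_PREFIX)}
    auth = headers.get("authorization", "")
    claims = verify_hs256(auth[7:], secret, now) if auth.lower().startswith("bearer ") else None
    if claims is None:
        return 401, {}
    # 2. Only now populate identity headers, from verified claims alone.
    scope = claims.get("scope", [])
    upstream["x-auth-subject"] = claims["sub"]
    upstream["x-auth-scope"] = " ".join(scope) if isinstance(scope, list) else str(scope)
    upstream.pop("authorization", None)  # upstream never sees the raw token
    return 200, upstream
```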

Aggregation of services

  1. BFF (backend-for-frontend) pattern aggregates calls for one client type to reduce chattiness.
  2. Watch how latencies stack up: one slow dependency blocks the whole aggregate unless you parallelize calls or degrade gracefully.
  3. Avoid turning the gateway into a god service with business rules that belong downstream.

Examples in cloud architectures

  1. AWS API Gateway, Azure API Management, Google Apigee, Kong, Traefik, Envoy-based ingress.
  2. Often paired with a service mesh (mTLS, retries) for east-west traffic inside the cluster while the gateway handles north-south traffic.
  3. Use stage/prod separation and infrastructure-as-code for gateway config.