Skip to main content
Tech Blog
Tech Blog

System Design: The Path to API Gateway

·2071 words·10 mins
System Design Architecture API Gateway Microservices Monolith
Yash Sachdeva
Author
Yash Sachdeva
Software Engineer | Turning Complex Problems into Simple Solutions
Software engineer by trade, problem solver by nature. I write about the systems I build in my free time and the experiences that shape them.
Table of Contents
Every great architecture starts simple. But as we scale from a single monolith to a swarm of microservices, we hit a wall that only one pattern can break: the API Gateway.

Phase 1: The Blissful Monolith
#

You have one server, one database, and one endpoint. Everything is easy:

  • Discovery? A non-issue for the UI. The client only needs to know one URL (e.g., api.yourdomain.com). All requests go to the same place, and the monolith routes them internally.
  • Security? Handled in one place. A single centralized middleware validates the session/token once. Since everything runs in one process, that “Authenticated” state is automatically trusted by every internal function.
  • Data? A single SQL join away.

The Hidden Bottleneck
#

While “simple,” this centralized model has a ceiling. As your platform grows, certain features demand disproportionate resources. Imagine you add a heavy “Search and Recommendation” engine. Suddenly, every time a user searches for a product, the monolith’s CPU spikes.

  • The “Noisy Neighbor” Problem: Your critical “Checkout” process now has to compete for CPU and RAM with the heavy, analytical “Search” process. If a sudden spike in search traffic crashes the server, your users can’t check out.
  • Scaling Inefficiency: To keep Search fast, you are forced to scale the entire monolith—cloning your whole codebase across massive, expensive servers just to give that one specific feature more compute power.

The First Split: Extracting the Bottleneck
#

To protect the core business and scale efficiently, we make the first logical move: we extract the Search Engine into its own independent service. Now, Search can scale on its own high-CPU instances, while the rest of the monolith handles standard operations efficiently.

We’ve solved the bottleneck, but we’ve unknowingly crossed the Rubicon. We are no longer a monolith; we are a Distributed System.

Phase 2: The Breaking Point (The Problem)
#

Even with just two destinations (the core Monolith and the new Search Service), the simplicity of Phase 1 shatters. We solved our internal scaling, but pushed a massive amount of complexity onto the client and the network.

1. The “Endpoint Explosion”
#

In a monolith, the mobile app knew one URL. Now, the client must maintain a mapping for different hostnames. If we eventually split out “Checkout” or “User Profiles,” the client’s configuration file grows. The client now needs to know the internal topography of your backend. Every internal infrastructure move now requires an app store update, risking breakages for users on older app versions.

2. The Multi-Round-Trip Latency
#

Modern UIs are data-hungry. To render a single “Dashboard,” the app might need user data from the Monolith, and tailored product suggestions from the new Search/Recommendation service. On a slow mobile connection, forcing the client to make multiple sequential network calls drastically increases latency. We’ve introduced a “Network Tax” on the user experience.

3. Security Fragmentation
#

How do you ensure both the Monolith and the Search service are equally secure? If you implement JWT validation in both places, you’re repeating complex cryptographic logic in multiple codebases (potentially across different languages). If a vulnerability is found in your security middleware, you now have multiple separate deployment cycles to manage just to patch your system.

Phase 3: The Solution (The API Gateway)
#

The API Gateway is the “Hero” that restores the simplicity of the monolith while keeping the scaling benefits of microservices. It acts as a smart facade for your entire system.

1. Implementation: The Single Entry Point
#

The client goes back to knowing just one URL: api.yourdomain.com. The Gateway handles Internal Routing. It knows that requests to /search go to the new service, while everything else routes to the Monolith. As you split off more pieces, the Gateway simply updates its routing table. The client is completely shielded from your backend evolution.

2. Efficiency: Request Aggregation (API Composition)
#

To fix the multi-round-trip latency, the Gateway can perform API Composition (often referred to as the Backend-for-Frontend or BFF pattern). Instead of the mobile app making three separate network calls to build a dashboard, it makes one call to the Gateway. The Gateway talks to the internal services simultaneously over the high-speed internal VPC network, merges the data into a single JSON response, and sends it back. We’ve traded slow, public network hops for blazing-fast internal ones.

3. Security: The Centralized Guard
#

By centralizing the “Front Door,” we offload the heavy lifting from all internal services:

  • SSL Termination: The Gateway handles HTTPS encryption and decryption at the edge, saving internal CPU cycles.
  • Unified Authentication: The Gateway validates the user’s token once, and simply passes a trusted payload (like a user ID header) to the backend services. Your microservices no longer need to know how to decode a JWT; they just trust the Gateway.
  • Centralized Policy: Want to add rate-limiting, IP-allowlisting, or WAF (Web Application Firewall) rules? You apply it once at the Gateway, and every sub-service is instantly protected.

Phase 3.5: Putting it into Practice (Spring Cloud Gateway)
#

To see how this works in reality, let’s look at a modern Java implementation using Spring Cloud Gateway. In just a few lines of code, we can define our routing rules and implement our centralized security guard.

1. The Routing Rules
#

Using a simple Java Bean, we can configure our Gateway to route /search traffic to our newly extracted Search service, while letting everything else fall back to the Monolith.

import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class GatewayConfig {

    @Bean
    public RouteLocator systemRouteLocator(RouteLocatorBuilder builder, AuthFilter authFilter) {
        return builder.routes()
            // 1. Route specific traffic to the new Search Service
            .route("search_service", r -> r.path("/search/**")
                .filters(f -> f.filter(authFilter)) // Apply our security guard
                .uri("http://search-service-internal:8081"))
                
            // 2. Default route: Everything else goes to the Monolith
            .route("monolith_service", r -> r.path("/**")
                .filters(f -> f.filter(authFilter)) // Apply our security guard
                .uri("http://monolith-internal:8080"))
            .build();
    }
}

2. The Centralized Guard (Auth Filter)
#

Instead of forcing the Monolith and the Search service to both validate JWTs, we do it once at the Gateway. If the token is valid, the Gateway strips it and injects a trusted, simple header (X-User-Id) for the internal microservices to use.

import org.springframework.cloud.gateway.filter.GatewayFilter;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Component
public class AuthFilter implements GatewayFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        String authHeader = exchange.getRequest().getHeaders().getFirst("Authorization");
        
        // 1. Check if token exists and is valid (Implementation hidden for brevity)
        if (authHeader == null || !isValidJwt(authHeader)) {
            exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
            return exchange.getResponse().setComplete(); // Block the request early
        }

        // 2. Extract data and modify the request for internal services
        String userId = extractUserIdFromJwt(authHeader);
        
        ServerHttpRequest modifiedRequest = exchange.getRequest().mutate()
                .header("X-User-Id", userId) // Pass a simple, trusted header downstream
                .build();

        // 3. Forward the modified request to the routed microservice
        return chain.filter(exchange.mutate().request(modifiedRequest).build());
    }
    
    // ... private helper methods for JWT validation ...
}

By adding these two classes, we have successfully shielded our client from the endpoint explosion and offloaded security paperwork from our backend services.

Phase 3.6: Beyond Routing—The Swiss Army Knife
#

While routing and security get us through the door, a production-grade Gateway solves the “invisible” problems that plague distributed systems: traffic chaos and observability gaps.

1. The “Neighbor from Hell” (Rate Limiting)
#

In a monolith, one “noisy neighbor” (a user or bot spamming an endpoint) can consume all database connections, crashing the site for everyone. In microservices, this is even more dangerous—a spike in “Search” traffic can cascade and knock out “Inventory” if they share resources.

The Reasoning: Instead of every microservice writing its own rate-limiting logic (and potentially letting too much traffic through anyway), the Gateway acts as a Pressure Valve. It tracks requests per User ID or IP address at the very edge. If a user exceeds their quota, the Gateway drops the request before it even touches your expensive internal network.

Java Implementation (Spring Cloud Gateway + Redis):

@Bean
public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {
    return builder.routes()
        .route("search_service", r -> r.path("/search/**")
            .filters(f -> f.requestRateLimiter(config -> config
                .setRateLimiter(redisRateLimiter())
                .setKeyResolver(userKeyResolver()))) // Limit by User ID
            .uri("lb://search-service"))
        .build();
}

@Bean
public RedisRateLimiter redisRateLimiter() {
    // 10 requests per second, with a "burst" capacity of 20
    return new RedisRateLimiter(10, 20);
}

2. The “Silent Failure” (Centralized Observability)
#

In a distributed system, a single user request might travel through five different services. If the request fails, where did it die? Without a Gateway, you’re searching through five different log files, trying to stitch timestamps together.

The Reasoning: The Gateway becomes the Source of Truth. It generates a unique Correlation ID (Trace ID) for every incoming request. It injects this ID into the headers, ensuring it travels through every microservice. Now, you can search one ID in your logging tool (like ELK or Splunk) and see the entire journey of that request across your entire fleet.

3. The “Legacy Bridge” (Protocol Transformation)
#

Your modern frontend might want to speak REST/JSON, but your high-performance internal services might use gRPC, or perhaps an old legacy service only understands XML.

The Reasoning: You don’t want to force your mobile developers to learn gRPC or handle SOAP XML. The Gateway acts as a Translator. It accepts a standard JSON POST from the client, transforms the payload into the required internal format, calls the service, and translates the response back to JSON. The client remains blissfully unaware of the “tech debt” hiding behind the curtain.

Phase 3.7: The “Safety Net” (Deployment Control)
#

In the old monolith days, a deployment was a “hold your breath” moment. If the new code had a bug, the whole site went down. With an API Gateway, you can move away from “All-or-Nothing” releases toward Traffic Shifting.

1. Blue-Green Deployments (The “Instant Flip”)
#

Instead of updating your service in place, you spin up a brand-new version (Green) alongside the old one (Blue).

The Reasoning: The Gateway points to Blue. You test Green in isolation. Once you’re confident, you tell the Gateway to flip all traffic to Green. If something breaks 30 seconds later? You flip the Gateway back to Blue instantly. No DNS propagation delays, no server restarts—just a routing change.

2. Canary Releases (The “Slow Drip”)
#

A “Canary” release is the gold standard for risk management. You roll out the new version to only 5% of your users—perhaps your internal employees or a specific geographic region.

The Reasoning: The Gateway looks at the incoming request (maybe a cookie, a Header, or just a random weight) and decides where to send it. If the error rates for that 5% remain low, you bump it to 25%, then 50%, and finally 100%. The Gateway acts as a Blast Shield, ensuring a bad bug only affects a tiny fraction of your users.

Java Implementation (Spring Cloud Gateway Weighted Routing): Spring Cloud Gateway makes Canary releases trivial using the Weight route predicate. In this example, we send 95% of traffic to the stable “v1” and 5% to the new “v2” canary.

@Bean
public RouteLocator canaryRouteLocator(RouteLocatorBuilder builder) {
    return builder.routes()
        // 1. The Stable Production Service (95% of traffic)
        .route("search_v1", r -> r.path("/search/**")
            .and().weight("search_group", 95)
            .uri("http://search-v1:8081"))
            
        // 2. The Canary Service (5% of traffic)
        .route("search_v2", r -> r.path("/search/**")
            .and().weight("search_group", 5)
            .uri("http://search-v2:8082"))
        .build();
}

Phase 4: Choosing the Right Tool
#

Depending on your scale and operational capacity, an API Gateway can take many forms:

  • Managed Cloud Services: AWS API Gateway, Azure API Management, or Google Cloud API Gateway (Best if you want zero infrastructure maintenance).
  • Self-Hosted / Control Planes: Kong, Tyk, or Apache APISIX (Highly extensible with plugins, great for hybrid-cloud or custom routing needs).
  • Edge Proxies / Ingress: Envoy or HAProxy (Often used as the foundation for modern service meshes, excellent for high-performance, complex traffic routing).

Conclusion: The Final Verdict
#

The transition to an API Gateway marks the “coming of age” of a system. It’s the moment you stop thinking about individual servers and start thinking about Traffic Flow.

By centralizing the “boring” stuff—Rate Limiting, Security, and Deployment Control—you free your feature teams to do what they do best: build business value. The “Gateway Tax” of a single extra network hop is a small price to pay for a system that is resilient, observable, and easy for frontend developers to love.

The path to an API Gateway is paved with the lessons learned from scaling. It’s not just a proxy; it’s the brain of your distributed architecture. When you find yourself repeating code across services or struggling to coordinate releases, the message is clear: it’s time to move to the Gateway.

Related

Rate Limiters

·1921 words·10 mins
System Design Architecture Rate Limiting
Life Without a Rate Limiter # Imagine a public web API that allows clients to fetch user data without any rate limiting. Under normal conditions this might work, but during traffic spikes or abuse (e.g., bots or scrapers) the backend can be overwhelmed, leading to resource exhaustion, cascading failures, and poor availability for legitimate users. Without any form of control, a single noisy neighbor can starve others, increase infrastructure costs, and make it difficult to meet SLAs.