Introduction
API gateways have become the essential entry point for modern microservices architectures in 2026. Acting as a reverse proxy, API gateways handle cross-cutting concerns like authentication, rate limiting, request transformation, and loggingโallowing developers to focus on business logic while the infrastructure handles everything else.
An API gateway is a server that acts as a single entry point for a defined group of microservices. It abstracts the underlying microservices architecture from clients, providing centralized handling of cross-cutting concerns.
Why API Gateways Matter
The Problem Without a Gateway
Without an API gateway, each microservice must implement:
- Authentication and authorization
- Rate limiting
- Request/response transformation
- Logging and monitoring
- Protocol translation
- Circuit breaking
This leads to code duplication and inconsistent implementations.
The Gateway Solution
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ API Gateway โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ
โ โ AuthN/Z โ โRate Limiter โ โ Logger โ โ
โ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ
โ โ
โ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ
โ โ Transformerโ โ Circuit โ โ Router โ โ
โ โ โ โ Breaker โ โ โ โ
โ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโ
โ โ โ
โผ โผ โผ
โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ
โ Service Aโ โ Service Bโ โ Service Cโ
โโโโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโโ
Core API Gateway Features
1. Request Routing
# Kong route configuration
curl -X POST http://kong:8001/services/payment-service/routes \
-d "name=payment-api" \
-d "paths[]=/api/payments" \
-d "methods[]=GET" \
-d "methods[]=POST" \
-d "strip_path=false" \
-d "preserve_host=true"
2. Authentication
# Kong JWT plugin
curl -X POST http://kong:8001/routes/payment-api/plugins \
-d "name=jwt" \
-d "config.key_claim_name=kid" \
-d "config.uri_param_names=jwt" \
-d "config.cookie_names=jwt"
# Kong OAuth2 plugin
curl -X POST http://kong:8001/routes/payment-api/plugins \
-d "name=oauth2" \
-d "config.scopes=read,write" \
-d "config.mandatory_scope=true" \
-d "config.enable_authorization_code=true"
3. Rate Limiting
# Kong rate limiting
curl -X POST http://kong:8001/routes/payment-api/plugins \
-d "name=rate-limiting" \
-d "config.minute=100" \
-d "config.policy=local" \
-d "config.fault_tolerant=true" \
-d "config.hide_client_headers=false"
4. Request/Response Transformation
# Kong request transformer
curl -X POST http://kong:8001/routes/payment-api/plugins \
-d "name=request-transformer" \
-d "config.add.headers=X-Custom-Header:value" \
-d "config.add.querystring=api_version=v1" \
-d "config.remove.headers=X-Debug-Mode"
# Kong response transformer
curl -X POST http://kong:8001/routes/payment-api/plugins \
-d "name=response-transformer" \
-d "config.add.headers=X-Gateway:kong" \
-d "config.remove.headers=X-Internal-Error"
5. Circuit Breaker
# Kong circuit breaker
curl -X POST http://kong:8001/routes/payment-api/plugins \
-d "name=circuit-breaker" \
-d "config.basetimeout=60" \
-d "config.limit=10" \
-d "config.keepalive=60"
Kong: The Popular Choice
Architecture
Kong consists of:
- Kong Gateway: The core proxy server (Nginx + Lua)
- Kong Database: PostgreSQL or Cassandra for configuration
- Kong Admin API: Configure routes, services, and plugins
Installation
# Docker Compose
services:
kong:
image: kong:3.4
environment:
KONG_DATABASE: postgres
KONG_PG_HOST: postgres
KONG_DECLARATIVE_CONFIG: /kong/kong.yml
ports:
- "8000:8000"
- "8443:8443"
- "8001:8001"
volumes:
- ./kong.yml:/kong/kong.yml:ro
Declarative Configuration
# kong.yml
_format_version: "3.0"
services:
- name: payment-service
url: http://payment:8080
plugins:
- name: jwt
- name: rate-limiting
config:
minute: 100
policy: local
- name: correlation-id
config:
header_name: X-Correlation-ID
generator: uuid
- name: user-service
url: http://user:8080
plugins:
- name: jwt
- name: oauth2
config:
scopes: ["read", "write"]
routes:
- name: payment-route
service: payment-service
paths: ["/api/payments"]
methods: ["GET", "POST"]
- name: user-route
service: user-service
paths: ["/api/users"]
methods: ["GET", "POST", "PUT", "DELETE"]
Envoy: The High-Performance Option
Architecture
Envoy is a C++ proxy designed for cloud-native applications:
- L4 proxy: TCP/UDP routing
- L7 proxy: HTTP/2 and gRPC
- Service discovery: Various backends
- Observability: Stats, tracing, logging
Configuration
# envoy.yaml
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 8080
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress
route_config:
name: local_route
virtual_hosts:
- name: backend
domains: ["*"]
routes:
- match:
prefix: "/api/payment"
route:
cluster: payment_service
- match:
prefix: "/api/user"
route:
cluster: user_service
http_filters:
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: payment_service
type: EDS
lb_policy: ROUND_ROBIN
health_checks:
- timeout: 1s
interval: 10s
unhealthy_threshold: 3
healthy_threshold: 2
http_health_check:
path: /health
- name: user_service
type: EDS
lb_policy: ROUND_ROBIN
Rate Limiting
# Envoy rate limit
- name: envoy.filters.http.local_ratelimit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
stat_prefix: http_local_rate_limiter
token_bucket:
max_tokens: 10000
tokens_per_period: 10000
period: 1s
filter_enabled:
runtime_key: local_rate_limit_enabled
default_value:
numerator: 100
denominator: HUNDRED
API Gateway Comparison
| Feature | Kong | Envoy | AWS API Gateway | Azure API Management |
|---|---|---|---|---|
| Deployment | Self-hosted | Self-hosted | Managed | Managed |
| Protocol Support | HTTP, REST, gRPC | HTTP, gRPC, WebSocket | HTTP, REST, WebSocket | HTTP, REST |
| Plugins | Extensive | Limited | Moderate | Moderate |
| Performance | Good | Excellent | Good | Good |
| Learning Curve | Low | High | Low | Medium |
| Cost | Open source | Open source | Pay per use | Pay per use |
Best Practices
1. Use Defense in Depth
# Multiple layers of protection
layers:
- API Gateway: Rate limiting, auth
- Service: Input validation
- Database: Row-level security
2. Implement Caching
# Kong response caching
curl -X POST http://kong:8001/routes/payment-api/plugins \
-d "name=response-cache" \
-d "config.cache_response_codes=[200]" \
-d "config.request_cache_control_header=true" \
-d "config.ttl=60"
3. Monitor Everything
# Kong logging to ELK
curl -X POST http://kong:8001/routes/payment-api/plugins \
-d "name=syslog" \
-d "config.log_level=info" \
-d "config.writers=[{syslog_address: logstash, syslog_port: 514}]"
4. Use Health Checks
# Kong upstream health checks
curl -X POST http://kong:8001/upstreams/payment-service/health \
-d "healthchecks=\
{\
\"active\": {\
\"http_path\": \"/health\",\
\"timeout\": 1,\
\"healthy\": 2\
}\
}"
Common Patterns
Canary Deployments
# Traffic splitting
- name: traffic-split
config:
targets:
- weight: 90
target: payment-service-v1
- weight: 10
target: payment-service-v2
Request Validation
# Kong request validation
curl -X POST http://kong:8001/services/payment-service/plugins \
-d "name=request-validator" \
-d "config.body_schema={\
\"type\": \"object\",\
\"properties\": {\
\"amount\": {\"type\": \"number\"},\
\"currency\": {\"type\": \"string\"}\
}\
}"
GraphQL Support
# Kong GraphQL protection
curl -X POST http://kong:8001/routes/graphql-api/plugins \
-d "name=graphql-rate-limiting" \
-d "config-max-cost=1000"
Conclusion
API gateways are essential infrastructure for microservices architectures. Whether you choose Kong’s plugin ecosystem or Envoy’s performance, implementing an API gateway provides centralized control over authentication, rate limiting, and observability.
In 2026, API gateways continue to evolve with support for gRPC, WebSocket, and GraphQL. The key is choosing the right gateway for your use case and implementing defense in depth across your architecture.
Comments