What is an API Gateway (from a Networking Perspective)?
Learn what an API gateway is, how it routes, authenticates, and rate-limits requests to microservices — with interview Q&A.
Expected Interview Answer
An API gateway is a single, network-facing entry point that sits in front of a collection of backend services and handles cross-cutting request concerns — routing, authentication, rate limiting, and protocol translation — before forwarding each request to the correct downstream service.
From a pure networking standpoint, an API gateway is a specialized reverse proxy operating at Layer 7 (application layer): it terminates the client connection, parses the request path or headers to decide which microservice should handle it, and opens a separate connection to that backend on the client’s behalf. Beyond simple routing, it commonly enforces authentication and authorization, applies per-client rate limiting and quotas, aggregates responses from multiple services into one, and translates between protocols such as public REST/HTTP and internal gRPC. Because every external request funnels through this single choke point, it becomes the natural place to centralize logging, metrics, and security policy that would otherwise need to be duplicated in every microservice. Popular implementations include Kong, Amazon API Gateway, and Apigee.
- Single entry point centralizes auth, rate limiting, and routing
- Decouples public API surface from internal microservice topology
- Enables protocol translation between external and internal formats
- Centralizes observability (logging, metrics) for all API traffic
AI Mentor Explanation
An API gateway is like a stadium’s single accreditation checkpoint that every visitor — players, press, vendors — must pass through before reaching any internal area. The checkpoint checks credentials, decides which internal zone the visitor is authorized to enter, and directs them there, rather than each internal zone checking IDs independently. It also logs every entry centrally so security has one record instead of scattered logs per gate. This single controlled entry point deciding routing and access for every visitor is exactly what an API gateway does for backend service traffic.
Step-by-Step Explanation
Step 1
Request arrives at the gateway
A client sends a request to the gateway’s single public endpoint, terminating the connection at Layer 7.
Step 2
Authenticate and authorize
The gateway validates the client’s token or API key and checks it is permitted to call the requested resource.
Step 3
Route and rate-limit
Based on the path or headers, the gateway selects the correct downstream microservice and enforces per-client rate limits or quotas.
Step 4
Forward, translate, and respond
The gateway forwards the request (translating protocols if needed), waits for the backend response, and returns it to the client, optionally aggregating multiple service calls.
What Interviewer Expects
- Distinguishes API gateway from a plain reverse proxy (adds auth, rate limiting, aggregation)
- Explains it operates at the application layer (Layer 7)
- Understands it decouples public API surface from internal service topology
- Names real tools (Kong, Amazon API Gateway, Apigee)
Common Mistakes
- Treating an API gateway as identical to a basic load balancer
- Forgetting authentication/authorization is a core gateway responsibility
- Not knowing gateways can aggregate multiple backend calls into one response
- Assuming a gateway operates below Layer 7, e.g. at the transport layer
Best Answer (HR Friendly)
“An API gateway is the single front door that all outside requests to a company’s services go through before reaching the actual backend systems. It checks who is calling, makes sure they are allowed to make that request, decides which internal service should handle it, and can even limit how many requests someone makes to keep the system healthy — all in one place instead of every internal service handling that separately.”
Code Example
# kong.yml
services:
- name: orders-service
url: http://orders-internal.svc:8080
routes:
- name: orders-route
paths: ["/api/orders"]
plugins:
- name: key-auth
- name: rate-limiting
config:
minute: 60
policy: localFollow-up Questions
- How does an API gateway differ from a plain reverse proxy?
- How does an API gateway handle protocol translation between REST and gRPC?
- What is response aggregation and when does a gateway perform it?
- How would you design rate limiting per API key at the gateway layer?
MCQ Practice
1. At which OSI layer does an API gateway primarily operate?
API gateways inspect HTTP paths, headers, and payloads, which is application-layer (Layer 7) behavior.
2. Which capability distinguishes an API gateway from a plain reverse proxy?
API gateways build on reverse proxy routing with cross-cutting concerns like auth, rate limiting, and aggregation.
3. Why do clients benefit from an API gateway hiding internal microservice topology?
Hiding topology means internal services can evolve independently of the stable public API surface.
Flash Cards
What is an API gateway? — A single entry point that routes, authenticates, and rate-limits requests to backend microservices.
What OSI layer does it operate at? — Layer 7 (Application layer).
How does it differ from a reverse proxy? — It adds auth, rate limiting, and response aggregation on top of routing.
Name a real API gateway product. — Kong, Amazon API Gateway, or Apigee.