What is an API Gateway?
Learn what an API Gateway does, how it differs from a service mesh, and its role in auth, rate limiting, and routing — with an interview answer.
Expected Interview Answer
An API Gateway is a single, managed entry point that sits in front of a set of backend services, handling cross-cutting concerns like authentication, rate limiting, request routing, and response aggregation so individual services do not each reimplement them.
Instead of clients calling dozens of microservices directly, they call the gateway, which routes each request to the correct backend based on path, header, or version, terminates TLS, validates API keys or JWTs, applies rate limits per client, and can aggregate multiple backend calls into one response for the client. This centralizes concerns like authentication and throttling so they are enforced consistently in one place rather than duplicated across every service, and it also gives operators a single place to observe traffic, apply canary routing, and version APIs without touching backend code. An API Gateway differs from a service mesh in scope: the gateway manages north-south traffic between external clients and the system’s edge, while a service mesh manages east-west traffic between internal services, though both apply similar concepts like retries and observability. Popular implementations range from managed cloud offerings like AWS API Gateway and Kong to self-hosted Envoy-based gateways.
- Single point for authentication, rate limiting, and TLS termination
- Decouples client-facing API versioning from internal service refactors
- Centralized observability and traffic control at the system edge
- Enables response aggregation, reducing client-side round trips
AI Mentor Explanation
An API Gateway is like a team’s official media liaison who is the single point of contact for every journalist, checking press credentials, limiting how many questions each outlet can ask, and routing specific questions to the right player instead of reporters chasing eleven different players directly. If a journalist asks something covering both batting and bowling, the liaison collects answers from both specialists and returns one combined statement. This keeps individual players from being overwhelmed and ensures a consistent, controlled message reaches the public. The liaison also tracks exactly who asked what, giving management a single record of all media interactions.
Step-by-Step Explanation
Step 1
Receive the client request
The gateway terminates TLS and accepts the incoming request as the single external entry point.
Step 2
Authenticate and authorize
It validates API keys, JWTs, or OAuth tokens before any backend is reached.
Step 3
Apply policy
Rate limiting, quota enforcement, and request/response transformation happen centrally at the gateway.
Step 4
Route and aggregate
The request is routed to the correct backend service, optionally aggregating multiple backend calls into one response.
What Interviewer Expects
- Understanding that the gateway is a single entry point for north-south traffic
- Ability to list cross-cutting concerns it centralizes: auth, rate limiting, TLS, routing
- Awareness of the difference between an API gateway and a service mesh
- Knowledge of concrete gateway products or patterns (Kong, AWS API Gateway, Envoy-based)
Common Mistakes
- Confusing an API Gateway with a plain load balancer
- Not distinguishing north-south (gateway) from east-west (service mesh) traffic
- Assuming the gateway must be a single point of failure rather than horizontally scaled
- Forgetting authentication/authorization as a primary gateway responsibility
Best Answer (HR Friendly)
“An API Gateway is the single front door that all external traffic goes through before it reaches our internal services. It handles things like checking who is allowed to call the API, limiting how many requests they can make, and routing each call to the right service, so we do not have to build that same logic into every single microservice.”
Code Example
_format_version: "3.0"
services:
- name: orders-service
url: http://orders.internal:8080
routes:
- name: orders-route
paths:
- /api/orders
plugins:
- name: rate-limiting
config:
minute: 100
policy: local
- name: jwtFollow-up Questions
- How does an API Gateway differ from a service mesh?
- How would you version an API through a gateway without breaking existing clients?
- How does a gateway avoid becoming a single point of failure?
- What is response aggregation and when would you use it at the gateway layer?
MCQ Practice
1. What kind of traffic does an API Gateway primarily manage?
An API Gateway sits at the system edge, managing north-south traffic between external clients and internal services.
2. Which of these is a typical API Gateway responsibility?
API Gateways centralize cross-cutting concerns like authentication, rate limiting, and TLS termination for incoming client traffic.
3. How does an API Gateway differ from a service mesh?
Gateways focus on the client-facing edge, while service meshes focus on internal service-to-service communication, though both share concepts like routing and observability.
Flash Cards
What is an API Gateway? — A single entry point handling auth, rate limiting, routing, and aggregation for backend services.
North-south vs east-west traffic? — Gateway manages north-south (client-to-system); service mesh manages east-west (service-to-service).
Name two gateway concerns centralized at the edge. — Authentication/authorization and rate limiting.
Give an example API Gateway product. — Kong, AWS API Gateway, or an Envoy-based gateway.