Mastering API Gateways: Design Principles, Types, and Best Practices
This comprehensive guide explains what API gateways are, why they are essential in micro‑service architectures, outlines core design concepts such as routing, load‑balancing, elasticity and security, compares popular implementations like Kong, Zuul and Spring Cloud Gateway, and offers practical design considerations for high‑performance, highly‑available, and scalable gateway solutions.
This article covers seven key topics about API gateways: basic concepts, design ideas, design focus, traffic gateways, business gateways, and a comparison of common gateways.
What Is a Gateway
A gateway connects two different networks and can perform packaging, unlike a bridge, which only forwards frames at the data‑link layer.
Colloquial Understanding
Using an office building analogy, a gateway acts as a guarded entrance that authenticates visitors, routes requests dynamically, and may add packaging before forwarding them to backend services, thereby reducing client‑server coupling.
Why a Gateway Is Needed
In micro‑service architectures, exposing each service directly creates security issues and tight coupling; a gateway centralizes functions like authentication, routing, load‑balancing, and resilience.
Gateway and Server Cluster
Gateways can be deployed per service instance, per service group, or globally, which reduces architectural complexity.
Gateway Design Ideas
A gateway should provide the following functions:
1. Request Routing
Clients send all requests to the gateway, which forwards them to appropriate backend services without the client needing to know service addresses.
2. Service Registration
Backend services register their endpoints (e.g., HTTP REST URIs) so the gateway can route requests correctly.
3. Load Balancing
The gateway distributes traffic among service instances using strategies such as round‑robin, weighted distribution, or session affinity.
4. Elastic Design
Features like asynchronous processing, retries, idempotency, flow control, circuit breaking, and monitoring are implemented within the gateway.
5. Security
SSL termination, session validation, authorization, data validation, and protection against malicious attacks are handled at the gateway level.
Gray Release
The gateway can route traffic to different service versions and collect related metrics, aiding software quality and product experimentation.
API Aggregation
Multiple backend requests can be combined into a single request, reducing client‑server round trips and improving performance.
API Orchestration
Complex business flows can be defined and executed via the gateway, similar to a workflow engine.
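The request-routing, load-balancing and security functions listed above meet in one request path, shown here in Go as an added example (not code from the original article or from any gateway it names). The `Gateway` and `Route` types, the `X-User-Id` header and the in-memory token table are assumptions for illustration, and each route is assumed to have at least one instance. Backends that trust an identity header are only safe if the gateway deletes the client's copy before setting its own.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync/atomic"
)

// Route maps a path prefix to the instances registered for one service.
type Route struct {
	Prefix    string
	Instances []*url.URL
	next      uint64 // round-robin cursor
}

// Gateway: Tokens (bearer token -> user ID) stands in for real session validation.
type Gateway struct {
	Routes []*Route
	Tokens map[string]string
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	r.Header.Del("X-User-Id") // never trust an identity header from the client
	auth := r.Header.Get("Authorization")
	user, ok := g.Tokens[strings.TrimPrefix(auth, "Bearer ")]
	if !ok || !strings.HasPrefix(auth, "Bearer ") {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	for _, rt := range g.Routes {
		if strings.HasPrefix(r.URL.Path, rt.Prefix) {
			n := atomic.AddUint64(&rt.next, 1) // round-robin over instances
			r.Header.Set("X-User-Id", user)    // identity asserted by the gateway
			target := rt.Instances[n%uint64(len(rt.Instances))]
			httputil.NewSingleHostReverseProxy(target).ServeHTTP(w, r)
			return
		}
	}
	http.NotFound(w, r)
}

func main() {
	orders, _ := url.Parse("http://127.0.0.1:9001") // assumed backend address
	gw := &Gateway{Tokens: map[string]string{"demo-token": "alice"},
		Routes: []*Route{{Prefix: "/orders/", Instances: []*url.URL{orders}}}}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", gw))
}
```

Authentication runs before route matching, so an unauthenticated caller gets 401 for every path and cannot map the route table from 404 responses.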
Gateway Design Focus
The three main focuses are high performance, high availability, and high scalability.
1. High Performance
Implementations should use high‑performance languages (C, C++, Go, Java) and asynchronous non‑blocking I/O to avoid becoming a bottleneck.
2. High Availability
The gateway must avoid single‑point failure through clustering, hot‑reloading configurations, and graceful restarts.
Clustering – the gateway should form its own cluster and synchronize data internally.
Service‑oriented – support runtime configuration changes via an Admin API.
Graceful Restart – new processes handle new requests while old ones finish existing work before exiting.
3. High Scalability
The gateway should be extensible for business logic, allowing plug‑in development or module extensions.
Operational principles include loose business coupling, tight protocol coupling, application monitoring with tracing IDs, anomaly detection, and DevOps practices for reliability.
Gateway Design Considerations
Avoid embedding aggregation logic directly in gateway code; use plug‑ins or serverless functions.
Place the gateway close to backend services on the same internal network to reduce latency.
Scale the gateway horizontally via DNS round‑robin, CDN, or dedicated load balancers.
Cache service discovery results when appropriate.
Consider bulkhead designs to isolate traffic for different backend services.
Traffic Gateway
A traffic gateway controls inbound traffic, handling global policies such as monitoring, logging, rate limiting, black‑/white‑listing, and load balancing, similar to a firewall.
Kong is a typical traffic gateway.
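One way a traffic gateway can apply a deny list and a per-client rate limit, added here as an illustration in Go (not Kong's implementation and not code from the original article). The `Limiter` type is hypothetical, and the gateway is assumed to sit behind load balancers whose addresses are listed in `Trusted`; only those peers may supply `X-Forwarded-For`, because otherwise any client could choose its own rate-limit key or step around the deny list.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Limiter (hypothetical type): fixed-window per-client limit plus a deny list.
type Limiter struct {
	Limit         int             // requests allowed per client per Window
	Window        time.Duration   // counters reset when it elapses
	Deny, Trusted map[string]bool // blocked client IPs; proxies allowed to set XFF
	mu            sync.Mutex
	start         time.Time
	hits          map[string]int
}

// ClientIP trusts X-Forwarded-For only from a trusted peer, and then only its last entry.
func (l *Limiter) ClientIP(r *http.Request) string {
	peer, _, _ := net.SplitHostPort(r.RemoteAddr)
	xff := strings.Split(strings.Join(r.Header.Values("X-Forwarded-For"), ","), ",")
	if last := strings.TrimSpace(xff[len(xff)-1]); l.Trusted[peer] && last != "" {
		return last // appended by our own proxy, so not client-controlled
	}
	return peer
}

func (l *Limiter) Check(ip string, now time.Time) int {
	if l.Deny[ip] {
		return http.StatusForbidden // on the deny list
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	if now.Sub(l.start) >= l.Window {
		l.start, l.hits = now, map[string]int{} // new window: drop old counters
	}
	if l.hits[ip]++; l.hits[ip] > l.Limit {
		return http.StatusTooManyRequests // over the per-client limit
	}
	return http.StatusOK
}

func main() {
	l := &Limiter{Limit: 1, Window: time.Minute} // constructed client address below
	fmt.Println(l.Check("198.51.100.7", time.Now()), l.Check("198.51.100.7", time.Now()))
}
```

The fixed window resets every counter at once, which bounds memory but lets a client send up to twice `Limit` across a window boundary.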
Business Gateway
Business gateways sit after the traffic gateway, closer to application services, handling functions like authentication, logging, encryption, circuit breaking, and API management.
Common Gateway Comparison
Open‑source gateways are categorized by language:
Nginx+Lua: OpenResty, Kong, Orange, etc.
Java: Zuul, Spring Cloud Gateway, Gravitee, Dromara Soul, etc.
Go: Janus, fagongzi, grpc‑gateway.
.NET: Ocelot.
NodeJS: Express Gateway, Micro Gateway.
The mainstream choices are OpenResty, Kong, Zuul (1.0/2.0), and Spring Cloud Gateway.
OpenResty
OpenResty builds on Nginx and Lua, providing a high‑performance web platform for handling massive concurrent requests.
Kong
Kong, based on OpenResty, is a cloud‑native, scalable API gateway offering authentication, traffic control, monitoring, and plugin extensibility.
For Kong plugins and configuration, see the tutorial at https://www.jianshu.com/p/a68e45bcadb6
Zuul 1.0
Zuul is Netflix’s edge service that supports dynamic routing, monitoring, resilience, and security.
Zuul 2.0
Zuul 2 adopts an asynchronous, non‑blocking Netty architecture, improving throughput by about 20% over Zuul 1.
Spring Cloud Gateway
Spring Cloud Gateway, built on Spring 5, Spring Boot 2, and Project Reactor, provides a reactive, high‑performance gateway using Netty.
Key features include integration with Hystrix, DiscoveryClient, predicate‑based routing, and filters for security, monitoring, and rate limiting.
Gateway Comparison Chart
Source: developer.aliyun.com/article/889271
This article has been distilled and summarized from source material, then republished for learning and reference.
