API Gateway

What Is an API Gateway and How Does It Work?

What exactly is an API gateway? This article explains what it is, which problems it solves, and how it works in practice.

Do We Need An API Gateway?

If you have only a small number of APIs and clients, and do not plan to expand your API landscape, you may not need an API gateway yet. In simple setups, clients can communicate directly with backend services without introducing additional infrastructure.

Direct communication between API client and backend service

As time passes, the number of APIs and clients typically increases. Requirements become more complex, and APIs may need to be exposed to external partners over the public internet.

At this stage, operating APIs becomes more difficult. Security, monitoring, and access control must be implemented for each backend individually. These services often run on different platforms and use different mechanisms for authentication and logging. This leads to duplicated effort, inconsistent security policies, and increased operational overhead.

This is the point where an API gateway becomes useful. It introduces a central layer that handles cross-cutting concerns such as security, traffic control, and monitoring.

Instead of implementing these concerns in every service, the API gateway manages them in one place. This simplifies backend services and ensures consistent behavior across all APIs.

How an API Gateway Works

An API gateway works by acting as the single entry point for all communication between clients and backend services. To achieve this, all API traffic must pass through the gateway.

This is done by placing the API gateway in front of the backend services. Instead of calling a backend directly, clients are configured to send requests to the gateway. For example, rather than connecting to an internal host such as server7.local, the client connects to an endpoint like api.predic8.de. Using a subdomain such as api for the API gateway is a common practice.

The API gateway acts as a proxy that exposes the same API interface as the backend. From the client’s perspective, there is no difference between calling the backend directly and going through the gateway. The gateway receives the request, applies policies such as authentication, and then forwards it to the appropriate service.

To ensure that all traffic flows through the API gateway, direct access to backend services must be restricted. This can be achieved through network routing, firewall configuration, or by allowing access only from the gateway. A common approach is to establish trust between the gateway and backend services using mutual TLS (mTLS) with certificates.

Network gateways operate at the IP layer and route Internet Protocol packets. In contrast, an API gateway works at a higher level in the network stack, the application layer. Instead of routing raw network traffic, an API gateway understands application protocols such as HTTP. This allows it to make routing decisions based on API-specific information, including the HTTP method (GET, POST, etc.) and the request path.

For example, a request to /products can be routed to one service, while a request to /orders is routed to another.

Other gateway functions such as access control, rate limiting, and monitoring are also implemented at the application layer using HTTP.

API gateway operating at the application layer compared to network layer routing

To securely expose internal APIs to the public internet, an API gateway can be placed in the demilitarized zone (DMZ). The DMZ is a perimeter network located between the external and internal networks.

Typically, there is no direct IP routing between these networks. Instead, all communication must pass through an application-layer gateway such as an API gateway.

The gateway has two “legs”: one in the external network and one in the internal network. It routes HTTP traffic between both sides while applying security policies to protect internal services.

Many of the concepts described so far also apply to HTTP reverse proxies. In fact, an API gateway is essentially built on top of HTTP proxy functionality.

However, API gateways go beyond HTTP proxies. They extend basic proxy capabilities with API-specific features that are not typically provided by standard proxies.

In addition to handling HTTP, an API gateway understands API technologies such as OpenAPI, JSON, OAuth2, and JSON Web Tokens (JWT). This allows it to validate requests, enforce security policies, and manage API traffic at a higher level.

API-specific functionality can be applied to a single API or to the entire API gateway by inserting interceptors into the request or response flow.

Different API gateway products use different terms for these components. They are commonly called interceptors, plugins, or policies.
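The routing on HTTP method and path described above, combined with an interceptor chain that runs before the request is forwarded, as an added example (not code from the article or from any gateway product). Backend hostnames, the API key table, and the rate limit are constructed for the example.

```python
# Added example: a minimal application-layer gateway that routes on
# HTTP method and path and runs an interceptor chain first.
# Hostnames, API keys and limits below are constructed, not real.
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

# Routing table: (path prefix, allowed methods, backend). Constructed hosts.
ROUTES = [
    ("/products", {"GET"}, "products.internal:8080"),
    ("/orders", {"GET", "POST"}, "orders.internal:8081"),
]

API_KEYS = {"key-alice": "alice"}   # constructed: API key -> client id
RATE_LIMIT = 3                      # requests per client for this demo
_counters = {}

def auth_interceptor(req, ctx):
    """Reject requests without a known API key; record the client in ctx."""
    client = API_KEYS.get(req.headers.get("X-API-Key"))
    if client is None:
        return 401, "unauthorized"
    ctx["client"] = client
    return None

def rate_limit_interceptor(req, ctx):
    """Count requests per authenticated client and block above the limit."""
    client = ctx["client"]
    _counters[client] = _counters.get(client, 0) + 1
    if _counters[client] > RATE_LIMIT:
        return 429, "too many requests"
    return None

def route(req):
    """Pick the backend by path prefix, then check the method is allowed."""
    for prefix, methods, backend in ROUTES:
        if req.path == prefix or req.path.startswith(prefix + "/"):
            return (200, backend) if req.method in methods else (405, None)
    return 404, None

def handle(req, interceptors=(auth_interceptor, rate_limit_interceptor)):
    """Run interceptors in order; the first that returns a response
    short-circuits the chain. Otherwise return (200, backend) to forward to."""
    ctx = {}
    for interceptor in interceptors:
        result = interceptor(req, ctx)
        if result is not None:
            return result
    return route(req)
```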

Responsibilities

Backend services and applications typically provide business functionality and logic. An API gateway adds cross-cutting concerns that help operate APIs securely and efficiently at scale.

Some of these responsibilities overlap with other infrastructure components such as web application firewalls and load balancers. However, the API gateway provides a unified, API-focused layer that combines these capabilities.

Incoming, Outgoing, and Internal API Gateways

API gateways are often placed at the boundaries between different networks. Depending on these boundaries, we distinguish between incoming, outgoing, and internal API gateways. A single API gateway can take on all three roles, but in some cases it makes sense to separate them into different deployments.

Incoming API gateways expose APIs to external clients such as customers or partners over the public internet. This introduces significant security risks, which the gateway helps to manage through authentication, authorization, and traffic control.

Outgoing API gateways handle calls from internal systems to external APIs. The gateway controls which applications may call external APIs, which operations they can access, and what data is allowed to leave the organization. It can also enforce an allow list of approved external APIs and block access to unapproved or unreleased APIs. Outgoing traffic is often overlooked, but it can also pose risks. Sensitive data may leave the organization, and if an external system is compromised, malicious responses could be used as part of an attack.
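The outgoing-gateway controls described above (which application may call which external API and operation, and what data may leave), as an added example that is not part of the article. Caller names, external hosts, and the blocked field names are constructed; the caller identity is assumed to have been established by the gateway already, for example from an mTLS client certificate.

```python
# Added example: an egress policy check for an outgoing API gateway.
# Callers, hosts and blocked field names are constructed for the demo.
import json

# caller -> {external host -> allowed HTTP methods}; constructed allow list
EGRESS_ALLOW = {
    "crm-app": {"api.payments.example": {"POST"}, "api.geo.example": {"GET"}},
    "reporting": {"api.geo.example": {"GET"}},
}
# JSON field names that must never leave the organization (constructed)
BLOCKED_FIELDS = {"ssn", "password"}

def find_blocked_fields(obj, path=""):
    """Recursively collect JSON paths of fields that must not be sent out."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in BLOCKED_FIELDS:
                hits.append(child)
            hits.extend(find_blocked_fields(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_blocked_fields(value, f"{path}[{i}]"))
    return hits

def check_egress(caller, method, host, body=None):
    """Return (allowed, reason) for an outbound call from an internal app."""
    hosts = EGRESS_ALLOW.get(caller)
    if hosts is None:
        return False, "unknown caller"
    if host not in hosts:
        return False, f"host {host} not on allow list for {caller}"
    if method not in hosts[host]:
        return False, f"{method} not allowed on {host}"
    if body:
        try:
            data = json.loads(body)
        except ValueError:
            return False, "body is not valid JSON"
        leaks = find_blocked_fields(data)
        if leaks:
            return False, "blocked fields: " + ", ".join(leaks)
    return True, "ok"
```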

Internal API gateways route traffic within the organization. Internal API traffic may pass through a gateway for reasons such as network segmentation, security enforcement, integration between systems, or usage tracking and billing.

Kinds of API Gateway

In the past, companies often used a single API gateway for all use cases. Most API gateway products are flexible and can serve multiple purposes. However, over time many organizations discovered that certain scenarios are not well supported by a single gateway. As a result, specialized API gateways have emerged for different use cases.

Kind: Description
Microgateway: Lightweight API gateway designed to run many instances with minimal resource usage. In container environments such as Kubernetes, it is not uncommon to deploy one gateway per application or service.
Legacy Gateway: Focused on integrating legacy systems and protocols. Often provides strong support for XML technologies such as XSLT and XPath, as well as web service standards like SOAP and WSDL.
AI Gateway: Manages traffic related to artificial intelligence and large language models. Helps control costs, restrict capabilities, and govern interactions, for example when using the Model Context Protocol (MCP).
Cloud Gateway: Controls API traffic to cloud-based services. Major cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud offer integrated API gateways, but independent solutions can also be used.
Edge Gateway: A globally distributed gateway that provides low-latency API access close to users. It improves user experience and is especially valuable for latency-sensitive and real-time applications.

Summary

In API management, API gateways take on an enforcement role. They act like guards at the entrance, controlling what passes through and ensuring that defined policies are consistently applied.

They centralize concerns such as security, traffic control, and monitoring, allowing backend services to focus on business logic.

In our API Gateway Handbook, you can find more detailed information about key concepts and many examples.

This overview provides a foundation for understanding how API gateways work and why they are an important part of modern API architectures.