What Is an API Gateway and How Does It Work?
What exactly is an API gateway? This article explains what it is, which problems it solves, and how it works in practice.
Who needs an API Gateway?
For a small number of APIs, few clients, and non-critical use cases, an API gateway is usually not needed. In simple setups, clients can communicate directly with backend services without introducing additional infrastructure.
As time passes, the number of APIs and clients typically increases. Requirements become more complex, and APIs may need to be exposed to external partners over the public internet.
Operating APIs now becomes more challenging. Security, monitoring, and access control must be implemented in each backend service. These services often run on different platforms and use different mechanisms for authentication and logging. This leads to duplicated effort, inconsistent security policies, and higher operational overhead.
At this point, an API gateway becomes valuable. It introduces a central layer that handles cross-cutting concerns such as security, traffic control, and monitoring.
Instead of implementing these concerns in every service, the API gateway manages them in one place. This simplifies backend services and enforces consistent behavior across all APIs.
How an API Gateway Works
An API gateway works by acting as the single entry point for all communication between clients and backend services. To achieve this, all API traffic must pass through the gateway.
This is done by placing the API gateway in front of the backend services. Instead of calling a backend directly, clients are configured to send requests to the gateway. For example, rather than connecting to an internal host such as server7.local, a client connects to an endpoint like api.predic8.de. Using a dedicated subdomain such as api is a common practice.
The API gateway acts as a proxy that exposes the same interface as the backend. From the client’s perspective, there is no visible difference. The gateway receives the request, applies policies such as authentication, and forwards it to the appropriate service.
To ensure that all traffic flows through the gateway, direct access to backend services must be restricted. This can be achieved through network routing, firewall rules, or by allowing access only from the gateway. A common approach is to establish trust between the gateway and backend services using mutual TLS (mTLS).
Unlike network gateways, which operate at the IP layer, an API gateway works at the application layer of the network stack.
Instead of routing raw network packets, the API gateway understands application protocols such as HTTP. This allows it to make routing decisions based on API-specific information such as HTTP methods (GET, POST) and request paths.
For example, a request to /products can be routed to one service, while a request to /orders is routed to another.
Functions such as access control, rate limiting, and monitoring are also implemented at the application layer.
To securely expose internal APIs to the public internet, an API gateway can be deployed in a demilitarized zone (DMZ), a network segment between external and internal systems.
Typically, there is no direct routing between these networks. All communication must pass through an application-layer gateway such as an API gateway.
The gateway has two network interfaces: one facing the external network and one facing internal services. It routes traffic between both sides while applying security controls. Each side can belong to a different network.
Many of these concepts also apply to HTTP reverse proxies. An API gateway builds on this foundation.
However, API gateways extend reverse proxies with API-specific capabilities.
They understand technologies such as OpenAPI, JSON, OAuth2, and JSON Web Tokens (JWT). This allows them to validate requests, enforce security policies, and manage API traffic at a higher level.
These capabilities are typically implemented as components in the request and response flow. Depending on the product, they are called interceptors, plugins, or policies.
Responsibilities
Backend services implement business logic. An API gateway adds cross-cutting concerns that help operate APIs securely and efficiently at scale.
- Routing: Forwarding requests to the appropriate backend service.
- Security: Authenticating clients (OAuth2, API keys) and authorizing access. Protecting against attacks targeting JSON, XML, and GraphQL. Validating requests against OpenAPI, GraphQL schemas, WSDL, or XML Schema.
- Operations: Collecting metrics and logs to understand API usage. Serving as an entry point for distributed tracing.
- Integration: Transforming requests and responses to bridge different formats and protocols.
- Legacy Integration: Exposing existing systems through modern interfaces, for example by providing a REST façade for a legacy web service.
- Load Balancing: Distributing traffic across multiple backend instances.
- Accounting and Billing: Tracking API usage and allocating costs, for example for expensive AI or external service calls.
Some of these responsibilities overlap with other infrastructure components such as web application firewalls and load balancers. However, the API gateway provides a unified, API-focused layer that combines these capabilities.
Incoming, Outgoing, and Internal API Gateways
API gateways are often placed at the boundaries between networks. Based on their position, they can be classified as incoming, outgoing, or internal gateways. A single gateway can fulfill all three roles, but in larger architectures they are often deployed separately.
Incoming API gateways expose APIs to external clients such as customers or partners over the public internet. This increases the attack surface, so the gateway enforces security measures such as authentication, authorization, and traffic control.
Outgoing API gateways manage calls from internal systems to external APIs. They control which applications are allowed to access external services, which operations they may use, and what data can leave the organization. They can also enforce an allow list of approved APIs and block access to unapproved endpoints. Outgoing traffic is often underestimated as a risk: sensitive data may be exposed, and compromised external services could return malicious responses.
Internal API gateways route traffic within the organization. They are used for network segmentation, consistent security enforcement, system integration, and tracking API usage.
Kinds of API Gateway
In the past, organizations often used a single API gateway for all use cases. Most gateway products are flexible and can serve multiple purposes. Over time, however, it became clear that some scenarios are not well supported by a single deployment. As a result, specialized API gateways have emerged for different use cases.
| Kind | Description |
|---|---|
| Microgateway | Lightweight API gateway designed to run many instances with minimal resource usage. In container environments such as Kubernetes, it is common to deploy one gateway per application or service. |
| Legacy Integration Gateway | Focused on integrating legacy systems and protocols. Typically provides strong support for XML technologies such as XSLT and XPath, as well as web service standards like SOAP and WSDL. |
| AI Gateway | Manages traffic related to artificial intelligence and large language models. Helps control costs, restrict capabilities, and govern interactions, for example when using model context protocols (MCP). |
| Cloud Gateway | Controls API traffic to cloud-based services. Major cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud offer integrated API gateways, but independent solutions can also be used. |
| Edge Gateway | Globally distributed gateway that provides low-latency API access close to users. Improves user experience and is especially useful for latency-sensitive and real-time applications. |
Summary
In API management, API gateways take on an enforcement role. They act as a control point at the system boundary, ensuring that defined policies are consistently applied.
They centralize concerns such as security, traffic control, and monitoring, allowing backend services to focus on business logic.
Further details and practical examples are available in the API Gateway Handbook:
This overview provides a foundation for understanding how API gateways work and why they are a key component of modern API architectures.