
Tuesday, October 7, 2025

🌐 API Gateway in Microservices

 🔑 What is an API Gateway?

  • An API Gateway is a single entry point for all client requests in a microservices architecture.

  • Instead of the client calling each microservice directly, requests go through the Gateway, which:

    • Routes the request to the right microservice.

    • Applies authentication, rate limiting, caching, logging, transformation, etc.

  • It’s like a traffic controller for microservices.

Popular API Gateways

  • Ocelot (for .NET Core)

  • Azure API Management (APIM)

  • Kong, NGINX, Zuul, AWS API Gateway, Istio


⚙️ How to Configure and Use API Gateway

Example: Ocelot in .NET Core

  1. Install Ocelot

    dotnet add package Ocelot

  2. Configure Startup.cs

    using Ocelot.DependencyInjection;
    using Ocelot.Middleware;

    // Register Ocelot's services.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddOcelot();
    }

    // Add the Ocelot middleware to the request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseOcelot().Wait();
    }

  3. Add ocelot.json

    {
      "Routes": [
        {
          "DownstreamPathTemplate": "/api/products",
          "UpstreamPathTemplate": "/products",
          "DownstreamScheme": "http",
          "DownstreamHostAndPorts": [
            { "Host": "localhost", "Port": 5001 }
          ]
        }
      ],
      "GlobalConfiguration": {
        "BaseUrl": "https://localhost:5000"
      }
    }

👉 Now, clients call https://localhost:5000/products and Ocelot forwards to http://localhost:5001/api/products.


🔒 How to Authenticate in API Gateway

Approaches:

  1. JWT Authentication

    • Client gets a JWT token from Identity Service.

    • API Gateway validates the token before forwarding.

    • Example Ocelot config:

    "AuthenticationOptions": { "AuthenticationProviderKey": "TestKey", "AllowedScopes": [] }
  2. API Keys

    • Clients pass an API Key in the header → Gateway validates.

  3. OAuth2 / OpenID Connect

    • API Gateway integrates with Identity Provider (Azure AD, Okta, IdentityServer).

  4. mTLS (Mutual TLS)

    • Client certificates are validated at the Gateway.
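
A check for the route configuration above, as an added example (not from the original post or the Ocelot project): it parses an ocelot.json and flags routes that have no AuthenticationProviderKey, an empty AllowedScopes list, or a plain-HTTP downstream on a non-loopback host. The /orders route and the host orders.internal.example are constructed for illustration, and only the keys shown on this page are inspected.

```python
import json

# Constructed sample: the page's /products route plus a hypothetical /orders
# route carrying the AuthenticationOptions fragment from the JWT item above.
SAMPLE_OCELOT_JSON = """
{
  "Routes": [
    { "DownstreamPathTemplate": "/api/products", "UpstreamPathTemplate": "/products",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [ { "Host": "localhost", "Port": 5001 } ] },
    { "DownstreamPathTemplate": "/api/orders", "UpstreamPathTemplate": "/orders",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [ { "Host": "orders.internal.example", "Port": 5002 } ],
      "AuthenticationOptions": { "AuthenticationProviderKey": "TestKey", "AllowedScopes": [] } }
  ],
  "GlobalConfiguration": { "BaseUrl": "https://localhost:5000" }
}
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_routes(config_text):
    """Return (upstream_path, finding) pairs for routes that need review."""
    findings = []
    for route in json.loads(config_text).get("Routes", []):
        upstream = route.get("UpstreamPathTemplate", "<missing>")
        auth = route.get("AuthenticationOptions") or {}
        if not auth.get("AuthenticationProviderKey"):
            # No provider key on the route: this file configures no token check for it.
            findings.append((upstream, "no-authentication"))
        elif not auth.get("AllowedScopes"):
            # Empty AllowedScopes: no scope check, so any token the provider accepts passes.
            findings.append((upstream, "no-scope-restriction"))
        if route.get("DownstreamScheme", "").lower() == "http":
            for target in route.get("DownstreamHostAndPorts", []):
                host = target.get("Host", "")
                if host.lower() not in LOOPBACK_HOSTS:
                    # Cleartext hop across the network between gateway and service.
                    findings.append((upstream, "cleartext-downstream:" + host))
    return findings

if __name__ == "__main__":
    for path, finding in audit_routes(SAMPLE_OCELOT_JSON):
        print(f"{path}: {finding}")
```

Run against the real ocelot.json in a build step, a non-empty result can fail the build before a route without authentication is deployed.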


🛠 Responsibilities of API Gateway

  1. Routing → Forward request to correct microservice.

  2. Authentication & Authorization → Validate tokens/keys.

  3. Rate Limiting & Throttling → Protect services from overload.

  4. Load Balancing → Distribute traffic across instances.

  5. Caching → Improve performance by caching responses.

  6. Request/Response Transformation → Convert formats (e.g., XML ↔ JSON).

  7. Logging & Monitoring → Track requests, errors, performance.

  8. Security → Block malicious requests before reaching services.

  9. Versioning → Support multiple API versions (/v1/orders, /v2/orders).


🔥 Firewall in Microservices

What is a Firewall in Microservices?

  • A firewall is a security layer that filters incoming/outgoing traffic based on rules.

  • In microservices, a firewall ensures:

    • Only API Gateway can access microservices (direct external calls are blocked).

    • Only whitelisted IPs/ports are allowed.

    • Malicious requests (SQL injection, DDoS, etc.) are blocked.

Types of Firewalls

  1. Network Firewall → Controls traffic between external world and cluster (e.g., Azure NSG, AWS Security Groups).

  2. Application Firewall (WAF) → Protects against web attacks (SQL Injection, XSS).

  3. Service Mesh Security (Istio, Linkerd) → Provides fine-grained firewall-like policies inside the cluster.


✅ Summary

  • API Gateway = single entry point, routing + auth + monitoring + transformations.

  • Configuration = define routes, downstream services (ocelot.json, APIM policies, etc.).

  • Authentication = JWT, OAuth2, API Keys, mTLS.

  • Responsibilities = routing, security, rate limiting, logging, caching.

  • Firewall = network/application-level security that blocks unauthorized traffic before reaching microservices.
