API Gateways

Defining and Describing API Gateways

Disambiguation

Primary sense — the innovation-consulting sense

• Common in startups building event-driven or hybrid systems, where it inspects REST, WebSocket, Kafka, or MQTT traffic before backend services, unlike simple proxies. [2][5]
• Handles "authentication and authorization, manage multiple API versions, transform protocols and payloads, and provide analytics" to boost performance and compliance. [1]
• Not an ingress controller, which offers basic routing but lacks "OAuth2 tokens, API keys, rate limits, or payload inspection." [2]
• Essential for founder decisions in Kubernetes or serverless stacks, enabling "consistent policy enforcement across all APIs" without backend changes. [2][3]

Other senses

1. Generic reverse proxy (legacy usage)

• Often conflated in early microservices but misses "threat mitigation, caching, traffic shaping" central to modern gateways. [2]
• Used in simple client-server models before microservices explosion. [7]
• Also used in network engineering to mean hardware gateways for IP routing; not relevant to innovation contexts.

Adjacent Vocabulary

• Synonyms:
  • API Management Platform: Broader, includes lifecycle tools beyond just traffic handling (e.g., versioning, monetization). [1]
  • Service Mesh Gateway: Focuses on internal service-to-service mesh like Istio, vs. external client-facing. [3]
  • Ingress Controller with Extensions: Kubernetes-native routing enhanced for APIs, but less feature-rich. [2]
• Antonyms:
  • Direct Service Calls: Clients hitting backends without intermediary, risking exposure and sprawl. [1]
  • Monolithic Endpoint: Single app handling all logic, opposite of distributed API patterns. [4]
• Adjacent terms: Microservices Architecture, OAuth, Kubernetes Ingress, Event-Driven Architecture

Usage in Practice

• "Think of the API Gateway as the entry point that sits between clients and the internal services. Instead of calling multiple services directly, the client sends requests to the API gateway, and the gateway takes care of the rest." — ByteByteGo [1]
• "API Gateways act as chokepoints, inspecting and routing every request—REST, WebSocket, Kafka, and more. They centralize security, handling authentication, authorization, and threat mitigation before traffic reaches backend services." — Gravitee.io [2]
• "An API Gateway is a single entry point that routes, secures, and manages API traffic. It simplifies client-to-service communication in microservices by centralizing authentication and request handling." — Gravitee.io [3]
• "Gravitee is differentiated by strong support for event-driven architectures and protocols like MQTT and Kafka. Asynchronous APIs are becoming increasingly common, but they’re not always as fully supported by most tools." — Nordic APIs [5]
• "Our top pick is Apache APISIX for its high performance (23,000+ QPS per node), dynamic configuration without restarts, and comprehensive plugin ecosystem." — API7.ai [6]

Common Misuses

• Calling a basic Kubernetes Ingress an "API Gateway"—better suited: Ingress Controller, as it lacks protocol translation or analytics. [2]
• Treating AWS API Gateway as a general-purpose tool outside serverless—better suited: Serverless API Layer, given its "$3.50 per million API calls" AWS-centric pricing. [6]
• Equating it with full service meshes like Linkerd—better suited: Service Mesh, which focuses on east-west traffic, not client-facing north-south. [3]
• Using for non-API traffic like raw TCP—better suited: Load Balancer, missing application-layer policies. [2]

Sources