Design an API Gateway — the single entry point for all client requests in a microservices architecture. The gateway handles cross-cutting concerns (authentication, rate limiting, routing, circuit breaking, observability) so that individual backend services don't have to.
| Metric | Value |
|---|---|
| Total API requests | 1 billion / day (~12,000 per second) |
| Peak traffic | 50,000 requests per second |
| Backend services | 50–200 microservices |
| Gateway instances | 10–50 (auto-scaled) |
| Auth token validations | 12,000 / sec (cached: ~90% hit rate) |
| Rate-limit checks | 12,000 / sec (Redis: < 1ms per check) |
| Gateway latency overhead | < 5ms average (excluding backend latency) |
| Concurrent connections | 100,000+ per gateway instance (non-blocking I/O) |
Route incoming API requests to the correct backend microservice based on URL path, HTTP method, and headers
Authenticate and authorise every request: verify JWT/OAuth2 tokens, API keys, or mTLS certificates before forwarding to backends
Rate limit requests per client (API key / user ID / IP) with configurable limits per endpoint and subscription tier
Aggregate responses from multiple backend services into a single API response (API composition / BFF pattern)
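Composition is only cheap if the backend calls run concurrently. A minimal asyncio sketch, with `fetch_user`/`fetch_orders` as stubs standing in for real HTTP calls:

```python
# Sketch of API composition: fan out to backends concurrently, merge the results.
import asyncio

async def fetch_user(user_id: str) -> dict:
    return {"id": user_id, "name": "Ada"}     # stand-in for GET /users/{id}

async def fetch_orders(user_id: str) -> list:
    return [{"order": 1}, {"order": 2}]       # stand-in for GET /orders?user={id}

async def user_profile(user_id: str) -> dict:
    # Concurrent fan-out: total latency ~ slowest backend, not the sum of all of them.
    user, orders = await asyncio.gather(fetch_user(user_id), fetch_orders(user_id))
    return {**user, "orders": orders}
```

This is why non-blocking I/O matters for the 100,000+ concurrent connections in the estimates: each in-flight composition holds a coroutine, not a thread.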
Transform requests and responses: header injection, payload reshaping, protocol translation (REST ↔ gRPC, HTTP ↔ WebSocket)
Implement circuit breaker pattern: detect unhealthy backends, stop forwarding traffic, and return fallback responses
Cache responses for idempotent GET requests at the gateway layer to reduce backend load
Provide centralised logging, distributed tracing (trace ID propagation), and metrics collection for all API traffic
Support canary/blue-green deployments by routing a percentage of traffic to new service versions
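Percentage-based canary routing needs a split that is stable per client, so a user doesn't flip between versions on every request. A hashing sketch (version labels are illustrative):

```python
# Canary-routing sketch: hash the client ID into [0, 100) and send that stable
# slice of users to the new version. hashlib keeps the split deterministic across
# gateway instances (unlike Python's per-process-randomized built-in hash()).
import hashlib

def pick_version(client_id: str, canary_percent: int) -> str:
    bucket = int(hashlib.sha256(client_id.encode()).hexdigest(), 16) % 100
    return "v2-canary" if bucket < canary_percent else "v1-stable"
```

Ramping the rollout is then just raising `canary_percent` in config; the same clients stay in the canary cohort as it grows.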
Load balance across multiple instances of each backend service using round-robin, least-connections, or weighted strategies
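Two of the strategies named above, sketched in a few lines each; the instance addresses are made up:

```python
# Load-balancing sketch: round-robin and least-connections over backend instances.
import itertools

INSTANCES = ["10.0.0.1:8080", "10.0.0.2:8080", "10.0.0.3:8080"]

# Round-robin: cycle through instances in a fixed order.
_rr = itertools.cycle(INSTANCES)

def round_robin() -> str:
    return next(_rr)

# Least-connections: pick the instance with the fewest in-flight requests.
active = {addr: 0 for addr in INSTANCES}

def least_connections() -> str:
    addr = min(active, key=active.get)
    active[addr] += 1          # caller must decrement when the request completes
    return addr
```

Weighted variants extend either one: repeat an instance in the round-robin cycle, or divide its in-flight count by its weight before taking the minimum.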
Non-functional requirements define the system qualities critical to your users. Frame them as 'The system should be able to...' statements. These will guide your deep dives later.
Think about CAP theorem trade-offs, scalability limits, latency targets, durability guarantees, security requirements, fault tolerance, and compliance needs.
Frame NFRs for this specific system. 'P99 gateway overhead under 5ms' is far more valuable than just 'low latency'.
Add concrete numbers: 'P99 response time < 500ms', '99.9% availability', '10M DAU'. This drives architectural decisions.
Choose the 3–5 most critical NFRs. Every system should be 'scalable', but what makes THIS system's scaling uniquely challenging?