Why API Gateway is essential in Microservices Architecture. Detailed comparison of Kong vs. Nginx vs. AWS API Gateway, deep dive into Rate Limiting algorithms, GraphQL integration strategies, and ensuring Observability.
A deep dive into Robert C. Martin's Clean Architecture. Learn how to decouple your business logic from frameworks, databases, and UI using Entities, Use Cases, and the Dependency Rule. Includes Screaming Architecture and Testing strategies.
A comprehensive deep dive into client-side storage. From Cookies to IndexedDB and the Cache API. We explore security best practices for JWT storage (XSS vs CSRF), performance implications of synchronous APIs, and how to build offline-first applications using Service Workers.
App crashes only in Release mode? It's likely ProGuard/R8. Learn how to debug obfuscated stack traces, use `@Keep` annotations, and analyze `usage.txt`.
Pringles can (Stack) vs Restaurant line (Queue). The most basic data structures, but without them, you can't understand recursion or message queues.
In the early days of transitioning from Monolithic to Microservices (MSA), I made a huge mistake.
Splitting the backend into Auth, User, Product, Order, and Payment services was a good start theoretically.
The problem was that I made the frontend call these services directly.
One day, I opened the app and noticed severe lag. I opened the Network tab to investigate.
To render a single main screen, the app was sending concurrent requests to User Server, Product Server, Promotion Server, and two others. Even worse, the Auth Server was suffering 5x the load because it had to verify the authentication token for every single request. Furthermore, mixed content warnings were popping up because some services were called via http and others via https.
It hit me: "It's like a guest trying to enter a hotel room, but having to show their ID separately to the cleaner, the chef, and the manager to get permission."
I desperately needed someone to organize this chaos—a "Hotel Front Desk". That was the API Gateway.
An API Gateway is a "Single Entry Point" that sits between clients (guests) and numerous backend services (hotel staff). It acts as a manager that not only opens the door but checks every request, routes it to the right place, and handles the response.
Routing: "Where do I check in?" -> "Go to Counter 1."
api.hotel.com./users are internally proxied to User Service, /orders to Order Service.Authentication & Authorization: "Show me your reservation."
Rate Limiting: "Group guests, please line up."
Load Balancing: "Counter 1 is busy, please go to Counter 2."
User Service has 3 instances, the Gateway distributes requests evenly using methods like Round-Robin.Ideally, how does the Gateway ensure system stability beyond just "connecting" thins? Let's check the algorithms.
This is the most critical feature to prevent server crashes. It's not just "block if too many." Implementing rules like "60 requests per minute" involves sophisticated algorithms.
Token Bucket:
Leaky Bucket:
limit_req_zone), Network packet processing, Strict SLAs.Fixed Window vs Sliding Window:
The Gateway is the gatekeeper of the castle. If this is breached, internal services are exposed.
DROP TABLE, it blocks immediately./admin to only company IPs.Imagine User Service dies due to DB overload. Users keep clicking "Login". The Gateway keeps sending requests to the dead service and waits for timeouts (e.g., 30s). Waiting threads pile up, and eventually, the Gateway itself hangs, causing a Cascading Failure.
This is when the Circuit Breaker trips.
User Service failed 5 times in a row? Cut the cord!" (Circuit Open).User Service are now rejected immediately with an error ("Under Maintenance").Popularized by Netflix Hystrix and Resilience4j, this is now a mandatory feature for Gateways.
Frontends love GraphQL. Does that eliminate the need for a Gateway? Conversely, the GraphQL Gateway (Federation) becomes crucial.
User Service and Product Service have their own small GraphQL schemas. The Gateway stitches them together and presents a single, giant API schema to the client.A downside of MSA is the difficulty in tracing errors. "Where did it fail?" Since the Gateway is the path for all requests, it must issue a Tracing ID.
X-Request-ID: abc-123.Service A -> Service B -> DB.abc-123 in logging systems (ELK, Datadog) reveals the entire flow.
This is the beginning of Distributed Tracing.So, what should you use?
| Feature | Nginx (Reverse Proxy) | Kong (API Gateway) | AWS API Gateway (Managed) |
|---|---|---|---|
| Identity | High-performance Web Server | Open-source specialized for API | Fully Managed Cloud Service |
| Extensibility | Config file (Static) | Global Plugin System (Dynamic) | Click-to-configure (Dynamic) |
| Features | LB, Caching, Basic Auth | + OAuth2, Rate Limit, Monitoring | + Serverless, Pay-per-use, IAM |
| Difficulty | High (Scripting) | Medium (Admin API) | Low (GUI) |
| Recommendation | Simple routing, Performance | On-Premise, Custom Plugins | Startups, No-ops, AWS Ecosystem |
My Choice: In the early startup phase, AWS API Gateway was overwhelmingly convenient. Management overhead was near zero. However, as traffic exceeded 100M requests/month, costs piled up. We eventually migrated to Kong on EC2, reducing costs by 80%.
Using a single Gateway can lead to conflicts where the "Mobile App Team" and "Web Admin Team" fight.
This is where BFF (Backend For Frontend) comes in. Instead of one giant Gateway, you create Dedicated Gateways per Client.
Mobile Gateway: Managed by the mobile team, aggregates data optimized for apps.Web Gateway: Managed by the web team, aggregates data for the dashboard.This decouples the strong coupling where "Frontend changes force Backend changes."
Microservices without an API Gateway is like an "8-lane intersection without traffic lights." It's fine when there are only a few cars, but as the service grows, a major crash is inevitable.
Remembering these 4 points will make your MSA significantly safer and more robust.