API Gateway Configurator
Enterprise skill for configuring and managing API gateways for microservices architectures.
When to Use
This skill should be used when:
- Setting up API gateway for microservices
- Configuring rate limiting and throttling
- Implementing API authentication and authorization
- Setting up request/response transformation
- Configuring API routing and load balancing
- Implementing API versioning strategies
- Setting up API monitoring and analytics
- Managing API documentation and developer portals
Instructions
Select the appropriate API gateway based on requirements:
Kong Gateway (Open Source/Enterprise):
- Best for: Kubernetes-native, plugin ecosystem
- Strengths: Performance, extensibility, cloud-native
- Use cases: Microservices, multi-cloud, hybrid cloud
AWS API Gateway:
- Best for: AWS-native applications, serverless
- Strengths: AWS integration, managed service, scalability
- Use cases: Lambda functions, AWS services, serverless APIs
Tyk:
- Best for: GraphQL, multi-cloud, analytics
- Strengths: Developer portal, analytics, open source
- Use cases: GraphQL federation, API analytics
Apigee (Google Cloud):
- Best for: Enterprise API management, monetization
- Strengths: Analytics, developer portal, API products
- Use cases: External APIs, partner APIs, API monetization
Kong Configuration Example:
yaml
1# kong.yml - Declarative configuration
2_format_version: "3.0"
3
4services:
5 - name: user-service
6 url: http://user-service:8080
7 routes:
8 - name: user-routes
9 paths:
10 - /api/v1/users
11 methods:
12 - GET
13 - POST
14 strip_path: false
15 plugins:
16 - name: rate-limiting
17 config:
18 minute: 100
19 policy: local
20 - name: jwt
21 config:
22 claims_to_verify:
23 - exp
24 - name: cors
25 config:
26 origins:
27 - "*"
28 methods:
29 - GET
30 - POST
31 headers:
32 - Accept
33 - Authorization
34 max_age: 3600
35
36 - name: order-service
37 url: http://order-service:8080
38 routes:
39 - name: order-routes
40 paths:
41 - /api/v1/orders
42 plugins:
43 - name: rate-limiting
44 config:
45 minute: 50
46 - name: request-transformer
47 config:
48 add:
49 headers:
50 - "X-Gateway:Kong"
51
52# Global plugins
53plugins:
54 - name: prometheus
55 config:
56 per_consumer: true
57 - name: correlation-id
58 config:
59 header_name: X-Correlation-ID
60 generator: uuid
AWS API Gateway Configuration:
yaml
1# serverless.yml for AWS API Gateway
2provider:
3 name: aws
4 runtime: nodejs18.x
5 apiGateway:
6 apiKeys:
7 - name: premium-api-key
8 value: ${env:API_KEY}
9 usagePlan:
10 - premium:
11 quota:
12 limit: 5000
13 period: MONTH
14 throttle:
15 burstLimit: 200
16 rateLimit: 100
17 resourcePolicy:
18 - Effect: Allow
19 Principal: "*"
20 Action: execute-api:Invoke
21 Resource:
22 - execute-api:/*/*/*
23
24functions:
25 getUsers:
26 handler: users.getUsers
27 events:
28 - http:
29 path: users
30 method: get
31 cors: true
32 authorizer:
33 name: jwtAuthorizer
34 type: request
35 request:
36 parameters:
37 querystrings:
38 page: false
39 limit: false
40 throttling:
41 maxRequestsPerSecond: 100
42 maxConcurrentRequests: 50
43
44 createUser:
45 handler: users.createUser
46 events:
47 - http:
48 path: users
49 method: post
50 cors: true
51 authorizer: jwtAuthorizer
Step 3: Implement Authentication & Authorization
JWT Authentication (Kong):
yaml
1# Create JWT consumer
2consumers:
3 - username: mobile-app
4 jwt_credentials:
5 - key: mobile-app-key
6 algorithm: HS256
7 secret: ${JWT_SECRET}
8
9# Apply JWT plugin to service
10services:
11 - name: protected-service
12 plugins:
13 - name: jwt
14 config:
15 header_names:
16 - Authorization
17 claims_to_verify:
18 - exp
19 - nbf
OAuth2 (Kong):
yaml
1plugins:
2 - name: oauth2
3 config:
4 scopes:
5 - read
6 - write
7 - admin
8 mandatory_scope: true
9 enable_authorization_code: true
10 enable_client_credentials: true
11 enable_implicit_grant: false
12 token_expiration: 3600
13 refresh_token_ttl: 2592000
yaml
1# Kong - Multiple rate limiting strategies
2plugins:
3 # Per-consumer rate limiting
4 - name: rate-limiting
5 consumer: mobile-app
6 config:
7 second: 10
8 minute: 100
9 hour: 1000
10 policy: redis
11 redis:
12 host: redis-cluster
13 port: 6379
14 database: 0
15
16 # Advanced rate limiting
17 - name: rate-limiting-advanced
18 config:
19 limit:
20 - minute: 100
21 - hour: 1000
22 window_size:
23 - 60
24 - 3600
25 sync_rate: 10
26 strategy: cluster
27 dictionary_name: kong_rate_limiting_counters
yaml
1# Request transformation
2plugins:
3 - name: request-transformer
4 config:
5 add:
6 headers:
7 - "X-Request-ID:$(uuid)"
8 - "X-Forwarded-For:$(client_ip)"
9 querystring:
10 - "version:v1"
11 remove:
12 headers:
13 - "Authorization" # Don't pass to backend
14 replace:
15 headers:
16 - "Host:backend-service"
17
18# Response transformation
19plugins:
20 - name: response-transformer
21 config:
22 add:
23 headers:
24 - "X-Response-Time:$(latency)"
25 - "X-Gateway:Kong"
26 remove:
27 headers:
28 - "X-Internal-Secret"
29 replace:
30 json:
31 - "$.metadata.source:api-gateway"
Step 6: Implement API Versioning
yaml
1# URL path versioning
2services:
3 - name: user-service-v1
4 url: http://user-service-v1:8080
5 routes:
6 - paths:
7 - /api/v1/users
8
9 - name: user-service-v2
10 url: http://user-service-v2:8080
11 routes:
12 - paths:
13 - /api/v2/users
14
15# Header-based versioning
16routes:
17 - name: versioned-route
18 paths:
19 - /api/users
20 plugins:
21 - name: request-transformer
22 config:
23 add:
24 headers:
25 - "X-API-Version:$(header.Accept-Version)"
yaml
1# Prometheus metrics
2plugins:
3 - name: prometheus
4 config:
5 per_consumer: true
6 status_code_metrics: true
7 latency_metrics: true
8 bandwidth_metrics: true
9 upstream_health_metrics: true
10
11# Logging
12plugins:
13 - name: file-log
14 config:
15 path: /var/log/kong/access.log
16 reopen: true
17
18 - name: http-log
19 config:
20 http_endpoint: http://log-aggregator:8080/logs
21 method: POST
22 content_type: application/json
23 timeout: 10000
24 keepalive: 60000
25
26# Datadog integration
27plugins:
28 - name: datadog
29 config:
30 host: datadog-agent
31 port: 8125
32 metrics:
33 - name: request_count
34 stat_type: counter
35 - name: latency
36 stat_type: timer
Best Practices
Security:
- ✅ Always use HTTPS/TLS for API gateway
- ✅ Implement JWT or OAuth2 for authentication
- ✅ Use API keys for external partners
- ✅ Enable CORS with specific origins
- ✅ Implement request size limits
- ✅ Add security headers (HSTS, CSP, etc.)
- ✅ Enable caching for GET requests
- ✅ Use Redis for distributed rate limiting
- ✅ Configure connection pooling to backends
- ✅ Set appropriate timeouts
- ✅ Enable gzip compression
- ✅ Use CDN for static content
Reliability:
- ✅ Configure health checks for backends
- ✅ Implement circuit breakers
- ✅ Set up retry policies
- ✅ Configure fallback responses
- ✅ Use multiple gateway instances
- ✅ Monitor gateway metrics
Operations:
- ✅ Use declarative configuration (GitOps)
- ✅ Version control gateway configs
- ✅ Implement blue-green deployments
- ✅ Set up comprehensive logging
- ✅ Configure alerts for anomalies
- ✅ Regular security audits
Examples
Example 1: Microservices E-Commerce Gateway
yaml
1# Kong configuration for e-commerce platform
2services:
3 - name: product-catalog
4 url: http://catalog-service:8080
5 routes:
6 - paths: ["/api/v1/products"]
7 plugins:
8 - name: rate-limiting
9 config:
10 minute: 1000
11 - name: cors
12 - name: jwt
13 - name: response-cache
14 config:
15 strategy: memory
16 memory:
17 dictionary_name: kong_cache
18
19 - name: shopping-cart
20 url: http://cart-service:8080
21 routes:
22 - paths: ["/api/v1/cart"]
23 plugins:
24 - name: rate-limiting
25 config:
26 minute: 100
27 - name: jwt
28 - name: request-size-limiting
29 config:
30 allowed_payload_size: 10
31
32 - name: checkout
33 url: http://checkout-service:8080
34 routes:
35 - paths: ["/api/v1/checkout"]
36 plugins:
37 - name: rate-limiting
38 config:
39 minute: 50
40 - name: jwt
41 - name: bot-detection
42 - name: ip-restriction
43 config:
44 allow:
45 - 10.0.0.0/8
Example 2: AWS API Gateway with Lambda
yaml
1# API Gateway with Lambda integration
2functions:
3 getUserProfile:
4 handler: handlers/users.getProfile
5 events:
6 - http:
7 path: users/{userId}/profile
8 method: get
9 cors:
10 origin: 'https://app.example.com'
11 headers:
12 - Content-Type
13 - Authorization
14 authorizer:
15 arn: arn:aws:lambda:us-east-1:123456789:function:authorizer
16 resultTtlInSeconds: 300
17 identitySource: method.request.header.Authorization
18 request:
19 parameters:
20 paths:
21 userId: true
22 caching:
23 enabled: true
24 ttlInSeconds: 300
25 dataEncrypted: true
Common Mistakes to Avoid
- ❌ Not implementing rate limiting
- ❌ Exposing internal service URLs
- ❌ No authentication on public APIs
- ❌ Missing CORS configuration
- ❌ No monitoring or logging
- ❌ Hardcoding credentials in config
- ❌ Not versioning APIs
- ❌ Single gateway instance (no HA)
- ❌ No request/response validation
- ❌ Missing error handling
✅ Correct approach:
- Implement multi-layer rate limiting
- Use service discovery internally
- JWT/OAuth2 authentication
- Proper CORS with allowed origins
- Comprehensive monitoring
- Use environment variables/secrets
- Version APIs from day one
- Deploy in HA configuration
- Validate all inputs/outputs
- Implement circuit breakers
Tips
- 💡 Start with managed API gateway for faster setup
- 💡 Use declarative configuration for repeatability
- 💡 Implement caching to reduce backend load
- 💡 Monitor gateway metrics continuously
- 💡 Use API gateway for security boundary
- 💡 Implement request tracing for debugging
- 💡 Version APIs early, migrate gradually
- 💡 Test rate limiting before production
Skills:
microservices-orchestrator - Microservices architectureservice-mesh-integrator - Service mesh integrationdistributed-tracing-setup - Request tracing
Commands:
/dependency-graph - Visualize API dependencies/load-test-suite - Test API gateway performance/security-posture - Security assessment
Agents:
enterprise-architect - Architecture designsecurity-architect - Security configurationsre-consultant - SLO/SLI setup
Notes
API Gateway Selection Criteria:
- ✅ Kong: Best for Kubernetes, open source, plugin ecosystem
- ✅ AWS API Gateway: Best for AWS Lambda, managed service
- ✅ Tyk: Best for GraphQL, analytics, multi-cloud
- ✅ Apigee: Best for enterprise API management
Common Patterns:
- Backend for Frontend (BFF) pattern
- API composition
- API aggregation
- Protocol translation (REST to gRPC)
- Request/response transformation
Production Checklist:
