API gateway request lifecycle.
A request hits your API. Before it reaches the actual microservice, the gateway does nine specific things. Most of them are sub-millisecond. One of them is the real work. Watch the whole pipeline with realistic per-stage costs.
Decrypt incoming HTTPS. Typical cost on a hot path: 0.5 ms.
Why a gateway in front of your services
Without one, every microservice has to handle TLS, auth, rate limiting, CORS, retries, metrics, request validation — duplicated, slightly differently, in each language. With a gateway, those concerns live in one place. Backend services trust the gateway, run plain HTTP, focus on business logic. The trade-off: one more hop (~1-2 ms typically), and the gateway becomes a critical-path component you have to scale and protect.
Popular implementations
Envoy (data plane for Istio, Consul, also standalone), Kong (Lua + OpenResty), Traefik (Go, k8s-native), AWS API Gateway (managed, scales infinitely, ~30 ms cold), NGINX with custom Lua scripts, Cloudflare Workers + Cloudflare API Gateway. Most modern stacks pick Envoy because of its xDS protocol — programmable from a control plane without restarts.
Where the gateway breaks first
Almost always at the auth stage. Verifying a JWT signature is fast (~0.1 ms) but checking against a revocation list or fetching the user record is slow. Cache hits hide it; cache misses cost 50-200 ms. Rate limiting against a Redis backend can stall if Redis is slow. The upstream call is the dominant cost, but the gateway\'s own dependencies are the silent killer when they\'re sluggish.
API Gateway deep dive →
Envoy filter chain, JWT validation patterns, rate-limit algorithms, retry budgets, circuit breakers, gateway HA.
Open the Codex →