API Gateway
- Anand Nerurkar
- Jun 7
✅ What is an API Gateway?
An API Gateway is a centralized entry point that sits in front of your backend services or microservices. It manages, secures, monitors, routes, and scales API traffic between clients (like apps, browsers, or systems) and backend services.
Think of it as the front desk or receptionist for your APIs — handling requests, applying rules, and forwarding them securely to the correct internal services.
🔹 Key Functions of an API Gateway
| Function | Description |
|---|---|
| Routing | Forwards requests to the appropriate backend service or microservice |
| Authentication & Authorization | Validates tokens (e.g., JWT, OAuth2), API keys, client certs |
| Rate Limiting / Throttling | Prevents abuse by limiting the number of API calls per second/minute |
| Caching | Stores frequent API responses to reduce backend load |
| Logging & Monitoring | Tracks usage, latency, and errors for observability |
| Transformation | Converts payloads (JSON ↔ XML), headers, or even protocol (SOAP → REST) |
| Load Balancing | Distributes incoming API traffic across multiple instances |
| Security | Integrates with WAF, SSL/TLS termination, and IP restrictions |
🏦 Example in Banking
Use Case: Customer checks loan status on mobile app
Mobile App → API Gateway → Loan Status Microservice → Database
1. API Gateway authenticates the user via OAuth2
2. It routes the request to the right service (Loan)
3. Applies rate limiting (e.g., max 10 calls/min)
4. Logs the request and response for monitoring
5. Transforms the response format for the mobile client
🔧 Popular API Gateway Products
| Platform | API Gateway |
|---|---|
| Azure | Azure API Management (APIM) |
| AWS | Amazon API Gateway |
| GCP | Apigee or Google Cloud Endpoints |
| Open Source | Kong, NGINX, Tyk, Envoy |
🧭 Where Does It Sit in Architecture?
```
           +-------------+
Client --> | API Gateway | --> Internal Microservices (KYC, Loan, Risk, etc.)
           +-------------+
                  |
     +----------------------------+
     | Security, AuthN/Z, Logging |
     +----------------------------+
```
✅ Why Use API Gateway in Enterprise?
| Benefit | Why It Matters |
|---|---|
| Central Security | Enforces unified security policies |
| Abstraction | Shields backend complexity from clients |
| Governance | Allows teams to publish/manage APIs with versioning |
| Resilience | Fallback, retries, and circuit breaking features |
| Analytics | Tracks API usage for business and technical decisions |
API Gateway Public/Private Mode
Choosing between private and public modes for an API Gateway (like Azure API Management, AWS API Gateway, or Apigee) depends on security posture, audience, and network topology.
✅ Difference Between Private and Public Mode
| Mode | Description | Key Use Case |
|---|---|---|
| Public | Exposed to the internet via a public endpoint | APIs for external consumers (partners, customers, apps) |
| Private | Only accessible from within your VNet or internal network | Internal microservices communication, compliance-sensitive APIs |
📌 When to Use Public Mode
✅ Scenarios
- Public-facing APIs for:
  - Mobile apps (banking, wallet apps)
  - Third-party integrations (e.g., UPI, billers, partners)
  - Web portals for customers (personal banking dashboard)
- APIs that require developer onboarding:
  - Developer portal, API productization
  - Monetized APIs
- Federated security with OAuth2, JWT, or API keys over HTTPS with WAF and throttling
- Rate limiting and security posture are managed via the gateway and security layers like Azure Front Door, App Gateway, WAF, etc.
🔐 When to Use Private Mode
✅ Scenarios
- Internal Microservices APIs:
  - For example: KYC, Credit Score, Loan Evaluation running in Azure AKS or VNet-joined App Services
- Regulatory/Compliance Requirement:
  - Banking/Insurance APIs that cannot be exposed publicly due to RBI/SEBI/PPI guidelines
- Enterprise Integration:
  - APIs consumed by internal systems like ERP, core banking, CRM, etc.
- High-security workloads:
  - Use Azure API Management in Internal VNet mode
  - Expose through Private Endpoints, Application Gateway + WAF, or ExpressRoute
- Zero Trust Architecture:
  - Internal APIs require authentication and are hidden from public exposure
🎯 Hybrid Strategy (Recommended in BFSI)
| Type | Approach |
|---|---|
| Public | Expose via API Gateway + WAF + OAuth2 for B2C/B2B |
| Private | Internal-only APIs accessed via Private DNS + Private Link + NSG rules |
| Shared APIs | Use a dual-hosted API Gateway: Internal VNet + External DNS; route based on tiers or network security |
🏦 Example from BFSI – Lending Platform
| Use Case | API Gateway Mode | Notes |
|---|---|---|
| KYC Verification API | Private | Internal call to Aadhaar Vault, PAN verification service |
| Loan Application Status API | Public | Used by customers from mobile app |
| Partner Integration API (e.g., CIBIL, UIDAI) | Public with IP Whitelisting | Limited to trusted partners |
| Admin Dashboard APIs | Private | Internal to Ops/CS teams via VNet-bound web app |
| Chatbot APIs | Public | Used on mobile banking apps, secured via OAuth2 |
✅ Yes: enterprises commonly use both public and private modes of an API Gateway simultaneously, especially in hybrid, layered, and microservices-based architectures such as BFSI, insurance, or fintech platforms.
This is called a dual-mode API strategy or multi-tiered API exposure.
✅ Realistic Example: Personal Banking Platform Using Azure API Management (APIM)
🎯 Use Case: A modern digital banking platform with public-facing apps + internal service orchestration
🔹 Architecture Overview
| Layer | API Gateway Mode | Examples | Notes |
|---|---|---|---|
| Customer-Facing | Public Mode | APIs for mobile banking app, online account opening | Exposed to internet via WAF + OAuth2 |
| Partner Integrations | Public Mode with IP restrictions | CIBIL, UIDAI, NSDL, UPI gateway | Uses mutual TLS or IP whitelisting |
| Internal Services | Private Mode | KYC microservice, credit evaluation, fraud engine | Only accessible within VNet or AKS |
| Admin Tools/APIs | Private Mode | Ops dashboard, audit logs, reporting APIs | Accessed only from internal jumpbox or private subnet |
🔐 How It Works on Azure
- Azure API Management (APIM) is deployed in the Premium tier (multi-region, supports VNet injection).
- It has two custom domains configured:
  - api.bankxyz.com → Public mode (exposed via Azure Front Door + WAF)
  - internal-api.bankxyz.com → Private mode (reachable only via VNet)
- Routing:
  - Public APIs routed via Azure Front Door + WAF + APIM public endpoint
  - Private APIs accessed over Azure Private Link or via App Gateway (internal mode)
- Security:
  - Public APIs secured via OAuth2, rate limiting, client certs
  - Private APIs secured via VNet, NSG, Private DNS, role-based access
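As an added example (not code from the original post), the following Azure API Management inbound policy ties the dual-domain setup above to the loan-status flow from the banking example earlier: the bearer token is validated on both hosts (zero trust), the public host gets the stricter 10 calls/min limit, any other Host header is refused, and the request is then routed to the loan service. The tenant id, audience, scope and backend URL are assumed placeholders.

```xml
<policies>
  <inbound>
    <base />
    <!-- Zero trust: AuthN on both hosts. Tenant id, audience and scope are placeholders. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://loan-status-placeholder</audience>
      </audiences>
      <required-claims>
        <claim name="scp" match="any">
          <value>Loan.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <choose>
      <!-- Public mode: traffic arriving on the internet-facing custom domain -->
      <when condition="@(context.Request.OriginalUrl.Host == "api.bankxyz.com")">
        <!-- Stricter limit on public APIs: 10 calls/min per token subject (falls back to caller IP) -->
        <rate-limit-by-key calls="10" renewal-period="60"
            counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject ?? context.Request.IpAddress)" />
      </when>
      <!-- Private mode: only reachable inside the VNet; looser limit per subscription -->
      <when condition="@(context.Request.OriginalUrl.Host == "internal-api.bankxyz.com")">
        <rate-limit-by-key calls="600" renewal-period="60"
            counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)" />
      </when>
      <!-- Any other Host header means the request did not come through an expected entry point -->
      <otherwise>
        <return-response>
          <set-status code="403" reason="Forbidden" />
        </return-response>
      </otherwise>
    </choose>
    <!-- Route to the Loan Status microservice (placeholder backend URL) -->
    <set-backend-service base-url="https://loan-status.internal.bankxyz.example" />
  </inbound>
  <backend><base /></backend>
  <outbound>
    <base />
    <!-- Strip backend fingerprint headers before the response leaves the gateway -->
    <set-header name="X-Powered-By" exists-action="delete" />
  </outbound>
  <on-error><base /></on-error>
</policies>
```

Attach it at the API scope of the Loan Status API; the `<base />` elements keep any product- or global-scope policies (for example the partner IP restrictions) in force.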
🏦 Example API Mapping
| API | Mode | Access Type |
|---|---|---|
| Get Account Balance | Public | Internet (OAuth2) |
| Submit Loan Request | Public | Internet/Mobile App |
| KYC Verification API | Private | Internal AKS |
| Credit Bureau Fetch | Public (with IP whitelisting) | External trusted |
| Risk Scoring Engine | Private | Internal only |
| Admin Report Download | Private | Jumpbox/VPN access only |
📌 Key Azure Components Used
- Azure API Management (Premium) with multi-region deployment
- Azure Front Door + WAF (for secure internet-facing APIs)
- Azure Private Link for private APIs
- Azure Application Gateway (internal mode for routing within VNet)
- Network Security Groups (NSG) to restrict private access
- Azure DNS Private Zones for internal-api.bankxyz.com
⚠️ Best Practices
| Area | Practice |
|---|---|
| Isolation | Use separate API products/groups for public vs. internal APIs |
| Rate Limiting | Apply stricter limits on public APIs |
| Monitoring | Use Azure Monitor, App Insights, and Azure Defender for APIs |
| Security | Always enforce zero trust: AuthN + AuthZ on both public and private |
| DevOps | Deploy public/internal APIs via CI/CD with tagging and approval flows |