.png)
Federated /Global API Gateway in Multi Cloud
- Anand Nerurkar
- Oct 19
- 11 min read
Updated: Oct 20
🧭 Context
You have a multi-cloud hybrid setup:
Region A (Azure) → Hosts digital lending & onboarding
Region B (AWS) → Hosts fraud analytics & AI models
Region C (On-Prem DC) → Hosts CBS & PII-sensitive data
You now need a common API exposure strategy across all three — to securely expose and consume APIs between services, partners, and external channels.
⚙️ Step 1: Decide the API Management Pattern
You have two main architecture choices here:
Pattern | Description | When to Use |
Pattern 1: Federated API Gateways (Per Cloud) | Each environment uses its own native API gateway — e.g., Azure API Management (APIM), AWS API Gateway, Apigee (GCP). They synchronize metadata or routing through a central control plane. | ✅ Best for regulatory and latency-sensitive BFSI environments. |
Pattern 2: Centralized Global API Gateway (Cloud-neutral) | One enterprise-level API gateway (e.g., Kong, Apigee, or Tyk) deployed centrally — acts as global entry point for all traffic, routing to backends in different clouds. | ✅ Best for global multi-cloud where single entry and uniform policy control needed. |
🧩 Step 2: BFSI Recommended Approach (Federated + Central Control)
In regulated BFSI (like Deut Bank, HDFCC, or ICICCI), the federated model with central governance is preferred.Here’s why 👇
✅ Advantages:
Each region can operate independently (DR or isolation friendly).
Data residency — Indian PII data never leaves Azure India region.
Cloud-native integration — each gateway integrates natively with respective cloud IAM, logging, WAF, etc.
You maintain central policy synchronization using API catalog & governance.
🧱 Step 3: Architecture Flow (Text Version)
Example: Loan Origination API (Azure) → Fraud Scoring (AWS) → Account Creation (On-Prem CBS)
Client / Mobile App calls https://api.bank.com/lending/loan/initiate(entry via central API gateway DNS, e.g., api.bank.com).
Global DNS (Traffic Manager / Cloudflare) routes call to nearest cloud (Azure in India region).
Azure API Management (APIM) receives the request
Authenticates via Azure AD
Applies rate limiting, JWT validation, logging
Routes call to Azure Loan microservice
Loan service calls Fraud Scoring API hosted on AWS →calls are proxied via Azure APIM → AWS API Gateway (via private interconnect / VPC Peering)
Fraud Score returned → Loan Approved Event → Published to Kafka (Azure)
Kafka MirrorMaker replicates event to on-prem Kafka →CBS adapter consumes it → Creates account → Sends acknowledgment.
Each gateway (Azure APIM, AWS API GW, On-Prem API GW like Kong)syncs API specs with central API Catalog (ServiceNow / SwaggerHub) for governance and discovery.
🛡️ Step 4: Security & Governance
Layer | Control |
Authentication | Central IAM (Azure AD / PingFed) integrated with each gateway |
Authorization | Token-based + fine-grained scopes (OpenID / OAuth2) |
Transport Security | Mutual TLS across gateways |
Governance | Central API registry with version control & approval workflow |
Observability | Common tracing via OpenTelemetry or API Observability platform (Datadog / Dynatrace) |
🧩 Step 5: Alternate — Cloud-Agnostic Gateway (Centralized)
If the bank wants a single unified control plane, you can use:
Kong Enterprise, Apigee X, or Tyk Cloud-Native Gateway
Deployed across all clouds in cluster mode
Federated agents installed on Azure, AWS, and on-prem
Architecture Flow
Single API Gateway cluster spans clouds.
Agents in each cloud route requests locally (for latency).
Policies, throttling, and keys managed centrally.
Common developer portal for internal & partner developers.
🧠 Step 6:
“In a multi-cloud BFSI setup like ABC Bank, I recommend a federated API gateway architecture — where each region (Azure, AWS, and on-prem) hosts its own API gateway component (Azure APIM, AWS API Gateway, and Kong on-prem). This ensures compliance with data residency, low latency, and independent failover, while maintaining centralized governance and discoverability through a global API catalog and policy repository. Secure private interconnects (ExpressRoute, Direct Connect, VPN) link the environments, allowing cross-cloud API calls using mTLS and token-based authentication. Alternatively, if the enterprise prefers uniform policy enforcement across all clouds, we can deploy a cloud-agnostic API gateway (e.g., Kong or Apigee) with federated data planes across clouds and a unified control plane.”
✅ Key takeaway
There’s no single API gateway across clouds unless you deploy a cloud-agnostic one (e.g., Kong, Apigee, Tyk).
In BFSI, most prefer “federated API gateways per region + central governance” for compliance and resiliency.
Excellent follow-up 👏 — and yes, you’re absolutely right to think in terms of “common URL” because that’s where most architects get confused during multi-cloud design.
Let’s go step by step — this is a subtle but very important concept for your Enterprise Architect interview.
🧭 Context
You have a multi-cloud hybrid deployment:
Region | Platform | Hosted Workloads |
Azure (India) | Digital Lending APIs | Loan origination, onboarding |
AWS (Singapore) | Fraud & Analytics APIs | Fraud scoring, AI models |
On-Prem (India DC) | CBS & Regulatory Systems | Account management, reporting |
You now want to expose a single consistent API endpoint to internal/external consumers (e.g., mobile app, partner APIs).
⚙️ Step 1: Understand What “Centralized API Gateway” Really Means
A centralized API gateway does not mean a single physical instance or one URL sitting in one cloud.It means a logically unified control plane (policies, API catalog, tokens, developer portal, rate limits) and distributed data planes in each region/cloud.
So yes — consumers see one common entry point (URL),but traffic is actually routed to the nearest or most appropriate region behind the scenes.
🌐 Step 2: Common URL Strategy (DNS Layer)
Yes, you can have a common URL for all multi-cloud regions, e.g.:
This URL is managed by Global DNS — examples:
Azure Traffic Manager
AWS Route 53
Cloudflare
Akamai GTM
How It Works
Client calls https://api.bank.com/loan/initiate.
DNS routes based on:
Geo-proximity (nearest region)
Health check / availability
Business routing logic (e.g., India → Azure, EU → AWS)
Once request lands in chosen region:
It is handled by the local API gateway (Azure APIM or AWS API Gateway).
Policies, authentication, rate limits, etc. are applied.
Gateway routes internally to respective microservice (cloud-native or on-prem via private link).
✅ Result
Single public URL
Multi-region, multi-cloud backend
Central governance and consistent experience
🧩 Step 3: Implementation Variants
Option 1 – DNS-Based Routing (Most Common)
api.bank.com → DNS routes → region-specific API gateways
Cloud-agnostic
Low complexity
Recommended for BFSI with strict data sovereignty
Option 2 – Global API Gateway (Cloud-Agnostic Tool)
e.g. Kong Enterprise, Apigee X, Tyk Hybrid
Single control plane manages global policies, users, and rate limits.
Each cloud has local data plane (API gateway instance).
Common developer portal & catalog.
DNS/Load balancer routes to nearest data plane.
Option 3 – Cloud Load Balancer Fronting Regional Gateways
Cloudflare, F5, or Avi Networks frontends route to multiple cloud gateways.
Common URL terminates at global LB → forwards to respective gateway via private interconnect.
🛡️ Step 4: Security & Compliance
Control | Implementation |
Authentication | OAuth2.0 / OIDC via centralized IAM (Azure AD / PingFed / ForgeRock) |
Encryption | mTLS end-to-end between consumer ↔ gateway ↔ backend |
Data Residency | DNS routes India traffic only to Azure India (PII compliant) |
DR | Secondary region routing via health probe failover |
Audit | Central API analytics + per-region log retention |
🧠 Step 5: Summary
“In a multi-cloud environment, yes — we can absolutely have a common URL for all APIs (like https://api.bank.com), even though services are deployed across Azure, AWS, and on-prem. We achieve this through global DNS routing or a centralized API gateway control plane. The DNS resolves the common URL to the nearest or compliant regional gateway — for instance, Azure APIM for India workloads and AWS API Gateway for global fraud analytics. Each gateway enforces consistent policies, authentication, and logging as defined centrally. So, while the endpoint appears unified to consumers, the traffic is regionally terminated, ensuring low latency, compliance, and resilience. This pattern is widely used in BFSI where you want global consistency with local control.”
✅ Key Takeaways:
Question | Answer |
Can we have one URL for multi-cloud APIs? | ✅ Yes — via global DNS / centralized control plane |
Is the API Gateway physically common? | ❌ No — logically unified, physically distributed |
Why is this better? | Data residency, low latency, independent failover, consistent security |
Tools to achieve this | Cloudflare, Azure Traffic Manager, Apigee X, Kong Enterprise |
🔹 api.bank.com (common URL)
🔹 DNS routing to Azure / AWS / On-Prem
🔹 Local gateways applying policies
🔹 Backends communicating over hybrid links
🎯 Question:
In a multi-cloud + on-prem hybrid setup (e.g., Azure + AWS + On-Prem), can we have a centralized API Gateway with a single common URL for all environments?
✅ Step-by-Step Explanation and Realistic Enterprise Approach (e.g., Deutsche Bank Scenario)
Step 1️⃣ — Understand the Enterprise Setup
Let’s assume:
Azure Region A → hosts Digital Lending platform
AWS Region B → hosts Customer Engagement and CRM microservices
On-Prem (Private DC) → hosts Core Banking System (CBS) and Regulatory Data Hub
So, there are 3 environments:
Azure Cloud
AWS Cloud
On-Prem Data Center
Now, each environment could have its own API Gateway for internal microservice routing.But the enterprise wants a common public endpoint — for example:
instead of separate ones like:
https://azure-api.deutschebank.com/
https://aws-api.deutschebank.com/
Step 2️⃣ — Identify the Design Options
Option A — Distributed Gateways (Per Cloud)
Each cloud uses its native gateway:
Azure → Azure API Management (APIM)
AWS → AWS API Gateway
On-Prem → Kong / Apigee / NGINX
Then, these gateways are fronted by a Global DNS + Reverse Proxy layer to route based on subdomain or path:
https://api.deutschebank.com/lending → Azure APIM
https://api.deutschebank.com/crm → AWS API Gateway
https://api.deutschebank.com/core → On-Prem API Gateway
✅ Pros:
Native integration with each cloud platform
High performance within each cloud region
❌ Cons:
Complex routing configuration
Multiple gateway management overhead
Option B — Centralized Global Gateway
Use one single enterprise API gateway as the entry point (e.g., Apigee, Kong, Mulesoft, or Azure Front Door + Global Traffic Manager).It then routes requests internally to each environment’s services.
For example:
Global Gateway (Apigee X) deployed in multi-region mode
Routes traffic securely via VPN / ExpressRoute / Private Link to:
Azure microservices (via internal APIM)
AWS microservices (via AWS PrivateLink)
On-Prem CBS (via MPLS / ExpressRoute / VPN)
✅ Pros:
Unified URL and developer experience
Single point for policies (AuthN/Z, throttling, logging, transformation)
Easier to enforce standards, compliance, and security
❌ Cons:
Slight latency due to routing through global gateway
Requires redundant setup for HA (active-active gateways)
Step 3️⃣ — Connectivity Setup
To ensure hybrid connectivity:
Azure ↔ On-Prem: via ExpressRoute
AWS ↔ On-Prem: via Direct Connect
Azure ↔ AWS: via Private interconnect or VPNAll connected through Transit Gateway or SD-WAN overlay network.
So your Global Gateway can reach internal services securely via private IPs — no public exposure.
Step 4️⃣ — Routing Mechanism (How Centralized API Works)
Let’s say the user calls:
POST https://api.deutschebank.com/lending/loan/apply
Request hits Global API Gateway (Apigee X or Azure Front Door)
Gateway performs:
Authentication (OAuth2/JWT)
Request validation
Policy enforcement
Based on route mapping, gateway forwards:
/lending/* → Azure APIM (via ExpressRoute)
/crm/* → AWS API Gateway (via PrivateLink)
/core/* → On-Prem NGINX gateway (via MPLS)
Response flows back through the same secure channel.
Step 5️⃣ — Deployment & Governance
Use Terraform or Pulumi to automate multi-cloud gateway deployments
Maintain a centralized API catalog (e.g., Azure API Center or SwaggerHub)
Enable observability (logs, metrics, tracing) via a central system like Datadog / Splunk / Dynatrace
Step 6️⃣ — Why Common URL Matters
Consistent branding (api.deutschebank.com)
Simplifies integration for fintech partners and mobile apps
Enables centralized API key / token management
Avoids hardcoding per-cloud endpoints
Step 7️⃣ — Summary
Layer | Component | Cloud/Location | Purpose |
Entry | Global API Gateway (Apigee / Mulesoft / Front Door) | Multi-Region | Single public endpoint |
Routing | Azure APIM | Azure | Routes to lending APIs |
Routing | AWS API Gateway | AWS | Routes to CRM APIs |
Routing | NGINX / Kong | On-Prem | Routes to CBS APIs |
Connectivity | ExpressRoute + DirectConnect + VPN | Hybrid | Secure interconnect |
Observability | Central APM + Logging | Multi-Cloud | End-to-end monitoring |
Summary
How will you design a centralized API gateway for multi-cloud and hybrid banking architecture?
Answer: In a regulated banking setup like Deutsche Bank, we use a centralized enterprise API gateway (e.g., Apigee X) that exposes a single unified URL for all public APIs. The gateway enforces global policies and routes requests internally to regional gateways — Azure APIM, AWS API Gateway, or On-Prem Kong — via secure private links (ExpressRoute, Direct Connect, MPLS). This allows us to maintain hybrid connectivity, ensure zero-trust security, and present a unified API experience to fintech partners and digital channels, while keeping sensitive systems like CBS within the on-prem boundary.
Excellent — this is the real-world, production-level explanation 👇Let’s look at exactly how large banks like Deutsche Bank, HSBC, Citi, or HDFC implement this multi-cloud + on-prem hybrid API gateway model in production.
🏦 Real Enterprise Scenario — Production Hybrid Setup
1️⃣ Typical Landscape
Environment | Platform | Example Workload |
Azure Cloud (Mumbai Region) | Azure Kubernetes Service (AKS), Azure SQL, Azure APIM | Digital Lending, Customer Onboarding |
AWS Cloud (Mumbai Region) | EKS, RDS, AWS API Gateway | CRM, Digital Marketing, Notifications |
On-Prem Data Center (Pune or Navi Mumbai) | IBM / VMware clusters, Oracle DB, Finacle CBS, Payment Switch | Core Banking, Payments, Regulatory Systems |
2️⃣ Why Hybrid Is Needed
Even though lending, onboarding, and CRM are cloud-native:
Regulatory or sensitive systems (CBS, AML, Payment Hub) cannot move to public cloud.
They are retained on-prem due to RBI, GDPR, and internal data sovereignty policies.
Still, these systems must interact with cloud-native systems (like lending).
👉 So hybrid connectivity becomes mandatory — not optional.
3️⃣ Network & Connectivity Setup (Production Reality)
a. Private Network Links
Each environment is privately connected — no traffic goes over the public internet.
Connection Type | From | To | Description |
Azure ExpressRoute | Azure VNet | On-Prem | Private 10 Gbps MPLS link for CBS and regulatory data exchange |
AWS Direct Connect | AWS VPC | On-Prem | Secure pipe for CRM and notification systems |
Azure ↔ AWS Peering | Azure VNet | AWS VPC | Private VPN or Megaport / Equinix interconnect for cross-cloud service calls |
💡 These links terminate in a central DMZ zone within the bank’s enterprise network where firewalls, load balancers, and proxies enforce all traffic rules.
b. DNS & Routing
DNS zones like api.deutschebank.com are managed centrally (often via Akamai, Infoblox, or Azure DNS).
Routing policies (geo + latency-based) ensure:
Requests from India hit Azure Mumbai first
Failover to AWS Mumbai if needed (active-active setup)
4️⃣ API Gateway Design in Production
Layered Architecture
Layer | Product Used | Purpose |
Global Gateway (Entry Point) | Apigee X / Mulesoft / Kong Enterprise | Common external endpoint (api.deutschebank.com) |
Regional Gateways | Azure APIM / AWS API Gateway / NGINX (On-Prem) | Environment-specific service routing |
Internal Mesh | Istio / Dapr / Consul | Service-to-service discovery within each region |
How Traffic Flows in Real Life
Example → Customer applies for a loan via mobile app.
https://api.deutschebank.com/lending/apply→ Hits Apigee Global Gateway hosted in HA across Azure & AWS.
Apigee authenticates (OAuth2 token validation with Azure AD / PingFed).
Apigee routes the call to the right backend:
Lending microservice on Azure AKS
via private ExpressRoute peered network
Lending service needs to check CBS account eligibility.
Publishes message to Kafka topic hosted on Azure (private endpoint)
On-Prem CBS adapter consumes from same topic via ExpressRoute link
Adapter writes back loan_account_created event
Response sent back to Apigee → client.
End-to-end observability through Splunk + Prometheus + Dynatrace.
5️⃣ API URL Strategy (Real Production Style)
API | Gateway | URL | Hosted Where |
Lending APIs | Azure APIM | Azure | |
CRM APIs | AWS API Gateway | AWS | |
Core Banking APIs | On-Prem Kong | On-Prem | |
Global Entry | Apigee X | Multi-cloud |
All traffic uses the same top-level URL, but internally routes via gateway mappings.
6️⃣ Deployment & Governance Setup
a. Code + Config Deployment
Infra as Code (IaC): Terraform or Ansible for all cloud resources
API Config: GitOps with Azure DevOps or Jenkins pipelines
Deployment Pattern: Canary or Blue-Green releases for gateway updates
Change Governance: Controlled via CAB (Change Advisory Board)
b. Observability & Security
Concern | Tool | Implementation |
Logging | Splunk / ELK | Correlated transaction IDs across clouds |
Tracing | OpenTelemetry / Jaeger | API latency breakdown |
Security | Azure AD + Ping + WAF | Centralized authentication & policy enforcement |
Secrets | HashiCorp Vault / AWS Secrets Manager | Managed credentials |
7️⃣ Typical Security & Compliance Measures
No direct public IP exposure from on-prem or internal microservices
All communication is over private links (ExpressRoute/DirectConnect)
Mutual TLS + JWT validation between API Gateway and backend
WAF (Web Application Firewall) at entry (Akamai / Azure Front Door)
API rate limiting per client ID
Continuous compliance monitoring for RBI / GDPR
8️⃣ How This Looks in Practice
🔹 External partner (FinTech / mobile app) calls api.deutschebank.com🔹 Global API Gateway (Apigee) authenticates & routes internally🔹 API policies (quota, token, schema validation) are applied centrally🔹 Data flows over private interconnect to cloud/on-prem microservices🔹 Observability tools track every hop with trace IDs🔹 Security teams get real-time dashboards in Splunk & Dynatrace
✅ Summary — What Happens in Real Production
Layer | Product / Tech | Hosted In | Function |
Global API Gateway | Apigee X / Mulesoft | Azure + AWS | Unified entry & routing |
Regional Gateway | Azure APIM / AWS API Gateway | Respective Clouds | Cloud-specific routing |
Hybrid Connectivity | ExpressRoute, Direct Connect, VPN | Azure ↔ AWS ↔ On-Prem | Secure private network |
Internal Mesh | Istio / Dapr | AKS / EKS | Service discovery & routing |
Security Layer | Azure AD, Ping, WAF | Central | AuthN, AuthZ, rate limiting |
Monitoring | Splunk, Dynatrace | Multi-region | Central observability |
Governance | Terraform + GitOps | Global | Infra and config consistency |
Comments