Reverse Proxies and API Gateways: The Smart Edge

TL;DR: A reverse proxy terminates client connections, hides origin topology, and adds TLS, compression, and retries. An API gateway is a reverse proxy with product policy: auth, rate limits, quotas, and developer portals. Netflix Zuul 2 handles over 1,000,000 req/s across 80+ clusters^[1], while Envoy typically adds single-digit millisecond p99 latency overhead as a sidecar proxy^[2]. Default to a thin reverse proxy (Envoy or NGINX) when you need routing and TLS. Reach for a full API gateway only when you need per-consumer auth, quotas, and a developer portal. Keep business logic out of the gateway or it becomes a distributed monolith.

Learning Objectives#

After this module, you will be able to:

• Distinguish a reverse proxy from a load balancer from an API gateway and pick the right tool
• Design TLS termination and mTLS between gateway and services
• Implement path and header routing, canary releases, and A/B splits at the edge
• Configure authentication (JWT, OAuth2, API keys) and per-tenant rate limits in a gateway filter chain
• Explain north-south vs east-west traffic patterns and why one gateway cannot serve both well
• Avoid the "distributed monolith" anti-pattern where the gateway owns business logic

Intuition#

You check into a large hotel. The concierge at the front desk does not carry your bags, cook your food, or clean your room. But every request you make passes through her. She verifies your reservation (authentication), checks whether your room type allows pool access (authorization), tells you which elevator bank serves your floor (routing), and politely limits how many towels you can take per day (rate limiting). Behind the desk, dozens of staff handle the actual work. You never see the kitchen, the laundry, or the maintenance crew. You just talk to the concierge.

A reverse proxy is that concierge. It sits between every client and every backend service. It terminates TLS so backends do not manage certificates. It compresses responses so backends do not burn CPU on gzip. It buffers slow clients so backends are not held hostage by a trickle of bytes. And it routes requests to the right upstream based on path, header, or hostname.

An API gateway is a concierge who also runs the loyalty program: she issues room keys (API keys), tracks how many requests each guest has made this month (quotas), and publishes a directory of hotel services (developer portal). The concierge role is the same. The scope of responsibility is wider.

The rest of this chapter makes that distinction precise and teaches you when a thin concierge is enough and when you need the full loyalty-program desk.

Theory#

Reverse proxy vs load balancer vs API gateway#

These three roles overlap heavily, and the same binary often plays all three. The distinction is about primary responsibility:

• A load balancer distributes traffic across N identical backends. Its job is even spread and health tracking. See Load Balancers.
• A reverse proxy terminates the client connection and forwards it to an upstream. Its job is protocol handling: TLS, HTTP/2, compression, buffering, header rewriting, and connection pooling.
• An API gateway enforces API product policy. Its job is business-layer concerns: authentication, authorization, per-consumer rate limits, request transformation, schema validation, and developer portals.

In practice, NGINX, Envoy, HAProxy, and Caddy can act as all three. Kong, Apigee, and AWS API Gateway push the gateway role up the stack with richer business features. The question is never "which category does my tool belong to?" but "which responsibilities does my deployment own?"

All three roles share routing as common ground; tools like Envoy and Kong span all three, while simpler tools specialize.

What reverse proxies do#

A reverse proxy owns six protocol-level concerns that you do not want every backend to implement:

1. TLS termination. The proxy holds certificates, negotiates TLS 1.3, and speaks cleartext (or re-encrypted mTLS) to backends. This centralizes certificate rotation and offloads expensive handshakes^[3].
2. HTTP/2 and HTTP/3 at the edge. The proxy speaks multiplexed protocols to clients while backends can stay on simple HTTP/1.1 with keepalive pools.
3. Compression. Gzip or Brotli on the response path, saving bandwidth without backend CPU.
4. Request buffering. The proxy absorbs slow clients (mobile on 3G) so backends are not blocked waiting for bytes. This is the defense against slowloris-style attacks^[4].
5. Connection pooling. Instead of each client opening a TCP connection to each backend, the proxy maintains a small pool of keepalive connections per upstream. Netflix's Zuul 2 reduced total fleet connections 10x by adding HTTP/2 multiplexing and deterministic subsetting to its pools^[5].
6. Header rewriting and request routing. Path-based, header-based, or hostname-based routing to different upstream clusters. Canary splits, A/B tests, and blue-green deploys are all routing rules at the proxy.

API gateway capabilities#

An API gateway adds product-layer concerns on top of the reverse proxy:

Authentication and authorization. JWT verification against a JWKS endpoint, OAuth2 token introspection, API key lookup, and mTLS client certificate validation. Centralizing auth in the gateway means individual services do not each re-implement JWT validation (badly)^[6].

Rate limiting and quotas. Per-consumer, per-endpoint, per-plan limits. A free-tier user gets 100 req/min; a paid user gets 10,000. The gateway enforces this before the request reaches the backend, saving compute on rejected traffic.

Request and response transformation. Rewrite paths, inject headers, translate protocols (REST to gRPC, JSON to Protobuf), validate request schemas against OpenAPI specs, and aggregate multiple backend calls into a single client response.

Developer portal and key management. Issue API keys, display documentation, track usage analytics, and manage subscription plans. This is where Kong, Apigee, and Tyk differentiate from raw Envoy.

The core tension: a fat gateway centralizes these concerns (good for consistency) but becomes a shared dependency where every team queues to ship changes and a bad deploy blasts every consumer^[6:1].

North-south vs east-west#

North-south traffic crosses the trust boundary: browsers, mobile apps, and partner APIs hitting your edge. It needs heavy security: WAF, DDoS defense, TLS termination, geographic routing, bot detection, and rate limiting by IP.

East-west traffic flows between internal services. It cares about mTLS, service discovery, retries, circuit breakers, and locality-aware load balancing. The threat model is different: you trust the network (mostly), but you need authenticated service identity.

North-south gateway faces untrusted clients with heavy security; east-west sidecars speak mTLS between trusted services with lightweight policy.

One gateway cannot be optimized for both. Lyft runs Envoy in both roles with different configs: a centralized front proxy for egress/ingress, and per-service Envoy sidecars for east-west^[2:1]. Envoy Gateway (CNCF, GA 2024) is the Kubernetes-native control plane for north-south; Istio is the control plane for east-west^[7].

Rule of thumb: default to Envoy for east-west (sidecar or ambient mesh). Use a managed API gateway (AWS API Gateway, Cloudflare) for north-south when your team is small. Graduate to self-hosted Envoy or Kong when per-request cost or feature needs outgrow the managed offering.

Patterns: BFF, strangler fig, and request coalescing#

Backend for Frontend (BFF). Instead of one general-purpose gateway, each client type (web, iOS, Android) gets its own dedicated edge service that aggregates downstream microservices into client-shaped responses^[8]. The web BFF concatenates four calls into a single response matching the web view model. The mobile BFF returns a smaller, battery-friendly shape. Each BFF is owned by the team that owns that client.

Strangler fig. The gateway fronts both the legacy monolith and new services, routing requests to the new service when ready and leaving the rest on the monolith. The monolith shrinks one route at a time until it can be decommissioned^[9]. Shopify built exactly this with Lua in NGINX+OpenResty: rules routed requests between the legacy Rails storefront and the new Storefront Renderer, with rates for render, forward-verify, reverse-verify, and self-verify^[10].

The gateway progressively routes paths from the legacy monolith to new services; rollback is setting one percentage to zero.

Request coalescing. When many clients request the same resource simultaneously (a cache stampede), the gateway collapses duplicate in-flight requests into one upstream call and fans the response back to all waiting clients. NGINX calls this proxy_cache_lock; Envoy achieves similar behavior through its cache filter configuration.

Canonical configurations#

NGINX. Single-binary C daemon, one worker per core, event-loop driven. Excels at static file serving and simple reverse proxying. Configuration is file-based and requires a reload (or NGINX Plus for dynamic upstreams). Community benchmarks report 50K to 80K rps on dual-Xeon hardware for simple reverse proxying (highly workload-dependent)^[11]. Slowloris defense requires explicit timeout tuning^[4:1].

Envoy. C++ proxy, single-process multi-threaded. First-class xDS API for dynamic configuration without restarts. Built-in support for HTTP/2, gRPC, circuit breakers, outlier detection, and distributed tracing. The default choice for service mesh sidecars (Istio, Consul Connect). Adds single-digit millisecond p99 latency overhead in typical sidecar deployments^[2:2].

Traefik. Go binary with native Kubernetes integration. Auto-discovers services via IngressRoute CRDs. Automatic Let's Encrypt certificates via ACME. Middlewares (rate limit, retry, circuit breaker) compose declaratively. Best for small-to-medium Kubernetes deployments where simplicity beats raw performance.

Caddy. Go binary that defaults to HTTPS. Provisions Let's Encrypt certificates automatically, including on-demand TLS for SaaS custom domains^[12]. The simplest reverse proxy to configure correctly. Use it when you want zero-config TLS and do not need mesh-level features.

Kong. Lua-based API gateway built on NGINX/OpenResty. Plugin ecosystem for auth, rate limiting, logging, and transformations. Enterprise edition adds a developer portal, RBAC, and analytics. The sweet spot for teams that need gateway product features without building from scratch.

Real-World Example#

Netflix Zuul 2: async gateway at 1M+ requests per second#

Netflix routes all external traffic through Zuul 2, an async gateway built on Netty. As of 2018, the fleet comprised 80+ Zuul 2 clusters routing to approximately 100 origin clusters, handling over 1,000,000 requests per second for 125M+ streaming members^[1:1].

Architecture. Zuul 2 processes requests through a three-stage filter pipeline: inbound filters (routing, auth, decoration), an endpoint filter (static response or proxy to origin), and outbound filters (compression, metrics, response shaping). Filter logic is written in Groovy/Java and owned by feature teams; the Netty plumbing (connection handling, proxying, bookkeeping) is owned by the platform team^[1:2].

Why async? Zuul 1 used a servlet-per-request model. At Netflix scale, connection cost dominates CPU cost. A slow origin holding 10,000 servlet threads blocks the entire gateway. Zuul 2's Netty event loops handle connections without dedicating a thread per request, which bought connection scaling and resilience against slow origins^[3:1].

The connection explosion problem. With one connection pool per event loop per origin, the math explodes: 16 cores x 800 origin servers x 100 Zuul instances = 1.28 million connections. When mTLS arrived, each connection required an expensive handshake. The fix: HTTP/2 multiplexing plus Google's Ringsteady deterministic subsetting algorithm, applied per event loop. Result: 10x fewer connections at peak with no load-balancing fairness loss, plus ~4% CPU, ~15% heap, and ~3% latency reduction^[5:1].

Self-serve routing. Teams publish routing rules (path/header predicates mapped to percentages and origins) that gateway instances pick up dynamically. This enables canary deploys, sticky canary, sharding, and dark testing without touching gateway code^[1:3].

A request through Zuul 2's filter pipeline: auth and rate limiting can short-circuit before the request reaches the origin, saving backend compute.

The lesson: separate filter logic (owned by feature teams) from data-plane plumbing (owned by platform). Let teams self-serve routing rules. And when connection math explodes, fix it with protocol multiplexing and subsetting, not more hardware.

Trade-offs#

Common Pitfalls#

Exercise#

You are launching a public API for a fintech product: 50 endpoints, OAuth2 with per-client rate limits, mTLS between gateway and services, audit logs, and a developer portal. Compare AWS API Gateway + Lambda authorizer, Kong on Kubernetes, and a hand-rolled Envoy configuration. Recommend one with cost and ownership justification.

Key Takeaways#

• A reverse proxy handles routing and TLS. An API gateway adds product features: auth, quotas, keys, portals. Most tools (Envoy, NGINX, Kong) can play multiple roles.
• Keep business logic out of the gateway. It should enforce cross-cutting policy, not implement features. If gateway config grows faster than your service fleet, you are centralizing logic that belongs in services.
• North-south and east-west traffic have different threat models and different optimal tools. Do not force one gateway to serve both.
• The BFF pattern gives each client team its own gateway, eliminating the shared-gateway coordination bottleneck. Use it when you have distinct client shapes (web, mobile, partner).
• The strangler fig pattern uses the gateway as a traffic splitter during migrations. Rollback is setting one percentage to zero.
• Cloud gateways win below ~5,000 rps sustained. Above that, per-request cost dominates and self-hosted wins.
• Netflix Zuul 2 proves that separating filter logic (team-owned) from data-plane plumbing (platform-owned) scales to 1M+ rps across 80+ clusters^[1:5].

Further Reading#

• Zuul 2: The Netflix Journey to Asynchronous, Non-Blocking Systems - The honest retro on why Netflix moved to Netty and what async actually bought them (connection scaling, not CPU).
• Curbing Connection Churn in Zuul - 2023 deep dive on HTTP/2 multiplexing + Ringsteady subsetting for 10x connection reduction; essential reading for anyone managing proxy connection pools.
• Designing Edge Gateway, Uber's API Lifecycle Management Platform - How Uber built a self-serve gateway deployed as 40+ independent services for 1,600 APIs (with 40% of engineering contributing code) without the gateway becoming a distributed monolith.
• Apollo Router: our GraphQL Federation runtime in Rust - Benchmarks showing 8x throughput vs Node.js gateway; read this before choosing a GraphQL composition layer.
• Eliminating Cold Starts 2: shard and conquer - Cloudflare's technique for 99.99% warm-request rate using consistent hash rings inside each datacenter; the counterpoint to Lambda cold starts.
• Pattern: Backends For Frontends (Sam Newman) - The canonical source for the BFF pattern; read before splitting your gateway per client type.
• Strangler fig pattern (AWS Prescriptive Guidance) - Incremental monolith-to-microservices migration via gateway routing; the safest path when "rewrite from scratch" is not an option.
• Envoy Proxy documentation - The canonical reference for filter chains, xDS dynamic configuration, and HTTP connection manager; required reading for any Envoy deployment.

Flashcards#

References#