What Is an API Gateway?
Introduction
An API Gateway is a server that acts as a single entry point for a set of microservices. It handles requests by routing them to the appropriate backend service, while also handling cross-cutting concerns like authentication, logging, and rate limiting.
The Problem: Without API Gateway
When building microservices or multiple APIs, challenges arise:
┌─────────────────────────────────────────────────────────────────────┐
│ WITHOUT API GATEWAY │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Client │ │ Client │ │ Client │ │ Client │ │
│ │ App │ │ Web │ │ Mobile │ │ API │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │ │
│ ▼ ▼ ▼ ▼ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ Orders │ │ Products│ │ Users │ │ Payments│ │
│ │ API │ │ API │ │ API │ │ API │ │
│ │ :5001 │ │ :5002 │ │ :5003 │ │ :5004 │ │
│ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │
│ │ │ │ │ │
│ └──────────────┴──────────────┴──────────────┘ │
│ | │
│ ▼ │
│ ┌───────────┐ │
│ │ Database │ │
│ └───────────┘ │
│ │
│ Problems: │
│ ❌ Client needs to know all service endpoints │
│ ❌ Each service needs its own authentication │
│ ❌ No centralized logging or monitoring │
│ ❌ Hard to implement rate limiting │
│ ❌ Service URLs change = client code changes │
│ ❌ Duplicated validation logic in each service │
│ │
└─────────────────────────────────────────────────────────────────────┘
Issues in Detail
- Tight Coupling — Clients are coupled to multiple backend services
- Scattered Security — Each service implements auth differently
- Inconsistent Rate Limiting — No unified throttling
- Multiple Round Trips — Clients call multiple services separately
- Maintenance Burden — Changes require updates across services
The Solution: With API Gateway
┌─────────────────────────────────────────────────────────────────────┐
│ WITH API GATEWAY │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Client │ │ Client │ │ Client │ │ Client │ │
│ │ App │ │ Web │ │ Mobile │ │ API │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │ │
│ └───────────────┴───────────────┴───────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ API GATEWAY │ │
│ │ │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ Routing │ │ Auth │ │ Caching │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ Rate Limit │ │ Transform │ │ Logging │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │
│ └────────────────────────┬────────────────────────────────────┘ │
│ │ │
│ ┌──────────────────┼──────────────────┐ │
│ ▼ ▼ ▼ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ Orders │ │ Products│ │ Users │ │
│ │ API │ │ API │ │ API │ │
│ └─────────┘ └─────────┘ └─────────┘ │
│ │
│ Benefits: │
│ ✅ Single endpoint for all clients │
│ ✅ Centralized cross-cutting concerns │
│ ✅ Backend services can evolve independently │
│ ✅ Unified security and rate limiting │
│ ✅ Analytics and monitoring in one place │
│ │
└─────────────────────────────────────────────────────────────────────┘
Azure API Management (APIM)
Azure API Management is Microsoft's fully managed API gateway service that provides a complete solution for publishing, securing, transforming, maintaining, and monitoring APIs.
Core Components
| Component | Purpose | Description |
|---|---|---|
| Gateway | Traffic handling | Routes, secures, and accelerates API requests |
| Developer Portal | Self-service | Interactive API documentation, testing, onboarding |
| Management API | Automation | Programmatic control via REST API |
| Analytics | Monitoring | Usage patterns, health metrics, alerts |
Architecture
┌─────────────────────────────────────────────────────────────────────┐
│ APIM ARCHITECTURE │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ Developers / Partners │ │
│ │ │ │
│ │ • API Documentation (Developer Portal) │ │
│ │ • API Keys and Subscriptions │ │
│ │ • Testing and Monitoring │ │
│ └────────────────────────────┬────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ API Gateway │ │
│ │ │ │
│ │ Request ──▶ Validation ──▶ Auth ──▶ Transform ──▶ Route │ │
│ │ ◀─── Response ◀── Transform ◀── Cache ◀── Backend│ │
│ │ │ │
│ │ Features: │ │
│ │ • JWT Validation, API Keys │ │
│ │ • Rate Limiting, Quotas │ │
│ │ • Request/Response Transformation │ │
│ │ • Caching │ │
│ │ • Logging │ │
│ └────────────────────────────┬────────────────────────────────┘ │
│ │ │
│ ┌──────────────────────┼──────────────────────┐ │
│ ▼ ▼ ▼ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ Web API │ │Azure │ │ On- │ │
│ │ (App │ │Functions│ │ premise │ │
│ │ Service)│ │ │ │ API │ │
│ └─────────┘ └─────────┘ └─────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
Key Features
1. Reverse Proxy
Client Request: GET /api/v1/orders/123
│
▼
APIM Gateway: /orders-api/orders/123 ──▶ Backend: http://internal-api/orders/123
- Hides actual backend URLs
- Provides consistent API surface
2. Authentication
<!-- JWT Validation Policy -->
<inbound>
<validate-jwt header-name="Authorization">
<openid-config url="https://login.microsoftonline.com/tenant/v2.0/.well-known/openid-configuration" />
<audiences>
<audience>api://my-api</audience>
</audiences>
</validate-jwt>
</inbound>
- OAuth 2.0 / OpenID Connect
- API Keys
- Client Certificates
3. Rate Limiting
<inbound>
<rate-limit-by-key calls="100" renewal-period="60" counter-key="@(context.Subscription.Id)" />
</inbound>
- Per-subscription throttling
- Global rate limiting
- Custom rate key (by IP, user, etc.)
4. Caching
<outbound>
<cache-lookup vary-by-header="Accept" />
<cache-store duration="3600" />
</outbound>
- Response caching
- Custom cache keys
- Redis integration
5. Transformation
<!-- Rewrite URL -->
<rewrite-uri template="/orders/{orderId}" />
<!-- Add header -->
<set-header name="X-Backend" exists-action="override">
<value>orders-service-v2</value>
</set-header>
<!-- Convert XML to JSON -->
<xml-to-json policy="transform" apply="always" />
- URL rewriting
- Header manipulation
- Format conversion
6. Versioning
/api/v1/orders ──▶ Version 1
/api/v2/orders ──▶ Version 2
/api/orders ──▶ Current version
- Path-based versioning
- Header-based versioning
- Query parameter versioning
7. Monitoring
- Request/response logging
- Usage analytics
- Performance metrics
- Alerting
Use Cases
| Use Case | Description | Example |
|---|---|---|
| Microservices | Unified entry for multiple services | Single endpoint for all backend services |
| Legacy Modernization | Wrap old APIs in modern interface | Expose SOAP services as REST |
| Partner APIs | Controlled external access | Third-party developer access |
| Mobile Backends | Optimize for mobile clients | Reduced payloads, batching |
| Security | Central authentication | OAuth, token validation |
| Analytics | API usage insights | Track which APIs are popular |
Real-World Example: E-Commerce Platform
┌─────────────────────────────────────────────────────────────────────┐
│ E-COMMERCE API GATEWAY │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ APIM Gateway (api.mystore.com) │
│ │ │
│ ├── /api/v1/products ──▶ Products Microservice │
│ │ │
│ ├── /api/v1/orders ──▶ Orders Microservice │
│ │ │
│ ├── /api/v1/customers ──▶ Customer Microservice │
│ │ │
│ └── /api/v1/inventory ──▶ Inventory Microservice │
│ │
│ Applied Policies: │
│ ✓ JWT validation on all endpoints │
│ ✓ Rate limiting (100 req/min for standard, 1000 for premium) │
│ ✓ Response caching for product listings (5 min TTL) │
│ ✓ Request transformation for legacy backend │
│ ✓ Analytics for usage monitoring │
│ │
└─────────────────────────────────────────────────────────────────────┘
Pricing Tiers
| Tier | Best For | Features |
|---|---|---|
| Consumption | Low volume, serverless | Pay-per-request, auto-scale |
| Basic | < 5M requests/month | Core gateway features |
| Standard | Production workloads | Full gateway + portal |
| Premium | Enterprise, global | VNet, multiple regions, WAF |
Choosing a Tier
| Requirement | Recommended Tier |
|---|---|
| Test/Development | Consumption |
| Production with low traffic | Basic |
| Production with moderate traffic | Standard |
| Enterprise with global presence | Premium |
Next Steps
- Create Your First API in APIM — Learn how to import and publish an API
- Explore Developer Portal — Set up interactive documentation
- Understand Subscription Keys — Manage API access
Azure Integration Hub - Beginner Level