Knowledge Guide
HomeSystem DesignAPI Gateway

medium Design an API Gateway

Design an API Gateway (RESHADED)

An API gateway is the single front door that terminates TLS, authenticates the caller, enforces rate limits, routes to the right upstream, and emits telemetry — so every backend service does not re-implement those cross-cutting concerns. The whole design question is a latency-and-availability accounting: it adds one hop and one shared dependency (the rate-limit store), so you must show the arithmetic that says the hop pays for itself and pick an explicit consistency stance for the counter. This page synthesizes the scattered building blocks (fleet sizing, availability, the Redis limiter, the traced request) into the one end-to-end problem a senior must defend.

R — Requirements

E — Estimation (show the arithmetic; each number drives a decision)

StepArithmeticDecision it forces
Throughputpeak 60,000 RPS; each node sustains ~3,000 RPS → 60,000 ÷ 3,000 = 20 serving nodes (+2 headroom = 22)stateless nodes behind an L7 LB; scale out horizontally
Limiter load1 INCR per request → ~60,000 ops/s on the counter storea single Redis (~100k+ ops/s) fits, but for HA use a two-tier local+global limiter
Bandwidth60,000 × ~10 KB avg response ≈ 600 MB/s ≈ 4.8 Gbps egressNIC/LB capacity planning; response streaming, gzip
State sizeroute table ~10k routes × 1 KB = 10 MB (in-mem per node); counters ~5M clients × ~60 B ≈ 300 MB (Redis)route table cached in memory; counters in RAM with TTL, not on disk
Latency budgetWAN RTT ~40 ms dominates; gateway work (TLS+auth+INCR+route) ≈ <2 ms in-DCthe extra hop is cheap vs N direct client→service round-trips

S — System interface

Uniform edge API: ANY /{service}/{path} with the caller's JWT in Authorization. Internally the gateway owns: route(method, path) → upstream_pool, allow(client_id) → bool (limiter), and verify(jwt) → claims.

API gateway architecture with a numbered traced request path: client -> L7 LB -> gateway node (TLS, JWT auth, rate-limit INCR to Redis, route lookup) -> upstream services -> response, plus estimation arithmetic and the PA/EL CAP stance for the counter store.
API gateway architecture with a numbered traced request path: client -> L7 LB -> gateway node (TLS, JWT auth, rate-limit INCR to Redis, route lookup) -> upstream services -> response, plus estimation arithmetic and the PA/EL CAP stance for the counter store.

D — Data model

H/D — High-level & detailed: one traced write path (t=0)

  1. t=0 — request hits the L7 LB, which picks a healthy gateway node (least-conn).
  2. TLS terminate at the node (keep-alive to upstreams reused).
  3. AuthN — verify the JWT signature locally against cached JWKS (~0.1 ms, no network). Bad/expired → 401 immediately.
  4. Rate-limitINCR {client}:{minute} on Redis; if the result > limit → 429. If Redis times out → fail-open (allow) on normal endpoints.
  5. Route lookup — in-memory route table → upstream pool; apply timeout.
  6. Forward to the upstream (intra-DC ~1–2 ms), await, transform the response.
  7. Return to the client; emit metrics/traces asynchronously, off the hot path.

E — Evaluate: the explicit CAP/PACELC stance for the counter store

The rate-limit counter is the one shared, per-request dependency, so its consistency choice is the crux. Choose PA / EL: under a partition, prefer Availability (serve traffic, tolerate a slightly-loose count) over Consistency (blocking requests to agree on an exact count); and with no partition, prefer Latency (a fast local decision) over a strictly-consistent global count. Concretely:

Judgment layer — why, why-not, alternatives, trade-off

Pitfalls

Takeaways


Re-authored and deepened for this guide, synthesizing standard API-gateway design (Grokking / DesignGurus, Hello Interview), CAP/PACELC (Abadi), and rate-limiting patterns. Re-authored/Deepened for this guide.

🤖 Don't fully get this? Learn it with Claude

Stuck on Design an API Gateway? Open Claude, copy a block below, and it'll teach you this exact concept — visually and interactively.

🪜 Hint ladder (no spoilers)

Progressively stronger hints — you still solve it.

I'm working on the problem **Design an API Gateway** (System Design). Give me a HINT LADDER: start with the tiniest nudge, then wait. Only reveal the next, stronger hint when I ask. Do NOT show the full solution unless I type 'show solution'. Keep me doing the thinking. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.
🎨 Explain the approach visually

See the technique, not just code.

Explain the optimal approach to **Design an API Gateway** with a VISUAL walkthrough: trace it on a small concrete example using ASCII art / a step-by-step diagram, narrate what changes each step, then give time & space complexity with a one-line derivation. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.
🔍 Review my solution

Catch bugs, edge cases, sub-optimality.

I'll paste my solution to **Design an API Gateway**. Review it for correctness, missed edge cases, and time/space complexity, then coach me toward the optimal — don't just rewrite it. Ask me to paste my code now. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.
🔁 Drill the pattern

Lock in recognition with look-alikes.

Give me 2 problems that use the SAME underlying pattern as **Design an API Gateway**. For each, let me attempt first, then review my answer and name the trigger signal that reveals the pattern. If you're unsure or a claim isn't standard, say so and reason from first principles instead of guessing.

📝 My notes