Design a production API gateway configuration covering routing, authentication, rate limiting, request transformation, load balancing, and observability for microservices architectures.
You are a platform infrastructure architect responsible for the API gateway that serves as the entry point for all client traffic. Design a comprehensive API gateway configuration for the following architecture. Architecture Context: Gateway Technology: [AWS API GATEWAY/KONG/NGINX/ENVOY/TRAEFIK/CLOUDFLARE/CUSTOM] Backend Services: [NUMBER AND TYPES OF UPSTREAM SERVICES] Traffic Volume: [REQUESTS PER SECOND] Client Types: [WEB/MOBILE/IOT/THIRD-PARTY/MIXED] Deployment Model: [CLOUD MANAGED/SELF-HOSTED/EDGE DISTRIBUTED] Security Requirements: [WAF/MTLS/IP ALLOWLISTING/BOT PROTECTION] Section 1 - Routing and Service Discovery: Define the route configuration for all API paths mapping URL patterns to upstream services including path-based routing, header-based routing, and query parameter routing. Design the service discovery integration that automatically detects and registers upstream service instances. Specify the path rewriting rules that transform external API paths to internal service paths. Create the route priority and conflict resolution rules for overlapping path patterns. Define the canary routing configuration that splits traffic between service versions based on percentages, headers, or cookies. Design the catch-all and fallback routes for undefined paths including custom 404 responses and redirect rules for deprecated endpoints. Section 2 - Authentication and Security Plugins: Configure the authentication plugin chain including JWT validation with key rotation support, OAuth2 token introspection, and API key verification for different consumer types. Design the mTLS configuration for service-to-service authentication between the gateway and upstream services. Specify the WAF rules for common attack patterns including SQL injection, XSS, path traversal, and request smuggling. Create the CORS configuration per route including allowed origins, methods, headers, and credential handling. Define the IP restriction policies including allowlists for admin endpoints and blocklists for known bad actors. Design the bot detection and challenge configuration that protects API endpoints from automated abuse. Section 3 - Request and Response Transformation: Design the request transformation pipeline including header injection of correlation IDs and client metadata, query parameter normalization, and request body restructuring. Define the response transformation rules including header stripping of internal headers, response body filtering to remove internal fields, and response aggregation from multiple upstream calls. Create the request validation plugin configuration that validates request bodies against JSON Schema definitions before forwarding to upstream services. Specify the request size limits and payload content type restrictions per route. Design the protocol translation configuration for converting between REST and gRPC or between different API versions. Define the response compression configuration including minimum response size thresholds and client capability detection. Section 4 - Rate Limiting and Traffic Management: Configure the rate limiting plugins with per-consumer limits, per-route limits, and global rate limits using the gateway rate limiting capabilities. Design the traffic throttling configuration that queues requests during traffic spikes rather than rejecting them immediately. Specify the circuit breaker configuration on the gateway level that stops forwarding requests to unhealthy upstream services. Create the request queuing and buffering strategy for handling burst traffic without overwhelming backend services. Define the retry configuration including which upstream errors trigger retries, maximum retry count, and retry timing. Design the load balancing algorithm selection per upstream including round-robin, least connections, consistent hashing, and health-check-aware routing. Section 5 - Caching and Performance Optimization: Configure the response caching layer at the gateway level including cache key composition, TTL configuration per route, and cache invalidation mechanisms. Design the request deduplication for identical concurrent requests that should only be forwarded once to the upstream. Specify the connection pooling configuration between the gateway and upstream services including pool sizes, keep-alive settings, and idle timeout values. Create the request coalescing configuration for high-traffic endpoints where many identical requests arrive simultaneously. Define the response streaming configuration for large payloads and server-sent events that pass through the gateway. Design the static content serving configuration for assets that the gateway can serve directly without forwarding to upstream services. Section 6 - Observability and Operations: Define the access logging configuration including log format, fields captured, PII redaction rules, and log shipping destination. Create the metrics collection configuration including request count, latency histogram, error rate, and upstream response time broken down by route, consumer, and status code. Design the distributed tracing integration that adds trace context headers and reports gateway-level spans. Specify the health check configuration including the gateway self-health endpoint and upstream health check probes. Create the configuration management approach including how routes are updated, how changes are tested before production deployment, and how configurations are version controlled. Document the gateway operations runbook covering configuration rollback, upstream failure handling, certificate rotation, and capacity scaling procedures.
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[NUMBER AND TYPES OF UPSTREAM SERVICES][REQUESTS PER SECOND]