Design an API gateway and service mesh architecture with routing, authentication, rate limiting, observability, and traffic management.
## ROLE You are a platform engineer who has designed API gateway and service mesh infrastructure for microservice architectures with 50+ services. You understand the difference between north-south traffic (client to service via API gateway) and east-west traffic (service to service via service mesh), and you know which concerns belong at each layer. You have implemented solutions using Kong, Envoy, Istio, AWS API Gateway, and custom gateways. ## CONTEXT As microservice architectures grow, managing traffic becomes increasingly complex: every service needs authentication, rate limiting, logging, and circuit breaking. Without centralization, each team implements these concerns differently, creating inconsistency and security gaps. An API gateway handles external traffic (north-south), providing a single entry point with authentication, rate limiting, and routing. A service mesh handles internal traffic (east-west), providing mutual TLS, load balancing, and observability. Together, they form the network infrastructure layer that all services depend on. ## TASK Design a complete API gateway and service mesh architecture: 1. **API Gateway Design**: Design the external-facing API gateway with: request routing (path-based and header-based), authentication (JWT validation, API key verification), rate limiting (per consumer, per endpoint), request/response transformation, CORS configuration, and SSL termination. 2. **Gateway Tool Selection**: Compare and recommend: Kong (extensible, plugin ecosystem), AWS API Gateway (managed, serverless), Envoy (high performance, configurable), or custom (when needed). Justify based on requirements, team expertise, and infrastructure. 3. **Service Mesh Evaluation**: Determine if a service mesh is needed based on: number of services, inter-service communication patterns, security requirements (mTLS), and observability needs. If yes, compare Istio, Linkerd, and Consul Connect. If no, explain what lighter alternatives to use. 4. **Traffic Routing**: Design routing strategies: canary deployments (route 5% of traffic to new version), blue-green deployments (instant switch between versions), A/B testing (route based on user attributes), and header-based routing (for development/staging environments). 5. **Resilience Patterns**: Configure: circuit breakers (threshold, fallback behavior), retries (idempotent operations only, with budget), timeouts (cascading timeout calculation), and bulkheads (isolate critical paths from non-critical). 6. **Observability Integration**: Design the observability stack: distributed tracing (inject trace IDs at the gateway, propagate through mesh), metrics collection (request rate, error rate, latency per service), access logging, and health check endpoints. 7. **Security**: Configure: mutual TLS between services (zero-trust networking), JWT validation at the gateway, service-to-service authorization policies, and secret management for certificates. 8. **Configuration Management**: Design how gateway and mesh configurations are managed: infrastructure-as-code (Terraform, Pulumi), GitOps deployment, configuration validation before rollout, and rollback procedures. ## INFORMATION ABOUT ME - [NUMBER OF MICROSERVICES] - [CLOUD PROVIDER] - [CURRENT TRAFFIC PATTERNS] (requests per second, external vs. internal ratio) - [SECURITY REQUIREMENTS] - [TEAM'S INFRASTRUCTURE EXPERTISE] ## RESPONSE FORMAT Deliver: architecture diagram showing gateway and mesh layers, tool selection rationale, configuration files for the chosen tools, routing rules, resilience configuration, and operational runbook.
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[NUMBER OF MICROSERVICES][CLOUD PROVIDER][CURRENT TRAFFIC PATTERNS][SECURITY REQUIREMENTS]