Module 5 · API Gateways & Zero-Trust at Scale 🔒

At scale — hundreds of services, dozens of teams, multiple regions — consistent API security depends on infrastructure, not per-service discipline. API gateways and service meshes provide that infrastructure: centralized auth, traffic management, observability, and policy enforcement. This module covers the major API gateway products in 2026, service mesh patterns, and zero-trust architecture for APIs.

What an API gateway provides

• Single entry point for clients — clients hit gateway, not backends directly
• AuthN / AuthZ enforcement centralised — JWT validation, OAuth introspection, API key check
• Rate limiting + quota — per-consumer policies in one place
• Request/response transformation — header injection, body shape changes
• Observability — every request logged, metric’d, traced
• Routing — path-based, header-based to specific backend services
• Caching — at the edge for read-heavy endpoints
• Circuit breaking — failing backends isolated from cascading failure

Major API gateways in 2026

Cloud-managed

• AWS API Gateway — REST + HTTP + WebSocket APIs; integrates with Lambda, AppSync; expensive at high scale
• Azure API Management — full lifecycle (developer portal, versioning, monetization); strong policy engine
• GCP API Gateway / Apigee — Apigee is the heavyweight enterprise tool; basic API Gateway is the budget option

Self-hosted / open source

• Kong Gateway — Lua-based plugins, broad ecosystem; Konnect SaaS variant
• Tyk — Go-based, lightweight, multi-tenant friendly
• KrakenD — Go-based aggregator-style; strong for backend-for-frontend (BFF) patterns
• Envoy — not a gateway but the underlying proxy used by many; Gloo / Contour build gateways on it
• Traefik — Kubernetes-native ingress + gateway features

Service mesh — east-west traffic security

API gateways handle north-south (client to first service). Service meshes handle east-west (service to service inside the network). What a mesh provides:

• mTLS everywhere — automatic cert provisioning, rotation, enforcement between services
• Service identity — every service has a SPIFFE-style identity
• Traffic policy — which service can call which; deny by default
• Observability — distributed tracing without instrumenting code
• Resilience — retries, timeouts, circuit breaking centrally configured

Major mesh products

• Istio — most feature-rich, also most complex. Sidecar architecture (Envoy proxy injected into every pod)
• Linkerd — lighter-weight alternative; Rust-based proxy; faster, simpler, fewer features
• Consul Connect — HashiCorp’s mesh; integrates with Consul service discovery
• Cilium Service Mesh — eBPF-based; no sidecar overhead; gaining adoption
• App Mesh (AWS) — managed mesh; lock-in but operational simplicity

Zero-trust API architecture

Zero-trust principles applied to APIs:

CLIENT
  │
  ▼
EDGE / WAF (Cloudflare, Akamai)
  - DDoS, geo-block, basic rate limit
  │
  ▼
API GATEWAY (Kong, Apigee)
  - JWT validation, per-consumer rate limit, routing
  - Logs every request to SIEM
  │
  ▼
SERVICE MESH ENVOY SIDECAR (Istio, Linkerd)
  - Validates upstream service identity (mTLS)
  - Enforces policy: "service A may call service B's read-only methods"
  │
  ▼
APPLICATION
  - Business-logic authorization
  - Object-level access checks
  - Audit log entry