| name | api-gateway-configurator |
| description | Configure and manage API gateways including Kong, Tyk, AWS API Gateway, and Apigee. Activates when users need help setting up API gateways, rate limiting, authentication, request transformation, or API management. |
| allowed-tools | ["Read","Write","Edit","Bash","Grep","Glob"] |
API Gateway Configurator
Enterprise skill for configuring and managing API gateways for microservices architectures.
When to Use
This skill should be used when:
- Setting up API gateway for microservices
- Configuring rate limiting and throttling
- Implementing API authentication and authorization
- Setting up request/response transformation
- Configuring API routing and load balancing
- Implementing API versioning strategies
- Setting up API monitoring and analytics
- Managing API documentation and developer portals
Instructions
Step 1: Choose API Gateway Platform
Select the appropriate API gateway based on requirements:
Kong Gateway (Open Source/Enterprise):
- Best for: Kubernetes-native, plugin ecosystem
- Strengths: Performance, extensibility, cloud-native
- Use cases: Microservices, multi-cloud, hybrid cloud
AWS API Gateway:
- Best for: AWS-native applications, serverless
- Strengths: AWS integration, managed service, scalability
- Use cases: Lambda functions, AWS services, serverless APIs
Tyk:
- Best for: GraphQL, multi-cloud, analytics
- Strengths: Developer portal, analytics, open source
- Use cases: GraphQL federation, API analytics
Apigee (Google Cloud):
- Best for: Enterprise API management, monetization
- Strengths: Analytics, developer portal, API products
- Use cases: External APIs, partner APIs, API monetization
Step 2: Configure Core Features
Kong Configuration Example:
_format_version: "3.0"
services:
- name: user-service
url: http://user-service:8080
routes:
- name: user-routes
paths:
- /api/v1/users
methods:
- GET
- POST
strip_path: false
plugins:
- name: rate-limiting
config:
minute: 100
policy: local
- name: jwt
config:
claims_to_verify:
- exp
- name: cors
config:
origins:
- "*"
methods:
- GET
- POST
headers:
- Accept
- Authorization
max_age: 3600
- name: order-service
url: http://order-service:8080
routes:
- name: order-routes
paths:
- /api/v1/orders
plugins:
- name: rate-limiting
config:
minute: 50
- name: request-transformer
config:
add:
headers:
- "X-Gateway:Kong"
plugins:
- name: prometheus
config:
per_consumer: true
- name: correlation-id
config:
header_name: X-Correlation-ID
generator: uuid
AWS API Gateway Configuration:
provider:
name: aws
runtime: nodejs18.x
apiGateway:
apiKeys:
- name: premium-api-key
value: ${env:API_KEY}
usagePlan:
- premium:
quota:
limit: 5000
period: MONTH
throttle:
burstLimit: 200
rateLimit: 100
resourcePolicy:
- Effect: Allow
Principal: "*"
Action: execute-api:Invoke
Resource:
- execute-api:/*/*/*
functions:
getUsers:
handler: users.getUsers
events:
- http:
path: users
method: get
cors: true
authorizer:
name: jwtAuthorizer
type: request
request:
parameters:
querystrings:
page: false
limit: false
throttling:
maxRequestsPerSecond: 100
maxConcurrentRequests: 50
createUser:
handler: users.createUser
events:
- http:
path: users
method: post
cors: true
authorizer: jwtAuthorizer
Step 3: Implement Authentication & Authorization
JWT Authentication (Kong):
consumers:
- username: mobile-app
jwt_credentials:
- key: mobile-app-key
algorithm: HS256
secret: ${JWT_SECRET}
services:
- name: protected-service
plugins:
- name: jwt
config:
header_names:
- Authorization
claims_to_verify:
- exp
- nbf
OAuth2 (Kong):
plugins:
- name: oauth2
config:
scopes:
- read
- write
- admin
mandatory_scope: true
enable_authorization_code: true
enable_client_credentials: true
enable_implicit_grant: false
token_expiration: 3600
refresh_token_ttl: 2592000
Step 4: Configure Rate Limiting & Throttling
plugins:
- name: rate-limiting
consumer: mobile-app
config:
second: 10
minute: 100
hour: 1000
policy: redis
redis:
host: redis-cluster
port: 6379
database: 0
- name: rate-limiting-advanced
config:
limit:
- minute: 100
- hour: 1000
window_size:
- 60
- 3600
sync_rate: 10
strategy: cluster
dictionary_name: kong_rate_limiting_counters
Step 5: Set Up Request/Response Transformation
plugins:
- name: request-transformer
config:
add:
headers:
- "X-Request-ID:$(uuid)"
- "X-Forwarded-For:$(client_ip)"
querystring:
- "version:v1"
remove:
headers:
- "Authorization"
replace:
headers:
- "Host:backend-service"
plugins:
- name: response-transformer
config:
add:
headers:
- "X-Response-Time:$(latency)"
- "X-Gateway:Kong"
remove:
headers:
- "X-Internal-Secret"
replace:
json:
- "$.metadata.source:api-gateway"
Step 6: Implement API Versioning
services:
- name: user-service-v1
url: http://user-service-v1:8080
routes:
- paths:
- /api/v1/users
- name: user-service-v2
url: http://user-service-v2:8080
routes:
- paths:
- /api/v2/users
routes:
- name: versioned-route
paths:
- /api/users
plugins:
- name: request-transformer
config:
add:
headers:
- "X-API-Version:$(header.Accept-Version)"
Step 7: Configure Monitoring & Analytics
plugins:
- name: prometheus
config:
per_consumer: true
status_code_metrics: true
latency_metrics: true
bandwidth_metrics: true
upstream_health_metrics: true
plugins:
- name: file-log
config:
path: /var/log/kong/access.log
reopen: true
- name: http-log
config:
http_endpoint: http://log-aggregator:8080/logs
method: POST
content_type: application/json
timeout: 10000
keepalive: 60000
plugins:
- name: datadog
config:
host: datadog-agent
port: 8125
metrics:
- name: request_count
stat_type: counter
- name: latency
stat_type: timer
Best Practices
Security:
- โ
Always use HTTPS/TLS for API gateway
- โ
Implement JWT or OAuth2 for authentication
- โ
Use API keys for external partners
- โ
Enable CORS with specific origins
- โ
Implement request size limits
- โ
Add security headers (HSTS, CSP, etc.)
Performance:
- โ
Enable caching for GET requests
- โ
Use Redis for distributed rate limiting
- โ
Configure connection pooling to backends
- โ
Set appropriate timeouts
- โ
Enable gzip compression
- โ
Use CDN for static content
Reliability:
- โ
Configure health checks for backends
- โ
Implement circuit breakers
- โ
Set up retry policies
- โ
Configure fallback responses
- โ
Use multiple gateway instances
- โ
Monitor gateway metrics
Operations:
- โ
Use declarative configuration (GitOps)
- โ
Version control gateway configs
- โ
Implement blue-green deployments
- โ
Set up comprehensive logging
- โ
Configure alerts for anomalies
- โ
Regular security audits
Examples
Example 1: Microservices E-Commerce Gateway
services:
- name: product-catalog
url: http://catalog-service:8080
routes:
- paths: ["/api/v1/products"]
plugins:
- name: rate-limiting
config:
minute: 1000
- name: cors
- name: jwt
- name: response-cache
config:
strategy: memory
memory:
dictionary_name: kong_cache
- name: shopping-cart
url: http://cart-service:8080
routes:
- paths: ["/api/v1/cart"]
plugins:
- name: rate-limiting
config:
minute: 100
- name: jwt
- name: request-size-limiting
config:
allowed_payload_size: 10
- name: checkout
url: http://checkout-service:8080
routes:
- paths: ["/api/v1/checkout"]
plugins:
- name: rate-limiting
config:
minute: 50
- name: jwt
- name: bot-detection
- name: ip-restriction
config:
allow:
- 10.0.0.0/8
Example 2: AWS API Gateway with Lambda
functions:
getUserProfile:
handler: handlers/users.getProfile
events:
- http:
path: users/{userId}/profile
method: get
cors:
origin: 'https://app.example.com'
headers:
- Content-Type
- Authorization
authorizer:
arn: arn:aws:lambda:us-east-1:123456789:function:authorizer
resultTtlInSeconds: 300
identitySource: method.request.header.Authorization
request:
parameters:
paths:
userId: true
caching:
enabled: true
ttlInSeconds: 300
dataEncrypted: true
Common Mistakes to Avoid
- โ Not implementing rate limiting
- โ Exposing internal service URLs
- โ No authentication on public APIs
- โ Missing CORS configuration
- โ No monitoring or logging
- โ Hardcoding credentials in config
- โ Not versioning APIs
- โ Single gateway instance (no HA)
- โ No request/response validation
- โ Missing error handling
โ
Correct approach:
- Implement multi-layer rate limiting
- Use service discovery internally
- JWT/OAuth2 authentication
- Proper CORS with allowed origins
- Comprehensive monitoring
- Use environment variables/secrets
- Version APIs from day one
- Deploy in HA configuration
- Validate all inputs/outputs
- Implement circuit breakers
Tips
- ๐ก Start with managed API gateway for faster setup
- ๐ก Use declarative configuration for repeatability
- ๐ก Implement caching to reduce backend load
- ๐ก Monitor gateway metrics continuously
- ๐ก Use API gateway for security boundary
- ๐ก Implement request tracing for debugging
- ๐ก Version APIs early, migrate gradually
- ๐ก Test rate limiting before production
Related Skills/Commands
Skills:
microservices-orchestrator - Microservices architectureservice-mesh-integrator - Service mesh integrationdistributed-tracing-setup - Request tracing
Commands:
/dependency-graph - Visualize API dependencies/load-test-suite - Test API gateway performance/security-posture - Security assessment
Agents:
enterprise-architect - Architecture designsecurity-architect - Security configurationsre-consultant - SLO/SLI setup
Notes
API Gateway Selection Criteria:
- โ
Kong: Best for Kubernetes, open source, plugin ecosystem
- โ
AWS API Gateway: Best for AWS Lambda, managed service
- โ
Tyk: Best for GraphQL, analytics, multi-cloud
- โ
Apigee: Best for enterprise API management
Common Patterns:
- Backend for Frontend (BFF) pattern
- API composition
- API aggregation
- Protocol translation (REST to gRPC)
- Request/response transformation
Production Checklist:
