
API Gateway Architecture Diagram: Patterns, Tools, and Examples (2026)

How to draw an API gateway architecture diagram covering gateway patterns, Kong, AWS API Gateway, rate limiting, auth flows, and prompt templates for AI-generated gateway diagrams.

Ryan, Senior AI Engineer

An API gateway architecture diagram shows how a centralized entry point manages, routes, authenticates, and transforms traffic between clients and backend services. The API gateway pattern is foundational to microservice architectures — it handles cross-cutting concerns (auth, rate limiting, logging, SSL termination) so individual services don't have to.

This guide covers the core responsibilities of an API gateway, the major gateway products and their architectural differences, and ready-to-use prompt templates for generating accurate API gateway diagrams in seconds.

The seven responsibilities of an API gateway

Every API gateway handles some combination of these concerns. Your diagram should make clear which ones your gateway owns:

  • Routing: Match incoming requests to upstream services based on path, host, method, headers, or query parameters. Show routing rules as labeled edges from the gateway to each backend service.
  • Authentication & authorization: Validate API keys, JWTs, OAuth 2.0 access tokens, or mTLS client certificates before forwarding requests. Show the token validation flow — especially if the gateway calls an external auth server (Auth0, Keycloak, AWS Cognito).
  • Rate limiting & throttling: Enforce per-client, per-route, or global request limits using a shared rate-limit store (Redis). Show the Redis store as a dependency in cluster-mode gateway deployments.
  • Load balancing: Distribute traffic across upstream service instances using round-robin, least-connections, or weighted algorithms.
  • Request/response transformation: Translate between protocols (REST to gRPC), add/strip headers, reshape JSON payloads, or aggregate multiple upstream calls into a single response (BFF pattern).
  • Observability: Emit access logs, distributed traces (OpenTelemetry), and RED metrics (Rate, Errors, Duration) for every request. Show the log/trace egress path to your observability backend.
  • SSL/TLS termination: Accept HTTPS from clients, terminate TLS at the gateway, and optionally use mTLS to upstream services. Show the cert store (Let's Encrypt, ACM, Vault PKI) in diagrams for compliance audiences.
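To make the order of those concerns concrete, here is an added example (not code from the original article) of a minimal gateway request pipeline in Python: it authenticates first, then rate-limits on the authenticated subject rather than the source IP, then routes. It assumes an HS256 shared secret in place of the Auth0 JWKS/RS256 validation described above and an in-memory dict in place of the shared Redis counter store; route prefixes and upstream names are constructed for the example.

```python
import base64, hashlib, hmac, json
# Constructed stand-ins (added example, not the article's code): a shared HMAC secret
# replaces the Auth0 JWKS/RS256 flow, and a dict replaces the shared Redis counter store.
SECRET = b"demo-secret-not-for-production"
ROUTES = [("GET", "/orders", "order-service"),        # (method, path prefix, upstream)
          ("GET", "/products", "product-service"),    # first match wins
          ("GET", "/inventory", "inventory-grpc")]
RATE_LIMIT, WINDOW = 3, 60   # 3 requests per authenticated client per 60 s window
_counters = {}               # {(client, window_index): count}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims):
    """Mint an HS256 token; stands in for the identity provider in the tests."""
    body = b64url_encode(json.dumps({"alg": "HS256"}).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return body + "." + b64url_encode(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def verify_jwt(token, now):
    """Return the claims dict if the signature and exp are valid, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None          # check the signature before parsing any claim
        claims = json.loads(b64url_decode(payload))
    except ValueError:           # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def rate_limited(client, now):
    """Fixed-window counter keyed on the authenticated subject, not the source IP."""
    key = (client, int(now // WINDOW))
    _counters[key] = _counters.get(key, 0) + 1
    return _counters[key] > RATE_LIMIT

def handle(method, path, headers, now):
    """Gateway pipeline in order: authenticate -> rate limit -> route; returns (status, upstream)."""
    auth = headers.get("Authorization", "")
    claims = verify_jwt(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None or "sub" not in claims:
        return 401, None         # unauthenticated calls never consume a rate-limit slot
    if rate_limited(claims["sub"], now):
        return 429, None
    for m, prefix, upstream in ROUTES:
        if method == m and path.startswith(prefix):
            return 200, upstream
    return 404, None
```

Because rate limiting runs before routing, a 404 for an authenticated client still consumes a slot in its window, which is the behaviour you want when unmatched paths are being probed.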

Prompt templates for API gateway diagrams

Kong API Gateway with JWT auth

"Kong Gateway in DB-less mode deployed as a Kubernetes DaemonSet. External traffic hits an AWS NLB that routes to Kong. Kong validates JWT tokens using the JWT plugin (JWKS from Auth0). Rate limiting uses the Rate Limiting Advanced plugin with a Redis cluster as the shared counter store. Three upstream services: Order Service (REST), Product Service (REST), and Inventory Service (gRPC). Kong uses the gRPC-Gateway plugin to translate REST to gRPC for the Inventory Service. Access logs go to Datadog via the Datadog plugin. Show Kong pods, the Redis cluster, Auth0 JWKS endpoint, NLB, and the three upstream services."

AWS API Gateway with Lambda integration

"AWS API Gateway (HTTP API) serving a serverless backend. Cognito User Pool authorizer validates JWTs on all routes. /api/users routes to a Lambda function backed by DynamoDB. /api/orders routes to an ECS Fargate service (VPC Link integration). /api/products routes to a Lambda reading from Aurora Serverless. CloudFront sits in front of API Gateway for caching and WAF protection. API Gateway access logs go to CloudWatch. Show the CloudFront distribution, WAF, API Gateway, Cognito authorizer, the three route-to-backend paths, and the data stores."

Backend-for-Frontend (BFF) pattern

"BFF architecture with three specialized gateways: a Mobile BFF (optimized payloads for iOS/Android), a Web BFF (aggregated views for the React SPA), and a Partner API Gateway (versioned, rate-limited REST API for third-party integrations). All three BFFs sit behind a shared Nginx ingress. Each BFF calls a mix of: User Service, Order Service, and Notification Service. The Partner API Gateway adds an additional API key validation step via a custom auth Lambda. Show the three BFFs as separate gateway boxes, the shared Nginx ingress, the shared downstream services, and the partner-specific auth flow."

Multi-region active-active API gateway

"Multi-region API gateway using AWS Global Accelerator routing to API Gateway deployments in us-east-1 and eu-west-1. Each region runs its own Kong cluster with a local Redis for rate limiting. Rate limit counters are not synchronized across regions (eventual consistency accepted). Global Accelerator uses health checks to fail traffic over from a failed region within 30 seconds. API keys are stored in a global DynamoDB table with multi-region replication. Show the Global Accelerator, both regional Kong clusters, DynamoDB global table, and the failover path."

API gateway tools compared

| Gateway              | Deployment model           | Best for                            | Diagram complexity                  |
|----------------------|----------------------------|-------------------------------------|-------------------------------------|
| AWS API Gateway      | Managed SaaS               | Serverless / AWS-native             | Low — managed service box           |
| Kong                 | Self-hosted / Konnect SaaS | Kubernetes-native, plugin ecosystem | Medium — show plugin chain          |
| Apigee (Google)      | Managed SaaS / hybrid      | Enterprise API programs             | High — portal, analytics, policies  |
| Azure API Management | Managed SaaS               | Azure-native workloads              | Medium — policy pipeline            |
| Traefik              | Self-hosted                | Docker/K8s automatic discovery      | Low — auto-discovery from labels    |
| Nginx / Nginx Plus   | Self-hosted                | High-performance, custom configs    | Low — single reverse proxy box      |

Frequently asked questions about API gateway architecture diagrams

What is an API gateway in microservices architecture?

An API gateway is the single entry point for all external client traffic into a microservice system. It handles authentication, routing, rate limiting, and protocol translation so that individual microservices remain focused on business logic. In architecture diagrams, it appears as a central node with client connections on one side and upstream service connections on the other.

What is the difference between an API gateway and a service mesh?

An API gateway handles north-south traffic — requests entering your system from external clients. A service mesh handles east-west traffic — service-to-service communication within your cluster. Many production architectures use both: a gateway at the perimeter and a mesh (Istio, Cilium, Linkerd) for internal observability and mTLS. Both need separate architecture diagrams because they operate at different layers.

How do I diagram a BFF (Backend for Frontend) pattern?

Draw one gateway box per client type (mobile, web, partner) rather than a single shared gateway. Each BFF box connects to the same set of downstream services but with different request aggregation, payload shaping, and auth logic. Show the shared services as a tier below all BFF boxes, with arrows from each BFF to the relevant services.

Related guides: microservice architecture patterns, service mesh architecture diagrams, authentication architecture diagrams, and API design use case.
