Focused Infrastructure Lesson
USEREDGEGWAPI

API Gateway

Front door for API traffic: policy first, backend second. WAF filtering usually happens earlier, and plain traffic forwarding can happen in a reverse proxy around it.

Shared Front Door Stack

Same entrance, different jobs

These are roles, not always separate products. One vendor can collapse two or three of these into one box, which is why the diagrams can look similar.

WAF / Firewall

Is this malicious enough to block?

Security filtering, bot rules, attack scoring, challenge or block.

Reverse Proxy

Where should I forward this?

Forwarding, TLS termination, load balancing, buffering, hiding origins.

This Page

API Gateway

Is this API request allowed?

Auth, quotas, validation, transforms, versioning, aggregation.

Backend

What does the business logic do?

Domain rules, database writes, long jobs, transactions.

Cloudflare can combine CDN + WAF + edge proxyNGINX can do reverse proxy + load balancingKong adds API policy on top of a proxy-style front door
What It Does

Same gateway, different jobs

Routing: Gateway reads the path or host and sends the request to the right backend.
Client
WAF / Edge
API Gateway
routeauthlimit
Auth API
Orders API
Profile API
Remember It

Gateway is traffic control, not your business brain

Gateway Owns

Route
Auth
Rate Limit
Headers
Safe Cache

Backend Owns

Business Rules
DB Writes
Long Jobs
Domain Logic
Transactions

WAF decides whether to block. Reverse proxy decides where to forward. API gateway decides whether this API call is allowed and how it should be shaped.

Implementation

Gateway behavior in code

app.use("/api", async (req, res, next) => {
  const token = req.headers.authorization

  if (!token || !isValid(token)) {
    return res.status(401).json({ error: "unauthorized" })
  }

  return proxy.web(req, res, {
    target: pickUpstream(req.path),
  })
})