API Gateway
Front door for API traffic: policy first, backend second. WAF filtering usually happens earlier, and plain traffic forwarding can happen in a reverse proxy around it.
Same entrance, different jobs
These are roles, not always separate products. One vendor can collapse two or three of these into one box, which is why the diagrams can look similar.
WAF / Firewall
Is this malicious enough to block?
Security filtering, bot rules, attack scoring, challenge or block.
Reverse Proxy
Where should I forward this?
Forwarding, TLS termination, load balancing, buffering, hiding origins.
API Gateway
Is this API request allowed?
Auth, quotas, validation, transforms, versioning, aggregation.
Backend
What does the business logic do?
Domain rules, database writes, long jobs, transactions.
Same gateway, different jobs
Gateway is traffic control, not your business brain
Gateway Owns
Backend Owns
WAF decides whether to block. Reverse proxy decides where to forward. API gateway decides whether this API call is allowed and how it should be shaped.
Gateway behavior in code
app.use("/api", async (req, res, next) => {
const token = req.headers.authorization
if (!token || !isValid(token)) {
return res.status(401).json({ error: "unauthorized" })
}
return proxy.web(req, res, {
target: pickUpstream(req.path),
})
})