Design an API Gateway / Edge Layer

APIsNetworkingSecurityCachingReliability

Interview Question

Design a multi-tenant API gateway that handles routing, auth, rate limiting, request/response transformations, canarying, and observability across regions.

Key Points to Cover

Request lifecycle: TLS termination, authn/z, routing, transforms
Policy control plane vs data plane separation; hot reload of rules
Rate limiting/quotas per tenant and endpoint; burst handling
Resilience: circuit breaking, retries, timeouts, hedging
Multi-region routing (Geo/DNS/Anycast) and canary/blue-green
Observability: structured logs, distributed tracing, per-route SLOs

Evaluation Rubric

Clear request lifecycle & components25% weight

Sound control/data plane separation25% weight

Robust resilience & rollout strategy25% weight

Strong observability & SLO thinking25% weight

Hints

💡Consider Envoy/NGINX at the edge with a declarative control plane.

Common Pitfalls to Avoid

⚠️Single point of failure for the gateway itself.
⚠️Inefficient or unscalable rate limiting implementation.
⚠️Lack of granular tenant isolation in policies and configuration.
⚠️Inadequate observability leading to blind spots in performance or security.
⚠️Complex and brittle request/response transformation logic that is difficult to manage.

Potential Follow-up Questions

❓How do you do multi-tenant isolation?
❓How would you ship breaking header transforms safely?

Back to System Design View All Categories