No, an API gateway is not a “fancy load balancer”, and a load balancer does not secure your APIs the way an API gateway does.
Think of them as two different tools, not competing ones.
ALB – Helps guide web requests to the right service.
NLB – Moves network traffic fast and keeps connections steady.
API Gateway – Checks requests, applies rules, and controls how APIs are used.
To use them efficiently:
1. Separate concerns
– Let the load balancer handle L4/L7 routing, TLS termination, and health checks.
– Let the gateway handle auth, rate limiting, request validation, routing by path/version.
2. Keep the gateway “thin but smart”
– Put cross-cutting concerns there, not heavy business logic.
– Expensive work (large payload transforms, long fan-out calls) belongs in services.
3. Reduce hops
– Do not chain multiple gateways unless you really need to.
– One LB in front, one gateway layer, then services is usually enough.
4. Reuse policies
– Centralize auth, API keys, quotas, IP allow/deny lists at the gateway so they don’t have to be re-implemented in every service.
5. Design for failure and scale
– Use health checks and autoscaling on the LB side.
– Use circuit breakers, timeouts, and sensible limits in the gateway.
6. Invest in observability
– LB for connection stats.
– Gateway for per-API metrics, structured logs, and traces.
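To make the split in points 1, 2, 4 and 5 concrete, here is an added example (not from the post, and not any real gateway product's code) of the cross-cutting layer a gateway owns: API-key auth, a per-key token-bucket quota, cheap request validation, routing by version and path prefix, and a per-upstream circuit breaker with a timeout. TLS termination and health checks are deliberately absent, since those belong to the load balancer in front. The API keys, quotas and upstream backends are constructed stand-ins so the code runs offline; a real deployment would express the same rules in the gateway's configuration rather than in Python.

```python
"""Minimal gateway-layer sketch (added example): auth, rate limiting,
validation, version/path routing and circuit breaking. No business logic,
no payload transforms: those stay in the services behind it."""
import time

# Constructed sample data: known API keys and the quota attached to each.
API_KEYS = {
    "key-alpha": {"rps": 2.0, "burst": 2},
    "key-beta": {"rps": 10.0, "burst": 10},
}


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s up to `burst`."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class CircuitBreaker:
    """CLOSED -> OPEN after `threshold` consecutive failures; after `cooldown`
    seconds one probe request is let through (HALF_OPEN). A failed probe
    re-opens the circuit, a successful one closes it."""

    def __init__(self, threshold=3, cooldown=30.0):
        self.threshold, self.cooldown = threshold, cooldown
        self.failures, self.opened_at, self.state = 0, None, "CLOSED"

    def allow(self, now):
        if self.state == "OPEN" and now - self.opened_at >= self.cooldown:
            self.state = "HALF_OPEN"
        return self.state != "OPEN"

    def record(self, ok, now):
        if ok:
            self.failures, self.state = 0, "CLOSED"
            return
        self.failures += 1
        if self.state == "HALF_OPEN" or self.failures >= self.threshold:
            self.state, self.opened_at = "OPEN", now


class Gateway:
    def __init__(self, routes, clock=time.monotonic, timeout=2.0):
        self.routes = routes          # (version, path_prefix) -> upstream callable
        self.clock = clock            # injectable so the behaviour is testable
        self.timeout = timeout        # upper bound passed to every upstream call
        self.buckets = {}             # api key -> TokenBucket
        self.breakers = {route: CircuitBreaker() for route in routes}

    def handle(self, method, path, headers, body):
        now = self.clock()
        # Auth first: unknown keys never reach routing or an upstream.
        key = headers.get("x-api-key")
        if key not in API_KEYS:
            return 401, {"error": "unknown api key"}
        # Quota is per key, so one noisy client cannot starve the others.
        quota = API_KEYS[key]
        bucket = self.buckets.setdefault(key, TokenBucket(quota["rps"], quota["burst"], now))
        if not bucket.allow(now):
            return 429, {"error": "rate limited"}
        # Validation stays cheap: shape checks only, no schema-heavy transforms.
        if method == "POST" and not isinstance(body, dict):
            return 400, {"error": "body must be a JSON object"}
        # Routing by version and path prefix: /v{n}/<prefix>/...
        parts = path.strip("/").split("/", 1)
        if len(parts) != 2 or not parts[0].startswith("v"):
            return 404, {"error": "expected /v{n}/..."}
        version, rest = parts
        route = next((r for r in self.routes if r[0] == version and rest.startswith(r[1])), None)
        if route is None:
            return 404, {"error": "no route"}
        # Circuit breaker and timeout shield the caller from a sick upstream.
        breaker = self.breakers[route]
        if not breaker.allow(now):
            return 503, {"error": "upstream circuit open"}
        try:
            status, resp = self.routes[route](rest, body, timeout=self.timeout)
        except TimeoutError:
            breaker.record(False, now)
            return 504, {"error": "upstream timeout"}
        breaker.record(status < 500, now)
        return status, resp


# Constructed upstreams standing in for real services.
def orders_upstream(rest, body, timeout):
    return 200, {"order": rest.split("/", 1)[-1]}


def reports_upstream(rest, body, timeout):
    raise TimeoutError  # always slower than the gateway timeout


if __name__ == "__main__":
    gw = Gateway({("v1", "orders"): orders_upstream, ("v1", "reports"): reports_upstream})
    print(gw.handle("GET", "/v1/orders/42", {"x-api-key": "key-alpha"}, None))
    print(gw.handle("GET", "/v1/reports/daily", {"x-api-key": "key-beta"}, None))
```

Two design choices worth noting: the quota check runs before the breaker, so requests rejected by an open circuit still spend a token (cheap, and it keeps a client from hammering a recovering backend), and a single probe is allowed through after the cooldown rather than fully closing the circuit, which is what keeps a still-failing upstream from being flooded the moment the timer expires.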
