api-gateway-configurator
Configure and manage API gateways including Kong, Tyk, AWS API Gateway, and Apigee. Activates when users need help setting up API gateways, rate limiting, authentication, request transformation, or API management.
allowed_tools: Read, Write, Edit, Bash, Grep, Glob
$ 설치
git clone https://github.com/Dexploarer/hyper-forge /tmp/hyper-forge && cp -r /tmp/hyper-forge/.claude/skills/api-gateway-configurator ~/.claude/skills/hyper-forge// tip: Run this command in your terminal to install the skill
SKILL.md
name: api-gateway-configurator description: Configure and manage API gateways including Kong, Tyk, AWS API Gateway, and Apigee. Activates when users need help setting up API gateways, rate limiting, authentication, request transformation, or API management. allowed-tools: [Read, Write, Edit, Bash, Grep, Glob]
API Gateway Configurator
Enterprise skill for configuring and managing API gateways for microservices architectures.
When to Use
This skill should be used when:
- Setting up API gateway for microservices
- Configuring rate limiting and throttling
- Implementing API authentication and authorization
- Setting up request/response transformation
- Configuring API routing and load balancing
- Implementing API versioning strategies
- Setting up API monitoring and analytics
- Managing API documentation and developer portals
Instructions
Step 1: Choose API Gateway Platform
Select the appropriate API gateway based on requirements:
Kong Gateway (Open Source/Enterprise):
- Best for: Kubernetes-native, plugin ecosystem
- Strengths: Performance, extensibility, cloud-native
- Use cases: Microservices, multi-cloud, hybrid cloud
AWS API Gateway:
- Best for: AWS-native applications, serverless
- Strengths: AWS integration, managed service, scalability
- Use cases: Lambda functions, AWS services, serverless APIs
Tyk:
- Best for: GraphQL, multi-cloud, analytics
- Strengths: Developer portal, analytics, open source
- Use cases: GraphQL federation, API analytics
Apigee (Google Cloud):
- Best for: Enterprise API management, monetization
- Strengths: Analytics, developer portal, API products
- Use cases: External APIs, partner APIs, API monetization
Step 2: Configure Core Features
Kong Configuration Example:
# kong.yml - Declarative configuration
_format_version: "3.0"
services:
- name: user-service
url: http://user-service:8080
routes:
- name: user-routes
paths:
- /api/v1/users
methods:
- GET
- POST
strip_path: false
plugins:
- name: rate-limiting
config:
minute: 100
policy: local
- name: jwt
config:
claims_to_verify:
- exp
- name: cors
config:
origins:
- "*"
methods:
- GET
- POST
headers:
- Accept
- Authorization
max_age: 3600
- name: order-service
url: http://order-service:8080
routes:
- name: order-routes
paths:
- /api/v1/orders
plugins:
- name: rate-limiting
config:
minute: 50
- name: request-transformer
config:
add:
headers:
- "X-Gateway:Kong"
# Global plugins
plugins:
- name: prometheus
config:
per_consumer: true
- name: correlation-id
config:
header_name: X-Correlation-ID
generator: uuid
AWS API Gateway Configuration:
# serverless.yml for AWS API Gateway
provider:
name: aws
runtime: nodejs18.x
apiGateway:
apiKeys:
- name: premium-api-key
value: ${env:API_KEY}
usagePlan:
- premium:
quota:
limit: 5000
period: MONTH
throttle:
burstLimit: 200
rateLimit: 100
resourcePolicy:
- Effect: Allow
Principal: "*"
Action: execute-api:Invoke
Resource:
- execute-api:/*/*/*
functions:
getUsers:
handler: users.getUsers
events:
- http:
path: users
method: get
cors: true
authorizer:
name: jwtAuthorizer
type: request
request:
parameters:
querystrings:
page: false
limit: false
throttling:
maxRequestsPerSecond: 100
maxConcurrentRequests: 50
createUser:
handler: users.createUser
events:
- http:
path: users
method: post
cors: true
authorizer: jwtAuthorizer
Step 3: Implement Authentication & Authorization
JWT Authentication (Kong):
# Create JWT consumer
consumers:
- username: mobile-app
jwt_credentials:
- key: mobile-app-key
algorithm: HS256
secret: ${JWT_SECRET}
# Apply JWT plugin to service
services:
- name: protected-service
plugins:
- name: jwt
config:
header_names:
- Authorization
claims_to_verify:
- exp
- nbf
OAuth2 (Kong):
plugins:
- name: oauth2
config:
scopes:
- read
- write
- admin
mandatory_scope: true
enable_authorization_code: true
enable_client_credentials: true
enable_implicit_grant: false
token_expiration: 3600
refresh_token_ttl: 2592000
Step 4: Configure Rate Limiting & Throttling
# Kong - Multiple rate limiting strategies
plugins:
# Per-consumer rate limiting
- name: rate-limiting
consumer: mobile-app
config:
second: 10
minute: 100
hour: 1000
policy: redis
redis:
host: redis-cluster
port: 6379
database: 0
# Advanced rate limiting
- name: rate-limiting-advanced
config:
limit:
- minute: 100
- hour: 1000
window_size:
- 60
- 3600
sync_rate: 10
strategy: cluster
dictionary_name: kong_rate_limiting_counters
Step 5: Set Up Request/Response Transformation
# Request transformation
plugins:
- name: request-transformer
config:
add:
headers:
- "X-Request-ID:$(uuid)"
- "X-Forwarded-For:$(client_ip)"
querystring:
- "version:v1"
remove:
headers:
- "Authorization" # Don't pass to backend
replace:
headers:
- "Host:backend-service"
# Response transformation
plugins:
- name: response-transformer
config:
add:
headers:
- "X-Response-Time:$(latency)"
- "X-Gateway:Kong"
remove:
headers:
- "X-Internal-Secret"
replace:
json:
- "$.metadata.source:api-gateway"
Step 6: Implement API Versioning
# URL path versioning
services:
- name: user-service-v1
url: http://user-service-v1:8080
routes:
- paths:
- /api/v1/users
- name: user-service-v2
url: http://user-service-v2:8080
routes:
- paths:
- /api/v2/users
# Header-based versioning
routes:
- name: versioned-route
paths:
- /api/users
plugins:
- name: request-transformer
config:
add:
headers:
- "X-API-Version:$(header.Accept-Version)"
Step 7: Configure Monitoring & Analytics
# Prometheus metrics
plugins:
- name: prometheus
config:
per_consumer: true
status_code_metrics: true
latency_metrics: true
bandwidth_metrics: true
upstream_health_metrics: true
# Logging
plugins:
- name: file-log
config:
path: /var/log/kong/access.log
reopen: true
- name: http-log
config:
http_endpoint: http://log-aggregator:8080/logs
method: POST
content_type: application/json
timeout: 10000
keepalive: 60000
# Datadog integration
plugins:
- name: datadog
config:
host: datadog-agent
port: 8125
metrics:
- name: request_count
stat_type: counter
- name: latency
stat_type: timer
Best Practices
Security:
- ✅ Always use HTTPS/TLS for API gateway
- ✅ Implement JWT or OAuth2 for authentication
- ✅ Use API keys for external partners
- ✅ Enable CORS with specific origins
- ✅ Implement request size limits
- ✅ Add security headers (HSTS, CSP, etc.)
Performance:
- ✅ Enable caching for GET requests
- ✅ Use Redis for distributed rate limiting
- ✅ Configure connection pooling to backends
- ✅ Set appropriate timeouts
- ✅ Enable gzip compression
- ✅ Use CDN for static content
Reliability:
- ✅ Configure health checks for backends
- ✅ Implement circuit breakers
- ✅ Set up retry policies
- ✅ Configure fallback responses
- ✅ Use multiple gateway instances
- ✅ Monitor gateway metrics
Operations:
- ✅ Use declarative configuration (GitOps)
- ✅ Version control gateway configs
- ✅ Implement blue-green deployments
- ✅ Set up comprehensive logging
- ✅ Configure alerts for anomalies
- ✅ Regular security audits
Examples
Example 1: Microservices E-Commerce Gateway
# Kong configuration for e-commerce platform
services:
- name: product-catalog
url: http://catalog-service:8080
routes:
- paths: ["/api/v1/products"]
plugins:
- name: rate-limiting
config:
minute: 1000
- name: cors
- name: jwt
- name: response-cache
config:
strategy: memory
memory:
dictionary_name: kong_cache
- name: shopping-cart
url: http://cart-service:8080
routes:
- paths: ["/api/v1/cart"]
plugins:
- name: rate-limiting
config:
minute: 100
- name: jwt
- name: request-size-limiting
config:
allowed_payload_size: 10
- name: checkout
url: http://checkout-service:8080
routes:
- paths: ["/api/v1/checkout"]
plugins:
- name: rate-limiting
config:
minute: 50
- name: jwt
- name: bot-detection
- name: ip-restriction
config:
allow:
- 10.0.0.0/8
Example 2: AWS API Gateway with Lambda
# API Gateway with Lambda integration
functions:
getUserProfile:
handler: handlers/users.getProfile
events:
- http:
path: users/{userId}/profile
method: get
cors:
origin: 'https://app.example.com'
headers:
- Content-Type
- Authorization
authorizer:
arn: arn:aws:lambda:us-east-1:123456789:function:authorizer
resultTtlInSeconds: 300
identitySource: method.request.header.Authorization
request:
parameters:
paths:
userId: true
caching:
enabled: true
ttlInSeconds: 300
dataEncrypted: true
Common Mistakes to Avoid
- ❌ Not implementing rate limiting
- ❌ Exposing internal service URLs
- ❌ No authentication on public APIs
- ❌ Missing CORS configuration
- ❌ No monitoring or logging
- ❌ Hardcoding credentials in config
- ❌ Not versioning APIs
- ❌ Single gateway instance (no HA)
- ❌ No request/response validation
- ❌ Missing error handling
✅ Correct approach:
- Implement multi-layer rate limiting
- Use service discovery internally
- JWT/OAuth2 authentication
- Proper CORS with allowed origins
- Comprehensive monitoring
- Use environment variables/secrets
- Version APIs from day one
- Deploy in HA configuration
- Validate all inputs/outputs
- Implement circuit breakers
Tips
- 💡 Start with managed API gateway for faster setup
- 💡 Use declarative configuration for repeatability
- 💡 Implement caching to reduce backend load
- 💡 Monitor gateway metrics continuously
- 💡 Use API gateway for security boundary
- 💡 Implement request tracing for debugging
- 💡 Version APIs early, migrate gradually
- 💡 Test rate limiting before production
Related Skills/Commands
Skills:
microservices-orchestrator- Microservices architectureservice-mesh-integrator- Service mesh integrationdistributed-tracing-setup- Request tracing
Commands:
/dependency-graph- Visualize API dependencies/load-test-suite- Test API gateway performance/security-posture- Security assessment
Agents:
enterprise-architect- Architecture designsecurity-architect- Security configurationsre-consultant- SLO/SLI setup
Notes
API Gateway Selection Criteria:
- ✅ Kong: Best for Kubernetes, open source, plugin ecosystem
- ✅ AWS API Gateway: Best for AWS Lambda, managed service
- ✅ Tyk: Best for GraphQL, analytics, multi-cloud
- ✅ Apigee: Best for enterprise API management
Common Patterns:
- Backend for Frontend (BFF) pattern
- API composition
- API aggregation
- Protocol translation (REST to gRPC)
- Request/response transformation
Production Checklist:
- TLS/HTTPS enabled
- Authentication configured
- Rate limiting implemented
- CORS configured
- Monitoring enabled
- Logging configured
- Health checks set up
- High availability (3+ instances)
- Backup and disaster recovery
- Documentation updated
Repository
Dexploarer
Author
Dexploarer/hyper-forge/.claude/skills/api-gateway-configurator
2
Stars
1
Forks
Updated2d ago
Added1w ago