Guided Lab Brief

API Gateway & Authentication

Add an API gateway for centralized auth, rate limiting, and request routing.

Overview

In a real system, you don't let anyone hit your servers freely.

You will build 5 architecture steps that model production dependencies.

You will run 2 failure experiments to observe bottlenecks and recovery behavior.

Success target: All traffic is authenticated and rate-limited before reaching backend servers.

Learning Objectives

  • Understand the API Gateway pattern as a security boundary
  • Know how JWT authentication works at the gateway level
  • Learn about rate limiting algorithms (token bucket vs sliding window)
  • Experience the impact of misconfigured rate limits

Experiments

  1. Set the API Gateway rate limit to 10 rps to see what happens with overly aggressive rate limiting
  2. Disable authentication on the API Gateway to see unprotected APIs

Failure Modes to Trigger

  • Trigger: Set the API Gateway rate limit to 10 rps to see what happens with overly aggressive rate limiting

    Observe: With a 10 rps limit and 500 rps incoming, 98% of legitimate requests are rejected. Users see '429 Too Many Requests' everywhere. Your app is essentially broken for everyone.

  • Trigger: Disable authentication on the API Gateway to see unprotected APIs

    Observe: With auth disabled, anyone can hit your API endpoints. Attackers can read/modify user data, make unauthorized purchases, delete accounts - anything the API allows. This is a critical security vulnerability.
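
The first failure mode above can be reproduced offline. The sketch below is an added example, not part of the lab's own tooling: it replays 500 rps of evenly spaced traffic through a token bucket and a sliding-window limiter, each set to 10 rps, and counts the 429s. The class names, the burst size of 10, the 10-second run and the 600 rps comparison value are assumptions made for illustration.

```python
from collections import deque

class TokenBucket:
    """Token bucket with integer math (milli-tokens) to avoid float drift."""
    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s        # tokens/s equals milli-tokens per ms
        self.cap = burst * 1000       # assumed burst allowance
        self.tokens = self.cap        # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:       # one whole token per request
            self.tokens -= 1000
            return True
        return False                  # gateway would answer 429

class SlidingWindowLog:
    """Sliding window: at most `limit` accepted requests in any window."""
    def __init__(self, limit, window_ms=1000):
        self.limit, self.window_ms = limit, window_ms
        self.accepted = deque()

    def allow(self, now_ms):
        # Drop accepted timestamps that have aged out of the window.
        while self.accepted and self.accepted[0] <= now_ms - self.window_ms:
            self.accepted.popleft()
        if len(self.accepted) < self.limit:
            self.accepted.append(now_ms)
            return True
        return False

def simulate(limiter, incoming_rps=500, seconds=10):
    """Replay evenly spaced requests; return (accepted, rejected_with_429)."""
    gap_ms = 1000 // incoming_rps     # assumes incoming_rps divides 1000
    total = incoming_rps * seconds
    accepted = sum(limiter.allow(i * gap_ms) for i in range(total))
    return accepted, total - accepted

if __name__ == "__main__":
    cases = [("token bucket, 10 rps", TokenBucket(10, 10)),
             ("sliding window, 10 rps", SlidingWindowLog(10)),
             ("token bucket, 600 rps", TokenBucket(600, 600))]
    for name, limiter in cases:
        ok, rejected = simulate(limiter)
        pct = 100 * rejected / (ok + rejected)
        print(f"{name}: accepted={ok} rejected={rejected} ({pct:.1f}% 429s)")
```

The token bucket lets the initial burst through and then admits one request every 100 ms, while the sliding window admits exactly 10 per second; both land at roughly the 98% rejection the lab describes, and a limit sized above the real traffic rejects nothing.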