Unified API Router

Custom Rust-based request router providing a single API endpoint for dozens of microservices

The Challenge

A single API Gateway doesn't scale naturally alongside dozens of microservices while maintaining a unified API surface. Each microservice team deploying its own API Gateway creates fragmentation: different endpoints, inconsistent authentication, and operational complexity. Clients shouldn't need to know which microservice handles which route.

The system needed a single entry point that could route requests to the correct backend service, enforce security policies consistently, and allow configuration changes without redeployment, all while keeping everything within a private VPC.

The Architecture

Request Flow

WAF → CloudFront → VPC Origins → Private ALB → ECS (Rust Router) → VPC Endpoint → Private API Gateways

A custom Rust-based router runs on ECS, sitting between CloudFront and multiple private REST API Gateways. Each microservice deploys its own private API Gateway with a custom private zone domain. The router handles all incoming requests and forwards them to the appropriate backend based on path matching.

Configuration Architecture

Configuration is split between two stores for security and operational separation:

S3 Bucket (Operations)

Controls which domains the router listens to and which domains it's allowed to route to. Managed by the operations team.

Security whitelist: unauthorized routes fail even if present in DynamoDB

DynamoDB Table (CI/CD)

Stores the mapping of root paths to API Gateway routes. Updated automatically by microservice deployment pipelines.

Route registry: microservices self-register during deployment

The router polls both stores for updates, so configuration changes never require a redeployment. The split also gives each role only the permissions it needs: operations controls the security boundaries, while CI/CD processes manage route registration.

Security Controls

Defense in Depth

  • Routes to unauthorized destinations fail: DynamoDB entries without S3 whitelist approval are rejected
  • No way for end users to inject hostnames or access local metadata addresses
  • Entire flow restricted to an isolated VPC with private zone DNS
  • WAF at the edge provides additional request filtering

Authentication & Authorization

  • Basic authorization header validation
  • JWT token validation
  • IAM authorization passthrough
  • All headers forwarded (except Host, which is rewritten)
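The two-store model described under Configuration Architecture, the "unauthorized destinations fail" rule under Defense in Depth, and the Host rewrite listed above all come together in one decision: where does a request go? The following is an added illustration, not the router's own source code. Struct and field names (OpsConfig, Route, listen_hosts, allowed_backends, root_path, backend_prefix) and all hostnames and paths are this example's assumptions; the real S3 and DynamoDB schemas are not shown on the page.

```rust
use std::collections::HashSet;

// Snapshot of the operations-controlled store (the S3 bucket on the page).
// Field names are this example's own assumptions, not the project's schema.
#[derive(Debug, Clone)]
pub struct OpsConfig {
    pub listen_hosts: HashSet<String>,     // hostnames the router answers for
    pub allowed_backends: HashSet<String>, // hostnames it may forward to (the whitelist)
}

// One entry from the CI/CD-managed route registry (the DynamoDB table on the page).
#[derive(Debug, Clone)]
pub struct Route {
    pub root_path: String,      // e.g. "/orders"
    pub backend_host: String,   // private-zone name of that service's API Gateway
    pub backend_prefix: String, // stage/base path on the backend, e.g. "/prod"
}

#[derive(Debug, PartialEq)]
pub enum RouteError {
    UnknownHost,       // request Host is not one the router listens on
    NoRoute,           // no registered root path matches the request path
    BackendNotAllowed, // route is in the registry but its backend is not whitelisted
}

#[derive(Debug, PartialEq)]
pub struct Upstream {
    pub host: String,
    pub path: String,
}

pub struct Router {
    ops: OpsConfig,
    routes: Vec<Route>,
}

impl Router {
    // Built from fresh snapshots of both stores on each poll; the whole value is
    // swapped in, so a request never sees a half-updated table.
    pub fn new(ops: OpsConfig, mut routes: Vec<Route>) -> Self {
        // Longest root path first, so "/orders/v2" wins over "/orders".
        routes.sort_by(|a, b| b.root_path.len().cmp(&a.root_path.len()));
        Router { ops, routes }
    }

    // Decide where a request goes. The upstream host comes only from the
    // registry plus the whitelist, never from anything the client sent, which is
    // what keeps hostname injection and metadata-address access off the table.
    pub fn resolve(&self, host_header: &str, path: &str) -> Result<Upstream, RouteError> {
        // Normalise the Host header: drop any port, compare case-insensitively.
        let host = host_header.split(':').next().unwrap_or("").to_ascii_lowercase();
        if !self.ops.listen_hosts.contains(&host) {
            return Err(RouteError::UnknownHost);
        }
        // Match on whole path segments so "/ordersx" does not match "/orders".
        let route = self
            .routes
            .iter()
            .find(|r| path == r.root_path || path.starts_with(&format!("{}/", r.root_path)))
            .ok_or(RouteError::NoRoute)?;
        // Defense in depth: a registry entry alone is not enough to forward.
        if !self.ops.allowed_backends.contains(&route.backend_host) {
            return Err(RouteError::BackendNotAllowed);
        }
        // The full client path is kept behind the backend's stage prefix.
        Ok(Upstream {
            host: route.backend_host.clone(),
            path: format!("{}{}", route.backend_prefix, path),
        })
    }
}

// Forward every client header except Host, which is rewritten to the upstream.
pub fn upstream_headers(incoming: &[(String, String)], upstream: &Upstream) -> Vec<(String, String)> {
    let mut out: Vec<(String, String)> = incoming
        .iter()
        .filter(|(name, _)| !name.eq_ignore_ascii_case("host"))
        .cloned()
        .collect();
    out.push(("host".to_string(), upstream.host.clone()));
    out
}

// Constructed sample data: hostnames and paths are placeholders, not the page's.
pub fn sample_router() -> Router {
    let ops = OpsConfig {
        listen_hosts: HashSet::from(["api.example.internal".to_string()]),
        allowed_backends: HashSet::from(["orders-api.example.internal".to_string()]),
    };
    let routes = vec![
        Route { root_path: "/orders".into(), backend_host: "orders-api.example.internal".into(), backend_prefix: "/prod".into() },
        // Registered by a pipeline but never whitelisted by operations: must fail.
        Route { root_path: "/billing".into(), backend_host: "billing-api.example.internal".into(), backend_prefix: "/prod".into() },
    ];
    Router::new(ops, routes)
}

fn main() {
    let router = sample_router();
    println!("{:?}", router.resolve("api.example.internal", "/orders/123"));
    println!("{:?}", router.resolve("api.example.internal", "/billing/invoice"));
}
```

The point worth noticing is the order of checks: the listen-host test runs before any route lookup, the route lookup never consults the client for a destination, and a registry hit still has to pass the whitelist. Rebuilding the whole Router from each poll (rather than mutating it in place) is what lets route changes land without a redeploy while keeping every request's view of the configuration consistent.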

Certificate Handling

Certificates that API Gateway presents over VPC Endpoints are issued for the execute-api hostname rather than for the custom private-zone domain the router connects to. The router overrides certificate validation to handle this mismatch correctly while maintaining security.

Technology Stack

Rust, ECS, CloudFront, VPC Origins, ALB, VPC Endpoints, Private API Gateway, WAF, S3, DynamoDB, Route 53 Private Zones

Outcomes

Unified API Surface

Single endpoint for clients regardless of which microservice handles the request

Zero-Downtime Config

Route changes and security updates without router redeployment

Team Autonomy

Microservice teams deploy independently; routes self-register via CI/CD

Security Boundaries

Clear separation between operations (whitelist) and development (routes)
