Microservices API Gateway
A microservices gateway coordinates traffic for distributed services without requiring a full service mesh. It handles north-south traffic (public internet to your services) with JWT authentication and intelligent routing, providing a central place to route, secure, and monitor distributed microservices.
With this setup, you can:
- Handle public API traffic with JWT authentication and rate limiting
- Route requests to different microservices based on URL paths
- Apply consistent authentication and authorization policies
- Deploy and test services independently without rewriting routing logic
- Debug distributed request flows from a central gateway
1. Install the ngrok Kubernetes Operator
Install the ngrok Kubernetes Operator in your cluster. For detailed installation instructions, see the Kubernetes CRDs getting started guide.
2. Create AgentEndpoints for your microservices
Create AgentEndpoints to expose your microservices. These create internal endpoints that are not publicly accessible but can be routed through your gateway.
User service:
Loading…
Order service:
Loading…
Notification service:
Loading…
Apply these configurations:
Loading…
3. Reserve a domain
Navigate to the Domains section of the ngrok dashboard to use your free dev domain, click New + to reserve a custom domain like https://your-service.ngrok.app, or use a custom domain you already own.
We'll refer to this domain as $NGROK_DOMAIN from here on out.
4. Create a Cloud Endpoint
Navigate to the Endpoints section of the ngrok dashboard, then click New + and Cloud Endpoint.
In the URL field, enter the domain you just reserved to finish creating your Cloud Endpoint.
5. (Optional) Create secrets for authentication
Store your JWT validation keys using Traffic Policy Secrets.
Loading…
6. Apply Traffic Policy to your Cloud Endpoint
Configure your Cloud Endpoint with JWT authentication and routing to your microservices. Make sure you change each of the following values:
- $JWT_ISSUER: Replace with your JWT issuer URL
- $JWT_AUDIENCE: Replace with your JWT audience claim
- $JWT_PUBLIC_KEY_URL: Replace with your JWKS endpoint URL
- Service URLs: Replace with your actual internal service endpoints
Loading…
What's happening here? This policy creates a secure, centralized API gateway for your microservices architecture. On every HTTP request, the policy first applies Core Rule Set protection to block malicious requests like SQL injection and XSS attacks, then validates JWT tokens to ensure only authenticated users can access your APIs, and applies per-user rate limiting based on the JWT subject to prevent abuse.
The gateway intelligently routes traffic to the appropriate microservice based on URL paths—user management requests go to the user service, order-related requests to the order service, and notification requests to the notification service. On responses, it applies OWASP protection to scan outgoing content for vulnerabilities and adds service tracing headers for observability and debugging across your distributed system.
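A small model of the request-side order described above (validate the JWT, rate-limit per JWT subject, then route by path prefix), added here as an illustration; it is not ngrok's policy or code. It swaps the JWKS-based key lookup for HS256 with a shared secret so it runs on the standard library alone, leaves out the Core Rule Set steps, and the paths, limits, status codes and key are assumptions.

```python
import base64, hashlib, hmac, json
from collections import defaultdict, deque

# Constructed values for this sketch; the page gives no paths, limits or keys.
ISSUER, AUDIENCE, KEY = "https://issuer.example", "gateway-api", b"demo-secret"
ROUTES = {"/api/users": "user-service", "/api/orders": "order-service",
          "/api/notifications": "notification-service"}
CAPACITY, WINDOW = 3, 60    # requests allowed per subject per WINDOW seconds
_hits = defaultdict(deque)  # JWT subject -> timestamps of counted requests

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key=KEY, alg="HS256"):
    """Stand-in for the identity provider: sign claims with HMAC-SHA256."""
    signed = ".".join(_b64e(json.dumps(p).encode()) for p in ({"alg": alg}, claims))
    return signed + "." + _b64e(hmac.new(key, signed.encode(), hashlib.sha256).digest())

def verify(token, now):
    """Return the claims, or None if alg, signature, iss, aud, exp or sub fail."""
    try:
        head, body, sig = token.split(".")
        mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if (json.loads(_b64d(head)).get("alg") != "HS256"  # pin the algorithm
                or not hmac.compare_digest(mac, _b64d(sig))):
            return None
        claims = json.loads(_b64d(body))  # parsed only after the signature checks out
        ok = (claims.get("iss") == ISSUER and claims.get("aud") == AUDIENCE
              and claims.get("exp", 0) > now and isinstance(claims.get("sub"), str))
    except (ValueError, AttributeError, TypeError):
        return None
    return claims if ok else None

def handle(path, token, now):
    """Gateway decision as (status, upstream): authenticate, rate-limit, route."""
    claims = verify(token, now)
    if claims is None:
        return 401, None
    window = _hits[claims["sub"]]  # bucket keyed on the JWT subject
    while window and window[0] <= now - WINDOW:
        window.popleft()
    if len(window) >= CAPACITY:
        return 429, None
    window.append(now)
    # Match whole path segments so /api/usersX does not reach the user service.
    hit = [up for pre, up in ROUTES.items() if (path + "/").startswith(pre + "/")]
    return (200, hit[0]) if hit else (404, None)
```

Because the limit is applied before routing, requests to unknown paths still count against the caller's bucket, and one subject exhausting its bucket does not affect another.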
7. Try out your microservices gateway
Visit the domain you reserved either in the browser or in the terminal using a tool like curl.
You should see the app or service at the port connected to your internal Agent Endpoint.
Test the public API gateway:
Loading…
What's next?
- Read about other gateway shapes you can build with ngrok
- Learn about AgentEndpoint CRDs for more advanced Kubernetes configurations
- Explore JWT validation with different token sources and validation rules
- Use Traffic Inspector to debug microservice request flows
- Configure endpoint pooling for high availability across multiple service replicas
- Set up rate limiting with different bucket keys for fine-grained control