Two terms, lots of overlap
If you've ever argued about whether NGINX is a "reverse proxy" or an "API gateway," you've felt the confusion. The honest answer is that these aren't two cleanly separated products — they're two *roles*, and the same software can play either or both. Let's draw the line carefully.
What a reverse proxy does
A reverse proxy sits in front of one or more backend servers and forwards client requests to them. "Reverse" because, unlike a forward proxy (which sits in front of clients), it sits in front of servers and represents them to the outside world.
Core responsibilities:
- Request forwarding to backends based on host/path.
- Load balancing across backend instances (round-robin, least-connections, etc.).
- TLS termination — decrypt HTTPS at the edge so backends speak plain HTTP internally.
- Caching of responses.
- Compression (gzip/brotli).
- Health checks to route around dead backends.
It operates primarily at the HTTP transport level. It cares about *connections and routing*, not deeply about the *meaning* of the API.
# Minimal NGINX reverse proxy
server {
listen 443 ssl;
server_name app.example.com;
location / {
proxy_pass http://backend_pool;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
upstream backend_pool {
server 10.0.0.1:8080;
server 10.0.0.2:8080;
}What an API gateway does
An API gateway is a reverse proxy that has grown *API-aware* responsibilities. It's the single managed entry point to a collection of (often many) backend services, and it understands them as APIs.
On top of everything a reverse proxy does, a gateway typically adds:
- Authentication & authorization — validate API keys, JWTs, OAuth tokens before requests reach backends.
- Rate limiting & quotas — per-client throttling.
- Request/response transformation — rewrite headers, bodies, protocols (e.g. REST↔gRPC).
- Routing by API semantics — versioning, canary routing, A/B splits.
- API composition / aggregation — fan out to several services and merge responses.
- Observability per API — metrics, logs, and traces keyed to API operations.
- Developer-facing concerns — API keys, plans, sometimes a portal.
The gateway is where cross-cutting concerns live so each microservice doesn't reimplement auth, rate limiting, and logging.
The line, stated plainly
| Concern | Reverse proxy | API gateway |
|---|---|---|
| Forward & load balance | Yes | Yes |
| TLS termination | Yes | Yes |
| Caching/compression | Yes | Yes |
| Authn/authz | Rarely | Core feature |
| Rate limiting/quotas | Basic | Core feature |
| Request transformation | Limited | Core feature |
| API versioning/composition | No | Yes |
| Per-API analytics | Basic | Core feature |
Rule of thumb: every API gateway is a reverse proxy; not every reverse proxy is an API gateway. The gateway adds the API-management layer.
Where Kubernetes Ingress fits
In Kubernetes, Ingress (and the newer Gateway API) is the routing layer that exposes services to the outside. An Ingress controller is fundamentally a reverse proxy. Many controllers — Kong, Traefik, NGINX Ingress with plugins — can be configured to do gateway-grade things (auth, rate limiting) too. So the same component drifts along the spectrum depending on how you configure it.
This is why labels are slippery: Kong is marketed as an API gateway *and* runs as a Kubernetes ingress controller. It's the same proxy core with API-management plugins layered on.
Don't over-build
A frequent mistake is reaching for a heavyweight API gateway when a plain reverse proxy would do, paying with latency and operational complexity. Counter-mistake: scattering auth and rate-limiting logic across ten microservices because you skipped the gateway. Decide by your actual needs:
- A single app, or a few services with simple routing → a reverse proxy / ingress is plenty.
- Many services, external API consumers, per-client auth and quotas, versioning → you want a gateway.
How this looks in practice
PandaStack uses Kong ingress in front of apps on multi-region GKE, with Cloudflare handling DNS and edge protection. That gives you the reverse-proxy fundamentals — routing, TLS termination, load balancing — plus gateway-style capabilities where they matter: custom domains with automatic SSL, DDoS protection, and a firewall. Server-side metrics and analytics are captured at this edge layer into ClickHouse, which is exactly the kind of per-request visibility a gateway position enables — no SDK needed in your app.
The practical benefit for you: you deploy a service, attach a custom domain, and SSL plus routing plus protection are handled at the ingress without you wiring up a proxy yourself.
Quick decision guide
- Just need HTTPS + routing + load balancing? Reverse proxy / ingress.
- Need to authenticate and throttle external API consumers? API gateway.
- Running microservices with cross-cutting concerns? Gateway, to keep services thin.
- On Kubernetes? Your ingress controller may already cover both — configure, don't add another layer.
References
- [NGINX reverse proxy guide](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
- [Kong API gateway documentation](https://docs.konghq.com/gateway/latest/)
- [Kubernetes Ingress documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/)
- [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/)
- [Microservices API gateway pattern (microservices.io)](https://microservices.io/patterns/apigateway.html)
---
Want routing, TLS, custom domains, and DDoS protection handled for you at the edge? PandaStack fronts your apps with Kong ingress and Cloudflare automatically. Deploy free at [dashboard.pandastack.io](https://dashboard.pandastack.io).