API Gateway as Policy Enforcement in Microservices

⏱ 24 min read

There is a moment in every distributed system when the front door stops being a door and becomes a border crossing.

At first, the API gateway looks innocent enough. A routing layer. A nice place to terminate TLS, map URLs, maybe do some authentication. Teams describe it with soft words: façade, ingress, edge. Then the estate grows. Ten services become fifty. One mobile app becomes web, partner APIs, batch clients, internal tools, event-driven workflows, external vendors, and regulators asking inconvenient questions. The gateway is no longer just plumbing. It is where the organization decides who may do what, under which conditions, with what evidence, and at what cost.

That is the real story here: the API gateway as a policy enforcement point in a microservices architecture, with request flow shaped by policy interceptors rather than scattered ad hoc code. microservices architecture diagrams

This is not merely an infrastructure pattern. It is a design decision about power, consistency, domain boundaries, and operational risk. Done well, it becomes the guardrail between a fast-moving digital platform and a sprawling mess of duplicated checks, inconsistent authorization, and audit nightmares. Done badly, it becomes a god box at the edge, bloated with business logic and latency.

The distinction matters.

A gateway should enforce policy. It should not become the domain.

That line is where good architecture lives.

Context

Microservices promise autonomy. Teams own services, data, release cycles, and often their own technology choices. In theory, this buys speed and local optimization. In practice, it introduces a different tax: every cross-cutting concern wants to appear everywhere.

Authentication appears in every service. Authorization follows. So do rate limits, tenant isolation, request validation, schema checks, consent verification, data residency rules, API product entitlements, idempotency keys, fraud heuristics, request tracing, and audit logging. Soon each service is implementing some variant of the same policies, but in slightly different ways.

This is how enterprises accidentally create inconsistent behavior at scale.

One customer is blocked on Service A but allowed on Service B. One API masks a field for a support agent, another leaks it. One service records audit metadata, another forgets. A partner integration gets throttled correctly at the edge but bypasses a backend limit through an internal path. Security and compliance reviews become archaeology.

The pressure gets worse in regulated environments: banking, healthcare, insurance, public sector, telecom. Here, policy is not decorative. It is law encoded as software. “Can this caller perform this action on this customer’s account from this geography under this consent context?” is not a nice-to-have check. It is a board-level risk.

So the architecture needs a place where these concerns are expressed coherently and enforced predictably.

That place is often the API gateway.

Not because gateways are magical, but because request traffic has to cross a boundary anyway. If you must have a choke point, make it useful.

Still, there is a trap. Many organizations hear “centralize policy” and end up centralizing too much. The edge becomes the system’s super-ego, overloaded with rules it cannot properly understand. Domain semantics are flattened into generic headers and JWT claims. Business exceptions multiply. Release coordination slows. Every new policy becomes an integration project.

The answer is not “put everything in the gateway.” The answer is to be precise about what kind of policy belongs there, how policy interceptors participate in request flow, and where domain decisions still belong in services.

Problem

Without a coherent policy enforcement model, microservices architectures decay in predictable ways.

The first symptom is duplication. Teams independently implement authentication, authorization, throttling, and request validation. The code differs by language, framework, and local habit. No two implementations are quite the same. This is expensive, but more importantly it is dangerous. Inconsistency at the edge creates inconsistent outcomes in the business.

The second symptom is semantic drift. Policies that should be expressed in domain language get translated into technical fragments too early. “A branch advisor may view a portfolio if they are assigned to the household and consent is valid” turns into a handful of roles, scopes, and headers. The nuance gets lost. Eventually the gateway is making brittle yes/no decisions on impoverished context.

The third symptom is policy bypass. Internal service-to-service calls, asynchronous processing, back-office tools, and partner channels can all create alternate routes around enforcement. This is common in enterprises that evolved from an ESB, added microservices, and layered Kafka on top. The synchronous path is protected; the event-driven path quietly is not. event-driven architecture patterns

The fourth symptom is governance by ticket queue. Security or platform teams become gatekeepers for every API rule. Product teams wait. Exceptions pile up. Nobody trusts the policy estate, so they re-implement checks inside services “just to be safe.” The result is both centralization and duplication—the worst of both worlds. EA governance checklist

And beneath all this sits a harder question: which policies are edge policies, and which are domain policies?

If you blur them, your architecture will fight you for years.

Forces

A useful architecture article must acknowledge the tensions, because these systems are built in the space between competing truths.

Consistency vs autonomy

Centralized policy enforcement gives consistency. Microservices want team autonomy. Every enterprise says it wants both. It cannot have both without design discipline.

Fast rejection vs rich context

The gateway is the cheapest place to reject a bad request. But rich domain decisions often require context the gateway does not own: customer state, account hierarchy, consent records, fraud status, business calendar, active case locks. The earlier you decide, the less you know.

Technical policy vs domain policy

Some policies are technical and cross-cutting: authN, TLS, quotas, schema validation, tenant routing, basic authZ checks. Others are deeply domain-specific: whether a claim can be reopened, whether a payment can be reversed, whether a sales rep can see a customer under a regional regulation exception. The former belongs comfortably at the edge. The latter often does not.

Latency vs control

Every interceptor in the request path buys control by spending latency. Add enough policy calls—identity introspection, entitlement lookup, consent check, fraud profile, rate decision—and your gateway starts to behave like a call center with too many supervisors.

Central governance vs local evolution

Enterprises need enforceable standards. Product teams need freedom to evolve. If the gateway becomes the only place policy can change, the central team becomes a bottleneck. If every team can do anything, policy devolves into folklore.

Synchronous control vs asynchronous reality

Most policy conversations focus on request-response APIs. Real enterprises also run on Kafka, CDC streams, scheduled jobs, and internal events. If policy decisions at the gateway are not reflected in downstream asynchronous flows, reconciliation problems appear. The request looked valid at ingress, but later processing violates entitlements or data sharing rules.

These forces are the architecture. The boxes and arrows come later.

Solution

Treat the API gateway as a Policy Enforcement Point (PEP) with a chain of policy interceptors, while keeping authoritative decision logic and domain semantics in the appropriate places.

That sentence carries the whole pattern.

The gateway intercepts requests and applies a sequence of policy checks and transformations before routing traffic to services. Some policies are evaluated directly in the gateway. Others are delegated to specialized policy decision services. The gateway assembles context, enforces outcomes, and records evidence.

But—and this is the part that saves you from creating a distributed monolith—domain services remain responsible for domain invariants and domain-specific authorization that depends on rich business state.

In domain-driven design terms, the gateway sits outside the core domain. It protects bounded contexts; it does not replace them.

A practical policy interceptor chain usually includes:

  • transport security termination
  • request normalization and schema validation
  • authentication
  • coarse-grained authorization
  • tenant and channel enforcement
  • rate limiting and quota policies
  • request enrichment with verified claims/context
  • routing and transformation
  • audit/tracing emission
  • optional delegation to external policy decision services

The chain is valuable because it makes policy explicit and composable. You can reason about order. You can version rules. You can monitor where rejections happen. You can introduce new controls without changing every service.

The trick is to classify policies.

Policies that fit well at the gateway

  • Authentication and token validation
  • API key verification
  • mTLS and client certificate checks
  • Rate limiting and quotas
  • Basic scope/role checks
  • Geographic or network-origin restrictions
  • Consumer contract enforcement
  • Request size, schema, and protocol validation
  • Header normalization and correlation IDs
  • Tenant resolution from trusted claims
  • Data masking for generic edge responses in some cases

Policies that usually do not belong entirely at the gateway

  • Rich business authorization tied to aggregate state
  • Long-running process rules
  • Decisions requiring transactional consistency with domain data
  • Domain invariants such as “claim cannot be amended after settlement”
  • Policies dependent on eventual consistency hazards unless carefully reconciled
  • Rules that vary heavily by bounded context and product

A good heuristic is simple: if the rule can be expressed using trusted edge context and stable enterprise-wide semantics, it probably belongs in the gateway. If it requires interpreting business state inside a bounded context, it belongs in the service, even if the gateway does a coarse pre-check first.

This leads to a layered model of policy.

  1. Edge policy rejects clearly invalid, unsafe, or unauthorized requests early.
  2. Domain policy confirms whether the operation is valid in business terms.
  3. Event policy ensures asynchronous propagation respects the same semantics.

Most enterprises implement the first layer, neglect the second by over-centralizing it, and completely forget the third. Then they discover reconciliation the hard way.

Architecture

The architecture is best understood as a request flow with interceptors and decision points rather than a static box diagram.

Architecture
Architecture

This pattern works because the gateway can perform fast, deterministic checks on the request envelope while enriching the request with verified context. The backend service then receives a request that is already authenticated, normalized, correlated, and partially authorized.

But partial is the important word.

A mature enterprise architecture often separates the Policy Decision Point (PDP) from the Policy Enforcement Point (PEP). The gateway is the PEP. The PDP may be an authorization service, entitlement engine, or rules service. This keeps the enforcement path centralized while allowing policy logic to evolve in a more governed, testable place.

That decision comes with a latency cost. Every external decision call in the request path needs caching, resilience, timeouts, and fallback behavior.

You also need to think in bounded contexts. The same subject can mean different things in different domains. “Account owner” in retail banking is not the same concept as “policy holder” in insurance or “subscriber administrator” in telecom. If the gateway invents one generic enterprise role model and imposes it everywhere, it will eventually flatten the domain into nonsense.

A better approach is to let the gateway enforce enterprise-wide policies and pass domain-relevant claims into bounded contexts, where services map those claims to local authorization rules.

Request flow and interceptor ordering

Order matters more than teams admit.

You want cheap checks before expensive ones. You want identity established before authorization. You want validation before routing. You want audit evidence recorded around decisions, not after the fact.

A common ordering:

  1. Terminate TLS / verify transport
  2. Normalize request and reject malformed input
  3. Authenticate caller
  4. Resolve tenant/channel/device context
  5. Apply rate limit and API product quota
  6. Evaluate coarse authorization
  7. Enrich context headers or token claims
  8. Route to target service
  9. Emit audit and telemetry

Do not casually reorder these. A lot of weird bugs come from doing expensive entitlement calls before rejecting a malformed payload, or routing before a tenant policy check, or mutating headers before authentication is complete.

Domain semantics discussion

This is where many gateway programs lose the plot.

Policy is not just about users and scopes. It is about meaning. The gateway should understand enough domain semantics to enforce policies safely, but not so much that it starts owning the domain model.

For example, a healthcare platform may enforce at the gateway that:

  • the caller is a validated clinician app
  • the clinician is authenticated under a trusted identity provider
  • the request carries a valid treatment context identifier
  • tenant and region are consistent with data residency rules
  • the client has access to the API product and is under quota

But whether that clinician may view a specific patient’s oncology record may depend on consent, care team assignment, emergency override rules, legal hold, and record sensitivity labels. That belongs deeper, closer to the healthcare bounded context.

The gateway can carry the verified identity and context. The domain decides the meaning.

That is domain-driven design in practice: preserve the language of the bounded context where business truth lives. Use the gateway to police the crossing, not to impersonate the customs office, police, and court all at once.

Event-driven architecture and Kafka

Now bring Kafka into the picture, because enterprises never stay purely synchronous.

A request may pass the gateway, call a service, and then emit events to Kafka for downstream processing. Those consumers may trigger notifications, analytics, settlement, fraud scoring, data lake updates, CRM synchronization, or partner feeds. If policy is enforced only on ingress, downstream consumers can accidentally violate the original conditions.

This creates a policy propagation problem.

You need one of two strategies:

  • Propagate policy-relevant context with the event, such as tenant, subject, consent context, sensitivity tags, purpose-of-use, and correlation ID.
  • Re-evaluate policy in consumers where the downstream action has its own authorization implications.

In practice, you often need both.

Diagram 2
Event-driven architecture and Kafka

That phrase “allow + obligations” matters. Some policy decisions are not just permit or deny. They may require obligations: mask fields, limit purpose, persist audit evidence, apply retention class, or prevent onward sharing. If you do not model obligations explicitly, downstream systems will ignore them.

Migration Strategy

No large enterprise starts with a pristine gateway policy architecture. They start with APIs already in flight, duplicate checks in services, maybe an old ESB, maybe a WAF doing some things, maybe OAuth in some places and API keys in others, maybe a service mesh trying to help. Migration is the real architecture problem.

The right strategy is progressive strangler migration.

Do not rip out authorization from every service and declare victory at the gateway. That is how outages happen and auditors become interested. Instead, introduce gateway policy interception incrementally, while preserving service-side protections until confidence is earned.

A sensible migration path looks like this:

1. Inventory existing policies

Catalog what is enforced where today:

  • gateway or ingress
  • service code
  • sidecars or mesh
  • identity provider
  • batch jobs
  • Kafka consumers
  • back-office apps

This is usually sobering. The same policy appears in five places, and nowhere completely.

2. Classify policies by fit

Tag each rule as:

  • edge policy
  • domain policy
  • shared decision service candidate
  • asynchronous/event policy
  • legacy exception to retire

This is where migration reasoning matters. You are not moving checks because centralization feels tidy. You are moving them because they become more consistent, testable, and governable at the edge.

3. Introduce interceptors in observe mode

Start with non-blocking interceptors that log what they would have done. Compare results with current service behavior. Expect mismatches. Those mismatches teach you where semantics are unclear.

4. Move technical policies first

Authentication, token verification, schema validation, rate limits, and correlation metadata are good early wins. They deliver value without distorting domain behavior.

5. Add coarse authorization at the gateway

Use roles, scopes, API product entitlements, or trusted claims for broad access control. Keep fine-grained checks in services.

6. Externalize shared policy decisions carefully

If multiple services use the same entitlement logic, consider a PDP or authorization service. But externalize only what is truly shared and stable.

7. Reconcile asynchronous paths

Ensure events carry the right context or that consumers re-check local policy. This step is often skipped and later regretted.

8. Retire duplicate logic selectively

Only remove service-side checks after:

  • policy parity is proven
  • telemetry confirms expected reject/allow patterns
  • fallback and incident paths are ready
  • compliance agrees the new evidence trail is sufficient

9. Strangle legacy gateways or ESB mediation

As modern gateway enforcement matures, legacy mediation layers can be narrowed to protocols and exceptions, then retired.

9. Strangle legacy gateways or ESB mediation
Strangle legacy gateways or ESB mediation

Reconciliation discussion

Migration always creates periods where policy is split across old and new paths. That means reconciliation is not optional.

You need to reconcile:

  • gateway decisions vs service decisions
  • synchronous authorization vs event-driven side effects
  • old channel policies vs new channel policies
  • entitlements in IAM vs actual domain state
  • audit logs across layers

A practical technique is to create a policy decision journal. Every significant allow/deny decision is logged with subject, action, resource, policy version, obligations, correlation ID, and route. Then compare decisions across layers during migration. This becomes invaluable during incident analysis.

Reconciliation is also needed for eventual consistency. Suppose the gateway permits a request based on cached entitlements, but the downstream service has fresher domain data and rejects it. That is not necessarily a bug; it is a consistency boundary. The architecture should detect and measure these disagreements.

If disagreement rates are high, your policy split is wrong or your data freshness assumptions are fantasy.

Enterprise Example

Consider a multinational bank modernizing its retail and SME platforms.

The bank has mobile and web channels, branch systems, partner APIs, and internal operations tools. It is decomposing a core digital platform into microservices: Customer Profile, Accounts, Payments, Lending, Cards, Notifications, and Case Management. Kafka is used for events such as payment initiated, consent updated, beneficiary changed, account locked, and fraud alert raised.

Originally, each service implemented some version of authorization:

  • mobile scopes were checked in some services
  • branch roles in others
  • partner entitlements separately
  • quotas handled by a legacy API manager
  • audit metadata added inconsistently
  • event consumers trusted upstream services and rarely re-validated policy context

The result was exactly what you would expect. A customer service representative could see card details through one path but not another. A partner app could hit account summary endpoints beyond agreed quota due to alternate routes. Some GDPR-related consent checks were applied for web requests but not for asynchronous document generation triggered from Kafka.

The bank introduced a modern gateway as PEP with interceptors for:

  • OAuth2/JWT validation and mTLS for partners
  • API product and consumer entitlement checks
  • channel and geography restrictions
  • coarse role/scope checks
  • schema validation
  • request correlation and audit enrichment
  • rate and burst limits per tenant and product

It also built an authorization service as PDP for shared retail entitlements: household relationships, delegated access, and channel permissions. But crucially, it did not move payment-specific business authorization entirely to the gateway. The Payments bounded context retained rules such as:

  • whether a payment can be released under current fraud hold
  • whether a beneficiary requires step-up confirmation
  • whether a cutoff-time exception applies
  • whether account state permits reversal

That was the right call. Those rules depend on aggregate state and transaction timing. They belong with the payment domain.

For Kafka consumers, the bank propagated:

  • tenant
  • authenticated subject
  • acting party and customer context
  • purpose of use
  • consent reference
  • sensitivity classification
  • correlation ID

Notification and document services re-evaluated local policy before sending sensitive artifacts. That was not overhead. It prevented a class of embarrassing leaks.

The migration was strangler-style. Gateway policies first ran in shadow mode. Mismatches were compared against service decisions for six weeks. Several hidden inconsistencies surfaced:

  • branch users had broad IAM roles but were restricted in domain rules
  • partner entitlements in the API manager did not match contractual products
  • cached household relationship data caused stale allows after access revocation

The bank fixed data ownership boundaries and shortened cache TTLs. Only then did it begin retiring duplicated checks in some services. Not all checks were removed; domain-level checks remained.

The payoff was not just security. Delivery improved. Teams no longer rewrote token validation libraries in five languages. Product managers could reason about API product limits centrally. Audit evidence became coherent. Incident response got faster because there was a single policy decision trail across ingress and service layers.

That is the kind of enterprise gain architects should care about: less accidental complexity, clearer boundaries, better control.

Operational Considerations

The gateway as policy enforcement point is an operational design as much as an application design.

Performance and latency budgets

Every interceptor spends part of your latency budget. Be explicit. Budget milliseconds per stage. Cache identity metadata and coarse decisions where safe. Prefer deterministic local checks to chatty remote calls. Put hard timeouts on PDP calls.

Do not let “one more policy call” become death by a thousand round-trips.

High availability

The gateway is now critical path. That means:

  • horizontal scale
  • multi-zone deployment
  • careful config rollout
  • backpressure handling
  • circuit breakers for external decision services
  • graceful degradation rules

If the PDP goes down, what happens? Fail closed is secure but may halt the business. Fail open protects availability but can violate policy. Different APIs may need different stances.

Architecture is choosing which pain you are willing to have.

Policy versioning

Policies change. Regulators change. Product contracts change. Fraud rules change. So policies need:

  • versioning
  • staged rollout
  • canary enforcement
  • rollback
  • test harnesses with replay traffic
  • explainability for why a decision was made

A policy that cannot be explained in production is not governance. It is superstition with YAML. ArchiMate for governance

Observability

Capture:

  • allow/deny counts by interceptor
  • latency per policy stage
  • cache hit rates
  • mismatch rates between gateway and service decisions
  • downstream reconciliation failures
  • top denied resources/actions by consumer/channel

Without this, policy architecture becomes invisible until it breaks.

Audit and evidence

Especially in regulated environments, record:

  • authenticated identity
  • asserted and verified claims
  • decision source and policy version
  • obligations
  • target route/service
  • correlation ID
  • request metadata needed for traceability

Audit is not just for compliance theater. During incidents, these records tell you whether the system behaved as designed or simply guessed convincingly.

Governance model

Central platform teams should own the gateway framework, common interceptors, and operational controls. Domain teams should own domain policy implementations and the semantics of local authorization. Shared policy services need a clear product model, not a committee.

A governance model without ownership boundaries will collapse into either anarchy or bureaucracy. Both are expensive.

Tradeoffs

Let’s be blunt: this pattern is powerful, but it is not free.

Benefits

  • Consistent enforcement of cross-cutting policies
  • Faster rejection of invalid or unauthorized requests
  • Reduced duplication across services
  • Better auditability and observability
  • Cleaner service code for technical concerns
  • Easier API product management and consumer governance

Costs

  • Added latency in the request path
  • Central operational dependency
  • Risk of over-centralizing business logic
  • Policy rollout complexity
  • More sophisticated testing required
  • Potential mismatch between edge claims and domain truth

The largest tradeoff is conceptual, not technical. Centralizing enforcement tempts organizations to centralize meaning. Resist that temptation. Meaning belongs with the domain.

Failure Modes

This pattern fails in recognizable ways.

The god gateway

The gateway accumulates routing, orchestration, transformations, customer segmentation rules, pricing checks, and workflow decisions. It becomes the old ESB wearing cloud clothes. Changes slow down. Incidents become mysterious. Nobody understands the full blast radius.

Authorization by header graffiti

The gateway enriches requests with dozens of headers, many loosely trusted or poorly documented. Services start depending on incidental metadata. Semantics drift. Spoofing risks appear on internal paths.

Use signed tokens or verified context contracts where possible, not a junk drawer of headers.

Policy bypass through side channels

A batch job, internal admin API, or Kafka consumer performs sensitive actions without equivalent policy checks. The synchronous edge is clean; the actual enterprise is not.

Stale decision data

Cached entitlements, consent records, or customer relationships lead to false allows or false denies. These are especially nasty in domains with frequent revocations.

Dual enforcement divergence

During migration, gateway and service rules diverge. Users get inconsistent outcomes. Teams patch around symptoms instead of fixing ownership.

Fail-open accidents

Under outage pressure, teams configure permissive fallback behavior and forget to revert it. Temporary exceptions are architecture’s favorite way of becoming permanent.

Domain flattening

The gateway imposes one enterprise role model that does not fit bounded contexts. Services contort themselves to fit the edge model. Over time, the domain language is lost.

Once domain language is lost, architecture stops serving the business.

When Not To Use

There are cases where the gateway-as-policy-enforcement pattern is the wrong primary move.

Do not lean on it heavily when:

  • Your system is mostly internal, low-risk, and simple enough that service-local policies are cheaper.
  • Your critical decisions are highly domain-specific and require deep transactional knowledge.
  • You do not have enough governance maturity to manage shared policy safely.
  • You are trying to use the gateway as a substitute for bounded context design.
  • Your biggest integration surface is asynchronous and event-driven, not request-response.
  • You are in an early product stage where policy is changing daily and centralization would create drag.

Also, do not confuse this pattern with service mesh authorization. Meshes are useful for workload identity, mTLS, and some east-west controls. They do not replace domain-aware policy design at the API boundary.

And if your organization has a strong tendency to build giant centralized platforms that every team fears, be careful. The gateway can become the latest monument to that habit.

This pattern sits among several others:

  • Backend for Frontend (BFF): Useful when different channels need tailored APIs. A BFF may still rely on gateway enforcement for shared edge policies.
  • Policy Decision Point / Policy Enforcement Point: Classic separation that keeps gateway enforcement distinct from policy logic.
  • Strangler Fig Pattern: Essential for migrating legacy edge controls and monolith APIs progressively.
  • Service Mesh: Helpful for transport security and workload policies, but usually not sufficient for API consumer policies.
  • Anti-Corruption Layer: Important when legacy identity or entitlement models need translation before reaching modern services.
  • Saga / Process Manager: Relevant when authorization implications span long-running workflows.
  • Outbox / CDC: Useful for propagating domain events with policy-relevant metadata reliably into Kafka.
  • Domain Events: Necessary if downstream services must understand policy obligations and context.

These patterns complement each other. They do not absolve you from drawing clear ownership lines.

Summary

The API gateway as policy enforcement in microservices is one of those patterns that looks obvious only after you have lived without it.

At enterprise scale, cross-cutting policies cannot remain scattered in every service. Authentication, coarse authorization, quotas, tenant controls, request validation, and audit enrichment need a coherent enforcement point. The gateway is the natural place to intercept requests, compose policy checks, and establish trusted context before traffic enters the service landscape.

But the gateway is not the domain.

That single sentence should sit on the wall of every platform team.

Use policy interceptors to reject bad requests early and consistently. Externalize shared decisions where it genuinely helps. Keep domain-specific authorization and business invariants inside bounded contexts. Propagate policy context into Kafka and downstream consumers so asynchronous flows do not become loopholes. Migrate with a strangler strategy. Reconcile decisions across layers. Measure disagreement. Expect failure modes, because they will arrive.

A good gateway policy architecture feels less like a fortress and more like a well-run border: fast for the legitimate, firm with the unsafe, and always clear about who has authority to decide.

That is what good enterprise architecture does. It puts control where control belongs, and leaves meaning where meaning belongs.

Frequently Asked Questions

What is a service mesh?

A service mesh is an infrastructure layer managing service-to-service communication. It provides mutual TLS, load balancing, circuit breaking, retries, and observability without each service implementing these capabilities. Istio and Linkerd are common implementations.

How do you document microservices architecture for governance?

Use ArchiMate Application Cooperation diagrams for the service landscape, UML Component diagrams for internal structure, UML Sequence diagrams for key flows, and UML Deployment diagrams for Kubernetes topology. All views can coexist in Sparx EA with full traceability.

What is the difference between choreography and orchestration in microservices?

Choreography has services react to events independently — no central coordinator. Orchestration uses a central workflow engine that calls services in sequence. Choreography scales better but is harder to debug; orchestration is easier to reason about but creates a central coupling point.