API Gateways & Networking
I design and fix API gateways, Kubernetes ingress, and zero-trust networking with Kong, Nginx, Envoy, Traefik, Tailscale, Cloudflare Tunnel, and WireGuard, so traffic routes correctly and securely with no public attack surface.
Sound familiar?
- ✕Ingress returns 404/502/503 and the routing rules are a mystery
- ✕You're standing up an API gateway and need it done right the first time
- ✕TLS, mTLS, or cert-manager isn't issuing or terminating correctly
- ✕You want to kill an internet-facing VPN appliance before it's the next CVE
- ✕Rate limiting, auth, and routing logic are scattered across services
- ✕Multi-cluster or multi-cloud traffic needs to route coherently
What you get
- ✓Traffic routes predictably, with rules you can actually read
- ✓A gateway layer that centralizes auth, rate limits, and routing
- ✓Zero-trust access with no public concentrator sitting there to get popped
- ✓TLS and mTLS that issue and renew themselves
Traffic should be uneventful
The network layer is where outages hide and attack surface quietly piles up. A good gateway and ingress setup is one you can read in five minutes and reason about while production is on fire. That’s the goal of every engagement here.
What I help with
- Ingress and gateways. Nginx, Traefik, Envoy, Kong, or cloud-native (ALB/GCLB). Routing, rate limiting, auth, and observability in one layer you can actually follow.
- Zero-trust access. Replacing VPN appliances with Tailscale, Cloudflare Tunnel, or WireGuard meshes. No public portal and no inbound port means far less to exploit.
- TLS and certificates. cert-manager, ACME, and mTLS between services, with certs that renew themselves.
- Multi-cluster and multi-cloud. Coherent routing and failover across clusters and providers.
How an engagement works
- Map the current flow. How a request actually travels today, edge to pod.
- Design the target. The simplest topology that covers your auth, security, and scale needs.
- Implement and cut over. Staged and reversible, with no surprise downtime.
- Hand off. Diagrams and runbooks so your team owns it after I leave.
Frequently asked questions
Which API gateway should I use?+
It depends on your stack and team. Envoy or Traefik for Kubernetes-native ingress, Kong when you need a rich plugin ecosystem and API management, plain Nginx when simplicity wins. I recommend the lightest option that covers your auth, rate-limiting, and observability needs. Whatever happens to be fashionable that quarter doesn't enter into it.
Can you replace our VPN appliance with something safer?+
Yes, and it's one of my favorite jobs. Internet-facing VPN appliances are a recurring CVE magnet. A mesh built on Tailscale, Cloudflare Tunnel, or WireGuard removes the public concentrator entirely, so there's no inbound port and no portal sitting there to be exploited. I can usually stand up the replacement in an afternoon.
Why is my Kubernetes ingress returning 502/503?+
Usually the ingress is healthy and the upstream isn't. A wrong service port, no ready endpoints, a failing readiness probe, or a mismatched `targetPort`. Occasionally it's TLS termination or a routing rule in the wrong order. I trace the request from the edge to the pod and find exactly where it dies.
Do you handle service mesh too?+
Yes. Istio, Linkerd, and Cilium for mTLS, traffic shifting, and observability. I'll also tell you when a mesh is overkill for your scale, because most of the time it is.
related work
Where I’ve done this
Replaced an internet-facing VPN appliance with a zero-trust mesh
A team running an internet-facing VPN appliance, the exact category behind a wave of 2024 CVEs, moved to a Tailscale and Cloudflare Tunnel mesh and removed the public concentrator entirely.
Full cutover with zero customer-facing downtimeZero-downtime migration to Kubernetes with multi-cloud ingress
A team moving from hand-managed VMs to Kubernetes needed it done without an outage. A staged, GitOps-driven migration with weighted ingress shifted traffic gradually and reversibly, with zero downtime.