GraphQL BFF Gateway for Mobile
A GraphQL backend-for-frontend gives mobile clients one endpoint that returns exactly the fields they need in a single request, aggregating many microservices. Persisted queries, batching, and Redis caching minimize round trips and protect backends on Azure.
Overview
Mobile clients are bandwidth- and battery-sensitive: every extra round trip and over-fetched field costs the user. A GraphQL backend-for-frontend (BFF) gives the mobile app one endpoint that returns exactly the fields it needs in a single request, aggregating data from many backend microservices. It combines GraphQL's precise field selection with the BFF idea of a channel-specific backend.
Use this when a mobile app talks to many services, needs to minimize round trips, and benefits from a query shape it controls.
Components
- API Management: the edge layer applying authentication, rate limits, and persisted-query enforcement.
- GraphQL gateway: a BFF on Azure Container Apps that resolves queries by calling backend services.
- Container Apps: host the GraphQL gateway and supporting resolvers.
- Cosmos DB: low-latency, globally distributed storage for the BFF's read models.
- Redis Cache: caches resolved entities and persisted-query results.
- Azure AD B2C: OAuth 2.0 / OIDC identity for mobile users.
- Application Insights: per-resolver performance and error tracking.
Data Flow
The mobile app sends a GraphQL query (typically a persisted query ID) through API Management to the GraphQL gateway. The gateway authorizes the request, plans the query, and calls the necessary backend services, using DataLoader-style batching to avoid N+1 calls. It assembles a single response with exactly the requested fields, caching resolved entities in Redis. The app receives one compact payload.
Scaling and Resilience
Container Apps scale the gateway horizontally on concurrency. Cosmos DB and Redis absorb read load and provide low latency globally. Query depth and complexity limits, plus persisted queries, prevent expensive or malicious requests. Backend calls use timeouts and circuit breakers so one slow service degrades gracefully rather than failing the whole query.
Security
Persisted queries restrict the mobile client to a vetted set of operations, shrinking the attack surface. API Management enforces OAuth scopes and rate limits. The gateway applies field-level authorization based on token claims. Backend credentials stay server-side, and all traffic is TLS-encrypted. Per-user rate limits prevent abuse from compromised clients.
Trade-offs and Alternatives
A GraphQL BFF adds a resolution layer and the operational care GraphQL demands (query cost control, caching, N+1 avoidance). For a single simple service, REST is lighter. When many teams own backends, federation may suit better than a hand-built BFF. This pattern is strongest for one client type (mobile) whose payload and round-trip needs justify a dedicated, field-precise gateway.