What are the primary security considerations when designing a secure API gateway for external and internal microservices?