
API Gateways in the Cloud-Native World

Joshua Molina | November 10, 2022

An API gateway is one of the most evolved technologies of the last decade. With the increase of cloud-native modern architecture, applications have become smaller and more distributed. Instead of single monolith API servers, there are now tens—or even hundreds—of API servers running in most organizations. The distributed architecture of applications today has created the necessity for a central place to manage APIs. In this article, we will discuss API gateways in the cloud-native era by diving into their design, use cases, and evolution.

The Evolution of API Gateways

Internet and web applications are the ubiquitous technologies of the last two decades, and API gateways have been an essential part of these applications since the beginning of web development. Understanding the evolution of API gateways is vital to comprehending their current status and preparing for the future.

In the 1990s, monolith web applications were developed with a database, backend, and frontend tiers. Hardware and software load balancers were responsible for routing traffic between the tiers and instances. 

With the rise of Web 2.0, regular end users became active contributors to web applications. JavaScript and the high frequency of data transfer between clients—namely browsers—required more secure methods of communication. In response to this need, application delivery controllers and load balancers with security features became popular in the early 2000s.

In the 2010s, monolith web applications were converted into smaller services with web frameworks. As the number of services increased, the connection between services became more critical. This is when the first versions of the current modern API gateways emerged for REST APIs. 

When microservice architecture and the cloud-native era arose, decoupled services were deployed to clusters living in cloud platforms. These decoupled services were highly dynamic in terms of configuration and scalability and were designed to be ephemeral. 

Today’s modern cloud-native API gateways have evolved to meet the requirements of a microservice architecture with the following highlights:

  • Support for microservices by managing overhead services such as authentication, rate limiting, and monitoring
  • Increased resiliency with scaling and caching
  • Support for the dynamic and transient nature of services via service discovery and health checks 

In the last few years, Kubernetes has become the de facto container management platform to run microservice applications. Service mesh tools like Istio and reverse proxy tools like Envoy have also become popular as an additional layer for service-to-service communication. 

API gateways in modern stacks focus on API-as-a-service abstraction, while service mesh tools concentrate on the in-cluster network. In addition, current API gateways need to follow the latest software development trends like GitOps and adopt the latest technologies like gRPC and GraphQL. API gateways now use Kubernetes-native methods such as custom resources to comply with GitOps principles.

The Emergence of Cloud Native Gateways 

Legacy API gateways were not designed for highly dynamic environments like cloud and Kubernetes. For instance, legacy API tools based on NGINX were not sufficient for complex transactions, event transmissions, and long-lived connections. On the other hand, microservice architectures and Kubernetes created a highly dynamic and ephemeral environment.

To work in these environments, the old tools require additional infrastructure and a lot of effort to become highly available and production-ready. Also, legacy API gateways are often deployed centrally, which conflicts with the distributed nature of modern applications.

How Do API Gateways Work?

An API gateway serves as a single entry point for incoming requests, giving you one place to handle request routing, flexibility, scalability, and security. The gateway forwards each request to the appropriate API server, and when the underlying API servers return the requested data, the API gateway sends it to the original client. API gateways provide four primary services: routing, authentication, caching, and logging and monitoring.

Figure 1: API Gateway overview (Source: Microsoft) 


Routing

In cloud-native modern applications, many different microservices are distributed over clusters and data centers. API gateways direct each incoming request to the right service based on the gateway configuration and request data.

Authentication

API gateways are on the front line for underlying APIs, allowing you to authenticate incoming requests in a central place. This removes the burden of implementing authentication mechanisms in hundreds of different microservice backends.

Caching

Cloud-native modern applications are designed to provide a fast response time and reduced latency. One way to achieve this is to cache results that do not change frequently. An API gateway can cache the results from API backends with a time-to-live (TTL) period configuration. Then, it can send data from the cache without connecting to the API server backend.

Logging and Monitoring

An API gateway is ideal for logging incoming requests and monitoring the distributed API servers. It is possible to log all the incoming requests with their metadata. In addition, you can watch the golden signals—latency, traffic, errors, and saturation—for your API servers from the API gateway. 
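The following Python example is added here for illustration and is not code from the original article or from any gateway product. It chains the four services described above (routing, authentication, caching with a TTL, and logging) in one request path; the route table, API keys, TTL value, and backend function are constructed assumptions.

```python
import time

# Constructed sample configuration: routes, API keys and TTL are hypothetical.
ROUTES = {"/orders": "orders-svc", "/catalog": "catalog-svc"}
API_KEYS = {"key-alice": "alice", "key-bob": "bob"}
CACHE_TTL = 30.0  # seconds a cached response stays valid

class Gateway:
    def __init__(self, backends, clock=time.monotonic):
        self.backends, self.clock = backends, clock  # service name -> callable(path, user)
        self.cache = {}  # (user, path) -> (expires_at, body)
        self.log = []    # one record per request, including rejected ones

    def route(self, path):
        # Longest matching prefix wins, so more specific routes take priority.
        matches = [p for p in ROUTES if path == p or path.startswith(p + "/")]
        return ROUTES[max(matches, key=len)] if matches else None

    def handle(self, path, api_key=None):
        start = self.clock()
        user = API_KEYS.get(api_key)
        service, cached = self.route(path), False
        if user is None:
            status, body = 401, "unauthenticated"  # rejected before any backend call
        elif service is None:
            status, body = 404, "no route"
        else:
            # The cache key includes the caller: a path-only key would hand
            # one user's cached response to another user.
            entry = self.cache.get((user, path))
            if entry and entry[0] > start:
                status, body, cached = 200, entry[1], True
            else:
                status, body = 200, self.backends[service](path, user)
                self.cache[(user, path)] = (start + CACHE_TTL, body)
        self.log.append({"path": path, "user": user, "service": service,
                         "status": status, "cached": cached,
                         "latency": self.clock() - start})
        return status, body

def demo():
    now, calls = [0.0], []  # fake clock and a record of real backend hits
    def backend(path, user):
        calls.append(user)
        return f"{path} data for {user}"
    gw = Gateway({"orders-svc": backend, "catalog-svc": backend}, clock=lambda: now[0])
    keys = ["key-alice", "key-alice", "key-bob", "bad-key"]
    results = [gw.handle("/orders", k) for k in keys]
    now[0] = CACHE_TTL + 1  # advance the fake clock past the TTL
    results.append(gw.handle("/orders", "key-alice"))
    return results, calls, gw.log
```

In `demo()`, the second request from the same caller is served from the cache, the request with an unknown key is logged with status 401 and never reaches a backend, and the request after the TTL expires goes to the backend again.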

Why Do You Need an API Gateway?

The primary use case for API gateways is that they bring an API-as-a-service abstraction to your application stack. With an API gateway in front of your backend services, they will be abstracted away from the clients. The interaction between the clients and backend servers is defined in the API gateway configuration, making it possible to develop, upgrade, and manage the clients and servers independently. 

There are other use cases, such as service connectivity and API lifecycle management. API gateways can enforce policies between services and ensure secure traffic between them as a service connectivity tool. As an API lifecycle management tool, API gateways serve as part of the design, improvement, test, and run lifecycle stages. 

The Benefits

API gateways enrich your application stack with the following advantages:

  • Security: API gateways create a barrier between the clients and the backend servers so that your application endpoints are not directly exposed to the outside world, minimizing security threats.
  • Validation: Implementing a complete validation is one of the most challenging tasks when developing an API; you can move all validation steps to the API gateway and ensure that backend servers only receive valid requests. 
  • Reduced response time: Using caching and smart backend server configurations, API gateways lead to faster responses and increase the overall performance of your application stack.
  • Load balancing: Organizations often have multiple instances of the same server in the cluster for scalability and reliability; with an API gateway in front of them, you can distribute incoming requests and avoid denial-of-service events.
  • Rate limiting: API gateways can limit incoming traffic and protect your backend servers from becoming flooded, thus avoiding downtime.

The Downsides

In addition to the many benefits of API gateways, there are some challenges to consider:

  • Complexity: The configuration required for routing can become complex when the number of microservices and their API scope increases.
  • Dependency: Microservices change continuously in terms of API definitions and communication protocols. Every change should be reflected in the API gateway to work seamlessly, bringing yet another dependency to your application stack.
  • Reliability: API gateways are the entry points to your application stack, meaning they have to be reliable and scalable. If there is only a single API gateway instance and it goes down, it will lead to complete service downtime.

Conclusion

API gateways are indispensable parts of modern cloud-native architectures. However, choosing, designing, and deploying a cloud-native API gateway solution is not so straightforward. You can find many open-source tools on the market, but configuring and using them coherently to deliver a secure, scalable, and reliable stack is reasonably complex. 

Solo.io offers a robust modern API gateway platform that leverages the features of open-source tools like Istio and Envoy. With Solo.io, you can create a comprehensive application network while overcoming the challenges of API gateways, including their complexity, dependency, and reliability. It is the cloud-native and modern API gateway solution needed by the applications of today and the future.

Start a free trial of Solo.io today, and experience a simplified and secure API gateway!
