
API Gateways: Productivity, Resilience, and Security for Next-Generation Cloud Applications

Jeff Pistone | November 17, 2022

Software development is a perpetual process where applications, infrastructure, and requirements change continuously. With each change, the application stack gets more complex and challenging to manage. Today, even a small organization’s application stack has various components like Cloud Foundry, virtual machines, bare metal servers, Kubernetes, and containers. 

With the rise of microservices architecture, application components have become progressively smaller and have adopted a more limited scope, such as responding to a couple of API requests. As the scope of services narrows, the importance has shifted to how these applications are built, connected, and deployed. 

With the microservices paradigm shift, requirements for resiliency, security, and observability become crucial parts of software development. Most organizations realize that nearly one-fourth of their developer time is spent on these requirements. Furthermore, these non-differentiating requirements have caused more production issues, mostly related to networking and configuration.

In other words, software development has evolved into creating more and smaller services, but has created a new set of challenges related to workflow, security, observability, resiliency, and scalability.

Figure 1: Cloud-native challenges (Source: SoloCon 2022)

This blog will discuss the core problems in cloud-native microservices and the solution to achieving a more reliable and secure application stack. 

Microservices Paradigm Shift: New Problems and New Solutions

The microservices architecture paradigm has enabled developers to create their applications using the most appropriate programming language. In addition, it is now possible to create services independently using separate teams. 

This approach led to many architectural patterns and practices with overlapping features and minimal reuse among different services. In the long run, this decentralized development approach creates an application stack with inconsistent security implementations and observability patterns—not to mention the extra money and developer time spent on creating and managing the applications in the first place.

In the cloud-native world, with its flexibility and scalability requirements, there is a need to simplify the effort required to deploy secure and resilient applications. While streamlining that effort, the following should be addressed as well:

  • Establishing a minimum level of bureaucratic processes with simple, easy-to-use, and self-service tools
  • Implementing software-based tooling for managing the applications, with no dedicated hardware such as network appliances
  • Meeting the demands of high scalability with rich flexibility over time
  • Enforcing best practices and guardrails to keep systems in order

Solution: Developer Portal and API Gateway

The cloud-native and modern solution to the mentioned challenges is a managed API gateway solution with a developer self-service portal.

Figure 2: Solution overview (Source: SoloCon 2022)

The solution focuses on the API gateway and traffic routing since microservices rely on well-defined APIs between services. As an API gateway, it leverages industry-standard technologies like Envoy. However, managing Envoy is not easy, requiring a high level of domain knowledge. Thus, a central platform team provides all the mentioned features as a managed service. 

The solution works across public and private clouds, both of which are part of the cloud-native world. In addition, it integrates with critical in-house systems, such as those for inventory and visibility. The latest trends in software development, e.g., GitOps, are also offered as part of the solution. Last but not least, it is a self-service platform with no tickets to open and no need to wait for someone to take action.

From an architectural point of view, the design looks as follows:

Figure 3: Architecture overview (Source: SoloCon 2022)

At the top, there is an edge layer with perimeter controllers and firewalls. Under that layer, there is an API gateway with data and control planes—and all the cool features of an API gateway. On the very bottom level, there are real applications packaged as microservices and running on different platforms. The three key capabilities of this solution are discussed below.

Traffic Management

Traffic management handles the request routing and the connection between services with rate limiting, circuit breaking, protocol transition, and load balancing. In addition, it covers the locality-aware failover approaches that help to maintain reliable connections to the services.

Security

The perimeter control validates all inbound traffic before it reaches the clusters. In addition, robust authentication and authorization methods can integrate with existing external authentication and authorization servers. Finally, the traffic between services can use mutual TLS encryption to protect data-in-motion on all connections.

Extensibility

With the Network Filter Chain of Envoy, it’s possible to enforce rules in priority order, create inline transformations, and make custom filters in any language, such as with WebAssembly.

Developer Portal & Process

Gloo Portal, a self-service developer portal, is the cloud-native modern solution to the management challenge of complicated microservices. It enables developers to publish, document, share, discover, and use APIs with rich controls and comprehensive security information.

Figure 4: Gloo Portal (Source: Solo.io)

This portal also serves as an inspection tool for teams, with granular role-based access controls (RBAC) and delegation to limit clients’ and administrators’ permission to access applications, resources, and management tools. It also follows the latest trends in the industry with configuration as code, GitOps, and custom resources with Kubernetes. Developers and operators can use declarative Kubernetes custom resources to manage traffic, implement security policies, and configure monitoring.

Solo.io has worked with many customers to implement API gateways and developer portals to improve developer productivity and speed application delivery while improving resiliency and security. Using a cloud-native managed API gateway solution eliminates non-functional requirements from the application code. When these are removed, there is more time—nearly 20% to 30%—for developers to focus on their core applications. 

In addition, the developer portal and API gateway enable code sharing and reuse of functionalities while increasing collaboration. When application management is streamlined, the result is remarkable, with a significant reduction in production issues—since most of the issues arise from networking configuration problems directly related to non-functional requirements.

Start a free trial now, and see how the Gloo Platform lets you manage your services with a next-generation cloud-native approach. For more about the API gateway journey, we recommend the ebook “Moving to a Modern API Gateway.” And if you want structured instructor-led training, Solo Academy has the best set of courses created by Istio maintainers and community members.

 
