Architecturally, API gateways have both a data plane and a control plane. The data plane is where traffic flows from your external clients through the proxies to the backend services. The control plane is where your configuration and policies are defined. These configurations are pushed to the proxies to adjust the flow of traffic or to add security checks like authentication. With the adoption of Kubernetes, containers, and cloud-native architectures for modern applications, technologies like the open source Envoy Proxy and Istio have emerged to enable application networking for distributed systems. Envoy has become the most popular proxy at the edge, and it also serves as the sidecar that handles internal traffic in an Istio service mesh.
Why you need a modern API gateway
Legacy API gateways were not designed for highly dynamic environments like cloud and Kubernetes. They require additional infrastructure and a lot of effort to become highly available and production-ready. Legacy API gateways are also often deployed centrally, which conflicts with the distributed nature of modern applications.
APIs are the interfaces which applications use to communicate and the gateway is the control point for routing, shaping, and securing that traffic. As the API gateway intercepts the incoming request, security rules can be applied to inspect the request, authenticate the client, and rate limit the request to protect the backend service from exploit or failure. API gateways can route and shape traffic to support use cases like canary deployments and traffic shadowing to ensure safer application deployments and to maintain a great end user experience.
Why choose Solo.io as the API gateway for your modern apps
Solo.io’s Gloo Mesh Gateway and Gloo Edge deliver robust API gateways by enhancing open source Istio and Envoy Proxy. By default, basic open source distributions of Istio and Envoy don’t go far enough to deliver features needed for comprehensive application networking. Traffic routing alone isn’t enough, and if you use pure open source you inherit the burden of developing and maintaining missing enterprise features forever. Solo.io adds comprehensive functionality to your API gateways, reducing complexity while increasing security, reliability, and observability for consistent applications and microservices connectivity.
options:
  timeout: '20s'
  retries:
    retryOn: 'connect-failure'
    numRetries: 3
    perTryTimeout: '5s'
Manage API ingress and egress at the edge
With traffic from external sources coming in over the Internet, you’ll need routing, circuit breaking, rate limiting, load balancing, and locality-aware failover to maintain reliable connections to your services.
Comprehensively secure all connections
Establish a zero-trust environment where every inbound connection is validated before being allowed. Integrate with your existing external authentication and authorization servers. Use mTLS encryption to protect data-in-motion on all connections.
apiVersion: gateway.solo.io/v1
kind: VirtualService
spec:
  virtualHost:
    domains:
    - 'example.com'
    routes:
    - matchers:
      - prefix: /app/cart
      routeAction:
        single:
          upstream:
            name: shopping-cart
            namespace: gloo-system
Federate configurations and policies as code
Manage application networking with common policies implemented consistently everywhere. Developers and operators can use declarative CRDs, usually as part of a DevOps or GitOps process, to manage traffic, implement security policy, and configure observability.
Define custom rules and behaviors
Set up a filter chain to enforce rules in priority order, create inline transformations, and make your own custom filters, in any language, with WebAssembly (Wasm).
Build a developer portal
Fully integrated with Gloo Mesh Gateway and Gloo Edge, Gloo Portal abstracts the complexity and enables developers to publish, document, share, discover, and use APIs with rich controls and comprehensive security information.
Limit access to resources
Use granular role-based access controls and delegation to limit which clients and administrators have permissions to applications, resources, and management tools.
Application networking is a team sport
While not strictly a security feature of API gateways, one important consideration is the availability of enterprise support and defined service-level agreements (SLAs) for response. Community support for open source software by itself doesn’t meet the requirements for production deployments, so you need a vendor on standby to help you out. Inevitably there will be issues, and when a CVE (Common Vulnerabilities and Exposures) incident is discovered, it is reassuring to know that someone can quickly patch your code and even backport the fix to older versions if you haven’t kept up with the rapid pace of new releases.