Moving to a Modern API Gateway

API Gateways need to evolve to meet the needs of modern scalability, Kubernetes, Microservices, Multi-Cloud deployments and Cloud-native innovation

API gateways have enabled application and data access for many years. But the technology trends of the last 5 years are causing many companies to rethink their previous product and architectural decisions. As organizations increase their usage of microservices and container-based architectures, the traffic management, security policy and observability limitations of legacy API gateway products become abundantly clear.

The Evolution of API Gateways

Products for managing traffic at the edge have evolved over time, but can be broadly divided into the following groups.

Hardware Load Balancers

Hardware load balancers, or Application Delivery Controllers (offerings like F5 BIG-IP and Citrix ADC), are legacy data center technologies for traffic management at the perimeter. These legacy products are expensive, have no understanding of cloud native architectures, and introduce a single point of failure. In addition, their configuration is typically managed by a separate network team (not DevOps-friendly) and they have high operational costs. If you are embracing cloud computing, it is time to move on from this decade-old technology.

Web Server-based Load Balancer and Reverse Proxies

One of the most popular products in this category is NGINX, a load balancer and reverse proxy for HTTP and other protocols. These types of technologies are reliable for static content and ingress and egress, but they don’t provide a suitable API Gateway out of the box and require add-ons like NGINX+, NGINX Controller, NGINX App Protect and NGINX Amplify. Like many older technologies, it wasn’t built for highly dynamic environments and API management.

NGINX-based API Gateways

While NGINX can provide the proxy foundation for an API gateway, significant additional functionality needs to be added to NGINX, and a number of vendors have taken this architectural approach. One example is Kong Gateway, an API gateway that leverages NGINX, Lua (LuaJIT and LuaEngine), and a persistent data store. The primary issue with this approach is that it requires Lua expertise to implement and customize Kong Gateway. In addition, implementing API gateways with outdated scripting languages has significant drawbacks with tail latency, debugging, scaling, and highly dynamic environments. Kong Gateway also incorporates a persistent data store using PostgreSQL or Cassandra, which increases operational complexity and expense. It can be run in a DB-less mode, but that results in feature loss and degradation.

Full life-cycle API management products

Full life-cycle API management tools (like Apigee) emerged as the need to share APIs across organizations grew along with the need to better manage, document and even monetize API traffic. Most products in this category were developed during the time of monolithic application architectures and VMs and have been slow to support cloud architectures. In addition, they tend to suffer from performance and latency issues due to their use of Java-based architectures and other dated platform technologies. Finally, they have limited ability to integrate into DevOps/GitOps workflows and have high operational costs.

The Move to Modern, Cloud Native API Gateways

As applications are built using containers and microservices architectures, deployed onto Kubernetes and across multiple clouds, and planning for future web and mobile innovations, the need for a modern API Gateway becomes readily apparent.

Modern API Gateways have the following characteristics:

MODERN

Built on Envoy Proxy

Built to solve Internet-scale API challenges, Envoy Proxy is the foundation of the next generation of API Gateway architectures. Leveraging an open source community with 300+ companies making contributions, Envoy has emerged as the de facto data plane for cloud-native applications and APIs. Envoy abstracts the network, providing infrastructure-as-code concepts, while delivering traffic management, security and observability features in a platform-agnostic manner. This foundation enables a modern API gateway to provide services including security, reliability, filtering, transformations, and routing. Working collectively, the API gateway can provide higher-level services such as federation, high availability, load balancing, failover, zero-trust security, tracing, and metrics gathering.

Unlike previous solutions built on hardware appliances, HAProxy, NGINX and other legacy technologies, Envoy Proxy is designed to easily integrate future innovations such as WebAssembly, GraphQL and many more.

ARCHITECTURE

Built to support today’s architectures, but future-proofed for innovation

API gateways need to support not only traditional architectures including monolithic applications and VMs, but also newer, cloud native services and containers and serverless workloads. In addition, modern API gateways need to support the latest technologies including RESTful APIs, gRPC and GraphQL. Many API Gateways can support legacy architectures. Only Gloo Edge, with Envoy Proxy, can seamlessly integrate with future innovation.

FLEXIBILITY

Extensible across different architectures, customizable with any language

Modern API gateways enable organizations to “extend” the architecture with new capabilities in a language-independent manner via WebAssembly, as well as to decode, interpret and filter the wire protocol formats. This enables traffic to be routed more efficiently, and it also offloads tasks from other services. This foundation allows modern API gateways to easily add DLP and WAF capabilities (usually at no extra cost) and to incorporate external auth servers, rate limiting servers, and request/response transformation and translation. Legacy API Gateways lack the ability to adapt to today’s demands.

SECURITY

Capable of zero-trust security and advanced threat prevention

A Zero Trust Security model moves away from the traditional perimeter-trust approach to a model that requires strict identity verification at “call-time” for every user and service request, as well as encryption of the traffic between services. Modern API gateways facilitate a Zero Trust Security model by invoking external authentication, applying network encryption (TLS/mTLS), and filtering requests with a Web Application Firewall (WAF), as well as by combining features to implement Forrester’s ZTX and Gartner’s CARTA strategies.

SCALABILITY

Built-in Internet scalability and high availability, using fewer resources than before

As the volume of API calls significantly increases, and the complexity of modern infrastructure (containers, Kubernetes) and microservice applications is realized, the ability to connect, secure and observe traffic becomes more challenging. Legacy API Gateway architectures that use NGINX, Lua, Java, and even older technologies are too resource intensive, lack a native distributed architecture, and don’t deliver the required performance to support medium to large scale applications. In addition, legacy API gateways often rely on supporting technologies like operational databases that can become single points of failure as well as increase operational costs and complexity.

CLOUD-NATIVE OPS

Seamlessly integrate into your DevOps | GitOps workflows

Modern API gateways enable developers and operators to use declarative CRDs, usually as part of a DevOps / GitOps process, to manage traffic, implement security policy, and configure observability. In addition, requirements for dynamic updates without restarts, canary deployments, and federated configurations are natively part of Gloo Edge. DevOps teams can now deploy and manage an API gateway, often in concert with a service mesh, to programmatically manage application networking, eliminating the need to separately access and manage individual resources and services.
