API gateways have enabled application and data access for many years. But the technology trends of the last 5 years are causing many companies to rethink their previous product and architectural decisions. As organizations increase their usage of microservices and container-based architectures, the traffic management, security policy and observability limitations of legacy API gateway products become abundantly clear.
The Evolution of API Gateways
Products for managing traffic at the edge have evolved over time, but can be broadly divided into the following groups.
Hardware Load Balancers
Hardware load balancers or Application Delivery Controllers (offerings like F5 BIG-IP and Citrix ADC) are legacy data center technologies for traffic management at the perimeter. These legacy products are expensive, have no understanding of cloud native architectures, and introduce a single point of failure. In addition, their configuration is typically managed by a separate network team (not DevOps-friendly) and they have high operational costs. If you are embracing cloud computing, it is time to move on from this decade-old technology.
Web Server-based Load Balancer and Reverse Proxies
One of the most popular products in this category is NGINX, a load balancer and reverse proxy for HTTP and other protocols. These types of technologies are reliable for static content and ingress and egress, but they don’t provide a suitable API Gateway out of the box and require add-ons like NGINX+, NGINX Controller, NGINX App Protect and NGINX Amplify. Like many older technologies, it wasn’t built for highly dynamic environments and API management.
NGINX-based API Gateways
While NGINX can provide the proxy foundation for an API gateway, significant additional functionality needs to be added to it, and a number of vendors have taken this architectural approach. One example is Kong Gateway, an API gateway that leverages NGINX, Lua (LuaJIT and LuaEngine), and a persistent data store. The primary issue with this approach is that it requires Lua expertise to implement and customize Kong Gateway. In addition, implementing API gateways with outdated scripting languages has significant drawbacks with tail latency, debugging, scaling, and highly dynamic environments. Kong Gateway also incorporates a persistent data store using PostgreSQL or Cassandra, which increases operational complexity and expense. It can be run in a DB-less mode, but that results in feature loss and degradation.
Full life-cycle API management products
Full life-cycle API management tools (like Apigee) emerged as the need to share APIs across organizations grew along with the need to better manage, document and even monetize API traffic. Most products in this category were developed during the time of monolithic application architectures and VMs and have been slow to support cloud architectures. In addition, they tend to suffer from performance and latency issues due to their use of Java-based architectures and other dated platform technologies. Finally, they have limited ability to integrate into DevOps/GitOps workflows and have high operational costs.
The Move to Modern, Cloud Native API Gateways
As applications are built using containers and microservices architectures, deployed onto Kubernetes and across multiple clouds, and planned with future web and mobile innovations in mind, the need for a modern API gateway becomes readily apparent.
Modern API Gateways have the following characteristics:
Built on Envoy Proxy
Built to solve Internet-scale API challenges, Envoy Proxy is the foundation of the next generation of API gateway architectures. Leveraging an open source community with 300+ companies making contributions, Envoy has emerged as the de facto data plane for cloud-native applications and APIs. Envoy abstracts the network, providing infrastructure-as-code concepts, while delivering traffic management, security and observability features in a platform-agnostic manner. This foundation enables a modern API gateway to provide services including security, reliability, filtering, transformations, and routing. Working collectively, the API gateway can provide higher-level services such as federation, high availability, load balancing, failover, zero-trust security, tracing, and metrics gathering. Unlike previous solutions built on hardware appliances, HAProxy, NGINX and other legacy technologies, Envoy Proxy is designed to easily integrate future innovations such as WebAssembly, GraphQL and many more.
Built to support today’s architectures, but future-proofed for innovation
API gateways need to support not only traditional architectures including monolithic applications and VMs, but also newer, cloud native services and containers and serverless workloads. In addition, modern API gateways need to support the latest technologies including RESTful APIs, gRPC and GraphQL. Many API Gateways can support legacy architectures. Only Gloo Edge, with Envoy Proxy, can seamlessly integrate with future innovation.
Extensible across different architectures, customizable with any language
Modern API gateways enable organizations to “extend” the architecture with new capabilities in a language-independent manner via WebAssembly, and to decode, interpret and filter the wire protocol formats. This enables traffic to be routed more efficiently, and it also offloads tasks from other services. This foundation allows modern API gateways to easily add DLP and WAF capabilities (usually at no extra cost), incorporate external auth servers and rate limiting servers, and perform request/response transformation and translation. Legacy API gateways lack the ability to adapt to today’s demands.
Capable of zero-trust security and advanced threat prevention
A Zero Trust Security model moves away from the traditional perimeter-trust approach to a model that requires strict identity verification at “call-time” for every user and service request, as well as encryption of the traffic between services. Modern API gateways facilitate a Zero Trust Security model by invoking external authentication, applying network encryption (TLS/mTLS), and filtering requests with a Web Application Firewall (WAF), as well as combining these features to implement Forrester’s ZTX and Gartner’s CARTA strategies.
Built-in Internet scalability and high availability, using fewer resources than before
As the volume of API calls significantly increases, and the complexity of modern infrastructure (containers, Kubernetes) and microservice applications is realized, the ability to connect, secure and observe traffic becomes more challenging. Legacy API gateway architectures that use NGINX, Lua, Java, and even older technologies are too resource intensive, lack a native distributed architecture, and don’t deliver the required performance to support medium to large scale applications. In addition, legacy API gateways often rely on supporting technologies like operational databases that can become single points of failure as well as increase operational costs and complexity.
Seamlessly integrate into your DevOps | GitOps workflows
Modern API gateways enable developers and operators to use declarative CRDs, usually as part of a DevOps / GitOps process, to manage traffic, implement security policy, and configure observability. In addition, requirements for dynamic updates without restarts, canary deployments, and federated configurations are natively part of Gloo Edge. DevOps teams can now deploy and manage an API gateway, often in concert with a service mesh, to programmatically manage application networking, eliminating the need to separately access and manage individual resources and services.