What is an API gateway?
An API gateway is a tool situated in front of one or more APIs, which can serve as a single point of contact for external API consumers, as well as internal APIs and microservices. The gateway enforces security policies to protect against threats, and efficiently routes traffic between API producers and consumers.
An API gateway works by receiving API requests from a client, aggregating multiple requests, and routing them to the required services. When responses are received, the API gateway similarly aggregates them and routes them back to the user.
Download the eBook: API Gateways: Productivity, Resilience, and Security for Next-Generation Cloud Applications
Microservices challenges and how API gateways can help
Modern cloud native applications based on a microservices architecture frequently utilize API gateways. These applications usually consist of autonomous, independent, single-function components known as microservices. These components are loosely coupled and typically connected to their own databases. You can deploy, maintain and test each microservice independently.
Microservices enable you to easily develop, deploy, and maintain different application functions, but they also make it difficult for external users to quickly and securely access the application. An API gateway helps solve this issue. Instead of asking customers to request access to each microservice separately, the gateway provides a single point of entry for all requests.
Once a request for information comes into a microservices-based application, the API gateway retrieves and returns the data, streamlining this process. It sends them to the relevant service, collects results, and sends them back to the customer. The gateway handles access control and also allows reliable and fast delivery in large, complex applications.
An API gateway provides a management interface for many important aspects of the application. It serves as the main proxy that connects customers to services, supporting security and administration functions such as metric collection, authentication, response transformation, and input validation.
Each microservice runs in an independent environment, allowing you to add, upgrade, move and change them without affecting the overall application. API gateways enable you to easily route traffic and scale up microservices applications.
Learn more in our detailed guide to API gateways and microservices
How does an API gateway work?
An API gateway decouples the client interface from the backend implementation of a microservices architecture. API consumers only communicate with the API gateway, which provides an easier and more consistent experience than integrating with each back end API provider.
When an API consumer sends a request to the API Gateway, the following process occurs:
- Request flow—the request is approved, validated, and translated against the backend endpoint. At this stage, API providers can request specific HTTP headers, query strings, or API keys to identify the caller, block fraudulent requests, or impose limits or quotas.
- Request routing—the API gateway is able to map between user requests and the back end services that can fulfill each request. It routes requests to one or more relevant services. Multiple requests for the same API are packaged into a single request to improve performance.
- Response flow—when APIs respond, the API gateway collects responses from multiple services and sends them back to the client. In the same way as requests, multiple responses may be aggregated into a single response. This response typically includes an HTTP status code confirming that the request was successful.
5 key capabilities of API gateways solutions
1. API Security
Access control is a major driver for the adoption of API gateway technology. An API gateway must provide an authentication layer so that only authenticated users can access a backend API. It should also be able to integrate with existing authentication providers, such as API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Once an account is authenticated, the API gateway authorizes the targets it is allowed to access. An API gateway should also support authorization—this means it should be able to abstract the structure of backend APIs and control user access to specific functions, data, or operations. An API gateway must be able to leverage existing authorization mechanisms such as role based access control (RBAC).
Learn more in our detailed guide to API gateway security
An API gateway reduces load on back end APIs and helps prevent abuse. Rate limiting limits access to the API, only allowing a certain number of requests per period, user, or group of users. Rate limiting makes it possible to expose APIs safely to third-party consumers, creating new revenue opportunities.
3. API Monitoring and Logging
An API gateway should provide basic monitoring for all APIs and be able to track requests, response times, and service level agreements (SLAs). The API gateway should also provide unified logging for all APIs. Logs should include a request ID, which makes it possible to correlate request headers with API activities, to enable end-to-end debugging.
4. API Transformation
An API gateway must provide the ability to transform request and response payloads. Payload transformation can support organizations moving from traditional SOAP-based architectures to modern REST-based API architectures, and can help accelerate time to market.
5. API Scalability
API gateways typically do not perform autoscaling out of the box, but they should integrate with a service that provides this functionality. API gateways must support scalability, high availability, load balancing, and shared state without compromising performance.
Benefits and challenges of API gateways
API gateways standardize and centralize the delivery of services via APIs and help organize and secure API integrations. The main benefits of an API gateway are:
- Simplified service delivery—combine API calls to request services, reducing the traffic volume and streamlining API processes to improve user experience.
- Flexibility—easily configure the gateway to encapsulate the application’s internal structure and invoke back end services.
- Legacy app integration—extend the functionality of legacy apps instead of refactoring or adopting new apps.
- Observability—monitor API activity with logs to pinpoint issues during failures.
However, API gateways also have challenges as the gatekeepers between API providers and consumers:
- Resilience and reliability—malfunctions in the API gateway can cause associated services to fail, unless they are configured for high-availability. Organizations should avoid adding redundant features that impact performance.
- Security—API gateways are trusted sources within the corporate network so that any compromise can affect the whole organization. It is important to separate internal and outward-facing APIs.
Complex dependencies—gateways require updates for each change to an API. API design rules and standards can mitigate this complexity.
API gateway vs. API management
API management solutions enable you to manage the entire API lifecycle. You can use these solutions to manage how you publish and share APIs with developers and partners, and control who can access each API according to specific user roles and permissions.
They also provide monitoring functionality to track usage statistics for each published API. These insights can answer important questions, such as which APIs are most popular among external clients, what clients do with APIs after they are published, the geo-distribution of requests, and how many API per second each endpoint receives.
API gateways might be components within an overall API management solution, or they can be used as a standalone solution. An API gateway is only a proxy service situated in front of existing infrastructure, while an API management solution encompasses the entire API lifecycle.
Organizations typically use API gateways and API management platforms together to:
- Enhance the back-end architecture and gain more control over a multi-API system.
- Improve observability of API-based applications.
- Improve end-users experience when consuming company data or features via APIs.
API gateway vs. service mesh
A service mesh is an infrastructure layer that focuses on managing internal communication, handling communication within a microservices-based application. It works by abstracting the network layer from the application and handles all traffic controls to ensure security and policy enforcement within the network.
Kubernetes and virtual machine (VM) workloads leverage a service mesh to handle communication between services and traffic flowing from external clients into the application. A service mesh can manage both north-south traffic (among services within a data center) and east-west traffic (services communicating across data centers).
An API gateway focuses on managing incoming request traffic from external users. In smaller implementations, it can be used to manage inter-service traffic as well. API gateways can support simple use-cases, including:
- Authentication and authorization
- Protocol compatibility
- Layer 7 level routing
- Rate limiting
Once a microservices architecture scales up, API gateways alone are not enough, because they cannot support use cases like end-to-end encryption of network communication and advanced deployment strategies. Larger microservices deployments typically use a service mesh in combination with an API gateway to achieve efficient traffic management and secure communication.
Learn more in our detailed guide to service mesh vs. API gateway
API gateway vs. load balancer
API gateways and load balancers can handle network traffic but work differently. Since an enterprise network typically sees high traffic volumes, an application running on a single server might lack sufficient compute or network power to handle all received traffic requests. A load balancer routes incoming network traffic between two or more servers.
An API gateway manages network traffic differently. Modern software increasingly relies on APIs to integrate disparate application components and enable them to communicate. An API gateway receives API requests from a client and determines the destination services or applications required to handle these calls. It also manages all translations and protocols between different software components.
Enterprises can use API gateways and load balancers together. For example, you can employ an API gateway to connect microservices and load balancers, and define how traffic should be distributed between multiple instances of a microservice.
Learn more in our detailed guide to API gateway vs. load balancer
7 API gateway tools you should know
1. Gloo Gateway
Gloo Gateway, is a full-featured API gateway, built on Istio and Envoy, for managing ingress and egress traffic to Kubernetes, VMs, and serverless functions. It can be a standalone API Gateway or be a component of a fully integrated API Gateway and Service Mesh (Solo.io Gloo Platform).
Gloo Gateway is a Kubernetes-native, next-generation API Gateway built on Envoy Proxy to manage, secure, and observe traffic at the edge. Gloo Gateway configures the behavior of the Envoy Proxy data plane to ensure secure application networking and policy-based traffic management while gathering metrics to improve observability.
2. Amazon API Gateway
Product page: https://aws.amazon.com/api-gateway/
Amazon API Gateway is a fully-managed service that enables you to create and manage APIs. You can use this service to create APIs for client applications or make them available to third-party application developers. The service enables:
- Creating and publishing APIs that can access AWS, data stored in the AWS cloud, and various web services.
- Maintaining, securing, and monitoring APIs.
The Amazon API Gateway can accept and process hundreds of thousands of concurrent API calls, including all related tasks such as traffic management, access control, authorization, monitoring, and throttling.
3. Apigee API Gateway
GitHub Repo: https://github.com/apigee
Apigee API Gateway is developed by Google. It lets you design, publish, secure, analyze, monetize, and monitor APIs. Apigee provides an API wrapper, an abstraction layer that enables you to modernize legacy SAP systems.
The Apigee platform handles tasks like translating API calls and passing requests to the underlying SAP environment. It also handles other functions, such as authentication, throttling, and threat assessment.
4. Azure API Gateway
Product page: https://azure.microsoft.com/en-us/services/api-management/
Azure API Gateway enables organizations to manage all APIs using a single API management service. It is designed for multi-cloud and hybrid environments hosting APIs on-premises and across clouds. The gateway proxies API requests, applies security and compliance policies, and collects telemetry.
The solution also provides a management plane and developer portal. The management plane can be accessed programmatically via API, or through the Azure portal. You can leverage the developer portal to learn how to use various APIs and collaborate.
5. Oracle API Gateway
Product page: https://www.oracle.com/cloud/cloud-native/api-management/
Oracle API Gateway is a platform that enables you to manage, deliver, and secure web APIs. It offers integration, governance, security, and acceleration for APIs. The platform is available on Linux, Solaris, and Windows.
Key features include:
- Identity management—the solution integrates with third-party identity management (IM) infrastructure to authenticate and authorize message traffic. It can integrate with the lightweight directory access protocol (LDAP), Microsoft Active Directory (AD), CA SiteMinder, Oracle Access Manager, Entrust GetAccess, and more.
- Pluggable pipeline—the solution uses an extensible internal message-handling pipeline. It enables you to add extra access control and content-filtering rules.
- REST APIs—this solution supports REST to ensure you can use web APIs to make enterprise application data and operations available.
6. Kong API Gateway
License: Apache License 2.0
GitHub Repo: https://github.com/Kong/kong
This open source API gateway is optimized especially for microservices architectures and can also work with other architectures. It is built on top of a lightweight proxy to minimize latency and enable scaling multiple microservice applications regardless of where they run.
The Kong API Gateway can manage and throttle API requests, and provides an authentication layer that can help secure services. It provides analytics and traffic visualization for APIs and microservices.
7. Tyk API Gateway
License: Mozilla Public License Version 2.0
GitHub Repo: https://github.com/TykTechnologies/tyk
Tyk is an open source API Gateway that supports REST, TCP, gRPC, and GraphQL protocols. It enables you to control access to APIs, when users can access them, and how they can access APIs. You can also deploy this gateway as part of a larger API management platform called Tyk Self-Managed, which also includes a Management Control Plane, central UI and developer Portal.
The evolution of API gateways
Several factors are reshaping how users evaluate API Gateways:
- How well does it scale to handle a larger volume of API traffic?
- How well does it perform at a larger scale?
- How well does it consistently deliver low-latency response times?
- Does it natively work in public cloud or any Kubernetes environments?
- Does it leverage the latest innovations in proxy technologies (e.g. Envoy Proxy)?
- Does it leverage the latest open source innovations around proxy technologies (e.g. WebAssembly or GraphQL)?
As each of these issues become more impactful to how an API Gateway can enable your microservice applications, the more companies are beginning to choose Solo.io Gloo Gateway. Based on Envoy Proxy, Gloo Gateway enables greater scalability and latency than legacy API Gateways based on NGINX, HAProxy or Java-wrappers on proxy technology.
In addition, Gloo Gateway is both public cloud native and Kubernetes native, so integrating with DevOps environments is seamless. And Gloo Gateway enables users to easily add new innovations such as Web Assembly or GraphQL to their API Gateway environment to handle next-generation application needs.