What is an API Gateway?
An API gateway is a tool situated in front of one or more APIs, which can serve as a single point of contact for external API consumers, as well as internal APIs and microservices. The gateway enforces security policies to protect against threats, and efficiently routes traffic between API producers and consumers.
An API gateway works by receiving API requests from a client, aggregating multiple requests, and routing them to the required services. When responses are received, the API gateway similarly aggregates them and routes them back to the user.
Microservices challenges and how API gateways can help
Modern cloud native applications based on a microservices architecture frequently utilize API gateways. These applications usually consist of autonomous, independent, single-function components known as microservices. These components are loosely coupled and typically connected to their own databases. You can deploy, maintain and test each microservice independently.
Microservices enable you to easily develop, deploy, and maintain different application functions, but they also make it difficult for external users to quickly and securely access the application. An API gateway helps solve this issue. Instead of asking customers to request access to each microservice separately, the gateway provides a single point of entry for all requests.
Once a request for information comes into a microservices-based application, the API gateway retrieves and returns the data, streamlining this process. It sends them to the relevant service, collects results, and sends them back to the customer. The gateway handles access control and also allows reliable and fast delivery in large, complex applications.
An API gateway provides a management interface for many important aspects of the application. It serves as the main proxy that connects customers to services, supporting security and administration functions such as metric collection, authentication, response transformation, and input validation.
Each microservice runs in an independent environment, allowing you to add, upgrade, move and change them without affecting the overall application. API gateways enable you to easily route traffic and scale up microservices applications.
How does an API gateway work?
An API gateway decouples the client interface from the backend implementation of a microservices architecture. API consumers only communicate with the API gateway, which provides an easier and more consistent experience than integrating with each back end API provider.
When an API consumer sends a request to the API Gateway, the following process occurs:
- Request flow—the request is approved, validated, and translated against the backend endpoint. At this stage, API providers can request specific HTTP headers, query strings, or API keys to identify the caller, block fraudulent requests, or impose limits or quotas.
- Request routing—the API gateway is able to map between user requests and the back end services that can fulfill each request. It routes requests to one or more relevant services. Multiple requests for the same API are packaged into a single request to improve performance.
- Response flow—when APIs respond, the API gateway collects responses from multiple services and sends them back to the client. In the same way as requests, multiple responses may be aggregated into a single response. This response typically includes an HTTP status code confirming that the request was successful.
The Evolution of API Gateways
Several factors are reshaping how users evaluate API Gateways:
- How well does it scale to handle a larger volume of API traffic?
- How well does it perform at a larger scale?
- How well does it consistently deliver low-latency response times?
- Does it natively work in public cloud or any Kubernetes environments?
- Does it leverage the latest innovations in proxy technologies (e.g. Envoy Proxy)?
- Does it leverage the latest open source innovations around proxy technologies (e.g. WebAssembly or GraphQL)?
As each of these issues become more impactful to how an API Gateway can enable your microservice applications, the more companies are beginning to choose Solo.io Gloo Gateway. Based on Envoy Proxy, Gloo Gateway enables greater scalability and latency than legacy API Gateways based on NGINX, HAProxy or Java-wrappers on proxy technology.
In addition, Gloo Gateway is both public cloud native and Kubernetes native, so integrating with DevOps environments is seamless. And Gloo Gateway enables users to easily add new innovations such as Web Assembly or GraphQL to their API Gateway environment to handle next-generation application needs.
5 key capabilities of API gateways
1. API Security
Access control is a major driver for the adoption of API gateway technology. An API gateway must provide an authentication layer so that only authenticated users can access a backend API. It should also be able to integrate with existing authentication providers, such as API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Once an account is authenticated, the API gateway authorizes the targets it is allowed to access. An API gateway should also support authorization—this means it should be able to abstract the structure of backend APIs and control user access to specific functions, data, or operations. An API gateway must be able to leverage existing authorization mechanisms such as role based access control (RBAC).
An API gateway reduces load on back end APIs and helps prevent abuse. Rate limiting limits access to the API, only allowing a certain number of requests per period, user, or group of users. Rate limiting makes it possible to expose APIs safely to third-party consumers, creating new revenue opportunities.
3. API Monitoring and Logging
An API gateway should provide basic monitoring for all APIs and be able to track requests, response times, and service level agreements (SLAs). The API gateway should also provide unified logging for all APIs. Logs should include a request ID, which makes it possible to correlate request headers with API activities, to enable end-to-end debugging.
4. API Transformation
An API gateway must provide the ability to transform request and response payloads. Payload transformation can support organizations moving from traditional SOAP-based architectures to modern REST-based API architectures, and can help accelerate time to market.
5. API Scalability
API gateways typically do not perform autoscaling out of the box, but they should integrate with a service that provides this functionality. API gateways must support scalability, high availability, load balancing, and shared state without compromising performance.
Benefits and challenges of API gateways
API gateways standardize and centralize the delivery of services via APIs and help organize and secure API integrations. The main benefits of an API gateway are:
- Simplified service delivery—combine API calls to request services, reducing the traffic volume and streamlining API processes to improve user experience.
- Flexibility—easily configure the gateway to encapsulate the application’s internal structure and invoke back end services.
- Legacy app integration—extend the functionality of legacy apps instead of refactoring or adopting new apps.
- Observability—monitor API activity with logs to pinpoint issues during failures.
However, API gateways also have challenges as the gatekeepers between API providers and consumers:
- Resilience and reliability—malfunctions in the API gateway can cause associated services to fail, unless they are configured for high-availability. Organizations should avoid adding redundant features that impact performance.
- Security—API gateways are trusted sources within the corporate network so that any compromise can affect the whole organization. It is important to separate internal and outward-facing APIs.
Complex dependencies—gateways require updates for each change to an API. API design rules and standards can mitigate this complexity.
API gateway vs. API management
API management solutions enable you to manage the entire API lifecycle. You can use these solutions to manage how you publish and share APIs with developers and partners, and control who can access each API according to specific user roles and permissions.
They also provide monitoring functionality to track usage statistics for each published API. These insights can answer important questions, such as which APIs are most popular among external clients, what clients do with APIs after they are published, the geo-distribution of requests, and how many API per second each endpoint receives.
API gateways might be components within an overall API management solution, or they can be used as a standalone solution. An API gateway is only a proxy service situated in front of existing infrastructure, while an API management solution encompasses the entire API lifecycle.
Organizations typically use API gateways and API management platforms together to:
- Enhance the back-end architecture and gain more control over a multi-API system.
- Improve observability of API-based applications.
- Improve end-users experience when consuming company data or features via APIs.
API gateway vs. service mesh
A service mesh is an infrastructure layer that focuses on managing internal communication, handling communication within a microservices-based application. It works by abstracting the network layer from the application and handles all traffic controls to ensure security and policy enforcement within the network.
Kubernetes and virtual machine (VM) workloads leverage a service mesh to handle communication between services and traffic flowing from external clients into the application. A service mesh can manage both north-south traffic (among services within a data center) and east-west traffic (services communicating across data centers).
An API gateway focuses on managing incoming request traffic from external users. In smaller implementations, it can be used to manage inter-service traffic as well. API gateways can support simple use-cases, including:
- Authentication and authorization
- Protocol compatibility
- Layer 7 level routing
- Rate limiting
Once a microservices architecture scales up, API gateways alone are not enough, because they cannot support use cases like end-to-end encryption of network communication and advanced deployment strategies. Larger microservices deployments typically use a service mesh in combination with an API gateway to achieve efficient traffic management and secure communication.
API gateway vs. load balancer
API gateways and load balancers can handle network traffic but work differently. Since an enterprise network typically sees high traffic volumes, an application running on a single server might lack sufficient compute or network power to handle all received traffic requests. A load balancer routes incoming network traffic between two or more servers.
An API gateway manages network traffic differently. Modern software increasingly relies on APIs to integrate disparate application components and enable them to communicate. An API gateway receives API requests from a client and determines the destination services or applications required to handle these calls. It also manages all translations and protocols between different software components.
Enterprises can use API gateways and load balancers together. For example, you can employ an API gateway to connect microservices and load balancers, and define how traffic should be distributed between multiple instances of a microservice.