
Kubernetes API gateway

What are the options?

Series: Kubernetes API Gateway

What is an API gateway?

An API gateway is an API management tool that sits between clients and the backend services they need to access. The API gateway acts as a reverse proxy, accepting all application programming interface (API) calls, aggregating the services required to execute the calls, and returning the appropriate results to the clients.

An API gateway is a way of decoupling the client interface from the backend implementation. When a client makes a request, the gateway can split it into multiple backend requests, route each to the appropriate service, assemble a single response, and keep track of everything.

API gateways typically handle common system-wide tasks for API services such as user authentication, rate limiting, and statistics. The challenge is to overcome the complexity of enterprise APIs and provide a simple and reliable experience for customers. 

With the adoption of Kubernetes, containers, and cloud native architectures for modern applications, technologies like the open source Envoy Proxy and Istio have emerged to enable application networking for distributed systems. Envoy has become the most popular proxy at the edge, and also as the sidecar that handles internal traffic in an Istio service mesh.

Why is an API gateway important for Kubernetes?

The API gateway solution builds on the unique strengths of Kubernetes, giving teams better communication and capabilities.

One of these strengths is scalability. However, the scalability offered by Kubernetes presents the challenge of maintaining security and control for each instance of an application or service. Historically, Kubernetes lacked a built-in mechanism for managing APIs, which caused problems for administrators. A unified API gateway makes it easy to extend each application or service as needed. This is achieved via a centralized API admin portal that provides real-time visibility into how APIs are being used.

Another major benefit of Kubernetes is its open source nature, allowing it to adapt to any use case. An API gateway facilitates digital transformation by extending the flexibility of Kubernetes to easily interact with other APIs, including legacy systems.

One of the benefits of managing an API through a gateway is that it makes it easier to collect data from multiple sources, because all traffic must go through one point. This simplifies the monitoring and analysis of API calls. This is very important for both security and performance optimization of Kubernetes clusters.

What is the Kubernetes API gateway project?

Gateway API is the official API gateway packaged with Kubernetes, currently in beta. It is an open source project maintained by the SIG-NETWORK community.

The Kubernetes Gateway API is a collection of resources that models a network of services in Kubernetes. These resources (including GatewayClass, Gateway, HTTPRoute, TCPRoute, and Service) provide expressive, scalable, role-oriented interfaces that are implemented by a variety of vendors, with wide industry support.

[Figure: Kubernetes Gateway API resource model. Image source: Kubernetes]

After you deploy a Kubernetes application, you typically need to expose it to end users. This is usually done using an Ingress Controller. The Ingress API object defines the routing and mapping of external traffic to the Kubernetes service. It also provides load balancing, SSL termination, and name-based virtual hosting.

Many commercial controllers, such as the NGINX Ingress Controller and HAProxy, implement the Kubernetes Ingress interface. These controllers differentiate themselves from each other by providing more features, such as advanced load balancing. Currently, the native Ingress API is very limited in scope.


The Gateway API is an evolution of Ingress that extends the API definition to provide advanced functionality, as a native part of Kubernetes. You can access some of these via private extensions to Ingress offered by various vendors, but their implementations are not coordinated with each other. In the new Kubernetes Gateway API, many of these features are implemented by multiple vendors following a single specification, providing users with multiple implementation options.

Important features added to the Gateway API include HTTP and TCP routing, traffic segmentation, and role-oriented access control.

Third-party API gateway solutions for Kubernetes

The official Kubernetes Gateway API has yet to mature and prove itself in demanding enterprise environments. In the meantime, most organizations are relying on third-party API gateway solutions. Here are a few leading solutions you should know about.

Solo Gloo Mesh

Solo.io’s Gloo Mesh Gateway and Gloo Edge deliver robust API gateways by enhancing open source Istio and Envoy Proxy. By default, basic open source distributions of Istio and Envoy don’t go far enough to deliver features needed for comprehensive application networking. Traffic routing alone isn’t enough, and if you use pure open source you inherit the burden of developing and maintaining missing enterprise features forever. 

Solo adds comprehensive functionality to your API gateways, reducing complexity while increasing security, reliability, and observability for consistent applications and microservices connectivity, including:

  • Manage API ingress and egress at the edge – with traffic from external sources coming in over the Internet, you’ll need routing, circuit breaking, rate limiting, load balancing, and locality-aware failover to maintain reliable connections to your services.
  • Comprehensively secure all connections – establish a zero trust environment where every inbound connection is validated before being allowed. Integrate with your existing external authentication and authorization servers. Use mTLS encryption to protect data-in-motion on all connections.
  • Federate configurations and policies as code – manage application networking with common policies implemented consistently everywhere. Developers and operators can use declarative CRDs, usually as part of a DevOps or GitOps process, to manage traffic, implement security policy, and configure observability.
  • Define custom rules and behaviors – set up a filter chain to enforce rules in priority order, create inline transformations, and make your own custom filters, in any language, with WebAssembly (Wasm).
  • Build a developer portal – fully integrated with Gloo Mesh Gateway and Gloo Edge, Gloo Portal abstracts the complexity and enables developers to publish, document, share, discover, and use APIs with rich controls and comprehensive security information.
  • Limit access to resources – use granular role-based access controls and delegation to limit which clients and administrators have permissions to applications, resources, and management tools.

NGINX Kubernetes Gateway

NGINX Kubernetes Gateway aims to simplify API gateway capabilities, delivering them without the need for CRDs. The beta version delivers Ingress controller functionality with Layer 7 routing supporting HTTP and HTTPS.

It uses three main resources – GatewayClass, Gateway, and Routes – mapping them to the relevant roles with role-based access control (RBAC):

  • Infrastructure providers define GatewayClasses for Kubernetes clusters.
  • Cluster operators deploy and configure Gateways and policies in a cluster.
  • Application developers are then free to attach Routes to Gateways to expose their applications externally.
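The three resources and the role split described in the Gateway API section and in the NGINX list above, as an added example (not code from the page, Solo, NGINX, or the Kubernetes project). It uses the v1beta1 API version the page refers to as beta; every name, namespace, hostname, and the controllerName value are constructed placeholders.

```yaml
# Added example: all names, namespaces, hostnames and controllerName are constructed placeholders.
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass            # infrastructure provider: names the implementing controller
metadata:
  name: example-class
spec:
  controllerName: example.com/gateway-controller   # hypothetical controller
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway                 # cluster operator: owns listener, certificate, and attachment policy
metadata:
  name: edge-gateway
  namespace: infra
spec:
  gatewayClassName: example-class
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: shop.example.com
    tls:
      mode: Terminate                  # TLS terminated at the gateway (the page's "SSL termination")
      certificateRefs:
      - name: shop-example-com-tls     # Secret in the infra namespace
    allowedRoutes:
      namespaces:
        from: Selector                 # role-oriented access control: only labelled
        selector:                      # namespaces may attach routes to this listener
          matchLabels:
            gateway-access: allowed
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute               # application developer: attaches to the operator's Gateway
metadata:
  name: shop-route
  namespace: shop                      # this namespace carries gateway-access=allowed
spec:
  parentRefs:
  - name: edge-gateway
    namespace: infra
  hostnames: ["shop.example.com"]
  rules:
  - matches:
    - path: {type: PathPrefix, value: /api}
    backendRefs:                       # weighted split: 90% to v1, 10% to v2
    - {name: shop-v1, port: 8080, weight: 90}
    - {name: shop-v2, port: 8080, weight: 10}
```

If the shop namespace lacks the gateway-access=allowed label, the HTTPRoute is rejected by the Gateway rather than silently exposed, which is the enforcement point an operator would check with `kubectl describe httproute`.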

Amazon API Gateway

Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale. API developers can create APIs to access data stored in AWS and other web services.

You can use Amazon API Gateway to expose microservices running in an Elastic Kubernetes Service (EKS) cluster. API Gateway lets you create API frontends for microservices and includes features such as API versioning, API key management, authentication and authorization, and DDoS protection. 

AWS Controllers for Kubernetes (ACK) lets you manage Amazon API Gateway the same way you manage Kubernetes resources such as pods, deployments, services, and Ingresses.

Azure API Management

Azure API Management is a turnkey solution for your API Gateway needs. You can quickly create consistent, modern gateways for microservices and expose them as APIs. As a complete lifecycle API management solution, it also provides additional features such as API discovery, API lifecycle management, and a self-service developer portal for API analytics.

Azure Kubernetes Service (AKS) and API Management together provide a platform for deploying, publishing, securing, monitoring, and managing microservices-based APIs.

How to choose?

Kubernetes API gateways are evolving and there are several good choices available. To choose the best API gateway for your needs, we recommend considering the following:

  • An API gateway should be vendor agnostic and should not lock you into a specific cloud environment.
  • An API gateway should be robust and mature, based on components with a long track record of reliability and resilience.
  • An API gateway should provide enterprise-grade security features.
  • An API gateway should provide advanced traffic management, routing, and service management features to support large microservices environments.

We have worked hard to ensure Solo Gloo Gateway meets all these requirements. Learn more about our Kubernetes API Gateway solution.
