API developers often face the following challenges:
- It is difficult to manage multiple API versions and environments.
- It takes a lot of time to monitor the access of 3rd party developers.
- Authorization of access is a challenge.
- Operations are burdened by traffic spikes.
API Gateways are reverse proxy servers that expose microservices as APIs. Clients reach microservices through the gateway, and this client-to-service traffic is often referred to as north-south traffic. API Gateways typically perform authentication, enforce security policies, load balance between backend services, and throttle requests if necessary. An API Gateway reduces the complexity of client and server code, reduces the overall network latency required to satisfy client requests, and enables better enforcement of access controls and limits.
We will discuss the basics of an API Gateway, what it does and doesn’t do, and how it differs from a service mesh in this post. A few popular API gateways will also be reviewed.
Purpose of an API Gateway
API Gateways are fundamentally designed to prevent backend services and data sources from being exposed to the public.
API Gateways provide an abstraction layer from which you can manage:
- Security — SSL termination, whitelisting, firewalling, authentication, and authorization.
- Performance — Throttling, request aggregation, routing, load balancing, and caching capabilities.
- Administrative — Logging, monitoring, metering, and versioning APIs.
Benefits of using an API Gateway
Client code that is cleaner and simpler
When client and backend services are decoupled, the client does not need to know how individual services have been decomposed. The decoupling makes it easier to maintain client code and refactor services without affecting one another. In addition, developers can use API Gateways to keep track of endpoints and handle request failures so that they don’t end up delivering a bad user experience.
A client app might need to call multiple backend services in order to perform a single operation. A client without an API Gateway will need to make multiple network round trips to the backend services, adding significant latency to the process. Requests can be aggregated and routed efficiently with an API Gateway to reduce the number of client calls required to complete a request.
Simplified Authentication and Rate limiting
In the absence of an API Gateway, each backend service must make its own security-related decisions about incoming client requests. Each service must first determine whether a request is authorized, whether the communication is secure, and whether the client is sending too many requests, which complicates the code needed to deliver the service. API Gateways enable organizations to centrally handle authentication, SSL, client rate limiting, and other security-related policies for all their backend services.
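The centralized checks described above, sketched as an added example (not code from any gateway product named in this post): one policy layer authenticates the API key, applies a per-client token-bucket limit, and only then routes to a backend. The class name, route table, key value, and limits are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import time

class Gateway:
    """Gateway policy layer: authenticate, throttle, then route (illustrative)."""

    def __init__(self, key_hashes, routes, rate=5.0, burst=10, clock=time.monotonic):
        self.key_hashes = key_hashes  # client id -> SHA-256 hex of its random API key
        self.routes = routes          # path prefix -> backend callable
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}             # client id -> (tokens, time of last update)

    def _authenticate(self, api_key):
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        client = None
        for cid, stored in self.key_hashes.items():
            # Constant-time compare; no early exit, so timing does not reveal a match.
            if hmac.compare_digest(digest, stored):
                client = cid
        return client

    def _allow(self, client):
        # Token bucket: refill at `rate` tokens/second, capped at `burst`.
        now = self.clock()
        tokens, last = self.buckets.get(client, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[client] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def handle(self, path, api_key):
        client = self._authenticate(api_key or "")
        if client is None:
            return 401, "invalid or missing API key"
        if not self._allow(client):
            return 429, "rate limit exceeded"
        # Longest matching prefix wins; backends receive only vetted requests.
        for prefix in sorted(self.routes, key=len, reverse=True):
            if path.startswith(prefix):
                return 200, self.routes[prefix](client, path)
        return 404, "no route"

if __name__ == "__main__":
    # Constructed sample data: one client, one backend, a burst of two requests.
    keys = {"mobile-app": hashlib.sha256(b"constructed-demo-key").hexdigest()}
    gw = Gateway(keys, {"/orders": lambda c, p: f"orders for {c}"}, rate=1.0, burst=2)
    for key in (None, "constructed-demo-key", "constructed-demo-key", "constructed-demo-key"):
        print(gw.handle("/orders/7", key))
```

Because the backend callables are reached only after both checks pass, they carry no authentication or throttling logic of their own.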
What API Gateway Doesn’t do
API Gateways expose microservices as APIs, but they don’t handle the communications and networking infrastructure between those microservices, also known as east-west traffic. Organizations with microservice-based architectures on Kubernetes will use a service mesh like Istio to manage east-west traffic.
Popular API Gateways
Amazon API Gateway
With Amazon API Gateway you can:
- Host multiple versions and stages of your APIs.
- Create and distribute API Keys to developers.
- Leverage AWS Signature Version 4 (SigV4) to authorize access to APIs.
- Throttle and monitor requests to protect your backend.
- Utilize AWS Lambda for serverless deployment.
- Managed cache to store API responses.
- Reduced latency and DDoS protection through CloudFront.
- Swagger support.
- Request/response data transformation and API mocking.
Kong
Kong is a cloud-native API gateway written mostly in Lua and extensible via open-source and proprietary plugins. In addition, the Kong Service Control Platform, from the same vendor, can be easily integrated with it.
Tyk
Tyk is an open-source API Gateway written in Go that can be extended with plugins written in a variety of languages. Furthermore, the company offers an API Management Platform that is available both on-premise and as a managed service.
API gateways are reverse proxy servers that expose microservices as APIs. API gateways also reduce the potential risks associated with exposing backend services and data sources directly to clients. An API gateway simplifies client code, reduces latency, and simplifies authentication and encryption. Various open-source and managed API gateways are available, written in a variety of languages. Although API gateways can provide microservices with APIs, security, performance, and administrative features, they can’t provide intra-application observability or control over networking or fault-tolerance characteristics. Hence, many fully realized microservice architectures that operate at scale require both an API gateway and a service mesh.