June 17, 2021
What is An API Gateway?
API gateways are a lot like a multi-lingual traffic cop, who not only knows where people want to go but also speaks their language, no matter what country they come from!
As a point-of-entry for requests for application services sent by end-user applications, gateways sit between APIs (Application Programming Interfaces) and the application services running on a server. Instead of the APIs sending requests directly to individual services, they go through the gateway, i.e. the traffic cop.
APIs that receive authorized access from the gateway are then directed to a range of services. Here are some of the most common services:
- Application microservices
- User-access authentication
- Security policy enforcement
- Load balancing
- Cache management
- Dependency resolution
- Service Level Agreement management
During the process, the gateway translates the various protocols used by the APIs and then directs each request to the appropriate application service.
Benefits of API Gateways
Gateways invoke back-end service requests and compile the results. Having a “multi-lingual cop” working in this fashion provides several benefits:
- Simplifies software coding, for both the APIs and the services behind the gateway.
- Decreases latency in service requests and response times.
- Improves security for application services by managing all API requests on a single device.
- Reduces the workload of internal services.
- Provides metrics to analyze how fast API-to-application service exchanges occur.
Since developers update API gateways when adding and removing services, the update process should be lightweight, without putting a drain on the gateway CPU and memory. This allows the gateway to keep functioning properly as changes are made.
How Do API Gateways Work?
API gateways include several functional components. Access Control manages which APIs can connect to each application service and the rules for how data requests are handled. This ensures that only authenticated user applications can connect to back-end services.
Another key function is Rate-Limiting, which reduces the load on APIs to prevent misuse by permitting only a certain number of requests at one time. In some cases, higher rate limits are set, such as for services offered to customers.
API Monitoring provides the ability to track request and response times and whether they meet SLAs. Logging analyzes APIs and inserts a correlation ID into request headers so back-end APIs and front-end applications can include the ID in their logging activities.
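The rate-limiting and correlation-ID steps described above can be sketched as follows. This is an added example, not code from any gateway product; the tier names, limits, and the `X-Correlation-ID` header name are assumptions, since the article gives none.

```python
import re
import uuid

# Assumed per-tier limits as (requests per second, burst size).
TIER_LIMITS = {"default": (5.0, 5), "customer": (50.0, 50)}
CORRELATION_HEADER = "X-Correlation-ID"  # assumed header name
_SAFE_ID = re.compile(r"[A-Za-z0-9-]{8,64}")


class TokenBucket:
    """Allows `burst` requests at once, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def allow(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.stamp = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    def __init__(self):
        self.buckets = {}  # one bucket per client key

    def handle(self, client_key, tier, headers, now):
        """Return (status, headers forwarded to the back end, or None)."""
        rate, burst = TIER_LIMITS.get(tier, TIER_LIMITS["default"])
        bucket = self.buckets.setdefault(client_key, TokenBucket(rate, burst, now))
        if not bucket.allow(now):
            return 429, None  # Too Many Requests; nothing reaches the back end
        forwarded = dict(headers)
        supplied = forwarded.get(CORRELATION_HEADER, "")
        # Keep a well-formed client ID; replace anything else so a crafted
        # header value cannot inject text into downstream log lines.
        if not _SAFE_ID.fullmatch(supplied):
            forwarded[CORRELATION_HEADER] = str(uuid.uuid4())
        return 200, forwarded
```

Header lookup here is case-sensitive for brevity; a real gateway normalizes header names first.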
Threat Detection is also key. This provides protection against hackers who try to upload malware or attempt SQL injection, and against other forms of cybercriminal activity, such as DDoS (Distributed Denial-of-Service) attacks.
API Gateway Example
From a performance standpoint, Auto-Scaling handles spikes in activity while High Availability allows gateways to automatically fail over to another gateway in the event of a system crash. This is particularly important for maintaining access to mission-critical application services. It’s also important to implement Load Balancing to distribute API requests evenly to multiple servers that provision an application service.
Protocol Translation automatically translates REST protocol calls into SOAP protocol format. This is key, for example, when you want to keep using a legacy application service that uses SOAP with clients that don’t support SOAP.
It’s also important to add a Disaster Recovery component. This requires replicating API gateways across multiple data centers. In addition to making business continuity possible, replication gives you the ability to provision application services from the multiple data centers, thus providing lower latency to end-users.
Common API Gateway Use Cases
One of the most common use-cases for API gateways is to give APIs access to application microservices. The gateway organizes requests processed by the microservices’ architecture to create simplified experiences for end-users. The gateway achieves this by taking multiple requests from an end-user application and turning them into just one to reduce the number of round trips between the end-user application and the microservices.
For IT teams that use the DevOps approach, developers can use microservices to build and deploy applications in an iterative way, which is key since APIs are one of the most common ways that microservices communicate. On the Ops side, cloud environments with a serverless model depend on APIs for provisioning infrastructure. The IT team can deploy serverless functions and manage them using an API gateway.
Security is another key API gateway use-case. You can set policies on the gateway to allow or deny access to APIs for specified IP addresses and virtual private network endpoints. Identity Access Management (IAM) will enable you to control who can create, invoke, and manage your APIs.
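One way to evaluate such an allow/deny policy is shown below. This is an added example, not any vendor's policy engine; the policy format, paths, and address ranges are constructed for illustration, and the request path is assumed to be already normalized.

```python
import ipaddress

# Constructed policy: each statement applies to one API path prefix.
# Addresses use a documentation range (RFC 5737) and a private VPN range.
POLICY = [
    {"effect": "allow", "path": "/orders", "source": "203.0.113.0/24"},
    {"effect": "allow", "path": "/admin", "source": "10.8.0.0/16"},   # VPN clients
    {"effect": "deny", "path": "/", "source": "203.0.113.66/32"},     # blocked host
]


def _path_matches(prefix, path):
    # Match whole segments so "/admin" does not also cover "/administrator".
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def is_allowed(policy, peer_ip, path):
    """Explicit deny wins, then explicit allow, otherwise deny by default.

    peer_ip should be the address of the TCP peer as seen by the gateway,
    not a value taken from a client-supplied header.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable source address: fail closed
    allowed = False
    for stmt in policy:
        network = ipaddress.ip_network(stmt["source"])
        if addr in network and _path_matches(stmt["path"], path):
            if stmt["effect"] == "deny":
                return False
            allowed = True
    return allowed
```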
Potential API Drawback
Using an API gateway to provide a single point of access to an application’s services does come with a potential drawback. If the gateway is not managed well or if it’s configured improperly, it could cause a bottleneck. Depending on factors like the scale of the traffic flowing through the gateway, it may get overwhelmed by the number of API requests for application services.
Gateway performance can also be impacted by the performance of individual services and network latency. Just like that traffic cop at a busy city intersection, there’s only a certain amount of traffic the gateway can handle.
As a result, the “traffic cop” makes mistakes or fails to address requests, and traffic gets worse and worse. Situations like these call for load balancing and rate-limiting as described above. Cyberattacks can also degrade gateway performance, which makes threat detection essential.
Tips for Selecting an API Gateway
If you’re considering deploying an API gateway, either in the cloud or on-premises, important features to assess include logging and monitoring capabilities as well as the ability to make modifications to the payload or responses. You also want the gateway to integrate easily within your current technology stack, and it should provide a smooth migration path to other gateways—just in case you change gateway platforms in the future.
For businesses with cloud environments, look for a provider that offers gateways with managed services so it will be easier to monitor and maintain your APIs and keep them secure. The leading provider gateways also support containerization, serverless workloads, and web applications. Other key features to look for include traffic management, access control, throttling, and API version management. Find a good one and you will be able to handle hundreds of thousands of concurrent API calls.
The Big Payoff: API Gateways Make It Easier to Transact Business
API gateways make it easy for API requests and application services to talk to each other. When a request comes in, the gateway knows exactly which service to direct the request to and how to translate the request into a language the application service will understand.
This capability to direct and translate makes things easier for software developers as they code APIs and application services. They can focus on what the APIs and services are meant to do rather than worrying about whether they can get where they need to go—that’s what the gateway as a “traffic cop” is meant to do.
Most importantly, API gateways make things easier for customers and internal end-users. When they submit a request to an application that invokes multiple services, the gateway efficiently brings all the requests together and returns a unified, multi-service response. That means customers and end-users both get the information they need quickly and can transact business faster!