API Gateway as a Service (APIGaaS)
What Is an API Gateway?
APIs are the driving force behind many applications, big and small. Whether you’re publishing a public API or building a new integrations marketplace, APIs are becoming the way business is done. Just as the web era had HTTP servers to serve websites in production, APIs have API gateways to serve APIs in production. You can use an API gateway to deliver the API to your customers and partners with high availability in mind. An API gateway is a type of proxy server that sits in front of your API and performs functions such as authentication, rate limiting, routing publicly accessible endpoints to the appropriate microservice, and load balancing across multiple internal services, among other things.
API Gateway vs Direct Communication
In the direct communication approach, a client app can make requests directly to some of the microservices. A direct client-to-microservice communication architecture could be good enough for a small microservice-based application, especially if the client app is a server-side web application like an ASP.NET MVC app. However, when you build large and complex microservice-based applications (for example, when handling dozens of microservice types), and especially when the client apps are remote mobile apps or SPA web applications, that approach faces a few issues.
For most microservices‑based applications, it makes sense to implement an API gateway, because it acts as a single-entry point into the system. The API gateway is responsible for request routing, composition, and protocol translation, and can streamline the system. With an API gateway, each of the application’s clients gets a custom API. The API gateway handles some requests by simply routing them to the appropriate backend service and handles others by invoking multiple backend services and aggregating the results. If there are failures in the backend services, the API gateway can mask them by returning cached or default data.
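The aggregation and failure masking described above, as an added sketch that is not part of the original article: a gateway calls several backends for one client request and falls back to a recent cached payload, then to a default, when a backend fails. The service names, the `dashboard` endpoint and the 60-second cache age are assumptions made for illustration.

```python
import time

# Hypothetical backends (assumptions): callables taking a user id, returning a dict.
def profile_service(user_id):
    return {"name": f"user-{user_id}"}

def orders_service(user_id):
    raise ConnectionError("orders backend unavailable")  # constructed failure

class Gateway:
    def __init__(self, backends, defaults, max_age=60.0, clock=time.monotonic):
        self.backends = backends   # service name -> callable
        self.defaults = defaults   # service name -> payload served when nothing else is available
        self.max_age = max_age     # seconds a cached payload may be reused
        self.clock = clock
        self.cache = {}            # (user_id, service name) -> (timestamp, payload)

    def _call(self, name, user_id):
        # Cache key includes the user, so a fallback never serves
        # one client's data to another client.
        key = (user_id, name)
        try:
            payload = self.backends[name](user_id)
            self.cache[key] = (self.clock(), payload)
            return payload, "live"
        except Exception:
            hit = self.cache.get(key)
            if hit and self.clock() - hit[0] <= self.max_age:
                return hit[1], "cached"
            return self.defaults[name], "default"

    def dashboard(self, user_id):
        """One client call fans out to every backend and aggregates the results."""
        data, sources = {}, {}
        for name in self.backends:
            data[name], sources[name] = self._call(name, user_id)
        return {"data": data, "sources": sources}
```

Reporting the source of each part ("live", "cached" or "default") lets clients and monitoring distinguish a masked backend failure from a healthy response.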
Benefits of Using API Gateway
Whether you are using microservices or serverless computing, and whether your API is used internally or is publicly accessible, there are many benefits to using API gateways:
- Decoupling: If clients that you have no control over communicate directly with many separate services, renaming or moving those services can be challenging, because the client is coupled to the underlying architecture and organization. API gateways enable you to route based on path, hostname, headers, and other key information, which decouples the publicly facing API endpoints from the underlying microservice architecture.
- Reduce Round Trips: Certain API endpoints may need to join data across multiple services. API gateways can perform this aggregation so that the client does not need complicated call chaining, which reduces the number of round trips.
- Security: API gateways provide a centralized proxy server to manage rate limiting, bot detection, authentication, and CORS, among other things. Many API gateways allow setting up a datastore such as Redis to store session information.
- Cross Cutting Concerns: Logging, Caching, and other cross cutting concerns can be handled in a centralized appliance rather than deployed to every microservice.
Key aspects of API Gateway:
- API Security: An API Gateway should ensure only authenticated users can access the backend APIs by providing an authentication layer. The API Gateway should be able to integrate with existing and custom authentication providers. This ensures the back-end APIs don’t have to implement this logic and any changes to the authentication schemes require no changes to the backend. In a nutshell, API security is about authentication and authorization. This simplifies access rule configuration and, potentially, dealing with complex authorization logic.
- Rate-Limiting: An API Gateway should help reduce the load on backend APIs and prevent misuse. Rate-limiting restricts access to APIs by permitting only a certain number of requests. When APIs are exposed to third-party consumers, this could also provide a revenue stream by opening up the possibility of higher rate limits.
- API Monitoring and Logging: An API Gateway should provide default monitoring across all APIs and have the ability to track request/response times, SLAs, etc. It should be able to integrate with a full-featured monitoring solution to help track this information.
- Threat Protection: APIs are the gateways for enterprises to connect digitally with the world. Unfortunately, there are malicious users out there, waiting to gain access to enterprise backend systems. An API Gateway needs to provide threat protection against potential hackers, malware, and/or anonymous outsiders to protect against DDoS or SQL injection attacks, among others.
- API Transformation: An API Gateway should provide the capabilities to transform request/response payloads. As organizations move from a legacy SOAP-based architecture to a more modern REST-based architecture and need a quick time-to-market strategy, payload transformation becomes an integral component of this requirement.
- Scaling: An API Gateway must support scalability, high availability, load balancing, and shared state without compromising performance. It should provide linear scalability and fault tolerance on hardware or cloud infrastructure for mission-critical data. It should also support replication across multiple data centers and provide lower latency for your consumers.
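An added sketch (not from the original article) of the API Security and Rate-Limiting aspects above working together: the gateway rejects unknown API keys before any backend is reached and applies a per-key token bucket whose size depends on the consumer's tier. The keys, tier names and limits are constructed sample values, and an in-memory dictionary stands in for the shared datastore a multi-node gateway would need.

```python
import math
import time

# Constructed sample data (assumptions): tier -> (burst capacity, refill tokens per second)
TIERS = {"free": (5, 1.0), "paid": (50, 10.0)}
API_KEYS = {"key-free-123": "free", "key-paid-456": "paid"}

class RateLimitedGateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}   # api_key -> (tokens left, time of last update)

    def handle(self, api_key):
        """Return (status, headers) decided by the gateway before proxying."""
        tier = API_KEYS.get(api_key)
        if tier is None:
            return 401, {}   # unauthenticated: the request never reaches a backend
        capacity, rate = TIERS[tier]
        now = self.clock()
        tokens, last = self.buckets.get(api_key, (capacity, now))
        # Refill in proportion to elapsed time, capped at the tier's burst size.
        tokens = min(capacity, tokens + (now - last) * rate)
        if tokens < 1:
            self.buckets[api_key] = (tokens, now)
            wait = math.ceil((1 - tokens) / rate)
            return 429, {"Retry-After": str(wait)}
        self.buckets[api_key] = (tokens - 1, now)
        # X-RateLimit-Remaining is a widely used but non-standard header.
        return 200, {"X-RateLimit-Remaining": str(int(tokens - 1))}
```

Keying the bucket on the authenticated API key rather than the source address means the limit follows the consumer, which is what makes tiered limits enforceable.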
How can we help?
For most microservices‑based applications, it makes sense to implement an API Gateway, which acts as a single-entry point into a system. The API Gateway is responsible for request routing, composition, and protocol translation. It provides each of the application’s clients with a custom API. The API Gateway can also mask failures in the backend services by returning cached or default data. If you need API Gateway integration for your services, do not hesitate to contact us and we can walk you through the details.