What is an API Gateway?

An API gateway is the traffic manager that interfaces with the actual backend service or data and applies policies, authentication, and general access control to API calls to protect valuable data. It is how you control access to your backend systems and services, and it is designed to optimize communication between external clients and those services, giving your clients a seamless experience. An API gateway ensures scalability and high availability of your services. It is responsible for routing each request to the appropriate service and sending a reply back to the requestor. An API gateway maintains a secure connection between your data and APIs, and manages API traffic and requests, including load balancing, both inside and outside your company. It takes all API calls from clients and routes them to the right microservice using request routing, composition, and protocol translation.


One of the primary reasons an API gateway is used is that it can invoke multiple backend services and aggregate the results. Rather than customers having to send a request to each individual service, they can send requests to the API gateway, which then passes each one on to the relevant service. In addition, an API gateway provides an alternative to the one-size-fits-all style API: it can expose a different API for each client, a necessity in today’s ever-evolving environments.

Why Use an API Gateway?

Most enterprise APIs are deployed using gateways today. API gateways are being used more because of the growing use of microservices. Microservices allow an application to be deconstructed into several loosely coupled services, each with its own functionality. Microservices make it easier to develop, deploy, and maintain the different functions of an application, but they can also make it more difficult for customers to access the application quickly and securely. An API gateway is the solution to this problem. Rather than making customers request access to each microservice individually, the gateway is the single point of entry for requests: it distributes them to the appropriate service, gathers the results, and conveys them back to the requestor. This function, which developers refer to as routing, is the primary reason to use an API gateway. For example, API gateways help your company manage the traffic generated by calls from, say, a mobile application like Uber and a backend application like Google Maps.

API gateways are vital to successful API management. As the main proxy connecting your customers with your services, the gateway supports important administration and security functions, including authentication, metric collection, input validation, and response transformation.

Authentication

An API gateway can be used to authenticate API calls. This way, even if the customer needs to access data from multiple services, they only need to authenticate once at the gateway. This reduces latency and ensures authentication processes are consistent across the application. Similar to how a passport is used to verify your identity or a visa to prove that you are allowed to work in a particular country, the API gateway provides multiple ways for consumers to authenticate and get access to your API resources. Gateways can use one of the many open standards to determine the identity or validity of the consumer (e.g., OAuth, JWT tokens, API Key, HTTP Basic/Digest, SAML), or they can use non-standard means to locate credentials in the headers or payload of the message. API gateways can also call out to other systems to verify identity, much like police could access a criminal database. In addition, like customs in an airport, an API gateway can check for threats in an incoming API consumer. It can use API firewalling, content validation, and message integrity checks, which include determining whether an API has been tampered with. An API gateway can also delegate the risk assessment of an incoming API to a third-party application, which then makes the determination.
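The authenticate-once and message-integrity checks described above can be sketched as follows. This is an added example, not code from the original page; the header names `X-Api-Key`, `X-Timestamp` and `X-Signature`, the key store and the secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample credential store: API key -> (consumer id, shared secret).
API_KEYS = {"key-mobile-app": ("mobile-app", b"constructed-demo-secret")}
MAX_SKEW_SECONDS = 300  # requests older or newer than this are refused


def sign(secret, method, path, timestamp, body):
    """Signature the consumer attaches; it covers everything a backend acts on."""
    message = b"\n".join([method.encode(), path.encode(), str(timestamp).encode(), body])
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def authenticate(headers, method, path, body, now=None):
    """Return (status, consumer_id). Runs once at the gateway, before routing."""
    now = time.time() if now is None else now
    entry = API_KEYS.get(headers.get("X-Api-Key", ""))
    if entry is None:
        return 401, None
    consumer_id, secret = entry
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return 401, None
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return 401, None
    expected = sign(secret, method, path, timestamp, body)
    supplied = headers.get("X-Signature", "")
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 401, None
    # The verified identity is what the gateway forwards to every backend.
    return 200, consumer_id
```

A body altered after signing no longer matches the signature, so the gateway refuses it before any microservice sees the request.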

Metrics Collection

Because all requests go through the API gateway, it is the ideal place to collect data analytics. For example, an API gateway can measure how many requests a user is making or how many requests are being relayed to each individual microservice. API gateways can also be used to limit requests. If a user is sending too many requests, the gateway can be programmed to reject them rather than pass them along to one of the microservices.
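A minimal version of the counting and request limiting described above, as an added example that is not part of the original page. The class name `GatewayMeter`, the sliding-window policy and the limits are assumptions chosen for illustration.

```python
import time
from collections import Counter, defaultdict, deque


class GatewayMeter:
    """Counts relayed requests per service and enforces a per-user sliding window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        # A production gateway would also evict idle users to bound memory.
        self.recent = defaultdict(deque)  # user -> timestamps of admitted requests
        self.relayed = Counter()          # service -> requests passed to the backend
        self.rejected = Counter()         # user -> requests refused at the gateway

    def admit(self, user, service, now=None):
        """Return 200 if the request may be relayed, 429 if the user is over the limit."""
        now = time.monotonic() if now is None else now
        stamps = self.recent[user]
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.limit:
            self.rejected[user] += 1      # refused here, never reaches a microservice
            return 429
        stamps.append(now)
        self.relayed[service] += 1
        return 200
```

Rejected requests are counted separately from relayed ones, so the same data that drives throttling also shows which users are hitting the limit.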

Input Validation

Input validation means the API gateway checks that every customer request contains the information needed to complete it, and that the information is provided in the correct format. If something appears to be awry, the gateway rejects the request. If all necessary information is included, the gateway routes the request to the microservice responsible for retrieving the requested information.
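The validate-then-route step can look like this. It is an added example, not code from the original page; the route table, the `/rides` path, the field rules and the size limit are hypothetical.

```python
import json
import re

# Hypothetical route table: (method, path) -> backend service and field rules.
ROUTES = {
    ("POST", "/rides"): {
        "service": "ride-service",
        "fields": {
            "pickup": lambda v: isinstance(v, str)
            and re.fullmatch(r"-?\d{1,3}\.\d+,-?\d{1,3}\.\d+", v),
            # bool is a subclass of int in Python, so exclude it explicitly.
            "passengers": lambda v: isinstance(v, int)
            and not isinstance(v, bool) and 1 <= v <= 6,
        },
    },
}
MAX_BODY_BYTES = 4096


def validate_and_route(method, path, raw_body):
    """Return (status, service, errors); only a 200 result is passed to a backend."""
    route = ROUTES.get((method, path))
    if route is None:
        return 404, None, ["unknown route"]
    if len(raw_body) > MAX_BODY_BYTES:
        return 413, None, ["body too large"]
    try:
        body = json.loads(raw_body)
    except (ValueError, RecursionError):  # malformed or pathologically nested JSON
        return 400, None, ["body is not valid JSON"]
    if not isinstance(body, dict):
        return 400, None, ["body must be a JSON object"]
    rules = route["fields"]
    errors = [f"missing field: {name}" for name in rules if name not in body]
    # Unknown fields are rejected rather than silently forwarded.
    errors += [f"unexpected field: {name}" for name in body if name not in rules]
    errors += [f"bad format: {name}" for name, ok in rules.items()
               if name in body and not ok(body[name])]
    if errors:
        return 400, None, sorted(errors)
    return 200, route["service"], []
```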

Response Transformation

Response transformation is an important function of API gateways: the gateway acts as the “translator” of information. For instance, if your backend service returns an answer in XML but the requestor needs it in JSON, the gateway takes care of this automatically. Different applications and users often need access to different information. Mobile applications usually need less data than their web counterparts, for example, so the gateway can provide the correct response to each request. Requests from internal users are likely to include more data in responses. Some of that data needs to be protected before responding to a similar request from an external user, which is the job of the gateway.
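The XML-to-JSON translation and per-audience filtering described above, as an added example that is not part of the original page. The audience names, the field policy and the sample record are constructed assumptions; the filter is an allowlist, so a field the backend adds later is withheld until the policy names it.

```python
import json
import xml.etree.ElementTree as ET

# Hypothetical policy: the fields each kind of requestor may receive.
VISIBLE_FIELDS = {
    "internal": {"id", "name", "email", "credit_limit", "risk_score"},
    "external": {"id", "name", "email"},
    "mobile": {"id", "name"},
}

# Constructed sample backend response.
SAMPLE_XML = """<customer>
  <id>1042</id><name>Ada Example</name><email>ada@example.com</email>
  <credit_limit>5000</credit_limit><risk_score>0.12</risk_score>
</customer>"""


def transform_response(backend_xml, audience):
    """Convert a flat XML record from the backend to JSON, filtered by audience."""
    # An audience missing from the policy gets no fields at all (fail closed).
    allowed = VISIBLE_FIELDS.get(audience, set())
    root = ET.fromstring(backend_xml)
    record = {
        child.tag: (child.text or "").strip()
        for child in root
        if child.tag in allowed
    }
    return json.dumps(record, sort_keys=True)
```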

Benefits of API Gateways

Wrapping your microservices together and making them accessible via API gateway provides secure, faster, easier access to your services. Using an API gateway grants digital businesses myriad additional benefits, including:

  • Makes your APIs and backend systems more secure via a single interface approach
  • Gives you full control of the API execution environment using extensible policies for security and access control, throttling, routing, mediation, and SLA management
  • Simpler code writing, for both your services and your application users
  • Decreased latency over time due to fewer back and forth calls
  • Faster, easier access to all microservices
  • Decrease in workload on each individual microservice or load balancing
  • Comprehensive metrics collection

Other benefits of an API gateway are: it hides how your application is partitioned from the requestor or client, clients no longer have to know the locations of all your individual services, and it provides the optimal API for each request, regardless of the code used.

The success of your applications can depend on a powerful API gateway. A gateway ensures great performance, high availability and scalability of your services.