What is an API Gateway?


API gateways are a lot like a multi-lingual traffic cop, who not only knows where people want to go, but also speaks their language, no matter what country they come from!

As a point-of-entry for requests for application services sent by end-user applications, gateways sit between APIs (Application Programming Interfaces) and the application services running on a server. Instead of the APIs sending requests directly to individual services, they go through the gateway, i.e. the traffic cop.

APIs that receive authorized access from the gateway are then directed to a range of services. Here are some of the most common services:

  • Application microservices
  • User-access authentication
  • Security policy enforcement
  • Load balancing
  • Cache management
  • Dependency resolution
  • Service Level Agreement management

During the process, the gateway translates the various protocols used by the APIs and then directs each request to the appropriate application service.

Benefits of API Gateways

In addition to accommodating direct requests, gateways can invoke requests for multiple back-end services and aggregate the results. Having a “multi-lingual cop” working in this fashion provides several benefits:

  • Simplifies software coding—for both the APIs and the services behind the gateway.
  • Decreases latency in service requests and response times.
  • Improves security for application services by managing all API requests on a single device.
  • Reduces the workload of internal services.
  • Provides metrics to analyze how fast API-to-application service exchanges occur.

Because developers must update an API gateway each time a new service is added or removed, the update process should be lightweight, without putting a drain on the gateway CPU and memory. This allows the gateway to keep functioning properly as changes are made.

How Do API Gateways Work?

API gateways include several functional components. Access Control manages which APIs can connect to each application service and the rules for how data requests are handled. This ensures only authenticated user applications can connect to back-end services.

Another key function is Rate-Limiting, which reduces the load on APIs and prevents misuse by permitting only a certain number of requests at one time. In some cases, higher rate limits are set, such as for services offered to customers.

API Monitoring provides the ability to track request and response times and whether they meet SLAs. Logging analyzes APIs and inserts a correlation ID into request headers so back-end APIs and front-end applications can include the ID in their logging activities.

Threat Detection is also key. This provides protection against hackers who attempt malware uploads, SQL injection, and other forms of cybercriminal activity such as DDoS (Distributed Denial-of-Service) attacks.
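The access-control, rate-limiting and correlation-ID functions described above can be sketched as a single request pipeline. This is an added example, not code from any gateway product; the API keys, service names, limits and the `X-Correlation-ID` / `X-Client-Name` header names are assumptions made for illustration.

```python
import time
import uuid

# Constructed policy: API key -> (client name, allowed services, requests/sec, burst)
CLIENTS = {
    "key-internal": ("internal-dashboard", {"orders", "inventory"}, 1.0, 2),
    "key-customer": ("customer-portal", {"orders", "inventory", "shipping"}, 5.0, 10),
}

class TokenBucket:
    """Allows `burst` requests at once, refilled at `rate` tokens per second."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Gateway:
    def __init__(self, clients, clock=time.monotonic):
        self.clients, self.clock, self.buckets = clients, clock, {}

    def handle(self, api_key, service, headers):
        """Return (status, headers to forward to the back end, or None if rejected)."""
        client = self.clients.get(api_key)
        if client is None:
            return 401, None      # unknown API key: not authenticated
        name, allowed, rate, burst = client
        if service not in allowed:
            return 403, None      # authenticated, but not authorized for this service
        now = self.clock()
        bucket = self.buckets.setdefault(api_key, TokenBucket(rate, burst, now))
        if not bucket.allow(now):
            return 429, None      # per-client rate limit exceeded
        # Drop any client-supplied correlation ID and assign a fresh one, so that
        # log entries across services cannot be steered by the caller.
        fwd = {k: v for k, v in headers.items() if k.lower() != "x-correlation-id"}
        fwd["X-Correlation-ID"] = str(uuid.uuid4())
        fwd["X-Client-Name"] = name
        return 200, fwd
```

The `clock` parameter exists so the limiter can be driven by a fake clock in tests; the customer key gets a larger bucket, matching the higher limits the text mentions for customer-facing services.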

 

API Gateway Example

[Figure: Example of an API Gateway. (n.d.). Retrieved from https://www.express-gateway.io/eg-vs-amazon-aws-api-gateway/]

The image above depicts an end-user managing a warehouse order-fulfillment process. The front-end application interacts with the API gateway to gain access to three separate application services that allow the end-user to check an order request, pull stock from inventory, and arrange for shipping. With the gateway directing connections to the services, everything happens all at once from the end-user viewpoint.

From a performance standpoint, Auto-Scaling handles spikes in activity while High Availability allows gateways to automatically failover to another gateway in the event of a system crash. This is particularly important for maintaining access to mission-critical application services. It’s also important to implement Load Balancing to distribute API requests evenly to multiple servers that provision an application service.

Protocol Translation automatically translates REST protocol calls into SOAP protocol format. This is key, for example, when you want to keep using a legacy application service that uses SOAP with clients that don’t support it.

It’s also important to add a Disaster Recovery component. This requires replicating API gateways across multiple data centers. In addition to making business continuity possible, replication gives you the ability to provision application services from the multiple data centers, thus providing lower latency to end-users.

Common API Gateway Use Cases

One of the most common use-cases for API gateways is to give APIs access to application microservices. The gateway organizes requests processed by the microservices architecture to create simplified experiences for end-users. The gateway achieves this by taking multiple requests from an end-user application and turning them into just one to reduce the number of round trips between the end-user application and the microservices.

For IT teams that use the DevOps approach, developers can use microservices to build and deploy applications in an iterative way, which is key since APIs are one of the most common ways that microservices communicate. On the Ops side, cloud environments with a serverless model depend on APIs for provisioning infrastructure. The IT team can deploy serverless functions and manage them using an API gateway.

Another key API gateway use-case is security. You can set policies on the gateway to allow or deny access to APIs for specified IP addresses and virtual private network endpoints. You can also leverage Identity and Access Management (IAM) roles and policies for controlling who can create and manage your APIs as well as who can invoke them.

Potential API Drawback

Using an API gateway to provide a single point of access to an application’s services does come with a potential drawback. If the gateway is not managed well or configured improperly, it could cause a bottleneck. Depending on factors such as the scale of the traffic flowing through the gateway, it may get overwhelmed by the number of API requests for application services.

Gateway performance can also be impacted by the performance of individual services and network latency. Just like that traffic cop at a busy city intersection, there’s only a certain amount of traffic the gateway can handle.

As a result, the “traffic cop” makes mistakes or fails to address requests, and traffic gets worse and worse. Situations like these call for load balancing and rate-limiting as described above. Cyberattacks can also degrade gateway performance, which makes threat detection essential.

Tips for Selecting an API Gateway

If you’re considering deploying an API gateway, either in the cloud or on-premises, important features to assess include logging and monitoring capabilities as well as the ability to make modifications to the payload or responses. You also want the gateway to integrate easily within your current technology stack, and it should provide a smooth migration path to other gateways—just in case you change gateway platforms in the future.

For businesses with cloud environments, the Amazon API Gateway is a fully-managed service that makes it easy to create, publish, maintain, monitor and secure APIs. You can also create RESTful APIs and WebSocket APIs that enable real-time two-way communication applications.

The Amazon API Gateway also supports containerized and serverless workloads as well as web applications. You can process hundreds of thousands of concurrent API calls, with support for traffic management, CORS support, authorization and access control, throttling, monitoring, and API version management.

The Big Payoff: API Gateways Make It Easier to Transact Business

API gateways make it easy for API requests and application services to talk to each other. When a request comes in, the gateway knows exactly which service to direct the request to and how to translate the request into a language the application service will understand.

This capability to direct and translate makes things easier for software developers as they code APIs and application services. They can focus on what the APIs and services are meant to do rather than worrying whether they can get where they need to go; that’s what the gateway as a “traffic cop” is meant to do.

Most importantly, API gateways make things easier for customers and internal end-users. When they submit a request to an application that invokes multiple services, the gateway efficiently brings all the requests together and returns a unified, multi-service response. That means customers and end-users both get the information they need quickly and can transact business faster!

Contact us today to learn more about API gateways and how we can support your firm’s digital transformation efforts.
