• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • API Gateway: Backend for Frontend

    Let’s discuss what API Gateway is, why it is essential to have one, and how it can better manage APIs. We will also explore and list some of the best open-source and manged API gateways available in the market.

    What is API Gateway?

    An API gateway is an important concept in microservices architecture. It forms an entry point for external clients(anything that is not part of the microservice system). It is a component that acts as an entry point for an application.

    In other words, an API gateway is an API management server that has information about endpoints. It is also capable of performing authentication, rate limiting, load balancing, and more.

    To get a better picture of an API gateway, we need to know why it is essential to have an API gateway.

    Why We Need API Gateway?

    To understand the need for an API gateway, let’s discuss a use case of an e-commerce application.

    Case Study

    Consider a case study of a complex page( let’s say product page) of an e-commerce application. If we look at the below page of Amazon product listing, we can see a lot of information needed to be rendered by this specific page.

    For illustration purposes, let’s list all the microservices that we might need to render the above particular page.

    Consider Search Product, Inventory, Shipping, Rating and Reviews, Recommendation Engine, Merchants, and Finance and Insurance are the different seven(7) microservices being used for rendering the above page.

    P.S: Above seven(7) microservices are just an assumption to explain the API gateway concept. In reality, Amazon could have a different number of microservices.

    The Problem

    Since these microservices have been deployed separately on a different server if a client wants to access these services, at least seven(7) calls have to be requested for a single page.

    But is it really a good approach?

    I don’t think it’s a recommended approach because we have to make seven different calls, which would definitely impact performance, resource consumption, load time, etc. The client is also tightly coupled with all of the services, and suppose if we have to separate the Reviews and Rating microservices in two different services, we have to update the client code. The client has to make one call to get reviews, and one call to get ratings, which is really not the best way to deal with it.

    The Solution

    So what’s the recommended approach?

    It is an API gateway.

    In this approach, we have a layer between the client and microservices called an API gateway. It is a front-facing service for all of the microservices. Now any client who wants to access the microservices, the client has to call the API gateway. Now API gateway, in turn, makes a call to all of the microservices and gets whatever the response we might need. This process is called API composition.

    In a nutshell, An API gateway sits in between the client and microservices and it acts as a gateway for all of the microservices.

    Not only this but using an API Gateway benefits us in many ways.

    Benefits of An API Gateway

    API gateways benefit us in implementing A/B testing, caching, managing access quotas, API health monitoring, API versioning, Chaos monkey testing, and a lot more. Let’s touch some of the following benefits.

    Security 🛡️

    Every time an API call is performed, it has to access the services using public IP addresses. This exposes risks.

    By switching on to API Gateways, these microservices can be accessed using private IP addresses only. This results in a more secure way of the transaction of data. Additionally, the usage of API Gateway also protects the data from malicious and DDoS attacks.

    To ensure security, a TLS certificate is necessary, API Gateway handles all of them by keeping all our APIs behind a single static IP or domain and helping protect them with keys, tokens, and IP filtering.

    Authentication, Authorization, and Fault Tolerance 🔐

    broken authentication

    It is important to ensure authentication and authorization of the user who logs into applications. The API Gateway makes it easier by being a single entry point and satisfies all the requirements easily. Thus, it allows only authorized users to log in, and authenticated users to make changes, so fault tolerance is gained.

    Load Balancing and Routing 🚏

    In the case of multiple requests coming in and increasing traffic,  API Gateway helps take care of it. It is done by creating multiplies of services and calling them on like Round-Robin. It can manage and routes the client requests based on user segmentation. Thus, different quality or rate of speed of content is provided for different users.

    load balancing

    Consider a use case where two microservices are defined for returning low-quality images/videos and high-quality images/videos for a desktop and mobile, respectively. In this case, we can configure an API gateway in such a way that it acts a router and if the request is coming from a mobile it will route that request to the low-quality images/videos service, and if the request is coming from the desktop, it can route to high-quality images/videos service. This routing can be done based on headers, paths, and params, etc.

    Insulation

    If one or more microservices have been added to the application or removed, we will not update the client code. In this case, we need to perform some changes in the API gateway itself to make a call according to updated microservices.

    Reverse Proxy and Caching

    Serving a static file (HTML, JS, CSS, fonts) by a microservice is not the best use, In this case, we can move these files to the API gateway.

    An API gateway can keep hold of all the static contents and can directly serve the client. Similarly, consider a service that evaluates the trending products, and these trends are being calculated hourly or daily. So once the trend is calculated for the rest of the time, service will return the same response repeatedly. In this case, an API gateway has a feature called response cache, where we can mention a URL and threshold time for which it needs to cache the responses.

    Protocol Adaptor

    If we want to take advantage of protocol like web socket or a newer version of HTTP, i.e., HTTP/2, and even if our backend services are not ready or not compatible with HTTP/2 or web socket, an API gateway can take the responsibility of converting a newer to an older protocol. It can act as a protocol adaptor.

    Let’s explore the API gateway.

    First, open-source ❤️ and self-hosted solutions.

    Kong Gateway

    Kong Gateway is the most popular open-source cloud-native API gateway built on top of a lightweight proxy. It is written in Lua running with the help of the Nginx. It is a template engine that helps to accelerate the event time. It guarantees to deliver unparalleled latency performance and scalability for all our microservice applications regardless of where they run.

    Companies like Nasdaq, Honeywell, Cisco, FAB, Expedia, Samsung, Siemens, and Yahoo Japan extensively use the Kong API gateway.

    Some of the features offered by Kong are:

    • Authentication
    • Traffic Control
    • Analytics
    • Transformations
    • Logging
    • Serverless
    • Extendable using Plugin architecture

    Kong got very good documentation and integration.

    You can run Kong on your preferred cloud platform.

    Apache APISIX

    Apache APISIX was initially born at China’s ZhiLiu technology and a later stage, it entered the apache incubator and made open-source. The vice president of the project, Ming Wen, states that this API gateway solves various challenges brought by cloud-native & microservices.

    Apache ApiSix is being used by companies like 360, HelloTalk, NetEase, TravelSky, and many more.

    Apache APISIX is based on Nginx and etcd, and it has dynamic routing and plug-in hot loading, which is especially suitable for API management under the microservice system.

    Tyk

    Tyk is an enterprise-ready open-source API gateway. You have an option to either go for self-hosted or managed.

    The following are some of the out-of-the-box features offered by TYK.

    • Authentication
    • Quotas & Rate Limiting
    • Version Control
    • Notifications and Events
    • Mock out APIs
    • Detailed Monitoring and Analytics
    • Committed to backward compatibility
    • GraphQL Out of the Box

    TYK is also available on the AWS marketplace. A good choice if your application stack is on AWS.

    Ocelot

    Ocelot is a .NET API gateway.

    This project aims to use .NET, running microservices or service-oriented architecture that needs a unified point of entry into their system. However, it will work with anything that speaks HTTP and run on any platform that ASP.NET Core supports.

    Ocelot act as middleware in a specific order. It manipulates the HttpRequest object into a state specified by its configuration until it reaches a request builder middleware. It creates a HttpRequestMessage object, which is used to request a downstream service. The middleware that makes the request is the last thing in the Ocelot pipeline. It does not call the next middleware. A middleware piece maps the HttpResponseMessage onto the HttpResponse object and is returned to the client.

    Ocelot offers standard features such as routing, authentication, rate limiting, caching, load balancing, and more. It does not provide support for Chunked Encoding, Forwarding a host header, and Swagger.

    Goku

    Goku API Gateway is an umbrella project of EOLINK Inc. It is a Golang-based microservice gateway that enables high-performance dynamic routing, service orchestration, multi-tenancy management, API access control, etc.

    Goku provides a graphic interface and a plug-in system to make configuration easier and expand more conveniently. Apart from standard features, Goku offers clustering, hot updates, alerting, logging, etc.

    Express Gateway

    Express Gateway is built on Express.js. Express Gateway is a bunch of components that declaratively build around Express to meet the API Gateway use case. Express Gateway’s power is harnessed the rich ecosystem around Express middleware.

    Companies like Joyent, The Linux Foundation, VIRICITI, Switch Media, Coozy, and Musement are using Express gateway extensively.

    It is simple, fast, and offers all the basic features.

    Gloo

    Gloo is a next-generation fully featured API gateway and Ingress Controller for cloud-native environments. It is built on Envoy Proxy to connect, secure, and control traffic across your application services.

    Gloo supports connecting to a wide range of workloads to secure and manage that, and it is exceptional in its functional level routing. It is available as open-source and enterprise both. The enterprise version offers the following.

    • Developer portal
    • WAF
    • Data loss prevention
    • More way to authenticate
    • Advanced rate limiting and multi-cluster management

    KrakenD

    KrakenD is an ultra-high performance open-source API Gateway. Its core functionality is to create an API that acts as an aggregator of many microservices into single endpoints, doing the heavy-lifting automatically for you: aggregate, transform, filter, decode, throttle, auth, and more.

    It offers a declarative way to create the endpoints. It is well structured and layered and open to extending its functionality using plug-and-play middleware developed by the community or in-house.

    KrakenD claims to be faster than Kong and Tyk. Check out the benchmarking results.

    Fusio

    Fusio is an API-Management system because it helps develop actual API endpoints (i.e., request and transform data from a database). It is not limited to proxy requests to another API. It provides a simple and intuitive backend to control and manage your API

    Some of the features offered by Fusio are:

    • Monetization
    • Subscription support
    • Generate OAI, RAML schema specification
    • Documentation

    and other standard API gateway features.

    WSO2

    WSO2 is a full lifecycle API Management solution that can be run anywhere. It can be deployed on-prem, cloud, or in a hybrid fashion where its components can be distributed and deployed across multiple cloud and on-prem infrastructures.

    It comprises a cloud-native API gateway and provides a Kubernetes operator to convert raw microservices into managed APIs easily. API Manager integrates with service meshes and provides a full-fledged management plane and control plane for managing, monitoring, and monetizing APIs and API products.

    It supports API publishing, lifecycle management, application development, access control, rate limiting, and analytics in one cleanly integrated system.

    Next, let’s explore the commercial platforms.

    Apigee

    Apigee is a cross-cloud API management platform by Google Cloud.

    apigee

    It comes in the following flavors:

    • Apigee: a hosted SaaS solution where you pay for what you use. You focus on building business and offload managing Apigee environment to GCP.
    • Apigee hybrid: let you manage APIs on-premises, on Google Cloud Platform (GCP), or a mix of both.

    Apigee offers end-to-end API management, which comes with monetization and inbuilt monitoring.

    Cloud Endpoints

    Another one by Google Cloud.

    Endpoints is a lighter version of Apigee by Google Cloud. It is best suitable for developers to develop, deploy, and manage APIs on any Google Cloud back end. It provides tools and libraries for its clients from the App Engine application. It helps to create and configure using Google Codelab. Codelab helps to run sample API using App Engine in Java 8 and Maven 3.6.0.

    Google Cloud Endpoints tightly integrate with other products like Trace and Logging for monitoring, Auth0, and Firebase for authentication, GKE, and App Engine for automated deployment, etc.

    Amazon API Gateway

    AWS may offer anything you need to run your applications.

    So does API.

    Amazon API Gateway is a fully managed service that is made for developers to form – > publish -> maintain and secure APIs easily at any scale. It supports both RESTful and WebSocket APIs and allows us to enables real-time 2-way communication.

    Below is the pictorial representation by Amazon, which illustrates how Amazon API gateway works.

    If your Microservices or API is already hosted on AWS, then it makes sense to integrate with Amazon API Gateway. They offer 1 million API calls under the FREE tier, which is good for you to see how it works.

    Azure

    Why leave Azure behind?

    Microsoft Azure offers end-to-end API management in cloud, on-premises, or hybrid. You can manage the API management programmatically through REST API and SDK.

    Good news if you use SOAP. You can import the web services description language (WSDL) of their SOAP service, and Azure will create a SOAP front-end. They offer all the standard features, including monetization. Go ahead and give a try to experience the platform.

    Conclusion

    Once your API is ready, don’t forget to monitor and secure them. If you are still under development, check out these tools to expedite the API testing & development.

    The above should give you an idea about available API Gateway and Management solutions. If you are under a tight budget, then you can try open-source. The best to install some of them on your cloud VM to see what works for you.

    Good luck!