API Gateway: Backend for Frontend
Let’s discuss what an API Gateway is, why it is essential to have one, and how it can better manage APIs. We will discuss some of the best open-source and managed API gateways for better performance and security.
Best API Gateways in 2024
Kong Gateway
Kong Gateway is the most popular open-source cloud-native API gateway built on top of a lightweight proxy. It is written in Lua running with the help of Nginx. It is a template engine that helps to accelerate the event time. Kong guarantees to deliver unparalleled latency performance and scalability for all our microservice applications, regardless of where they run.
Companies like Nasdaq, Honeywell, Cisco, FAB, Expedia, Samsung, Siemens, and Yahoo Japan extensively use the Kong API gateway.
Some of the features offered by Kong are:
- Authentication
- Traffic Control
- Analytics
- Transformations
- Logging
- Serverless
- Extendable using Plugin architecture
Kong got excellent documentation and integration.
Apache APISIX
Apache APISIX was initially born at China’s ZhiLiu technology and at a later stage, it entered the apache incubator and made open-source. The vice president of the project, Ming Wen, states that this API gateway solves various challenges brought by cloud-native & microservices.
Apache ApiSix is being used by companies like 360, HelloTalk, NetEase, TravelSky, and many more.
Apache APISIX is based on Nginx and etcd, and it has dynamic routing and plug-in hot loading, which is especially suitable for API management under the microservice system.
Tyk
Tyk is an enterprise-ready open-source API gateway. You have an option to either go for self-hosted or managed.
The following are some of the out-of-the-box features offered by TYK.
- Authentication
- Quotas & Rate Limiting
- Version Control
- Notifications and Events
- Mock out APIs
- Detailed Monitoring and Analytics
- Committed to backward compatibility
- GraphQL Out of the Box
TYK is also available on the AWS marketplace. A good choice if your application stack is on AWS.
Ocelot
Ocelot is a .NET API gateway.
This project aims to use .NET, running microservices or service-oriented architecture that needs a unified point of entry into their system. However, it will work with anything that speaks HTTP and run on any platform that ASP.NET Core supports.
Ocelot act as middleware in a specific order. It manipulates the HttpRequest object into a state specified by its configuration until it reaches a request builder middleware. It creates a HttpRequestMessage object, which is used to request a downstream service. The middleware that makes the request is the last thing in the Ocelot pipeline. It does not call the next middleware. A middleware piece maps the HttpResponseMessage onto the HttpResponse object and is returned to the client.
Ocelot offers standard features such as routing, authentication, rate limiting, caching, load balancing, and more. It does not provide support for Chunked Encoding, Forwarding a host header, and Swagger.
Goku
Goku API Gateway is an umbrella project of EOLINK Inc. It is a Golang-based microservice gateway that enables high-performance dynamic routing, service orchestration, multi-tenancy management, API access control, etc.
Goku provides a graphic interface and a plug-in system to make configuration easier and expand more conveniently. Apart from standard features, Goku offers clustering, hot updates, alerting, logging, etc.
Express Gateway
Express Gateway is built on Express.js. Express Gateway is a bunch of components that declaratively build around Express to meet the API Gateway use case. Express Gateway’s power is harnessed the rich ecosystem around Express middleware.
Companies like Joyent, The Linux Foundation, VIRICITI, Switch Media, Coozy, and Musement are using Express gateway extensively.
It is simple, fast, and offers all the basic features.
Gloo
Gloo is a next-generation fully featured API gateway and Ingress Controller for cloud-native environments. It is built on Envoy Proxy to connect, secure, and control traffic across your application services.
Gloo supports connecting to a wide range of workloads to secure and manage that, and it is exceptional in its functional level routing. It is available as open-source and enterprise both. The enterprise version offers the following.
- Developer portal
- WAF
- Data loss prevention
- More way to authenticate
- Advanced rate limiting and multi-cluster management
KrakenD
KrakenD is an ultra-high performance open-source API Gateway. Its core functionality is to create an API that acts as an aggregator of many microservices into single endpoints, doing the heavy-lifting automatically for you: aggregate, transform, filter, decode, throttle, auth, and more.
It offers a declarative way to create the endpoints. It is well structured and layered and open to extending its functionality using plug-and-play middleware developed by the community or in-house.
KrakenD claims to be faster than Kong and Tyk. Check out the benchmarking results.
Fusio
Fusio is an API-Management system because it helps develop actual API endpoints (i.e., request and transform data from a database). It is not limited to proxy requests to another API. It provides a simple and intuitive backend to control and manage your API.
Some of the features offered by Fusio are:
- Monetization
- Subscription support
- Generate OAI, RAML schema specification
- Documentation
and other standard API gateway features.
WSO2
WSO2 is a full lifecycle API Management solution that can be run anywhere. It can be deployed on-prem, cloud, or in a hybrid fashion where its components can be distributed and deployed across multiple cloud and on-prem infrastructures.
It comprises a cloud-native API gateway and provides a Kubernetes operator to convert raw microservices into managed APIs easily. API Manager integrates with service meshes and provides a full-fledged management plane and control plane for managing, monitoring, and monetizing APIs and API products.
It supports API publishing, lifecycle management, application development, access control, rate limiting, and analytics in one cleanly integrated system.
Apigee
Apigee is a cross-cloud API management platform by Google Cloud.
It comes in the following flavors:
- Apigee: a hosted SaaS solution where you pay for what you use. You focus on building business and offload managing Apigee environment to GCP.
- Apigee hybrid: let you manage APIs on-premises, on Google Cloud Platform (GCP), or a mix of both.
Apigee offers end-to-end API management, which comes with monetization and inbuilt monitoring.
Cloud Endpoints
Another one by Google Cloud.
Endpoints is a lighter version of Apigee by Google Cloud. It is the best suitable for developers to develop, deploy, and manage APIs on any Google Cloud back end. It provides tools and libraries for its clients from the App Engine application.
Google Cloud Endpoints tightly integrate with other products like Trace and Logging for monitoring, Auth0, and Firebase for authentication, GKE, and App Engine for automated deployment, etc.
Amazon API Gateway
AWS may offer anything you need to run your applications.
So does API.
Amazon API Gateway is a fully managed service that is made for developers to form – > publish -> maintain and secure APIs easily at any scale. It supports both RESTful and WebSocket APIs and allows us to enable real-time 2-way communication.
Below is the pictorial representation by Amazon, which illustrates how the Amazon API gateway works.
If your Microservices or API is already hosted on AWS, then it makes sense to integrate with Amazon API Gateway. They offer 1 million API calls under the FREE tier, which is good for you to see how it works.
Azure
Why leave Azure behind?
Microsoft Azure offers end-to-end API management in the cloud, on-premises, or hybrid. You can manage the API management programmatically through REST API and SDK.
Good news if you use SOAP. You can import the web services description language (WSDL) of their SOAP service, and Azure will create a SOAP front-end. They offer all the standard features, including monetization. Go ahead and give it a try to experience the platform.
MuleSoft
Manage API and enhance efficiency in your business with MuleSoft. It allows you to create, secure, manage, and govern universal APIs from any place.
You can discover APIs using CI/CD pipelines along with new CLI to accelerate your application delivery. MuleSoft lets you design APIs using different protocols while complying with governance standards and maintaining high quality.
Collect data from APIs to explore, serve, and unify all your data into a GraphQL query. This can be done with the help of DataGraph. With MuleSoft’s flexible gateway, you can manage your service without bothering about size, cloud, or language.
MuleSoft offers a control panel where you can analyze, manage, and secure your APIs, microservices, and users. Evolve the latest business models and revenue streams to maximize your API values by focusing on adoption, API communities, and consumption journey.
Moreover, MuleSoft provides Anypoint Exchange to integrate your APIs with a single source of truth to power your business. You can put the API governance in operation using Anypoint API governance without including development overheads.
Create an account in MuleSoft and take a free trial to explore its functionalities.
Boomi
Don’t think about complexities when you have the Boomi API management service that can help your business deploy, manage, and secure your APIs effectively.
Boomi API management can handle the complete lifecycle of the APIs in any platform. This lets you configure your APIs and implement the integrations easily. It has an intelligent and easy-to-use UI that makes data available for your business every time using its API Proxy.
Publish, control, and govern APIs whether it is in the cloud, at the edge, or on-premises and efficiently manage and control data access. Boomi allows you to create omnichannel experiences across social, IoT, and mobile networks. You can use its API Developer Portal to access data easily from your existing applications.
Boomi offers never-ending features, such as mediation, versioning, engagement, authentication, policy management, monitoring, and application management. You can maintain different versions of API according to your needs and ensure the right actions for it. It also enables you to deploy APIs with third-party authentication system.
By integrating with a simple wizard, Boomi AtmoSphere, you can easily design and manage APIs.
Take a trial of 30 days to understand Boomi from deep and explore its features to manage APIs.
What is API Gateway?
An API gateway is an important concept in a microservice’s architecture. It forms an entry point for external clients (anything that is not part of the microservice system). It is a component that acts as an entry point for an application.
In other words, an API gateway is an API management server that has information about endpoints. It is also capable of performing authentication, rate limiting, load balancing, and more.
To get a better picture of an API gateway, we need to know why it is essential to have an API gateway.
Why do We need an API Gateway?
To understand the need for an API gateway, let’s discuss a use case of an e-commerce application.
Case Study
Consider a case study of a complex page( let’s say product page) of an e-commerce application. If we look at the below page of Amazon product listing, we can see a lot of information needed to be rendered by this specific page.
For illustration purposes, let’s list all the microservices that we might need to render the above particular page.
Consider Search Product, Inventory, Shipping, Rating and Reviews, Recommendation Engine, Merchants, and Finance and Insurance are the different seven(7) microservices being used for rendering the above page.
P.S: Above seven(7) microservices are just an assumption to explain the API gateway concept. In reality, Amazon could have a different number of microservices.
The Problem
Since these microservices have been deployed separately on a different server if a client wants to access these services, at least seven(7) calls have to be requested for a single page.
But is it really a good approach?
I don’t think it’s a recommended approach because we have to make seven different calls, which would definitely impact performance, resource consumption, load time, etc. The client is also tightly coupled with all of the services, and suppose if we have to separate the Reviews and Rating microservices in two different services, we have to update the client code. The client has to make one call to get reviews, and one call to get ratings, which is really not the best way to deal with it.
The Solution
So what’s the recommended approach?
It is an API gateway.
In this approach, we have a layer between the client and microservices called an API gateway. It is a front-facing service for all of the microservices. Now any client who wants to access the microservices, the client has to call the API gateway. Now API gateway, in turn, makes a call to all of the microservices and gets whatever response we might need. This process is called API composition.
In a nutshell, An API gateway sits in between the client and microservices and it acts as a gateway for all of the microservices.
Not only this but using an API Gateway benefits us in many ways.
Benefits of An API Gateway
API gateways benefit us in implementing A/B testing, caching, managing access quotas, API health monitoring, API versioning, Chaos monkey testing, monetization, and a lot more. Let’s touch on some of the following benefits.
Security 🛡️
Every time an API call is performed, it has to access the services using public IP addresses. This exposes risks.
By switching on to API Gateways, these microservices can be accessed using private IP addresses only. This results in a more secure way of the transaction of data. Additionally, the usage of API Gateway also protects the data from malicious and DDoS attacks.
To ensure security, a TLS certificate is necessary, API Gateway handles all of them by keeping all our APIs behind a single static IP or domain and helping protect them with keys, tokens, and IP filtering.
Authentication, Authorization, and Fault Tolerance 🔐
It is important to ensure the authentication and authorization of the user who logs into applications. The API Gateway makes it easier by being a single entry point and satisfies all the requirements easily. Thus, it allows only authorized users to log in, and authenticated users to make changes, so fault tolerance is gained.
Load Balancing and Routing 🚏
In the case of multiple requests coming in and increasing traffic, API Gateway helps take care of it. It is done by creating multiplies of services and calling them on like Round-Robin. It can manage and routes the client requests based on user segmentation. Thus, different quality or speed of content is provided for different users.
Consider a use case where two microservices are defined for returning low-quality images/videos and high-quality images/videos for a desktop and mobile, respectively.
In this case, we can configure an API gateway in such a way that it acts as a router and if the request is coming from a mobile, it will route that request to the low-quality images/videos service, and if the request is coming from the desktop, it can route to high-quality images/videos service. This routing can be done based on headers, paths, and params, etc.
Insulation
If one or more microservices have been added to the application or removed, we will not update the client code. In this case, we need to perform some changes in the API gateway itself to make a call according to updated microservices.
Reverse Proxy and Caching
Serving a static file (HTML, JS, CSS, fonts) by a microservice is not the best use, In this case, we can move these files to the API gateway.
An API gateway can keep hold of all the static contents and can directly serve the client. Similarly, consider a service that evaluates the trending products, and these trends are calculated hourly or daily. So once the trend is calculated for the rest of the time, the service will return the same response repeatedly. In this case, an API gateway has a feature called response cache, where we can mention a URL and threshold time for which it needs to cache the responses.
Protocol Adaptor
If we want to take advantage of a protocol like web socket or a newer version of HTTP, i.e., HTTP/2, and even if our backend services are not ready or not compatible with HTTP/2 or web socket, an API gateway can take the responsibility of converting a newer to an older protocol. It can act as a protocol adaptor.
Conclusion
Once your API is ready, don’t forget to monitor and secure them.
The above should give you an idea about available API Gateway and Management solutions. If you are under a tight budget, then you can try open-source. It is the best to install some of them to see what works for you.