API Gateway
An API gateway is an API management tool that sits between a client and a collection of back-end services.
An API gateway acts as a reverse proxy that accepts all API calls, collects the various services required to fulfill the calls, and returns the appropriate result.
Although an API gateway includes most of the functions found in a reverse proxy like routing, caching, and load balancing, it differs from a reverse proxy by way of its ability to address system-wide concerns.
System Concerns
Some of the system-wide concerns that an API gateway seeks to address include:
- Security
- Auditing
- Configuration management
- Exception management
- Logging
Case Analysis
An API gateway is expected to handle all tasks involved in accepting and processing thousands of concurrent API calls, including traffic management, access control, CORS support, authorization and authentication, throttling, monitoring, and API version management.
Case: You have an application that uses the microservices architecture pattern. For example, a product’s details data is spread over multiple services such as product information service, pricing service, order service, etc. However, the code that displays the details of this product needs to fetch information from all these individual services.
Problem: How will the clients of a microservice-based application access all these independent services?
Solution: Implementing an API gateway provides a single entry point for all clients. Some requests are simply proxied/routed to the appropriate service, while others are handled by fanning out to multiple services.
Expected blockers: Building an API gateway carries with it increased development complexity as it has to be built, deployed and managed as part of the system.
Implementation issues: An event-driven/reactive approach is the best implementation if the gateway has to scale to handle high loads. On the Java Virtual Machine (JVM), NIO-based (New Input/Output) libraries like Netty, Spring Reactor, etc. are sensible to use. Node.js is another sensible option.
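The single entry point from the solution above, with the access-control and throttling duties in front of the fan-out, sketched for Node.js as an added example (not code from this post or from any gateway product). The client secret, service stubs, function names and the layout of the signed string are assumptions, and the backends are in-process stand-ins so that it runs offline.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed sample data: one client secret and in-process stand-ins for the
// product information, pricing and order services (all names are assumptions).
const CLIENT_KEYS = new Map([["web-app", "constructed-demo-secret"]]);
const SERVICES = {
  info: async (id) => ({ id, name: "Sample product" }),
  pricing: async () => ({ price: 19.99, currency: "USD" }),
  orders: async () => { throw new Error("orders backend down"); },
};

// HMAC authentication: the client signs method, path and timestamp.
function sign(secret, method, path, ts) {
  return createHmac("sha256", secret).update(`${method}\n${path}\n${ts}`).digest("hex");
}

function authenticate(req, now) {
  const secret = CLIENT_KEYS.get(req.clientId);
  // Reject unknown clients and stale or missing timestamps (limits replay).
  if (!secret || !(Math.abs(now - req.ts) <= 300_000)) return false;
  const expected = Buffer.from(sign(secret, req.method, req.path, req.ts));
  const given = Buffer.from(String(req.signature));
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Fixed-window throttle per client (in memory; a cluster needs shared state).
const windows = new Map();
function allow(clientId, now, limit = 3, windowMs = 1000) {
  let w = windows.get(clientId);
  if (!w || now - w.start >= windowMs) windows.set(clientId, (w = { start: now, count: 0 }));
  return ++w.count <= limit;
}

// Single entry point: authenticate first so unauthenticated traffic cannot use
// up a client's quota, throttle, then fan out and tolerate a failed backend.
async function handle(req, now = Date.now()) {
  if (!authenticate(req, now)) return { status: 401 };
  if (!allow(req.clientId, now)) return { status: 429 };
  const m = /^\/products\/(\w+)$/.exec(req.path);
  if (req.method !== "GET" || !m) return { status: 404 };
  const names = Object.keys(SERVICES);
  const settled = await Promise.allSettled(names.map((n) => SERVICES[n](m[1])));
  const body = {}, unavailable = [];
  settled.forEach((r, i) => {
    if (r.status === "fulfilled") body[names[i]] = r.value;
    else unavailable.push(names[i]);
  });
  return { status: 200, body, unavailable };
}
```

The constructed `orders` stub always fails, so a valid request comes back with the `info` and `pricing` data plus `unavailable: ["orders"]` instead of an error for the whole page.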
Common Features
- Security
- HTTP, HTTP/2, TCP, UDP, WebSockets, gRPC
- Protocol translation and management
- Authentication and authorization
- LDAP authentication
- JWT authentication
- HMAC authentication
- OAuth2 authentication
- OpenID Connect
- Traffic management
- Traffic mirroring
- Stickiness
- Distributed in-flight request limiting
- Active health checks
- Blue/Green & Canary deployments
- Distributed rate limiting
- Middleware (circuit breakers, retries, buffering)
- API traffic observability
- Cluster-wide dashboard
- Support for third-party monitoring platforms (Datadog, InfluxDB, Prometheus, Grafana, etc.)
- Distributed tracing (Zipkin, OpenTracing, Jaeger)
- Acceleration
- Caching
- GitOps workflows integration
- Collaboration
- Developer portal with OpenAPI support
Benefits of API Gateways
- Centralizing processes and configuration in an API gateway ensures that security and availability issues are addressed sufficiently.
- SSL, authentication and authorization features overcome security issues.
- Rate limiting, circuit breaker, and retry features ensure an always-on system.
- Embedded developer portals with OpenAPI specifications such as Swagger can be used to easily document an API, thus increasing developer productivity and enhancing collaboration.
Implementation Considerations
Architectural Considerations
An API gateway solution should not drive the architecture of microservices. Features, configurations, and solutions of an API gateway should only be deployed when they are needed to improve the microservices architecture, because building around niche features complicates the application.
Logs and Metrics
Logging and metrics should be planned and implemented diligently. Proper analysis of API logs and metrics can save time when performance issues arise.
API Governance
Internal API governance should not be overlooked. API governance responsibilities include:
- Visibility
- Security
- Lifecycles
- Intra- and inter-organization integrations
Internal Considerations
Adoption of the API gateway should be promoted comprehensively within the organization. API gateways often add complexity to the architecture of an application because they introduce new behaviors, processes, etc.
Teams need to be onboarded to raise their awareness of new concepts for a successful adoption process.
What Next?
In the next blog series, I will build a sample API Gateway for microservices.
I will use Eureka for microservice discovery and follow an event-driven architecture.