These days you find two types of API Gateways. Micro-Gateways are a more recent trend, but API Gateways are not a new technology. Classic API Gateways have a history going back to Web services and SOAP APIs, where they play a role offloading and centralizing multiple functions in a single system. This idea, and the desire to build segregation of duties into the different layers of an architecture, can also be seen in microservice architectures.
Classic API Gateway(s)
API Gateways are API proxies that are put between the API Provider and the API Consumer and take care of different things:
The first and foremost function is to protect APIs at all levels (interface, access and data), as explained in this article about API security tactics. Authentication and authorization are required not only for incoming calls but also for filtering or forwarding this information, together with identity mediation and integration with IDM platforms. Along the lines of "what you cannot see can't be protected," API monitoring is an essential function. Encryption of sensitive information in incoming as well as outgoing traffic can be handy, and is mandatory in some regulated industries. Encryption and signatures have been a traditional requirement for API Gateways, which offload these complex tasks from backends. Key and certificate management rounds out the list of security-relevant features.
API Control and governance
API control and governance features are important in today's world, where APIs are about to be everywhere. API quota management, API traffic throttling and load balancing, but also content-based routing, blocking and processing, are key for an API Gateway. To deal with regulatory compliance or other mandates, auditing of transactions is a good plus too. Last but not least, Service Level Agreement (SLA) monitoring and enforcement can be helpful where APIs support business-critical processes or where external providers offer APIs that you want to control.
When it comes to running a growing set of APIs, real-time API monitoring, with alerting based on errors, exceptions and thresholds, comes more and more into focus. If the solution helps to analyze API use for insight and trends, it becomes more than a handy tool. To provide the different levels of API monitoring, the system needs to support configurable logging of API transaction data at different levels.
API administration is something API Gateway administrators deal with on a day-to-day basis, managing all aspects of daily API operations such as transaction management or tracing and debugging. If keys or credentials are used, client management such as OAuth client management is going to be required; in integration scenarios, JMS-based messaging also needs to be checked and maintained.
The foundation of a good API Gateway tool is a wide range of protocols, data formats and standards that can be virtualized/proxied and mediated.
In cases where the existing API does not fit, or where it is hard to adapt or change, bi-directional transformation (for example, REST-to-SOAP, XML-to-JSON and HTTP-to-JMS), including graphical API mapping, can turn out to speed up time to market.
These features are in some cases so sophisticated that people wish to replace existing ESB systems with API Gateways. Some API Gateways have been relabeled as "Lightweight ESB" or "Lightweight API Orchestration Tool."
Micro Gateways have been developed to protect services that are more distributed, very often in microservice environments. In this case, you need a lot of API Gateways and a central instance for control and management. When you hear "micro" you think of the size or footprint of those Gateways, but that is not the reason for their name, much like the "micro" in microservices is not about size either.
Usually it refers more to the context they are used in and to their specialized function. These functions are often a subset of those of the Gateways mentioned above. Quite often they handle REST APIs only, with API security covering throttling and quota as well as API authentication, but mostly only with API keys or OAuth.
Micro also refers to the way they are deployed, supporting container infrastructures like Docker, Docker Swarm, Kubernetes, OpenShift, OpenStack or others. To integrate with these infrastructures, deployments need to be automated and seamless. Configuration changes are promoted by spinning up new containers and killing the containers with the old configuration right after the traffic flow has switched.
Scalability is an important aspect in these deployments too, so the Gateways need to be elastic, adapting to incoming load.
Logging and monitoring data is integrated with the overall infrastructure. Functions like transformation, modification or complex orchestration are handled more by backend services.
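To make the Micro Gateway feature subset described above concrete (API-key authentication, throttling, a daily quota, and a structured log record per decision that the surrounding infrastructure can collect), here is an added example of such a request filter in Python. It is not code from the original post or from any gateway product; the client registry, the demo key and the limits are constructed for illustration.

```python
import hashlib
import time
from dataclasses import dataclass

@dataclass
class ClientPolicy:
    client_id: str
    key_sha256: str      # hex SHA-256 of the issued API key; the raw key is never stored
    rate_per_sec: float  # token-bucket refill rate (throttling)
    burst: int           # token-bucket capacity
    daily_quota: int     # hard request cap per UTC day (quota)

class MicroGateway:
    def __init__(self, policies):
        self._by_hash = {p.key_sha256: p for p in policies}
        self._buckets = {}  # client_id -> [tokens, last_refill_ts]
        self._usage = {}    # client_id -> [day_number, forwarded_count]
        self.log = []       # structured records handed to the monitoring pipeline

    def handle(self, api_key, now=None):
        """Return (status, reason); 200 means the call may be forwarded to the backend."""
        now = time.time() if now is None else now
        policy = self._by_hash.get(hashlib.sha256(api_key.encode()).hexdigest())
        if policy is None:
            return self._decide(None, now, 401, "invalid_api_key")
        cid, day = policy.client_id, int(now // 86400)
        # Quota: requests already forwarded today for this client (counter resets on a new day).
        used_day, count = self._usage.get(cid, [day, 0])
        count = count if used_day == day else 0
        if count >= policy.daily_quota:
            return self._decide(cid, now, 429, "quota_exceeded")
        # Throttling: refill the bucket for the elapsed time, then try to spend one token.
        tokens, last = self._buckets.get(cid, [policy.burst, now])
        tokens = min(policy.burst, tokens + (now - last) * policy.rate_per_sec)
        self._buckets[cid] = [tokens, now]
        if tokens < 1:
            return self._decide(cid, now, 429, "throttled")
        self._buckets[cid][0] = tokens - 1
        self._usage[cid] = [day, count + 1]
        return self._decide(cid, now, 200, "forwarded")

    def _decide(self, cid, now, status, reason):
        self.log.append({"ts": now, "client": cid, "status": status, "reason": reason})
        return status, reason

# Constructed demo registry (not a real client): 1 request/s sustained, burst of 2, 3 calls per day.
DEMO_KEY = "demo-key-do-not-use"
def demo_gateway():
    return MicroGateway([ClientPolicy("svc-a", hashlib.sha256(DEMO_KEY.encode()).hexdigest(), 1.0, 2, 3)])
```

Requests rejected for an unknown key or by the throttle are not counted against the quota, and every decision, including rejections, lands in `log` so the central management instance can alert on error rates.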
Independent of the name, whether Micro, Macro or Classic, API Gateways are an essential part of modern infrastructures that fuel the digital economy.