API Gateways are API proxies placed between the API Provider and the API Consumer. At its heart, an API Gateway is a façade that presents a clean API interface to a complex subsystem. These “front-end APIs” act as the “front door” for every application that needs data, business logic or functionality from your backend services, decoupling the interface your clients see (in this case API consumers such as mobile apps or thin clients) from the actual underlying implementation.
Why do you need an API Gateway?
APIs have become a strategic necessity for businesses. They facilitate agility, integration and innovation. So, you expose an API to integrate and everything works just fine, right?
Well, not really. The APIs you expose, internally and externally, carry very valuable information, so they raise concerns around security, availability, threats and monitoring. According to Gartner, by 2022, API abuses will be the most-frequent attack vector for enterprise web application data breaches. So what do you do? You invest in the right API Gateway to make sure that what happens outside your enterprise does not break things within it.
How does it do that?
By acting as a central interface for clients using APIs, an API Gateway acts as the single entryway into a system allowing multiple APIs or microservices to act cohesively and provide a uniform experience to your users. An API Gateway plays an important role in ensuring the reliable processing of every API call.
How do you leverage it?
As the diagram recommends, enforce all your policies at the API Gateway: do not depend on your back-end APIs, and certainly not on your front-end applications, to build the right level of security for your APIs. Most API security controls can and should be delegated to the gateway because they are configured rather than coded. Two caveats apply. The gateway only protects traffic that passes through it, so the network path must guarantee that backends accept requests only from the gateway (for example, by mutual TLS or a network allowlist). And backend code still owns the controls the gateway cannot see, such as parameterized database queries and object-level authorization checks.
Key aspects every API Gateway should address
1. API Security
Access control is the number-one security driver for an API Gateway technology. It serves as a governor of sorts so an organization can manage who can access an API and establish rules around how data requests are handled. Authentication and Authorization are of primary importance.
An API Gateway should ensure that only authenticated callers can reach the backend APIs by providing an authentication layer. It should integrate with existing and custom authentication providers, so the back-end APIs do not have to implement this logic and changes to the authentication scheme require no changes to the backend.
Once a caller is authenticated, the API Gateway authorizes what that caller may access. Here too the gateway should absorb common complexity from the back-end APIs, so they need not maintain this logic or track subsequent changes to it. An API Gateway should work with existing authorization mechanisms, and it should provide fine-grained, centrally managed access rights for each individual method of an API.
In a nutshell, API security is about authentication and authorization. An effective gateway implementation “should be able to absorb all of that, so backend services don’t have to deal with authorization anymore.” This simplifies access rule configuration and, potentially, the handling of complex authorization logic.
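The following is an added example (not code from the original article or from any particular gateway product) of the two steps above as a gateway would perform them: verify the caller's bearer token, then look up the (method, path) pair in a central policy table and check the caller holds the required scope. The shared HMAC secret, the `POLICY` table, the scope names and `mint_token`/`mint_unsigned_token` (which stand in for the identity provider and for a forgery attempt, so the example runs offline) are all constructed for illustration.

```python
"""Gateway-side authentication (HS256 JWT) and per-method authorization.

Added example. The secret, policy table and scope names below are assumptions
made for the sake of a self-contained demonstration.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example. A real gateway loads verification material
# (an HMAC secret or, better, the IdP's public keys) from a secret store.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Hypothetical central policy: (HTTP method, path) -> scope the caller must hold.
# Routes not listed here are denied by default.
POLICY = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("DELETE", "/orders"): "orders:admin",
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims, secret=SHARED_SECRET):
    """Issue an HS256 JWT. Only here so the example runs offline; the IdP does this."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def mint_unsigned_token(claims):
    """What an attacker sends when hoping the gateway honours "alg": "none"."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def authenticate(token, secret=SHARED_SECRET, now=None):
    """Return the verified claims, or None if the gateway must reject the token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    # Pin the algorithm: the token must never choose it ("alg": "none", key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    now = time.time() if now is None else now
    # Require an expiry and reject expired tokens; a token without exp would live forever.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def authorize(claims, method, path, policy=POLICY):
    """Per-method check: the route must be in the policy and the caller must hold its scope."""
    required = policy.get((method, path))
    if required is None:
        return False
    return required in claims.get("scope", "").split()


def gateway_decision(token, method, path, now=None):
    """HTTP status the gateway would return: 401 (not authenticated),
    403 (not authorized) or 200, meaning the request is forwarded to the backend."""
    claims = authenticate(token, now=now)
    if claims is None:
        return 401
    if not authorize(claims, method, path):
        return 403
    return 200
```

Two details carry most of the security value: the algorithm is pinned by the gateway rather than read from the token, and the policy is default-deny, so adding a new backend method exposes nothing until someone explicitly grants a scope to it.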
2. Rate Limiting
An API Gateway should help reduce the load on backend APIs and prevent misuse. Rate limiting restricts access to an API by permitting only a certain number of requests per consumer in a given window. When APIs are exposed to third-party consumers, tiered limits can also become a revenue stream, with paid plans granting higher rate limits.
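As an added example (not from the original article), here is a per-consumer token-bucket limiter of the kind a gateway applies before forwarding a request. The plans in `TIERS`, the API keys in `API_KEYS` and the response header names are assumptions; the point is that each consumer is identified by its key, a paid tier simply gets a larger bucket, and a denied request gets a `Retry-After` hint instead of reaching the backend.

```python
"""Per-consumer token-bucket rate limiting with tiered plans.

Added example. The tiers, API keys and header names are constructed for the demo.
"""
import math
import time
from dataclasses import dataclass

# Hypothetical plans: (sustained requests per second, burst capacity).
TIERS = {
    "free": (2.0, 5),
    "paid": (50.0, 100),
}

# Constructed consumer registry: API key -> plan. A real gateway loads this from a store.
API_KEYS = {"key-free-123": "free", "key-paid-456": "paid"}


@dataclass
class Bucket:
    rate: float      # tokens added per second
    capacity: int    # maximum burst
    tokens: float    # tokens currently available
    last: float      # time of the last refill


class RateLimiter:
    """One token bucket per API key. Each request costs one token; tokens refill continuously."""

    def __init__(self, tiers=TIERS, keys=API_KEYS):
        self.tiers = tiers
        self.keys = keys
        self.buckets = {}

    def check(self, api_key, now=None):
        """Return (allowed, headers). `headers` carries the limit information the gateway
        sends back to the client; on denial it includes Retry-After in whole seconds."""
        now = time.monotonic() if now is None else now
        tier = self.keys.get(api_key)
        if tier is None:
            # Unknown key: reject before it consumes any backend capacity.
            return False, {"X-RateLimit-Limit": "0", "X-RateLimit-Remaining": "0"}
        rate, capacity = self.tiers[tier]
        bucket = self.buckets.get(api_key)
        if bucket is None:
            bucket = Bucket(rate, capacity, float(capacity), now)
            self.buckets[api_key] = bucket
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(float(bucket.capacity), bucket.tokens + elapsed * bucket.rate)
        bucket.last = now
        headers = {"X-RateLimit-Limit": str(capacity)}
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            headers["X-RateLimit-Remaining"] = str(int(bucket.tokens))
            return True, headers
        # Tell the client when one token will be available again.
        headers["X-RateLimit-Remaining"] = "0"
        headers["Retry-After"] = str(math.ceil((1.0 - bucket.tokens) / bucket.rate))
        return False, headers
```

In a clustered gateway the bucket state lives in a shared store rather than in process memory, otherwise each node enforces its own copy of the limit and a consumer gets N times the quota.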
3. API Monitoring and Logging
An API Gateway should provide default monitoring across all APIs, with the ability to track request counts, response times, SLA compliance and so on. It should integrate with a full-featured monitoring solution to help track this information.
Since it sits between the consumers and the APIs, an API Gateway should provide default logging and unify logging across all APIs. To help analyze multiple APIs together, the gateway should inject a correlation ID into the request headers, so that back-end APIs and front-end apps can include the same ID in their own log entries.
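An added example (not from the original article) of the correlation-ID handling just described: the gateway reuses a well-formed inbound ID so that multi-hop traces stay joined, mints a fresh one otherwise, forwards it to the backend, echoes it to the client and writes one structured log line per request. The header name, the JSON log format and `demo_backend` (a stand-in for a real upstream service) are assumptions.

```python
"""Correlation-ID propagation and unified request logging at the gateway.

Added example. Header name, log format and the demo backend are constructed.
"""
import json
import re
import time
import uuid

CORRELATION_HEADER = "X-Correlation-ID"  # assumed name; use whatever your stack already uses

# Accept an inbound ID only if it is a UUID. Anything else is replaced, so a client cannot
# push log-forging text through the header or deliberately reuse another request's ID.
_UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def resolve_correlation_id(headers):
    """Reuse a well-formed inbound ID (keeps a multi-hop trace joined) or mint a new one."""
    incoming = headers.get(CORRELATION_HEADER, "").strip().lower()
    return incoming if _UUID_RE.match(incoming) else str(uuid.uuid4())


def handle(request, backend, log, now=None):
    """Proxy one request: attach the correlation ID upstream, append a structured log record,
    echo the ID back to the client. `backend` is a callable taking the upstream request and
    returning (status, body); `log` is a list standing in for the gateway's log sink."""
    cid = resolve_correlation_id(request["headers"])
    upstream = dict(request)
    upstream["headers"] = {**request["headers"], CORRELATION_HEADER: cid}
    started = time.monotonic()
    status, body = backend(upstream)
    latency_ms = round((time.monotonic() - started) * 1000, 2)
    # One JSON object per line: fields are escaped, so a newline in client input cannot forge
    # a second record. Deliberately log no Authorization header, query string or body.
    record = {
        "ts": time.time() if now is None else now,
        "correlation_id": cid,
        "method": request["method"],
        "path": request["path"],
        "status": status,
        "latency_ms": latency_ms,
    }
    log.append(json.dumps(record))
    return status, {CORRELATION_HEADER: cid}, body


def parse_log(log):
    """Turn the JSON-lines log back into dicts, as a log pipeline would."""
    return [json.loads(line) for line in log]


def demo_backend(upstream):
    """Constructed stand-in for a backend that logs with the same ID; it echoes the ID back."""
    return 200, upstream["headers"][CORRELATION_HEADER]
```

With the ID present in the gateway record, the backend's own logs and the client's error report, one `grep` on the ID reconstructs the whole request path across services.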
4. Threat Protection
APIs are the gateways through which enterprises connect digitally with the world, and malicious users are waiting to use them to reach enterprise backend systems. An API Gateway needs to provide threat protection against attackers, malware and anonymous outsiders, including defenses against DDoS, SQL injection and similar attacks. In practice that means rejecting oversized, malformed or unexpected input before it reaches the backend and filtering known-bad traffic at the edge.
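As an added example (not from the original article), here is what gateway-side threat protection looks like for one hypothetical endpoint, `POST /orders`. Rather than pattern-matching for SQL keywords, which is easy to evade and blocks legitimate input, the gateway enforces a positive model of a valid request: allowed content type, a body-size cap, a nesting-depth cap against parser exhaustion, and a field allowlist with types and bounds. The schema and limits are assumptions. The caveat from earlier applies: this stops junk at the edge, but the backend still needs parameterized queries because a 30-character `sku` can legally contain anything.

```python
"""Gateway-side request validation as threat protection.

Added example. The schema, limits and endpoint are constructed for the demo.
"""
import json

# Assumed limits; tune per API.
MAX_BODY_BYTES = 16 * 1024
MAX_JSON_DEPTH = 8
ALLOWED_CONTENT_TYPE = "application/json"

# Hypothetical schema for POST /orders: field -> (expected type, max length or max value).
# Fields not listed are rejected, so an attacker cannot smuggle parameters the backend
# never meant to expose.
ORDER_SCHEMA = {
    "sku": (str, 32),
    "quantity": (int, 1000),
    "note": (str, 256),
}
REQUIRED_FIELDS = {"sku", "quantity"}


def _depth(value, level=1):
    """Nesting depth of a parsed JSON value; deep nesting is a cheap way to exhaust a parser."""
    if isinstance(value, dict):
        return max((_depth(v, level + 1) for v in value.values()), default=level)
    if isinstance(value, list):
        return max((_depth(v, level + 1) for v in value), default=level)
    return level


def validate_order(content_type, body):
    """Return (status, reason). 200 means the request may be forwarded to the backend;
    anything else is the response the gateway sends without touching the backend."""
    if content_type.split(";", 1)[0].strip().lower() != ALLOWED_CONTENT_TYPE:
        return 415, "unsupported content type"
    if len(body) > MAX_BODY_BYTES:            # check size before parsing, not after
        return 413, "body too large"
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):      # RecursionError: absurdly deep input
        return 400, "malformed JSON"
    if not isinstance(doc, dict):
        return 400, "JSON object expected"
    if _depth(doc) > MAX_JSON_DEPTH:
        return 400, "nesting too deep"
    missing = REQUIRED_FIELDS - doc.keys()
    if missing:
        return 400, "missing field: " + sorted(missing)[0]
    for name, value in doc.items():
        spec = ORDER_SCHEMA.get(name)
        if spec is None:
            return 400, "unexpected field: " + name
        expected, limit = spec
        # bool is a subclass of int in Python, so reject it explicitly for numeric fields.
        if isinstance(value, bool) or not isinstance(value, expected):
            return 400, "wrong type for " + name
        if expected is str and len(value) > limit:
            return 400, name + " too long"
        if expected is int and not 0 < value <= limit:
            return 400, name + " out of range"
    return 200, "ok"
```

The order of checks matters: size and content type are tested on the raw bytes before any parsing happens, so a 100 MB body never costs the gateway a JSON decode.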
5. API Transformation
An API Gateway should provide the capability to transform request and response payloads. As organizations move from a legacy SOAP-based architecture to a more modern REST-based one and need a quick time-to-market strategy, payload transformation becomes an integral part of that requirement.
6. Scalability and High Availability
As the API Gateway sits between the consumers and backend APIs, it is also in a unique position to detect spikes or drops in traffic from the monitoring it collects. Even though the gateway may not be expected to provide auto-scaling out of the box, it should integrate with services that provide this capability.
An API Gateway must support scalability, high availability, load balancing and shared state without compromising performance. It should provide linear scalability and fault tolerance on hardware or cloud infrastructure for mission-critical data, and it should support replication across multiple data centers to lower latency for your consumers.
As the API market matures, so does the number of security breaches. As decision-makers, you want assurance that exposing enterprise data via APIs will not create undue risk. An API Gateway lets you publish APIs safely, securely and in an automated manner, with high availability, so that developers can quickly and easily find and use them to deliver business value for your organization while the gateway preserves integrity and confidentiality.