An API gateway is a tool used for API management that works between client and backend services. The API gateway accepts all the application programming interface (API) calls, aggregates the various services required to fulfill them, and returns the appropriate result. It is a small application that sits in front of a group of microservices to facilitate requests from the external world and delivers the backend servers’ response. It decouples the client interface from your backend implementation.
The primary responsibility of the API gateway is to take all API calls from clients, then route the requests to the right microservice while performing certain functions such as response composition from back-end services, and protocol translation. The API gateway can handle multiple external requests simultaneously and route the requests to various microservices in the backend. The common functions of an API gateway include authorization and authentication of requests, routing requests, rate limiting, billing, monitoring, analytics, policy checks, alerting, and statistics.
API Gateway Implementation
API gateway implementation can be a bit clumsy. It is more than just a basic function of accepting a remote request and returning a response. While implementing API gateways, the platform team has to take extreme care, such as:
- Protecting APIs from overuse and abuse with the help of functions such as authentication and rate-limiting
- Understanding the usage of specific APIs with analytics and monitoring tools
- Connecting APIs to the billing system, in case the usage is meant to be monetized
- Configuring rules and routing traffic to various microservices in applications for executing business logic
- Adding and deleting new applications to the API services is automated without affecting the API user experience
Why use an API Gateway for Building Microservices?
An API gateway is handy as it acts as a single point in microservices-based applications. The API gateway helps execute functions such as traffic routing, protocol translation, traffic management, and security. The API gateway handles some requests by simply routing them to the appropriate backend service, aggregating the results, and sending a response to the request being made.
Since an API gateway is used in front of the microservices to handle traffic, it decouples the client interface from your backend implementation.
How Does an API Gateway Work in Microservices?
With APIs, an application can allow internal and third-party applications to integrate and exchange data seamlessly. The application team gets a standard interface to perform activities such as integrations with the help of API. Through API, apps would receive requests through REST API Calls or gRPC Calls. After processing the request in the backend, services would send their response to API, then deliver the answers to the user or device that made the request. Refer to the image below, which depicts how the API gateway works.
Common functions executed through an API gateway are:
- Protocol translation
- Service discovery
- Basic business logic
- Authentication and security policy enforcements
- Stabilization and load balancing
- Cache management
- Monitoring, logging, and analytics
Who Uses API Gateway?
Usually, an API gateway is used by platform teams. In many organizations, there are API developers, who handle Identity Access Management (IAM) in public clouds, and are responsible for creating, configuring, and deploying APIs. Apart from API developers, there can be API managers who would typically build an API to enable certain functionality in the API gateway. We can call them API creators.
Then there are app developers in the various teams who would make an application for which API needs to be developed or build an application that would invoke those APIs using WebSocket or REST API. They are referred to as API consumers.
Benefits of API Gateway
There are numerous benefits of an API gateway, but we will talk about only a few important ones here:
Better User Experience
Without an API gateway, the client would request each microservice, and there is a chance of multiple roundtrips getting a single response from the application. API gateway enables client requests to be processed by various services with a single roundtrip. Thus, fewer round trips mean lower latency and improved user experience.
Since the API gateway sits between client-side applications and backend microservices, it can act as a security layer. First, it ensures sensitive API endpoints are not exposed. Second, the API gateway protects APIs and microservices from malicious attacks such as SQL injection or DOS attacks.
API gateway manages rate-limiting, formats the requests, applies authentication and authorization policies, and helps to reduce complexity with respect to API. Due to this decoupling, APIs for each service do not need to process the traffic or apply security checks for each request. Hence the overall complexity of a microservice decreases.
Top Tools to Consider for API Gateway
We don’t endorse any particular tool because many API gateway tools exist. Organizations must evaluate various criteria such as scalability, ease of use, security, flexibility, and pricing. Also note, some companies may offer API management solutions which includes API gateway, API governance, and API Manager.
Some of the popular API gateway tools that are available in the market are:
- Akana API Platform
API Gateway vs. Ingress Proxy vs. Service Mesh
An API gateway is an edge proxy used to handle client requests and manage responses from backend services.
An API gateway is used for application routing, rate limiting, security, request and response handling, and other application-related tasks. For microservices-based applications, the API gateway would distribute the request to various services and gather and aggregate the response to be sent to the client.
On the other hand, the Ingress controller allows single-IP-port to access all services running in k8s through ingress rules. The ingress controller service is set to load balancer to be accessible from the public internet.
An Ingress controller is a Layer 4 and Layer 7 proxy that routes traffic from clients to the services deployed into Kubernetes. Like API gateway, Ingress Controller can manage traffic and provide visibility, troubleshooting, security, and identity. Ingress controller is limited to only Kubernetes services, while API handles both Kubernetes and VM workloads. Envoy proxy is one of the famous ingress controllers used by Kubernetes administrators. Other tools that are widely used as Ingress controllers are Kong Ingress, Contour, HAProxy Ingress, NGINX Ingress, etc.
Service mesh is an infrastructure layer to handle communication in a microservices-based application. Service mesh abstracts the network layer from the application and takes all the traffic controls, ensuring security and policy enforcement in the network. In a nutshell, the Service mesh is an advanced API gateway implementation that can handle both external traffic and also manage internal communication and works both for Kubernetes and VMs workloads.
A service mesh handles traffic flowing from external clients into an application and communication between services. A service mesh can drive both north-south traffic (i.e., among services in a data center) and east-west traffic (services between various data centers). One of the widely used service mesh is Istio. Figure B highlights how Istio handles the communication flow among various microservices (including Kubernetes and VMs).
Using service mesh such as Istio, the security team can quickly create security policies such as authorization, authentication, or organizational compliance policy and enforce all the network services.
Open source service mesh software that are popular in the market are Istio (based on Envoy proxy), Linkerd (based on Rust proxy), Consul, Open service mesh.
Figure B: Istio handling traffic in Kubernetes and VMs
For smaller infrastructure implementations with much less traffic, API gateway or Ingress controllers makes sense. They can handle simple use-cases like authentication and authorization, Layer 7 level routing, protocol compatibility, and rate-limiting. But as business scales and your architecture increases, then there would be a need for complex use cases such as advanced deployment strategies or automatic end-to-end encryption (E2EE) of network communication. In those cases, you can use Istio service mesh for better traffic management and secured communication.
Table of Summary: API Gateway vs Service Mesh
|Pillars||API Gateway||Service Mesh|
|Communication||External request||External and internal requests|
|Architecture||At the edge of the network||Edge and back-end|
|Implementation||Implemented once||Implemented as sidecar proxy|
|Traffic handling||North-South traffic||North-South and East-West traffic|
|Application troubleshooting||Limited to identification of problems within APIs||Can identify sources of a problem at network, application and proxy level.|
Using Envoy Proxy as API Gateway for Kubernetes
Envoy Gateway is an open source project that can be easily used as an API Gateway. It is based on the Gateway API– resource used for service networking in Kubernetes. This means When users create Gateway API resources in Kubernetes cluster, they will be translated into native Envoy API calls, so Envoy and xDS, its native API, will not need to be changed to add this new support.
With below features, Envoy Gateway will be easy for platform architects, infrastructure administrators, and developers to adopt quickly.
- xDS control plane to manage a fleet of Envoys
- Support for heterogeneous environments. Note: Currently it supports Kubernetes only
- Extensibility to support a multitude of application gateway use cases.
- Envoy infrastructure provisioning and management.
- High-quality documentation, tooling, and a diverse group of project maintainers for support.
Operational Benefits of Envoy Gateway
- App developers can use Envoy Gateway to route external traffic to their application easily, without needing to build or extend control planes to manage traffic.
- Infrastructure team can get basic gateway functionality with Envoy Gateway. They can provide Envoy-native experience to the application team without purchasing a vendor solution.
- Using API gateway, but want to explore Istio service mesh and its benefits
- Want to understand, how to use Istio as API Gateway in your enterprise applications
- Using Nginx Ingress Proxy for Kubernetes, and want to use service mesh to manage internal networking, learn how Istio can integrate with Nginx proxy and HAProxy.
- CNCF Steering Committee commits to Envoy Gateway