How Do API Gateways work? What are the typical components of an API gateway? Are there common standards around how they manage security, call logging and governance?
A great example of an API Gateway is the Netflix API Gateway. The Netflix streaming service is available on hundreds of different kinds of devices including televisions, set‑top boxes, smartphones, gaming systems, tablets, etc. Initially, Netflix attempted to provide a one‑size‑fits‑all API for their streaming service.
The API Gateway offers a reverse proxy to redirect or route requests (layer 7 routing, usually HTTP requests) to the endpoints of the internal microservices. The gateway provides a single endpoint or URL for the client apps and then internally maps the requests to a group of internal microservices.
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. APIs act as the "front door" for applications to access data, business logic, or functionality from your backend services.
You need an API gateway because it provides a unified entry point across internal APIs. It allows you to control user access. And it enables security measures, like rate limiting, and applies security policies, like OAuth or JWT. An API gateway is especially important for securing microservices.
This is a pretty wide-ranging question since there are a lot of different types of gateways (and management solutions). In the broadest sense a gateway is a filter somewhere in your web stack (hosted by you or a third party) which filters your API traffic in some way. Some of the filtering could happen:
Typically the types of functions the gateway may provide may include: access control (filtering traffic so only authenticated/authorized traffic gets through), rate limiting (restricting how much traffic can be sent by each client of the API), analytics/metrics capture and logging (tracking what's going on on the API), security filtering (checking the content on incoming messages for attacks), redirection/traffic routing (sending traffic to different endpoints in your own infrastructure depending on the sender or the request).
The gateway typically works as a set of modules and filters which treat the traffic as it flows through it at high speed and you can typically enable those modules / filters you need and control their parameters. There are obviously quite a few different ways to actually do the implementation + various vendors and open source systems to choose from.
I'll try to write this neutrally since I work for 3scale which provides both commercial and open-source solutions but I'd encourage you to look at the various options and draw your own conclusions! The main choices you have are:
The different approaches work differently and it depends what you're aiming for. At 3scale we obviously have a bias for our approach since it allows you to slot in the filtering agents pretty much anywhere in your stack - but no doubt every vendor will have their view!
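The filter chain described in the answer above, as an added example that is not part of the original answer and not any vendor's code: access control, per-client rate limiting, routing and call logging run as separately enabled filters. The API keys, limits, internal hostnames and function names are constructed for illustration.

```python
import time
from dataclasses import dataclass

# Constructed sample configuration: keys and internal hosts are illustrative.
API_KEYS = {"key-mobile": "mobile-app", "key-partner": "partner-x"}
ROUTES = {"/orders": "http://orders.internal:8080", "/users": "http://users.internal:8080"}

@dataclass
class Request:
    path: str
    headers: dict
    client: str = ""    # filled in by the access-control filter
    upstream: str = ""  # filled in by the routing filter

class Reject(Exception):
    """Raised by a filter to stop the chain; args are (status, reason)."""

def access_control(req):
    client = API_KEYS.get(req.headers.get("X-API-Key", ""))
    if client is None:
        raise Reject(401, "unknown or missing API key")
    req.client = client

def make_rate_limiter(limit, window_s, clock=time.monotonic):
    hits = {}  # client -> timestamps of requests inside the sliding window
    def rate_limit(req):
        now = clock()
        recent = [t for t in hits.get(req.client, []) if now - t < window_s]
        if len(recent) >= limit:
            raise Reject(429, "rate limit exceeded")
        hits[req.client] = recent + [now]
    return rate_limit

def route(req):
    for prefix, upstream in ROUTES.items():
        # Match on a path-segment boundary so "/ordersX" does not hit "/orders".
        if req.path == prefix or req.path.startswith(prefix + "/"):
            req.upstream = upstream + req.path
            return
    raise Reject(404, "no route")

def handle(req, filters, log):
    # Run the enabled filters in order and log every decision, allow or deny.
    try:
        for f in filters:
            f(req)
        status = 200
    except Reject as e:
        status = e.args[0]
    log.append((req.client or "anonymous", req.path, status))
    return status, req.upstream
```

Filter order matters here: the rate limiter keys on the client identity that access control established, so it must run after it.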
The concept of an API Gateway is easier (to me) to understand with an analogy. If you think about a reception desk at the front of an office building, it basically routes calls, stops unexpected visitors and makes sure parcels get to the right place.
That's exactly the role of an API Gateway in a distributed application. It takes requests and redirects them to the right service. Put into an image, here's how it could look.
Basically, it's the reception desk, between your microservices and the different client requests (browsers, apps, etc.). In terms of how they work, what are the components, and so on, it totally depends on the implementation and requirements. Some API Gateways handle authentication and authorization, others process and validate input data, or transform the responses. Some provide monitoring information, and some do it all.
If you are looking for more technical responses, Steve provides great details on the different components that constitute such a layer.