API Gateway — Secure & Lightweight API Communication for Mobile Client

Rupa Singh
7 min read · Sep 1, 2021

What the Article covers

  • What is an API Gateway
  • Need for API Gateway
  • Advantages
  • Disadvantages
  • What to Look For while selecting API Gateway
  • API Gateways to select from

API Gateway

An API gateway is an HTTP server where routes and endpoints are defined in configuration, and each route is associated with a resource that handles it. In a serverless architecture such handlers are often FaaS functions, where FaaS stands for Function as a Service.

An API gateway provides a single, unified API entry point across one or more internal APIs. Gateways typically layer rate limiting (prevent throttling) and security on top as well. A microservice-based architecture may have anywhere from 10 to 100 services, or even more. An API gateway provides a unified entry point for external consumers (mobile apps, web apps, desktop apps, etc.) independent of the number and composition of internal microservices.

API Gateways

When an API gateway receives a request, it looks for the routing configuration entry matching the request and, in the case of a FaaS-backed route, calls the relevant FaaS function with a representation of the original request. Typically the API gateway allows mapping from HTTP request parameters to a more concise input for the FaaS function, or allows the entire HTTP request to be passed through, typically as a JSON object. The FaaS function executes its logic and returns a result to the API gateway, which in turn transforms this result into an HTTP response that it passes back to the original caller (the front end, which could be a mobile app, a web app or any other consumer platform).

Beyond purely routing requests, API gateways may also perform authentication, input validation, response code mapping and more.

One use case for an API gateway with FaaS functions is creating HTTP-fronted microservices in a serverless way, with all the scaling, management, and other benefits that come from FaaS functions.
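The request flow described above, as an added example that is not part of the original article: a route table held as configuration, the mapping from an HTTP request to a concise event, input validation, and response code mapping. The handler names, routes and error codes are hypothetical.

```python
import json
import re
# Hypothetical FaaS functions: take a concise event dict, return a result dict.
def get_order(event):
    if event["path"]["order_id"] != "42":          # constructed sample data
        return {"error": "not_found"}
    return {"order_id": "42", "status": "shipped"}

def create_order(event):
    body = event["body"]
    if not isinstance(body, dict) or not isinstance(body.get("item"), str):
        return {"error": "invalid_input"}          # input validation
    return {"created": body["item"]}

# Routing configuration: (method, path template, handler).
ROUTES = [("GET", "/orders/{order_id}", get_order),
          ("POST", "/orders", create_order)]
ERROR_STATUS = {"not_found": 404, "invalid_input": 400}  # response code mapping

def _compile(template):   # literal parts are escaped, {name} becomes a group
    parts = re.split(r"\{(\w+)\}", template)
    return re.compile("".join(
        re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^/]+)"
        for i, p in enumerate(parts)))

COMPILED = [(m, _compile(t), h) for m, t, h in ROUTES]
def _reply(status, payload):
    return status, {"Content-Type": "application/json"}, json.dumps(payload)

def handle(method, path, query=None, body=None):
    """Route one HTTP request; returns (status, headers, body_text)."""
    path_known = False
    for route_method, regex, handler in COMPILED:
        match = regex.fullmatch(path)      # whole path only, no prefix match
        if match is None:
            continue
        path_known = True
        if route_method != method:
            continue
        try:
            parsed = json.loads(body) if body else None
        except ValueError:                 # malformed JSON never reaches the function
            return _reply(400, {"error": "invalid_input"})
        # Concise event for the function; raw HTTP headers are not passed on.
        event = {"path": match.groupdict(), "query": dict(query or {}), "body": parsed}
        result = handler(event)
        status = ERROR_STATUS.get(result["error"], 500) if "error" in result else 200
        return _reply(status, result)
    return _reply(405 if path_known else 404, {"error": "no_route"})
```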

Need for API/Application Gateway

An API gateway minimizes latency (the time between the cause and effect of a request) and improves security by creating a safe network.

Abstraction: An API gateway separates external public APIs from internal microservice APIs, allowing for microservices to be added and boundaries changed. The result is the ability to refactor and right-size microservices over time, without negatively impacting externally-bound clients. It also hides service discovery and versioning details from the client by providing a single point of entry for all of your microservices.

Support for multiple communication protocols. If the external-facing APIs use HTTP, the internal microservices hidden behind them do not have to use the same protocol. External-facing APIs in most cases offer an HTTP or REST-based API, while internal-facing APIs may benefit from using different communication protocols, such as ProtoBuf, AMQP, JSON-RPC or XML-RPC. Microservices are fully independent and can choose their own implementation, including their own authorization for incoming requests if needed.

Decreased complexity. Microservices have common concerns, such as: authorization using API tokens, access control enforcement, and rate limiting. Each of these concerns can add more time to the development of microservices by requiring that each service implement them. An API gateway will remove these concerns from your code, allowing your microservices to focus on the task at hand.

Microservice Mocking and Virtualization. By separating microservice APIs from the external API, you can mock or virtualize your services to validate design requirements or assist in integration testing.

Advantages

  • Security: The microservices are not exposed directly to the front-end application consuming these services, making the connection robust and secure.
  • Latency: Connecting to one API gateway instead of maintaining connections to each of the microservices decreases latency drastically, making communication faster.
  • Authentication/Authorization: Rather than implementing authentication logic in each microservice, it can be handled on the gateway side. Microservices then only need to worry about the task at hand, with no extra token or authorization handling logic.
  • Enhances Service Discovery: Each microservice has its own API definition, and the mapping lives in the API gateway configuration, leading to faster service discovery.
  • Lighter and cleaner microservices: Common concerns such as authorization, access control and rate limiting are transferred to the API gateway, so they no longer load the microservices, allowing your microservices to focus on the task at hand.
  • Response Caching: Makes the APIs respond faster, as the microservices keep only the required business logic.
  • Retry/Service Breaker: Based on the retries, the microservice can keep stats and send them to the API gateway, and the API gateway in turn can stop the retries based on the number of times the request has come in, the wait time, etc.
  • Rate Limiting: Rate limiting is a strategy for limiting network traffic. It puts a cap on how often someone can repeat an action within a certain timeframe. The API gateway ensures that the number of calls to the microservice in question does not exceed the cap.
  • Load balancing: If a microservice is overloaded with incoming requests, running multiple instances can solve the issue and ensures the system does not slow down under n requests.
  • Logging/Tracking: Keeping statistics on the number of requests coming in to each microservice and sending them to the concerned interfaces, all from one place.
  • Query Transformation: The API gateway can transform incoming requests, adding parameters to the headers or the request, based on where it will route the request.
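A sketch of the gateway-side checks named under "Decreased complexity" and in the Authentication/Authorization, Rate Limiting and Query Transformation items above (added example, not from the original article). The token, the cap of 3 requests per 60 seconds and the `x-authenticated-user` header name are assumptions made for illustration.

```python
import hashlib
import hmac
import time

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed sample: the gateway stores token digests, not the tokens themselves.
TOKENS = {_digest("demo-token-alice"): "alice"}    # placeholder token
LIMIT, WINDOW = 3, 60            # assumed cap: 3 requests per client per 60 s
_counters = {}                   # client -> (window_start, count)
IDENTITY_HEADER = "x-authenticated-user"           # hypothetical internal header

def authenticate(headers):
    """Return the client name for a valid bearer token, else None."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = _digest(auth[len("Bearer "):])
    for known, client in TOKENS.items():
        if hmac.compare_digest(presented, known):  # constant-time comparison
            return client
    return None

def allow(client, now):
    """Fixed-window rate limit; only authenticated requests are counted."""
    start, count = _counters.get(client, (now, 0))
    if now - start >= WINDOW:                      # window expired: start over
        start, count = now, 0
    if count >= LIMIT:
        return False
    _counters[client] = (start, count + 1)
    return True

def gateway(headers, now=None):
    """Return (status, headers_to_forward); headers are None when rejected."""
    now = time.monotonic() if now is None else now
    headers = {k.lower(): v for k, v in headers.items()}
    client = authenticate(headers)
    if client is None:
        return 401, None
    if not allow(client, now):
        return 429, None
    # Query transformation: drop the credential and any identity header the
    # client sent, then add the identity the gateway itself verified.
    upstream = {k: v for k, v in headers.items()
                if k not in ("authorization", IDENTITY_HEADER)}
    upstream[IDENTITY_HEADER] = client
    return 200, upstream
```

Because the microservices trust the injected header instead of re-checking the token, they should only be reachable through the gateway.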

Disadvantages

  • Single instance of API gateway, so single point of failure: Not to worry, multiple API gateways can solve the issue.
  • Vendor control: All the features or advantages an API gateway offers depend on the vendor you are using for the API gateway. The vendor also has control over some part of your system, as you are exposing your data to a third party.

What to Look For while selecting API Gateway

  • Simplicity
  • Scalability and flexibility
  • Security
  • All-inclusiveness

So, depending on the size and needs of your business, you may not have to “follow the leader” when it comes to your API strategy. The important part is to know how to proceed with your Open API project so it will be part of your business strategy. Because when trying to choose your API management platform, a little homework can go a long way to ensuring that it’s the best of times.

API Gateways to select from

  • Apigee: At the top is Apigee, provided by Google. The most valuable features Apigee has are scalability and technical support. In Apigee you need to understand multiple concepts in order to set up an API in your unique way.
    [Figure: Apigee Architecture]
  • MuleSoft: MuleSoft is another first-rate API management tool for integrating applications. It is also great for managing and building APIs. Plus, it offers solutions for creating an application network from the very beginning.
    Such solutions help you to manage users and analyze the received traffic. They also include policies that level up API security, protecting your system from cyberattacks.
    Some of its basic features cover:
      • Unified API platform
      • Help in creating a community that you can use for encouraging contributors and cooperating with other developers

MuleSoft offers a free trial option so that you can explore the tools and see them at work. The proposed pricing plans are Gold, Platinum, and Titanium. For details about pricing, feel free to contact the MuleSoft team.

  • Axway: Axway is a notable API management tool that ensures cloud data integration. Proposed solutions include API management, B2B integration, content teamwork, and creating apps.
    Core features include:
      • Trend investigation and predictive API analysis
      • Pre-built development policies that simplify developers’ work

It provides a free trial version. You may contact the Axway team for more details about pricing and custom quotes.

  • Kong Inc: Kong Inc. supports end-to-end solutions for companies focusing on resolving critical application difficulties. The tools Kong Gateway and Kong Enterprise can help you to control and manage APIs. The latter is also an open-source tool.
    Some of Kong’s features include:
      • Teams management and integrated development environment.
      • Collection of plugins extending the tools’ functionality.
      • Scalability, which is especially important for organizations with heavy workloads.

You can download Kong Gateway for free. For the Enterprise edition, you can request a free software demo. You need to contact their team for pricing details.

  • Ocelot: Ocelot is open source, aimed at people using .NET running a microservices / service-oriented architecture who need a unified point of entry into their system. Ocelot is fast, scalable and provides authentication, routing and request aggregation, among many other features.
  • Azure API Management: The most valuable features are its ease of use and its self-enablement, which lets customers register themselves.
    The integration with Azure Active Directory is a good security feature for authentication and authorization. There is multifactor authentication. You can also use all of the Azure AD features integrated with API Management.
    Also, Azure API Management has chosen a slimmer, more streamlined approach and offers administrators few bells and whistles, to support quicker API setup and management. This approach (and its associated lower costs) works well for those who don’t have a complicated scenario for how they want to expose their APIs.
    Azure API Management operates with fewer concepts, so administrators can set the service up quickly.

Rupa Singh

Mobile application architect with around 8 years of working experience. An Enthusiast trying to broaden the horizons and learning new tech.