An application programming interface (API) enables you to access another company’s services — or software, data, even a piece of code — to extend the functionality of your own product while saving time and money. That’s why more and more businesses are either leveraging third-party APIs or creating their own to sell to third-party app developers.
The process of creating or hosting an API is not simple though. It involves securing it, monitoring how people use it, adding and retiring some services, and more. To simplify these tasks, you can use an API gateway.
What is an API gateway?
An API gateway accepts all API calls and then acts as a reverse proxy, retrieving resources from backend applications on behalf of the client application. An API gateway not only accepts API calls — it also handles tasks related to API services like user authentication, rate limiting, monitoring, and more.
To help you understand what an API gateway is, let’s use an analogy. Think of an API gateway like a front door. Behind the door are the backend services that client applications want access to. The client — also known as the API consumer — makes its request at the door, perhaps verifies its identity, and then waits for the requested data to be delivered. Behind the door, where the client can’t see, the request is routed to the relevant part of the API system and the response is forwarded back to the client.
Let’s take a more technical look at how an API gateway works below.
How does an API gateway work?
An API gateway decouples the client interface from the backend implementation of a Systems Applications and Products (SAP) environment or microservices architecture. This API interface, which is easier to work with than the underlying backend implementation, sits between the API consumer and provider.
So when an API consumer sends a request to the API Gateway, it will go through three phases. To start, the request will be authorized, validated, and transformed for an endpoint in the backend. This step is known as the “request flow.” At this stage, the API provider might require a particular HTTP header, query string, or API key to identify a caller and reject any unauthorized requests or enforce a throttling or quota limit.
Then, the request will be routed to the relevant service (or services). For example, in the Amazon API Gateway, a request might be routed to a function in AWS Lambda or another AWS resource. Here is where the action happens: maybe a record is saved in the database or some tweets are streamed, depending on what the request was.
Finally, the result will once again be transformed so it can be sent back to the client. While an API gateway will often route a request to multiple services, it will aggregate the results into a single response. This response can include an HTTP status code to confirm the request was successful. This step is known as the “response flow.”
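The three phases above can be sketched in a few lines of Python. This is an added example, not code from any of the gateways discussed here; the header name `x-api-key`, the sample key, the route, and the two in-process "services" are assumptions made for illustration.

```python
import hashlib

# Constructed sample data: SHA-256 of each API key -> caller id
# (the gateway stores key digests rather than the keys themselves).
API_KEYS = {hashlib.sha256(b"demo-key-123").hexdigest(): "client-a"}

# Hypothetical in-process stand-ins for two backend services.
def profile_service(caller):
    return {"profile": {"id": caller}}

def orders_service(caller):
    return {"orders": [101, 102]}

ROUTES = {"/account": [profile_service, orders_service]}

class TokenBucket:
    """Throttle: bursts up to `capacity`, refilled at `rate` tokens per second."""
    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

BUCKETS = {}  # caller id -> TokenBucket

def handle(path, headers, now):
    """Return (status, body) for one request; `now` is a clock in seconds."""
    # Request flow: identify the caller by API key and reject unknown callers.
    key = headers.get("x-api-key", "")
    caller = API_KEYS.get(hashlib.sha256(key.encode()).hexdigest())
    if caller is None:
        return 401, {"error": "invalid or missing API key"}
    # Request flow: enforce the per-caller throttle before any backend is touched.
    bucket = BUCKETS.setdefault(caller, TokenBucket(capacity=2, rate=1.0))
    if not bucket.allow(now):
        return 429, {"error": "rate limit exceeded"}
    # Routing: only paths in the route table reach a backend.
    services = ROUTES.get(path)
    if services is None:
        return 404, {"error": "no such route"}
    # Response flow: aggregate every service's result into a single response.
    body = {}
    for service in services:
        body.update(service(caller))
    return 200, body
```

Unauthenticated and throttled requests are rejected at the gateway and never reach a backend service, which is the point of placing these checks in the request flow.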
Now that we have a better understanding of how an API gateway works, let’s take a closer look at the advantages one offers.
Why Use an API Gateway
There are several benefits to using an API gateway. While each API gateway may differ depending on its implementation, they typically have the following functionality in common.
Most API gateways handle user authentication and rate limiting, which can help prevent your API from being accidentally or intentionally abused. They also typically offer analytics and monitoring so you can keep track of how people are using your APIs and services.
With an API gateway, you don’t have to worry about how adding or retiring API services will affect how client apps can request access to them either. Client applications will still be able to request access to any of your services at the same entry point, without needing to keep track of multiple API endpoints.
An API gateway is also ideal if you have a microservices-based application. Below we’ll explain why.
API Gateway Microservices
In the past, businesses would have one monolithic application that did everything. If a client application wanted to retrieve some data or service from this application, it would make one API call. A load balancer would then route the request to one of the app’s replicated and identical endpoints. The app would query various database tables to complete the request and return a response to the client.
Today, many businesses have adopted a microservices architecture, in which multiple services are responsible for different tasks. With this architecture type, client applications can access these services in two ways.
The first way is direct client-to-microservice communication. With this approach, client apps can make requests directly to individual microservices by sending multiple calls to the correct microservice endpoints.
There are a few problems with this approach, however. First, the more requests that a client has to send to the back end, the more round trips the application has to complete between the client and server. This can result in increased latency and longer wait times for the client. Second, since each microservice must be accessible through public endpoints, there’s an increased security risk. Implementing security measures like authorization for each individual microservice is therefore critical — but will require a significant amount of time and effort.
Finally, updating the application poses some serious challenges with this type of communication model. That’s because adding or retiring microservices will not only require some serious development effort — it will also impact client apps that are coupled to existing internal endpoints.
While direct client-to-microservice communication might work for small microservice-based applications, an indirect approach is ideal for larger and more complex applications. That’s where an API gateway comes in.
An API gateway provides a single entry point for client applications. A client submits its request and the gateway can break it down into multiple requests, route them to different backend services, and return the response to the client in a single round-trip. An API gateway therefore reduces the number of requests between the client and server, improving latency and the user experience.
Open Source API Gateway
Like website building software, API gateways can either be proprietary or open source.
A proprietary API gateway is owned by another company. Typically, you have to pay a fee to the provider to use their gateway and you can’t extend the gateway to add or enhance its functionality. But the provider will handle some of the administrative and management tasks, like enforcing compliance requirements and quota limits, for you.
Unlike a proprietary API gateway, an open source API gateway is free to use and you can extend it as needed. Typically, there are plugins available to extend this type of gateway. However, you will be responsible for most of the day-to-day management of this solution.
API Gateway Service Providers
If you’d like to reap the benefits of an API gateway, then you can choose from a wide range of vendors. Depending on your needs, you can select a vendor that offers a proprietary or open source API gateway, one that specializes in microservices or another architecture type, and so on. The vendors below offer different types of API gateways, services, and pricing models to meet different businesses’ needs and budgets. Let’s take a look.
The Amazon API Gateway is a fully managed service designed to make it easy for developers to create and manage APIs at any scale. Developers can create APIs to use in their own client applications, or to make available to third-party app developers. In addition to being able to create and publish APIs that access AWS, other web services, or data stored in the AWS Cloud, developers can also maintain, monitor, and secure these APIs much more easily. That’s because the Amazon API Gateway can accept and process up to hundreds of thousands of concurrent API calls and all the related tasks like traffic management, authorization and access control, throttling, and monitoring.
There are no minimum fees or startup costs to using the Amazon API Gateway. You’re only responsible for the API calls you receive and the amount of data transferred out. To ensure that you can grow, Amazon offers a tiered pricing model so you can reduce your cost as your API usage scales.
The Apigee API Gateway is a highly scalable and secure solution by Google. With this platform, developers can design, secure, publish, analyze, monitor, and monetize APIs. Apigee is particularly ideal for modernizing legacy SAP systems because it provides an “API wrapper” — or abstraction layer — between developers and SAP legacy systems. That means that developers get to work with feature-rich and responsive APIs and have a consistent and reliable experience while the Apigee platform handles translating API calls and passing the requests to the underlying SAP environment. The platform also takes on other functions, including authentication, threat assessment, and throttling.
You can try the Apigee API Gateway for free, but you’ll have to pay to get your API program up and running. There are three tiers: standard, enterprise, and enterprise plus. You have to contact Google to get the pricing for any of these tiers.
The Azure API Gateway is ideal for hybrid and multi-cloud environments with APIs hosted on-premises as well as across clouds. With this gateway, organizations can efficiently and securely manage all their APIs from a single API Management service.
The gateway is responsible for proxying API requests, applying security and compliance policies, and collecting telemetry — and it’s only one part of Microsoft’s API management solution. In addition to the gateway, there’s the management plane and developer portal. The management plane is exposed as an API and used to configure the API Management service via the Azure portal and other supported mechanisms. The developer portal is used by developers to learn how to use the APIs and collaborate.
The Kong API Gateway is an open source API gateway that’s optimized for microservices architecture (although it can work with any type of architecture). The Kong API Gateway is built on top of a lightweight proxy so it’s able to minimize latency and scale for multiple microservice applications, no matter where they run. In addition to managing and throttling API requests, it also provides an authentication layer to protect your services and analytics for visualizing and monitoring traffic to your APIs and microservices.
The Kong Gateway is free to download, but you can upgrade to the enterprise subscription for advanced traffic control, customer support, and more.
The Tyk API Gateway is open source, like Kong’s. While it doesn’t have as large a community or as many plugins available as Kong, Tyk is easy to use and extend. The Tyk dashboard makes it easy to design, maintain, manage, and protect your APIs and complete any administrative tasks, whether it’s API key management, rate limiting, quotas, API versioning, or access control. Tyk does not offer any integrated billing features, however, which can make it difficult to monetize your APIs.
Choosing the Right API Gateway
API gateways can make it easier, faster, and safer to create and manage APIs for your business. Choosing the right one will depend on how much you want to spend, what role you want to play in the day-to-day management of your gateway, and whether you want to be able to extend its functionality, among other factors.