API gateways are a response to a key outcome of the microservices architecture style: the proliferation of services and their interfaces. The core purpose of an API gateway is to simplify and stabilize the interfaces exposed to clients.
In addition to this, because of the unique position of an API gateway in the architecture, a variety of add-on benefits are enabled, like monitoring, logging, security, load balancing, and manipulation of traffic.
An API gateway is similar to the Facade design pattern, but applied at the network level. The objective in both cases is to provide a simplified interface profile that hides the complexity of the system. You can see this idea in Figure 1.
Figure 1. Simple API gateway
Simplified interfaces
An API gateway decouples clients from the services, and in so doing provides a single point of contact for inbound and outbound traffic.
A microservice back end may involve many interacting services, and these services may be heterogeneous with respect to their URLs and protocols. An API gateway can provide a streamlined interface for clients to interact with. In a sense, this operates like a simplification proxy.
In addition, an API gateway may be more sophisticated, capable of taking a single request, retrieving the necessary resources, and combining them into a single response. For instance, a request for a user profile might retrieve the user details, recent messages, and interests. The gateway could take the single request, request the data from each necessary service, and then unify them into a single response.
This kind of capability requires orchestration at the architectural level, and has implications for other microservices components like circuit breakers and service meshes.
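The user-profile aggregation described above, as an added example that is not from the original article: one client request fans out to three back ends and the results are merged, with an optional part allowed to fail without failing the whole response. The service functions, the `REQUIRED` set and the sample data are constructed for illustration.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for three back-end services (hypothetical names and data).
def user_details(user_id):
    return {"id": user_id, "name": "Ada"}

def recent_messages(user_id):
    return [{"from": "bob", "text": "hi"}]

def interests(user_id):
    raise ConnectionError("interests service unavailable")  # simulated outage

BACKENDS = {"user": user_details, "messages": recent_messages, "interests": interests}
REQUIRED = {"user"}  # assumption: without this part the profile is meaningless

def get_profile(user_id, backends=BACKENDS, timeout=0.5):
    """Fan one client request out to every back end and merge the answers."""
    profile, degraded = {}, []
    with ThreadPoolExecutor(max_workers=len(backends)) as pool:
        futures = {name: pool.submit(fn, user_id) for name, fn in backends.items()}
        for name, fut in futures.items():
            try:
                profile[name] = fut.result(timeout=timeout)
            except Exception:
                if name in REQUIRED:
                    # Generic message only: the upstream error text may name
                    # internal hosts and should stay in the gateway's own logs.
                    return 502, {"error": "upstream failure"}
                profile[name] = None
                degraded.append(name)
    return 200, {"profile": profile, "degraded": degraded}
```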
Because an API gateway is capable of transforming the protocols and URLs used on the back end, it is in a good position to help with migration of services. That is to say, an API gateway can to some extent hide the changes occurring on the back end.
API stability
An API gateway can also improve the stability of the API that clients interact with as development proceeds on services. The gateway can smooth over subtle changes that might otherwise break clients or require them to change, and it’s possible for developers to use the gateway to direct some of the traffic to newer versions of services to test them.
In general, an API gateway provides a single point of contact for clients that helps to minimize the effects of changes to the back-end services. The more complex the services, and the more frequently they change, the more valuable the capabilities of the gateway become.
Monitoring
An API gateway’s role in the architecture also makes it ideally positioned for some kinds of monitoring, alerting, and tracing. Similarly, gathering statistics at the gateway is useful for broad analysis of traffic and usage. Figure 2 tacks on this role for the gateway.
Figure 2. API gateway with logging
There are a variety of ways to handle the analysis of API gateway logging, such as by using the Amazon Elasticsearch Service.
Charging and limiting
When API usage is pay-for-use, then an API gateway is the perfect place to apply rate limits or track charges. Tracking customer and API usage from a single point is far simpler than attempting to instrument a variety of services to achieve the same effect.
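One way to apply limits and track usage at the gateway, as an added example that is not from the original article: a per-client token bucket that also counts served requests for billing. The class name, parameters and client keys are hypothetical; the bucket is assumed to be keyed on an identity the gateway has already authenticated, not on a value the client can choose freely.

```python
import time
from collections import defaultdict

class GatewayLimiter:
    """Per-client token bucket plus a usage counter for billing."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.buckets = {}                 # client -> (tokens, last_refill_time)
        self.billable = defaultdict(int)  # client -> requests actually served

    def allow(self, client):
        """Return (allowed, retry_after_seconds) for one request."""
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.burst, now))
        # Refill for the time elapsed since the last request, capped at burst.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            # Rejected requests are not billed; tell the client when to retry.
            return False, (1 - tokens) / self.rate
        self.buckets[client] = (tokens - 1, now)
        self.billable[client] += 1
        return True, 0.0
```

The injectable `clock` exists so the limiter can be exercised deterministically; a multi-instance gateway would need the bucket state in a shared store.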
Security
Because the gateway is the single point of entry into the system, it can bear the brunt of system hardening. This is similar to the role of a jump host in systems administration best practices.
The services are then able to concern themselves primarily with securing their communication with the single API gateway, a much simpler proposition than dealing with multiple public facing APIs.
The above applies to infrastructure level security. However, a gateway can also take on the work of authentication and authorization at the business level. This requires orchestration with the back-end services involved, but can simplify things by concentrating security logic in a single place. This naturally ties into rate limiting or pay-for-use, as the gateway will have the client accounts to use for billing.
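The split of responsibilities described in this section, as an added example that is not from the original article: the gateway authenticates the client, discards any identity headers the client supplied, and signs the identity it asserts so that a back-end service only has to verify the gateway. Header names, the key table and the shared secret are constructed; the signature here covers only account and path, with no timestamp or nonce.

```python
import hashlib
import hmac

GATEWAY_KEY = b"constructed-shared-secret"   # gateway <-> service secret (sample value)
API_KEYS = {"key-123": "acct-42"}            # constructed client credential table
STRIP = {"x-api-key", "x-account-id", "x-gateway-signature"}

def _sign(account_id, path):
    msg = f"{account_id}\n{path}".encode()
    return hmac.new(GATEWAY_KEY, msg, hashlib.sha256).hexdigest()

def gateway_forward(headers, path):
    """Authenticate the client, then build the headers sent to the back end."""
    h = {k.lower(): v for k, v in headers.items()}
    account = API_KEYS.get(h.get("x-api-key", ""))
    if account is None:
        return 401, None
    # Drop the credential and anything that imitates gateway-asserted identity,
    # so a client cannot smuggle its own x-account-id through to a service.
    upstream = {k: v for k, v in h.items() if k not in STRIP}
    upstream["x-account-id"] = account
    upstream["x-gateway-signature"] = _sign(account, path)
    return 200, upstream

def service_accepts(headers, path):
    """Back-end check: trust the identity only if the gateway signed it."""
    account = headers.get("x-account-id", "")
    sig = headers.get("x-gateway-signature", "")
    return hmac.compare_digest(sig.encode(), _sign(account, path).encode())
```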
API gateway solutions
API gateway solutions fall into two broad categories: managed and roll-your-own. In the realm of managed solutions, each cloud vendor offers a product. These can be found by searching, as they are (unimaginatively) named along the lines of “Amazon API Gateway,” “Azure Application Gateway,” and “Google Cloud API Gateway.”
When rolling your own, it is best to begin with a framework that will help with much of the grunt work. For example, in the Java ecosystem, Spring Cloud provides the Spring Cloud Gateway. Nginx is another good option.
API gateway in practice
We’ve discussed many of the benefits that an API gateway can offer. However, it’s important to always keep in mind the trade-off: A gateway is yet another piece of infrastructure requiring maintenance. In particular, an API gateway must be kept in sync with changes to the back end and clients. That said, if your architectural complexity or business case merits it, an API gateway can be the perfect solution.