
API gateway: Decoupling client interfaces with reverse proxies

Development teams are transitioning to modern architectural styles; 93% of organizations are using microservices, and exposing application programming interfaces (APIs) is the most important use case according to The State of Spring 2022. This includes APIs for internal users (86%) and external users (73%). The rapid expansion of API-first development requires the right tools to streamline API management and ensure API security. An API gateway provides a developer-friendly way to route, secure, and monitor API requests.


What is an API gateway?

An API gateway makes application programming interfaces simpler to create and use, more manageable, and more secure by providing services such as Single Sign-On (SSO), rate limiting, request validation, and tracing. It provides a single point of entry for multiple backend APIs, reducing the complexity of communication between microservices and rationalizing external access.

An API gateway acts as a reverse proxy. Clients only need to know how to reach the API gateway. Whether backend services move, go offline, or become unstable, the API gateway provides a consistent and stable point of access. An API gateway also applies appropriate pre-processing filters (if needed) before sending an API request on to the API endpoint for processing, and may apply post-processing filters before sending the response back to the requestor.
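The request path described above, sketched as an added example (not code from the original article or from any gateway product): pre-filters for API-key authentication and per-client rate limiting, longest-prefix routing, and a post-filter on the response. The route table, keys, header names and the `backend` callable are hypothetical, and header names are assumed to be already normalised.

```python
import time

# Constructed routing table: public path prefix -> internal backend (hypothetical hosts).
ROUTES = {"/orders": "http://orders.internal:8080",
          "/orders/export": "http://reports.internal:8080"}
API_KEYS = {"key-web": "web-client", "key-mobile": "mobile-client"}  # constructed keys

class TokenBucket:
    """Per-client limit: refills `rate` tokens per second, bursts up to `capacity`."""
    def __init__(self, rate, capacity, now):
        self.rate, self.capacity, self.tokens, self.last = rate, capacity, capacity, now
    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Gateway:
    def __init__(self, backend, rate=1.0, burst=2, clock=time.monotonic):
        self.backend, self.rate, self.burst, self.clock = backend, rate, burst, clock
        self.buckets = {}

    def resolve(self, path):
        # Longest prefix wins; match whole path segments so /ordersX is not /orders.
        hits = [p for p in ROUTES if path == p or path.startswith(p + "/")]
        return ROUTES[max(hits, key=len)] if hits else None

    def handle(self, path, headers):
        # Pre-filter 1: authenticate before any backend is contacted.
        client = API_KEYS.get(headers.get("X-API-Key", ""))
        if client is None:
            return 401, {}, "unauthorized"
        # Pre-filter 2: rate limit per authenticated client, not per connection.
        now = self.clock()
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst, now))
        if not bucket.allow(now):
            return 429, {"Retry-After": "1"}, "rate limit exceeded"
        upstream = self.resolve(path)
        if upstream is None:
            return 404, {}, "no route"
        # Forward without the credential; attach the identity the gateway verified.
        fwd = {k: v for k, v in headers.items() if k != "X-API-Key"}
        fwd["X-Client-Id"] = client
        status, resp_headers, body = self.backend(upstream, path, fwd)
        # Post-filter: strip headers that reveal backend implementation details.
        safe = {k: v for k, v in resp_headers.items() if k not in ("Server", "X-Powered-By")}
        return status, safe, body
```

Backends that trust `X-Client-Id` must only be reachable through the gateway, otherwise a caller can set that header directly.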




How do API gateways work?

APIs connect disparate frontend clients and backend services within and across environments. The API gateway design pattern is popular in part because an API gateway can provide all the logic necessary to support different types of clients, such as web browsers or mobile devices. The gateway can “translate” incoming requests and outgoing responses to suit different client needs and limitations. The gateway can also handle a lot of the necessary observability, security, and error handling. This way, you can have a single backend service instead of a service for each client type, and the service itself doesn’t have to implement the logic to support different client types or provide base-level logging, security, etc.

This is a significant benefit for developers since it reduces the amount of backend application code they need to maintain. Things like SSO, circuit breakers, rate limiting, and more can be offloaded and made consistent as part of the API gateway.

Here are six common (but related) API gateway use cases:

  1. API management for existing APIs. Move cross-cutting concerns and responsibilities from individual services to an API gateway (as just described).
  2. Backend for frontend (BFF). Translate API requests that come from different frameworks and devices before passing the requests on to multiple backend systems.
  3. Ingress for APIs and services. Secure APIs at a single access point and manage all traffic.
  4. Application modernization. Extend the functionality of legacy apps or decompose monolithic systems into microservices.
  5. Frontend for third-party APIs. Provide a frontend for third-party APIs to control their consumption by implementing SSO, rate limiting, etc. for those endpoints.
  6. API gateway with a service mesh. Securely control internal communication between application workloads, APIs, and data and from your network services to end users and external clients.



Benefits of API gateways

Some benefits of using API gateways include:

  • Simplified routing and delivery. Acts as a reverse proxy between a client and a requested resource; intercepts, analyzes, and modifies every request.
  • Authentication and authorization. Applies security protocols including encryption and decryption, HTTP, HTTPS, OAuth 2.0, and API keys.
  • Rate limiting. Controls the number of requests clients can make to your APIs, reducing the number of round-trip API requests and preventing potential site crashes.
  • Policy enforcement. Applies all client-specific policies in a single place.
  • API gateway vs load balancer. An API gateway may include load balancing functionality to distribute incoming requests across multiple backend servers for the same service. The two may also be used together, with load balancers serving as path-based routers to distributed API gateways to handle high traffic.



What to keep in mind when using an API gateway

An API gateway makes it easier to manage APIs and microservices. Here are some important things to keep in mind when implementing an API gateway:

API gateways play a critical role in API management

API management encompasses the set of tools and processes that are necessary to manage APIs throughout the lifecycle. An API gateway is a key element of API management that reduces complexity, helps APIs operate efficiently, and increases security.

  • An API gateway and API management control access to APIs and ensure that your system is resilient and secure.
  • An API gateway simplifies communication between a client and a service, such as a web browser and a server that may be many time zones away from each other or third-party programs or devices using different protocols.
  • API gateways provide cross-cutting functionality for API management including authentication and authorization, policy enforcement, and data transformation.

Implementing API gateways in your microservices architecture

Using an API gateway in a microservices architecture has become a popular design pattern as microservices have become widespread and the number of services and APIs has increased rapidly. An API gateway reduces the complexity of designing new APIs, simplifies updating existing APIs, and can make it easier to discover what APIs are available.

An API gateway combined with microservices allows you to monitor and secure APIs at a single access point and deliver high availability. Which API gateway is best for your microservices deployment depends in part on your application and whether your primary goal is hiding complexity from your users, translating requests from various protocols, or breaking down monoliths.

Distributed vs centralized API gateway

A distributed API gateway reduces the failure risk of a centralized API gateway. A centralized API gateway is a single point of failure, and outside mechanisms may be necessary to ensure high availability. By supporting multiple API gateway instances, a distributed gateway allows teams and business units to manage and maintain APIs at scale, while a centralized gateway may have practical scaling limits.

Service mesh vs API gateway

The difference between a service mesh and an API gateway is that a service mesh is intended for applications that have many discrete services that need to communicate efficiently with each other. In this situation, communication pathways quickly become complex. A service mesh decouples a service from having to know about the specifics of the networking in use.

While an API gateway can be used to accommodate the same type of “east-west” traffic (traffic within an application or traffic within a datacenter), it is also intended to handle “north-south” traffic (traffic to and from external clients).

Service meshes and API gateways can be (and often are) used together. An API gateway controls north-south traffic, making services in your network available to external clients and providing a simplified experience for consumers. Adding service mesh capabilities to an API gateway improves internal communication and API security.



When to use a Service Mesh vs an API Gateway

| Service Mesh | API Gateway |
| --- | --- |
| Caters only to its connected services, providing load balancing, error handling, and traffic routing (east-west traffic) | Decoupled from underlying services and remains in a separate abstraction layer, while catering to the set of APIs/services connected to the API gateway (north-south traffic) |
| Handles communication between services, hosts, and ports | Handles edge routing and controls traffic coming in and out of a cluster |
| Provides security and observability to protect microservices, APIs, and data | Establishes a stable API interface for external clients, providing edge or boundary level security |

Examples of API gateways

It is important to consider which API gateway is best for the needs of your development and operations teams. Some popular API gateways are:

  • Spring Cloud Gateway. Open source, Java-based, distributed API gateway capable of handling cross-cutting concerns on premises and in the cloud.
  • Amazon API Gateway. Enables API creation and management at scale for applications running in AWS or other cloud environments.
  • Apigee API Gateway. Usually deployed on premises for application modernization, now includes API management across environments as part of Google Cloud Platform.
  • Ocelot API Gateway. A lightweight open source .NET Core based API gateway that controls API traffic on premises and in the cloud as part of Microsoft Azure’s API Management.

When choosing an API gateway, it’s important to consider whether your choice can operate in the environment(s) you will need it to run. Specific features, including distributed operation, extensibility to accommodate future use cases, and OpenAPI integration can also be valuable.



API Gateways at VMware

Tanzu is a leading resource for modern application development and Kubernetes. Tanzu products deliver the API gateway and other API management and API security capabilities that teams need to accelerate development. Tanzu experts can help jumpstart your team’s efforts to modernize and rationalize your approach to APIs.

Spring Cloud Gateway is an open source, distributed API gateway for the Spring ecosystem. It provides flexible capabilities for routing API requests, with a strong focus on cross-cutting concerns such as security, resiliency, monitoring, and metrics.

Distributed features provide high availability for gateway instances and allow the same APIs to be deployed to multiple availability zones. Teams and business units can be isolated with their own API gateway.

Spring Cloud Gateway for Kubernetes extends the capabilities of Spring Cloud Gateway to create a fully supported, commercial offering for the Kubernetes platform that is designed to be developer friendly. It lets you automate the deployment of an API gateway service by applying YAML configuration objects to a Kubernetes cluster.

API Portal for Tanzu provides a location for developers to find and test APIs from various OpenAPI sources. Features include an API Group dashboard and the ability to search for, view, and try out APIs.

Tanzu Application Platform is a modular, application-aware developer platform that provides a rich set of developer tooling and a pre-paved path to production to build and deploy software quickly and securely on any compliant public cloud or on-premises Kubernetes cluster. Tanzu Application Platform integrates Spring Cloud Gateway for Kubernetes and all the other tools that developers need, including a developer portal built on Backstage.

Tanzu Labs can help teams turbocharge their application modernization efforts and provide advice on the best tools and methods to manage APIs to achieve security and scale.

Tanzu Service Mesh provides advanced, end-to-end connectivity, security, and insights for modern applications—across application end users, microservices, APIs, and data.





Frequently Asked Questions

What is an API gateway?

An API gateway makes application programming interfaces (APIs) simpler to create and use, more manageable, and more secure by providing services such as encryption, request validation, rate limiting, auditing, and logging. An API gateway provides a single point of entry for a set of backend APIs that reduces complexity between clients and services. It is essentially a reverse proxy that processes incoming requests and sends back responses.

What is an API gateway and API management?

API management encompasses the set of tools and processes that are necessary to manage APIs throughout their lifecycle. An API gateway fulfills one of the key elements of API management by reducing complexity and helping your teams create APIs more quickly and operate them efficiently.

Do I need an API gateway if I use a service mesh?

Combining an API gateway with a service mesh is a good idea for applications that have external consumers (an API gateway can provide a simplified experience for external clients) and also have complex internal communication needs (that may be best handled by a service mesh). As your microservices architecture grows in complexity, combining the capabilities of a service mesh (for east-west traffic) and an API gateway (for north-south traffic) improves overall communication and API security.

What is an API gateway in microservices architecture?

As microservices have become more prevalent, API gateways have become popular because they can reduce the complexity of designing new APIs, simplify updating existing APIs, and make it easier to discover available APIs.