Front-end Science: What is an API Gateway? Why is it useful?

An API is often referred to as a front door for applications to access data and business logic from backend services. An API is essentially an interface that a piece of software provides to other people or programs, allowing them to interact with that software.

When creating an API, you need to choose a programming language (Java, Python, PHP, etc.) to write the API logic. You also need to deploy the API to the server and monitor the API to ensure that the infrastructure has enough capacity to handle a large number of requests.

A managed API gateway abstracts the deployment and operational steps away from you. You still write the business logic behind each endpoint, but you do not have to build the front-door layer (request validation, authentication, throttling, routing) yourself or run the servers it lives on; you define the API endpoints to which clients send requests and point each one at its backend.

The major cloud providers all offer fully managed API gateway services:

  • AWS API Gateway [1]
  • GCP API Gateway [2]
  • Azure API Management [3]
  • Alibaba Cloud API Gateway [4]

This article will explain why you should use API Gateways, how they work, and we'll look at examples of API Gateways in real-world applications.

What we will cover:

  • 1. Why use an API Gateway?
  • 2. How API Gateway works
  • 2.1 Request Validation
  • 2.2 Authentication and Authorization
  • 2.3 Rate Limiting
  • 2.4 Request Routing
  • 2.5 Request and Response Conversion
  • 3. Real World Examples
  • End


1. Why use an API Gateway?

A managed API Gateway (such as the cloud services listed above) is a fully managed service that makes it easier for developers to create, publish, maintain, monitor, and secure APIs at nearly any scale.

In the context of cloud computing, “fully managed” means that the responsibility for maintenance and management of the service lies with the cloud provider, which means the underlying infrastructure, software updates, security, scalability, availability, and disaster recovery are all managed by the cloud provider.

This abstraction mainly makes the developer's life easier, as they can just focus on developing the service without having to worry about managing it.

The price of this abstraction is a loss of flexibility: you are limited to the features the provider exposes, and managed gateways come with quotas on requests per second (RPS), payload size, and integration timeouts. Some quotas can be raised on request and others are fixed, so check them against your expected peak traffic before committing to a provider.

The cloud costs of using a managed service such as an API Gateway are also higher and must be weighed against the higher number of developer days (number of developers * work days) required to build an API from scratch.

To truly understand the benefits of using an API Gateway, let’s look at the steps you would follow to design, write, and deploy a traditional API:

「Step 1: Define requirements and scope」

  • Understand the needs of the target users or systems.
  • Determine the data and functionality that the API will expose.

「Step 2: Design the API」

  • Define API endpoints and methods (GET, POST, PUT, DELETE).
  • Design the request and response format (usually JSON or XML).
  • Specify the data model and resources that the API will interact with.
  • Plan error handling and status codes.

「Step 3: Develop API」

  • Choose a programming language and framework.
  • Implement the API endpoints defined during the design phase.
  • Integrate with databases or other services as needed.
  • Ensure security practices are implemented, such as input validation and rate limiting.

「Step 4: Deploy the API」

  • Choose a hosting solution (cloud provider, on-site server).
  • Set up the deployment environment.
  • Deploy the API to the server.

「Step 5: Monitor and maintain the API」

  • Monitor your API for uptime, performance, and errors.
  • Regularly update the API to fix bugs and patch security vulnerabilities.

With an API Gateway, you still own steps 1 and 2 and the business-logic part of step 3, while the cross-cutting parts of step 3 (input validation, rate limiting) and most of steps 4 and 5 (hosting, capacity, monitoring) are handled by the gateway.

The main reason for using an API Gateway is to simplify the process of developing and maintaining APIs.

2. How API Gateway works

The API Gateway does many things at the same time.

To understand how the API Gateway works, let's use an analogy.

The API Gateway is like the maître d' (short for maître d'hôtel, French for head waiter), who is usually found in high-end restaurants, although it is a slowly disappearing profession.

The maître d' is the liaison between guests and restaurant staff and is responsible for:

  1. Greeting and seating : The maître d' is often the first person guests meet when they arrive at a restaurant. They welcome guests, ask about reservations, and seat them, taking preferences and special requests into account.
  2. Reservations : The maître d' manages reservations and ensures that tables are assigned efficiently. They keep track of available tables and reservation times, making adjustments as needed to meet guests' needs.
  3. Managing wait times : During busy periods, the maître d' manages guests' wait times by providing estimates and offering alternatives, such as seating guests at the bar or in the waiting area.
  4. Problem solving : If any problems or concerns arise during a guest's meal, the maître d' intervenes and resolves them promptly to ensure the guest's satisfaction.
  5. Handling special requests : If a guest has special requests or dietary restrictions, the maître d' communicates this information to the kitchen and makes sure the guest's needs are met.

In short, the maître d' is a person in a restaurant with many talents and responsibilities. The diagram below (image not reproduced here) shows the maître d' as the communicator between customers and whatever they may need.

[Figure: The maître d' is the communicator between the customers and anything they may need.]

An API Gateway works similarly, acting as a communicator between a client and the many services it may need to access.

[Figure: The API Gateway acts as a middleman between clients and the many services they may need to access.]

Let's look at what an API Gateway can do in more detail.

2.1 Request Validation

This involves inspecting incoming requests to confirm that they meet predefined criteria before forwarding them to backend services.

This may include checking the structure of the request, validating data types, ensuring required parameters are present, and validating query parameters, headers, and request bodies against schemas.

By doing this, the API Gateway acts as the first line of defense, stopping malformed requests and a good share of malicious ones (unexpected fields, oversized payloads, wrong types) before they reach the backend systems. It is defense in depth, not a substitute: the backend must still validate what it receives, because the gateway only enforces the schema you gave it and can be bypassed by anything that reaches the backend network directly.

Using the restaurant analogy, this would be similar to a maitre d' waiting at the door to greet guests, but remember, this is a fine dining restaurant, so the maitre d' makes sure guests are dressed in accordance with the restaurant's dress code - similar to validating incoming API requests against a predefined pattern.
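The following is an added illustration for this section, not code from the original article or from any vendor's gateway: a gateway-side validator that checks method, required headers, query parameters and a JSON body against a small declarative schema. The schema format, the `POST /orders` endpoint and the request samples are all constructed here for the example.

```python
"""Gateway-side request validation (illustrative code written for this article).
A request must pass every check here before it is forwarded to the backend."""
import json

# Constructed schema for a hypothetical POST /orders endpoint.
ORDER_SCHEMA = {
    "method": "POST",
    "required_headers": {"content-type": "application/json"},
    "query": {"idempotency_key": {"type": str, "max_len": 64, "required": False}},
    "body": {
        "product_id": {"type": str, "max_len": 32, "required": True},
        "quantity": {"type": int, "min": 1, "max": 100, "required": True},
    },
    "max_body_bytes": 4096,
}


def validate_request(req, schema):
    """Return a list of validation errors; an empty list means the request may be forwarded.
    `req` is a dict with keys method, headers, query and body (raw bytes)."""
    errors = []
    if req.get("method") != schema["method"]:
        errors.append(f"method {req.get('method')} not allowed")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    for name, expected in schema["required_headers"].items():
        # Compare the media type only, ignoring parameters such as charset.
        if headers.get(name, "").split(";")[0].strip().lower() != expected:
            errors.append(f"header {name} must be {expected}")
    for name, rule in schema["query"].items():
        _check_field(req.get("query", {}), name, rule, "query", errors)
    raw = req.get("body", b"")
    # Size check before parsing: parsing an oversized body is itself a DoS vector.
    if len(raw) > schema["max_body_bytes"]:
        errors.append("body too large")
        return errors
    try:
        body = json.loads(raw) if raw else {}
    except ValueError:
        return errors + ["body is not valid JSON"]
    if not isinstance(body, dict):
        return errors + ["body must be a JSON object"]
    for name, rule in schema["body"].items():
        _check_field(body, name, rule, "body", errors)
    # Reject fields the schema does not know: mass-assignment payloads never reach the backend.
    for extra in sorted(set(body) - set(schema["body"])):
        errors.append(f"unexpected body field {extra}")
    return errors


def _check_field(container, name, rule, where, errors):
    if name not in container:
        if rule.get("required"):
            errors.append(f"{where}.{name} is required")
        return
    value = container[name]
    # bool is a subclass of int in Python; reject it explicitly for integer fields.
    if not isinstance(value, rule["type"]) or (rule["type"] is int and isinstance(value, bool)):
        errors.append(f"{where}.{name} has wrong type")
        return
    if "max_len" in rule and len(value) > rule["max_len"]:
        errors.append(f"{where}.{name} too long")
    if "min" in rule and value < rule["min"]:
        errors.append(f"{where}.{name} below minimum")
    if "max" in rule and value > rule["max"]:
        errors.append(f"{where}.{name} above maximum")
```

Two design choices matter for security here: the body size is checked before the JSON parser runs, and unknown fields are rejected rather than silently passed through, so a client cannot smuggle an `is_admin` flag to a backend that binds request bodies directly onto its model.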

2.2 Authentication and Authorization

Authentication is the process of verifying the identity of the user or service making a request, typically through credentials such as a username and password, tokens, or API keys.

After authentication, authorization determines which resources or actions the authenticated entity is authorized to access or perform.

API gateways are usually integrated with identity providers and support various authentication and authorization mechanisms, such as OAuth, JWT, and API keys. They ensure that only legitimate, authorized requests reach the backend services. Because the gateway typically passes the verified identity on to the backend (for example in a request header), backend services must accept that header only from the gateway and never from clients directly, otherwise a client that can reach a backend could simply set the header itself.

Authentication focuses on "who", while authorization focuses on "rights".

For the maître d' who greets guests at the door, authentication means the guest proving they are who they say they are, usually by presenting some form of photo ID that can be matched to their face.

Authorization then means checking whether they have a reservation, which is what entitles them to enter the restaurant and order food.
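As an added example for this section (not code from the original article, and not any provider's implementation), here is the split between the two decisions in a gateway that accepts bearer tokens: authentication verifies an HS256-signed JWT, and authorization checks the token's scopes against the route being called. The signing key, the claims, the scope names and the route table are constructed assumptions; a real gateway obtains its keys from the identity provider.

```python
"""Gateway-side authentication (who is calling) and authorization (what they may do).
Illustrative code written for this article with constructed key material."""
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; never hard-code a real one.
SIGNING_KEY = b"example-shared-secret-do-not-reuse"

# Assumed authorization policy: (method, path) -> scope the token must carry.
ROUTE_SCOPES = {
    ("GET", "/products"): "products:read",
    ("POST", "/orders"): "orders:write",
    ("POST", "/reviews"): "reviews:write",
}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key):
    """Mint a token the way an identity provider would; only needed to build test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authenticate(token, key, now=None):
    """Return the verified claims or raise ValueError. Pins the algorithm, compares the
    signature in constant time and enforces expiry: the three checks gateways get wrong."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed token")
    # Never trust the token's own alg field: rejects "none" and key-confusion tokens.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise ValueError("malformed claims")
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    return claims


def authorize(claims, method, path):
    """A valid token may open some routes and not others; unknown routes are denied."""
    needed = ROUTE_SCOPES.get((method, path))
    if needed is None:
        return False
    return needed in claims.get("scope", "").split()


def gateway_decision(token, method, path, key=SIGNING_KEY, now=None):
    """What the gateway returns per request: 401 when identity cannot be established,
    403 when it can but the scope does not cover the route, 200 with the subject otherwise."""
    try:
        claims = authenticate(token, key, now)
    except ValueError as err:
        return 401, str(err)
    if not authorize(claims, method, path):
        return 403, "insufficient scope"
    return 200, claims["sub"]
```

The status codes encode the distinction in the text: 401 answers "who?" (the gateway could not establish an identity) and 403 answers "rights?" (the identity is known but not entitled to this route).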

2.3 Rate Limiting

Rate limiting involves controlling the number of requests a user or service can make within a specified time frame, usually defined as a limit on the number of requests per second (RPS).

Rate limiting helps avoid overloading backend services so that they remain available, whether the excess traffic is a buggy client or a deliberate flood. It is also part of cost control, because a managed gateway bills for every request it receives, including the ones it rejects.

The API Gateway can implement different rate limiting strategies based on the accessed user, service, or endpoint.

Using our restaurant analogy, imagine that we have guests in our restaurant, who are all verified, authenticated, and authorized to enter the restaurant. But these guests are extremely hungry and thirsty, and are constantly ordering food and drinks. At some point, this becomes unmanageable for the restaurant. The chefs and waiters are overworked and don’t have the capacity to take any new orders, they are running out of plates and cutlery, and the kitchen is running out of food.

The maître d' can step in and limit the number of orders a guest can place, for example capping the number of entrées or bottles of wine that can be ordered per hour. Limits ensure that the restaurant is not overloaded and can still serve new customers.
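Below is an added example for this section, written for this article rather than taken from it or from any provider: a token-bucket limiter keyed on the authenticated client rather than the source IP, with different limits per tier and per endpoint. The policies, client ids and the clock values are constructed; the clock is passed in explicitly so the behaviour can be replayed deterministically.

```python
"""Per-client token-bucket rate limiting as a gateway applies it in front of the
backend. Illustrative code for this article; limits and client ids are constructed."""


class TokenBucket:
    """Allows bursts up to `capacity`, then sustains `rate` requests per second."""

    def __init__(self, rate, capacity, now):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)
        self.updated = now

    def try_consume(self, now):
        # Refill lazily based on elapsed time, never beyond capacity.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class GatewayRateLimiter:
    """Limits keyed on the authenticated client id, not the source IP, so users behind
    one NAT do not share a bucket and a client cannot escape by rotating addresses."""

    def __init__(self, policies):
        self.policies = policies  # (tier, route) -> (rate, capacity); "*" matches any route
        self.buckets = {}

    def allow(self, client_id, tier, route, now):
        """Return (allowed, retry_after_seconds_or_reason)."""
        policy = self.policies.get((tier, route)) or self.policies.get((tier, "*"))
        if policy is None:
            return False, "no policy"  # deny by default rather than fall open
        key = (client_id, route)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(*policy, now=now)
        if bucket.try_consume(now):
            return True, None
        # Tell the client when to retry (HTTP 429 with Retry-After) instead of just failing.
        wait = (1.0 - bucket.tokens) / bucket.rate
        return False, round(wait, 3)


# Constructed policy table: sustained rate and burst size per tier and route.
POLICIES = {
    ("free", "*"): (2, 5),                # 2 rps sustained, bursts of 5
    ("paid", "*"): (50, 100),
    ("free", "POST /orders"): (0.5, 2),   # expensive endpoint gets its own tighter bucket
}


def simulate(limiter, client_id, tier, route, timestamps):
    """Replay a constructed sequence of request timestamps; return the allow/deny decisions."""
    return [limiter.allow(client_id, tier, route, t)[0] for t in timestamps]
```

Keying on the endpoint as well as the client is what lets a cheap `GET /products` and an expensive `POST /orders` have different budgets, the analogue of capping bottles of wine separately from bread refills.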

2.4 Request Routing

An API Gateway manages the routing of incoming requests to appropriate backend services based on various conditions like URL path, HTTP method, headers, or query parameters. It is an integral part of a microservices architecture where different services handle different parts of an API.

Going back to our earlier restaurant analogy, depending on the guest’s purpose, the maitre d’ will direct them to the appropriate person or place – diners to the server, guests who just want a drink to the bar, people asking about booking a restaurant event to the event coordinator.

2.5 Request and Response Conversion

This involves modifying requests and responses as they pass through the API Gateway.

For requests, this might mean adding, removing, or modifying headers, rewriting URLs, or even changing the request body. For responses, this might involve changing the status code, modifying headers, or transforming the body.

This functionality allows the API Gateway to act as an intermediary that can transform requests and responses to meet the needs of the client and the backend services.

Backend services can also perform this request and response transformation. Which component (API gateway or backend service) does it is a judgement call. However, the API gateway is often the natural place to centralize a transformation that several services need, rather than implementing it separately in each backend.

For example, if a restaurant guest is gluten intolerant, then their order will have to be altered to ensure the meal does not contain any gluten.

This conversion can be done at the door, with the head waiter explicitly listing which ingredients to leave out before the order goes to the chef, or in the kitchen, with the head waiter simply telling the chef that the guest ordered a gluten-free dish and letting the chef adapt the order accordingly.
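The following added example covers both section 2.4 and section 2.5 in one pipeline (written for this article; it is not code from the original or from any gateway product): requests are routed by method and longest path prefix, the public prefix is rewritten to the upstream path, a correlation header is added and client-supplied trust headers are stripped on the way in, and on the way out backend-fingerprinting headers are removed and the response body is pruned to what a mobile client needs. The route table, header names, service names and field names are constructed assumptions.

```python
"""Request routing plus request/response transformation in one gateway pipeline.
Illustrative code for this article; routes, services and field names are constructed."""
import uuid

# Constructed route table: (method, public prefix, service, upstream prefix).
ROUTES = [
    ("GET",  "/api/products", "product-service", "/v2/catalog"),
    ("POST", "/api/orders",   "order-service",   "/orders"),
    ("GET",  "/api/users/me", "user-service",    "/internal/profile"),
    ("GET",  "/api/users",    "user-service",    "/users"),
]

# Headers a client could set to impersonate the gateway's own trust signals.
CLIENT_HEADERS_TO_DROP = {"x-internal-role", "x-forwarded-user"}
# Headers that fingerprint the backend or leak debugging detail.
UPSTREAM_HEADERS_TO_DROP = {"server", "x-powered-by", "x-debug-sql"}

# Field allow-list per client type: the mobile app only gets what it renders.
RESPONSE_VIEWS = {"mobile": {"id", "name", "price"}}


def match_route(method, path):
    """Longest-prefix match with a segment boundary check, so /api/users
    matches /api/users/42 but not /api/usersfoo."""
    best = None
    for m, prefix, service, upstream in ROUTES:
        if m != method:
            continue
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[1]):
                best = (m, prefix, service, upstream)
    return best


def transform_request(request):
    """Return (service, upstream_request), or None when no route matches
    (the gateway answers 404 itself and nothing reaches a backend)."""
    route = match_route(request["method"], request["path"])
    if route is None:
        return None
    _, prefix, service, upstream = route
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()
               if k.lower() not in CLIENT_HEADERS_TO_DROP}
    # Correlation id for tracing a request across services; reuse one if already assigned.
    headers["x-request-id"] = request.get("request_id") or str(uuid.uuid4())
    return service, {
        "method": request["method"],
        "path": upstream + request["path"][len(prefix):],  # rewrite public prefix to upstream
        "headers": headers,
        "body": request.get("body"),
    }


def transform_response(upstream_response, client_type):
    """Strip leaky headers and, for clients with a view defined, prune the body."""
    headers = {k.lower(): v for k, v in upstream_response.get("headers", {}).items()
               if k.lower() not in UPSTREAM_HEADERS_TO_DROP}
    body = upstream_response.get("body")
    keep = RESPONSE_VIEWS.get(client_type)
    if keep and isinstance(body, list):
        body = [{k: v for k, v in item.items() if k in keep} for item in body]
    elif keep and isinstance(body, dict):
        body = {k: v for k, v in body.items() if k in keep}
    return {"status": upstream_response["status"], "headers": headers, "body": body}
```

Two details are easy to miss when routing by prefix: matching must respect path segment boundaries, and a more specific route such as `/api/users/me` must win over `/api/users`, otherwise the profile request would be forwarded to the wrong upstream path.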

3. Real World Examples

Microservices architecture is an approach to developing software that breaks large applications into smaller, independent components called microservices. Each microservice is a self-contained unit with a specific function or responsibility within the wider application.

The following diagram shows a simple microservices architecture for a basic e-commerce application.

[Figure: API Gateway used in the microservice architecture of an e-commerce website]

  • 「Clients」 : The different clients that interact with the e-commerce platform. They can be mobile applications, web browsers, or any other third-party applications.
  • 「API Gateway」 : Acting as the single entry point for all types of clients, it routes requests to the appropriate microservice based on the nature of the request (user-related, product-related, order-related).
  • 「Services」 : Example microservices for an e-commerce website. Each service handles a different aspect of the business logic, such as user profiles, the product catalog, and order processing.
  • 「Database」 : Each microservice has its own dedicated database to ensure data isolation and service independence.

In this example, the API Gateway:

  1. Validates every client request before it is forwarded.
  2. Makes sure customers are authenticated and authorized before actions such as placing an order or writing a product review.
  3. Rate-limits requests so that the services are not taken down by a flood of requests, malicious or otherwise.
  4. Routes client requests to the appropriate backend service based on conditions such as URL path, HTTP method, headers, or query parameters.
  5. Handles request and response transformations. For example, a response from the Product Service might have a complex format and extensive detail; the API Gateway transforms it into a format better suited to a mobile application, simplifying the data, converting it to a lighter format, or extracting only the fields the mobile application needs.

End

API Gateway is a fully managed service that makes it easier for developers to create, publish, maintain, monitor, and secure APIs at virtually any scale. Because it is fully managed, it abstracts the work required to manage and maintain the underlying infrastructure - this is handled by the cloud provider that provides the service.

An API Gateway acts as a middleman between clients and the many services that need to be accessed, and it handles request validation, authentication and authorization, rate limiting, request routing, and request/response translation.

It is particularly useful in microservices architectures, serving as a central entry point for managing, processing, and routing incoming requests to the appropriate microservices, playing a vital role in simplifying client interactions and providing a central interface for a group of microservices.
