Friday, May 10, 2019

What is API Gateway? Need of API Gateway in modern software architectures

I work with very large size non-ITes and ITes organizations. When I talk with them about modern software architectures such as Serverless, Micro-services, Event driven; we inevitably talk about mysterious word - “API Gateway”.

Most of the time I have seen zero awareness about “API Gateway” being an important part of new modern software architectures. Many senior TDMs [Technical Decision Makers] completely ignore this important aspect of overall API centric approach for all of their applications as an Organization strategy. There are few senior architects who understand need of “API Gateway” but the number is really really less.

In last 4 months, after 7 customer visits, approx. 10 deep dive modern architecture discussions at various level in organizations, I felt there is a necessity of writing “Simple yet effective” blog post that will focus on need of “API Gateway” in today’s software architectures when we talk about “Digital Transformation journey” with big organizations.

And here I am, writing a post on “What is API Gateway? Why it matters? And how should you choose the right API Gateway for yourself”.

Let’s go!

Realizing the concept of API Gateway

Today every organization is trying to provide service based offerings. For example, Gmail provides “Email as a service”, O365 provide “productivity solutions as a service”.
When you think of providing services based offerings for your customers then inevitably large portion of your offerings will be built based on “APIs”. In today’s world it will be based on “REST API” and in many cases legacy APIs as well build on XML based services. So your APIs will essentially consist of main business logic/ critical intellectual property of your service. So it is really important for you to make sure that you PROTECT these APIs. Therefore API Gateway is an important architecture strategy.
If you are “solution architect” and working on API based solution architecture; API Gateway is a must for you. Let’s understand why we need API gateway Or what benefits we get by using API Gateway.

Understanding the need of an API Gateway?

In today’s world REST APIs usually consist of main business logic/ Intellectual property/ critical exposing layer for your sensitive data. So directly exposing your actual REST API to rest of the world is not a good idea. It has to have a protection layer which monitors every coming requests. Sees if incoming request is a valid, legitimate request and then allow to reach to actual API. This middle man/ protection layer/ wrapper around your actual API is called as “API Gateway”.

An API Gateway is wrapper around your actual REST APIs or any type of APIs for that matter. When you say wrapper; means you don’t expose your actual REST API to the outside world rather you expose it through API Gateway. This has number of benefits –

  •          Security for your actual API
  •         Manage API lifecycle
  •         Routing, protocol transformation
  •         API monitoring, analytics
  •         Logging the every request hitting your API

Below is the conceptual diagram of API Gateway and where it resides –

As you can see in above diagram, all types of applications who consume your API will pass through the API Gateway Layer. So basically now all the common aspects of security for accessing your actual API; can now be “centralized” at one place and that is your API Gateway layer. So essentially you “Avoid” duplication of same work for each of the APIs common requirements such as security, monitoring, analytics etc.

Benefits of using API Gateway

Language agnostic –

Consider a scenario – You have 10 API’s developed in Java and .NET. All of them need to implement modern OAuth 2.0 based authentication scenario for protection of your APIs. So essentially, you will have to learn and code about implementation of OAuth 2.0 using your “Identity service (such as Auth0, Azure AD, Active Directory, Apache Directory and so on)” in both .NET and Java. Tomorrow you embark on the journey of Python for writing you Machine Learning APIs then you will have to same thing in Python as well. This is duplication of same work in different languages. Here API Gateway can rescue you.

No matter in which language your API is developed (Java, NodeJS, C#, Python etc.); what you need is a common API description format [example, Swagger] to onboard in API Gateway. Hence API gateway makes onboarding your organization wide APIs independent of the language in which they are written. This is huge benefit. So now you write your OAuth 2.0 implementation only with respect to “API Gateway” layer and you are done. All your APIs are now OAuth 2.0 authentication enabled without writing/ changing a Single line of code in actual APIs.

So API Gateway is Language Agnostic.

Compute and hosting platform Agnostic

To import your APIs in API Management it is not necessary to host your APIs on VM/ or physical machine or cloud. Your APIs can be anywhere and can be onboarded into API Gateway. You can have your actual APIs hosted on-premises, any cloud, Serverless, CDN hosted, VM hosted, PaaS anything. Doesn’t matter. The process of onboarding APIs inside API Gateway remains same and easy.

Centralized SSL implementation

Making sure that “Encryption during transit” of your API call is of most importance. This is where you use SSL certificates. When there is HTTPS is involved, payload (data sent in requests like Header and Body both) is encrypted during transit. This can be configured in API Gateway itself. Hence avoiding the same configuration involved on each of the server hosting your APIs.

Centralized Security configuration

API Gateway provides important features such as IP Filter, Validate Tokens configurations. This helps in building important security for all your APIs at one place.

Centralized Caching Framework

Many API Gateways has inbuilt caching mechanism which helps in caching GET method responses. This provides huge performance benefits on exposing APIs without API Gateway layer. In one of the trial of API Gateway I have seen without caching the response was taking around 300ms and after caching it took 7ms. This is amazing. Also most of API Gateway products these days coming with support for external caching products like Redis Cache. This way if the size of API Gateway caching is limited you can extend to external cache seamlessely and have more storage for caching the GET method responses.

So this way you avoid caching implementation at each of the individual APIs.

Note – Here some smart people may think why I am talking about only GET method response caching why not other methods such Post, Put, Delete? Well only GET method can be cached. Technically you can cache all methods but not recommended. Caching should be done for GET methods only. This is commonsense in Architecture design principles.


REST based APIs development approach is used for new API development however there is a large portion of existing APIs that deal in XML. So many times to make them work in new digital world and various new modern technologies you need to convert request and response from XML to JSON or JSON to XML, Transform XML using XSLT, replace string in body, set query string parameter and so on. All of this kind of transformations can be achieved using API gateway without writing a single line of code.

Versioning of APIs

This is another important benefit of API Gateway. You can expose multiple versions of the same API depending on the need. So this helps in updating the APIs to latest features without downtime because you can have multiple versions of the same API exposed at the same time using API Gateway.


This is by far one of the most important benefit you get by using API Gateway. Policies bring life of your APIs in balance. There are tons of policies API Gateway provides that makes API lifecycle management extremely easy and manageable. There are various categories of policies provided such as  -
  •         Access restriction
  •         Authentication
  •         Cross domain
  •         Caching
  •         Transformation
  •         Trace
  •         Control Flow
  •         Error handling and many more…

Supercool: Making money out of your APIs

I have seen lot of startup companies in recent time who only creates APIs. Then they sell these APIs, charge them per call to various companies and make money out of it. If you have such a vision in your mid then you can use API Gateway various features such as Grouping of APIs in logical structure and make it open to your customers. For example you can create FREE group which allows calling of your APIs only 10 calls/ min and max 1000 in a day. Then you can create BASIC pricing plan and allow 10 calls/ sec and charge them. Similarly you can create various plan such standard, premium and so on. Example Sendgrid, Twilio. These companies offer email, SMS APIs and they charge their customers based on such type of pricing plans. Building such type of money making model becomes super easy using “API Gateway layer”.

So by now I hope you are convinced why it makes sense to include API Gateway layer in your modern application architectures. As API gateway helps you to manage the lifecycle of APIs; it is also called as “API Management solution”.

So, what is Azure API Management?

In essence API Gateway is a Concept. Azure API Management is an implementation/ product of API Gateway concept. Similarly, other companies also provide API Gateway concept-based product; like Apigee, AWS API Gateway and so on.

If you are seriously looking into Azure cloud; API Management is a hero service that you can’t ignore. You should use API Management if you are betting on Azure platform. It is one of the versatile service in Azure and a complete solution to your “API Gateway” needs.


Hope this post gave you an idea why we should include API Gateway layer. This is really needed and important component to include in your organization wide applications architectures.

Well, API Gateway is going to be mission critical for you over a time period once you start on it and hence it is really important to configure DR (Disaster recovery) for the same. In next few posts I will show how can we achieve DR for Azure API Management solution.

Happy APIsation!!

1 comment: