If you are a company or department that publishes APIs and you want other companies or departments to use them, you probably need an API management tool. An API gateway can also be one of the fastest ways to add security to your APIs. There is a large variety of API gateways on the market, and some of them are open source in their basic version. Let’s list the features that a comprehensive API gateway should have:
- API Management – defining routes and services, creating proxies, managing resources and endpoints (URLs), managing external and internal APIs
- Security – authentication, authorization, role-based handling, request rate limiting
- Developer Portal – onboarding consumers to use the APIs, publishing APIs to different environments like development, QA, staging, production. The portal could contain comprehensive documentation about the APIs and sample code.
- Analytics and Monitoring – tracing, debugging, monitoring (sometimes in conjunction with tools like Prometheus and Grafana, Elastic and Kibana)
If your application follows a microservice architecture, an API gateway can provide the following:
- Authentication – the gateway can authenticate requests, so the APIs can remove the security check from their code
- Orchestration – if an API in a microservice makes many different calls to the same or different microservices, the gateway can create an orchestrator API and package the data in the desired response to the consumer
- Different protocol support – if microservices communicate through different protocols like TCP, UDP, SOAP, the gateway can expose the APIs to the client through REST HTTP calls (the client won’t know the architecture of the microservices)
- Load-balancing configuration – the gateway could balance the load of requests between different nodes
- Response transformation – the API gateway could recognize the client (mobile, web etc.) and give a different response based on the client’s needs and configuration
- Circuit breaker – an API failure in one microservice can cause a cascading failure across all the API calls in a stack. The gateway can watch a threshold for any API in any microservice. If an API passes that threshold, the gateway marks it as an open circuit and does not make the call for a configured time (an example is Hystrix by Netflix). Once the API starts giving results as expected, the gateway marks it as a closed circuit again.
- Multiple API implementations and versions
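The circuit breaker behaviour from the list above, as an added example (not code from Kong, Apigee, Express Gateway or Hystrix). The class and function names, the threshold of three consecutive failures, the 5-second open period and the single trial call used to detect recovery are assumptions made for illustration.

```javascript
// Added example: circuit breaker state a gateway could keep per upstream API.
class CircuitBreaker {
  constructor({ failureThreshold = 3, openMs = 5000, now = Date.now } = {}) {
    Object.assign(this, { failureThreshold, openMs, now }); // now: injectable clock
    this.state = 'closed'; this.failures = 0; this.openedAt = 0;
  }
  // Called before proxying: may this request reach the upstream?
  allowRequest() {
    if (this.state === 'open' && this.now() - this.openedAt >= this.openMs) {
      this.state = 'half-open'; // open period over: allow exactly one trial call
      return true;
    }
    return this.state === 'closed';
  }
  recordSuccess() { this.state = 'closed'; this.failures = 0; }
  recordFailure() {
    this.failures += 1; // consecutive failures since the last success
    if (this.state === 'half-open' || this.failures >= this.failureThreshold) {
      this.state = 'open';
      this.openedAt = this.now();
    }
  }
}
// Gateway-side wrapper (upstream is a synchronous stub to keep the example short).
function proxy(breaker, upstream) {
  if (!breaker.allowRequest()) return { status: 503, body: 'circuit open' };
  try {
    const body = upstream();
    breaker.recordSuccess();
    return { status: 200, body };
  } catch (err) {
    breaker.recordFailure();
    return { status: 502, body: err.message };
  }
}
// Constructed scenario: the upstream fails, stays down, then recovers.
function simulate() {
  let clock = 0, healthy = false;
  const breaker = new CircuitBreaker({ failureThreshold: 3, openMs: 5000, now: () => clock });
  const upstream = () => { if (!healthy) throw new Error('upstream error'); return 'ok'; };
  const hit = () => proxy(breaker, upstream).status;
  const statuses = [hit(), hit(), hit(), hit()]; // 3 failures open the circuit, 4th is skipped
  clock += 5000;                 // open period elapsed, upstream still down
  statuses.push(hit(), hit());   // trial call fails, circuit re-opens
  clock += 5000; healthy = true; // upstream recovered
  statuses.push(hit(), hit());   // trial succeeds, circuit closes
  return { statuses, state: breaker.state };
}
console.log(simulate());
```

While the circuit is open the gateway answers 503 without touching the failing service, which is what stops one broken API from dragging down every call that depends on it.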
We evaluated the three most used API gateways on the market: Kong, Apigee and Express Gateway: