An API gateway is a component that sits between a client and a collection of backend services.
An API gateway acts as a reverse proxy to accept all API calls, aggregate the various services required to fulfill them, and return the appropriate result.
What Do API Gateways Do?
Prevents exposing internal concerns to external clients.
An API gateway separates external public APIs from internal microservice APIs, allowing microservices to be added and boundaries changed. The result is the ability to refactor and right-size microservices over time without negatively impacting externally-bound clients. It also hides service discovery and versioning details from the client by providing a single point of entry for all of your microservices.
Adds an additional layer of security to your microservices.
API gateways help to prevent malicious attacks by providing an additional layer of protection from attack vectors such as SQL injection, XML parser exploits, and denial-of-service (DoS) attacks.
Enables support for mixing communication protocols.
While external-facing APIs commonly offer an HTTP or REST-based API, internal microservices may benefit from using different communication protocols. Protocols may include ProtoBuf, AMQP, or perhaps system integration with SOAP, JSON-RPC, or XML-RPC. An API gateway can provide an external, unified REST-based API across these various protocols, allowing teams to choose what best fits the internal architecture.
Decreased microservice complexity.
Microservices have common concerns, such as: authorization using API tokens, access control enforcement, and rate limiting. Each of these concerns can add more time to the development of microservices by requiring that each service implement them. An API gateway will remove these concerns from your code, allowing your microservices to focus on the task at hand.
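The concerns listed above (API token authorization, access control enforcement, rate limiting), handled once at the gateway before a request is routed to an internal service. This is an added example, not code from the original article or from any vendor; the routes, tokens, scopes and class names are constructed for illustration.

```python
import hmac
import time

# Constructed sample data. ROUTES: public path -> (internal upstream, required scope).
ROUTES = {
    "/v1/orders": ("http://orders.internal:8080/list", "orders:read"),
    "/v1/invoices": ("http://billing.internal:9000/invoices", "billing:read"),
}
TOKENS = {  # constructed API token -> (client id, granted scopes)
    "tok-alice-demo": ("alice", {"orders:read", "billing:read"}),
    "tok-bob-demo": ("bob", {"orders:read"}),
}

class TokenBucket:
    """Allows bursts of `capacity` requests, refilled at `rate` per second."""
    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.updated = float(capacity), now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class Gateway:
    def __init__(self, capacity=2, rate=1.0):
        self.capacity, self.rate, self.buckets = capacity, rate, {}

    def handle(self, path, token, now=None):
        """Return (status, internal upstream URL or None) for one client request."""
        now = time.monotonic() if now is None else now
        # Authentication: each token comparison runs in constant time.
        client = next((v for k, v in TOKENS.items()
                       if hmac.compare_digest(k.encode(), (token or "").encode())), None)
        if client is None:
            return 401, None
        name, scopes = client
        # Rate limiting: one bucket per authenticated client.
        bucket = self.buckets.setdefault(name, TokenBucket(self.capacity, self.rate, now))
        if not bucket.allow(now):
            return 429, None
        # Routing and access control: unknown path first, then missing scope.
        if path not in ROUTES:
            return 404, None
        upstream, required = ROUTES[path]
        return (200, upstream) if required in scopes else (403, None)
```

The backend services never see a request that failed any of these checks, and the client never learns the internal upstream addresses.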
Microservice Mocking and Virtualization.
By separating microservice APIs from the external API, you can mock or virtualize your services to validate design requirements or assist in integration testing.
API gateway providers
API gateways started as bespoke middleware. Today, though, there are many providers to help you implement a proxy for any of the aforementioned cases. Let’s review and compare them using the following factors:
- Open source or proprietary
- Self-hosted or cloud
- Community
- Plugins and integration support
- Technologies used
Kong Gateway — for modern microservices-based apps
Kong provides a variety of API management functions, and its gateway solution exists as two options: an open source product and a licensed one with a few extra features. It’s also versatile in terms of deployment options, one of which is premade Docker containers. The open source version runs on premises, but the enterprise one also supports hybrid cloud implementation.
Kong is also well-known for its abundant plugins, both official and community-developed, that allow you to transform your gateway into a full cycle API management platform when needed. Kong is a solid gateway choice, except when you’re managing legacy apps: it can’t transform calls into SOAP or XML formats.
Amazon API Gateway — for serverless Lambda development
If you’re building a serverless architecture with AWS Lambda, AWS API Gateway is your best option. It’s cloud-only and AWS users can integrate it in a couple of clicks. Their free tier ends at 1 million API calls, so it doesn’t hurt to try it out, especially since its feature set is comparable to Kong Enterprise.
Just keep in mind the vendor lock-in that comes with AWS tools. The tool doesn’t have many third-party plug-ins, so you have to be very confident that you’ll be using it in the long run.
Tyk Gateway — for enterprise-level development
Tyk might be one of the most approachable vendors as its gateway is open source and free even with enterprise-level features. Easy integration is also in Tyk’s philosophy — you can write plugins in Python, JavaScript, Go, and more languages, and of course, use plugins created by their growing community.
Any protocol is accepted and convertible: REST, SOAP, gRPC, GraphQL, and TCP. If you wonder about any cons, Tyk is under the MPL license, one of the less permissive ones.
KrakenD — for aggregating many microservices
KrakenD claims to be a super-performant API gateway that’s also open source and available for all deployment types: on premises, in the cloud, and hybrid. Its unique feature is the declarative way to create endpoints, allowing its use with no programming whatsoever. You can extend its functionality using Go and Lua, but don’t expect much from third-party plugins as its community is quite small.
There’s an Enterprise tier with a few extra features like OpenAPI specs generation, but the use of standard features is free and unlimited for all.