Blog updated: April 2023
Sometimes everything depends on a powerful gateway. Covering security, control and the power of transformation, James Higginbotham explores the ways in which microservice architectures can benefit from an API gateway.
APIs are transforming the delivery of everything from fintech services to healthtech, through API-centric initiatives to APIs as products in their own right. This is prompting many businesses to explore the benefits of an API gateway in microservices architectures for the first time.
What is an API gateway?
An API gateway provides a single, unified API entry point across one or more internal APIs. The gateway typically provides:
- Rate limiting
- Access quota management
- Security
- Caching
- Routing
- API composition, processing and versioning
- API health analytics
An API management layer, such as Tyk, adds additional capabilities: in-depth analytics, monetisation, full lifecycle API management and more.
In a microservice-based architecture, whether you have 10, 100 or even more services, an API gateway can help provide a unified entry point for external consumers. It does this independent of the number and composition of internal microservices. By enforcing security and supporting scalability, API gateway tools for microservices can unlock significant potential in your architecture.
How an API gateway works in microservices
What is an API gateway in microservices? Well, in a microservice architecture, the API gateway pattern can help to solve a range of issues. The gateway sits at the edge of the microservices, managing API calls that flow between client applications and the various services.
Without an API gateway, you’re left dealing with a direct client-to-microservices pattern. Such implementations can get very messy, very fast. You end up with multiple client calls to multiple microservice endpoints, with client apps and microservices coupled in a way that discourages any kind of evolution of your microservices due to the layers of complexity involved. You’re effectively stifling innovation.
With microservice gateway and access patterns, you’re putting a software application – the gateway – between the client and the services. The client calls then flow through the API gateway, which routes them to the various microservices, including breaking calls down into different requests for different services, if required. Responses also flow through the gateway.
This structure delivers a range of benefits, including:
- Prevention of exposing internal concerns to external clients
- An additional layer of security for your microservices
- Support for mixing communication protocols
- Decreases microservices complexity
- Scope for microservice mocking and virtualization
We’ll explore these in more detail below.
API gateway microservices example
There are countless API gateway microservices examples out there. One of the best-known examples is Netflix. The streaming giant takes a ‘one size fits all’ approach to its architecture, despite the various client applications that are used to call it. Think televisions, tablets, smartphones, set-top boxes and so on.
Netflix has always been keen to embrace the advantages of technology and has successfully used GraphQL federation to scale and cement its global presence.
Of course, you don’t have to be the size of Netflix to enjoy the advantages of an API gateway in your microservices architecture. But before you start reaping those rewards, you’ll need to know which API gateway is best for microservices. Let’s look at some of the different types of API gateway in microservices to explore this.
Types of API gateway in microservices
The API gateway vs microservices debate is about more than just whether or not to use a gateway. Once you’re on board with the benefits of an API gateway in a microservices architecture, there’s still plenty to think about in terms of the types of API gateway in microservices architectures. For example:
- Should you use an open source API gateway for microservices? If flexibility is a priority for you, and avoiding vendor lock-in while also keeping your costs low, then microservices API gateway that’s open source could be just the ticket.
- Would an on-premise gateway or a cloud solution meet your needs best? There’s a convenience versus control debate to be had when it comes to whether to opt for an on-premise API gateway for a cloud gateway solution. Regulatory requirements may well come into play here too.
- Which API gateway providers should you consider and why? Identifying the best API gateway for microservices means looking in depth at what the market leaders are offering and considering which solution best fits with your microservices architecture, your team’s skills, your budget, your implementation timeline and more.
The benefits of an API gateway for microservices
The advantages of an API gateway in microservices architectures are numerous. Let’s look at some of the headline benefits.
Prevents exposing internal concerns to external clients
An API gateway separates external public APIs from internal microservice APIs, allowing for microservices to be added and boundaries changed. The result is the ability to refactor and right-size microservices over time, without negatively impacting externally-bound clients. It also hides service discovery and versioning details from the client by providing a single point of entry for all of your microservices.
This is one of the key benefits of an API gateway in a microservices architecture. It gives you the freedom and flexibility to change what you need to ‘behind the scenes’, from small service tweaks to fundamental changes – all without impacting the client side of things.
Adds an additional layer of security to your microservices
API gateways help to prevent malicious attacks by providing an additional layer of protection from attack vectors such as SQL Injection, XML Parser exploits and denial-of-service (DoS) attacks.
Given the ever-increasing sophistication of such attacks, no business can afford to ignore them. From disruption of services to reputational damage, there is a huge amount at stake; adding in an extra layer of security makes sense.
Enables support for mixing communication protocols
While external-facing APIs commonly offer an HTTP or REST-based API, internal microservices may benefit from using different communication protocols. Protocols may include ProtoBuf, AMQP or perhaps system integration with SOAP, JSON-RPC or XML-RPC. An API gateway can provide an external, unified REST-based API across these various protocols, allowing teams to choose what best fits the internal architecture.
And then there’s GraphQL. As adoption levels increase, it’s important to build in capacity. Do you want to build and manage GraphQL microservices next week, next month, next year…? At some point, it’s likely to happen, and an API gateway will help you adapt.
Decreased microservice complexity
Microservices have common concerns, such as: authorization using API tokens, access control enforcement and rate limiting. Each of these concerns can add more time to the development of microservices by requiring that each service implement them. An API gateway will remove these concerns from your code, allowing your microservices to focus on the task at hand.
Authorization and authentication in particular become much easier to manage when they are controlled via your API gateway. This setup also means you have clear oversight of who has been accessing what and when – something that can come in handy in all manner of scenarios.
Microservice mocking and virtualization
By separating microservice APIs from the external API, you can mock or virtualize your services to validate design requirements or assist in integration testing.
Being able to do this provides plenty of scope for innovation. You can test and tinker to your heart’s content, without impacting the experience of those accessing microservices through your API gateway.
The drawbacks of a microservice API gateway
While there are many benefits to using an API microservice gateway, there are some downsides:
- Your deployment architecture will require more orchestration and management with the addition of an API gateway
- Configuration of the routing logic must be managed during deployment, to ensure proper routing from the external API to the proper microservice
- Unless properly architected for high availability and scale, an API gateway can become a limiting factor and even a single point of failure
How to create an API gateway for microservices
If you want to choose the best API gateway for microservices, look for one that’s easy to implement and that delivers the flexibility, security and features you need right out of the box. Creating your microservices API gateway shouldn’t be hard – and with Tyk, it’s not.
For our self-managed (on-premise) gateway, you can complete the installation process using Docker in just minutes. For our cloud API gateway, you can sign up online and again it takes only minutes to get the gateway up and running.
Connecting and managing your microservices through an API gateway should be just as painless, though each gateway will have its own processes when it comes to connecting different services. Again, though, you should be looking at a task that takes only a few minutes.
Which API gateway is best for microservices?
Ok, so it’s fair to say we’re a bit biased when it comes to which API gateway is best for microservices. Clearly, we think that Tyk has plenty to offer. You can check out our candid comparison with Kong for full details, but in short we believe that Tyk’s strengths lie in the flexibility and freedom that our API gateway provides, along with how easy it is to use. Its powerful performance and minimal overhead are also pretty impressive.
When you’re already dealing with multiple microservices, the last thing you need is a gateway that’s complicated to understand or use. So, when you’re deciding which API gateway is best for microservices, be sure to factor usability into your thinking too.
We’ll let Tyk CEO Martin Buhr sum it up:
“Tyk was built to work with microservices – to be able to handle millions of transactions across multiple endpoints. This was before Kubernetes came along… We work very, very well in those ecosystems – Tyk is a really good piece of kit to put into your microservice first Kubernetes ecosystem and run your API management, all using Kubernetes operators and our Kubernetes operator and CRDs.”
How to implement an API gateway for microservices
It’s easy to implement an API gateway for microservices. You choose your provider, set up the gateway and start connecting your microservices. Simple! Or so it seems…
Actually, you need to think carefully about the API gateway pattern you want to implement. Do you want a single gateway that effectively couples all of your microservices or are you looking for multiple APIs gateways so that you can tailor each gateway for a different client app (one for web and one for mobile, for example)?
This ‘backend for frontend’ approach may initially sound like more hassle to set up, but it’s well worth considering when you’re mapping out your microservices API gateway strategy.
Why an API gateway is required in microservices
An API gateway is required in microservices for a range of reasons. The additional layer of security that it provides is one, as is the fact that implementing a gateway can reduce the complexity of your microservices architecture and management.
Increasingly for many businesses, the support that an API gateway provides for mixing and transforming communication protocols is also essential. This delivers far more flexibility than you could otherwise hope for in a direct client-to-microservices setup.
To underpin innovation, the fact that you can mock up and virtualize new services behind the gateway, all without impacting the client side, is also important. The fact that you can prevent exposing internal concerns to external clients is also a key driver for many businesses considering implementing an API gateway for microservices.
What is the use of an API gateway in microservices?
An API gateway sits between external consumers and your microservices, providing a unified entry point. You can use it not just for routing but for rate limiting and access quota management, caching, security and more.
You can also use an API gateway for composing, processing and versioning APIs, as well as for monitoring the health of those APIs. Different types of API gateway in microservices architectures will deliver different levels of analytics, but all should provide sufficient data to flag up any API health concerns. This is an important tool if you want to be as proactive as possible in identifying any pain points or issues within your architecture and your business.
Ultimately, you can use an API gateway for microservices to decrease complexity while enhancing security and manageability.
Why do we need an API gateway in microservices?
In simple terms, an API gateway in microservices can deliver smoother, easier management of your microservices architecture while saving you time and headaches.
Authentication and authorization is a good example of this. By centralising microservices authentication and authorization using an API gateway, you’re able to manage access to multiple services at once. No more fiddling around with individual services – you can shift control to the gateway and save time and effort in the process.
The fact that the gateway can route multiple API calls to different services simultaneously is also helpful in terms of increasing your efficiency. This centralised control lays a strong foundation for rapid scaling, so implementing an API gateway in your microservices architecture can also unlock your business’ potential for growth.
Microservices API gateway vs service mesh
There’s some major overlap between using a microservices API gateway and opting for a service mesh, yet the two were designed for different purposes. Using an API gateway and API management is all about facilitating API discovery, consumption and collaboration. The API gateway handles boilerplate logic to support scalability, enabling teams to productise their APIs.
A service mesh, on the other hand, is all about observability and interoperability, focusing on service connectivity. It’s a less high-level solution than the API gateway and API management, focusing on the relationships between services and enabling and monitoring holistic deployments.
This means that it isn’t always a simple question of microservices API gateway vs service mesh – it all depends on which problems you’re trying to solve and why. It’s also not an either/or situation – there’s room for both API management and a service mesh, depending on the size, resources and needs of your business.
List of API gateway for microservices
There are multiple options out there when it comes to choosing a gateway. Naturally, we think that Tyk deserves the top spot on your list of API gateways for microservices, but we also know that there are some great alternatives on the market, from Apigee to Azure.
With any decision like this over which provider to use, it’s essential to start with a list of your goals and priorities, including those over which there can be no compromise. You can use these priorities to guide your thinking and discussions as you review different providers.
One point to add here is that it’s not just the provider’s API gateway you need to review, it’s also their customer service. How quickly you can get hold of someone to help and how knowledgeable that individual is – and how capable of overcoming your challenges – can make a huge difference to your experience of using their product. Of course, if they’re also super nice, then so much the better.
Using Tyk for your microservice gateway
We’re not going to sing Tyk’s praises as the best API gateway for microservices here. Dave Koston, VP Engineering at Help.com, can do that instead!
“We use Tyk as a gateway in front of around 15 services (of varying sizes). We’re also using Tyk Identity Broker to proxy logins to our existing authentication service. Tyk gives us some really great features out of the box like rate limiting, sessions, token policies and visibility into API traffic.
“We also have web socket communication that requires authentication and it was easy to simply add some metadata to Tyk sessions and use the Tyk session store (Redis in our case) to authenticate those web socket connections with the same access token that we use for HTTP.”
To learn more about Tyk and how it can provide an API gateway for your microservices, along with API management of your public API, take a look at our microservices solutions. Or book a personalised demo.
