What is an API gateway?

The use of APIs has exploded in recent years. Software AG reports that 98% of IT decision-makers ranked APIs as ‘extremely important’ or ‘very important’ in 2022, while Akamai states that API calls now represent 83% of web traffic.

Using an API gateway could level up the security, performance and management of your APIs. Whether you’re new to the whole idea or in the midst of mapping out a detailed API platform strategy, it’s important to understand just how an API gateway can seamlessly integrate applications, streamline data exchange and deliver a smoother, more performant API experience.

All this means that if you’re not up to speed yet with what an API gateway is, it’s time to catch up. Fast.

Introduction to API gateways

According to Markets and Markets, the API management solutions market is on track to increase from USD 4.5 billion in 2022 to USD 13.7 billion by 2027. That’s an impressive compound annual growth rate (CAGR) of 25.1%. Within this market, API gateways are essential in supporting organisations to design, create, publish and monitor their APIs – along with much, much more, as we’ll explore below. 

What is an API?

Let’s start with the basics. An application programming interface (API) is an intermediary set of definitions and protocols that enables two computer programs to communicate and share data. Commonly used APIs include RESTful APIs, SOAP APIs and, more recently, GraphQL APIs.

What is an API gateway?

An API gateway sits between a client and a set of backend services. It is an API management service that provides a unified entry point for API calls. It serves as a central control plane that enables you to perform a range of functions efficiently. You can use an API gateway to improve the security of your APIs, enhance their performance and make it easier to manage them. 

Note that an API gateway is not the same as a gateway API. A gateway API is a means of integrating an application with an API gateway system.

While an API gateway microservices architecture is the most common example, it’s not the only way to use a gateway. We’ll look at several examples of API gateways in action below. We have also included in-depth details on why you need API management in the video below. 

Why use an API gateway?

Whether managing a single API or a whole range of API products, you can use an API gateway service to make it easier to secure and manage your APIs. An API gateway manages the traffic between the client and the backend. This means it can handle requests and retrieve data and services, including routing, combining multiple API calls and enforcing policies. 

In a nutshell, an API gateway can handle the following:

  • Authentication and authorisation
  • Protocol mediation and transformations
  • Custom plugins and functions
  • Analytics and tracing
  • Versioning and lifecycle management
  • Caching
  • Endpoint protection
  • Logging 

Benefits of an API gateway

API gateway integration can deliver many benefits, from faster API product creation to customer and revenue growth. You can use a gateway to lift and shift cloud migration, adopt microservices, scale rapidly, undertake complex API data/systems integration, or provide stress-free, efficient and secure API management. 

Simplifying the API management process

Whoever said API management should be hard? In this day and age, there’s certainly no need for it to be. By controlling everything at the gateway layer, you can easily bring standardisation to your API management. 

You also benefit from super simple deployment by choosing an API gateway open source product such as Tyk. Thanks to the open source code, you can deploy Tyk anywhere and get started in minutes, with no third-party software to manage – just full oversight and complete control. 

Improving security

Simplicity aside, using an API gateway can work wonders for your API security. You can implement security policies at the gateway level, meaning that every API benefits from standardised security, regardless of which of your teams created it. That means you don’t have to worry about building security for every API and microservice, as the gateway takes care of it all. 

Access control, key management, key hashing, whitelisting, certificate pinning, dynamic client registration… you can manage all of this and more through an API gateway. You control who accesses your APIs, when and how.

API security gateway features include encrypting traffic to ensure secure communication and data exchange. Encrypting sensitive information in transit can help keep your data safe from prying eyes and unauthorised access.

A secure API gateway can also handle authentication and authorisation. This allows you to verify the identity of anyone making an API request and put permissions in place to enforce appropriate access control.

Features such as rate limiting and load balancing further contribute to security. They can help keep you secure from distributed denial of service (DDoS) attacks by ensuring the gateway isn’t overwhelmed by too many requests. This can also protect against cascading failures. 

Reducing latency

API gateway solutions have the potential to introduce latency, as your API calls are now going through the gateway layer. That said, the most performant API gateway will be able to handle tens of thousands of requests per second with minimal introduced latency. 

If latency is particularly relevant to you, there are steps that you can take to reduce it. API caching, for example, has the potential to reduce latency and is easy to manage through an API gateway platform.

Scaling APIs

Implementing API gateway software creates the ideal environment for scaling your APIs and growing your business. It opens up the potential to manage each step of your API lifecycle, laying the groundwork for smooth scaling. Then it’s time to grow. 

With Tyk, for example, you can import your APIs, support versioning strategies and easily document and publish your API into a catalogue for discovery. You can also use detailed analytics to understand how your APIs are being consumed and better respond to evolving customer needs. 

Types of API gateway

There are two main types of API gateways to choose from: cloud-based API gateways and on-premise API gateways. You can also opt for a hybrid solution, where your API gateway provider hosts the API management layer while your edge gateways are deployed on your infrastructure. 

The setup you need will depend on a range of factors…

Cloud-based API gateway

If time is of the essence, a cloud-based API gateway can give you a head-start, as you don’t have to worry about infrastructure headaches. You can choose the regions where you want to locate your gateway(s), decide where your data will reside, and get started. 

With a cloud-based API gateway, you can achieve everything you need quickly and easily. With Tyk Cloud, for example, you can:

  • Implement your custom logic with Python-based plugins
  • Configure custom domains for your dashboard and developer portal
  • Create and manage multiple environments
  • Create and manage control plane and edge gateway deployments
  • Define teams, roles and users and easily manage access

On-premise API gateway

Also referred to by some API integration companies as a self-managed API gateway, an on-premise gateway is one that you install in your own infrastructure. This leaves you in complete control with no calling home and no usage limits (at least, not with Tyk API Gateway). 

Control is a huge deal for many organisations. For example, if you operate in a heavily regulated environment, you may need a gateway to be part of your own infrastructure rather than cloud-based. This is where an on-premise solution shines, giving you the API gateway you need while leaving you in total control. 

Considerations for choosing an API gateway solution

There are many API gateway solutions on the market. Whether you need a Kubernetes API gateway as part of a gateway microservices setup, a gateway for a serverless architecture or even a gateway for a monolithic architecture, you’ll be able to find one that perfectly suits your needs. Book an API gateway demo to see each product you’re considering first-hand before committing to one.

API gateway costs are something to consider carefully when choosing a solution. Beware products that entice you with freemium models or large jumps between usage tiers. Such solutions can cost far more than you originally anticipated, particularly as your business grows.

Let’s run through a few other considerations.

Open-source vs commercial API gateways

As a committed API gateway open source provider, Tyk is clearly an advocate of the open source approach. It gives you the power to create new products and grow your customers and revenue while enjoying full oversight and complete control. Open source also means you have an entire community of experts. What’s not to love?

Alternatively, a commercial API gateway may be a good choice if you need to integrate with other products from the same provider. However, there is little to choose between open source and commercial products besides the more attractive price tag that usually accompanies open source gateways!

Scalability and performance considerations

Most businesses are aiming for growth. That means choosing an API gateway that doesn’t just meet your current performance needs but also your future ones. You’ll need to consider how easy it will be to scale and how much it’s likely to cost you as you do.

Support for different protocols and formats

Which API protocols and formats will your API gateway software be working with? Whether you’ve got REST, GraphQL, gRPC, SOAP or other APIs, you’ll need a gateway capable of working with them.

How does an API gateway work?

Whether you want to implement an API gateway for security reasons, to help you scale, or as part of a complex API gateway microservices architecture (or for any other reason), the gateway’s core functionality will underpin everything. A gateway can route requests, take care of authentication and authorisation, manage traffic and handle caching. 

At a basic level, an API gateway works by accepting API requests from clients. The gateway processes those requests in accordance with policies that you can define. Based on those policies, the gateway will direct the requests to relevant services. It can combine responses and aggregate results before returning them to the client. 

An API gateway can also translate between different API protocols. This means that you can work with SOAP, RESTful, GraphQL and other APIs while delivering a smooth user experience. In essence, you can tinker with the backend while presenting a single, unified entry point for clients. 

Request routing

An API gateway comes with a range of routing features. These include things like rate limiting, load balancing (such as native round-robin load balancing to rotate requests through target hosts), circuit breakers (these can be rate-based, to trigger events for corrective action or logging), the ability to manipulate requests and responses, custom error handling and more. 

Authentication and authorisation

You can use an API gateway to implement access control policies to ensure your APIs are secure. The range of available authentication and authorisation mechanisms is impressive. Bearer tokens, HMAC signatures, JSON web tokens, multiple auth, OAuth 2.0, keyless authorisation, OpenID Connect, Go plugin authentication, Python CoProcess and JSVM plugin authentication and physical keys are just some of your options! 

Traffic management

Being able to manage traffic to suit your needs is one of the key benefits of an API gateway. Examples of the ways in which an API gateway can manage traffic include: 

  • Rate limiting – so your API doesn’t get overwhelmed
  • Request throttling – so you can automatically queue and retry requests when quota or rate limits are hit
  • Request quotas – so you can control requests over longer periods
  • Request size limits – so you can control traffic size
  • Key expiry – so you can adopt regular token recycling 
  • Progressive delivery – so you can build on your core CI/CD principles
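
To make the request flow and the traffic controls above concrete, here is an added example (not Tyk's code or configuration) of a gateway that checks key expiry, request size, a token-bucket rate limit and a longer-period quota before routing by path prefix. The class names, field names, status codes and sample values are assumptions made for this example.

```python
import time
from dataclasses import dataclass

@dataclass
class Policy:              # per-key policy; field names are this example's own
    rate: int              # rate limit: requests allowed per `per` seconds
    per: float
    quota: int             # request quota over the longer `quota_period`
    quota_period: float
    max_body: int          # request size limit in bytes
    expires_at: float      # key expiry as epoch seconds

@dataclass
class KeyState:
    policy: Policy
    tokens: float
    refilled_at: float
    quota_used: int
    quota_reset_at: float

class Gateway:
    def __init__(self, routes, clock=time.time):
        # Longest prefix first so "/orders" wins over "/".
        self.routes = sorted(routes.items(), key=lambda r: -len(r[0]))
        self.clock = clock  # injectable so the limits can be tested
        self.keys = {}

    def add_key(self, key, policy):
        now = self.clock()
        self.keys[key] = KeyState(policy, float(policy.rate), now, 0,
                                  now + policy.quota_period)

    def handle(self, key, path, body_len=0):
        """Apply the policies in order; return (status, detail)."""
        now = self.clock()
        st = self.keys.get(key)
        if st is None or now >= st.policy.expires_at:
            return 401, "unknown or expired key"
        p = st.policy
        if body_len > p.max_body:
            return 413, "request body too large"
        # Token bucket: refill in proportion to elapsed time, capped at `rate`.
        st.tokens = min(p.rate, st.tokens + (now - st.refilled_at) * p.rate / p.per)
        st.refilled_at = now
        if st.tokens < 1:
            return 429, "rate limit exceeded"
        if now >= st.quota_reset_at:          # start a new quota period
            st.quota_used, st.quota_reset_at = 0, now + p.quota_period
        if st.quota_used >= p.quota:
            return 403, "quota exceeded"
        upstream = next((u for pre, u in self.routes if path.startswith(pre)), None)
        if upstream is None:
            return 404, "no route"
        st.tokens -= 1                        # charge only requests that are forwarded
        st.quota_used += 1
        return 200, upstream

def demo():
    """Run constructed requests against a constructed policy and routes."""
    now = [1000.0]
    gw = Gateway({"/orders": "orders-svc", "/": "web-svc"}, clock=lambda: now[0])
    gw.add_key("key-a", Policy(2, 1.0, 3, 3600.0, 1024, 2000.0))
    out = [gw.handle("key-a", "/orders/7")[0] for _ in range(3)]  # third is limited
    now[0] += 1.0                              # bucket refills after one second
    out += [gw.handle("key-a", "/orders/7")[0] for _ in range(2)]  # quota then bites
    return out

if __name__ == "__main__":
    print(demo())
```

The rate limit and the quota fail differently here: the 429 clears as soon as the bucket refills, while the 403 persists until the quota period resets.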

Caching

An API gateway gives you the ability to cache requests in various ways. For example, you could simply cache all safe requests, manually set which endpoint patterns to cache, or enable upstream control to allow another application to tell the gateway what to cache or not cache and for how long.
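
The three caching approaches just described can be sketched as one decision function in front of a TTL store. This is an added example, not Tyk's implementation: the header names, mode names and defaults are hypothetical, and restricting every mode to safe methods and keying entries by API key are design choices of this example.

```python
import fnmatch
import time

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ACTION_HEADER = "x-example-cache"       # hypothetical upstream-control header
TTL_HEADER = "x-example-cache-ttl"      # hypothetical TTL header, in seconds

class ResponseCache:
    def __init__(self, mode, patterns=(), default_ttl=60, clock=time.time):
        self.mode = mode                # "safe", "patterns" or "upstream"
        self.patterns = patterns        # glob patterns used in "patterns" mode
        self.default_ttl = default_ttl
        self.clock = clock
        self.store = {}                 # (api_key, method, path) -> (expires_at, body)

    def ttl_for(self, method, path, upstream_headers):
        """Seconds to cache this response for; 0 means do not cache."""
        if method not in SAFE_METHODS:  # never cache state-changing requests
            return 0
        if self.mode == "safe":
            return self.default_ttl
        if self.mode == "patterns":
            hit = any(fnmatch.fnmatchcase(path, p) for p in self.patterns)
            return self.default_ttl if hit else 0
        if self.mode == "upstream":     # the backend decides, per response
            if upstream_headers.get(ACTION_HEADER) != "1":
                return 0
            try:
                return max(int(upstream_headers.get(TTL_HEADER, self.default_ttl)), 0)
            except ValueError:          # malformed TTL: fail closed, do not cache
                return 0
        return 0

    def fetch(self, api_key, method, path, upstream):
        """`upstream(method, path)` returns (headers, body). Returns (state, body)."""
        now = self.clock()
        # The API key is part of the cache key so that one client's cached
        # response is never served to another client.
        k = (api_key, method, path)
        entry = self.store.get(k)
        if entry and entry[0] > now:
            return "HIT", entry[1]
        headers, body = upstream(method, path)
        ttl = self.ttl_for(method, path, headers)
        if ttl > 0:
            self.store[k] = (now + ttl, body)
        else:
            self.store.pop(k, None)     # drop any stale entry
        return "MISS", body
```

Header lookups here are case-sensitive because the sample headers are a plain dict; a real gateway would normalise header names first.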

Transformation and data enrichment capabilities in API gateways

If you need to modify inbound and outbound body data and header information on the fly, an API gateway can help. With Tyk, for example, you can do this using scriptable or dedicated middleware. In this capacity, an API gateway can ensure traffic is in the required format, structure or style for your backend services and the client.

Gateway request and response transformation capabilities enable you to modify incoming requests to match an expected format or structure. You can do the same with responses, transforming them to match the client’s expectations. You can also check incoming requests to validate that they meet specific criteria before they reach your backend services.

In addition to request and response transformation, API gateways can also handle data transformation, converting data formats and structures for seamless communication between services. They can also enrich data by modifying information or adding to it en route to its destination. Another API gateway benefit is combining multiple responses into one unified response for the client.

Monitoring and analytics provided by API gateways

Ensuring your APIs are healthy, reliable and performant is essential to providing a positive API experience. Gateway benefits related to analytics and monitoring can help here. On the monitoring front, an API gateway allows you to observe the health of your APIs, enabling you to spot any errors quickly, including through automated alerts. You can also dynamically adjust routing based on backend service availability.

In terms of analytics, API gateways collect and analyse API usage and performance data, enabling you to make data-driven business decisions. They can also collect error data, including converting error messages from the backend into the format required by the client. The gateway can also deliver default responses or prompt alternative behaviour during backend failures.

Deployment considerations

How do you want to deploy your API gateway? Are you after a self-managed solution or a cloud gateway with zero infrastructure headaches? You’ll need to decide this before choosing a gateway solution.

There’s a geographic aspect to this, too. If it’s important to you to be wherever your users are (whether for performance, data sovereignty or other reasons), check which hosting locations an API gateway offers before committing to it.

API gateway and microservices architecture

What is an API gateway in microservices? It’s an essential component for enabling seamless, secure communication and data exchange. An API gateway for microservices sits between the client and your services, providing a single entry point.

This has several benefits when it comes to working with APIs and microservices. For example, you can work on your backend services without impacting the client experience. You can also deliver responses from multiple services as one single response to the client.

API gateway for Kubernetes

If you use Kubernetes with your microservices, a Kubernetes API gateway can help you manage your APIs declaratively. Tyk Operator can help with this using Kubernetes custom resource definition (CRD) manifests.

As with other API gateway setups, the benefits of using an API gateway with Kubernetes include enhanced management, security and efficiency.

API gateway and Ingress 

Ingress is an API object in Kubernetes that lets you flexibly configure routing rules when managing external access to services within a cluster. You can use an API gateway with Ingress, with Ingress handling basic routing and the gateway dealing with more advanced features. This provides a clean separation of concerns and a consistent entry point for external clients. When using Tyk, you can enrich Kubernetes Ingress with Tyk Operator.

API gateway and service mesh 

You can use an API gateway with a service mesh. This gives you all the usual benefits of using an API gateway at a higher level of abstraction, with the service mesh performing network-level tasks behind it. It’s a significant architectural decision, so it’s worth exploring in more detail if you’re wondering whether to use API management, a service mesh or both.

Best practices for API gateways

Regardless of your motivations for implementing an API management service, there are tried and tested best practices that will help you – and your end users – enjoy a smooth experience. Let’s look at a few of these. 

Designing for scalability

Scalability is the key to rapid growth. As such, if you plan to grow your customer base and revenue, it’s essential to design for scalability from the outset. An API gateway facilitates this by enabling robust security and efficient request handling and traffic management, no matter how much or how rapidly you scale.  

Monitoring and logging

Monitoring your APIs’ general health and performance is essential to both troubleshooting and making proactive, data-driven decisions. As such, implement monitoring and logging at the outset of your API gateway journey for maximum insight into your business. 

Versioning

Over time, you will need to iterate different versions of your API. An API gateway makes it easy for you to create new versions from existing API products while supporting backward compatibility and avoiding breaking a contract. 

Implementing security protocols

To protect your endpoints and data in transit, it’s essential to implement robust API security protocols. The best practice is to do so in a consistent and standardised manner, which is precisely what API gateway solutions facilitate. 

If you would like to learn in more detail about what an API gateway is and how it could benefit your business, why not chat with Tyk? Our friendly, expert team is always happy to talk about all things gateway-related, so drop us a line to get in touch.

10 benefits of using API gateways

The advantages of API gateway implementation include management, security, performance and various other benefits.

1. Simplification of communication

Without an API gateway, managing the volume of communications pathways that modern networks entail – particularly in microservices architectures – quickly becomes complicated, time-consuming and not fun.

An API gateway simplifies the client interaction element of this, providing clients with a single, unified entry point, no matter how complex the underlying web of services.

2. Efficient API management

Having an API gateway that serves as a centralised control plane, providing a unified point through which clients can interact with your services, simplifies the overall management of your APIs. It makes it easier to enforce policies and bring consistency to multiple services.

3. Centralised policy enforcement

You can apply consistent security, routing and observability policies by centralising your enforcement with an API gateway. Applying API management policies helps to bring reliability and dependability to your APIs and services while simplifying their administration. It also makes it easy to version and roll back policies, and to centralise logging and auditing of policy-related events so that you can track patterns and identify security incidents.

4. Security enhancement

Security is one of the most significant benefits of using an API gateway. Centrally managing security measures such as authentication, authorisation, and encryption enables a swift response to potential threats.

5. Load balancing

An API gateway’s load-balancing capabilities help prevent any single service instance from being overwhelmed by traffic. It also supports scalability, high availability, performance optimisation and fault tolerance.

6. Caching

Caching is when the gateway stores and retrieves frequently requested data. This means you can reduce the load on your backend services while delivering improved client response times. Tyk provides plenty of flexibility in how you configure caching, so you can optimise performance on your own terms.

7. Rate limiting

As mentioned above, rate limiting is essential in protecting your services from a DDoS attack. It puts the power to control the rate of incoming requests in your hands. In addition to preventing abuse (as well as accidental overwhelming of the gateway), rate limiting can ensure fair usage between clients.

8. Insights and analytics

The key benefit here is the detailed insight into usage, performance and errors that API gateways can provide. These insights allow you to track your APIs’ health and to troubleshoot swiftly and efficiently when you identify bottlenecks or other problems.

9. Cross-cutting concerns

It can be challenging to modularise cross-cutting concerns as they cut across traditional system boundaries. However, an API gateway providing common functionalities such as authentication, authorisation, logging and monitoring supports the uniform application of such concerns. This ensures consistency across services at the same time as simplifying development and maintenance.

10. Service orchestration

API gateways play a valuable role in service orchestration, enabling interactions between numerous microservices to be easily coordinated. Combining them into a single endpoint allows the gateway to streamline complex workflows and reduce the burden on clients. Service orchestration enhances system efficiency, simplifies the development process, and improves overall maintainability.

What next?

With a solid understanding of an API gateway’s purpose, role and benefits now under your belt, why not turn your attention to API management? The Tyk team is on hand to answer any questions, so feel free to reach out.