The use of APIs has exploded in recent years. Software AG reports that 98% of IT decision-makers ranked APIs as ‘extremely important’ or ‘very important’ in 2022, while Akamai states that API calls now represent 83% of web traffic. This means that if you’re not up to speed yet with what an API gateway is, it’s time to catch up. Fast.
Introduction to API gateways
According to Markets and Markets, the API management solutions market is on track to increase from USD 4.5 billion in 2022 to USD 13.7 billion by 2027. That’s an impressive compound annual growth rate (CAGR) of 25.1%. Within this market, API gateways are essential in supporting organisations to design, create, publish and monitor their APIs – along with much, much more, as we’ll explore below.
What is an API?
Let’s start with the basics. An application programming interface (API) is an intermediary set of definitions and protocols that enables two computer programs to communicate and share data. Commonly used APIs include RESTful APIs, SOAP APIs and, more recently, GraphQL APIs.
What is an API gateway?
An API gateway sits between a client and a set of backend services. It is an API management service that provides a unified entry point for API calls.
Note that an API gateway is not the same as a gateway API. A gateway API is a means of integrating an application with an API gateway system.
Why use an API gateway?
Whether managing a single API or a whole range of API products, you can use an API gateway service to make it easier to secure and manage your APIs. An API gateway manages the traffic between the client and the backend. This means it can handle requests and retrieve data and services, including routing, combining multiple API calls and enforcing policies.
In a nutshell, an API gateway can handle the following:
- Authentication and authorisation
- Protocol mediation and transformations
- Custom plugins and functions
- Analytics and tracing
- Versioning and lifecycle management
- Caching
- Endpoint protection
- Logging
Benefits of an API gateway
API gateway integration can deliver many benefits, from faster API product creation to customer and revenue growth. You can use a gateway to lift and shift cloud migration, adopt microservices, scale rapidly, undertake complex API data/systems integration, or provide stress-free, efficient and secure API management.
Simplifying the API management process
Whoever said API management should be hard? In this day and age, there’s certainly no need for it to be. By controlling everything at the gateway layer, you can easily bring standardisation to your API management.
You also benefit from super simple deployment by choosing an API gateway open source product such as Tyk. Thanks to the open source code, you can deploy Tyk anywhere and get started in minutes, with no third-party software to manage – just full oversight and complete control.
Improving security
Simplicity aside, using an API gateway can work wonders for your API security. You can implement security policies at the gateway level, meaning that every API benefits from standardised security, regardless of which of your teams created it. That means you don’t have to worry about building security for every API and microservice, as the gateway takes care of it all.
Access control, key management, key hashing, whitelisting, certificate pinning, dynamic client registration… you can manage all of this and more through an API gateway. You control who accesses your APIs, when and how.
Reducing latency
API gateway solutions have the potential to introduce latency, as your API calls are now going through the gateway layer. That said, the most performant API gateway will be able to handle tens of thousands of requests per second with minimal introduced latency.
If latency is particularly relevant to you, there are steps that you can take to reduce it. API caching, for example, has the potential to reduce latency and is easy to manage through an API gateway platform.
Scaling APIs
Implementing API gateway software creates the ideal environment for scaling your APIs and growing your business. It opens up the potential to manage each step of your API lifecycle, laying the groundwork for smooth scaling. Then it’s time to grow.
With Tyk, for example, you can import your APIs, support versioning strategies and easily document and publish your API into a catalogue for discovery. You can also use detailed analytics to understand how your APIs are being consumed and better respond to evolving customer needs.
Types of API gateway
There are two main types of API gateways to choose from: cloud-based API gateways and on-premise API gateways. You can also opt for a hybrid solution, where your API gateway provider hosts the API management layer while your edge gateways are deployed on your infrastructure.
The setup you need will depend on a range of factors…
Cloud-based API gateway
If time is of the essence, a cloud-based API gateway can give you a head-start, as you don’t have to worry about infrastructure headaches. You can choose the regions where you want to locate your gateway(s), decide where your data will reside, and get started.
With a cloud-based API gateway, you can achieve everything you need quickly and easily. With Tyk Cloud, for example, you can:
- Implement your custom logic with Python-based plugins
- Configure customer domains for your dashboard and developer portal
- Create and manage multiple environments
- Create and manage control plane and edge gateway deployments
- Define teams, roles and users and easily manage access
On-premise API gateway
Also referred to by some API integration companies as a self-managed API gateway, an on-premise gateway is one that you install in your own infrastructure. This leaves you in complete control with no calling home and no usage limits (at least, not with Tyk API Gateway).
Control is a huge deal for many organisations. For example, if you operate in a heavily regulated environment, you may need a gateway to be part of your own infrastructure rather than cloud-based. This is where an on-premise solution shines, giving you the API gateway you need while leaving you in total control.
How does an API gateway work?
Whether you want to implement an API gateway for security reasons, to help you scale, or as part of a complex API gateway microservices architecture (or for any other reason), the gateway’s core functionality will underpin everything. A gateway can route requests, take care of authentication and authorisation, manage traffic and handle caching.
At a basic level, an API gateway works by accepting API requests from clients. The gateway processes those requests in accordance with policies that you can define. Based on those policies, the gateway will direct the requests to relevant services. It can combine responses and aggregate results before returning them to the client.
An API gateway can also translate between different API protocols. This means that you can work with SOAP, RESTful, GraphQL and other APIs while delivering a smooth user experience. In essence, you can tinker with the backend while presenting a single, unified entry point for clients.
Request routing
An API gateway comes with a range of routing features. These include things like rate limiting, load balancing (such as native round-robin load balancing to rotate requests through target hosts), circuit breakers (these can be rate-based, to trigger events for corrective action or logging), the ability to manipulate requests and responses, custom error handling and more.
Authentication and authorisation
You can use an API gateway to implement access control policies to ensure your APIs are secure. The range of available authentication and authorisation mechanisms is impressive. Bearer tokens, HMAC signatures, JSON web tokens, multiple auth, OAuth 2.0, keyless authorisation, OpenID Connect, Go plugin authentication, Python CoProcess and JSVM plugin authentication and physical keys are just some of your options!
Traffic management
Being able to manage traffic to suit your needs is one of the key benefits of an API gateway. Examples of the ways in which an API gateway can manage traffic include:
- Rate limiting – so your API doesn’t get overwhelmed
- Request throttling – so you can automatically queue and retry requests when quota or rate limits are hit
- Request quotas – so you can control requests over longer periods
- Request size limits – so you can control traffic size
- Key expiry – so you can adopt regular token recycling
- Progressive delivery – so you can build on your core CI/CD principles
Caching
An API gateway gives you the ability to cache requests in various ways. For example, you could simply cache all safe requests, manually set which endpoint patterns to cache, or enable upstream control to allow another application to tell the gateway what to cache or not cache and for how long.
Best practices for API gateways
Regardless of your motivations for implementing an API management service, there are tried and tested best practices that will help you – and your end users – enjoy a smooth experience. Let’s look at a few of these.
Designing for scalability
Scalability is the key to rapid growth. As such, if you plan to grow your customer base and revenue, it’s essential to design for scalability from the outset. An API gateway facilitates this by enabling robust security and efficient request handling and traffic management, no matter how much or how rapidly you scale.
Monitoring and logging
Monitoring your APIs’ general health and performance is essential to both troubleshooting and making proactive, data-driven decisions. As such, implement monitoring and logging at the outset of your API gateway journey for maximum insight into your business.
Versioning
Over time, you will need to iterate different versions of your API. An API gateway makes it easy for you to create new versions from existing API products while supporting backward compatibility and avoiding breaking a contract.
Implementing security protocols
To protect your endpoints and data in transit, it’s essential to implement robust API security protocols. The best practice is to do so in a consistent and standardised manner, which is precisely what API gateway solutions facilitate.
If you would like to learn in more detail about what an API gateway is and how it could benefit your business, why not chat with Tyk? Our friendly, expert team is always happy to talk about all things gateway-related, so drop us a line to get in touch.
