Architecture Report:
API Gateways
Gleicon Moraes
https://github.com/gleicon
https://medium.com/@gleicon
Overview
API Gateways
An API Gateway is used to front and distribute access to internal APIs. Different vendors ship distinct building blocks and integrations. They can be SaaS or be installed in your infrastructure.
The API Gateway Pattern
API Gateway Pattern
● Separation of concerns between client and server code
● Distinct API views and responses from the same origin
● Call composition between APIs
● Single point of access
● Leverage migration from legacy code
● Leverage breaking monolith to microservices
Architecture diagram
Clients -> API Gateway -> backends: Backend as a Service, Regular App, Microservices, Serverless
Core features
Uniform authentication
● Allow for distinct frameworks and authentication models in the backend, acting as a translator
● Enable per user or per app credentials, granular control and logging
● Add security for legacy APIs
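The translator role described above, as an added example that is not part of the original deck: the gateway validates a per-app API key (stored only as a hash), checks the app's scopes, logs the outcome per app, and then emits whatever credential the chosen backend understands. The app names, keys, secrets and the `X-Gateway-*` header names are constructed for the example; a legacy backend here expects HTTP Basic from a gateway-held service account, a newer backend verifies an HMAC the gateway signs.

```python
import base64
import hashlib
import hmac
import logging
from dataclasses import dataclass

log = logging.getLogger("gateway.auth")


@dataclass(frozen=True)
class AppCredential:
    """One consumer app known to the gateway (constructed example data)."""
    app_id: str
    key_hash: str          # sha256 hex digest of the app's API key, never the key itself
    scopes: frozenset


def hash_key(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class GatewayAuth:
    """Validates gateway credentials, then emits the auth the chosen backend understands."""

    def __init__(self, apps, gateway_secret: bytes, legacy_basic: tuple):
        self.apps = {a.key_hash: a for a in apps}
        self.gateway_secret = gateway_secret   # shared with the modern backend only
        self.legacy_basic = legacy_basic       # (user, password) the legacy app expects

    def authenticate(self, headers: dict):
        presented = headers.get("X-API-Key", "")
        # Hash the presented key and look it up; a leaked config leaks no usable keys.
        return self.apps.get(hash_key(presented)) if presented else None

    def backend_headers(self, app, backend: str, method: str, path: str) -> dict:
        if backend == "legacy":
            token = base64.b64encode(":".join(self.legacy_basic).encode()).decode()
            return {"Authorization": f"Basic {token}", "X-App-Id": app.app_id}
        if backend == "modern":
            msg = f"{app.app_id}\n{method}\n{path}".encode()
            sig = hmac.new(self.gateway_secret, msg, hashlib.sha256).hexdigest()
            return {"X-Gateway-App": app.app_id, "X-Gateway-Sig": sig}
        raise ValueError(f"unknown backend {backend!r}")

    def handle(self, headers: dict, method: str, path: str, backend: str, required_scope: str):
        """Returns (status, headers to forward). 200 means the request may be proxied."""
        app = self.authenticate(headers)
        if app is None:
            log.warning("auth failed path=%s", path)
            return 401, {}
        if required_scope not in app.scopes:
            log.warning("scope denied app=%s scope=%s", app.app_id, required_scope)
            return 403, {}
        log.info("auth ok app=%s backend=%s path=%s", app.app_id, backend, path)
        # The gateway credential never reaches the backend; only the translated one does.
        out = {k: v for k, v in headers.items() if k != "X-API-Key"}
        out.update(self.backend_headers(app, backend, method, path))
        return 200, out


def verify_gateway_sig(secret: bytes, app_id: str, method: str, path: str, sig: str) -> bool:
    """What the modern backend runs to confirm the request really came through the gateway."""
    expected = hmac.new(secret, f"{app_id}\n{method}\n{path}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


# Constructed example: two consumer apps with different scopes.
APPS = [
    AppCredential("mobile", hash_key("constructed-mobile-key"), frozenset({"orders:read"})),
    AppCredential("partner", hash_key("constructed-partner-key"), frozenset({"orders:read", "orders:write"})),
]
AUTH = GatewayAuth(APPS, gateway_secret=b"constructed-gateway-secret", legacy_basic=("svc", "legacy-pass"))
```

The point worth checking in a real deployment is the last step of `handle`: the client credential is stripped before forwarding, and the backend-facing credential is one the client never holds, so a client cannot bypass the gateway by replaying it.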
REST over HTTPS
● SSL termination for legacy apps
● Single point of certificate maintenance
● Widespread transport protocol, compatible with most web frameworks
Horizontal scalability
● Composition of load balancing and application server
● No single request serving point, no sticky sessions
● Scale-up charged per request or per network traffic
● Distributed request/response caching
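Distributed request/response caching across stateless gateway instances, as an added example that is not part of the original deck: two gateway instances share one store (a dict standing in for Redis or Memcached, constructed here), honour the origin's Cache-Control, and key the cache on the caller's Authorization header so a per-user response is never served to a different user. The origin function, clock and all data are constructed for the example.

```python
import hashlib
import re
import time


class FakeClock:
    """Controllable clock so cache expiry can be exercised deterministically."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SharedStore:
    """Stand-in for a store shared by every gateway instance (Redis, Memcached).
    Constructed for this example: a dict of key -> (expires_at, value)."""
    def __init__(self):
        self._items = {}

    def get(self, key: str, now: float):
        entry = self._items.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if expires_at <= now:
            del self._items[key]
            return None
        return value

    def set(self, key: str, value, ttl: float, now: float) -> None:
        self._items[key] = (now + ttl, value)


def cache_key(method: str, path: str, query: str, headers: dict,
              vary=("Authorization",)) -> str:
    # The caller's identity is part of the key so one user's response can
    # never be served to another user out of the shared cache.
    parts = [method, path, query] + [f"{h}={headers.get(h, '')}" for h in vary]
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()


def cacheable_ttl(cache_control: str) -> int:
    """TTL in seconds derived from the origin's Cache-Control, 0 if not cacheable."""
    if not cache_control:
        return 0
    if re.search(r"\b(no-store|private)\b", cache_control):
        return 0
    m = re.search(r"\bmax-age=(\d+)", cache_control)
    return int(m.group(1)) if m else 0


class CachingGateway:
    """One stateless gateway instance; all cache state lives in `store`."""
    def __init__(self, store: SharedStore, origin, clock=time.time):
        self.store, self.origin, self.clock = store, origin, clock

    def fetch(self, method: str, path: str, query: str, headers: dict):
        """Returns ((status, headers, body), 'hit' | 'miss' | 'bypass')."""
        if method != "GET":
            return self.origin(method, path, query, headers), "bypass"
        now = self.clock()
        key = cache_key(method, path, query, headers)
        cached = self.store.get(key, now)
        if cached is not None:
            return cached, "hit"
        response = self.origin(method, path, query, headers)
        status, resp_headers, _ = response
        ttl = cacheable_ttl(resp_headers.get("Cache-Control", ""))
        if status == 200 and ttl > 0:
            self.store.set(key, response, ttl, now)
        return response, "miss"


# Constructed origin: records every call so cache hits can be counted.
ORIGIN_CALLS = []


def demo_origin(method, path, query, headers):
    ORIGIN_CALLS.append(path)
    return 200, {"Cache-Control": "max-age=60"}, f"data for {headers.get('Authorization')}"
```

Because no instance keeps cache state locally, any instance behind the load balancer can answer any request, which is what removes the need for sticky sessions; the price is that cache coherency now depends on the origin's TTLs and on the vary headers being chosen correctly.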
Payload rewrite
● Request/response intercept
● DSL for inline real-time payload rewrite
● Mainly defaults to JSON handling
Request composition
● Combine two or more API responses into a single request
● Either concatenate or rewrite the response into a single payload
● Microservice calls
● Serverless event trigger
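Payload rewrite and request composition together, as an added example that is not part of the original deck: one gateway route fans out to two backend calls in parallel, merges them into a single JSON payload, and applies a small declarative rule set (a constructed stand-in for a vendor's rewrite DSL) that drops internal fields and renames keys before the response leaves the gateway. The backend paths, field names and responses are constructed; `fetch` is injected so the composition runs without a network.

```python
import json
from concurrent.futures import ThreadPoolExecutor

# Rewrite rules as data (constructed DSL): fields to drop before the payload
# leaves the gateway, and internal names to rename for the public API.
USER_RULES = {"drop": {"password_hash", "internal_notes"},
              "rename": {"user_id": "id", "email_addr": "email"}}
ORDER_RULES = {"drop": {"warehouse_ref"}, "rename": {"order_id": "id"}}


def apply_rewrite(payload, rules):
    """Apply drop/rename rules to an object or to every object in a list."""
    if isinstance(payload, list):
        return [apply_rewrite(item, rules) for item in payload]
    if not isinstance(payload, dict):
        return payload
    renames = rules.get("rename", {})
    return {renames.get(k, k): v for k, v in payload.items()
            if k not in rules.get("drop", set())}


def compose_profile(user_id: int, fetch):
    """GET /profile/{id}: fan out to the user and order services, merge, rewrite.

    `fetch(method, path)` returns (status, json_body); it is injected so the
    composition can be tested without a network."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        user_f = pool.submit(fetch, "GET", f"/internal/users/{user_id}")
        orders_f = pool.submit(fetch, "GET", f"/internal/orders?user_id={user_id}")
        user_status, user = user_f.result()
        orders_status, orders = orders_f.result()
    if user_status != 200:
        # The primary resource is missing: propagate instead of inventing a profile.
        return user_status, {"error": "user not found"}
    profile = apply_rewrite(user, USER_RULES)
    # A failing secondary call degrades the response instead of failing it,
    # and the client can see that the orders part is incomplete.
    profile["orders"] = apply_rewrite(orders, ORDER_RULES) if orders_status == 200 else []
    profile["orders_complete"] = orders_status == 200
    return 200, profile


def render(status: int, body) -> str:
    """Serialise the composed response the way it would go on the wire."""
    return json.dumps({"status": status, "body": body}, sort_keys=True)


# Constructed backend responses keyed by path.
BACKEND = {
    "/internal/users/42": (200, {"user_id": 42, "email_addr": "a@example.com",
                                 "password_hash": "<hash>", "internal_notes": "vip"}),
    "/internal/orders?user_id=42": (200, [{"order_id": 1, "total": 10.5, "warehouse_ref": "WH-1"}]),
    "/internal/users/43": (200, {"user_id": 43, "email_addr": "b@example.com", "password_hash": "<hash>"}),
    "/internal/orders?user_id=43": (503, {"error": "orders service unavailable"}),
}


def fake_fetch(method: str, path: str):
    return BACKEND.get(path, (404, {"error": "not found"}))
```

Keeping the rules as data rather than code is what makes them reviewable and versionable alongside the rest of the gateway configuration; the drop list is also the last control point for internal fields before they become part of the public contract.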
Backend as a Service
● Abstract database queries to API routes
● Manage connection pools and integration into legacy systems
● Batch call stored procedures
● Integration to message bus and messaging solutions
● Serverless architectures (e.g. AWS Lambda)
Analytics
● Detailed reports on requests
● Billing management
● Per request/origin error codes
● Volumetric analysis
Security
● DDoS protection
● Throttling and rate limiting
● Whitelists and blacklists
● Worldwide presence
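Throttling, rate limiting and allow/deny lists at the edge, as an added example that is not part of the original deck: a token bucket per consumer (per API key when authenticated, per source address otherwise), a deny list of CIDR ranges checked first, and an allow list that restricts administrative routes. The ranges, rates and route prefix are constructed; the bucket state is in-process here, which is the single-instance case, and a horizontally scaled gateway would keep it in a shared store.

```python
import ipaddress


class TokenBucket:
    """Token bucket: up to `burst` requests at once, refilling `rate` per second."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.updated = None

    def take(self, now: float) -> bool:
        if self.updated is not None:
            self.tokens = min(float(self.burst), self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def retry_after(self) -> float:
        """Seconds until one token is available again."""
        return max(0.0, (1.0 - self.tokens) / self.rate)


class EdgePolicy:
    """Deny list, allow list for sensitive routes, then per-consumer throttling.

    Bucket state is in-process here; behind a load balancer with N gateway
    instances it belongs in a shared store, otherwise each instance enforces
    the limit separately and the effective limit is N times higher."""
    def __init__(self, deny_cidrs, admin_allow_cidrs, rate: float, burst: int):
        self.deny = [ipaddress.ip_network(c) for c in deny_cidrs]
        self.admin_allow = [ipaddress.ip_network(c) for c in admin_allow_cidrs]
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def decide(self, client_ip: str, path: str, api_key, now: float):
        """Returns (status, reason). 200 means forward to the backend."""
        ip = ipaddress.ip_address(client_ip)
        # Cheapest check first: known-bad sources never consume bucket state.
        if any(ip in net for net in self.deny):
            return 403, "source address on deny list"
        if path.startswith("/admin") and not any(ip in net for net in self.admin_allow):
            return 403, "admin route restricted to allow list"
        # Authenticated traffic is throttled per API key; anonymous traffic per source address.
        bucket_id = f"key:{api_key}" if api_key else f"ip:{client_ip}"
        bucket = self.buckets.setdefault(bucket_id, TokenBucket(self.rate, self.burst))
        if bucket.take(now):
            return 200, "ok"
        return 429, f"rate limited, retry after {bucket.retry_after():.1f}s"


# Constructed policy: one denied range (documentation prefix), admin routes
# only from the private range, 1 request/second sustained with a burst of 3.
POLICY = EdgePolicy(deny_cidrs=["203.0.113.0/24"], admin_allow_cidrs=["10.0.0.0/8"],
                    rate=1.0, burst=3)
```

The 429 carries the retry interval so well-behaved clients back off instead of retrying immediately; the per-key bucket is also what the analytics slide's per-origin error codes are built from, since every 403 and 429 is attributable to a consumer.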
Players
How to pick the right one
● Not all features are needed for your deployment
● Pick and choose based on budget and in-house knowledge
● Migrate from an existing reverse proxy based on features
● Hosted or SaaS: evaluate the team workload and devops skill set
● Features may change: conduct your analysis based on the features you need
Players
SaaS
● APIGEE
● AWS API Gateway
● Sensedia
Open source
● Kong
● Tyk
● Nginx + Lua (OpenResty)
Comparison chart
Features compared (columns): Uniform Authentication, REST over HTTPS, Horizontal Scalability, Payload Rewrite, Request Composition, BaaS/Serverless, Analytics, Security
Products compared (rows): APIGEE, Amazon API GW, Sensedia, Kong, Tyk, OpenResty
Pitfalls
Dependency
BaaS and in-house development
Until a contract renewal or a vendor change, dependency on BaaS may have freed the team to take on other development tasks. Take care not to outgrow your backlog by counting on a long-term contract. Allocate the BaaS dependency as technical debt.
Authentication model
Adopt market-proven authentication models that other players are likely to support. Most APIs stick to OAuth2 or auth secrets.
Lock in
Pluggable infrastructure
IaaS vendors offer API Gateways with competitive price models, but make sure you can serve and front APIs outside their infrastructure at an attractive network ingress/egress price.
Development model
The configuration and coding should be versionable outside of the tool and automatable, meaning you should have tests for your configuration changes. The Gateway should support dev, integration and production environments and version promotion.
Scalability
Horizontal scalability
SaaS model: use the bundled analytics and instrument your backend. If you host your
Hosted model on cloud: make sure you reserve the minimum or regular day-to-day usage and pick marketplace prices to lower the impact on your monthly rates.
Hosted on VPS/bare metal: plan for at least 30% peaks on each server.
Backend savings
API gateway should save backend computing and network resources. Make sure you
review your sizing and scaling. Do use automation to ensure resources grow according to
the workload.
Conclusion
1. Use API Gateways as accelerators but plan for reducing their footprint on your architecture
2. Use standard transport and authentication protocols
3. Take care with cache and data coherency
4. Strive to be able to migrate to at least one open source solution