Slide 1

Slide 1 text

Architecture Report: API Gateways Gleicon Moraes https://github.com/gleicon https://medium.com/@gleicon

Slide 2

Slide 2 text

Overview API Gateways API Gateway is used to front and distribute access to internal APIs. Different vendors ship distinct building blocks and integrations. They can be SaaS or be installed in your infrastructure.

Slide 3

Slide 3 text

The API Gateway Pattern

Slide 4

Slide 4 text

API Gateway Pattern ● Separation of concerns between client and server code ● Distinct API views and responses from the same origin ● Call composition between APIs ● Single point of access ● Leverage migration from legacy code ● Leverage breaking monolith to microservices

Slide 5

Slide 5 text

Architecture diagram Client Backend as a Service Regular App Microservices Serverless Client API Gateway

Slide 6

Slide 6 text

Core features

Slide 7

Slide 7 text

Uniform authentication ● Allow for distinct frameworks and authentication models in the backend, acting as a translator ● Enable per user or per app credentials, granular control and logging ● Add security for legacy APIs

Slide 8

Slide 8 text

Rest over HTTPS ● SSL termination for legacy apps ● Single point of certificate maintenance ● Widespread transport protocol, compatible to most web frameworks

Slide 9

Slide 9 text

Horizontal scalability ● Composition of load balancing and application server ● No single request serving point, no sticky bit ● Scale up charged per request or per network traffic ● Distributed Request/Response caching

Slide 10

Slide 10 text

Payload rewrite ● Request/response intercept ● DSL for inline real time payload rewrite ● Mainly default to json handling

Slide 11

Slide 11 text

Request composition ● Combine two or more API responses into a single request ● Either concatenate or rewrite the response into a single payload ● Microservice calls ● Serverless event trigger

Slide 12

Slide 12 text

Backend as a Service ● Abstract database queries to API routes ● Manage connection pools and integration into legacy systems ● Batch call stored procedures ● Integration to message bus and messaging solutions ● Serverless architectures (e.g. AWS Lambda)

Slide 13

Slide 13 text

Analytics ● Detailed reports on requests ● Billing management ● Per request/origin error codes ● Volumetric analysis

Slide 14

Slide 14 text

Security ● DDOS Protection ● Throttling and rate limiting ● Whitelist and Blacklists ● Worldwide presence

Slide 15

Slide 15 text

Players

Slide 16

Slide 16 text

How to pick the right one ● Not all features are needed for your deployment ● Pick and choose based on budget and in house knowledge ● Migrate from an existing reverse proxy based on features ● Hosted or SaaS: evaluate the team workload and devops skill set ● ** Features may change - conduct your analysis based on features you need

Slide 17

Slide 17 text

Players SaaS ● APIGEE ● AWS API Gateway ● Sensedia Opensource ● Kong ● Tyk ● Nginx + Lua (openresty)

Slide 18

Slide 18 text

Comparison chart Uniform Authenticat ion Rest over HTTPS Horizontal Scalability Payload Rewrite Request Composit ion BaaS/ Serverless Analytics Security APIGEE Amazon API GW Sensedia Kong Tyk Openresty

Slide 19

Slide 19 text

Pitfalls

Slide 20

Slide 20 text

Dependency BaaS and in house development Until a contract renewal or in the face of a vendor change, dependency on BaaS might have created space so other development tasks were taken by the team. Take care to not outgrow your backlog counting on a long term contract. Alocate BaaS dependency as technical debt. Authentication model Engage into market proven authentication models that might be present in other players. Most APIs stick to OAUTH2 or AUTH Secrets.

Slide 21

Slide 21 text

Lock in Pluggable infrastructure IaaS vendors offer API Gateways that have competitive price models but make sure that you can serve and front APIs outside of their infrastructure for an attractive network ingress/egress price. Development model The configuration and coding should be versionable outside of the tool and automatable - meaning you should have tests for your configuration changes. The Gateway should support dev, integration and production environments and version promotion.

Slide 22

Slide 22 text

Scalability Horizontal scalability SaaS model: use the bundled analytics and instrument your backend. If you host your Hosted model on cloud: make sure you reserve the minimum or regular day to day usage and pick marketplace prices to lower the impact on your monthly rates Hosted on VPS/bare metal: plan for at least 30% peaks on each server. Backend savings API gateway should save backend computing and network resources. Make sure you review your sizing and scaling. Do use automation to ensure resources grow according to the workload.

Slide 23

Slide 23 text

Conclusion 1. Use API Gateways as accelerators but plan for reducing their footprint on your architecture 2. Use standard transport and authentication protocols 3. Take care with cache and data coherency 4. Strive to be able to migrate to at least one open source solution