API gateways aren't new, but for whatever reason I'm seeing API Gateway become more and more of a buzzword. Here's an actual conversation I had with someone on Slack the other day:

Bob 12:47 PM
Mike, ... any thoughts on an API Gateway of choice?

Mike Treadway 1:14 PM
There are many choices, however I think the biggest question is what functions are you expecting an API gateway to perform?

Bob 1:22 PM
Not exactly sure yet 🙂

Mike Treadway 1:26 PM
So someone just said, find an API gateway just because?? lol. Usually there's a set of needs and an API gateway can serve that need.

Bob 1:27 PM
Kind of 🙂

Mike Treadway 1:27 PM
I knew of a group using [snip] because they said they wanted to have dedicated engineers to use [snip] to expose APIs that were vastly different than the APIs behind it.

Bob 1:27 PM
But there is more to it.

Mike Treadway 1:28 PM
Which is a terrible idea in my opinion for greenfield projects. I mean..who wants to write APIs using a workflow diagram??
I see value in a gateway to provide consistent API pathing/routing, usage metrics, etc. I think many people believe using an API gateway gives you automatic authentication and authorization of APIs and perhaps it does for some, but it really depends.
You still have to secure your backend services regardless.
anyway, happy to help in any way. I just need to know more about what is expected from this gateway.

Bob 1:32 PM
I will share more, I actually want to! I need to head out to drop off my kid at the airport. But will either ping you later or Monday to chat on this.

Mike Treadway 1:33 PM
ok, sounds good.

I think there's a lot of misconception out there about what an API gateway is for and when you need it. This happens to all of us at some point in our careers, where someone asks you to go figure out what tool to use for something without really understanding whether the tool is actually needed. Reminds me of this awesome quote:
No one wants a 1/4" drill bit, they want a 1/4" hole.

-Michael Winser

What is an API Gateway?

An API gateway is a common ingress point for a set of web services. Having a common ingress point allows you to do some pretty interesting things that can solve many problems. When you use an API gateway, you're using the API Gateway architecture pattern. In fact, many people are using this pattern without even realizing they have an API gateway.

At IBM, we recently built an API gateway for our platform microservices using just NGINX and Consul. We wanted a common domain name for all of our services and used NGINX to reverse proxy the incoming requests to the various microservices. Simple. Free. We added in the Consul portion to give us some dynamic service discovery across data centers so we don't have to update our NGINX configuration for each new service. I'll cover more on this in the future.

So now that you know what it is, do you really need one? Like all great answers, it depends.

You might need an API Gateway if...

  • You've built 8+ microservices and you're starting to forget their hostnames and ports.
  • You want to simplify the configuration needed to make new services available.
  • You want to apply features that span across services (e.g. rate throttling, SQL injection detection, etc.)
  • You want to collect API metrics across services (kind of the same as above).
  • You want to authenticate and/or authorize requests before they reach your services.
  • You want the ability to have one API call issue several internally and aggregate the results.
  • You want to take disparate backend service APIs (SOAP, XML, JSON, etc.) and present them with a streamlined, consistent API presentation.

If you are experiencing any of the above, it may be time to take a look at API gateways. Please keep in mind that you may not need a super fancy, feature-rich API gateway (like Apigee). You can accomplish quite a bit with a simple Node.js application or NGINX. It really comes down to which of the above problems you are trying to solve.

Be aware that products such as IBM API Connect go way beyond an API gateway and get into things like making it easy to deploy APIs, create APIs, etc. These enter the realm of API Management platforms which can cause some confusion and distract from the problems described above. API Management platforms definitely have their place, but don't confuse API Gateways with API Management. They're mutually exclusive.

What an API Gateway Isn't

An API Gateway isn't a panacea. It can help simplify authentication, but you still have to take measures to secure your services behind the gateway. It can possibly make your APIs faster with caching, but you still have to think about the ramifications of even using caches. It can provide a single ingress, but you still have to figure out how to manage the locations of the services behind the API Gateway. I could go on and on.

A Simple API Gateway with NGINX

Here's a very simple NGINX based API gateway to demonstrate how easy it can be to get started with one.
events {
    worker_connections  1024;
}

http {

    server {
        listen       80;
        server_name  api.my-company.com;

        set $x_proxy_from "http://$host$request_uri";
        proxy_set_header x-proxy-from $x_proxy_from;

        # Services
        location /my-service {
            proxy_pass http://my-service.local/my-service;
        }
    }
}

Lines 1-3: Tells NGINX the number of connections a worker process can have open.
Lines 8-9: Specifies the server port number and what values for the Host HTTP header to match. In this particular configuration, NGINX will respond to any requests because there's only one server block. Even though it happens to not matter in this case, it's a best practice to specify it.
Lines 11-12: Sets a header with the original URL value so downstream services can know what's going on.
Lines 14-17: Any request whose URL path starts with /my-service is proxied as is to http://my-service.local/my-service.

You can keep going with this example by adding more services, securing it with SSL, and externalizing the service configurations so each service has its own configuration file.
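
The next steps listed above (SSL and one configuration file per service), together with the cross-service rate throttling mentioned earlier, as an added example that is not part of the original post. The file paths, certificate names, the services.d directory and the rate values are assumptions.

```nginx
# /etc/nginx/nginx.conf (paths and certificate locations are placeholders)
events {
    worker_connections  1024;
}

http {
    # Shared rate-limit state: 10 requests/second per client IP (example value).
    limit_req_zone $binary_remote_addr zone=api_rl:10m rate=10r/s;

    # Plain HTTP only redirects to HTTPS.
    server {
        listen       80;
        server_name  api.my-company.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen       443 ssl;
        server_name  api.my-company.com;

        ssl_certificate      /etc/nginx/tls/api.my-company.com.crt;
        ssl_certificate_key  /etc/nginx/tls/api.my-company.com.key;
        ssl_protocols        TLSv1.2 TLSv1.3;

        # Applies to every service behind the gateway.
        limit_req zone=api_rl burst=20 nodelay;

        # Overwrites any x-proxy-from value sent by the client.
        set $x_proxy_from "$scheme://$host$request_uri";
        proxy_set_header x-proxy-from $x_proxy_from;

        # Services: one file per service, picked up on reload.
        include /etc/nginx/services.d/*.conf;
    }
}

# /etc/nginx/services.d/my-service.conf (separate file, one per service)
location /my-service {
    proxy_pass http://my-service.local/my-service;
}
```

With only one server block per port, NGINX still answers requests for any Host value, so downstream services should not treat the host portion of x-proxy-from as verified.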

3 comments:

  1. There are a lot of choices out there in commercial and open sources. Enterprises these days are using API Gateways to get onto the digital bandwagon

  2. Good one. These days so many people ask for API Gateways without knowing is it really required. All they look for is something they have to use API gateway in their business to justify.
