I work with very large non-ITeS and ITeS organizations.
When I talk with them about modern software architectures such as serverless,
microservices and event-driven design, we inevitably come to the mysterious term “API Gateway”.
Most of the time I have seen zero awareness of “API
Gateway” being an important part of modern software architectures. Many senior
TDMs [Technical Decision Makers] completely ignore this important aspect of an
overall API-centric approach for all of their applications as an organization-wide
strategy. There are a few senior architects who understand the need for an “API Gateway”,
but the number is really, really small.
In the last 4 months, after 7 customer visits and approx. 10
deep-dive modern architecture discussions at various levels in organizations, I
felt there was a need to write a “simple yet effective” blog post that
focuses on the need for an “API Gateway” in today’s software architectures when we talk
about the “Digital Transformation journey” with big organizations.
And here I am, writing a post on “What is API Gateway?
Why does it matter? And how should you choose the right API Gateway for yourself?”.
Let’s go!
Realizing the concept of API Gateway
Today every organization is trying to provide service-based
offerings. For example, Gmail provides “Email as a service” and O365 provides “productivity
solutions as a service”.
When you think of providing service-based offerings to
your customers, a large portion of those offerings will inevitably be built
on “APIs”. In today’s world they will be based on “REST APIs”, and in many
cases on legacy APIs built on XML-based services as well. Your APIs will
essentially contain the main business logic and critical intellectual property of
your service, so it is really important to make sure that you PROTECT
these APIs. Therefore an API Gateway is an important architecture strategy.
If you are a “solution architect” working on an API-based
solution architecture, an API Gateway is a must for you. Let’s understand why we
need an API Gateway, or what benefits we get by using one.
Understanding the need for an API Gateway
In today’s world REST APIs usually contain the main business
logic and intellectual property, and are the critical layer exposing your sensitive data.
So directly exposing your actual REST API to the rest of the world is not a good
idea. It needs a protection layer that monitors every incoming request,
checks whether the request is valid and legitimate, and only then allows it to reach
the actual API. This middle man/ protection layer/ wrapper around your actual
API is called an “API Gateway”.
An API Gateway is a wrapper around your actual REST APIs,
or any type of API for that matter. A wrapper means that you don’t
expose your actual REST API to the outside world; rather, you expose it through the
API Gateway. This has a number of benefits –
- Security for your actual API
- Managing the API lifecycle
- Routing, protocol transformation
- API monitoring, analytics
- Logging every request hitting your API
Below is the conceptual diagram of an API Gateway and where
it resides –
As you can see in the above diagram, all types of
applications that consume your API pass through the API Gateway layer. So
all the common aspects of security for accessing your actual API
can now be “centralized” in one place, and that is your API Gateway layer.
Essentially you “avoid” duplicating the same work for each API’s common
requirements such as security, monitoring, analytics etc.
Benefits of using API Gateway
Language agnostic –
Consider a scenario – you have 10 APIs developed in Java and .NET. All of them
need to implement a modern OAuth 2.0 based authentication scenario to protect
your APIs. So essentially, you will have to learn and code the implementation
of OAuth 2.0 using your “Identity service (such as Auth0, Azure AD, Active
Directory, Apache Directory and so on)” in both .NET and Java. Tomorrow you
embark on the journey of Python for writing your Machine Learning APIs, and then you
will have to do the same thing in Python as well. This is duplication of the same work in
different languages. Here an API Gateway can rescue you.
No matter which language your API is developed in (Java,
NodeJS, C#, Python etc.), what you need is a common API description format [for example,
Swagger] to onboard it into the API Gateway. Hence an API Gateway makes onboarding your
organization-wide APIs independent of the language in which they are written.
This is a huge benefit. Now you write your OAuth 2.0 implementation only with
respect to the “API Gateway” layer and you are done. All your APIs are now OAuth
2.0 authentication enabled without writing or changing a single line of code in
the actual APIs.
So an API Gateway is language agnostic.
Compute and hosting platform agnostic
To import your APIs into API Management it does not matter
whether they are hosted on a VM, a physical machine or the cloud. Your APIs can
be anywhere and can still be onboarded into the API Gateway. You can have your actual
APIs hosted on-premises, in any cloud, serverless, CDN hosted, VM hosted, PaaS, anything.
It doesn’t matter. The process of onboarding APIs into the API Gateway remains the same
and easy.
Centralized SSL implementation
Making sure of “encryption during transit” for your API
calls is of the utmost importance. This is where you use SSL certificates. When
HTTPS is involved, the payload (data sent in requests, both header and body) is
encrypted during transit. This can be configured in the API Gateway itself, hence
avoiding the same configuration on each of the servers hosting your
APIs.
Centralized security configuration
An API Gateway provides important features such as IP
filter and token validation configurations. This helps in building important
security for all your APIs in one place.
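The centralized IP filter and token validation described above, together with the earlier language-agnostic point, as an added example that is not part of the original post: a Python sketch of a gateway applying both checks once in front of two backends. The HMAC-signed token is a stand-in for OAuth 2.0 token validation, and the key, networks, routes and function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, ipaddress, json, time

# Assumptions: a shared HMAC key stands in for the identity service's signing
# key; the allowed network and the two backends are constructed sample values.
SIGNING_KEY = b"constructed-demo-key"
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BACKENDS = {  # path prefix -> backend API (any language, any host)
    "/orders": lambda path: {"backend": "java-orders", "path": path},
    "/scores": lambda path: {"backend": "python-ml", "path": path},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(subject: str, expires_at: float) -> str:
    """What the identity service would hand to a client (constructed format)."""
    body = _b64(json.dumps({"sub": subject, "exp": expires_at}).encode())
    return f"{body}.{_sign(body)}"

def validate_token(token: str, now: float):
    """Return the claims if signature and expiry check out, else None."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None  # forged or tampered token
    try:
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:
        return None
    return claims if claims.get("exp", 0) > now else None

def gateway(client_ip: str, path: str, headers: dict, now: float = None):
    """Run the shared checks once, then route to whichever backend matches."""
    now = time.time() if now is None else now
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        return 403, {"error": "ip not allowed"}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    claims = validate_token(token, now) if scheme == "Bearer" else None
    if claims is None:
        return 401, {"error": "invalid or missing token"}
    for prefix, backend in BACKENDS.items():
        if path.startswith(prefix):
            # The backend never sees an unauthenticated request.
            return 200, {**backend(path), "caller": claims["sub"]}
    return 404, {"error": "no such api"}
```

Neither backend contains any authentication code; adding a third backend inherits the same checks by adding one route.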
Centralized caching framework
Many API Gateways have an inbuilt caching mechanism which
helps in caching GET method responses. This provides huge performance benefits
over exposing APIs without an API Gateway layer. In one of my trials of an API Gateway
I saw that without caching the response was taking around 300ms, and after
caching it took 7ms. This is amazing. Also, most API Gateway products these
days come with support for external caching products like Redis Cache. This
way, if the size of the API Gateway cache is limited, you can extend to an
external cache seamlessly and have more storage for caching the GET method
responses.
So this way you avoid implementing caching in each of
the individual APIs.
Note –
Some sharp readers may ask why I am talking only about caching GET method
responses and not other methods such as POST, PUT and DELETE. Well, only the GET method should
be cached. Technically you can cache all methods, but it is not recommended. Caching
should be done for GET methods only. This is common sense in architecture design
principles.
Transformation
The REST-based approach is used for new API
development; however, a large portion of existing APIs deal in XML.
So, many times, to make them work in the new digital world with various modern
technologies, you need to convert requests and responses from XML to JSON or JSON
to XML, transform XML using XSLT, replace a string in the body, set a query string
parameter and so on. All of these kinds of transformations can be achieved using an
API Gateway without writing a single line of code.
Versioning of APIs
This is another important benefit of an API Gateway. You
can expose multiple versions of the same API depending on the need. This
helps in updating the APIs with the latest features without downtime, because you can have multiple versions of the same API exposed at the same time using the API Gateway.
Policies
This is by far one of the most important benefits you get
by using an API Gateway. Policies bring the life of your APIs into balance. There are
tons of policies an API Gateway provides that make API lifecycle management extremely
easy and manageable. There are various categories of policies provided, such
as -
- Access restriction
- Authentication
- Cross domain
- Caching
- Transformation
- Trace
- Control flow
- Error handling and many more…
Supercool: Making money out of your APIs
I have seen a lot of startup companies in recent times that
only create APIs. Then they sell these APIs, charging various companies per call,
and make money out of it. If you have such a vision in your mind then
you can use various API Gateway features, such as grouping APIs into a logical
structure and opening it to your customers. For example, you can create a FREE
group which allows calling your APIs only 10 calls/ min and max 1000 in a
day. Then you can create a BASIC pricing plan that allows 10 calls/ sec and charge
for it. Similarly you can create various plans such as standard, premium and so on.
Examples are Sendgrid and Twilio. These companies offer email and SMS APIs
and they charge their customers based on this type of pricing plan. Building
such a money-making model becomes super easy using the “API Gateway layer”.
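The FREE and BASIC plans described above, as an added example that is not part of the original post: a Python sketch of per-plan call limits with a billable-call count per subscription key. The class and key names are hypothetical, and fixed-window counters are one simple choice among several rate-limiting schemes.

```python
import time
from collections import defaultdict

# Plans from the text: FREE = 10 calls/min and max 1000 calls/day,
# BASIC = 10 calls/sec. Each limit is (max_calls, window_seconds).
PLANS = {
    "FREE": [(10, 60), (1000, 86400)],
    "BASIC": [(10, 1)],
}

class PlanLimiter:
    """Fixed-window call counters per subscription key (illustrative design)."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so limits can be tested
        self.subscriptions = {}            # api key -> plan name
        self.counters = defaultdict(int)   # (key, window, bucket) -> calls
        self.billable = defaultdict(int)   # key -> accepted calls to charge for

    def subscribe(self, api_key, plan):
        if plan not in PLANS:
            raise ValueError(f"unknown plan {plan!r}")
        self.subscriptions[api_key] = plan

    def allow(self, api_key):
        """Return (allowed, seconds_until_retry)."""
        plan = self.subscriptions.get(api_key)
        if plan is None:
            return False, None             # unknown key: never reaches the API
        now = self.clock()
        limits = PLANS[plan]
        buckets = [(api_key, window, int(now // window)) for _, window in limits]
        # Check every limit before counting, so a rejected call uses no quota.
        for (limit, window), bucket in zip(limits, buckets):
            if self.counters[bucket] >= limit:
                return False, window - (now % window)
        for bucket in buckets:
            self.counters[bucket] += 1     # old buckets are not evicted here
        self.billable[api_key] += 1
        return True, 0
```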
So by now I hope you are convinced why it makes sense to
include an API Gateway layer in your modern application architectures. As an API
Gateway helps you manage the lifecycle of APIs, it is also called an “API
Management solution”.
So, what is Azure API Management?
In essence, API Gateway is a concept. Azure API
Management is an implementation/ product of the API Gateway concept. Similarly,
other companies also provide products based on the API Gateway concept, like Apigee,
AWS API Gateway and so on.
If you are seriously looking into the Azure cloud, API Management
is a hero service that you can’t ignore. You should use API Management if you
are betting on the Azure platform. It is one of the most versatile services in Azure and
a complete solution to your “API Gateway” needs.
Conclusion
I hope this post gave you an idea of why we should include an
API Gateway layer. It is a really needed and important component to include in your
organization-wide application architectures.
Well, the API Gateway is going to be mission critical for
you over time once you start on it, and hence it is really important to
configure DR (disaster recovery) for it. In the next few posts I will show
how we can achieve DR for the Azure API Management solution.
Happy APIsation!!
Very nice and helpful article. Thank you.