Discover how API gateways enable organizations to enhance the speed, simplicity, and security of accessing their cloud-based data and services.

An API gateway is a software solution that receives requests from application users, directs them to backend services, collects the necessary data, and delivers a consolidated response to the user. It also offers analytics, multiple layers of security, and other protective measures for the application.

API Gateway Value

An API gateway serves as a centralized entry point for all API calls directed towards an application, regardless of whether the application is hosted on-premises or in the cloud. It receives remote requests and retrieves the requested data. To illustrate, let’s consider a web application for a restaurant. A user can use their laptop or cellphone to submit a single request and effortlessly access various information from different backend microservices or APIs, such as the restaurant’s menu, customer photos and reviews, payment service, and location on a map. The API gateway receives and handles their request. However, an API gateway offers more than just request handling. It adds value by presenting data in a format suitable for the technology being used by the requestor. For example, someone using a web browser to inquire about a retail store would be provided with more extensive information compared to someone accessing the same store’s data on a mobile phone. Additionally, API gateways facilitate real-time communication between an application’s frontend and backend, enabling functionality like web chat, stock trading systems, and online games.

API and MicroServices

API gateways, also known as “edge microservices,” are commonly utilized in modern applications built with cloud-native microservices architecture. These applications typically consist of numerous independent, self-contained, single-function components, referred to as microservices. Each microservice is managed by a dedicated DevOps team, operates autonomously, and maintains its own database. They can be deployed, maintained, and tested independently. When information requests are made to an application employing microservices, an API gateway offers a streamlined approach to retrieving and delivering the data. In addition to handling access control, it ensures efficient and reliable communication within large and intricate applications. As microservices operate in separate environments, they can be added, upgraded, relocated, or modified without impacting the overall application. API gateways simplify the process of scaling up applications for companies. Furthermore, they enable faster development of new features, fostering innovation and reducing time-to-market.

API gateways and monolithic apps

Prior to the emergence of microservices, monolithic applications were prevalent. These applications are built upon an all-in-one architecture, where services are interconnected and share a single database. All components within the application are tightly coupled and function as a unified entity. Modifying any part of a monolithic application requires changing the code that encompasses the entire architecture. Although many monolithic applications are still actively utilized, they commonly leverage API gateways to establish connections with external third parties, internal users, or partners. By doing so, they can enjoy the advantages of security, scalability, and other benefits that are inherent to microservices.

How do API gateways work?

API gateways serve as an intermediary between users and a collection of microservices, providing three essential services:

  1. Request routing: The API gateway receives a new API request and transforms it into multiple requests. It consults a routing map that indicates the appropriate destinations for each request, and subsequently forwards the requests to the relevant internal microservice(s).
  2. API composition: Acting as a workflow orchestrator, the API gateway aggregates the requested information from multiple microservices. It combines the data into a cohesive format and returns it to the requester as a composite response.
  3. Protocol translation: API gateways are aware that API requests arrive through devices that utilize different API protocols. They facilitate communication between client requests and microservices by translating these protocols. The gateway converts API protocols from the format used by the end-user device (such as a web browser, mobile device, or other endpoint) to the protocols employed by the microservices. For instance, wide area networks (WANs) and local area networks (LANs) have distinct performance characteristics and API requirements. When information is returned, the gateway transforms and delivers it back to the requestors in a format that can be readily interpreted. For example, if a microservice responds in XML, but the request was made using JSON, the gateway automatically handles the translation. Additionally, when using a REST API, the HTTP protocol is utilized to request API services.

Benefits of API gateways

Adding one or more API gateways to your microservice applications provides many benefits:

  • Microservices security: By acting as a protective barrier, an API gateway enhances the security of an application’s backend. This prevents the exposure of application endpoints, reducing the risk of attacks. Additional security measures such as using HTTPS or HTTP encrypted with SSL can be implemented to further enhance security while improving performance.
  • API authentication: An API gateway adds an extra layer of security by authenticating API calls, safeguarding against mistakes, hacks, and data breaches. Authentication and authorization processes may include antivirus scanning, decryption and encryption, token translation, validation, and other security functions.
  • Input validation: The API gateway ensures that API requests have the necessary information in the correct format before forwarding them to microservices. If any information is missing or incorrect, the gateway rejects the request. Validated requests are then forwarded to the appropriate microservices.
  • Improved response times: By directly sending requests to the relevant services, the API gateway reduces roundtrips and network traffic, resulting in lower latency and overall better performance. This optimized approach contributes to an enhanced user experience.
  • Microservices load balancing: The API gateway monitors requests sent to different microservices, evenly distributing the load across nodes for improved efficiency. This load balancing mechanism becomes crucial during high traffic periods, such as Black Friday sales or product launches, preventing spikes or denial-of-service incidents.
  • Rate limiting: To protect the system from flooding with excessive requests, an API gateway monitors and limits the number of API requests a client or malicious bot can make within a specific time period. This helps maintain system stability and prevent overwhelming traffic.
  • Billing for microservices: Some businesses monetize their APIs by offering services to consumers or other companies. The API gateway handles traffic, monitors usage for specific products or services, and sends pricing information to a connected billing system. Different monetization models can be implemented, such as pay-as-you-go, tiered plans, or revenue sharing through advertising or affiliate marketing.
  • Microservices caching: API gateways can optimize API calls through the use of microservices caching. By caching responses, unnecessary load on backend services is reduced. Cached responses can be served when similar requests are received, improving performance and reducing costs.
  • Monitoring and analytics: With the API gateway controlling all inbound traffic, it becomes easier to monitor and generate reports on API usage, visibility, and trends. Traffic logs created by the gateway software help API providers identify and address infrastructure issues.
  • Extending legacy apps: Legacy applications still play a crucial role in many businesses, but they may lack API support and struggle to handle modern technologies such as mobile, SaaS, or IoT apps. Rather than undertaking complex cloud migration, an API gateway allows DevOps teams to add API functionality to legacy applications, providing benefits like rate limiting and throttling. This modernizes and extends the capabilities of the legacy application.

Challenges of API gateways

While there are many benefits to adding an API gateway, there can also be challenges:

  • Response time:While latency and response time are often decreased due to requests traveling more efficiently, the additional step of a request passing through an API gateway can potentially add to response time.
  • Dependencies: Anytime a business adds, changes or removes a microservice, it must update its API gateway. That can be challenging with an application that has evolved from having just a few microservices to encompassing many. However, creating API design rules can help with this.
  • Complexity:Routing logic can make communication with microservices more complex. The API gateway is another system that must be developed, deployed and maintained.
  • Security: Because an API gateway touches many areas of an enterprise’s systems, its compromise can seriously impact an application’s safety. 
  • Reliability: If there’s only one API gateway and it goes down, the whole application becomes unavailable. Creating multiple API gateways and using load balancers can help avoid this situation.

What is the difference between API management and API gateways?

While an API gateway operates as a frontline component, managing, routing, and securing API calls, API management encompasses a comprehensive solution that oversees the complete lifecycle of APIs, which includes the inclusion of API gateways. In essence, API gateways can be regarded as tools within the broader realm of API management.

The API lifecycle consists of three primary phases: creation (building and documenting the API), control (imposing security measures), and consumption (publishing and monetizing APIs). API gateways specifically play a role in the control phase of the API lifecycle, focusing on ensuring the security and integrity of APIs, thereby safeguarding data and protecting against unauthorized access.

Take the next step

  • Explore IBM API Connect®, an intuitive and scalable API design platform to create, securely expose, manage and monetize APIs across cloud computing systems.
  • Build skills to help you create developer communities to publish and share APIs and engage with them through a self-service portal in the Solution Developer: IBM API Connect curriculum.
  • API Connect can also come integrated with other automation capabilities in IBM Cloud Pak® for Integration, a hybrid integration solution that provides an automated and closed-loop lifecycle across multiple styles of enterprise integration. 
  • For Business to Business API connections explore the IBM Sterling Supply Chain Business Network B2B API Gateway for secure connections between you, your customers, and your partners.
  • Take our integration maturity assessment to evaluate your integration maturity level across critical dimensions and discover the actions you can take to get to the next level. 
  • Download our agile integration guide, which explores the merits of a container-based, decentralized, microservices-aligned approach for integrating solutions.