What are API gateways ?
An API gateway is a facade for the product microservices used by external clients, which are generally implemented as reverse proxies. They are integral parts of any major cloud service and are more and more frequently seen in enterprise architectures. Most ship with a UI that facilitate all the phases of API management, but as you can imagine, you can also interact with the API to accelerate automation.
Here are some of them:
- Google Apigee, founded in 2004 and acquired by Google in 2016
- Azure API Management
- Amazon API Gateway
- Mulesoft, founded in 2006 and acquired by Salesforce in 2018
- Red Hat 3scale, founded in 2007 and acquired by Red Hat in 2016
Think of an API gateway as a way to decouple client-facing public APIs from the backend implementation, enabling all development groups to keep improving their products simultaneously. For example, while an Android developer is polishing the latest release of his app for the brand-new Pixel phone, the backend team is already integrating their latest ML enrichments on the next version of their data model. In the meantime, an old iOS 10.3 version is still serving thousands of customers. Increasing collaboration and velocity is critical to business today.
This is where API Gateways play their role in keeping everything under control. In this post and the follow on blogs, I will focus more specifically on Google Apigee solution and service offering.
What problems does an API solve?
For the consumer:
As a developer, one of the biggest unknowns is when I am asked to integrate a new service and how long it will take me to gain access to the dev versions. And what about the documentation, will it be up-to-date, or will I have to guess and reverse-engineer random examples found on stackoverflow?
In the end, all the prep work necessary to get in was by far the most time-consuming part. Once the access was granted, I simply had to pick my endpoints, see what type of data they are yielding and start to write some glue code.
Apigee will take care of managing App Developer keys and facilitate communication by providing a developer portal to address documentation and testing needs. The portal can be branded and offers interactive documentation, API key validation and analytics.
For the backend team:
Gateways protect the backend against traffic spikes by implementing configurable throttling. They can also incorporate partial or full caching to alleviate the load on the back-end, reducing the pressure on the back-end team to respect SLAs.
They are also alleviating the burden of maintaining access keys and enforcing quotas. As they allow marshaling requests and responses, adapting the payloads will no longer imply a new development. In Apigee Edge, backend developers will be able to extract any element of the requests or responses and log them without any code change.
For the security team:
For the security team these systems bring relief by offering consistent rulesets in regard to TLS termination, request validation, access control, and authorization scheme. Apigee has a feature to enforce a set of filters at the organization level. If a vulnerability is discovered, for example, the threat can be stopped almost instantly by ruling out a specific set of requests without involving the development team. The backend load-balancing can also be used to confine specific IPs to controlled targets.
For the product team:
Who is using what, and how is my product performing? Apigee ships with an integrated monitoring Dashboard that will help monitor application performance and usage.
How to manage the API lifecycle, and how to retire endpoints or reformat object definitions? Thanks to strong versioning and embedded documentation, up-to-date documentation is guaranteed and customer notifications are easy. You can, for example, issue deprecation notices in your released versions, and even transform the payload dynamically to advertise them.
What features does an API offer?
Features most commonly found in API gateways:
- Create new API, new developer credentials
- Publish new versions
- Maintain multiple versions for each API
- Monitor usage, performance, error rate
- Enforce access control, request format and rate limiting
Advanced features we can find in more advanced solutions:
- Transformation XML to JSON, this can allow you to modernize a legacy SOAP API and turn it into a REST API with 0 lines of code
- Endpoints mashing, where you can fuse data from different providers to produce value
- Caching / partial caches, alleviating load on backend services
- Endpoint load-balancing, enabling easy horizontal scaling
- Quota, often tied to Monetization and subscription plans
- Developer (users) account management through a Web UI
- Swagger presentation, since Swagger specification has been renamed OpenAPI Specification, it is becoming the de-facto standard to advertise and document an API. Most developers are now used to try API calls directly from their browser. If you don’t already have something similar, this feature by itself could be a good reason to consider using an API Gateway.
What’s next ?
In a future post, I will demonstrate how to create a simple Apigee proxy to access Twitter API. Apigee has also recently released a hybrid solution that I will deploy on a Google Anthos cluster.
Stay tuned for that deep dive!
Interested in learning more about Apigee, or looking for help transforming your organization. We would love to hear from you.