Choosing an API Gateway for your platform

Enterprises normally have a technology estate that helps manage the different intra and interconnections – such as with vendors, clients, intranet systems, CRMs, retailers, payment systems and so on. But these different corporate tools may lack coherence and proper support.

This necessitates a strategy that will drive down dependencies on external software and establish APIs that can be moulded and customized to your business needs. When properly managed, your APIs allow for greater internal flexibility while establishing connectivity both internally (marketing, sales, customer service) and externally (apps, websites, platforms to offer the company's own APIs to third parties).

Such a strategy, among other things, requires a robust API gateway as a single point of entry for identity and access management, and throttling.

The need for an API Gateway

An API gateway provides a single, secure point of entry to access all your APIs. It offers a simple, consistent interface for all clients and partners to access your APIs and plays a key role in full lifecycle API management.

Its key functionalities include:

• Abstraction and simplification of internal functionality
• Providing an easy and intuitive mechanism to publish and document APIs
• Simplifying external/internal developer on-boarding
• Scalability to securely manage a multitude of APIs
• Rapid prototyping and development
• Authentication and authorization through security patterns like TLS, API keys, OAuth, etc.
• Strong analytics and monitoring of APIs

Working architecture of an API Gateway

Runtime

At a bare minimum, an API gateway needs to provide a runtime component. This component is responsible to receive the client request (typically an HTTP JSON request), apply some transformations, aggregate and call the required backend services and provide response back to the client in the format conducive to the front end.

Security

Typically, the API gateway is exposed to the Internet. Hence security is paramount. This is achieved through standard practices like API keys, OAuth and 1-way/2-way TLS. These are bundled in some format on the API gateway, to be easily applied on the APIs, as required, usually as configuration, rather than code.

Transformation

The incoming requests from the clients may follow a different pattern compared to the protocols under which the internal services operate. Hence, some features are required to translate the external client representation into the patterns and protocols that internal components communicate on. For this, typically some standard features like XML/JSON conversions, protocol manipulations such as changing HTTP GETs to POSTs, modification of headers, query and payload parameters are provided. For more advanced use-cases and requirements, some scripting may be required which can be achieved through JavaScript, GoLang, Java, Python, Node.js etc.

Caching

Additional features like request/response caching are supported by API gateways. This saves round trips to the downstream services and re-use the existing responses leading to lower latencies, faster response times and enhanced customer experience.

Storage

For the internal management of the API gateway assets, a configuration database is required. This manages assets like API keys, configuration data, routing rules, access tokens, key-value maps, etc. Since throughput is of prime importance; low latency, NoSQL, in-memory databases are popular choices.

Publishing

Since the APIs need to be exposed and will be used by external developers, we need a mechanism to share them. This is done through a publisher portal. Here we capture the details of APIs, access patterns and documentation. Community forum boards, technical assistance and monetization features and options can also be placed here.

Analytics

As an API provider, we need to analyse which APIs are being consumed and how they are performing. For this, we need a strong analytics platform, which can measure statistics like transactions per Second (TPS) and error rates. Based on this analysis, we can provide deep and valuable insights to the product teams.

API Monetization

API monetization is a powerful capability to help leverage your digital assets, build a commercial infrastructure and revenue generating streams. With monetization, third-party API developers and other partners that use your assets can be charged for your API products.

Choose Wisely!

Here are some common, non-exhaustive list of criteria to help you select an API Gateway:

Criteria	Description
SaaS (Software As A Service) vs On-Premise	Due to various compliance needs and regulations, there might be a need to host your own gateway. This is then a critical feature during your evaluation process. Does the API gateway offer SaaS? On-Premise? Hybrid solutions?
Security	Does the API Gateway offer industry-standard security policies and features?
Onboarding	To increase API adoption, we need an easy to use, self-service on-boarding platform and a sandbox environment where API’s can be tried out. Does the API gateway provide this feature, out of the box?
Performance	Typically, depending on workloads, API gateways introduce minor latencies in the API response time. So performance is a critical attribute and is usually measured in TPS and/or IOPS (Input/output operations/second)
Features	Apart from security and throttling, certain other features like monetization, ease of development/operations, transformation features, caching, versioning, governance, routing, reporting etc become important in day-to-day management. Are all these features provided out of the box by the API Gateway?
Vendor eco-system	Does the API Gateway vendor provide training? Does the vendor provide support and platform maintenance services? How frequently are patches and upgrades provided to the platform?
Management Automation	Does the API Gateway vendor provide automation options to configure, manage, and integrate the solution into your operational processes? Vendors that offer APIs that are highly configurable, along with reporting APIs and webhooks for important events, ensure that you can easily automate changes and integrate it into your deployment process.

About the Authors

Girish Gajria, Associate Technologist, Torry Harris

Amar Sudha Gururaj, Project Manager, Torry Harris