Enterprises normally run a technology estate that manages a web of internal and external connections, such as those with vendors, clients, intranet systems, CRMs, retailers and payment systems. These disparate corporate tools often lack coherence and proper support.
This calls for a strategy that reduces dependencies on external software and establishes APIs that can be moulded and customized to your business needs. When properly managed, your APIs allow for greater internal flexibility while establishing connectivity both internally (marketing, sales, customer service) and externally (apps, websites, and platforms that offer the company's own APIs to third parties).
Such a strategy, among other things, requires a robust API gateway as a single point of entry for identity and access management, and throttling.
The need for an API Gateway
An API gateway provides a single, secure point of entry to access all your APIs. It offers a simple, consistent interface for all clients and partners to access your APIs and plays a key role in full lifecycle API management.
Its key functionalities include:
- Abstraction and simplification of internal functionality
- Providing an easy and intuitive mechanism to publish and document APIs
- Simplifying external/internal developer on-boarding
- Scalability to securely manage a multitude of APIs
- Rapid prototyping and development
- Authentication and authorization through security patterns like TLS, API keys, OAuth, etc.
- Strong analytics and monitoring of APIs
Working architecture of an API Gateway
At a bare minimum, an API gateway needs to provide a runtime component. This component is responsible for receiving the client request (typically an HTTP request carrying JSON), applying transformations, calling and aggregating the required backend services, and returning the response to the client in a format suited to the front end.
Typically, the API gateway is exposed to the Internet, so security is paramount. It is achieved through standard practices such as API keys, OAuth and one-way or two-way (mutual) TLS. These are packaged as reusable policies on the gateway so they can be applied to individual APIs as required, usually as configuration rather than code.
API gateways also support additional features such as request/response caching. Caching saves round trips to downstream services by re-using existing responses, which lowers latency, speeds up responses and improves the customer experience.
For the internal management of the API gateway's assets, a configuration database is required. It holds assets such as API keys, configuration data, routing rules, access tokens and key-value maps. Since throughput is of prime importance, low-latency NoSQL and in-memory databases are popular choices.
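The runtime behaviour described above (API-key authentication, per-client throttling, response caching and routing to a backend), condensed into a small in-process gateway as an added example; this is not code from the original article or from any gateway product. The routes, API key, rate limit and the `orders_backend` stand-in are constructed sample data, and the real network hop to the downstream service is replaced by a plain function call.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample configuration: policies are data attached to routes, not code.
API_KEYS = {"key-alpha": {"client": "mobile-app", "rate_per_min": 3}}
ROUTES = {"/v1/orders": {"backend": "orders", "cache_ttl": 30, "require_key": True}}

def orders_backend(req):  # stand-in for a downstream service normally called over HTTP
    return {"orders": [{"id": 1}], "trace": req.get("trace")}
BACKENDS = {"orders": orders_backend}

@dataclass
class Gateway:
    clock: Callable[[], float] = time.monotonic  # injectable so tests control time
    buckets: dict = field(default_factory=dict)  # client -> (tokens, last_refill)
    cache: dict = field(default_factory=dict)    # (path, client) -> (expires, body)
    backend_calls: int = 0                       # round trips actually made

    def _client_for(self, key):  # constant-time key check; None if unknown
        for k, meta in API_KEYS.items():
            if key and hmac.compare_digest(k.encode(), key.encode()):
                return meta
        return None

    def _allow(self, client, limit):  # token bucket: `limit` requests per minute
        now = self.clock()
        tokens, last = self.buckets.get(client, (limit, now))
        tokens = min(limit, tokens + (now - last) * limit / 60.0)
        allowed = tokens >= 1
        self.buckets[client] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def handle(self, path, headers, body=None):  # returns (status, json body)
        route = ROUTES.get(path)
        if route is None:
            return 404, {"error": "no such route"}
        meta = self._client_for(headers.get("X-API-Key"))
        if route["require_key"] and meta is None:
            return 401, {"error": "invalid or missing API key"}
        if meta and not self._allow(meta["client"], meta["rate_per_min"]):
            return 429, {"error": "rate limit exceeded"}
        cache_key = (path, meta["client"] if meta else None)  # never share across clients
        if (hit := self.cache.get(cache_key)) and hit[0] > self.clock():
            return 200, hit[1]  # cached: no round trip to the backend
        resp = BACKENDS[route["backend"]](body or {})
        self.backend_calls += 1
        self.cache[cache_key] = (self.clock() + route["cache_ttl"], resp)
        return 200, resp
```

Note that the cache is keyed by client as well as path, so a response produced for one API key is never served to another; throttling is applied before the cache lookup so cached hits still count against the client's quota.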
Since the APIs need to be exposed and will be used by external developers, we need a mechanism to share them. This is done through a publisher portal. Here we capture the details of APIs, access patterns and documentation. Community forum boards, technical assistance and monetization features and options can also be placed here.
As an API provider, we need to analyse which APIs are being consumed and how they are performing. For this, we need a strong analytics platform that can measure statistics such as transactions per second (TPS) and error rates. Based on this analysis, we can provide deep and valuable insights to the product teams.
API monetization is a powerful capability to help leverage your digital assets, build a commercial infrastructure and revenue generating streams. With monetization, third-party API developers and other partners that use your assets can be charged for your API products.
Here is a common, non-exhaustive list of criteria to help you select an API gateway:

| Criterion | What to evaluate |
|---|---|
| SaaS (Software as a Service) vs. on-premise | Compliance needs and regulations may require you to host your own gateway, which makes this a critical feature during evaluation. Does the API gateway offer SaaS, on-premise or hybrid deployment? |
| Security | Does the API gateway offer industry-standard security policies and features? |
| Onboarding | To increase API adoption, we need an easy-to-use, self-service onboarding platform and a sandbox environment where APIs can be tried out. Does the API gateway provide this out of the box? |
| Performance | Depending on workloads, API gateways typically add a small amount of latency to the API response time, so performance is a critical attribute. It is usually measured in TPS and/or IOPS (input/output operations per second). |
| Features | Apart from security and throttling, features such as monetization, ease of development and operations, transformation, caching, versioning, governance, routing and reporting become important in day-to-day management. Are all of these provided out of the box by the API gateway? |
| Vendor ecosystem | Does the API gateway vendor provide training? Does the vendor provide support and platform maintenance services? How frequently are patches and upgrades provided for the platform? |
| Management automation | Does the API gateway vendor provide automation options to configure, manage and integrate the solution into your operational processes? Vendors that offer highly configurable management APIs, along with reporting APIs and webhooks for important events, ensure that you can automate changes and integrate the gateway into your deployment process. |