Enterprises normally have a technology estate that helps manage the different intra and interconnections – such as with vendors, clients, intranet systems, CRMs, retailers, payment systems and so on. But these different corporate tools may lack coherence and proper support.
This necessitates a strategy that will drive down dependencies on external software and establish APIs that can be moulded and customized to your business needs. When properly managed, your APIs allow for greater internal flexibility while establishing connectivity both internally (marketing, sales, customer service) and externally (apps, websites, platforms to offer the company's own APIs to third parties).
Such a strategy, among other things, requires a robust API gateway as a single point of entry for identity and access management, and throttling.
The need for an API Gateway
An API gateway provides a single, secure point of entry to access all your APIs. It offers a simple, consistent interface for all clients and partners to access your APIs and plays a key role in full lifecycle API management.
Its key functionalities include:
- Abstraction and simplification of internal functionality
- Providing an easy and intuitive mechanism to publish and document APIs
- Simplifying external/internal developer on-boarding
- Scalability to securely manage a multitude of APIs
- Rapid prototyping and development
- Authentication and authorization through security patterns like TLS, API keys, OAuth, etc.
- Strong analytics and monitoring of APIs
Working architecture of an API Gateway
 |
Runtime
|
At a bare minimum, an API gateway needs to provide a runtime component. This component is responsible to receive the client request (typically an HTTP JSON request), apply some transformations, aggregate and call the required backend services and provide response back to the client in the format conducive to the front end.
 |
Security
|
Typically, the API gateway is exposed to the Internet. Hence security is paramount. This is achieved through standard practices like API keys, OAuth and 1-way/2-way TLS. These are bundled in some format on the API gateway, to be easily applied on the APIs, as required, usually as configuration, rather than code.
 |
Transformation
|
The incoming requests from the clients may follow a different pattern compared to the protocols under which the internal services operate. Hence, some features are required to translate the external client representation into the patterns and protocols that internal components communicate on. For this, typically some standard features like XML/JSON conversions, protocol manipulations such as changing HTTP GETs to POSTs, modification of headers, query and payload parameters are provided. For more advanced use-cases and requirements, some scripting may be required which can be achieved through JavaScript, GoLang, Java, Python, Node.js etc.
 |
Caching
|
Additional features like request/response caching are supported by API gateways. This saves round trips to the downstream services and re-use the existing responses leading to lower latencies, faster response times and enhanced customer experience.
 |
Storage
|
For the internal management of the API gateway assets, a configuration database is required. This manages assets like API keys, configuration data, routing rules, access tokens, key-value maps, etc. Since throughput is of prime importance; low latency, NoSQL, in-memory databases are popular choices.
 |
Publishing
|
Since the APIs need to be exposed and will be used by external developers, we need a mechanism to share them. This is done through a publisher portal. Here we capture the details of APIs, access patterns and documentation. Community forum boards, technical assistance and monetization features and options can also be placed here.
 |
Analytics
|
As an API provider, we need to analyse which APIs are being consumed and how they are performing. For this, we need a strong analytics platform, which can measure statistics like transactions per Second (TPS) and error rates. Based on this analysis, we can provide deep and valuable insights to the product teams.
 |
API Monetization
|
API monetization is a powerful capability to help leverage your digital assets, build a commercial infrastructure and revenue generating streams. With monetization, third-party API developers and other partners that use your assets can be charged for your API products.
Choose Wisely!
Here are some common, non-exhaustive list of criteria to help you select an API Gateway:
| Criteria | Description |
| SaaS (Software As A Service) vs On-Premise | Due to various compliance needs and regulations, there might be a need to host your own gateway. This is then a critical feature during your evaluation process. Does the API gateway offer SaaS? On-Premise? Hybrid solutions? |
| Security | Does the API Gateway offer industry-standard security policies and features? |
| Onboarding | To increase API adoption, we need an easy to use, self-service on-boarding platform and a sandbox environment where API’s can be tried out. Does the API gateway provide this feature, out of the box? |
| Performance | Typically, depending on workloads, API gateways introduce minor latencies in the API response time. So performance is a critical attribute and is usually measured in TPS and/or IOPS (Input/output operations/second) |
| Features | Apart from security and throttling, certain other features like monetization, ease of development/operations, transformation features, caching, versioning, governance, routing, reporting etc become important in day-to-day management. Are all these features provided out of the box by the API Gateway? |
| Vendor eco-system | Does the API Gateway vendor provide training? Does the vendor provide support and platform maintenance services? How frequently are patches and upgrades provided to the platform? |
| Management Automation | Does the API Gateway vendor provide automation options to configure, manage, and integrate the solution into your operational processes? Vendors that offer APIs that are highly configurable, along with reporting APIs and webhooks for important events, ensure that you can easily automate changes and integrate it into your deployment process. |
About the Authors
- Set a robust API strategy that covers the integration of all your key IT assets and data
- Design and develop APIs with clear objectives for each
- Efficiently orchestrate API lifecycles while tracking API calls and API monetisation
Related Posts
In 2008, a significant outage in its data center prevented Netflix from sending DVDs to its customers for three days which prompted the company to rethink its IT architecture.
Organizations today are confronted with challenges arising from the growing number of applications and managing the volume of data being generated across cloud and on-premise environments.
Today, as business data increasingly proliferates a multitude of systems, app-integration teams are finding it increasingly difficult to keep pace. While a platform-based approach takes the pain out of integrating and scaling applications, the volume, velocity, and veracity of data are adding to integration complexities.
Whitepaper
Analyst Speak
(THIS) has been cited among notable vendors by Forrester Research in its report ‘The API Management Software Landscape, Q1 2024’. The report recognizes Torry Harris as a provider offering API management solutions with a geographic focus in the EMEA & APAC regions.
Forrester observes that the initial rush to “lift and shift” to the cloud has now been replaced by a focus on modernization and digital transformation. Cloud migration is the first step in a long journey to take advantage of the latest cloud-native technologies and services.
Torry Harris is a 'Strong Performer' in The Q3 2022 Forrester Wave™ for API Management Solutions. This report shows how each provider measures up and helps technology architecture and delivery (TAD) professionals select the right one for their needs.
Past Webinars
