Learn how API gateways are helping organizations provide quicker, easier and more secure access to their cloud-based data and services.

An application programming interface (API) gateway is software that takes an application user’s request, routes it to one or more backend services, gathers the appropriate data and delivers it to the user in a single, combined package. It also provides analytics, layers of threat protection and other security for the application.

The value of an API gateway

An API gateway provides a single entry point for all API calls that come into an application, whether the app is hosted in an on-premises data center or on the cloud. It accepts requests that come in remotely and returns the requested data.

For example, consider a restaurant’s web application. Using a laptop or cellphone, a user can enter one request and easily access the restaurant’s menu, diners’ photos and reviews, its payment service and a map to check its location, despite all that information being gathered and delivered from different backend microservices or APIs. Their request is received and executed by an API gateway.

Beyond just servicing requests, though, an API gateway also provides value by making data available in a way appropriate for the requestor’s technology. Someone requesting information about a retail store using a web browser, for instance, is shown much more information than someone who requests and views the same store’s data on a mobile phone. API gateways can also enable real-time communication between an application’s frontend and backend — for instance, in web chat, stock trading systems and online games.

API gateways and microservices

API gateways, sometimes called “edge microservices,” are frequently used in applications created with modern, cloud-native microservices architecture. These applications are typically composed of many independent, autonomous, single-function components (or microservices), each managed by its own small, self-contained DevOps team. The microservices are loosely coupled, connect to their own databases and can be deployed, maintained and tested independently.

When requests for information come into an application with microservices, an API gateway provides a streamlined approach to retrieving and returning the data. In addition to handling access control, it allows fast, reliable delivery within large and complex applications.

Since microservices run in their own independent environments, they can be added, upgraded, moved and changed without impacting the overall application. API gateways make it easier for companies to scale up their applications. Plus, they can develop new features faster, allowing for more innovation and a faster time-to-market.

API gateways and monolithic apps

Before there were microservices, there were monolithic applications. These applications rely upon services that are part of an all-in-one architecture connected to a single database. All components are dependent upon each other and operate as a single unit. Changing any aspect of a monolithic application means changing the code that runs the entire architecture.

Many monolithic applications are still in use. They primarily use API gateways to connect with external third parties, internal users or partners while providing the same security, scalability and other benefits that apply to microservices.

How do API gateways work?

API gateways sit between a user and a collection of microservices, providing three key services:

  1. Request routing: An API gateway receives a new API request, turns it into multiple requests, consults a routing map that shows where each request should be sent and sends the requests to the appropriate internal microservice or microservices.
  2. API composition: The API gateway provides workflow orchestration as it aggregates the requested information from multiple microservices, bundles the data and returns it to the requestor in composite form.
  3. Protocol translation: API requests come in from devices that use different API protocols, and the gateway helps clients and microservices communicate by translating between them. It translates from the protocol the end-user device uses (whether a web browser, mobile or another endpoint) to the protocol each microservice uses. A REST API, for example, uses the HTTP protocol to request API services. A wide area network (WAN) and a local area network (LAN), for instance, perform differently and have different API needs. When information comes back, the gateway transforms it and returns it to requestors in a form they can view. If, for instance, a microservice provides a response in XML but the request came in using JSON, the gateway automatically does that translation.
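
The three services above in one small sketch, added here as an illustration and not taken from any gateway product. The backends are constructed in-process stand-ins, and the names `menu_service`, `reviews_service`, `ROUTES` and `handle` are assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed stand-ins for two backend microservices (hypothetical names).
def menu_service(restaurant_id):
    # This backend answers in XML.
    return "<menu><item>Margherita</item><item>Tiramisu</item></menu>"

def reviews_service(restaurant_id):
    # This backend answers in JSON.
    return json.dumps({"reviews": [{"stars": 5, "text": "Great"}]})

def xml_to_dict(xml_text):
    """Protocol translation: flat XML from a backend -> JSON-friendly data.

    The XML here comes from an internal backend; XML from untrusted
    sources should go through a hardened parser instead.
    """
    root = ET.fromstring(xml_text)
    return {root.tag: [child.text for child in root]}

# Routing map: public path -> (backend, translator) pairs to fan out to.
ROUTES = {
    "/restaurant": [(menu_service, xml_to_dict), (reviews_service, json.loads)],
}

def handle(path, restaurant_id):
    """Route one client request, fan out, translate and compose the reply."""
    backends = ROUTES.get(path)
    if backends is None:
        # Paths missing from the routing map never reach any backend.
        return 404, json.dumps({"error": "no route"})
    combined = {"restaurant_id": restaurant_id}
    for call, translate in backends:
        combined.update(translate(call(restaurant_id)))
    # API composition: one JSON document built from several services.
    return 200, json.dumps(combined)
```

Because only paths listed in `ROUTES` are forwarded, the routing map also acts as an allowlist of what the backend exposes.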

Benefits of API gateways

Adding one or more API gateways to your microservice applications provides many benefits:

  • Microservices security: An API gateway puts a barrier in front of an application’s backend, making it more secure. It means an application’s endpoints are not exposed; therefore, there’s less threat of attack. A company can also use HTTPS for additional security or HTTP encrypted with SSL, which improves performance.
  • API authentication: An API gateway provides another security layer that protects against mistakes, hacks and data breaches by authenticating API calls. Authentication and authorization can include antivirus scanning, decryption and encryption, token translation, validation and other security functions.
  • Input validation: Input validation ensures an API request has all the necessary information in the correct format before the gateway passes it along to a microservice. If something is missing or wrong, the gateway rejects the request. When it’s validated as being correct, the gateway sends the request.
  • Faster response times: Because an API gateway sends requests directly to the right services, there are fewer roundtrips and less traffic, reduced latency and better performance overall, which means an application provides an improved user experience.
  • Microservices load balancing: An API gateway keeps track of requests sent to different microservices, balances the load between nodes for efficiency and ensures the application remains available. This load balancing is critical when high traffic levels are expected — such as during a Black Friday sale or new product launch — to prevent spikes or denial-of-service events.
  • Rate limiting: Rate limiting means an API gateway monitors traffic coming in from all sources and limits how many API requests a client (or malicious bot) can make in a specific time period — per second, or per day, week or month — to protect the system from being flooded with requests and possibly crashing.
  • Billing for microservices: Some businesses monetize some of their APIs by offering a service to consumers or other companies. The API gateway handles traffic, monitors usage for specific products or services and sends pricing information to a connected billing system. There are different types of direct monetization, including users paying as they access a service or resource, for a certain number of services or via tiers (where different services are provided at different levels). Other APIs share revenue with consumers through ad revenue share, affiliate marketing or credits to a consumer’s bill.
  • Microservices caching: API gateways can help optimize API calls, such as with microservices caching. Caching responses to API calls can help avoid unnecessary load on backend services. The cached responses can be used when similar requests are received, improving performance and decreasing cost.
  • Monitoring and tracking apps’ analytics: Since an API gateway controls all of an application’s inbound traffic, it’s straightforward to have the software monitor and produce reports about visibility, trends and other insights about API usage. The gateway software can also create traffic logs that help an API provider understand and fix infrastructure problems.
  • Extending legacy apps: Businesses still use legacy applications that contain essential data, perform significant functions and provide value, but the apps were not written for APIs. Such older technology can have trouble handling the increasing numbers of calls from newer technologies, such as mobile, SaaS or IoT apps. They can also be hard to access. Instead of taking on a complicated cloud migration, a DevOps team can add API functionality — including benefits like rate limiting and throttling — to help modernize and extend the functionality of a legacy application.
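
How the input validation and rate limiting described in this list can sit in front of a backend, as an added example that is not code from any gateway product. The token-bucket algorithm, the `ORDER_SCHEMA` fields, the limits and the class names are assumptions chosen for illustration.

```python
import time

class TokenBucket:
    """Per-client bucket: refills `rate` tokens/second up to `capacity`."""
    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.stamp = capacity, now

    def allow(self, now):
        # Refill for the elapsed time, capped at capacity, then spend one token.
        self.tokens = min(self.capacity, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

# Constructed schema for a hypothetical "place order" request body.
ORDER_SCHEMA = {"item_id": int, "quantity": int}

def validate(body):
    """Return a list of problems; an empty list means the request is well-formed."""
    if not isinstance(body, dict):
        return ["body must be an object"]
    errors = [f"missing {k}" for k in ORDER_SCHEMA if k not in body]
    errors += [f"unexpected {k}" for k in body if k not in ORDER_SCHEMA]
    for k, t in ORDER_SCHEMA.items():
        # bool is a subclass of int in Python, so exclude it explicitly.
        if k in body and (not isinstance(body[k], t) or isinstance(body[k], bool)):
            errors.append(f"{k} must be {t.__name__}")
    if not errors and not 1 <= body["quantity"] <= 100:
        errors.append("quantity out of range")
    return errors

class Gateway:
    def __init__(self, backend, rate=1.0, burst=3, clock=time.monotonic):
        self.backend, self.rate, self.burst, self.clock = backend, rate, burst, clock
        self.buckets = {}  # client_id -> TokenBucket

    def handle(self, client_id, body):
        now = self.clock()
        bucket = self.buckets.setdefault(client_id, TokenBucket(self.rate, self.burst, now))
        if not bucket.allow(now):  # checked first, so malformed floods also spend tokens
            return 429, {"error": "rate limit exceeded"}
        errors = validate(body)
        if errors:
            return 400, {"errors": errors}  # rejected here, never forwarded
        return 200, self.backend(body)
```

The clock is injectable so the limiter can be exercised deterministically, and the rate check runs before validation so that a client sending malformed requests is throttled like any other.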

Challenges of API gateways

While there are many benefits to adding an API gateway, there can also be challenges:

  • Response time: While latency and response time are often decreased due to requests traveling more efficiently, the additional step of a request passing through an API gateway can potentially add to response time.
  • Dependencies: Anytime a business adds, changes or removes a microservice, it must update its API gateway. That can be challenging with an application that has evolved from having just a few microservices to encompassing many. However, creating API design rules can help with this.
  • Complexity: Routing logic can make communication with microservices more complex. The API gateway is another system that must be developed, deployed and maintained.
  • Security: Because an API gateway touches many areas of an enterprise’s systems, its compromise can seriously impact an application’s safety. 
  • Reliability: If there’s only one API gateway and it goes down, the whole application becomes unavailable. Creating multiple API gateways and using load balancers can help avoid this situation.

Open-source API gateways

An open-source API gateway lets DevOps teams create new API sources without writing code. Some of the benefits of an open-source API gateway include letting a company start small and scale up fast, allowing the flexibility to innovate and change quickly and providing transparency for users.

API gateways with service mesh

Service mesh — which can be used with microservices architecture and on any platform, such as VMs, containers, Kubernetes, Docker or serverless workloads — is an infrastructure layer that provides a consistent way for services to communicate within a system. Using an API gateway in addition to a service mesh adds security to APIs and provides a greater speed to delivery.

API gateways and ingress

Ingress is an object that sets rules for accessing Kubernetes services from outside a Kubernetes cluster. It allows a DevOps team to consolidate routing into one resource and can provide load balancing, SSL termination and name-based virtual hosting.

However, it does not support some of the other features API gateways provide, such as authentication, security, rate limiting and more. API gateways offer more flexibility, configuration and security options than ingress.

What is the difference between API management and API gateways?

While an API gateway sits in front of APIs — handling, routing and securing API calls — API management is an overall solution that manages the entire API lifecycle and includes API gateways. Another way to think about it is that API gateways are API management tools.

The three main phases of the API lifecycle are creating (building and documenting the API), controlling (applying security) and consuming (publishing and monetizing your APIs). API gateways fall under the control phase of the API lifecycle — they secure APIs and keep data safe.

API gateways and IBM

APIs will continue to be just one part of application modernization and transforming your organization.

When it comes to meeting such demands, a move toward greater automation will help. Ideally, it would start with small, measurably successful projects, which you can then scale and optimize for other processes and in other parts of your organization.

Working with IBM, you’ll have access to AI-powered automation capabilities, including prebuilt workflows, to help accelerate innovation by making every process more intelligent.

Take the next step:

  • Explore IBM API Connect®, an intuitive and scalable API design platform to create, securely expose, manage and monetize APIs across cloud computing systems.
  • Build skills to help you create developer communities to publish and share APIs and engage with them through a self-service portal in the Solution Developer: IBM API Connect curriculum.
  • API Connect can also come integrated with other automation capabilities in IBM Cloud Pak® for Integration, a hybrid integration solution that provides an automated and closed-loop lifecycle across multiple styles of enterprise integration. 
  • For Business to Business API connections explore the IBM Sterling Supply Chain Business Network B2B API Gateway for secure connections between you, your customers, and your partners.
  • Take our integration maturity assessment to evaluate your integration maturity level across critical dimensions and discover the actions you can take to get to the next level. 
  • Download our agile integration guide, which explores the merits of a container-based, decentralized, microservices-aligned approach for integrating solutions.  

Get started with an IBM Cloud account today.
