Introduction to API-Gateway

aditya goel
Feb 18, 2023

Question:- What is an API-Gateway ?

Answer → Here is what an API-Gateway is :-

  • An API-Gateway is a single point of entry for the clients of an application.
  • It sits between the client and a collection of backend services for the application.

Question:- What are the important functions of an API-Gateway ?

Answer → Here are some crucial functions of API-Gateway :-

Question:- Explain the flow of a request through an API-Gateway ?

Answer → Here are steps involved in the Flow :-

Step #1.) Client sends a request to the API-Gateway.

  • The request is typically HTTP-based.
  • It could be REST, GraphQL or some other higher-level abstraction.

Step #2.) The API-Gateway validates the HTTP request.

Step #3.) The API-Gateway checks the caller’s IP-Address and other HTTP headers against its allow-list & deny-list. It could also perform some basic Rate-Limit checks against attributes such as the IP-Address and HTTP headers. For example, the API-Gateway could reject requests from an IP-Address that exceeds a certain rate.

Step #4.) The API-Gateway passes the request to an Identity-Provider for Authentication/Authorization. The API-Gateway receives an Authenticated-Session back from the provider with the scope of what the request is allowed to do.

Step #5.) A high-level Rate-Limit check is applied against the Authenticated-Session. If it is over the limit, the request is rejected.

Step #6/7.) With the help of a Service-Discovery component, the API-Gateway locates the appropriate backend service to handle the request by path-matching.

Step #8.) The API-Gateway transforms the request into the appropriate protocol and sends the transformed request to the backend-service. An example protocol could be gRPC. When the response comes back from the Backend service, the API-Gateway transforms the response back to the public facing protocol and returns the response to the client.
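
An added example (not from the original post) that chains Steps 2 to 7 in the order given above and returns the first failing check. The route table, the session store standing in for the Identity-Provider, the limits and the addresses are all constructed assumptions.

```python
import time
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample configuration (not from the original page).
DENY_NETS = [ip_network("203.0.113.0/24")]
ROUTES = {"/orders": "orders-svc:50051", "/users": "users-svc:50051"}  # external API only
SESSIONS = {"tok-alice": {"user": "alice", "scopes": {"/orders"}}}  # stand-in for the IdP
IP_LIMIT, SESSION_LIMIT, WINDOW = 5, 3, 60.0  # max requests per WINDOW seconds
_hits = defaultdict(deque)

def _over_limit(key, limit, now):
    """Sliding window: True once key has more than limit hits within WINDOW."""
    q = _hits[key]
    while q and now - q[0] >= WINDOW:
        q.popleft()
    q.append(now)
    return len(q) > limit

def handle(method, path, headers, client_ip, now=None):
    """Run the gateway checks in order; return (status, detail)."""
    now = time.monotonic() if now is None else now
    # Step 2: validate the HTTP request.
    if method not in {"GET", "POST"} or not path.startswith("/") or ".." in path:
        return 400, "malformed request"
    # Step 3: deny-list, then coarse per-IP rate limit.
    if any(ip_address(client_ip) in net for net in DENY_NETS):
        return 403, "ip denied"
    if _over_limit(("ip", client_ip), IP_LIMIT, now):
        return 429, "ip rate limit"
    # Step 4: authenticate; the session carries the allowed scope.
    auth = headers.get("Authorization", "")
    session = SESSIONS.get(auth[7:] if auth.startswith("Bearer ") else "")
    if session is None:
        return 401, "unauthenticated"
    # Step 5: rate limit per authenticated session.
    if _over_limit(("user", session["user"]), SESSION_LIMIT, now):
        return 429, "session rate limit"
    # Steps 6/7: path-match against exposed routes only; unknown paths get 404.
    prefix = next((p for p in ROUTES if path == p or path.startswith(p + "/")), None)
    if prefix is None:
        return 404, "no such route"
    if prefix not in session["scopes"]:
        return 403, "out of scope"
    # Step 8: protocol translation would happen here; return the backend target.
    return 200, ROUTES[prefix]
```

Rejected requests still count toward the window, so a client that keeps retrying while limited stays limited.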

Question:- What other critical services can an API-Gateway provide ?

Answer → A proper API-Gateway also provides certain other critical services :-

  • An API-Gateway should be able to track errors and provide circuit-breaking functionality, to protect the services from getting overloaded.
  • An API-Gateway should also be able to provide Logging, Monitoring and Analytics-Services for Operational-Observability.

Question:- Demonstrate the Service-Discovery functionality of API-Gateway?

Answer → In any web application, the FrontEnd would have to integrate with lots of micro-services, as shown below :-

Change.) Say a new service comes up on the BackEnd side as a result of code refactoring; the FrontEnd would then have to integrate this new endpoint as well :-

Implication.) Ultimately, the FrontEnd guy would say to the BackEnd guy, “Are you kidding me with so many endpoints / services ?”

Solution.) In order to avoid this inconvenience for the FrontEnd, the BackEnd can supply an Abstraction Layer. There is no reason for the FE-team to be aware of all the details of the various micro-services which the BackEnd maintains.

This Abstraction-Layer is merely a Facade, which routes the requests & responses made by anyone outside the Micro-services System. The FE-team only needs to know about this Abstraction-Layer.

Working of Abstraction-Layer.) This Abstraction-Layer contains all the endpoints which are exposed to the outside world.

  • When the actual request comes-in from the FE, it knows which actual micro-service to call. In that sense, it acts as a Traffic-Controller OR Router.
  • This Abstraction-Layer forms a single entry point for all of your micro-services.

Advantages of having an Abstraction-Layer.)

  • If we have an Abstraction-Layer in between, then we are free to split our BackEnd into as many micro-services as we like OR refactor them as many times as we want.
  • As long as the contract between the FE & the Facade-Service is maintained, clients accessing the APIs from outside don’t even need to know what we are doing within.

Formal name of this Abstraction-Layer.) This Abstraction-Layer is called an API-Gateway. It is also known by the name Edge-Micro-service.

Question:- Given a Micro-Service System, what do we need to do, in order to start using the API-Gateway?

Answer → Below is a simple 2-step process that we need to follow in order to start using the API-Gateway :-

Step #1.) First, we need to identify what our External-API is going to be, i.e. which APIs are we OK with the external world calling ?

Note that our micro-services may have a lot of APIs, but we certainly don’t want all of them to be accessible by the outside world/Clients.

Step #2.) Now, we bring in a micro-service called the Gateway Micro-Service. We can either write a new one OR use an existing technology. This Gateway micro-service is in turn going to call one of our existing micro-services and pass along the response. This technique is also known as API-Composition because we are composing the APIs out of other APIs.

Question:- What other things can we achieve using the API-Gateway?

Answer → Now that we know all of our requests go through this single micro-service, we can leverage it for other things :-

Advantage #1.) Monitoring → We can add some kind of monitoring that measures :-

  • How many requests are coming in ?
  • How long are these requests taking ?

Advantage #2.) Authentication → We can authenticate the users here. We can pass Security-Tokens like JWT.

Advantage #3.) Security → We can also implement measures to prevent DoS attacks, deny access to certain IPs, users, etc.

Question:- What all options are popular for implementing the API-Gateway ?

Answer → There are many popular Gateway implementations. One such implementation is Zuul, which comes from the Netflix stack. We download Zuul and run it wherever we run our micro-services.

Question:- What are the disadvantages of using an API-Gateway ?

Answer → There are a couple of disadvantages of using the API-Gateway design pattern :-

  • Increased Latency → We have added an additional Network-Hop, so things are going to be a little bit slower. We can’t do anything to solve this problem, since it is inherent to the pattern.
  • Single Point of Failure → The API-Gateway itself can go down, and since it’s the single entry point, our entire system of micro-services can go down with it.
  • Increased Complexity → The API-Gateway can sometimes become too complex a layer. For example, our various clients might need different APIs. However, this problem can be addressed too.

Question:- How can we prevent the API-Gateway from becoming a Single Point Of Failure ?

Answer → In order to make sure that the API-Gateway doesn’t become a single point of failure :-

  • We can use a cluster of API-Gateways.
  • We can split our Incoming-Calls by the use of a Load-Balancer before the API-Gateway.

Question:- How to address the problem of Complexity ?

Answer → In that case, rather than over-complicating a single API-Gateway, we might have to create different Gateways for different Clients, one for each client. We can then make those Clients call their respective Gateways.

This design pattern is also called “BackEnd For FrontEnds”, i.e. different API-Gateways for the different frontend clients.

Question:- What should be the deployment pattern for the API-Gateway ?

Answer → An API-Gateway is a critical piece of Infrastructure.

  • It should be deployed to multiple regions to improve Availability.
  • For many Cloud-Provider Offerings, API-Gateway is deployed across the World, closer to the clients.
