An API gateway accepts requests (specifically, API calls) from a client and routes them to the appropriate backend apps or microservices. It secures and mediates critical traffic between backend services and consumers of the API, thereby reducing the risk of breaches, downtime, and slow performance.
Today, most modern apps are built using APIs – software interfaces that enable two applications or services to communicate and allow for interactivity between products and services in the form of requests and responses. As APIs become more common and are distributed across microservices architectures, additional infrastructure is needed to ensure scalability and security.
Why Use an API Gateway?
Using an API gateway means you can expose and maintain a single API domain (for example, api.example.com). With an API gateway, you can provide one entry point to all clients, potentially routing requests to different versions of the API depending on the user request. The API gateway enables you to deliver the best possible response by invoking multiple microservices for a single client request and aggregating the results.
You can learn more about deploying NGINX as an API gateway in our blog series Deploying NGINX as an API Gateway.
Basic Capabilities of an API Gateway
API gateways can be used for both monolithic and microservices-based apps. API gateways perform several functions, including:
- Authenticating the requesters making API calls (AuthN)
- Verifying that the requester is authorized to make the request (AuthZ)
- Routing requests to appropriate backends
- Applying rate limits to prevent overloading of your systems
- Applying rate limits to mitigate DDoS attacks
- Offloading SSL/TLS traffic to improve performance
- Handling errors and exceptions
API Gateway vs. API Management
The terms API gateway and API management are sometimes used interchangeably, but are in fact not synonymous. An API gateway is the data plane that sits between the client and API endpoint. It is an individual proxy server responsible for routing, policies, and security. API management refers to the control plane that manages APIs in production. It defines policies, pushes configurations, generates reports and alerts, and has visibility over all API gateways.
Ideally, the API management platform is infrastructure-agnostic, giving you freedom to deploy API gateways across various environments (for example, on premises, cloud, and edge) in the way that best suits your use cases.
API Gateway for Microservices
In microservices architectures, a single API can have hundreds of endpoints, and a single application can consist of multiple microservices that communicate via APIs. With a microservices app exposing many API endpoints, the potential attack surface is far greater than with monolithic apps.
Adopting an API gateway for microservices can mitigate risks by streamlining access and communication between the client and API. But the API gateway still encapsulates APIs, which are characteristically open. As they expose the data required for connectivity, APIs might also expose sensitive data.
The Open Web Application Security Project (OWASP) highlights the most prevalent vulnerabilities in their OWASP API Security Top 10 project:
API1. Broken Object Level Authorization
API2. Broken User Authentication
API3. Excessive Data Exposure
API4. Lack of Resources & Rate Limiting
API5. Broken Function Level Authorization
API6. Mass Assignment
API7. Security Misconfiguration
API9. Improper Assets Management
API10. Insufficient Logging & Monitoring
To protect APIs from these prevalent new attacks, securing an API gateway becomes critical. Learn more about the importance of securing your API gateway in Secure Your API Gateway with NGINX App Protect WAF on our blog.
API governance refers to applying rules and guardrails across your APIs and API gateway. Implementing a flexible API governance model helps balance global policies like logging, error response codes, and TLS configuration.
For any organization implementing an API-first strategy, particularly large organizations with thousands of APIs, ensuring consistency through API governance combats potential API sprawl . While API governance was once seen as something that could slow down development, it’s now necessary when APIs are being managed at scale.
API Gateway Resources
The follow resources provide more information about API gateway capabilities, use cases, and common deployment patterns:
- Learning Page: API Gateway
- Building Microservices Using an API Gateway
- How Do I Choose? API Gateway vs. Ingress Controller vs. Service Mesh
- Deploying NGINX Plus as an API Gateway
How Can NGINX Help?
NGINX is a lightweight, cloud‑native API gateway that you can deploy across clouds and on-premises environments. Configuring NGINX as an API gateway enables you to protect APIs with rate‑limiting policies, enforce specific request methods, and provide fine‑grained access control.
NGINX as an API gateway is also a high-performance and CI/CD-friendly solution with advanced security. To learn more, read our blog series Deploying NGINX as an API Gateway.
NGINX offers both universal tools and Kubernetes-native tools for implementing an API gateway depending on your use cases and deployment patterns.
- NGINX Plus as an API gateway – Lightweight, high-performance API gateway that can be deployed across cloud, on-premises, and edge environments
- F5 NGINX Management Suite API Connectivity Manager – Deploy and operate API gateways with developer-friendly tools for API management, governance, and security
Get started by requesting your 30-day free trial of NGINX Management Suite, which includes NGINX Plus as an API gateway and API Connectivity Manager.
- NGINX Ingress Controller – Manages app connectivity at the edge of a Kubernetes cluster with API gateway, identity, and observability features
- NGINX Service Mesh – Developer-friendly solution for service-to-service connectivity, security, orchestration, and observability
Get started by requesting your free 30-day trial of NGINX Ingress Controller with NGINX App Protect WAF and DoS, and download the always‑free NGINX Service Mesh.