An API gateway accepts requests (specifically, API calls) from a client and routes them to the appropriate microservices. It secures and mediates critical traffic between backend services and consumers of the API, thereby reducing the risk of breaches, downtime, and slow performance.
Today, most modern apps are built using APIs – software interfaces that enable two applications to communicate and allow for interactivity between products and services in the form of requests and responses. As APIs become more common and are distributed across microservices architectures, additional infrastructure is needed to ensure scalability and security.
Why Use an API Gateway?
Using an API gateway means you can maintain a single API domain (for example, api.example.com). With an API gateway, you can provide one entry point to all clients, potentially routing requests to different versions of the API depending on the user request. The API gateway enables you to deliver the best possible response by invoking multiple microservices with a single request and aggregating the results.
You can learn more about deploying NGINX as an API gateway in our blog series Deploying NGINX as an API Gateway.
Basic Capabilities of an API Gateway
API gateways can be used for both monolithic and microservices-based apps. API gateways perform several functions, including:
- Authenticating the requesters making API calls (AuthN)
- Verifying that the requester is authorized to make the request (AuthZ)
- Routing requests to appropriate backends
- Applying rate limits to prevent overloading of your systems
- Applying rate limits to mitigate DDoS attacks
- Offloading SSL/TLS traffic to improve performance
- Handling errors and exceptions
API Gateway vs. API Management
“API gateway” and “API management” are sometimes used interchangeably, but are in fact not synonymous. An API gateway is the data plane that sits between the client and API endpoint. It is an individual proxy server responsible for routing, policies, and security. API management refers to the control plane that manages APIs in production. It defines policies, pushes configurations, generates reports and alerts, and has visibility over all API gateways.
Ideally, the API management platform is infrastructure-agnostic, giving you freedom to deploy API gateways across various environments (for example, on premises, cloud, and edge) in the way that best suits your use cases.
API Gateway for Microservices
In microservices architectures, a single API can have hundreds of endpoints, and a single application can consist of multiple microservices that each connect via APIs. With each microservice exposing countless API endpoints, the potential attack surface is far greater than with monolithic apps.
Adopting an API gateway for microservices can mitigate risks by streamlining access and communication between the client and API. But the API gateway still encapsulates APIs, which are characteristically open. While APIs expose the data required for connectivity, they might also expose sensitive data.
The Open Web Application Security Project (OWASP) highlights the most prevalent vulnerabilities in their OWASP API Security Top 10 project:
API1. Broken Object Level Authorization
API2. Broken User Authentication
API3. Excessive Data Exposure
API4. Lack of Resources & Rate Limiting
API5. Broken Function Level Authorization
API6. Mass Assignment
API7. Security Misconfiguration
API8. Injection
API9. Improper Assets Management
API10. Insufficient Logging & Monitoring
To protect APIs from these prevalent new attacks, securing an API gateway becomes critical. Learn more about the importance of securing your API gateway in Secure Your API Gateway with NGINX App Protect WAF on our blog.
API governance refers to applying rules and guardrails across your APIs and API gateway. Implementing a flexible API governance model helps balance global policies like logging, error response codes, and TLS configuration.
For any organization implementing an API-first strategy, particularly large organizations with thousands of APIs, ensuring consistency through API governance combats potential API sprawl. While API governance was once seen as something that could slow down development, it is now necessary when APIs are being managed at scale.
API Gateway vs. Gateway API
While their names are similar, an API gateway is not the same as the Kubernetes Gateway API. An open source project under active development by the Kubernetes community, the Gateway API is an evolution of the current Kubernetes Ingress API.
Watch this quick video where NGINX’s Jenn Gile explains the difference between an API gateway and the Kubernetes Gateway API.
How Can NGINX Help?
NGINX is not only the fastest web server around, it can also be deployed as a cloud‑native, easy-to-use API gateway. Configuring NGINX as an API gateway enables you to protect APIs with rate‑limiting policies, enforce specific request methods, and provide fine‑grained access control.
NGINX as an API gateway is also a high-performance and CI/CD-friendly solution with advanced security. To learn more, read our blog series Deploying NGINX as an API Gateway.
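The capabilities listed under Basic Capabilities of an API Gateway and the rate-limiting, method-enforcement and access-control points above, shown in one NGINX open source configuration. This is an added example, not configuration from the blog series or from NGINX itself; api.example.com, the backend addresses, the auth service at 10.0.0.5 and the certificate paths are placeholders.

```nginx
# Added example (not from the page): NGINX open source as the API gateway for
# api.example.com. Addresses, ports, paths and certificate files are placeholders.
# Per-client rate limit, 10 requests/second keyed on client IP (rate limiting).
limit_req_zone $binary_remote_addr zone=api_clients:10m rate=10r/s;
# Backend microservices the gateway routes to (routing).
upstream warehouse_service { server 10.0.0.11:8080; server 10.0.0.12:8080; }
upstream inventory_service { server 10.0.0.21:8080; }

server {
    listen 443 ssl;
    server_name api.example.com;
    # TLS terminates at the gateway; backends are reached in plaintext (SSL/TLS offload).
    ssl_certificate     /etc/nginx/certs/api.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/api.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    default_type application/json;

    # Every API call is first validated by a subrequest to an auth service (AuthN);
    # a 401 or 403 from that service rejects the call before it is routed.
    auth_request /_validate;
    location = /_validate {
        internal;
        auth_request off;
        proxy_pass http://10.0.0.5:9000/validate;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Route by URI prefix and allow only the methods each API serves;
    # limit_except/deny answers 403 for anything else (AuthZ on method).
    location /api/warehouse/ {
        limit_req zone=api_clients burst=20 nodelay;
        limit_except GET POST { deny all; }
        proxy_pass http://warehouse_service;
    }
    location /api/inventory/ {
        limit_req zone=api_clients burst=20 nodelay;
        limit_except GET { deny all; }
        proxy_pass http://inventory_service;
    }

    # Unpublished paths and gateway-generated errors answer with JSON (error handling).
    location / { return 404; }
    error_page 401 = @err_401;  error_page 403 = @err_403;
    error_page 404 = @err_404;  error_page 429 = @err_429;
    location @err_401 { return 401 '{"status":401,"message":"Unauthorized"}'; }
    location @err_403 { return 403 '{"status":403,"message":"Forbidden"}'; }
    location @err_404 { return 404 '{"status":404,"message":"Resource not found"}'; }
    location @err_429 { return 429 '{"status":429,"message":"Rate limit exceeded"}'; }
}
```

Validate with `nginx -t` before reloading; a client exceeding the burst receives the JSON 429 body rather than NGINX's default HTML error page.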