The demand for microservices is multiplying with each day passing. When you decide to develop an application as a set of microservices, you must ensure how the client will interact with your microservices.
But the question is, why use a microservice architecture pattern over a monolithic application?
Microservices architecture patterns have their importance for enabling agile development and developing complex applications. Unlike monolithic applications, which have only one set of endpoints, microservices architecture consists of multiple sets of fine-grained endpoints.
Microservices also enable you to interact with a comparatively small and flexible code base, and hence you can decide which bit of code you want to interact with and where it came from.
Working with microservice architecture is essential to increase your application efficiency. Working with the API gateway in microservice architecture makes your application more efficient and reduces your coding efforts. Also, at the same time, it reduces the applications’ errors, making them more effective and essential to use.
Considering the importance of API gateway in Microservice architecture pattern, we have presented a short guide explaining what API gateway is, the need for API gateway, its working and functionality, and much more details. Let’s get started to learn them.
What is an API Gateway?
An API stands for Application Program Interface, containing the set of tools to build applications. API Gateway is a reverse proxy that accepts all API calls, applies various services to fulfill the calls, and returns the appropriate output. In simple words, an API gateway is a server that summarizes the internal system architecture of the application.
The API gateway has responsibilities to provide the application client with API, perform request routing, provide authentication, load balancing, monitoring, composition, and protocol translation. When a client makes a request, the request transmits to the API gateway, and further, it routes to appropriate microservices.
There is a total of two different methods by which the API gateway handles the request made by the client:
- It routes the request of the client to a suitable service.
- It spreads out the request of clients to multiple services.
The best example of an API gateway is the Netflix API gateway. As you know, you can use the Netflix services on different devices such as laptops, Tablets, Smartphones, Televisions, etc. Here, the API gateway helps to provide the size that fits all API for its services.
Need for API Gateway in Microservices Architecture
As understood before, microservice architecture may have 10 to 100 or even more services altogether. API Gateway helps us merge the entry point for clients, independent of the number of internal microservices. There are many reasons why we need an API gateway in the microservices architecture pattern, which are as given below:
- API gateway helps to stop exposing internal concerns to external clients
- API gateway helps to provide additional security to your microservices
- API gateway helps to merge the communication protocols
- As you have studied, API gateway helps to decrease the complexity of microservices, eventually improving the efficiency of the application.
- API gateway helps separate the microservice API and other external APIs to virtualize the design requirements and testing.
Microservices API Gateway vs. Traditional API Gateway
The main aim of the microservices API gateway is to speed up the development of services independently. It provides the functionality for the team to publish, update and monitor the microservices independently and effectively. This functionality is not found in the traditional API gateway because it focuses on managing the APIs internally.
The industries and firms have worked on understanding this internal system thoroughly by defining the APIs. Therefore the challenge of revealing the thousands of APIs to the clients led to the exposure of API gateways. With passing time, the API gateway becomes the center of infrastructure to access these APIs.
The below table shows a better representation of the difference between Microservices API Gateway vs. Traditional API Gateways.
|Traditional API Gateway
||Microservices API Gateway
|Traditional API gateway come up with a simple mechanism to create new services
||Microservices API gateway makes use of tools quickly that allows service teams to easily and safely create new services
|Traditional API gateway enables functionality for monitoring usage of API per client
||Microservice API gateway monitors the user-visible metrics like availability to clients
|In a traditional API gateway, routing manages to change API versions
||Microservices API gateway integrates routing to roll out the new versions of services quickly
Therefore, traditional API gateways solve the challenges that API management faces, but it fails to solve the difficulties adopted by microservices. Hence, the microservice API gateway integrated into your application allows service teams to monitor, update and publish the services safely and fast, enabling your organization to develop more software efficiently and effectively than ever before.
Working of an API Gateway in Microservices Architecture
Consider that you are building an eCommerce mobile application for clients where the application displays the product details. When making this application with a monolithic architecture, the client retrieves the data using a single REST call to the application. When we develop the same application with microservices architecture, each microservice reveals instructions for fine-grained endpoints.
Let’s make use of microservices architecture. The product details page displays the data by multiple microservices, for example, order services, shopping cart services, review services, shipping services, and much more. Here, the client directly calls each microservices and distributes requests across the available instances. But when clients directly call the microservices, there are many issues faced, such as mismatch between the client call and APIs or use of protocols that are not web-friendly. API Gateway can solve this issue effectively. API gateway merges the internal system of the application and allows an API that each client adapts.
The below image explains how the API gateway manages the API calls and Interacts with other architecture components.
While implementing the API gateway in microservices architecture, scalability and performance of API Gateway are usually essential. There are various technologies used to implement the scalability and performance of API gateway. The API Gateway is responsible for the functionalities including routing, billing, monitoring, rate limiting, authentication, adequate security, alerts, and policies, etc. It helps to intercept incoming requests from clients and passes them to the API management system to apply necessary functions and get output.
The API Gateway handles the request by routing them to the backend service. For example, the API gateway first retrieves the client’s profile containing the personal information before fetching the knowledge of the profile. It is best to write the API Gateway code rather than writing the API code using a traditional approach that is difficult to understand.
API gateway uses the system’s benefits, unlike any other service client, whether server-side discovery or client-side discovery. API Gateway always needs to know the IP address of each microservice to communicate. But deciding the application locations is not easy as application services have multiple locations assigned altogether.
The most important thing to consider while using API gateway is the problem of partial failure of the system when one service calls another service that is responding slowly or is absent. However, there are solutions to this problem using API Gateway depending on the scenario and service failure.
Backend for Frontend (BFF) Pattern
In the backend for the frontend pattern, the backend service from the microservices architecture pattern serves as the endpoint for requesting the frontend.
We know that APIs are part of the applications functioning with one another with a single purpose. But over time of usage, there are chances of cracks or faults in the small piece of code which helps everything stay aligned with one another. Therefore, the Backend for Frontend Pattern helps develop the backend niche for better user experiences individually. You can say that it is the layer between the frontend and the request backend calls.
Also, sometimes the output of data returned by the microservices to the front end is not in the exact format or the filter needed by the front end. To solve this issue, the frontend should have some logic to reformat the data, and therefore, we can use BFF to shift some of this logic to the intermediate layer. The primary function of the backend for frontend pattern is
- Get the required data by calling the appropriate microservice APIs
- Format the frontend data representation
- Send the formatted output to the frontend
Hence, BFF helps to reduce the logic handling responsibility of the frontend and enables a well-formatted interface to the frontend of the application.
Implementation of API Gateway – Issues and Solutions
After a brief understanding of the working of API gateway, now it’s time to learn the implementation of API gateway in microservices. Below we have discussed some design issues and solutions that you have to consider while implementing API gateway:
Scalability and Performance
Reactive Programming Model
The API gateway handles the requests by routing them to appropriate backend services. On the other hand, it also addresses some requests by invoking multiple backend services and combining the overall results. For instance, considering an eCommerce platform, the requests to backend services are independent of each other for a product details request.
The API gateway should be able to handle multiple requests simultaneously, to minimize the response time. But sometimes, there are dependencies between requests. Therefore, the API gateway validates the requests by calling the authentication service and then routes them to the backend services. Similarly, suppose you wish to fetch the details of products from the customer’s wishlist in an application. In that case, the API gateway has to retrieve the customer’s profile data to retrieve the product information.
A microservice-based application is a distributed system and should be using an inter-process communication approach – which has two techniques. The first is by using an asynchronous messaging-based mechanism. Some implement this by using message brokers such as JMS and AMQP, whereas others utilize brokerless and service communication directly, just like Zeromq. The other technique is a synchronous mechanism like HTTP or Thrift.
The API Gateway will support various communication mechanisms for microservices-based architecture. A system can use both asynchronous and synchronous techniques or multiple implementations of each method simultaneously.
The API Gateway has to know the IP address and Port (location) of each microservice with which it communicates. In traditional architecture, you probably hardwire the location, but in the latest cloud-based microservice application, this is a non-trivial problem.
Infrastructure services like message brokers will contain a static location that can be specified via OS environment variables. However, it is not easy to identify the location of application services because it assigns the location dynamically. Also, due to auto-scaling and upgrades, the instances of the services change dynamically.
Therefore, API Gateway needs to use the system’s service discovery mechanism, i.e., Service-Side Discovery or Client-Side Discovery, just like any other service client system. If the system chooses client-side discovery services, then the API gateway should query the service registry, which contains the database of all microservice instances and their respective locations.
Another challenge you might face while implementing API Gateway is the partial failure of the system. This problem arises in all distributed systems when one service calls another, which is unavailable or responding slowly. The API gateway never blocks the indefinite waiting for the downstream service.
Handling this failure eventually depends on which service is failed and the given scenario. For instance, when considering a shopping application, if the recommendation service fails to respond during the product details scenario, the API Gateway will return the rest of the product detail to the user since they are still helpful, and the recommendation can be empty or be replaced. On the other hand, if the product detail service fails to respond, the API Gateway has to return an error to the user.
Also, note that the API Gateway can return the cache data if available. For example, the product prices for a shopping application change infrequently, and therefore the API Gateway can return the cached prices if the pricing service is unavailable. The API Gateway can cache the data by itself or stored it in an external cache such as Memcached. The API Gateway ensures that the system failure does not impact the user experience by returning either default data or cached data.
Similarly, Netflix Hystrix is one of the most valuable libraries for writing code that helps to invoke remote services. Hystrix implements a circuit breaker pattern to stop the client from waiting for the failed services to respond. It trips the circuit breaker, which eventually fails all the requests immediately if the error rate for the service exceeds the specified threshold. It helps to time out the calls that exceed the threshold. If you are working with JVM, it is recommended to use Hystrix, and if you are working with a non-JVM environment, you should use an equivalent library.
API gateway generally does more than just reverse proxying, like performing API operations with the help of API composition. API gateway provides clients to retrieve the data using a single API request in an application using API Composition.
The below figure illustrates the working of API composition in detail. Suppose you create an eCommerce application and the client with various services like order services, shopping cart services, review services, shipping services, and much more. Here, the client makes a request call to fetch the order details like order bill, order delivery, ordered product information. The traditional API request call will create many API calls for calling each service from the backend.
But at the same time, using API gateway, the client will make one API call, and parallelly the API gateway will call the services using a combination of multiple calls for higher performance in the output. Therefore, the API gateway enables the mobile client to retrieve the data using a single request only.
Service Mesh and API Gateway
The most frequently asked question while dealing with microservices is the difference between service mesh and API gateway as there is an overlap between API gateway and service mesh patterns.
API gateway is a central component of the architecture, while service mesh divides the application’s functionality into microservices further handled by the infrastructure layer. The API gateway and service mesh functionality include handling request routing, rate limiting, monitoring, authentication, etc. The difference between both is that the API gateway manages the traffic from the client to services. In contrast, the service mesh contains the traffic for service to service communication.
API gateway generally focuses on the external organizing resources to manage and control the services inside the network. Therefore, it is located between the network and application to manage the traffic from edge-level client to service communication. You can say that the primary function of API gateway is to route external and internal API calls.
At the same time, service mesh focuses on internal organizing resources that expose the services to the web. Therefore, service mesh reveals the services or API calls that enable the specific business function to manage the internal traffic service to service communication. So, you can use the service mesh to upgrade the portability with the internal architecture systems or microservices.
API gateway ensures the security requirements thoroughly, mainly when used within a service mesh. Still, there are some security compromises regarding service mesh as it focuses more on speeding the delivery of microservices.
Hence, we can say that API gateway is a mature technology to work with while building a microservice pattern in an application. In contrast, the service mesh is an emerging technology that risks working within current scenarios.
Policy Configuration in API Gateway
There are possibilities that the messages contain malicious data, including the characters, text patterns, or even SQL injections. Therefore, we implement the security process to make the network secure and safe for transaction and transmission.
Here, you can apply the CAP policies for securing the inbound and outbound traffic to protect the data against malicious attacks and SQL injections by limiting the HTTP versions and URL path. You can define a domain name or create a whitelist and blacklist the client’s IP address. Another option is to limit the query parameters and HTTP headers or generate a list of forbidden words or regular expressions that seem unknown and threaten the data.
The best practice is to apply this security policy to the message before routing it to any microservice for API calls. And also, the same security policy is applied before sending the output message to the client from the microservices.
API Gateway’s Role in Security: Identity and Access
For an API Gateway technology, access control is one of the best security drivers that serve all sorts of organizations to manage the APIs and set rules on how to handle the data requests by the clients.
The beginning of the access control for API gateway generally starts from the authentication mechanism to identify the source of the API request call. In the current situation, you can use OAuth, a popular gateway to act as an intermediate for web resources without revealing the password to the services. Whereas working with the key-based authentication gateway, there are chances that the company may lose the data as it is challenging to maintain the authentication of the keys.
Using Gateway, you can route all API transactions with a single channel for evaluating and securing messages all over the organization. Message security is introduced between the API gateway’s internal services, making them more secure and enabling the message to pass between the encrypted services.
If you ignore the proper authentication, severe security problems will be caused in an organization. For example, if an API request is a mobile number, you can get personal details like email addresses and device identification data. Therefore, robust authentication mechanisms like OAuth are essential to protect the industry standards of organizations.
The APIs in the API gateway and local services of the server are fundamentally insecure without threat protection. As you know, APIs are the primary source of digital connection with the world, but if there is any malicious user who attacks the backend system, the system is vulnerable.
The attacker can inject the SQL commands like drop, delete or even create random data available to APIs. The SQL injection enables the attackers to access the system database, codes, and system directories. There are chances that the attackers copy all the clients’ data from the database and use it for their interest. Apart from this SQL injection, there are many other forms of injection threats like RegExInjection or XML Injection.
There is a specific HTTP status code used for the different situations of the request call. For example, most of the developers use 200 for the success of the request call and 404 for the failure of the request call. The stack trace can threaten malicious users to identify the package name, class name, versions, server names, or SQL queries.
We can return the balanced error object with the HTTP status code and error message to reduce this challenge. Retuning the balance error code will help to enhance the error handling issues and secure the API from the attacker.
Whitelists and Whitelist-Allowable Methods
There should be a familiar list of devices, network, and client IP addresses at the IP address level of API traffic. This list varies depending on the size of the network. As you know, multiple methods allow access to a given URL to perform various operations on the given entity. For instance, the POST method would create a new entity, and the DELETE method would delete the entity. In contrast, the GET request will read the entity while the PUT method would update the given entity.
Therefore, the service needs to limit the number of verbs to work, and all others will return a response code.
Hackers find the gaps in the system and take advantage of such loose input validations to break the system. The attacker will use the existing inputs to determine what is accepted and push the request accordingly until the system integrity breaks down.
Some common input validations are
It is good practice to have message size limitations when you are sure that you will not receive any message larger than a specific size. It will help you to filter out the messages and make the system effective and more secure.
SQL injection protection enables you to protect the system by blocking the request, which can cause the SQL injection or any similar threat.
Malicious attacks on XML applications include SQL injections, XSLT, or recursive payloads to crash the system services.
The authentications for all API users and logging of all API calls enable the API suppliers to limit consumption for all clients. API gateway caps allow you to detect the number of API calls made by a single API resource and other constraints like consumption by seconds, minutes, or day.
Benefits of API Gateway for Microservices
API Gateway helps the microservices to communicate among themselves internally by providing flexibility and completely independent protocols. It allows the developers to create the architecture subset in various forms without publicly exposing the endpoints. The API gateway offers the below benefits.
API gateway acts as a security layer between the front end and the backend microservices to ensure that the sensitive API endpoints are not exposed publicly. It helps protect the API from malicious attacks by hackers such as SQL injections and other threats that may benefit API’s vulnerability.
The API client can integrate the data information with the session information like Redis, specially created for the trusted clients. Therefore, without the API gateway, Redis would directly expose the client and increase the security issues.
Some API gateway helps the developers debug and create the infrastructure that can gracefully scale. The best example is Dashbird.io which connects the AWS API gateway and gathers information like execution time, errors, and much more. Not all API gateway provides this service, so some third-party monitoring solutions figure out the scenario behind the scenes.
Decreases Microservices Complexity
API gateway helps to reduce the complexity of the microservices by managing the user access control, authentication issues, rate limiting and allows your API to focus on the primary goal.
This creates an effective advantage as your API doesn’t have to respond in any possible way. API gateway handles your routing, formats of the responses, and even the cache of the system.
Support for Mixing Communication Protocols
Internal microservices benefit from using different communication protocols by using API gateway. An API gateway can provide a unified REST-based API for various protocols to choose the best internal architecture for the applications.
Avoids Exposing Internal Concerns to External Clients
An API gateway helps to separate the external APIs from the internal microservices patterns. It hides the service history and versioning details from the clients for all your microservices. As output, you get the efficiency to refactor the microservice with time, removing all negative impacts of externally bound clients.
Apart from all these benefits, the microservices API gateway allows clients to create a single call request data. It helps clients to get several microservices and get enough information on just one screen. Each of these request calls makes use of network bandwidth and client code. This single call gets the result far more efficient in comparison to several calls at the same time. Microservices API gateway enables the protocol translations automatically so that everyone can speak in the same language, and as a result, it allows faster data flow between endpoints.
Summarizing the benefits of API gateway:
- It enables the clients to partition the applications into microservices.
- It enables the clients to determine the location of service problems.
- It creates the optimal API for a particular client individually.
- API gateway reduces the number of request/response calls. It takes a single request call from the client to fetch multiple services at the same time with a single round trip.
- It converts the standard public web-friendly protocol into the internal protocol.
Drawbacks of API Gateway for Microservices
There are many reasons to use the API gateway, but you should also consider some drawbacks of using the API gateway for microservices.
The first challenge you face while working with API gateway is to integrate it into the software server. Even when the installation and configuration time is less, it is essential to work precisely on this matter. Also, the API gateways often generate a failure at the application’s endpoint, which is very difficult to find. This failure can also cause the application to crash or find it challenging to communicate with the server.
While configuring the API gateway microservices, it is essential to manage the routing logic during the deployment. Managing routing logic ensures the proper routing from external API to the desired microservice. Also, after the API gateway configuration, interacting the API with the application through the API gateway will require another difficulty for the developers.
When it comes to building applications of high scalability, API gateway acts as the single point of failure, as API gateway will be the single point between the frontend and the application APIs. Also, performance and efficiency reduction is the primary concern as there are various scenarios where the API gateway can directly impact the speed of your applications.
In conclusion, you can say that the API gateway is the essential component to work with when it comes to microservices application patterns. API gateway represents a single entry point into the system, providing the request routing, security, protocol translation, and composition of microservices in an application. API gateway also enables to mark the failure in the backend services of the application by returning the default data.
Microservices are an architectural approach that enables the creation of cloud applications. This application is developed by a set of small separate services to operate and communicate on its own over APIs.
Making use of microservices API gateway enables efficiency and speed of the data transfer. Using the declarative style to write the application makes it possible for the API gateway to fulfill the clients’ requests and share the desired responses.
Our engineering experts at Maruti Techlabs have migrated complex and fully functional applications from monolithic to microservices architecture among various industry verticals.
To level up with applications that provide scalability and customization in a secure, low-cost, customer-friendly package of cloud application development services, get in touch with us here.