Does an API Gateway really make sense in 2021?

Vignesh Thirunavukkarasu
3 min read · Oct 28, 2021


Hmmm… an interesting thought that I had for quite some time. After dwelling in the software architect role for some time, I have finally realized the full use case for API gateways.

As a novice developer, I designed app modules that ran independently on OpenShift without an API gateway. However, after getting involved in some mission-critical applications for the organization, I realized their full potential.

Here are some of the use cases that don't surface very often; some are quite astonishing.

All the use cases below make sense in enterprise organizations.

Let me first set the context. In most large-scale enterprises, the network is segregated into primarily two zones: GRN (Green Zone Network) and DMZ (Demilitarized Zone), both of which use private (RFC 1918) IP address space only.

GRN is where most of the normal applications are hosted. These servers have no internet access at all, neither outbound nor inbound (a common practice to limit intrusion and data exfiltration); in simple terms, they are protected by the inner firewall.

DMZ-hosted machines can have internet access, both inbound and outbound. They sit behind the external (or frontline) firewall, between the internet and the inner firewall.

A typical DMZ/GRN setup for enterprises, including the API gateways in the DMZ

If an application in the GRN needs to communicate with the internet in either direction, it talks to the DMZ (with the relevant addresses whitelisted on the inner firewall). This is where API gateways come into play. Enterprises host a single API gateway cluster (for example, IBM DataPower), spanning 3–4 data centers with 20–30 or more nodes, always running in active-active mode.

Security Concerns: API gateways can enforce TPS (transactions per second) limits, per-IP limits and similar quotas, which is critical for enterprises: without them, the backends are exposed to denial-of-service floods. (One caveat: gateway rate limiting protects the application tier from request floods; a volumetric DDoS still has to be absorbed upstream, at the network edge or by a scrubbing provider.) They also provide an additional authentication layer, mTLS (two-way SSL), which is the frontline authentication that must succeed before a connection is allowed beyond the API gateway. Strictly speaking, rate limiting and client-certificate verification can be built into nginx, Apache httpd or Spring Boot as well, but then every application team has to configure and operate them correctly on its own; the gateway enforces them once, at the edge, for everything behind it.
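As an added example (not code from the original post, and not how IBM DataPower or any other product implements it), the following Go program shows the per-client limit a gateway enforces at the edge: a token bucket keyed on each caller's TCP peer address, answering 429 once the budget is spent. The rate and burst values, the handler names and the port are assumptions for illustration. Note the choice of key: a gateway that is the first hop from the internet must not key on X-Forwarded-For, which the client controls.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// bucket is one client's token-bucket state.
type bucket struct {
	tokens float64
	last   time.Time
}

// RateLimiter allows `rate` requests per second per client with a burst of
// `burst`; `now` is injectable so the behaviour can be tested deterministically.
type RateLimiter struct {
	mu      sync.Mutex
	rate    float64
	burst   float64
	buckets map[string]*bucket
	now     func() time.Time
}

func NewRateLimiter(rate, burst float64) *RateLimiter {
	return &RateLimiter{rate: rate, burst: burst, buckets: map[string]*bucket{}, now: time.Now}
}

// Allow reports whether the client identified by key may make one more request.
func (r *RateLimiter) Allow(key string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	now := r.now()
	b, ok := r.buckets[key]
	if !ok {
		b = &bucket{tokens: r.burst, last: now}
		r.buckets[key] = b
	}
	// Refill at `rate` tokens per second since the last visit, capped at the burst.
	b.tokens += now.Sub(b.last).Seconds() * r.rate
	if b.tokens > r.burst {
		b.tokens = r.burst
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// clientKey identifies the caller by the TCP peer address. A gateway that is the
// first hop from the internet must not key on X-Forwarded-For: that header is
// client-supplied, so an attacker could rotate it to get a fresh bucket each time.
func clientKey(req *http.Request) string {
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return req.RemoteAddr
	}
	return host
}

// Limit wraps a backend handler and answers 429 once the caller is over budget.
func (r *RateLimiter) Limit(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if !r.Allow(clientKey(req)) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, req)
	})
}

func main() {
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("ok\n"))
	})
	// Assumed policy: 10 requests per second per source IP, burst of 20.
	http.ListenAndServe(":8080", NewRateLimiter(10, 20).Limit(backend))
}
```

In a real deployment the per-client state would live in a shared store so that every node of an active-active cluster sees the same budget, and the limit would be layered (per IP, per API key, per route) rather than a single bucket.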

Versioning: Another interesting feature is API versioning, which rarely gets done efficiently when left to individual services, but once incorporated it is an immense tool for controlling the end-user experience, for example serving a different API version depending on the OS version he or she is running.

Single Point of Entry: This concept can be extended to expose separate APIs for mobile and browser clients, if needed. Since the authentication module can be offloaded onto the API gateway, the core services become more lightweight and can focus purely on the business logic. It also means a security change is made in a single place, avoiding the overhead of modifying every backend service. The catch is that the backends must then accept traffic only from the gateway (via firewall rules, network policy, or mTLS between gateway and service); otherwise anything that reaches a backend directly bypasses the authentication entirely.
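The versioning and single-point-of-entry ideas above, as an added Go example that is not code from the original post: the gateway verifies a bearer token once, strips any identity header the client tried to supply, injects the verified subject for the backend, and routes by the version segment of the path (an unversioned path goes to the latest version, an explicit but unknown version is refused rather than guessed). The token format (`subject:expiry.hmac`), the `X-Authenticated-Subject` header name, the secret and the backend handlers are all assumptions for illustration; a real gateway would validate JWTs or opaque tokens issued by the enterprise IdP.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Identity header the gateway sets for backends; clients must never control it.
const identityHeader = "X-Authenticated-Subject"

// Gateway is the single point of entry: it verifies the token once and routes to a
// versioned backend, which only ever sees an already-verified subject.
type Gateway struct {
	secret   []byte
	backends map[string]http.Handler // keyed by version segment: "v1", "v2", ...
	latest   string                  // version served for unversioned paths
	now      func() time.Time        // injectable clock for deterministic tests
}

func NewGateway(secret []byte, latest string, backends map[string]http.Handler) *Gateway {
	return &Gateway{secret: secret, backends: backends, latest: latest, now: time.Now}
}

func (g *Gateway) sign(payload string) string {
	mac := hmac.New(sha256.New, g.secret)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// IssueToken mints "subject:expiryUnix.signature" (a format made up for this example).
func (g *Gateway) IssueToken(subject string, ttl time.Duration) string {
	payload := subject + ":" + strconv.FormatInt(g.now().Add(ttl).Unix(), 10)
	return payload + "." + g.sign(payload)
}

// VerifyToken returns the subject when the MAC matches (constant-time) and the token is unexpired.
func (g *Gateway) VerifyToken(token string) (string, bool) {
	payload, sig, found := strings.Cut(token, ".")
	if !found || !hmac.Equal([]byte(sig), []byte(g.sign(payload))) {
		return "", false
	}
	subject, expStr, _ := strings.Cut(payload, ":")
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil || g.now().Unix() >= exp {
		return "", false
	}
	return subject, true
}

// route picks the backend from the first path segment: "/v1/orders" -> v1, an explicit
// but unknown version ("/v9/...") -> nil (404), anything else -> the latest version.
func (g *Gateway) route(path string) (string, http.Handler) {
	seg := strings.SplitN(strings.TrimPrefix(path, "/"), "/", 2)[0]
	if h, ok := g.backends[seg]; ok {
		return seg, h
	}
	if strings.HasPrefix(seg, "v") {
		if _, err := strconv.Atoi(seg[1:]); err == nil {
			return seg, nil
		}
	}
	return g.latest, g.backends[g.latest]
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	// Drop any client-supplied identity header first: forwarding it would let a caller
	// impersonate any user to the backend.
	req.Header.Del(identityHeader)
	subject, ok := "", false
	if auth := req.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		subject, ok = g.VerifyToken(strings.TrimPrefix(auth, "Bearer "))
	}
	if !ok {
		w.Header().Set("WWW-Authenticate", "Bearer")
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	ver, backend := g.route(req.URL.Path)
	if backend == nil {
		http.Error(w, "unknown API version", http.StatusNotFound)
		return
	}
	req.Header.Set(identityHeader, subject)
	w.Header().Set("X-API-Version", ver)
	backend.ServeHTTP(w, req)
}

func main() {
	hello := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello " + r.Header.Get(identityHeader) + "\n"))
	})
	gw := NewGateway([]byte("replace-me"), "v2", map[string]http.Handler{"v1": hello, "v2": hello})
	http.ListenAndServe(":8080", gw)
}
```

The header stripping is the part that matters for the "offload authentication" argument: the backends trust `X-Authenticated-Subject` precisely because only the gateway can set it, which is also why they must be reachable only through the gateway.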

Load Balancing: The most common use case is resiliency for applications: add more load-balancer pools behind the gateway, map the gateway's public name to a global DNS load balancer (F5 3-DNS/GTM or Route 53 routing policies), and use intelligent tiered routing across the internal load-balancer pools in the different data centers.
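An added example of the tiered routing mentioned above, written for this page rather than taken from the original post or from any F5 or AWS product: the balancer serves from the local data center's pool while it has any healthy member, round-robins within that pool, and fails over to the next tier only when every lower tier is down. The pool names, addresses and health states are a constructed topology; health would normally be driven by an active health checker.

```go
package main

import (
	"fmt"
	"sync"
)

// Backend is one pool member; Healthy is maintained by an (assumed) health checker.
type Backend struct {
	Addr    string
	Healthy bool
}

// Pool is one internal load-balancer pool, typically one per data center.
type Pool struct {
	Name     string
	Backends []*Backend
	next     int // round-robin cursor within the pool
}

// TieredBalancer tries pools strictly in priority order: tier 0 (the local data
// center) is used while it has any healthy member; remote tiers are used only
// when every lower tier is fully down.
type TieredBalancer struct {
	mu    sync.Mutex
	tiers []*Pool
}

func NewTieredBalancer(tiers ...*Pool) *TieredBalancer {
	return &TieredBalancer{tiers: tiers}
}

// Pick returns the pool name and address of the next healthy backend, or empty
// strings when no tier has a healthy member (the caller should answer 503).
func (b *TieredBalancer) Pick() (pool, addr string) {
	b.mu.Lock()
	defer b.mu.Unlock()
	for _, p := range b.tiers {
		n := len(p.Backends)
		for i := 0; i < n; i++ {
			idx := (p.next + i) % n
			if c := p.Backends[idx]; c.Healthy {
				p.next = (idx + 1) % n
				return p.Name, c.Addr
			}
		}
	}
	return "", ""
}

// SetHealth records a health-check result for addr in whichever tier holds it.
func (b *TieredBalancer) SetHealth(addr string, healthy bool) {
	b.mu.Lock()
	defer b.mu.Unlock()
	for _, p := range b.tiers {
		for _, c := range p.Backends {
			if c.Addr == addr {
				c.Healthy = healthy
			}
		}
	}
}

func main() {
	// Constructed topology: two members in the local DC, one in a remote DC.
	lb := NewTieredBalancer(
		&Pool{Name: "dc1-local", Backends: []*Backend{{Addr: "10.1.0.11:8443", Healthy: true}, {Addr: "10.1.0.12:8443", Healthy: true}}},
		&Pool{Name: "dc2-remote", Backends: []*Backend{{Addr: "10.2.0.11:8443", Healthy: true}}},
	)
	for i := 0; i < 3; i++ {
		fmt.Println(lb.Pick()) // alternates between the two local members
	}
	lb.SetHealth("10.1.0.11:8443", false)
	lb.SetHealth("10.1.0.12:8443", false)
	fmt.Println(lb.Pick()) // both local members down: fails over to dc2-remote
}
```

Strict tiering like this keeps cross-DC traffic at zero during normal operation; a weighted variant that always sends a small share to the remote tier is the usual way to make sure the failover path is actually exercised before it is needed.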

One very weird and interesting feature that I have seen implemented is that the same set of IPs was registered with two different internet-facing DNS names, each with a different set of certificates, one with 1024-bit keys and the other with 4096-bit keys. I have zero clue how the certs part is possible. Mapping the DNS names to IPs is fine, since they just eventually resolve to the IPs.

However, there is also a catch: the gateway becomes a single point of failure, so it needs to be even more resilient than the internal applications themselves. Nevertheless, if I got a chance to talk to my younger self, I would prefer not to tell him about the API gateway, but rather let him realize it on his own.

-cheers
