Why do you need an API Gateway
The microservice architecture has encouraged splitting large-scale applications into smaller services that are each good at performing a single task, in order to take advantage of the following benefits:
- Independent service deployments
- Faster release cycles
- Easier maintenance
- Granular scalability
However, microservices don't come without their own set of problems. Splitting services meant that APIs needed to be grouped into smaller sets (bounded contexts), and this offloaded problems to client-side and API applications.
Leaking domain knowledge
Since client-side applications now have to deal with multiple APIs, domain knowledge is scattered across consumers, making them harder to maintain.
Multiple attack points
The number of potential attack points of an application grows with the number of APIs it exposes publicly.
Requires purchasing multiple domain names and SSL certificates
In order to expose multiple groups of APIs publicly, owners would have to buy multiple domain names and SSL certificates.
Cross Origin Resource Sharing (CORS) issues
Client-side applications, especially browsers, enforce security measures that prevent unauthorized websites from accessing resources hosted on other domains. This makes it difficult to consume APIs hosted on multiple domains.
Since each API group might be managed by multiple teams, each team might end up favoring a specific authentication mechanism. As a result, client-side applications have to authenticate against each API set using a different mechanism (cookies, HTTP headers, OAuth).
Backend / API-related issues
Duplication and inconsistencies between cross-cutting concerns
Grouping APIs into smaller sets introduces a potential mismatch in how cross-cutting concerns are implemented (authentication, authorization, logging, rate limiting, monitoring, security policies, circuit breaking, retries).
API Gateway to the rescue
An API gateway is a piece of software that sits in front of your microservice ecosystem. It acts as the entry point for HTTP traffic into your microservice-based applications. It does its job by holding the knowledge of how to route HTTP traffic to the appropriate upstream services (much like a reverse proxy).
The API gateway helps make your microservice ecosystem look like a single application from a consumer's point of view. This alone solves the problems faced by client-side applications, in a way comparable to hitting several targets with one stone.
It's also a perfect place to offload all the cross-cutting concerns that need to be implemented in a uniform fashion across a microservice ecosystem.
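The routing and uniform cross-cutting checks described above, as an added example that is not from the original article or from any of the gateway products it lists. The route table, upstream host names, token map, `x-user-id` header and rate limits are all constructed for illustration, and the function only decides what a gateway would do without performing any network I/O.

```javascript
// Gateway decision logic only: routing, rate limiting and authentication in one place.
// Header names are lowercase, as Node's http module delivers them.
const ROUTES = [ // constructed route table: public path prefix -> internal upstream
  { prefix: '/orders',  upstream: 'http://orders.internal:8080',  auth: true  },
  { prefix: '/catalog', upstream: 'http://catalog.internal:8080', auth: false },
];
const TOKENS = new Map([['constructed-token-1', 'alice']]); // stand-in for a real token validator
const LIMIT = 3, WINDOW_MS = 1000;                          // constructed limit: 3 requests per second
const hits = new Map();                                     // client key -> { windowStart, count }

// Match on a path-segment boundary so '/orders-admin' never matches '/orders'.
function resolveRoute(path) {
  return ROUTES.find(r => path === r.prefix || path.startsWith(r.prefix + '/')) || null;
}

// Fixed-window rate limit, applied identically in front of every upstream.
function allow(clientKey, now) {
  const h = hits.get(clientKey);
  if (!h || now - h.windowStart >= WINDOW_MS) {
    hits.set(clientKey, { windowStart: now, count: 1 });
    return true;
  }
  h.count += 1;
  return h.count <= LIMIT;
}

// Returns { reject: <HTTP status> } or { forwardTo, headers } for the upstream request.
function decide(req, now = Date.now()) {
  const route = resolveRoute(req.path);
  if (!route) return { reject: 404 };               // default deny: unrouted paths reach no service
  if (!allow(req.clientIp, now)) return { reject: 429 };
  const headers = { ...req.headers };
  delete headers['x-user-id'];                      // never trust a client-supplied identity header
  if (route.auth) {
    const m = /^Bearer (.+)$/.exec(headers['authorization'] || '');
    const user = m && TOKENS.get(m[1]);
    if (!user) return { reject: 401 };
    headers['x-user-id'] = user;                    // identity is asserted by the gateway only
  }
  return { forwardTo: route.upstream + req.path, headers };
}
```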
API Gateway Samples
- API Gateway + Express + VueJS + Ocelot (Docker Compose or AWS)
- Lambda + API Gateways, Kong, Ocelot
- Ocelot Sample
- .NET Core API Gateways
- API Gateway in a Nutshell.
- API Gateway Presentation
- Microsoft Architecture Guide: Direct microservice to client communication.