An API-Gateway is a Proxy Server that is the single entry point into the system.

API-Gateway is similar to the Facade pattern from object-oriented design. The API-Gateway encapsulates the internal system architecture and provides an API that is tailored to each client type.

An API-Gateway might have other responsibilities such as authentication, monitoring, load balancing, caching, request shaping and management, and static response handling.

The following diagram shows how an API-Gateway typically fits into the architecture:

(Figure: API Gateway Architecture)

API Service Delivery [2]#

The API-Gateway is where API Service Delivery happens, as it is the component responsible for exposing the organization’s APIs to the Consumer of services (which can of course be internal or external).

In brief, the API-Gateway covers the following key areas (for a detailed discussion of the capabilities of the API Gateway please refer to our previous blog post on the subject):

  • Manifestation - Exposes the organization’s APIs to the outside world, acting as a proxy that routes requests from external consumers to the API itself (as an aside, many API management solutions can also support backendless APIs, implementing the entirety of the API on the Gateway itself);
  • Security - Acts as the Policy Enforcement Point for the API, applying Access Control Models on its behalf. Applying Access Control at this outer perimeter is consistent with the cyber security principle of “defense in depth” and is an important feature of the API-Gateway’s capabilities;
  • Entitlement - Allows access to APIs at the agreed-upon rates, limiting or otherwise managing traffic;
  • Standardization - Presents a uniform suite of APIs to consumers (according to any API standards an organization might have);
  • Logging and Metrics capture - Captures the information required to understand API utilization.

In order to expose, secure, and manage an organization’s APIs, the API-Gateway clearly needs to collaborate with the API Registry, ingesting information about the APIs and how they should be exposed. The API-Gateway should also establish a feedback loop, supplying the API Registry with management-level metrics on API utilization, in order to help maintain an accurate picture of how the organization’s APIs are used and thus their relative importance for future capacity and investment decisions.

Finally, metrics captured by the API-Gateway should be available for ingestion by any other system that requires them, for purposes such as monitoring, monetization, and metric analysis.

Generally, the API-Gateway is a Policy Enforcement Point within a Policy Based Management System, typically relying on an Identity Provider (IDP) for Authentication and on a Policy Decision Point to determine Authorization to a resource.

Most modern API-Gateways use a form of OAuth 2.0 to determine Access Control.
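The following is an added example, not code from the wiki page or any product it describes, that shows the key areas listed above (Manifestation, Security, Entitlement, Logging and Metrics capture) and the Policy Enforcement Point role in one small in-process gateway. It assumes a constructed token table standing in for the Identity Provider's OAuth 2.0 token introspection response, a local function standing in for the Policy Decision Point, and plain Python callables standing in for the backend services; the route, scope and rate-limit values are constructed for illustration.

```python
"""Added example: a minimal API-Gateway acting as Policy Enforcement Point.

Everything below is constructed for illustration: the introspection table
stands in for the Identity Provider (IDP), `Gateway.decide` stands in for the
Policy Decision Point, and `orders_service` stands in for an internal API.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple
import time

# Constructed stand-in for the IDP's token introspection response (RFC 7662
# style fields). A real gateway would call the IDP over the network.
INTROSPECTION_TABLE: Dict[str, dict] = {
    "tok-alice":   {"active": True, "sub": "alice", "client_id": "mobile-app", "scope": "orders:read"},
    "tok-bob":     {"active": True, "sub": "bob",   "client_id": "partner-x",  "scope": "orders:read orders:write"},
    "tok-expired": {"active": False},
}


def introspect(token: str) -> dict:
    """Authentication step: ask the (simulated) IDP whether the token is live."""
    return INTROSPECTION_TABLE.get(token, {"active": False})


Backend = Callable[[str, str, str], Tuple[int, dict]]


@dataclass
class Route:
    prefix: str                      # Manifestation: external path exposed by the gateway
    backend: Backend                 # internal service the request is proxied to
    scope_by_method: Dict[str, str]  # Security: OAuth 2.0 scope each HTTP method requires
    rate_limit: int                  # Entitlement: requests per client per window
    window_s: float = 60.0


def orders_service(method: str, path: str, subject: str) -> Tuple[int, dict]:
    """Constructed backend API; the gateway hides it behind /orders."""
    if method == "GET":
        return 200, {"orders": [], "owner": subject}
    return 201, {"created": True, "owner": subject}


ROUTES: List[Route] = [
    Route("/orders", orders_service,
          {"GET": "orders:read", "POST": "orders:write"}, rate_limit=3),
]


class Gateway:
    """Single entry point: routes, enforces policy, limits rate, records metrics."""

    def __init__(self, routes: List[Route], introspect_fn=introspect,
                 clock: Callable[[], float] = time.monotonic):
        self.routes = routes
        self.introspect = introspect_fn
        self.clock = clock  # injectable so rate limiting is testable
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.metrics: Dict[Tuple[str, int], int] = defaultdict(int)  # (route, status) -> count
        self.audit: List[dict] = []  # Logging: one record per decision

    def decide(self, route: Route, method: str, claims: dict) -> bool:
        """Policy Decision Point: allow only if the token carries the required scope."""
        needed = route.scope_by_method.get(method)
        granted = set(claims.get("scope", "").split())
        return needed is not None and needed in granted

    def _within_rate(self, route: Route, client_id: str) -> bool:
        """Sliding-window limit per (route, client); counts only admitted requests."""
        now = self.clock()
        hits = self._hits[(route.prefix, client_id)]
        while hits and now - hits[0] >= route.window_s:
            hits.popleft()
        if len(hits) >= route.rate_limit:
            return False
        hits.append(now)
        return True

    def _finish(self, route_key: str, status: int, body: dict, **audit) -> Tuple[int, dict]:
        self.metrics[(route_key, status)] += 1
        self.audit.append({"route": route_key, "status": status, **audit})
        return status, body

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        route = next((r for r in self.routes if path.startswith(r.prefix)), None)
        if route is None:
            return self._finish(path, 404, {"error": "no such API"})
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return self._finish(route.prefix, 401, {"error": "bearer token required"})
        claims = self.introspect(auth[len("Bearer "):])
        if not claims.get("active"):
            return self._finish(route.prefix, 401, {"error": "token inactive"})
        if not self.decide(route, method, claims):
            return self._finish(route.prefix, 403, {"error": "insufficient scope"}, sub=claims["sub"])
        if not self._within_rate(route, claims["client_id"]):
            return self._finish(route.prefix, 429, {"error": "rate limit exceeded"}, sub=claims["sub"])
        status, body = route.backend(method, path, claims["sub"])
        return self._finish(route.prefix, status, body, sub=claims["sub"], client=claims["client_id"])


if __name__ == "__main__":
    gw = Gateway(ROUTES)
    print(gw.handle("GET", "/orders", {"Authorization": "Bearer tok-alice"}))
    print(gw.handle("POST", "/orders", {"Authorization": "Bearer tok-alice"}))
    print(dict(gw.metrics))
```

The order of checks is the point: the request is routed, authenticated against the IDP, authorized by the decision point, and only then counted against the client's entitlement and proxied to the backend, so a rejected request never consumes quota or reaches the internal API. The `metrics` counter and `audit` list are what the page describes feeding back to the API Registry and to monitoring systems.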

(Figure: API Gateway)

This page (revision-13) was last changed on 07-Jan-2017 12:24 by jim