The following diagram shows how an API-Gateway typically fits into the architecture:
API Service Delivery happens as it is the component responsible for exposing the organization’s APIs to the Consumer of services (which can of course be internal or external).
In brief, the API-Gateway covers the following key areas (for a detailed discussion of the capabilities of the API Gateway please refer to our previous blog post on the subject.):
- Manifestation - Exposes the organization’s APIs to the outside world, acting like a proxy to route requests from external consumers to the API itself (as an aside, many API management solutions can also support backendless APIs, implementing the entirety of the API on the Gateway itself
- Security - is the a Policy Enforcement Point for the API, applying Access Control Models on behalf of the API. Applying Access Control at this outer perimeter is consistent with the cyber security principle of “defensive in depth” and is an important feature of the API-Gateway’s capabilities
- Entitlement - Allows access to APIs at the agreed upon rates and either limiting or managing traffic;
- Standardization - Presents a uniform suite of APIs to consumers (according to any API standards an organization might have);
- Logging and Metrics capture - Captures the information required to understand API utilization.
In order to expose, secure, and manage an organization’s APIs the API-Gateway clearly needs to be in collaboration with the API Registry, ingesting information about the APIs and how they should be exposed. The API-Gateway should also establish a feedback loop, supplying the API Registry with management-level metrics on API utilization, in order to help maintain an accurate picture of how the organizations APIs are used and thus their relative importance for future capacity and investment decisions.
Generally, API-Gateway is a Policy Enforcement Point which uses Policy Based Management System typically using a Identity Provider (IDP) for Authentication and a the Policy Decision Point to determine Authorization to a resource.