
Published: 25 August 2024
Contributors: Gita Jackson, Michael Goodwin

What is an API gateway?

An API gateway is an API management tool that acts as an intermediary between an API client (the application on a user’s device) and backend services (located on a server). An API gateway presents a single point of entry for API calls.

An API, or application programming interface, is a set of rules or protocols that enables software applications to communicate with each other to exchange data, features and functionality. A request for data from a client to an API is known as an API call.

An API gateway receives an API call (sometimes called an API request), routes it to one or more backend services, gathers the requested data and delivers it to the client in a single, combined package. It also provides analytics, layers of threat protection and other security for the application.

For example, consider a restaurant’s web application. Using a laptop or cellphone, a user can enter one request and easily access the restaurant’s menu, photos and reviews, its payment service and a map to check its location, despite all that information being gathered and delivered from different backend microservices or APIs. The request submitted via the user’s application is received and executed by an API gateway.

The value of an API gateway

API gateways can be deployed in the cloud, on-premises and in hybrid environments and are an important component of both API management and API security. API gateways help organizations provide a consistent, secure and satisfactory API experience for users.

API management is the scalable process of creating, publishing and managing APIs within an enterprise. API gateways improve and streamline management tasks such as request routing, load balancing and error handling. API gateways also improve API observability by generating logs of API calls and enabling the use of integrated analytics tools.

API security refers to the practices and procedures that protect APIs from misuse, malicious attacks and other cybersecurity threats. API gateways help enforce API security protocols and can be used to manage authentication, authorization and other permissions and access controls (by confirming API keys, or integrating with authorization protocols such as OAuth, for example), rate limiting (to protect against attacks such as distributed denial of service attacks) and encryption per an organization’s API security policies.

API gateways provide additional functions to enhance efficiency within an enterprise, helping enable high performance and high availability for applications and backend services. For example, API gateways can be used for caching, a process in which commonly referenced data is stored locally. This helps improve response time and reduces the load on servers. They can also compress large responses into smaller files, reducing bandwidth consumption.

They also provide rate limiting capabilities, which set a limit on how often a client can send requests to a service within a set amount of time. This promotes stability, prevents servers from becoming overloaded and helps ensure that clients have equal access to APIs.

API gateways and their capabilities help organizations balance API traffic and workloads as the organization scales. By centralizing these functions, API gateways help streamline how an enterprise develops, deploys and manages APIs. Gateways help improve the performance, scalability and availability of apps and services and enable developers to focus more on core business logic rather than API administration.

How does an API gateway work?

APIs enable applications to communicate with each other and share data both within and outside of an organization’s IT environment. Modern enterprises can have thousands of APIs and a gateway provides a central focal point—a “front door”—and standardized interface that helps manage and route API calls from one location. An organization might choose to use multiple gateways, as many do, to allow for different security protocols and standards to be applied to different APIs or users, but the same principles apply.

Requests and routing

An API gateway receives all the calls directed at an enterprise's API endpoints, authenticates the calls, processes them based on organizational policies, routes them to the appropriate services, then finally aggregates and returns the results to the API client that made the call. Even if multiple services are requested and accessed through the API call, the client only receives one response with all the data.

API composition

An API gateway provides workflow orchestration as it aggregates the requested information from multiple microservices, bundles the data and returns it to the requestor in composite form.

Protocol and data translation

An API gateway handles data and protocol translation in cases where the client device and microservices use different languages, formats (say, the request comes in using JavaScript or JSON but the microservice uses XML) or protocols (such as HTTP requests versus gRPC requests).

Caching

For commonly requested information, API gateways might use caching to accelerate the response time for the request. This data is stored in a separate cache so that the gateway can quickly return it without needing to route traffic to an additional service.

Monitoring and logging

API gateways can monitor and log API requests, responses and errors. This analytics data can be used to gain a better understanding of API traffic and performance, improve troubleshooting and strengthen security.

Why use an API gateway?

APIs are crucial to the flow of data in modern systems and API gateways help protect APIs and applications, help organizations gather valuable data and help ensure API performance.

API gateways can make processes more efficient. All of an organization’s APIs might need to complete a few common tasks alongside their specific function every time a call to that API is made. In an API-first ecosystem, where APIs are the building blocks upon which software is built, this is especially common.

For example, to comply with API security protocols, every API call might need to go through an authorization and validation process. Or to help ensure adequate bandwidth, every API might need to be monitored for usage rates and traffic. If APIs are monetized, every call might need to be routed to a billing service. An API gateway can handle all these tasks.

Some API calls require resources from several different microservices; an API gateway breaks down such calls, routes the requests to the appropriate backend services and aggregates the requested resources into one response for the client. This prevents the client from having to send a separate API call to each microservice, streamlining the process and reducing call load. Calls always go to the same place and the gateway organizes resource retrieval and return.

This capability is particularly beneficial in a DevOps environment, where microservices architectures are often used to help teams accelerate development and continuously deliver new apps and services. Microservices rely on APIs to communicate and gateways can be used to orchestrate this communication. An API gateway can also help ensure that each call is going to the correct place when multiple versions of an application are on the same server.

API gateways are also used in serverless computing models and other cloud-native-development approaches. In a serverless model, infrastructure and other backend services are run on-demand and spun up using APIs. Gateways can be used to manage this function.

Modern IT environments are all about integration, the success of which relies in large part on APIs. The more complex an API environment and the greater the traffic APIs receive, the more value an API gateway can provide.

API gateways and microservices

A microservices architecture is a software development approach in which applications are composed of smaller, independently functioning parts. These distinct functions can be deployed autonomously and communicate via APIs. They are designed to fulfill a singular goal, with the intention of being grouped together as the building blocks of larger programs.

Routing calls from API clients directly to each individual microservice is possible, but it is not very efficient and would require a separate call for each resource. An API gateway enables an organization to return the requested resources with a single API call.

It works like this: The gateway receives the API call that requires communication with several microservices. It breaks up the request, routes each segment to the appropriate resources and aggregates the resources into a single response for the API client. As an organization increases the number of APIs and microservices used in business functions, an API gateway helps reduce call volume and the complexity of routing calls by acting as a standardized, single-entry point.

Let’s imagine a client wants to pull product information from an ecommerce store built using a microservices architecture. The product details that the client wants to pull are spread out over multiple different services—a service for basic product information, a service for pricing, a service for inventory and so on.

The API gateway receives the request for product information, routes it to pull data from each service required to fulfill the request and then compiles that data and sends it back to the client as one complete response.
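The composition step described above (and under "API composition" earlier), as an added Python example that is not code from the article or from any IBM product: one client call fans out in parallel to constructed stand-ins for the product, pricing and inventory services and comes back as a single response. The service functions, field names and the "unavailable" marker are assumptions; the inventory stand-in deliberately fails so the partial-response path is shown.

```python
import concurrent.futures
from typing import Callable, Dict

# Constructed stand-ins for the three backend microservices named above
# (product information, pricing, inventory). Each takes a product id and
# returns a dict; a real gateway would call them over HTTP or gRPC.
def product_service(product_id: str) -> dict:
    return {"id": product_id, "name": "Trail Running Shoe", "brand": "Acme"}

def pricing_service(product_id: str) -> dict:
    return {"price": 89.99, "currency": "USD"}

def inventory_service(product_id: str) -> dict:
    # Simulated outage, so the gateway's partial-failure path is exercised.
    raise TimeoutError("inventory service did not respond")

BACKENDS: Dict[str, Callable[[str], dict]] = {
    "product": product_service,
    "pricing": pricing_service,
    "inventory": inventory_service,
}

def compose_product(product_id: str, timeout: float = 1.0) -> dict:
    """Fan one client call out to every backend in parallel, then bundle the
    results into a single response. A backend that fails or times out is
    listed under 'errors' instead of failing the whole call, so the client
    still receives the data that was available."""
    response: dict = {"product_id": product_id, "errors": {}}
    with concurrent.futures.ThreadPoolExecutor(max_workers=len(BACKENDS)) as pool:
        futures = {name: pool.submit(fn, product_id) for name, fn in BACKENDS.items()}
        for name, fut in futures.items():
            try:
                response[name] = fut.result(timeout=timeout)
            except Exception as exc:  # backend error or timeout
                # Only a generic status reaches the client; the detail stays
                # in the gateway's own log (stdout here).
                print(f"gateway: backend {name} failed for {product_id}: {exc}")
                response["errors"][name] = "unavailable"
    return response

if __name__ == "__main__":
    print(compose_product("sku-123"))
```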

API gateways and Kubernetes

Kubernetes is considered the industry standard for deploying and managing containerized microservices. API gateways can interact with a containerized Kubernetes cluster in multiple ways.

When deployed in front of more than one Kubernetes cluster, an API gateway can serve as a load balancer, directing traffic to the correct cluster so that no one instance is overloaded. When deployed at the edge of a singular Kubernetes cluster, an API gateway can act as an ingress controller. Ingress controllers direct traffic into a Kubernetes cluster, to the requested services and then back out again. When deployed within a Kubernetes cluster, an API gateway can act as a service mesh. A service mesh handles traffic flowing between Kubernetes services, offering load balancing and service discovery and is commonly used for end-to-end encryption.

How does an API gateway improve API management?

Beyond enabling organizations to route and balance API traffic more effectively, API gateways strengthen API management by helping:

  • Lower latency
  • Increase security
  • Reduce complexity

Lower latency

API gateways can help optimize traffic routing and load balancing across backend services by managing API calls through a centralized entry point. Such measures help maintain low latency. API gateways use a variety of methods for API traffic management that use bandwidth more efficiently and improve the user experience.

One such method is rate limiting. Rate limiting policies specify the number of requests (a request quota) that a specific client can make to an API over a specific period of time. This helps make sure that users have equal access to APIs and protects backend services from becoming overloaded with requests.

Request throttling is a type of limiting that regulates the rate of requests hitting a server. This prevents spikes and helps organizations maintain performance and stability.
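The two policies just described, as an added Python example that is not code from the article or from any IBM product: a per-client request quota counted over a fixed window (rate limiting) and a token bucket in front of the backend that absorbs spikes (request throttling). The limits, the client identifiers and the mapping to HTTP status codes are assumptions; the clock is injectable so the behaviour can be checked deterministically.

```python
import time
from typing import Callable, Dict, Tuple

class ClientQuota:
    """Rate limiting as described above: each client (identified by its API
    key or address) may make at most `limit` requests per `window` seconds.
    Fixed-window counting; the count resets at each window boundary."""
    def __init__(self, limit: int, window: float, clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._counts: Dict[str, Tuple[int, int]] = {}  # client -> (window_no, count)

    def allow(self, client: str) -> bool:
        window_no = int(self.clock() // self.window)
        win, count = self._counts.get(client, (window_no, 0))
        if win != window_no:          # first request in a new window: reset
            count = 0
        if count >= self.limit:       # quota for this window already spent
            return False
        self._counts[client] = (window_no, count + 1)
        return True

class Throttle:
    """Request throttling: a token bucket in front of the backend caps the
    sustained rate at `rate` requests per second and absorbs spikes of up
    to `burst` requests, regardless of which clients they come from."""
    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

def admit(client: str, quota: ClientQuota, throttle: Throttle) -> int:
    """Gateway admission decision as an HTTP status code (assumed mapping):
    429 when the client's quota is spent, 503 when the backend is being
    shielded from a spike, 200 when the request is forwarded."""
    if not quota.allow(client):
        return 429
    if not throttle.allow():
        return 503
    return 200
```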

API gateways can also perform dynamic load balancing by continuously monitoring traffic to backend services. An API gateway can determine the health of a server based on real-time metrics and adjust how it routes calls to backend services.

Increase security

APIs are vulnerable to cybersecurity attacks such as distributed denial of service (DDoS) attacks. DDoS attacks overload servers with requests and malicious traffic, causing them to crash. An API gateway supports rate limiting and other techniques to help thwart DDoS attacks.

API gateways can also help secure APIs by monitoring API usage and providing traffic logs. Some API gateways also provide reports and analytics about the requests being made to any APIs in an organization’s infrastructure, enabling an organization to identify suspicious traffic before an attack happens.

API gateways not only assist in traffic management and provide a secure connection to APIs but can also be configured to provide API authentication and request authorization, reducing the vulnerability of an organization’s APIs. For example, API gateways are used to verify API keys when calls are received from a client before granting access to resources. For greater security, API gateways can be used in conjunction with tools such as web application firewalls (WAF), which monitor, filter and block malicious HTTP traffic.

Reduce complexity

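The API key check described above, as an added Python example that is not code from the article or from any IBM product: the gateway keeps only digests of the issued keys, compares the presented secret in constant time, and then decides per route whether the call is forwarded. The header format, key ids, secrets, client names and routes are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()

# Gateway-side key store (constructed sample data). Only digests of the
# issued secrets are kept, so a copy of this table does not yield usable keys.
# key id -> (digest of secret, client name, routes the key may call)
ISSUED_KEYS: Dict[str, Tuple[bytes, str, Set[str]]] = {
    "k1": (_digest("demo-secret-key-1"), "mobile-app", {"/menu", "/reviews"}),
    "k2": (_digest("demo-secret-key-2"), "partner", {"/menu", "/payments"}),
}

def authenticate(headers: Dict[str, str]) -> Optional[Tuple[str, Set[str]]]:
    """Validate an 'X-API-Key: <id>.<secret>' header (assumed format) and
    return (client name, allowed routes), or None when the key is missing,
    unknown or wrong."""
    raw = headers.get("X-API-Key", "")
    key_id, _, secret = raw.partition(".")
    record = ISSUED_KEYS.get(key_id)
    # Unknown ids are compared against a random digest so that an unknown id
    # and a wrong secret take the same code path and cost the same time.
    expected = record[0] if record else _digest(secrets.token_hex(16))
    if not hmac.compare_digest(expected, _digest(secret)) or record is None:
        return None
    return record[1], record[2]

def authorize_call(headers: Dict[str, str], path: str) -> int:
    """Gateway decision before routing: 401 without a valid key, 403 when the
    key is valid but not entitled to this route, 200 when it is forwarded."""
    auth = authenticate(headers)
    if auth is None:
        return 401
    _client, routes = auth
    if path not in routes:
        return 403
    return 200
```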
API gateways centralize the flow of API calls, improving service visibility and discoverability. They also provide ways for APIs that use different protocols and data formats to communicate with each other.

Many web APIs use an architectural style called REST (representational state transfer), though other protocols, such as SOAP (simple object access protocol) and WebSocket, are also used. Whether it’s within an organization, or external calls directed at an organization’s internal APIs, it’s common to have APIs with various protocols and data formats that need to communicate with each other and request resources from the same backend services.

Manually converting each request would take an astronomical amount of time; API gateways help eliminate this problem by performing data and protocol translation, automatically translating requests and responses into the necessary format.

API gateways also make it easier for developers to iterate upon and deploy APIs because gateways can manage multiple versions of an API at the same time. Developers can then test multiple versions of an API against each other before deployment or maintain an instance of an older API version for specific use cases.

Additional API gateway benefits include:

  • Extending legacy apps: Businesses still use legacy applications that contain essential data, perform significant functions and provide value, but the apps were not written for APIs. Such older technology can have trouble handling the increasing numbers of calls from newer technologies, such as mobile, SaaS or IoT apps. They can also be hard to access. Instead of taking on a complicated cloud migration, a DevOps team can add API functionality—including benefits such as rate limiting and throttling—to help modernize and extend the functionality of a legacy application.

  • Microservices caching: API gateways can help optimize API calls, such as with microservices caching. Caching responses to API calls can help avoid unnecessary load on backend services. The cached responses can be used when similar requests are received, improving performance and decreasing cost.

  • Monitoring and tracking application analytics: Since an API gateway controls all an application’s inbound traffic, it’s straightforward to have the software monitor and produce reports about visibility, trends and other insights about API usage. The gateway software can also create traffic logs that help an API provider understand and fix infrastructure problems.

API gateway challenges

While API gateways can help resolve complicated routing issues, adding a new piece of management software to any organization can also introduce new challenges. Common challenges include:

  • Scalability issues
  • Single point of failure
  • Gateway dependency/vendor lock-in

Scalability issues

While API gateways can help organize API infrastructure and lower latency, if they receive more requests than they are configured to manage and don’t have enough resources to handle the traffic, they can increase latency instead.

Organizations must make sure that API gateways are provisioned and configured to meet the API environment and traffic demands of the enterprise. As an enterprise increases the number of APIs and services in use at any given time, resources must be scaled and provisioned accordingly to prevent users from experiencing any interruptions in service.

Single point of failure

A single point of entry also means that there can be a single point of failure. Centralizing APIs has a tremendous number of upsides, but the downside is that the gateway itself becomes a potential vector for an attack or infiltration. Gateway issues can have effects on all aspects of an enterprise that rely on access to APIs and backend services.

Gateway dependency

Once an organization has chosen the API gateway that meets its specific needs and built its API environment around that gateway, it can be expensive and time-consuming to move to another vendor.

Additionally, while gateways can make API usage more cost effective, the gateway will also require monitoring and management, which costs time and money. In some cases, an organization might choose to self-host an open-source gateway, rather than using a managed service, to have finer control over its various options. If an organization chooses a self-hosted option, this will add to the overall overhead costs for the development team.
