It’s time to talk about some other aspects of API connectivity, namely security: how these APIs are authenticated and authorized.
So what is an API gateway? An API gateway is an appliance (physical or virtual) which sits either at the edge of your network, facing the internet if you are exposing your APIs publicly (API Banking is the best use-case here), or, as stated earlier, in front of your internal ESB. It inspects every API request and only lets it through if the consumer can properly authenticate and authorize itself on the API gateway. Let's take an example: imagine an external third-party partner or a corporate customer wants to interact with our internal system using an API. You can't just host your internal API on the internet without any protection, right? So what do you do? You introduce an API gateway which sits in the DMZ (demilitarized zone) and acts as a security guard, checking every incoming request against security parameters such as:
· Authentication (to determine whether you are actually who you claim to be)
o It can be done by passing a pre-shared key (an API key) in the API request header; the key must be kept secret by the consumer and should only ever be sent over TLS
o It can be done using SSL/TLS certificates, i.e. two-way (mutual) TLS, where the consumer organization and you exchange certificates up front and the gateway authenticates the consumer by validating the client certificate it presents during the handshake
· Whitelisting of the source IP address from which the consumer originates the request. This is an additional check rather than a replacement for authentication: a partner's whole address range is typically shared by everyone behind their NAT.
· Authorization (to determine whether this consumer has access to the particular API it is requesting)
· Passing AD credentials in the API request header; the gateway validates them against Active Directory and, based on the account (or its group membership), decides whether this consumer is allowed to access that particular API
· Authorization can also be based on a combination of all the authentication parameters. For example, the API gateway can decide that an API may only be accessed if the request authenticates via AD, comes from a specific IP address and presents a particular certificate. If any one of the checks fails, the request is denied.
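The following is an added example, not code from the original article or from any particular gateway product. It shows the combined decision described above in the order a gateway applies it: first the authentication checks (pre-shared key in a header, client certificate subject reported by the TLS layer, source IP against a whitelist), then the authorization check (is the AD account that the gateway already validated a member of a group allowed on this API). The policy, the key, the certificate subject, the address range, the header names (`X-API-Key`, `X-AD-User`) and the `AD_DIRECTORY` group lookup are all constructed stand-ins. Everything is evaluated offline; no network or directory is contacted.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy for one partner API. Names, key, subject and address range are
# hypothetical; a real gateway loads this from its configuration store.
POLICY = {
    "/partner/v1/accounts": {
        "api_key": "s3cr3t-partner-key",                          # pre-shared key expected in X-API-Key
        "cert_subject": "CN=partner.example.com,O=Partner Ltd",   # client certificate subject agreed with the partner
        "source_cidrs": ["203.0.113.0/24"],                       # whitelisted source range (TEST-NET-3, documentation only)
        "ad_groups": ["API-Banking-Partners"],                    # AD group allowed to call this API
    },
}

# Constructed stand-in for an Active Directory lookup (account -> group memberships).
AD_DIRECTORY = {
    "svc-partner": ["API-Banking-Partners", "Domain Users"],
    "svc-intern": ["Domain Users"],
}


@dataclass
class Request:
    path: str
    source_ip: str
    headers: dict = field(default_factory=dict)
    client_cert_subject: Optional[str] = None   # set by the TLS layer after a mutual-TLS handshake


def authenticate(req: Request, rule: dict) -> list:
    """Return the names of the failed authentication checks; an empty list means all passed."""
    failures = []
    key = req.headers.get("X-API-Key", "")
    # constant-time comparison so the key cannot be recovered byte by byte from response timing
    if not hmac.compare_digest(key.encode(), rule["api_key"].encode()):
        failures.append("api_key")
    if req.client_cert_subject != rule["cert_subject"]:
        failures.append("client_cert")
    try:
        ip = ipaddress.ip_address(req.source_ip)
        in_range = any(ip in ipaddress.ip_network(c) for c in rule["source_cidrs"])
    except ValueError:                      # unparsable address: treat as not whitelisted
        in_range = False
    if not in_range:
        failures.append("source_ip")
    return failures


def authorize(req: Request, rule: dict) -> bool:
    """Authorization: is the AD account the gateway validated (assumed carried in X-AD-User)
    a member of a group allowed on this API?"""
    account = req.headers.get("X-AD-User", "")
    groups = AD_DIRECTORY.get(account, [])
    return any(g in groups for g in rule["ad_groups"])


def gateway_decision(req: Request):
    """Evaluate one request against the policy and return (allowed, reason)."""
    rule = POLICY.get(req.path)
    if rule is None:
        return False, "unknown API"       # default deny: no rule means no access
    failed = authenticate(req, rule)
    if failed:
        return False, "authentication failed: " + ", ".join(failed)
    if not authorize(req, rule):
        return False, "not authorized for this API"
    return True, "ok"


if __name__ == "__main__":
    good = Request(
        path="/partner/v1/accounts",
        source_ip="203.0.113.10",
        headers={"X-API-Key": "s3cr3t-partner-key", "X-AD-User": "svc-partner"},
        client_cert_subject="CN=partner.example.com,O=Partner Ltd",
    )
    print(gateway_decision(good))
```

Two design points worth noting. The policy is default-deny: a path with no rule is rejected outright, and every authentication check is evaluated so the reason lists everything that failed. The certificate check here only compares the subject that the TLS layer reported; in a real deployment the gateway must also have validated the certificate chain against the partner's CA during the handshake, otherwise anyone can mint a certificate with that subject.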
Some other tasks which an API gateway can perform are:
· API firewall - The gateway can inspect every request (headers and body) for malicious content such as injection payloads, malformed or oversized XML/JSON, or embedded scripts, and based on policy it can drop the request and block further connections from that source. This is something an ESB does not do; it is the kind of inspection you would otherwise need a web application firewall for.
· Caching - The API gateway can cache (store in its own memory for some time) the responses from the backend application servers, so that it doesn't need to connect to the application servers for every call, improving latency for the consumers who access the API. Two caveats: the cache key must include the consumer's identity, and responses the backend marks as private or not cacheable must never be stored, otherwise one consumer can be served data that was produced for another.
· Protocol conversion - which an ESB can also perform (converting XML to JSON, SOAP to REST, etc.), so that neither the consumer (the customer, in our case) nor the service provider needs to make any development changes at their end.
· Routing - In certain cases the API gateway may route requests directly to the hosting application servers, bypassing the ESB, or to any other application server in the environment without sending the request through the ESB.
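The caching caveat above in working form, as an added example that is not part of the original article and not any vendor's implementation. The cache key is derived from the consumer identity together with the method, path and query, only GET responses are stored, responses carrying `no-store` or `private` are skipped, and entries expire after a TTL. The `FakeClock`, the backend function and the consumer names are constructed so the walk-through runs offline and deterministically.

```python
import hashlib
import time


class ResponseCache:
    """Gateway-side response cache.

    The key includes the consumer identity, so a partner can only ever be served a
    response the backend produced for that same partner. Entries expire after
    `ttl_seconds`, and responses the backend marks as not cacheable are never stored.
    """

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised without sleeping
        self._store = {}

    @staticmethod
    def make_key(consumer_id, method, path, query=""):
        raw = "\n".join([consumer_id, method, path, query])
        return hashlib.sha256(raw.encode()).hexdigest()

    def get(self, consumer_id, method, path, query=""):
        key = self.make_key(consumer_id, method, path, query)
        entry = self._store.get(key)
        if entry is None:
            return None
        body, expires_at = entry
        if self.clock() >= expires_at:       # stale: drop it and go back to the backend
            del self._store[key]
            return None
        return body

    def put(self, consumer_id, method, path, query, body, cache_control=""):
        """Store a response; returns False when policy forbids caching it."""
        if method != "GET":                  # only idempotent reads are safe to replay
            return False
        directives = {d.strip().lower() for d in cache_control.split(",")}
        if directives & {"no-store", "private"}:
            return False
        key = self.make_key(consumer_id, method, path, query)
        self._store[key] = (body, self.clock() + self.ttl)
        return True


class FakeClock:
    """Constructed clock so the demo and its test can advance time deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def fetch(cache, consumer_id, method, path, backend, query="", cache_control=""):
    """Serve from cache if possible; otherwise call the backend and (policy permitting) store the result."""
    cached = cache.get(consumer_id, method, path, query)
    if cached is not None:
        return cached, "HIT"
    body = backend(consumer_id, method, path, query)
    cache.put(consumer_id, method, path, query, body, cache_control)
    return body, "MISS"


def demo():
    """Walk through the scenarios; returns (list of HIT/MISS outcomes, number of backend calls)."""
    clock = FakeClock()
    cache = ResponseCache(ttl_seconds=30, clock=clock)
    calls = []

    def backend(consumer, method, path, query):   # constructed backend returning per-consumer data
        calls.append(consumer)
        return f"balance for {consumer}"

    outcomes = []
    outcomes.append(fetch(cache, "partnerA", "GET", "/v1/balance", backend)[1])   # MISS: first call
    outcomes.append(fetch(cache, "partnerA", "GET", "/v1/balance", backend)[1])   # HIT: same consumer
    body, outcome = fetch(cache, "partnerB", "GET", "/v1/balance", backend)       # MISS: other consumer
    outcomes.append(outcome if body == "balance for partnerB" else "LEAK")
    clock.now += 31
    outcomes.append(fetch(cache, "partnerA", "GET", "/v1/balance", backend)[1])   # MISS: TTL expired
    outcomes.append(fetch(cache, "partnerA", "POST", "/v1/transfer", backend)[1]) # MISS: POST not cached
    outcomes.append(fetch(cache, "partnerA", "POST", "/v1/transfer", backend)[1]) # MISS again
    return outcomes, len(calls)


if __name__ == "__main__":
    print(demo())
```

The "LEAK" branch in `demo()` is the failure mode the caveat warns about: if the key omitted the consumer identity, partnerB's first request would hit partnerA's cached balance. Keying on identity turns that into a miss and a fresh backend call.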
Note: all of this happens in real time at wire speed; the entire request/response cycle is measured in milliseconds.
Please note that there are also architectures where you host your on-premise API behind a cloud API gateway.