API Blog Series
The term “API Gateway” is starting to create a lot of buzz in the NonStop circle. I thought it would be good to do a quick walkthrough of what API Gateway is and its potential benefits. For those of you who are already familiar with Proxy Server (or Reverse Proxy Server), you will find a lot of functional similarity between a Proxy Server and an API Gateway.
What does an API Gateway do?
An API Gateway is like a “gate-keeper” or “traffic-cop” that enables incoming Client Requests to be analyzed prior to being routed to a destination service. The typical configuration is that the API Gateway would sit in front of the backend servers to protect the internal network from access by malicious clients.
API gateways provide several different benefits to an organization. One key point is consolidation, providing a single point of entry for an organization’s Services. By deploying a gateway, a company can consolidate multiple Services into a single customer-facing interface. The API Gateway can control if requests can be routed to the appropriate backend services or rejected due to security or performance criteria. This single point of entry control enables changes or additions to the environment be done easily. By using an API gateway, services can be added, removed, or switched out simply by updating the configuration of the gateway.
One of the things that an API Gateway can do is provide backend services protection against intrusion attacks such as Denial of Service (DoS).
A denial-of-service (DoS) attack occurs when legitimate users are unable to access services or resources due to the actions of a malicious client. A denial-of-service condition is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. Services affected may include any customer-facing services, websites, online accounts (e.g., banking), or others that rely on the affected computer or network.
API Gateway can offer protection against by DOS by using Rate Limiting. Rate Limiting protects the backend services (APIs)from accidental or malicious overuse. Without rate limiting, each user may request as often as they like, which can lead to spikes of requests that starve other consumers. After rate limiting is enabled, API calls are limited to a fixed number of requests per second or minute.
An API Gateway can also improve the performance of environment by optimizing the handling of incoming application requests. For instance, it can balance the load across multiple backend services to optimize response time or resources. This ensures that requests are responded quickly, and that no server is over-stressed to degrade the performance.
Here are some common load balancing methods used by API Gateways.
- Round Robin: Requests are distributed to servers using a weighted round-robin balancing method.
- Least Connections: The request is sent to the server with the least average response time and least number of active connections, taking weight into account.
As the “gate keeper” that sits between a company’s users and the backend services, an API Gateway can secure these backend services or APIs against abuse or overuse. It provides an additional layer of security by limiting the access to the services to abide by configured rules, by:
- Limiting access by specific IP addresses
Requests must come from a specific range of IP addresses to pass through.
- Requiring Authentication
Incoming requests must include proper credentials to access backend services. By implementing Authentication in the API Gateway, it enables one common, centralized place to check authentication without having to implement it in all the backend services.
- Enforcing the use of TLS
Any backend services not using HTTPS with TLS is at risk of exposing sensitive data in flight. By enforcing the use TLS in the API Gateway, this adds protection to the data transfer to and from the backend services.
Making the case for a NonStop-based solution
As we can see, an API Gateway can play a critical role in an enterprise’s ecosystem. Given such an important role, an API Gateway should be:
Does that sound familiar? Yes! These are the well-known NonStop fundamentals. So, it makes perfect sense to consider an API Gateway solution that runs on the NonStop server which will address the above requirements, plus leveraging all benefits of the NonStop architecture and Guardian protection.
In our next blog, we will explore API Gateway solutions that run on the NonStop.
Do you find this tutorial blog helpful? Let us know what you think, and how we can make it even better. Don’t forget, you can subscribe to our blogs (top right-hand corner) to get automatic email notification when a new blog is available.
Phil Ly is the president and founder of TIC Software, a New York-based company specializing in software and services that integrate NonStop with the latest technologies, including Web Services, .NET and Java. Prior to founding TIC in 1983, Phil worked for Tandem Computer in technical support and software development.