API Gateways Security

An API gateway is a software component that sits between clients and a collection of backend microservices. The gateway handles the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, CORS support, authorization, access control, throttling, monitoring, and API version management.


Benefits of API Gateways:

  • Wrapping your microservices together and exposing them through an API gateway provides secure, faster, easier access to your services.
  • Makes your APIs and backend systems more secure through a single-interface approach.
    It gives you full control of the API execution environment using extensible policies for security and access control, throttling, routing, mediation, and SLA management.
  • Simpler code, for both your services and the applications that consume them.
  • Decreased latency over time due to fewer back-and-forth calls.
  • Faster, easier access to all microservices.
  • Decreased workload on each individual microservice, or load balancing across them.
  • Comprehensive metrics collection.

Challenges of API Gateways:

  • Response time: While latency and response time are often decreased due to requests traveling more efficiently, the additional step of a request passing through an API gateway can potentially add to response time.
  • Dependencies: Anytime a business adds, changes or removes a microservice, it must update its API gateway. That can be challenging with an application that has evolved from having just a few microservices to encompassing many. However, creating API design rules can help with this.
  • Complexity: Routing logic can make communication with microservices more complex. The API gateway is another system that must be developed, deployed and maintained.
  • Security: Because an API gateway touches many areas of an enterprise’s systems, its compromise can seriously impact an application’s safety.
  • Reliability: If there’s only one API gateway and it goes down, the whole application becomes unavailable. Creating multiple API gateways and using load balancers can help avoid this situation.

How does an API gateway support DevOps and serverless environments?

In organizations that follow a DevOps approach, developers use microservices to build and deploy apps in a fast-paced, iterative way. APIs are one of the most common ways that microservices communicate.

Additionally, modern cloud development, including the serverless model, depends on APIs for provisioning infrastructure. You can deploy serverless functions and manage them using an API gateway.

In general, as integration and interconnectivity become more important, so do APIs. And as API complexity increases and usage grows, so does the value of an API gateway.

Who is responsible for administering the API gateway, and what are the stages?

Operations, security, and systems architecture teams are responsible for administering the gateway.

Below are the main stages in an API gateway administration lifecycle:

  • Planning an API gateway system
  • Installing API gateway components
  • Configuring a domain
  • Operating and managing the API gateway
  • Upgrading the API gateway

How to protect API gateways?

Threats like DDoS, SQL injection, and brute force attacks demand an added line of defense to safeguard the API gateway. To keep malicious input from attacking the gateway, it is wise to perform thorough API gateway checks on the server side rather than trusting the client.

Some of the best practices:

  • Define the usability and accessibility of each API gateway at development time, not afterwards.
  • Make sure the gateway does not expose too much information and that access filters are defined.
  • Apply response transformation at the gateway, using HTTP headers for RESTful APIs, so that only the data the client actually needs is shared automatically.
  • For an application with many use cases, such as IoT devices, mobile apps, websites, and integrations, create a dedicated API gateway for each type. Don’t bring internal-use endpoints into the public’s eye.
  • Gateways for internal apps or networks should be reachable only over a private network to prevent unwanted data access.
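The practices above translate into a small policy pipeline in front of the backends: throttle each client (the brute-force and DDoS defense), route only the paths that are meant to be public (internal endpoints simply do not exist from the outside), check the caller's credential and scope, and then transform the backend response so that leaky headers and internal fields never reach the client. The following Python is an added example written for this article, not code from the original page or from any gateway product; the route table, API keys, field allowlists, backends and client addresses are all constructed sample data.

```python
"""Minimal API-gateway policy pipeline (added example; assumptions noted inline)."""
import time

# Hypothetical route table: public path -> (backend name, required scope).
# An internal admin path is deliberately absent, so it is never reachable here.
ROUTES = {
    "/v1/orders": ("orders", "orders:read"),
    "/v1/profile": ("users", "users:read"),
}

# Constructed API keys and the scopes each one is granted.
API_KEYS = {
    "key-mobile-123": {"orders:read", "users:read"},
    "key-partner-456": {"orders:read"},
}

# Response transformation: only these fields leave the gateway, per backend.
RESPONSE_FIELDS = {
    "orders": {"id", "status", "total"},
    "users": {"id", "display_name"},
}

# Headers that reveal implementation details and must be stripped before the client sees them.
STRIP_RESPONSE_HEADERS = {"server", "x-powered-by", "x-internal-host", "x-db-shard"}


class ManualClock:
    """Controllable clock so throttling behaviour is reproducible offline."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t


class TokenBucket:
    """Per-client throttling: refills `rate` tokens per second, bursts up to `capacity`."""
    def __init__(self, rate, capacity, clock):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens, self.last = float(capacity), clock()
    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self, backends, rate=5.0, burst=3, clock=time.monotonic):
        self.backends, self.rate, self.burst, self.clock = backends, rate, burst, clock
        self.buckets = {}  # client ip -> TokenBucket

    def _bucket(self, client_ip):
        return self.buckets.setdefault(client_ip, TokenBucket(self.rate, self.burst, self.clock))

    def handle(self, request):
        """Policies in order: throttle, route, authenticate, authorize, call backend, filter."""
        if not self._bucket(request["client_ip"]).allow():
            return 429, {"Retry-After": "1"}, {"error": "too many requests"}
        route = ROUTES.get(request["path"])
        if route is None:  # unknown and internal paths are indistinguishable to the client
            return 404, {}, {"error": "not found"}
        backend_name, required_scope = route
        scopes = API_KEYS.get(request["headers"].get("x-api-key"))
        if scopes is None:
            return 401, {}, {"error": "unauthorized"}
        if required_scope not in scopes:
            return 403, {}, {"error": "forbidden"}
        status, headers, body = self.backends[backend_name](request)
        safe_headers = {k: v for k, v in headers.items() if k.lower() not in STRIP_RESPONSE_HEADERS}
        safe_body = {k: v for k, v in body.items() if k in RESPONSE_FIELDS[backend_name]}
        return status, safe_headers, safe_body


# Constructed backends that return more than a client should ever see.
def orders_backend(request):
    return 200, {"Server": "orders-svc/2.3", "X-DB-Shard": "shard-07", "Content-Type": "application/json"}, \
        {"id": 42, "status": "shipped", "total": 19.99, "warehouse_ip": "10.0.3.15", "internal_notes": "vip"}

def users_backend(request):
    return 200, {"Content-Type": "application/json"}, \
        {"id": 7, "display_name": "Alice", "password_hash": "<hash-placeholder>"}

def req(path, api_key=None, client_ip="203.0.113.10"):
    """Build a constructed request; the key is sent as an x-api-key header when present."""
    return {"path": path, "client_ip": client_ip, "headers": {"x-api-key": api_key} if api_key else {}}

def demo():
    """Exercise each policy once; burst is 3 requests per client ip at 5 tokens/second."""
    clock, results = ManualClock(), {}
    gw = Gateway({"orders": orders_backend, "users": users_backend}, clock=clock)
    results["ok"] = gw.handle(req("/v1/orders", "key-mobile-123", "203.0.113.10"))      # ip A: 3 -> 2 tokens
    results["profile"] = gw.handle(req("/v1/profile", "key-mobile-123", "203.0.113.11"))
    results["forbidden"] = gw.handle(req("/v1/profile", "key-partner-456", "203.0.113.12"))
    results["no_key"] = gw.handle(req("/v1/orders", None, "203.0.113.13"))
    results["internal"] = gw.handle(req("/internal/admin", "key-mobile-123", "203.0.113.10"))  # A: 2 -> 1
    gw.handle(req("/v1/orders", "key-mobile-123", "203.0.113.10"))                      # A: 1 -> 0
    results["throttled"] = gw.handle(req("/v1/orders", "key-mobile-123", "203.0.113.10"))  # A: empty -> 429
    clock.t += 1.0                                                                      # refill to 3
    results["after_wait"] = gw.handle(req("/v1/orders", "key-mobile-123", "203.0.113.10"))
    return results

if __name__ == "__main__":
    for name, (status, headers, body) in demo().items():
        print(f"{name:>10}: {status} {headers} {body}")
```

Throttling is applied before routing and authentication on purpose: an attacker guessing keys or probing for hidden paths is slowed down by client address regardless of whether the credential is valid, and a 404 for the unrouted internal path gives the same answer as any other unknown URL. The field and header allowlists are the "transformation" step from the list above; adding a field to a backend's response does not expose it until the gateway's allowlist is updated as well.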

API Gateway products:

