API Gateway How-To: The Many Ways to Apply the Gateway Pattern

VMware Tanzu
September 1–2, 2021
springone.io
Shruti Iyer (shrutiyer), Alberto C. Ríos (@Albertoimpl)
Safe Harbor Statement
The following is intended to outline the general direction of VMware's offerings. It is intended for information
purposes only and may not be incorporated into any contract. Any information regarding pre-release of
VMware offerings, future updates or other planned modifications is subject to ongoing evaluation by
VMware and is subject to change. This information is provided without warranty of any kind, express or
implied, and is not a commitment to deliver any material, code, or functionality, and should not be relied
upon in making purchasing decisions regarding VMware's offerings. These purchasing decisions should only
be based on features currently available. The development, release, and timing of any features or
functionality described for VMware's offerings in this presentation remain at the sole discretion of VMware.
VMware has no obligation to update forward looking information in this presentation.
What is an API Gateway?
● Essentially a reverse proxy
● Single point of entry to simplify the experience
● Reduces the amount of duplication and variation in handling cross-cutting concerns
(Diagram: Client A and Client B → API gateway → Service A and Service B.)
Different forms of API Gateways
1. API management for existing APIs
2. Ingress for APIs and services
3. Application Modernization
4. Simplified Aggregated API
5. But with a Service Mesh!?
API Management for existing APIs
When publishing a set of APIs, concerns include:
● How are the customers using the APIs?
● Are there sufficient and correct security mechanisms in
place to restrict access?
● What should happen if parts of the system are down or
overloaded?
● If needed, how can I monetize the catalog of APIs?
API Management for existing APIs
Many APIs have to deal with a lot of responsibilities beyond business logic.
These responsibilities might include:
● Monitoring and collecting usage metrics
● Authorization, monitoring and revoking API access
● Implementing security flows
● Rate limiting
● Error handling
● Monetization
The reality is that every application carries all of these concerns itself.
API Management for existing APIs
(Diagram, before: Products, Customers and Billing each carry their own Security, Error Handling, Observability, ... . After: an API Management Gateway in front of Products, Customers and Billing carries Security, Error Handling, Observability, ... once.)
Move responsibilities from each service to an overarching gateway layer.
API Management for existing APIs
Use for:
● Implementing granular governance and security policies
● Managing cross-cutting concerns in one place
● Building a catalog of APIs for clients
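An added example, not code from this talk and not Spring Cloud Gateway: the move of responsibilities into one gateway layer, in Go on the standard library's reverse proxy (net/http/httputil). It covers the reverse-proxy definition from the start of the deck and four of the concerns listed above: authorization with revocation of API keys, per-key rate limiting (a fixed one-second window, the simplest limiter that shows the point), usage metering, and uniform error handling. Everything in it is assumed for the example: the X-API-Key header, path-prefix routing, the keys k1 and k2, the quota of two requests per second, and the two upstreams, which are constructed httptest servers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
	"time"
)

type Route struct{ Prefix string; Upstream *url.URL } // path prefix -> the service that owns it
type quota struct{ used int; windowStart time.Time }   // per-key fixed one-second window

// Gateway owns the cross-cutting state that would otherwise be copied into every
// service behind it: the key catalogue, per-key quotas and usage counters.
type Gateway struct {
	mu     sync.Mutex
	routes []Route
	active map[string]bool  // API key -> valid (false once revoked)
	quotas map[string]quota
	Usage  map[string]int   // API key -> requests forwarded (the metering input)
	limit  int              // requests per second, per key
	Now    func() time.Time // injectable clock
}

func NewGateway(routes []Route, keys []string, perSecond int) *Gateway {
	g := &Gateway{routes: routes, active: map[string]bool{}, quotas: map[string]quota{},
		Usage: map[string]int{}, limit: perSecond, Now: time.Now}
	for _, k := range keys {
		g.active[k] = true
	}
	return g
}

// Revoke disables a key at the gateway; nothing behind the gateway has to change.
func (g *Gateway) Revoke(key string) { g.mu.Lock(); g.active[key] = false; g.mu.Unlock() }

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	key := r.Header.Get("X-API-Key")
	g.mu.Lock()
	if !g.active[key] { // unknown and revoked keys get the same answer
		g.mu.Unlock()
		http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
		return
	}
	now, q := g.Now(), g.quotas[key]
	if now.Sub(q.windowStart) >= time.Second {
		q = quota{windowStart: now}
	}
	if q.used >= g.limit {
		g.mu.Unlock()
		http.Error(w, `{"error":"rate limited"}`, http.StatusTooManyRequests)
		return
	}
	q.used++
	g.quotas[key] = q
	g.mu.Unlock()
	for _, rt := range g.routes {
		if !strings.HasPrefix(r.URL.Path, rt.Prefix) {
			continue
		}
		g.mu.Lock(); g.Usage[key]++; g.mu.Unlock()
		r.Header.Del("X-API-Key") // a gateway concern; never forwarded upstream
		p := httputil.NewSingleHostReverseProxy(rt.Upstream)
		p.ErrorHandler = func(w http.ResponseWriter, _ *http.Request, _ error) { // one error shape for every service
			http.Error(w, `{"error":"upstream unavailable"}`, http.StatusBadGateway)
		}
		p.ServeHTTP(w, r)
		return
	}
	http.Error(w, `{"error":"no route"}`, http.StatusNotFound)
}

func call(gatewayURL, path, key string) int {
	req, _ := http.NewRequest(http.MethodGet, gatewayURL+path, nil)
	req.Header.Set("X-API-Key", key)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Demo puts two constructed upstreams behind the gateway with a frozen clock and a
// limit of 2 requests/second per key; it returns the status codes seen and k1's usage.
func Demo() ([]int, int) {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok ", r.URL.Path) })
	products, billing := httptest.NewServer(echo), httptest.NewServer(echo)
	defer products.Close()
	defer billing.Close()
	pu, _ := url.Parse(products.URL)
	bu, _ := url.Parse(billing.URL)
	gw := NewGateway([]Route{{"/products", pu}, {"/billing", bu}}, []string{"k1", "k2"}, 2)
	frozen := time.Now()
	gw.Now = func() time.Time { return frozen } // the window never rolls over during the demo
	srv := httptest.NewServer(gw)
	defer srv.Close()
	codes := []int{call(srv.URL, "/products/1", "k1"), call(srv.URL, "/billing/42", "k1")} // 200, 200
	codes = append(codes, call(srv.URL, "/products/1", "k1"))                               // 429: k1 spent its window
	gw.Revoke("k1")
	codes = append(codes, call(srv.URL, "/products/1", "k1"), call(srv.URL, "/products/1", ""), call(srv.URL, "/nowhere", "k2")) // 401, 401, 404
	return codes, gw.Usage["k1"]
}

func main() { fmt.Println(Demo()) }
```

Revoking a key or changing a quota touches only the gateway; the services behind it never learn about keys at all. Two details carry the security weight: unknown and revoked keys get the same 401, so the catalogue cannot be enumerated through the error code, and the key is deleted from the request before it is forwarded, so upstream access logs never contain it.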
Ingress for APIs and services
Managing all traffic entering your cluster of applications:
● Directing traffic to different environments
● Throttling
● Rate limiting
● Load balancing
● Maintaining high availability
Ingress for APIs and services
(Diagram: an Ingress Gateway for Traffic Management in front of Products (Instance 1, Instance 2), Billing (Instance 1, Instance 2) and Customers, applying Throttling, Global Rate Limiting and Load Balancing.)
Ingress for internal API sharing
(Diagram: External Users reach the Agent Frontend through External OIDC. The Agent Line of Business exposes an Agent API Gateway; the Fraud Line of Business exposes a Fraud API Gateway in front of the Fraud Detection Backend and the Fraud Data Services. Calls from one line of business into the other's gateway authenticate with Internal Client Certificates.)
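An added example, not code from the talk: the Internal Client Certificates edge of the diagram above, in Go. A hypothetical Fraud API Gateway terminates mutual TLS, completes the handshake only for certificates issued by an internal CA (the TLS layer's job), and then authorizes the route by the OU in the peer certificate (the gateway's job). The CA, the certificates, the OU names "agent" and "billing", and the /fraud/score route are all constructed for the example; the External OIDC path for end users is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// CA is the internal PKI that issues client certificates to lines of business (constructed here).
type CA struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

func NewCA(name string) *CA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}
}

// IssueClient issues a client certificate; the OU names the line of business.
func (c *CA) IssueClient(cn, ou string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, &key.PublicKey, c.Key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// NewFraudGateway starts a gateway that completes a TLS handshake only with clients
// certified by the internal CA, then authorizes each request by the peer's OU.
func NewFraudGateway(internal *CA, allowedOU string) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(internal.Cert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		peer := r.TLS.PeerCertificates[0] // present and chain-verified: the handshake required it
		for _, ou := range peer.Subject.OrganizationalUnit {
			if ou == allowedOU {
				fmt.Fprintf(w, "fraud score for caller %s", peer.Subject.CommonName)
				return
			}
		}
		http.Error(w, "forbidden: line of business not allowed", http.StatusForbidden)
	}))
	srv.TLS = &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert, // no cert, or cert from another CA: handshake fails
		ClientCAs:  pool,
		MinVersion: tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// Call makes one request with an optional client certificate and returns the HTTP
// status, or 0 when the gateway refused the TLS handshake.
func Call(srv *httptest.Server, cert *tls.Certificate) int {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	defer client.CloseIdleConnections()
	resp, err := client.Get(srv.URL + "/fraud/score")
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Demo returns the outcomes for: the agent LoB client, another LoB's client, a
// certificate with the right OU but from an untrusted CA, and no certificate at all.
func Demo() []int {
	internal, rogue := NewCA("internal-lob-ca"), NewCA("someone-elses-ca")
	agent := internal.IssueClient("agent-api-gateway", "agent")
	billing := internal.IssueClient("billing-batch", "billing")
	forged := rogue.IssueClient("agent-api-gateway", "agent")
	srv := NewFraudGateway(internal, "agent")
	defer srv.Close()
	return []int{Call(srv, &agent), Call(srv, &billing), Call(srv, &forged), Call(srv, nil)}
}

func main() { fmt.Println("agent, other LoB, forged, no cert:", Demo()) }
```

The four outcomes are 200, 403, 0 and 0. Authorizing on the OU rather than on "the handshake succeeded" is the point: every line of business holds a certificate from the same internal CA, so a completed handshake only proves "internal", not "allowed to call fraud scoring". The forged certificate carries the right OU and still never reaches the handler, because trust is anchored in the issuing CA, not in what the certificate says about itself.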
Ingress for APIs and services
Use for:
● Managing load balancing for
○ Staged rollouts
○ Canary deployments
○ A/B testing
● Rate limiting and throttling
● API sharing with different lines of business
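An added example, not from the talk, of three of the traffic-management decisions above in Go, with no network involved: choosing a stable or canary instance by a sticky hash (so one user does not flip between releases from request to request), bounding in-flight requests to a pool (throttling, with load shedding rather than queueing), and a global fixed-window rate limit counted across all clients. The user-N keys, the 10% canary split and the limits are assumed for the example.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"sync"
	"time"
)

// Backend is one instance of a service behind the ingress gateway.
type Backend struct{ Name, Version string }

// Pool splits one service's traffic between a stable and a canary release. The
// version is chosen by hashing a stickiness key (user or session id), so a user
// sees one version consistently; the instance within the chosen version is
// picked round robin.
type Pool struct {
	mu            sync.Mutex
	stable        []Backend // must be non-empty
	canary        []Backend
	canaryPercent int          // 0..100
	next          map[bool]int // round-robin cursor per version (true = canary)
}

func NewPool(stable, canary []Backend, canaryPercent int) *Pool {
	return &Pool{stable: stable, canary: canary, canaryPercent: canaryPercent, next: map[bool]int{}}
}

// Pick returns the instance for this request and whether it is a canary.
func (p *Pool) Pick(stickyKey string) (Backend, bool) {
	h := fnv.New32a()
	h.Write([]byte(stickyKey))
	isCanary := len(p.canary) > 0 && int(h.Sum32()%100) < p.canaryPercent
	set := p.stable
	if isCanary {
		set = p.canary
	}
	p.mu.Lock()
	defer p.mu.Unlock()
	b := set[p.next[isCanary]%len(set)]
	p.next[isCanary]++
	return b, isCanary
}

// Throttle bounds in-flight requests to a pool so one slow upstream cannot tie up
// every gateway worker.
type Throttle struct{ slots chan struct{} }

func NewThrottle(maxInFlight int) *Throttle { return &Throttle{slots: make(chan struct{}, maxInFlight)} }

// TryAcquire fails immediately when the pool is saturated; the caller answers 503.
func (t *Throttle) TryAcquire() bool {
	select {
	case t.slots <- struct{}{}:
		return true
	default:
		return false
	}
}

func (t *Throttle) Release() { <-t.slots }

// WindowLimiter is a global fixed-window rate limit counted across all clients
// together, which is what "global rate limiting" at the ingress means.
type WindowLimiter struct {
	mu           sync.Mutex
	limit, count int
	window       time.Duration
	start        time.Time
	Now          func() time.Time // injectable clock
}

func NewWindowLimiter(limit int, window time.Duration) *WindowLimiter {
	return &WindowLimiter{limit: limit, window: window, Now: time.Now}
}

func (l *WindowLimiter) Allow() bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if now := l.Now(); now.Sub(l.start) >= l.window {
		l.start, l.count = now, 0
	}
	if l.count >= l.limit {
		return false
	}
	l.count++
	return true
}

// CanaryShare routes n distinct sticky keys and returns how many landed on the
// canary, so the observed split can be checked against the configured percentage.
func CanaryShare(p *Pool, n int) int {
	hits := 0
	for i := 0; i < n; i++ {
		if _, canary := p.Pick(fmt.Sprintf("user-%d", i)); canary {
			hits++
		}
	}
	return hits
}

func main() {
	pool := NewPool([]Backend{{"products-1", "v1"}, {"products-2", "v1"}}, []Backend{{"products-canary", "v2"}}, 10)
	fmt.Printf("canary share over 1000 users: %d/1000\n", CanaryShare(pool, 1000))
	th, lim := NewThrottle(2), NewWindowLimiter(3, time.Second)
	fmt.Println("throttle admits:", th.TryAcquire(), th.TryAcquire(), th.TryAcquire())
	fmt.Println("global limit admits:", lim.Allow(), lim.Allow(), lim.Allow(), lim.Allow())
}
```

The hash makes the canary decision a property of the user, not of the request, which is what lets you roll a release back by setting canaryPercent to 0 without any user seeing the new version twice. The throttle refuses rather than queues: a queue in front of a slow upstream converts one slow service into a gateway-wide outage.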
Application Modernization
Moving from a Monolith to microservices
How can an API gateway help us split a monolith?
(Diagram: Client A and Client B call the Big Monolith directly.)
First, we add a gateway
(Diagram: Client A and Client B → API gateway → Big Monolith.)
Second, identify bounded contexts
(Diagram: behind the gateway, the Big Monolith now shows its bounded contexts: Products, Customers, Billing.)
Third, extract and decommission
(Diagram: the API gateway routes to the extracted Products, Customers and Billing services while the Big Monolith shrinks.)
And repeat 💸
(Diagram: Client A and Client B → API gateway → Products, Customers, Billing.)
Application modernization
Routing to services off-platform
(Diagram: Client A → API gateway inside the Kubernetes Cluster, next to Products, Customers, Billing and a Greenfield Service; the gateway forwards monolith requests to the Big Monolith on a Virtual Machine and external-service requests to an External Service outside the platform.)
Simplified Aggregated API
Simplifying a set of complex services into one API
(Diagram: four backends, each with its own protocol: Products (GraphQL), Customers (REST), Billing (gRPC), Catalog (SOAP); three clients: a Mobile Phone, a Web app and a Service Client. The slides first connect each client to every backend and its protocol, then place a Simplified Aggregated API between the clients and the backends so that each client speaks to one API.)
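An added example, not from the talk: the aggregation layer for the diagram above in Go, with the four protocols replaced by constructed in-memory functions that honour a context deadline (a real build would put a GraphQL query, a REST call, a gRPC stub and a SOAP client behind the same signatures). It shows the two properties an aggregated API has to get right: one time budget across the fan-out, with optional upstreams degrading the response rather than failing it, and a client-specific response shape that never copies fields the client must not see. The product, customer and price values are constructed.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"sync"
	"time"
)

// Each upstream speaks its own protocol (GraphQL, REST, gRPC, SOAP); behind the
// aggregator they are just functions that honour a context deadline.
type Upstreams struct {
	Product  func(ctx context.Context, id string) (Product, error)
	Customer func(ctx context.Context, id string) (Customer, error)
	Balance  func(ctx context.Context, id string) (int, error)
	Catalog  func(ctx context.Context, id string) (string, error)
}

type Product struct{ Name string; PriceCents, InternalCostCents int }
type Customer struct{ Email, Tier, TaxID string }

// MobileView is the client-specific shape. Fields the phone does not need
// (internal cost, tax id, email) are never copied in, so they cannot leak.
type MobileView struct {
	Product  string   `json:"product"`
	Price    string   `json:"price"`
	Tier     string   `json:"tier"`
	Owed     *int     `json:"owed_cents,omitempty"`
	Category string   `json:"category,omitempty"`
	Degraded []string `json:"degraded,omitempty"` // optional upstreams that failed or timed out
}

// Aggregate fans out to all four upstreams in parallel under one time budget.
// Product and customer are mandatory; billing and catalog are optional and only
// mark the response as degraded when they fail or exceed the budget.
func Aggregate(ctx context.Context, u Upstreams, productID, customerID string, budget time.Duration) (MobileView, error) {
	ctx, cancel := context.WithTimeout(ctx, budget)
	defer cancel()
	var wg sync.WaitGroup
	var mu sync.Mutex
	var view MobileView
	var fatal error
	// run performs one upstream call; the returned apply mutates view under the lock.
	run := func(name string, optional bool, call func() (func(), error)) {
		wg.Add(1)
		go func() {
			defer wg.Done()
			apply, err := call()
			mu.Lock()
			defer mu.Unlock()
			switch {
			case err == nil:
				apply()
			case optional:
				view.Degraded = append(view.Degraded, name)
			case fatal == nil:
				fatal = fmt.Errorf("%s: %w", name, err)
			}
		}()
	}
	run("product", false, func() (func(), error) {
		p, err := u.Product(ctx, productID)
		return func() { view.Product, view.Price = p.Name, fmt.Sprintf("%d.%02d", p.PriceCents/100, p.PriceCents%100) }, err
	})
	run("customer", false, func() (func(), error) {
		c, err := u.Customer(ctx, customerID)
		return func() { view.Tier = c.Tier }, err
	})
	run("billing", true, func() (func(), error) {
		owed, err := u.Balance(ctx, customerID)
		return func() { view.Owed = &owed }, err
	})
	run("catalog", true, func() (func(), error) {
		cat, err := u.Catalog(ctx, productID)
		return func() { view.Category = cat }, err
	})
	wg.Wait()
	if fatal != nil {
		return MobileView{}, fatal
	}
	sort.Strings(view.Degraded) // goroutine finishing order must not show in the response
	return view, nil
}

// FakeUpstreams are constructed in-memory stand-ins; catalogDelay makes the
// "SOAP" catalog slow so the time budget can be seen to work.
func FakeUpstreams(catalogDelay time.Duration) Upstreams {
	return Upstreams{
		Product: func(_ context.Context, _ string) (Product, error) {
			return Product{Name: "Widget", PriceCents: 1999, InternalCostCents: 700}, nil
		},
		Customer: func(_ context.Context, id string) (Customer, error) {
			if id != "c-1" {
				return Customer{}, errors.New("customer not found")
			}
			return Customer{Email: "a@example.com", Tier: "gold", TaxID: "do-not-expose"}, nil
		},
		Balance: func(_ context.Context, _ string) (int, error) { return 1250, nil },
		Catalog: func(ctx context.Context, _ string) (string, error) {
			select {
			case <-time.After(catalogDelay):
				return "electronics", nil
			case <-ctx.Done():
				return "", ctx.Err()
			}
		},
	}
}

func main() {
	v, err := Aggregate(context.Background(), FakeUpstreams(500*time.Millisecond), "p-1", "c-1", 50*time.Millisecond)
	out, _ := json.Marshal(v)
	fmt.Println(string(out), err)
}
```

With a slow catalog and a 50 ms budget the response still comes back within the budget, with "degraded": ["catalog"] and no category; a failure of a mandatory upstream fails the whole request instead. The view struct is the security boundary here: the phone never receives the internal cost or the tax id because the aggregator only ever copies the fields it declares.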
But with a Service Mesh!?
Service mesh is for east-west traffic (between services inside your network).
Gateway is for north-south traffic (making services available externally to clients).
(Diagram: API Gateway at the edge, in front of Services joined by a Service Mesh.)
What can a Service Mesh do?
● Establish service-to-service
communication
● Security flows like user
authentication, mTLS, service
RBAC
● Observability
● Rate limiting
Lots of overlap with a
gateway’s capabilities!
A Service Mesh vs A Gateway
(Diagram: a Service Mesh, where every Service has its own Sidecar Proxy.)
(Diagram: an API Gateway in front of the Services; the Common Concerns ... are shared by both.)
When to use a Service Mesh vs a Gateway?
API Gateway:
● Caters to the services' need for routing traffic, handling security and collecting metrics
● Handles edge routing and controls what traffic comes in and out of the cluster
● Provides a stable API interface to clients outside the boundary
Service Mesh:
● Decoupled; remains in a separate abstraction layer while catering to the set of APIs/services connected to it
● Handles communication between services, hosts and ports (east-west traffic)
● Concerned with implementing L7 network boundaries and policies, but not the API (as a product) boundary
Closing thoughts
● Discussed different patterns
○ API management for existing APIs
○ Ingress for APIs and services
○ Application Modernization
○ Simplified Aggregated API
○ But with a Service Mesh!?
● Start simple and use patterns as need arises
● Gather design ideas for your new or existing gateway and have fun!
References/Additional Interesting Reads
- Time to strangle your Monolith to Microservices
https://medium.com/@manisht/strangle-that-monolith-the-strangler-pattern-40c9eeb94402
- Secure Reactive Microservices with Spring Cloud Gateway
https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway
- Backends For Frontends
https://samnewman.io/patterns/architectural/bff/#intro
- API Gateways Are Going Through an Identity Crisis
https://blog.christianposta.com/microservices/api-gateways-are-going-through-an-identity-crisis/
- Seamlessly Swapping the API backend of the Netflix Android app
https://netflixtechblog.com/seamlessly-swapping-the-api-backend-of-the-netflix-android-app-3d4317155187
- Do I Need an API Gateway if I Use a Service Mesh?
https://blog.christianposta.com/microservices/do-i-need-an-api-gateway-if-i-have-a-service-mesh/
Any questions? #springone @SpringOne
Thank you!
Shruti Iyer, Alberto C. Ríos (@Albertoimpl)