This presentation illustrates the common issues that arise when an API is made publicly available, how an API gateway can be used to enhance security, and how an API gateway can also improve performance.
2. Terminologies
• Service: The unit or part of a piece of software that performs a specific operation or task.
• Microservice: A software development technique that structures an application as a collection of fine-grained services. These services are:
  – Loosely coupled with each other.
  – Self-contained.
3. Terminologies (cont.)
• API: An API is a set of definitions and protocols for building and integrating application software. An API is used to:
  – Expose its services to other applications or services.
  – Provide different methods (POST, GET, UPDATE, etc.) to accomplish the desired operations.
4. API Endpoints & Accessing Criteria
[Slide diagram: the sample endpoints /home, /wallpaper/list, /wallpaper/details?id={id} and /product/list, arranged in groups 1 to 3 with their access criteria (Authentication, Authorization, SSL Certificate), and the note "Business logic is defined in all the API endpoints".]
A few sample API endpoints are defined here; in order to consume them:
• Group #1 can be accessed directly.
• Group #2 requires authentication.
• Group #3 needs both authentication and authorization.
• All the APIs are secured using an SSL certificate.
5. Conventional Way of API Consumption
[Slide diagram: consumers calling the four endpoints /home, /wallpaper/list, /wallpaper/details?id={id} and /product/list directly; each endpoint contains its own business logic.]
Four endpoints are available here. Different users, from Android phones, iPhones or web browsers, access the API directly. Authentication, authorization or both need to be ensured before an API is called by the consumer.
6. Conventional Way of API Consumption (cont.)
[Slide diagram: four numbered API calls (1 to 4) made by the consumer.]
To accomplish a single task, four API calls are performed here.
7. Issues of Conventional Calling
When the API is accessed directly by known and unknown consumers, the following security issues arise:
• The API is publicly exposed.
• It is easier for an attacker to work out the business logic.
8. Issues of Conventional Calling (cont.)
If multiple API calls, and aggregation of their results, are required to accomplish a single task in the frontend application, this leads to:
• Higher latency.
• Slower performance.
9. Issues of Conventional Calling (cont.)
Where authentication and/or authorization is required, security needs to be ensured for all the associated APIs. Consequently, along with the business logic, it is essential to include three additional components for each defined API:
1. Authentication.
2. Authorization based on user roles.
3. SSL certificates and their rotation.
10. Target
The intention of these slides is to separate the three additional components from the business logic into a separate component called the API Gateway: a software component that acts as the entry point through which consumers access the APIs. It is essentially a new microservice, a middle layer between the consumers and the APIs.
11. API Gateway Components
[Slide diagram: the API Gateway contains a Security component (Authentication, Authorization) followed by Forward Request.]
After the required criteria of the target API are satisfied, the request is forwarded.
12. API Gateway as Middle Layer
[Slide diagram: mobile and web applications exchange requests and responses with the API Gateway, which sits in front of the APIs.]
The API gateway is a reverse proxy.
13. Gateway Ensures Security
[Slide diagram: the gateway exposes the only public IP; the services behind it use private IPs inside a secured network.]
Only the gateway's single public IP is reachable by the consumer, which enhances security.
14. Gateway Lowers the Latency
[Slide diagram: one request from the consumer to the gateway fans out to services 1, 2 and 3; Response = Data 1 + Data 2 + Data 3.]
Latency is reduced as follows:
1. The frontend application sends one request to the API gateway.
2. The gateway collects data from multiple services, aggregates it and finally sends it to the consumer.
3. A view model or an adapter at the gateway holds the aggregated data (the response) to send back to the consumer.
4. The request-response round trip therefore has lower latency.
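The fan-out in steps 1 to 4, as an added example that is not code from the slides: the gateway calls every service concurrently, waits up to a deadline, and assembles one response. The upstreams are constructed callables standing in for HTTP calls to the services' private addresses; `slow_upstream` and `failing_upstream` are stand-ins of my own.

```python
import time
from concurrent.futures import ThreadPoolExecutor, wait
from typing import Any, Callable, Dict

# An upstream is whatever the gateway calls to reach one microservice; here a
# plain callable stands in for an HTTP request to a private-address service.
Upstream = Callable[[], Dict[str, Any]]
UPSTREAM_ERROR = {"error": "upstream unavailable"}


def aggregate(upstreams: Dict[str, Upstream], timeout: float) -> Dict[str, Any]:
    """Call every upstream concurrently and build the single response the slide
    calls 'Data 1 + Data 2 + Data 3'. The consumer waits at most `timeout`
    seconds; an upstream that fails or misses the deadline is replaced by an
    error marker so one dependency cannot stall or fail the combined response."""
    pool = ThreadPoolExecutor(max_workers=max(1, len(upstreams)))
    futures = {name: pool.submit(call) for name, call in upstreams.items()}
    wait(futures.values(), timeout=timeout)
    pool.shutdown(wait=False)  # do not let a straggler hold the consumer's response
    response: Dict[str, Any] = {}
    for name, fut in futures.items():
        if fut.done() and fut.exception() is None:
            response[name] = fut.result()
        else:
            response[name] = dict(UPSTREAM_ERROR)
    return response


def slow_upstream(delay: float, payload: Dict[str, Any]) -> Upstream:
    """Constructed upstream that answers `payload` after `delay` seconds."""
    def call() -> Dict[str, Any]:
        time.sleep(delay)
        return payload
    return call


def failing_upstream() -> Dict[str, Any]:
    """Constructed upstream that fails the way a refused connection would."""
    raise ConnectionError("connection refused")


if __name__ == "__main__":
    services = {
        "wallpapers": slow_upstream(0.05, {"items": [1, 2]}),
        "details": slow_upstream(0.10, {"id": 7, "title": "dunes"}),
        "products": slow_upstream(3.0, {"products": []}),  # stalled service
        "inventory": failing_upstream,
    }
    print(aggregate(services, timeout=0.5))
```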
15. Gateway Authentication and Authorization
Without a gateway, authentication and authorization need to be ensured in every API, so a lot of duplicate code has to be written in each API alongside the business logic. The gateway ensures that this integration happens in a single place.
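Centralising the checks, as an added example that is not code from the slides: one `authorize` function in the gateway applies the three access groups from slide 4 to every route, so no microservice carries its own copy. The endpoint-to-group mapping, the role names and the `TOKENS` store are assumptions for this example.

```python
from http import HTTPStatus
from typing import Optional
from urllib.parse import urlsplit

PUBLIC, AUTH, AUTH_ROLE = 1, 2, 3  # the three access groups from the slides

# Route policy table: path -> (group, roles allowed when the group is AUTH_ROLE).
# Which path belongs to which group is an assumption for this example; the
# slides only show the four paths and the three groups.
POLICIES = {
    "/home": (PUBLIC, frozenset()),
    "/wallpaper/list": (AUTH, frozenset()),
    "/wallpaper/details": (AUTH, frozenset()),
    "/product/list": (AUTH_ROLE, frozenset({"admin"})),
}

# Constructed stand-in for the identity provider: bearer token -> role.
TOKENS = {"tok-alice": "customer", "tok-bob": "admin"}


def authenticate(auth_header: Optional[str]) -> Optional[str]:
    """Return the caller's role for a valid 'Bearer <token>' header, else None."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return TOKENS.get(token)


def authorize(raw_path: str, auth_header: Optional[str] = None) -> HTTPStatus:
    """The gateway's single enforcement point. Returns the status the gateway
    answers with; HTTPStatus.OK means 'forward the request to the microservice'."""
    path = urlsplit(raw_path).path  # policy keys ignore the query string
    if path not in POLICIES:
        return HTTPStatus.NOT_FOUND  # unknown routes are never forwarded upstream
    group, roles = POLICIES[path]
    if group == PUBLIC:
        return HTTPStatus.OK
    role = authenticate(auth_header)
    if role is None:
        return HTTPStatus.UNAUTHORIZED  # missing or bad credential (groups 2 and 3)
    if group == AUTH_ROLE and role not in roles:
        return HTTPStatus.FORBIDDEN  # authenticated but lacks the role (group 3)
    return HTTPStatus.OK


if __name__ == "__main__":
    for path, header in [("/home", None), ("/wallpaper/details?id=7", None),
                         ("/product/list", "Bearer tok-alice"),
                         ("/product/list", "Bearer tok-bob")]:
        print(f"{path:30} {header!s:18} -> {authorize(path, header)}")
```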
16. Gateway Makes Service Discovery Easier
1. The API definition is exposed to the gateway only.
2. If the API definition changes, only the gateway needs to change. This keeps the coupling with the different consumers loose.
3. Service discovery is integrated via the gateway.
17. Response Caching at Gateway
1. Response caching can be implemented at the gateway as a cross-cutting concern.
2. This keeps the code within the microservices clean.
3. For a repeated request, the API gateway sends the response from its cache rather than calling the services again.
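Caching as a cross-cutting concern, as an added example that is not code from the slides: a small TTL cache in front of the services, with the caveat a gateway must honour, that a response generated for an authenticated user is never replayed to another consumer. `CountingUpstream` is a constructed stand-in for a microservice.

```python
import threading
import time
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]  # (status, body): the minimum the gateway must replay


class ResponseCache:
    """Serve a repeated request from the gateway instead of calling the service.

    Only successful GET responses on public routes are stored. A response
    produced for an authenticated user must never be replayed to another
    consumer, so private routes bypass the cache here (a fuller design would
    key them by user identity instead). The key keeps the query string, since
    /wallpaper/details?id=1 and ?id=2 are different resources."""

    def __init__(self, ttl: float, clock: Callable[[], float] = time.monotonic):
        self.ttl, self.clock = ttl, clock  # clock is injectable for testing
        self._entries: Dict[str, Tuple[float, Response]] = {}
        self._lock = threading.Lock()
        self.hits = self.misses = 0

    def get(self, method: str, path_and_query: str, public: bool,
            fetch: Callable[[], Response]) -> Response:
        if method != "GET" or not public:
            return fetch()  # never cache writes or per-user responses
        key = f"{method} {path_and_query}"
        with self._lock:
            entry = self._entries.get(key)
            if entry and self.clock() < entry[0]:
                self.hits += 1
                return entry[1]
            self.misses += 1
        resp = fetch()  # call the microservice outside the lock
        if resp[0] == 200:
            with self._lock:
                self._entries[key] = (self.clock() + self.ttl, resp)
        return resp


class CountingUpstream:
    """Constructed stand-in for a microservice that records how often it is called."""

    def __init__(self, body: str):
        self.body, self.calls = body, 0

    def __call__(self) -> Response:
        self.calls += 1
        return (200, self.body)
```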
18. Different Types of Protocols
[Slide diagram: clients speaking WebSocket, HTTP/1 and HTTP/2 to the gateway, which reaches the microservices over HTTP/1 or HTTP/2.]
Client protocols that a microservice does not support are handled by the gateway, which translates the request to reach the right microservice.
19. Other Facilities of Gateway
1. A retry or circuit-breaker policy can be implemented for failures to get a response from a microservice.
2. API access limits can be enforced at the gateway, rejecting repeated requests beyond a threshold number of connections within a certain period.
3. The gateway can work as a load balancer to handle multiple requests.
4. An event logger can be integrated at the gateway.
5. Query transformation is accomplished at the gateway.
6. White-listed and black-listed IPs are handled at the gateway.
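Items 2 and 6 as an added example that is not code from the slides: a fixed-window quota per client and a CIDR deny list, both evaluated at the gateway before anything reaches a microservice. `EdgePolicy` is a name of my own, and the client address is assumed to come from the accepted connection rather than from a header the client controls.

```python
import ipaddress
import threading
import time
from typing import Callable, Dict, Iterable


class EdgePolicy:
    """Reject blocked or abusive clients at the gateway so no microservice sees
    the excess traffic. client_ip must be the peer address of the accepted
    connection (or one taken from a header set by a trusted proxy), never a
    value the client can choose, or the deny list and quota are avoided by
    spoofing it."""

    def __init__(self, limit: int, window: float, denied_cidrs: Iterable[str] = (),
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.denied = [ipaddress.ip_network(c, strict=False) for c in denied_cidrs]
        self._count: Dict[str, int] = {}
        self._reset_at: Dict[str, float] = {}
        self._lock = threading.Lock()

    def check(self, client_ip: str) -> int:
        """Return the status the gateway answers with: 200 forward, 400 unparseable
        address, 403 deny-listed, 429 over this window's quota."""
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return 400  # never let a malformed address slip past the deny list
        if any(ip in net for net in self.denied):
            return 403
        with self._lock:
            now = self.clock()
            if now >= self._reset_at.get(client_ip, 0.0):  # first request or window over
                self._count[client_ip] = 0
                self._reset_at[client_ip] = now + self.window
            if self._count[client_ip] >= self.limit:
                return 429
            self._count[client_ip] += 1
        return 200


if __name__ == "__main__":
    policy = EdgePolicy(limit=3, window=60.0, denied_cidrs=["10.0.0.0/8"])
    for addr in ["10.1.2.3", "203.0.113.7", "203.0.113.7", "203.0.113.7", "203.0.113.7"]:
        print(addr, "->", policy.check(addr))
```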
20. Drawbacks of API Gateway
The gateway is a single entry point, so if it fails, the entire application stops working. To avoid gateway failure:
1. Multiple gateway instances need to be deployed to keep it available 24x7.
2. A load balancer can be used to distribute requests across the different instances.