Deploy and Secure Your API Gateway with NGINX
FROM ZERO TO HERO
Scott van Kalken
Solution Architect
November 17, 2021
| ©2021 F5 | NGINX SPRINT APAC 2.1
Scott van Kalken
Everyone just calls me svk (it’s easier)
Interested in devops and application testing.
Super passionate about open source (not just software, but data too)
I have the privilege of helping run a few meetups.
Table of contents
• What is a (REST) API?
• API essentials – what do users and owners want?
• What are API Gateways and how do they help deliver mission-critical digital experiences?
• Deploying NGINX as an API Gateway
• Securing an API Gateway using NGINX App Protect WAF
What is a (REST) API?
API endpoint
EASY TO CONSUME DATA
Developers provide dedicated URLs that are optimized to return pure data to requesting clients.
Web client → Web server → Request returns HTML
API client → API Endpoint → Request returns data
Components of an API request
a) API endpoint (URL)
b) API method
c) Request body (if sending a POST/PUT request)
d) API client -> curl, Postman, client application, etc…
Anatomy of an API call
API Client → Internet → API(s)
$ curl -s -X GET https://pokeapi.co/api/v2/pokemon/ditto | jq '.types'
[
{
"slot": 1,
"type": {
"name": "normal",
"url": "https://pokeapi.co/api/v2/type/1/"
}
}
]
$ curl -sI https://pokeapi.co/api/v2/pokemon/ditto
HTTP/2 200
date: Wed, 06 Oct 2021 16:06:01 GMT
content-type: application/json; charset=utf-8
API Essentials
What do users and owners want?
APIS ARE EXPERIENCING EXPLOSIVE GROWTH
The rise of APIs
Drivers for API Adoption
Ease access to information
• Break down silos and unlock data (within and among organizations)
• Increase collaboration amongst developers
Create new digital revenue streams
• New opportunities to generate revenue
• Build partnerships with third-party developers and business ecosystem
Connect microservices
• Primary interface for communication amongst microservices
API essentials
USERS / CONSUMER
• Documentation
• Ease of use
• Low latency
• Security
API essentials
OWNERS
• Developer productivity
• Revenue growth
• Customer experience
• Brand protection
API Gateways
How do they help deliver mission-critical digital experiences?
AUTHENTICATION
REQUEST ROUTING
TRAFFIC CONTROL
EXCEPTION HANDLING
Anatomy of an API call
API Client → Internet / WAN → API Gateway → API(s)
API gateway essentials
CONTROL ACCESS TO YOUR APIS
• Centralized logging
• Client authentication
• Fine-grained access control
• Load balancing
• Rate limiting
• Request routing
• Request/response manipulation
• Service discovery of backends
• TLS termination
API gateway essentials
PERFORMANCE IS KEY
30 ms at p99 latency to process an API request end-to-end: to route, shape, authenticate, secure, and cache an API.
NGINX Plus as an API Gateway
30% of NGINX deployments are as an API Gateway
Source: NGINX User Survey 2020
What makes NGINX API Gateways special?
ACCESS YOUR APIS IN LESS THAN 30 MS EVEN WHEN USING AN API GATEWAY
NGINX API gateway
KEY STRENGTHS
• High performance for real-time APIs
• DevOps friendly
• Platform flexibility
• Distributed environments
Authentication options at the API gateway
• HTTP basic
• Client cert
• JWT (NGINX Plus)
• API key
API Security
FORRESTER’S STATE OF APPLICATION SECURITY REPORT 2021
Bridging the Gap Between Security and Dev
• “The continuous growth in open source usage”
• “A substantial increase in security research, resulting in a rise in the number of reported security issues including a high number of API vulnerabilities”
• “The growing popularity of containerized environments, which suffer from a high volume of code and configuration issues”
Source: https://www.whitesourcesoftware.com/resources/blog/forresters-state-of-application-security-2021-key-takeaways/
Demo Time
In conclusion…
Step 1 – APIs
Step 2 – custom error messages
Step 3 – add URI request routing
Step 4 – add rate limiting
Step 5 – static API key
Step 6 – JWT
Step 7 – input validation
Step 8 – Web Application Firewall
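The eight steps above, the "Authentication options" slide (API key, JWT) and the "API gateway essentials" list (TLS termination, request routing, rate limiting) can all be shown in one gateway configuration. The block below is an added example written for this page; it is not configuration from the deck, the demo or the NGINX blog series it links to. The hostname, certificate paths, backend ports, API keys, JWK file path and URI prefixes are constructed placeholders. The JWT step needs NGINX Plus (auth_jwt); the WAF step needs the NGINX App Protect module and is left commented out so the rest loads on open source NGINX.

```nginx
# Added example, not the deck's own config. All names, keys and paths are placeholders.

# Step 4 - rate limiting: 10 requests/second per client address, shared across workers.
limit_req_zone $binary_remote_addr zone=api_clients:10m rate=10r/s;

# Step 5 - static API keys: map the "apikey" request header to a client name.
# An empty result means "key not recognised" and is rejected in the location block.
map $http_apikey $api_client_name {
    default "";
    "7B5zIqmRGXmrJTFmKa99vcit"   "client_one";   # constructed sample key
    "QzVV6y1EmQFbbxOfRCwyJs35"   "client_two";   # constructed sample key
}

# Backends behind the gateway (load balancing across two placeholder instances).
upstream warehouse_api {
    zone warehouse_api 64k;
    server 127.0.0.1:10001;
    server 127.0.0.1:10002;
}

server {
    # TLS termination at the gateway; backends are reached over plain HTTP internally.
    listen 443 ssl;
    server_name api.example.com;                              # placeholder
    ssl_certificate     /etc/ssl/certs/api.example.com.crt;   # placeholder
    ssl_certificate_key /etc/ssl/private/api.example.com.key; # placeholder

    # Step 8 - WAF: enable NGINX App Protect when the module is loaded.
    # app_protect_enable on;
    # app_protect_policy_file /etc/app_protect/conf/NginxDefaultPolicy.json;  # placeholder

    # Step 2 - custom error messages: API clients get JSON, never an HTML error page.
    default_type application/json;
    error_page 400 = @400;  error_page 401 = @401;  error_page 403 = @403;
    error_page 404 = @404;  error_page 405 = @405;  error_page 429 = @429;
    location @400 { return 400 '{"status":400,"message":"Bad request"}\n'; }
    location @401 { return 401 '{"status":401,"message":"Unauthorized"}\n'; }
    location @403 { return 403 '{"status":403,"message":"Forbidden"}\n'; }
    location @404 { return 404 '{"status":404,"message":"Resource not found"}\n'; }
    location @405 { return 405 '{"status":405,"message":"Method not allowed"}\n'; }
    location @429 { return 429 '{"status":429,"message":"Too many requests"}\n'; }

    # Step 3 - URI request routing: only published API paths are forwarded.
    # Step 1/5 - this API is protected by a static API key.
    location /api/warehouse/inventory/ {
        limit_req zone=api_clients burst=20 nodelay;
        limit_req_status 429;

        if ($http_apikey = "")     { return 401; }   # no key presented
        if ($api_client_name = "") { return 403; }   # key not in the map

        # Step 7 - input validation: restrict methods and cap request body size.
        limit_except GET POST { deny all; }
        client_max_body_size 16k;

        proxy_pass http://warehouse_api;
    }

    # Step 6 - JWT (NGINX Plus): a second API that requires a signed token.
    location /api/warehouse/pricing/ {
        limit_req zone=api_clients burst=20 nodelay;
        limit_req_status 429;

        auth_jwt "Warehouse API";
        auth_jwt_key_file /etc/nginx/api_secret.jwk;   # placeholder JWK set

        limit_except GET { deny all; }
        proxy_pass http://warehouse_api;
    }

    # Everything outside the published API surface is not found.
    location / { return 404; }
}
```

The ordering matters for the error-message step: because every rejection (missing key, unknown key, rate limit, disallowed method, unknown path) is turned into a named location that returns JSON, a client never has to parse an HTML body to learn why a call failed, and the gateway's logs record the same status codes the client sees.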
Resources
FIND OUT MORE!
https://www.nginx.com/resources/library/nginx-api-gateway-deployment
https://www.nginx.com/blog/deploying-nginx-plus-as-an-api-gateway-part-1/
Check out NGINX Plus and NGINX App Protect!
DEPLOY AND SECURE YOUR API GATEWAY WITH NGINX’S FREE TRIAL -> https://www.nginx.com/free-trial-request/
Q&A