API Gateway

API Gateway Definition

An application programming interface (API) gateway is a tool for API management.

An API gateway acts as a reverse proxy, sitting between a collection of backend services and a client. In this role, the API gateway accepts API calls; fulfills them by aggregating the various required services; and returns the correct results.

At the enterprise level, most APIs are deployed behind an API gateway. The gateway handles cross-cutting tasks for all API services in a system, such as rate limiting and user authentication, so that each backend service does not have to reimplement them. Centralizing these tasks also reduces errors and simplifies client code, which makes mobile application development more efficient.

API Gateway FAQs

What is an API Gateway?

An API gateway accepts client API requests and directs them to the appropriate microservices through request routing, composition, and protocol translation. The client sees a single synchronous response, even when several internal calls were made to produce it.


Typically an API gateway handles a request by invoking multiple microservices and aggregating their results into one response. It also serves as a bridge between the web-unfriendly protocols used internally and the web protocols that clients understand.

For example, an e-commerce site might use an API gateway to invoke and combine the results from various services, such as reviews and product info, to provide a more seamless shopping experience for users on mobile and web applications. More specifically, it might use the API gateway to let mobile clients retrieve all product details with a single request to one endpoint.

How Does an API Gateway Work?

The gateway is the single entry point that sits in front of an API. It enforces API security for microservices (which can be both internal and external) and for defined back-end APIs, and it can also contribute to high availability and scalability by distributing requests across service instances.

An API gateway decouples the backend implementation from the client interface on the server side: it determines which services are needed to respond to a client request and combines their responses into one seamless, unified result. The gateway receives a client request, breaks it down into multiple, more manageable tasks, routes those to the appropriate services, and tracks the responses produced before replying to the client.
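The routing, fan-out and aggregation described above, and the e-commerce "product details in one request" case from the previous section, as an added example that is not code from the original page. The product and reviews backends are constructed stubs, the internal hostname in the simulated failure is an assumption, and the point of the error handling is that internal detail goes to the gateway log, never to the client:

```python
"""Minimal in-process API gateway: path routing, fan-out aggregation,
and sanitised error responses. Added illustration; the backends are
constructed stubs for a product service and a reviews service.
"""
from typing import Any, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, Any]]


class BackendError(Exception):
    """Simulates a transport-level failure when calling an internal service."""


# Constructed catalogue; a real product service would be an HTTP or gRPC call.
_CATALOGUE = {
    "42": {"id": "42", "name": "Widget", "price_cents": 1999},
    "7": {"id": "7", "name": "Gadget", "price_cents": 4999},
}


def product_service(product_id: str) -> Dict[str, Any]:
    """Stub product-info microservice. Raises KeyError for unknown ids."""
    return _CATALOGUE[product_id]


def reviews_service(product_id: str) -> Dict[str, Any]:
    """Stub reviews microservice that is 'down' for every product except 42."""
    if product_id == "42":
        return {"count": 2, "average": 4.5}
    # Assumed internal hostname: this detail belongs in the gateway log only.
    raise BackendError("connect to reviews-svc.internal:8443: connection refused")


class Gateway:
    """Routes client requests, composes backend calls, and hides internals."""

    def __init__(self) -> None:
        self.log: List[str] = []  # stands in for the gateway's audit/error log

    def handle(self, method: str, path: str) -> Response:
        """Handle one client request and return (status, JSON body)."""
        if method != "GET":
            return 405, {"error": "method not allowed"}
        parts = path.strip("/").split("/")
        # Only the public route table is reachable; internal services have no
        # client-facing URL of their own.
        if len(parts) == 2 and parts[0] == "products":
            return self._product_details(parts[1])
        return 404, {"error": "not found"}

    def _product_details(self, product_id: str) -> Response:
        """Aggregate product info and reviews into one client response."""
        try:
            product = product_service(product_id)
        except KeyError:
            return 404, {"error": "not found"}
        except Exception as exc:  # product info is required: fail the call
            self.log.append(f"product-svc failed for {product_id}: {exc}")
            return 502, {"error": "upstream unavailable"}

        # Reviews are optional: degrade gracefully instead of failing the
        # whole request, and keep the failure detail out of the response.
        reviews: Optional[Dict[str, Any]]
        try:
            reviews = reviews_service(product_id)
        except Exception as exc:
            self.log.append(f"reviews-svc failed for {product_id}: {exc}")
            reviews = None

        return 200, {"product": product, "reviews": reviews}


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("GET", "/products/42"))
    print(gw.handle("GET", "/products/7"))  # reviews degraded, detail logged
    print(gw.log)
```

The client gets one response per request regardless of how many backends were called, unknown paths return a generic 404 rather than revealing which internal services exist, and a failing non-critical backend degrades the response instead of failing it.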

What is API Gateway Swagger?

Swagger is an interface description language: a specification, or set of rules, for a format that describes RESTful APIs in JSON or YAML. (Swagger 2.0 was donated to the Linux Foundation and renamed the OpenAPI Specification; the tooling keeps the Swagger name.) The format is both human-readable and machine-readable, so developers, testers, and product managers can use it to share API gateway documentation, and various tools can use it to automate API processes.


Developers use Swagger along with various other open source tools and software to design, document, build, test, and consume RESTful web services. Swagger tooling includes test-case and code generation as well as automated documentation.

Amazon API Gateway (the AWS API gateway service) supports importing and exporting API definitions in the Swagger/OpenAPI format.

API Proxy vs API Gateway

Both an API gateway and an API proxy provide access to backend services. An API gateway can serve as a simple API proxy, but an API proxy cannot replace the broader feature set of a gateway, particularly around monitoring and API security (authentication, rate limiting, and request validation).


API Gateway vs Load Balancer

Load balancers spread demand across multiple resources. Their traditional home is the horizontally scaled infrastructure cluster, where they distribute requests among replicas. Such clusters exist because a single server lacks the capacity to handle all the demand, so the system is replicated across multiple servers. Load balancers are also used in cloud architectures to decouple clients from services.


An API gateway can also balance and smooth out network traffic, but not in the same way a load balancer does. Instead of distributing requests evenly across a cluster of identical servers, the gateway is configured to direct each request to a specific backend resource based on the requested endpoint; this is API gateway traffic management.

The API gateway also serves its own critical purpose in microservices architectures. It routes each request to the appropriate backend service on demand and lets teams map multiple services onto a single set of HTTP endpoints that clients connect to. The two are complementary: a load balancer commonly sits in front of a pool of gateway instances, and gateways often load-balance across the instances of each backend service.

Why Use an API Gateway?

An API gateway platform is a critical piece of API security for several reasons.

Prevents unnecessary exposure. An API gateway separates internal microservice APIs from external public APIs, so teams can change boundaries and add microservices behind it. This lets them gradually adjust and improve microservices without negatively affecting external clients. By providing a single point of entry for all microservices, it also hides versioning and service discovery details from the client.

Enhances microservices security. Microservices behind an API gateway gain an additional layer of protection from API attack vectors such as XML parser exploits, SQL injection, and denial-of-service (DoS) attacks, provided the gateway is actually configured to validate payloads and throttle traffic; a gateway that merely forwards requests adds no such protection. This enhanced security is among the most important benefits of API gateways.

Supports mixed communication protocols. Internal services may use AMQP, gRPC with Protocol Buffers, JSON-RPC, SOAP, or XML-RPC. Although internal microservices may benefit from using different protocols, external-facing APIs typically offer just a REST- or HTTP-based API. With an API gateway, teams can select the protocols that best suit the internal architecture, and the gateway provides a unified, external REST-based API across them.

Reduces complexity. Microservices share common concerns that would otherwise have to be developed and implemented per service: access control enforcement, API gateway authorization using tokens (also called API gateway token validation), and rate limiting. An API gateway takes over these cross-cutting concerns so that each microservice handles just its own business logic.

Enables virtualization and mocking. Because the gateway separates the external API from the microservice APIs, a team can virtualize and mock services to assist in API gateway service integration testing or to validate design requirements before the real service exists.

Who Uses API Gateways?

API developers and app developers both work with API gateways. API developers create APIs and deploy them to the gateway to obtain the functionality they require. An app developer, the API developer's customer, uses a REST or WebSocket API exposed through the gateway by the API developer to call services.

How an API Gateway Supports API Security

There are several API gateway security best practices to keep in mind. Following them makes it easier to secure APIs and avoid security risks, which is one of the main benefits of using API gateways.

Use encryption. No communication, internal or external, should remain unencrypted. Protect all exchanges with current TLS versions (TLS 1.2 at minimum, preferably TLS 1.3), using either standard one-way TLS or, ideally, mutual (two-way) TLS between the gateway and backend services and for high-value clients.

API gateway authentication. Never expose an API anonymously. At minimum, require an API key or HTTP basic authentication (username/password) so that every caller is identified and access can be limited. Both are shared secrets sent with every request, so they only limit who can call the API for as long as they stay secret: send them only over TLS, rotate them, and prefer token-based authentication for anything sensitive.

Use OAuth and OpenID Connect. Use OAuth 2.0, a widely used delegation protocol, to convey authorizations, and OpenID Connect, which extends OAuth 2.0 with ID tokens, for API gateway authentication. This lets the API provider delegate authorization to an authorization server: users present tokens issued by that server rather than their credentials. API gateway token validation is preferable because the API provider need not store users' credentials, and consumers keep their credentials private. The gateway should verify each token's signature, issuer, audience, and expiry before forwarding the request.
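The token validation a gateway performs on each request, as an added example that is not code from the original page. Real OAuth 2.0 / OpenID Connect deployments usually issue RS256 or ES256 tokens that the gateway verifies against the authorization server's published keys (JWKS); this example uses an HS256 JWT with a shared secret so it runs offline on the standard library alone. The issuer URL, audience and secret are constructed values, and `mint_token` stands in for the authorization server only so that tokens exist to check:

```python
"""Token validation at the gateway, using a self-contained HS256 JWT.
Added illustration; the issuer, audience and key are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple


class TokenError(Exception):
    """Raised when a token must be rejected; the message is for logs only."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict[str, Any], key: bytes, alg: str = "HS256") -> str:
    """Stand-in for the authorization server. `alg` is a parameter only so a
    forged 'alg: none' token can be built for testing; a real gateway only
    verifies tokens and never holds signing rights."""
    header = {"alg": alg, "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    ]
    signing_input = ".".join(segments)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, key: bytes, issuer: str, audience: str,
                   now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims if the token is acceptable, else raise TokenError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm: never let the token choose. This rejects 'none' and
    # key-confusion tricks where a public key is reused as an HMAC key.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise TokenError("bad signature")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or now >= exp:
        raise TokenError("expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf):
        raise TokenError("not yet valid")
    return claims


def gateway_decision(token: str, key: bytes, issuer: str, audience: str,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Per-request decision: (True, subject) to forward, or (False, reason)
    for the gateway log. The client only ever receives a generic 401."""
    try:
        claims = validate_token(token, key, issuer, audience, now)
        return True, str(claims.get("sub", ""))
    except TokenError as exc:
        return False, str(exc)
```

The checks that matter most in practice are the ones attackers probe for: the algorithm is pinned rather than read from the header, the signature is compared in constant time, and issuer, audience and expiry are all enforced so a token minted for one API cannot be replayed against another.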

Actively pursue a web API security gateway. Integrate ICAP (Internet Content Adaptation Protocol) servers or antivirus engines so that request and response payloads are scanned at the gateway, turning it into a security hub.

Engage in monitoring. Audit and log relevant information and keep it ready for troubleshooting; those logs are the debugging and forensic resource should any incident arise. Retain that history for as long as your storage and retention policy allow. Track API consumption using monitoring dashboards, and version all APIs so that logs and metrics show which version handled each request.

Restrict access. Display as little information as possible, particularly in error messages. Lock down notification email content and subjects so they cannot be customized by callers and are pre-defined messages. Keep internal IP addresses, which can reveal locations and topology, private. Separate access into different roles, limit the number of administrators, and hide sensitive information in all interfaces. Restrict access to resources with IP allow lists and deny lists.

Use quotas and throttling. API gateways support throttling settings such as a burst limit and a steady-state rate limit per second for each WebSocket API route or REST API method. Throttling reduces the threat that distributed denial-of-service (DDoS) attacks pose to backend systems: because the gateway terminates client connections, backends never see a layer 4 SYN flood, and layer 7 floods of counterfeit requests are absorbed by per-client limits before they reach a service.
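The burst-plus-steady-rate throttling just described, implemented as a per-client token bucket, as an added example that is not code from the page or any gateway product. Each bucket holds `burst` tokens and refills at `rate` tokens per second; a request spends one token and is refused with a Retry-After hint when the bucket is empty. The API keys and route are constructed, and the clock is injectable so the behaviour is deterministic:

```python
"""Per-client token-bucket throttling as an API gateway applies it.
Added illustration; keys and route names are constructed values.
"""
import time
from typing import Callable, Dict, Tuple


class Throttler:
    def __init__(self, rate: float, burst: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be > 0 and burst >= 1")
        self.rate = float(rate)     # sustained requests per second
        self.burst = float(burst)   # bucket capacity: max instantaneous burst
        self.clock = clock
        # key -> (tokens remaining, timestamp of last refill)
        self._buckets: Dict[str, Tuple[float, float]] = {}

    def allow(self, key: str) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds); retry_after is 0.0 if allowed."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.burst, now))
        # Lazy refill: credit the tokens accrued since the last request, capped
        # at the burst size so idle clients cannot bank unlimited credit.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True, 0.0
        self._buckets[key] = (tokens, now)
        return False, (1.0 - tokens) / self.rate  # time until one token exists


def throttle_key(api_key: str, method: str, route: str) -> str:
    """Scope limits per caller and per route, the way gateways configure them,
    so one noisy client cannot consume another client's quota."""
    return f"{api_key}:{method}:{route}"


class FakeClock:
    """Manually advanced clock for deterministic demos and tests."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = Throttler(rate=2.0, burst=5, clock=clock)  # 5-request burst, 2 req/s sustained
    key = throttle_key("key-abc", "GET", "/products/{id}")
    for i in range(7):
        allowed, wait = limiter.allow(key)
        status = "200 OK" if allowed else f"429 Too Many Requests, Retry-After: {wait:.1f}s"
        print(i + 1, status)
```

A gateway maps the refusal to HTTP 429 with a Retry-After header. Note what this does and does not protect: backend services behind the limiter are shielded from request floods, but the gateway itself still has to absorb the connections, so network-layer defences in front of it remain necessary.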

Data validation. Check all incoming data and refuse anything suspicious; large payloads deserve special scrutiny. Verify parameters with JSON or XML schema validation, using an allow-list of expected fields and value formats, so that injection attempts such as SQL injection are rejected before they reach a backend. Schema validation alone does not stop XML bombs (entity-expansion attacks); for those, reject documents that carry a DTD or configure the XML parser to disable entity expansion.
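The validation step above, as an added example that is not code from the page: a size cap, a non-recursive nesting limit checked before parsing, a strict allow-list schema for a constructed order-creation endpoint, and a DTD pre-filter for XML bodies. The schema, limits and sample bodies are all constructed; a production gateway would express the same rules as a JSON Schema or OpenAPI definition.

```python
"""Request validation at the gateway. Added illustration; the order schema,
limits and sample payloads are constructed, not from any real API.
"""
import json
from typing import Any, Callable, Dict, Optional, Tuple

MAX_BODY_BYTES = 16 * 1024
MAX_NESTING = 8

# field -> (exact Python type, predicate on the value). Allow-list semantics:
# any field not listed is rejected, as is any value the predicate dislikes.
ORDER_SCHEMA: Dict[str, Tuple[type, Callable[[Any], bool]]] = {
    "product_id": (str, lambda v: v.isdigit() and 1 <= len(v) <= 12),
    "quantity": (int, lambda v: 1 <= v <= 100),
    "note": (str, lambda v: len(v) <= 200 and v.isprintable()),
}
REQUIRED_FIELDS = {"product_id", "quantity"}


def _max_nesting(text: str) -> int:
    """Depth of the deepest object/array, computed without recursion so a
    hostile body cannot exhaust the stack before it is rejected."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "}]":
            depth -= 1
    return deepest


def validate_order(body: bytes) -> Tuple[bool, str, Optional[Dict[str, Any]]]:
    """Return (accepted, reason, cleaned_object). Reasons are for the gateway
    log; the client should only see a generic 400."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large", None
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return False, "body is not valid UTF-8", None
    if _max_nesting(text) > MAX_NESTING:
        return False, "nesting too deep", None
    try:
        data = json.loads(text)
    except (ValueError, RecursionError):
        return False, "body is not valid JSON", None
    if not isinstance(data, dict):
        return False, "body must be a JSON object", None
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        return False, f"unknown fields: {sorted(unknown)}", None
    missing = REQUIRED_FIELDS - set(data)
    if missing:
        return False, f"missing fields: {sorted(missing)}", None
    for name, value in data.items():
        expected_type, accepts = ORDER_SCHEMA[name]
        # `type(value) is`, not isinstance: bool is a subclass of int in Python.
        if type(value) is not expected_type:
            return False, f"{name}: wrong type", None
        if not accepts(value):
            return False, f"{name}: out of range or malformed", None
    return True, "ok", data


def xml_has_dtd(body: bytes) -> bool:
    """Cheap gateway pre-filter for XML bodies: a DOCTYPE is what enables
    entity expansion ('billion laughs') and external entities, so refuse it
    up front. The backend parser must still disable DTD processing itself."""
    return b"<!DOCTYPE" in body
```

The SQL-injection case is handled not by looking for quote characters but by insisting that `product_id` is a short digit string; allow-listing the expected shape is what makes injection payloads fail, whatever form they take.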

Maintain secure infrastructure. API gateway security relies on up-to-date software for load balancers, servers, and other components, and on an updated network and security infrastructure. Always install the most recent patches and security fixes.

Secure against the OWASP Top 10. The Open Web Application Security Project (OWASP) Top 10 lists the most critical web application security risk categories, ranked on prevalence, exploitability, and impact. OWASP also publishes an API Security Top 10 covering API-specific risks such as broken object-level authorization, which is the more directly relevant list for a gateway.

Use an API gateway. Applying all of the above consistently across many services is exactly what the API management capabilities of a gateway are for.



Does Noname Security offer API Gateway Security?

Yes. The Noname Security API security platform offers a solution that runs completely out-of-band to deliver industry-leading API discovery. D.A.R.T. is Noname’s holistic API security strategy: Discover, Analyze, Remediate, and Test.

Discover. With Noname you can discover and inventory all APIs, even at the enterprise level where there may be thousands of APIs to manage. Many may be unrouted, unmonitored, unaudited, and highly vulnerable to mishaps, mistakes, and mischief. Without a complete API inventory, the system is vulnerable. This is at the heart of what makes Noname one of the best API security testing tools.

Analyze. The next step in Noname’s comprehensive API security strategy is to leverage AI and ML to analyze API usage, access, and behavior in real-time. This helps to assess API changes, anomalies, and misconfigurations.

Remediate. Noname's platform enables users to remediate and resolve detected misconfigurations, anomalies, and other API security issues using multiple approaches. Users can react immediately to alerts and block API security attacks in real time, including attacks that would be invisible to other platforms because the APIs involved were never discovered.

Test. Thorough testing is essential to avoiding API security issues while confidently deploying APIs at enterprise speed.

The Noname Security API Security Platform and D.A.R.T. API security strategy run completely out-of-band. This means you can Discover, Analyze, Remediate, and Test every single API without introducing new risk or complexity, or modifying the network.

To learn more about the Noname API Security Platform, our approach to API security, and our API security services, please schedule a demo. Find out why we are one of the only API security companies offering a real solution.