
What is an API Gateway?


An API gateway is a reverse proxy that sits between clients and a collection of backend services. It accepts client API requests, routes each one to the appropriate microservice or microservices, aggregates their responses where a single client call needs several backends, and returns the combined result. It also bridges the gap between internal protocols that are unfriendly to web clients and the web protocols (typically HTTP and REST) that clients understand.

For example, an e-commerce site might use an API gateway to invoke and combine the results from various services, such as reviews and product info, to provide a more seamless shopping experience for users on mobile and web applications.

In enterprise environments, APIs are commonly deployed behind API gateways. A gateway centralizes the cross-cutting tasks that every API service would otherwise have to implement itself, such as rate limiting and user authentication. Offloading these concerns to the gateway also reduces duplicated code and the errors that come with it, which makes mobile and web application development more efficient.


How does an API gateway work?

As the single entry point in front of an API, the gateway is where security policy is enforced for the microservices behind it (which may be internal or external) and for any defined back-end APIs. Because every request passes through it, the gateway is also a natural place to support high availability and scalability.

An API gateway decouples the backend implementation from the client interface: the client sees one API, and the gateway decides which services are needed to satisfy each request. It receives a client request, breaks it down into smaller tasks, routes each task to the appropriate service, collects the responses, and assembles the reply returned to the client.

Why use an API gateway?

An API gateway platform is a critical piece of API security for several reasons.

Prevents Unnecessary Exposure

An API gateway separates internal microservice APIs from external public APIs, so teams can move boundaries and add microservices behind it. This lets them adjust and improve microservices gradually without breaking external clients. And by providing a single point of entry for all microservices, it hides versioning and service discovery details from the client.

Enhances Microservices Security

Microservices behind an API gateway gain an additional layer of protection: the gateway can validate and filter inbound requests before they reach a service, rejecting malformed or oversized payloads that feed XML parser exploits, screening known SQL injection patterns, and absorbing denial-of-service (DoS) traffic through rate limiting. This enhanced security is among the most important benefits of API gateways, though it is a first line of defense rather than a substitute for input validation and authorization inside each service.

Supports Mixed Communication Protocols

Internal communication may use AMQP or Protocol Buffers (ProtoBuf, a serialization format rather than a transport), or service integrations over JSON-RPC, SOAP, or XML-RPC. Although internal microservices may benefit from using different protocols, external-facing APIs typically expose a single REST- or HTTP-based API. With an API gateway, teams can pick the protocols that best suit the internal architecture, and the gateway presents a unified, external REST-based API across them.

Reduced Complexity

Microservices share a set of cross-cutting concerns that would otherwise have to be designed and implemented separately in each service: access control enforcement, token-based authorization (API gateway token validation), and rate limiting. An API gateway takes over these concerns, so each microservice can focus on its own business logic.
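The routing and aggregation described under "How does an API gateway work?" and the cross-cutting checks listed just above (token validation, rate limiting) in one runnable toy, as an added illustrative example. This is not Noname Security code and not any real gateway product; the backends are in-memory stubs, and the tokens, client names and product data are constructed sample data.

```python
"""Toy API gateway: token validation, rate limiting, routing and aggregation.

Added illustrative example; not Noname Security code and not any real
gateway product. The backends are in-memory stubs, and the tokens, clients
and product data are constructed sample data.
"""
import time
from collections import defaultdict

# Constructed: bearer tokens the gateway accepts, mapped to a client identity.
VALID_TOKENS = {"tok-mobile-123": "mobile-app", "tok-web-456": "web-app"}

# Constructed: in-memory stubs standing in for the product and review services.
PRODUCTS = {"42": {"id": "42", "name": "Widget", "price": 19.99}}
REVIEWS = {"42": [{"user": "alice", "stars": 5}, {"user": "bob", "stars": 3}]}


def product_service(product_id):
    return PRODUCTS.get(product_id)


def review_service(product_id):
    return REVIEWS.get(product_id, [])


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens/second, holds at most
    `capacity`. Each request costs one token; an empty bucket means 429."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = defaultdict(lambda: float(capacity))
        self.last = defaultdict(clock)

    def allow(self, client):
        now = self.clock()
        elapsed = now - self.last[client]
        self.last[client] = now
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


class Gateway:
    """Single entry point: authentication and rate limiting happen once here,
    so the backend services never repeat them."""

    # Route by path prefix; the client never learns which service answers.
    ROUTES = {"/products/": product_service, "/reviews/": review_service}

    def __init__(self, limiter):
        self.limiter = limiter

    def handle(self, request):
        """request = {'path': str, 'headers': dict}; returns (status, body)."""
        auth = request.get("headers", {}).get("Authorization", "")
        client = VALID_TOKENS.get(auth.removeprefix("Bearer "))
        if client is None:
            return 401, {"error": "invalid or missing token"}
        if not self.limiter.allow(client):
            return 429, {"error": "rate limit exceeded"}

        path = request["path"]
        # Aggregation: one client call fans out to two services and the gateway
        # merges the results, as in the e-commerce example earlier on the page.
        if path.startswith("/storefront/"):
            pid = path.removeprefix("/storefront/")
            product = product_service(pid)
            if product is None:
                return 404, {"error": "no such product"}
            return 200, {**product, "reviews": review_service(pid)}

        # Plain routing: forward to the single backend that owns the prefix.
        for prefix, backend in self.ROUTES.items():
            if path.startswith(prefix):
                result = backend(path.removeprefix(prefix))
                if result is None:
                    return 404, {"error": "not found"}
                return 200, result
        return 404, {"error": "unknown route"}


if __name__ == "__main__":
    gw = Gateway(TokenBucket(rate=5, capacity=3))
    headers = {"Authorization": "Bearer tok-mobile-123"}
    print(gw.handle({"path": "/storefront/42", "headers": headers}))
    print(gw.handle({"path": "/storefront/42", "headers": {}}))
```

Note the ordering of the checks: the bucket is keyed by the authenticated client, so unauthenticated requests are rejected before they cost anyone a token. A production gateway would additionally rate limit by source address ahead of authentication so that a flood of bad tokens cannot exhaust the authentication path itself.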

Virtualization and Mocking

Because the gateway separates the external API from the microservice APIs, the team can virtualize and mock services behind it to support integration testing or to validate design requirements before the real service exists.


API proxy vs API gateway

Both an API gateway and an API proxy provide access to backend services. An API gateway can serve as a simple API proxy, but an API proxy cannot replace the broader feature set of a gateway, particularly around monitoring and API security.


API gateway vs load balancer

Load balancers distribute demand across multiple resources. Their traditional home is the horizontally scaled cluster: a single server cannot handle all of the demand, so the system is replicated across several servers and the load balancer spreads requests among them. Load balancers are also used in cloud architectures to decouple clients from services.

An API gateway can also spread out network traffic, but not in the way a load balancer does. Instead of distributing requests evenly across a cluster of identical servers, it directs each request to a specific backend based on the requested endpoint; this is what API gateway traffic management means.

The API gateway therefore serves its own critical purpose in microservices architectures: it routes each request to the appropriate backend service and lets users map multiple services onto particular HTTP endpoints. The two are complementary rather than competing; a gateway commonly sits in front of load balancers that distribute traffic among the replicas of each service.


Do API gateways offer adequate security?

Though API gateways provide much-needed basic API security controls, they are not enough on their own to protect a business from API-specific threats. For example, a broken object level authorization (BOLA) attack looks like normal API traffic to a gateway: the request carries a valid token, stays within rate limits, and asks for an object the API legitimately serves. Without context linking each request to the identity behind it and to the data that comes back, the gateway has no way to tell that the requested object belongs to someone else, so the attack passes through undetected. This gap leaves you vulnerable not only to BOLA exploits but to other attacks and business logic abuse that a standard gateway cannot easily identify.
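The BOLA gap above, as an added illustrative example that is not Noname Security code: the gateway's per-request check (is the token valid?) passes a request for someone else's order, the vulnerable service hands the order over, and the hardened service, which owns the data, is the one that can refuse. A small cross-request check at the end shows the kind of context a gateway lacks. Users, tokens, orders and the access log are constructed sample data.

```python
"""Why a gateway alone does not stop BOLA.

Added illustrative example, not Noname Security code. Users, tokens, orders
and the access log below are constructed sample data.
"""
from collections import defaultdict

# Constructed: the gateway only knows which tokens are valid and for whom.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed backend data: each order belongs to exactly one user.
ORDERS = {
    "1001": {"id": "1001", "owner": "alice", "total": 49.00},
    "1002": {"id": "1002", "owner": "bob", "total": 120.00},
}


def gateway_checks(request):
    """What a typical gateway can verify per request: is the token valid?
    Returns the authenticated user, or None. The object id in the path is
    opaque to it: /orders/1001 and /orders/1002 look identical."""
    token = request["headers"].get("Authorization", "").removeprefix("Bearer ")
    return TOKENS.get(token)


def order_service_vulnerable(user, order_id):
    """Assumes the gateway 'handled security': any authenticated user can
    read any order. This is the BOLA pattern the text describes."""
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def order_service_hardened(user, order_id):
    """Object-level authorization lives with the data: the service checks
    that the caller owns the object before returning it."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Same answer for 'missing' and 'not yours', so ids cannot be enumerated
        # by comparing status codes (a deliberate design choice here).
        return (404, None)
    return (200, order)


def handle(request, service):
    """Gateway first, then the service, as on a deployed request path."""
    user = gateway_checks(request)
    if user is None:
        return (401, None)
    order_id = request["path"].removeprefix("/orders/")
    return service(user, order_id)


def flag_enumeration(access_log, threshold=3):
    """Cross-request context a gateway lacks: a user touching many distinct
    object ids in one window is a BOLA probing signal. `access_log` is a
    list of (user, order_id) pairs; returns the users at or over threshold."""
    seen = defaultdict(set)
    for user, order_id in access_log:
        seen[user].add(order_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    other = {"path": "/orders/1002", "headers": {"Authorization": "Bearer tok-alice"}}
    print("gateway sees user:", gateway_checks(other))
    print("vulnerable service:", handle(other, order_service_vulnerable))
    print("hardened service:  ", handle(other, order_service_hardened))
    log = [("alice", "1001"), ("alice", "1002"), ("alice", "1003"), ("bob", "1002")]
    print("probing users:", flag_enumeration(log))
```

The point of `flag_enumeration` is not that it is a complete detector, but that it needs state across requests and knowledge of which ids a user should legitimately touch; a gateway evaluating one request at a time has neither.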

Another visibility gap is maintaining an accurate API inventory. Enterprises manage thousands of APIs, many of which are not routed through a proxy such as an API gateway at all. Without visibility into how many APIs you have, it is easy to underestimate the size of your API estate.


Does Noname Security integrate with API gateways?

Yes. Noname Security works with your existing API gateways and covers all aspects of API security, from development to deployment configuration and run-time operations. To do so, Noname Security has built its portfolio around three recommended strategies:

API Posture Management

Our API discovery tool finds and inventories all of your organization's APIs, including legacy and shadow APIs. It provides a clear and accurate picture of your potential exposures and of what the true attack surface looks like across APIs and web applications.

API Runtime Protection

Our platform uses automated AI and machine learning detection to conduct real time traffic analysis and provide contextual insights into data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks.

API Active Testing

Noname Security provides a suite of API-focused security tests that security operations can run on-demand or as part of a CI/CD pipeline to ensure that APIs aren't implemented with security vulnerabilities in them.

Click here to learn more about how the Noname Security platform integrates with your existing API gateways and web application firewalls to provide holistic API security.