APIs are the glue that holds applications together. Tools for managing API interactions have become an essential part of application deployment architectures.
API proxies and API gateways are the main API management technologies that can help secure and monitor APIs. They work in different ways and offer varying features, making it critical for developers to understand which type of API tool is best for their needs.
Both API proxies and API gateways serve as intermediaries between APIs and applications. Proxies can perform more basic communication tasks, while gateways offer more advanced features and therefore might consume more resources to operate.
What are APIs and why are they important?
An application programming interface, or API, is a way for different applications or services to exchange data with each other. APIs function as connectors that make it possible for one application to send a request to another, and for the receiving application to send back a response using predefined communication rules.
By standardizing interactions, APIs simplify the task of sharing data between applications. Without APIs, any two applications that need to communicate with each other would require internal code specifying exactly how they should interact. In that scenario, it would be challenging for developers to ensure compatibility between applications because they would need to write custom communication logic for each one. With an API, however, applications can communicate using external protocols that don't require special code inside each application.
APIs enable applications to communicate with each other.
APIs have existed since the mainframe era. They exploded in number and importance with the rise of cloud-native computing starting in the 2010s. Today, the value of an application often hinges not on what the application can do independently, but rather on its ability to interact with other applications. Because APIs enable those interactions, they have become ubiquitous within many modern application architectures.
What is an API proxy?
An API proxy is a simple intermediary between an application and the APIs that it uses to communicate. When a developer deploys an API proxy, the proxy receives incoming API requests and then forwards them to the application.
It can also perform certain basic actions prior to forwarding the requests, such as blocking malicious requests or limiting the number of requests that the application receives in a given time frame. That can be useful because excess requests can overwhelm the application, causing performance problems.
What is an API gateway?
An API gateway is a centralized intermediary that accepts all incoming API requests, processes them in often complex ways and then forwards them to an application. Like an API proxy, an API gateway can process API requests in basic ways, such as blocking malicious requests or limiting request rates.
API gateways can also perform more complex operations, such as authorizing and authenticating a client or converting data within a request from one format to another. For instance, a gateway could convert data from XML to JSON.
API proxy vs. API gateway: What's the difference?
API proxies and API gateways offer the same core functionality: Both can serve as an intermediary that isolates an application from API requests.
But they do this with different levels of functionality. Key differences between an API proxy and an API gateway include the following:
Capabilities. An API proxy can perform only basic routing, security and monitoring operations on API requests. API gateways go further. As noted above, they support tasks such as authorization, authentication and data transformation.
Centralized processing. Often, an API proxy is designed to act as a intermediary between one API and an application. In contrast, API gateways typically function as centralized hubs that can accept all requests from all APIs.
Reverse proxy. API gateways can usually operate as reverse proxies. This means that in addition to accepting incoming requests and directing them to the application, they can also route application responses back to the API clients. Some API proxies can work this way, too, but others are limited to accepting incoming requests and relying on the application to route responses directly.
Resource consumption. Because API gateways offer more features, they also often consume more CPU and memory resources, especially when they perform complex operations such as data transformation.
Blurred lines between vendor tools
Although the differences between API proxies and API gateways might seem straightforward in the abstract, it's important to note that most vendors of API management tools -- such as Kong, Google Cloud Apigee, MuleSoft, Gravitee and Traefik -- are keen to label their software as API gateways. It's tough today to find a tool that is marketed as a mere API proxy.
It's tough today to find a tool that is marketed as a mere API proxy.
Most tools sold as API gateways do offer functionality that extends beyond what a traditional API proxy would provide. However, there can be a gray area. There is no formal definition of how much additional functionality a tool needs to offer to qualify as an API gateway instead of a proxy.
Some API gateways provide more granular or robust security, monitoring and routing capabilities than others. Certain gateways have limited support for asynchronous API calls, meaning ones where clients don't wait for a response before proceeding to other requests. Some also integrate more easily than others with specific platforms. For instance, Traefik Hub is a Kubernetes-native tool, making it easy to deploy on Kubernetes, whereas most other API gateways are not tied to a specific hosting architecture or platform.
The types of API architectures that gateways can support also vary. Virtually all tools can handle REST APIs, but support for managing APIs that use SOAP or gRPC approaches tends to be more limited.
It's worth noting as well that API gateway pricing can vary widely, not just in terms of total charges, but also in pricing models. Some vendors bill based on total API calls, and others charge on a per-gateway basis. Customers can also incur costs for added features, such as API discovery, in addition to what they pay for basic functionality.
So, when choosing a tool, it's important to focus on the types of APIs it can manage, which deployment options it supports and how it is priced. Developers should not assume that just because a vendor sells something called an API gateway, it provides every possible feature they could want from an API management offering.
When to use an API proxy vs. API gateway
An API gateway is preferable for most use cases because it's a more feature-rich and flexible tool. Still, the additional capabilities that API gateways provide must be balanced against their higher resource utilization. API gateways also tend to cost more to license, especially when all their capabilities are enabled.
It typically makes sense to stick with a simple, free or low-cost API proxy tool if the following are true:
The environment uses APIs that don't require authentication or authorization.
The APIs don't require any data transformation.
The architecture needs only basic monitoring and routing capabilities.
Reverse proxy capabilities are not necessary; alternately, choose an API proxy that can also work as a reverse proxy.
In cases that require more advanced capabilities, an API gateway is a better choice.
Remember that API gateway functionality can vary from one tool to another, as can cost and resource requirements. Developers who need a tool that can handle somewhat more complex needs than an API proxy, but don't require every advanced capability, could choose a less sophisticated API gateway.
In some cases, the same vendor offers multiple versions of its API gateway product, with differing capabilities and price points. As a result, it's important not only to compare overall API gateway vendors, but also to understand the details of each of their offerings to find the right tool for a given use case.
Chris Tozzi is a freelance writer, research adviser, and professor of IT and society. He has previously worked as a journalist and Linux systems administrator.
