API management API security

Explore 6 popular API gateway tools and how to choose one

Plenty of vendors have jumped on the API gateway trend, which can make it difficult to choose the right one for you. We examine the key features of six popular gateway tools.

APIs are a pivotal aspect of software development because they enable applications to communicate with each other and access data. However, in a distributed microservices architecture, one request for data will involve calls to numerous independent services and applications, creating a proliferation of messages that can be extremely difficult to track, secure and appropriately manage.

To make sure these calls are properly routed in a timely manner, enterprises can implement an innovative messaging mechanism: the API gateway. In essence, the API gateway provides a single point of entry into a distributed architecture, managing all requests and responses as API calls that the gateway routes appropriately. Additionally, an API gateway tool can apply policies that determine an API's availability and behavior, such as how it processes (or throttles) calls and controls the flow of data. Many API gateways incorporate monitoring and logging capabilities to record and analyze API calls and responses; this enables businesses to centrally track and control APIs and integrations, rather than manage them all individually.

How to choose an API gateway tool

Many providers have jumped at the chance to provide API gateway tools. There are plenty of options choose from, whether standalone tools or functionality incorporated into a broader API management platform. Most API gateway offerings available today include numerous options that support authentication, analytics, load balancing, cache management, dependency resolution and more.

Choosing the right one depends on both your development shop's specific needs and the development platforms your teams already use. Some factors to consider include:

Proprietary versus open source. Oracle users may find Oracle's fully managed API gateway to be a natural fit. Similarly, a company that runs services on AWS, Microsoft Azure or Google Cloud might prefer that platform's specific API gateway. Enterprises comfortable with open source tools also have several API gateway options to choose from. Support is also a consideration, whether it's from a dedicated provider or a community around an open source tool.

Architecture. Some API gateway tools emphasize simplicity, while others are built with extensibility in mind. Different API gateways support different database systems, such as PostgreSQL, Cassandra, Redis or MongoDB. Again, this largely depends on an organization's familiarity with and reliance upon specific external databases. As mentioned previously, API gateways for specific cloud platforms will naturally tie into other services on that platform.

Programming language. Some API gateway options, particularly open source ones, may involve some customization. It might matter if your developers have -- or lack -- knowledge of specific languages, such as Golang or Lua. API gateways may accommodate plugins written in other languages to partly mitigate this issue.

Below are some of the most popular API gateway tools from both proprietary and open source providers. 

Large cloud proprietary options

Cloud providers offer API gateways designed to integrate with their own services. Among these options are:

  • Amazon API Gateway. Part of AWS's suite of cloud platform tools, API Gateway is a fully managed service that is used to create, deploy, manage, monitor and secure APIs, including those based in REST, HTTP and WebSocket protocols. It also focuses on features geared toward resiliency and lifecycle management. API Gateway, of course, integrates easily with other AWS services and tools, such as CloudTrail for logging, Identity and Access Management (IAM) for authentication and CloudFormation for API creation. Users can access the Amazon API Gateway through a number of AWS access points, such as a management console, CLI or SDK.
  • Azure API Gateway. Microsoft's Azure API Management service features an API gateway as one of its three major components, alongside Azure portal (the administrative interface) and Developer portal (the developer interface). Azure's gateway accepts and routes HTTP calls, enforces usage and rate limits, caches back-end responses, logs calls and handles verification. Azure offers different features for a range of defined pricing tiers, which range from a consumer-level option that provides a pay-per-use API gateway to a premium tier designed for enterprise-level production that provides Active Directory integration, Virtual Network support and a self-hosted gateway. The gateway tool also integrates with Azure services like Monitor for diagnostics and Logic Apps for workflow and orchestration.
  • Oracle API Gateway. As part of the Oracle Cloud Infrastructure services, Oracle's fully managed API gateway provides RESTful APIs to back-end services that support cloud-native apps. Developers can publish APIs with private end points and access them through their own network, as well as expose them to public IP addresses for internet traffic. It includes key features such as policy enforcement, metrics and logging. Paired with Oracle Functions, developers can create serverless RESTful APIs. Also, for security, the gateway is integrated with Oracle Cloud Infrastructure IAM.
API gateway diagram
A diagram of the basic API gateway pattern

Third-party open source options

Several popular open source API gateway options provide performance and scale that match most enterprises' needs. Examples include:

  • Kong Gateway. Kong Gateway is a highly scalable, open source API gateway optimized for microservices and distributed architectures. Kong built the gateway on top of top of the NGINX web server, and governs it using the Apache 2.0 license. Kong provides API gateway tools through an open source library of plugin components that add traffic control mechanisms, analytics support, authentication methods and serverless functions that help software teams create custom domains. The gateway also allows developers to configure requests and responses on the fly.
  • Tyk API Gateway. Tyk is another open source gateway option made up of three distinct components: the Dashboard that provides an interface for metrics and API organization; the Pump, which provides data persistence and database connections; and the Gateway, which is the proxy that handles all traffic. The Tyk API Gateway only requires a Redis database to run, and it offers similar features to Kong, including traffic proxying methods, access controls and logging capabilities.
  • Express Gateway. Express Gateway is an open source option built on Express.js. It is made up of four core components: a centralized declarative config that stores API use case configurations as a single YAML or JSON file; a consumer and credentials management module for API access; a distributed persistent data store that allows global data access and scalability across multiple instances; and a plugin system that allows developers to extend policies, pipelines, conditions and actions. Some plugin features also include additional authentication, API customization, rate limiters and serverless capabilities.

Next Steps

How API gateways improve API security

Dig Deeper on API design and management

Software Quality
Cloud Computing