E-Handbook: For API-based integration, a gateway is your friend Article 3 of 4

Andrea Danti - Fotolia


Use API gateways to aid microservices communication, security

Discover where API gateways fit into microservices architectures to help manage interactions between client applications and users.

If you commit to a microservices architecture for a business project, it's important to determine how this architecture will interact with the external world and how the external world will respond to the microservices architecture.

There's no one right answer, of course, but for many microservices-based applications, an API gateway is the best choice to manage interactions with client applications and users, including enhanced microservices communication and security.

API gateway basics

At the most basic level, an API gateway manages all outside interactions with a microservices application through APIs. A client app makes an API call to the gateway, and the gateway parses the request and directs it to the appropriate microservice. The client app communicates with the microservices strictly by means of the gateway's APIs, and the only thing it needs to know about the microservices is how to use those APIs.

Monolithic vs. microservices

API gateways aren't new, of course; the world of Monolithic applications has used them for some time. With monolithic applications, it's the application itself that serves as an added layer of abstraction, as it further insulates individual services from the outside world.

With microservices-based applications, on the other hand, an API gateway serves as the main layer of abstraction between the microservice and the outside world. As such, it must take on some of the communication and even administrative roles that are typical of a monolithic application.

For microservices, API gateways also take on expanded management roles, which typically handle such responsibilities as service discovery, basic business logic, stabilization and balancing, security and analytics -- whereas, monolithic applications would handle most or even all of these responsibilities internally.


Most API gateways are highly configurable; they maintain multiple sets of APIs for the same microservices, each optimized for a specific type of client. At the same time, they typically translate API calls to the protocols and formats that work best for individual microservices. As a result, new clients and new or changed microservices can accommodate with relatively minor adjustments to the gateway configuration and with little or no effect on the rest of the application.

Overhead tradeoffs

What about overhead? In order to get the most out of an API gateway, start at the design phase with an architecture that can take advantage of the services provided by an API gateway. A microservices-based architecture can include a basic set of API standards in the code requirements, and the code requirements for outward-facing services should include similar standards.

The purpose of this standardization is to ease configuration of the API gateway and the ability to update the configuration to accommodate new clients and new or changed microservices. While it's true that the API gateway itself provides a standardized interface, a systematic approach to communicating with the gateway can reduce maintenance overhead, even if it does involve greater upfront overhead during the design and code phases.

An API gateway can also speed up microservices communication by standardizing protocol translation and by removing the job from both the application and the client -- neither of which is likely to be optimized for the task.

Gateways and security

Not only do API gateways provide a consistent layer to microservices communication, they're also likely to improve system security. They serve as a filter for all incoming communication simply by placing a layer between microservices and the outside world. In addition, most API gateways have their own built-in security features, which can take advantage of the gateway's position as a communication intermediary and protocol translation system. An API gateway typically manages authorization and authentication, but if configured appropriately, it can also work with an authorization server that incorporates decentralized authorization managed by individual microservices. API gateways can even function with a system that combines both kinds of authorization.

While it is true that API gateways may present a tempting potential attack surface, the standardized nature of the inward- and outward-facing interfaces provided by the gateway makes it easier to identify and secure potential points of intrusion.

Making the right choice

If your business's application and its interactions with clients and users are of substantial size and complexity, then there are a variety of open source API gateway applications capable of meeting the needs of a microservices-based architecture. Whether your business is starting from scratch, breaking a monolithic program down into microservices or simply considering ways to better manage an existing set of microservices, look closely at the benefits offered by using an API gateway.

Dig Deeper on Enterprise application integration

Software Quality
Cloud Computing