API Gateway is a pattern commonly used in Microservices Architecture. API Gateway serves as an Edge Server in the overall system architecture.
Why do we need an API Gateway?
- Different clients (like mobile devices, tablets, browsers etc.), might need and demand services with different granularity. For instance, a particular client might need a service which returns a heavier payload and doesn’t want too many calls, back and forth to the server whereas; another client might need a smaller payload and might require additional calls to the server to get more data as needed.
- Exposing all the individual service end points to the client may not be a good idea. Exposing one end point would be easier to manage from a client perspective.
- Managing and applying security is easier if one common end point is exposed.
- In a cloud environment with a pay per use model for services, metering the service usage is easier if it is centralized.
An API Gateway could help address the above concerns and provide services like routing, transformation and service aggregation, in addition to applying security. An API Gateway can also manage versions of service APIs which are exposed to clients.
Rate Limiting and Throttling:
An API Gateway implements throttling of requests and also applies rate limiting so that the number of requests could be monitored and controlled.
When an API is exposed to consumers, there is a possibility of the API being abused intentionally or inadvertently, in the absence of controls. Rate Limiting will limit the number of times an API could be invoked by a consumer in a specific window of time. For example, the API could be invoked let's say 200 times in 4 hours. The charge back to the consumer could be applied accordingly. If the consumer exceeds this limit in a given window, then the API gateway would reject the request and send back appropriate error (Generally, a 403 status code will be returned).
Throttling is a process of queuing the requests, when the rate limit has been applied. i.e, when the number of requests have exceeded in a given window, the future requests could also be throttled, i.e, instead of returning 403, the request would be queued for a specified amount of time, say 100 ms. After this time has elapsed, the request would be picked up again for processing and if the window has still not elapsed and the quota is exceeded, then 403 error is returned back to the client.
A few libraries/solutions which implement API Gateway are Netflix Zuul, WSO2, Kong, Apigee.