Understanding API Gateways

Understanding API Gateways

An API Gateway is a server that acts as an API front-end, receiving API requests, enforcing throttling and security policies, passing requests to the back-end service, and then passing the response back to the requester. It plays a crucial role in managing and routing API traffic between clients and backend services.

Key Features of an API Gateway:

Request Routing: Directs requests to the appropriate service.

Load Balancing: Distributes incoming requests across multiple servers to ensure no single server is overwhelmed.

Authentication and Authorization: Ensures that only authorized clients can access the API.

Rate Limiting and Throttling: Controls the number of requests a client can make in a given period.

Caching: Stores copies of responses to reduce latency and improve performance.

Logging and Monitoring: Tracks API usage and performance, which helps in identifying and troubleshooting issues.

Data Transformation: Modifies request and response data, such as changing protocols, message formats, or even content.

Benefits of Using an API Gateway:

Simplified Client Code: Clients only interact with the API Gateway rather than multiple services.

Improved Security: Centralized control over authentication and authorization.

Increased Scalability and Performance: Optimized routing, load balancing, and caching capabilities.

Flexibility and Extensibility: Easily add or modify services without changing the client code.

Popular API Gateway Solutions:

• AWS API Gateway
• Kong
• Nginx
• Apigee
• Zuul (Netflix)
• Traefik

Use Cases:

Microservices Architecture: Efficiently manages and routes requests between various microservices.

Mobile and Web Applications: Simplifies API management for diverse client applications.

Third-Party Integrations: Provides secure and controlled access to APIs for external partners.

Overall, an API Gateway serves as an intermediary layer that helps streamline and secure communication between clients and backend services, making it an essential component in modern application architectures.

his architecture shows the flow of user requests:

1. The client application sends a request to Amazon Cognito using the /oauth/authorize or /login API. Amazon Cognito authenticates the user credentials.
2. Amazon Cognito redirects using an authorization code grant and prompts the user to enter credentials. After authentication, it returns the authorization code.
3. It then passes the authorization code to obtain a JWT from Amazon Cognito.
4. Upon successful authentication, Amazon Cognito returns a JWT, such as acccess_token, id_token, refresh_token. The access/id token stores information about the granted permissions including tenant ID to which this user belongs to.
5. The client application invokes the REST API that is deployed in API Gateway. The API request passes the JWT as a bearer token in the API request Authorization header.
6. Since the tenant ID is hidden in the encrypted JWT token, the Lambda authorizer function validates and decodes the token, and extracts the tenant ID from the JWT.
7. The Lambda token authorizer function returns an IAM policy along with tenant ID from the decoded token to which a user belongs.
8. The application’s REST API is configured with usage plans against a custom API key, which is the tenant ID in API Gateway. API Gateway evaluates the IAM policy and looks up the usage policy using the API key. It throttles API requests if the number of requests exceed the throttle or quota limits in the usage policy.
9. If the number of API requests is within the limit, then API Gateway sends requests to the downstream application REST API. This could be deployed using containers, Lambda, or an Amazon EC2 instance.