API Gateway – What’s in it for me?


Today we live in a digital world driven by tech-savvy consumers who demand more in terms of services and experience. In this connected world, customers engage with companies on a variety of devices and channels, including in-store, web, smartphones, tablets, laptops, and even connected devices in the burgeoning Internet of Things (IoT).

APIs (Application Programming Interfaces) are the foundation for building your digital business: they are sets of routines, protocols, and tools that describe how software applications and components should interact with each other. They are the key driver in today’s economy for integrating with an ecosystem much larger than most companies could build on their own.

A lot of companies expose their services as part of an SDK that includes the APIs and instructions to help developers understand how to use them. The API layer abstracts the underlying platform complexity behind a simple contract, and the value in the data is made available in an easy-to-use, readable format.

So, in a nutshell, a digital platform will consist of a plethora of services that interact with each other as well as with 3rd-party services, making their management a hell of a job. This is where an API Gateway, also known as an API Manager, comes in to help us manage the APIs in a better and easier way.

Key Challenges for Business on their way to Digital Transformation

Client Communication with Services – We will be building a lot of services, and most of them will be used by clients to drive the consumer experience. If the clients (mobile app, web app, IoT devices, etc.) access the services directly, they need to know how the application’s functionality is decomposed into microservices. This leads to tight coupling between clients and microservices, and clients spend a lot of effort on the necessary orchestration, such as aggregating data from multiple services. If the internal code of a microservice changes, it may break the contract, and since every client references the microservice directly, every client will need to be updated, which makes the change more troublesome.

Network Latency – To display data on a single page there might be multiple calls to different microservices, or even to the same service. This results in multiple network round trips between the client and the server, adding significant latency. The result is a slower UI even though your back-end services return data in milliseconds.

Cross-Cutting Concerns – How do we handle authentication and authorization in services? It is a valid concern for every service, but building it into every microservice results in bulkier services and duplicated code. It should be handled in a separate tier altogether. There are many such functionalities that may be needed across services, so we need common ground where we can build them once and all of the services can use them.

Support for Multiple Protocols – Many protocols, such as binary protocols or AMQP, are not supported by client apps. Similarly, there may be legacy components that can be wrapped in a microservice and used across different clients, so there may be a need to transform the request or response, for example XML to JSON or XML via XSL. Building all of this ourselves raises the cost of our platform substantially unless we have a ready-made solution that can easily be customized to cater for these cases.

Security Concerns – Since clients access the microservices directly, we have to expose all of our microservices to the external world, making them vulnerable to attack. We have to minimize what we expose to the external world: the smaller the attack surface, the more secure our application can be. Then there is also the probability of someone hitting our endpoints, intentionally or unintentionally, with a lot of requests and bringing our service down. Is there a solution for this?

Monetization of the API – Since we build our functionality through services, at a later point in time we may find that some of the services can be commercialized and we would like to derive financial benefit from them. The challenge then is how to monetize the API: is there a way to limit and control it for different tenants?


All of the above concerns can be addressed by using an API Gateway as a layer between microservices and clients. This is a service that provides a single entry point for a group of microservices. You can think of the API Gateway as a middleman that sits between the client apps and the microservices. It acts as a reverse proxy, routing requests from clients to services. It can also provide additional cross-cutting features such as authentication, SSL termination, and caching.
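To make the "single entry point" concrete, here is an added example of the routing and aggregation side of a gateway (not code from the post, and not Apigee's implementation). The backend services are stand-in Python functions with constructed data so it runs offline; the public paths, the `/api/v1` prefix and the `dashboard` aggregate route are assumptions. It shows the three points above: clients address stable public paths instead of the service decomposition, one dashboard request fans out to two services server-side instead of two client round trips, and a service that is not in the route table (the internal admin service) is simply unreachable from outside.

```python
"""Minimal API gateway front: one public entry point, route table, aggregation.

Added example, not from the post or from Apigee. Backend services are stand-in
Python functions with constructed data; a real gateway would make HTTP calls.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, dict]
Backend = Callable[[str], Response]


# --- Stand-in backend microservices (constructed) ---------------------------
def user_service(path: str) -> Response:
    users = {"/users/42": {"id": 42, "name": "Ada"}}
    return (200, users[path]) if path in users else (404, {"error": "no such user"})


def order_service(path: str) -> Response:
    orders = {"/orders?user=42": {"user": 42, "orders": [{"id": 7, "total": 19.99}]}}
    return (200, orders[path]) if path in orders else (404, {"error": "no orders"})


def admin_service(path: str) -> Response:
    # Internal-only service. It exists, but it is never published below.
    return 200, {"debug": "internal state"}


@dataclass
class Route:
    backend: Backend
    internal_prefix: str  # public prefix is rewritten to this internal prefix


# Published routes. Anything absent from this table cannot be reached from
# outside, which is how the gateway shrinks the externally visible surface.
ROUTES: Dict[str, Route] = {
    "/api/v1/users": Route(user_service, "/users"),
    "/api/v1/orders": Route(order_service, "/orders"),
}


def resolve(public_path: str) -> Optional[Tuple[Route, str]]:
    """Longest-prefix match of a public path; returns (route, internal path)."""
    for prefix in sorted(ROUTES, key=len, reverse=True):
        if public_path == prefix or public_path.startswith((prefix + "/", prefix + "?")):
            route = ROUTES[prefix]
            return route, route.internal_prefix + public_path[len(prefix):]
    return None


def dashboard(user_id: str) -> Response:
    """Aggregate route: one client round trip, two backend calls made here."""
    u_status, user = user_service(f"/users/{user_id}")
    if u_status != 200:
        return u_status, user
    o_status, orders = order_service(f"/orders?user={user_id}")
    return 200, {"user": user, "orders": orders["orders"] if o_status == 200 else []}


def handle(public_path: str) -> Response:
    """Single entry point: aggregate routes first, then plain proxying."""
    if public_path.startswith("/api/v1/dashboard/"):
        return dashboard(public_path.rsplit("/", 1)[1])
    match = resolve(public_path)
    if match is None:
        return 404, {"error": "unknown route"}  # e.g. anything aimed at admin_service
    route, internal_path = match
    return route.backend(internal_path)


if __name__ == "__main__":
    for p in ("/api/v1/users/42", "/api/v1/dashboard/42", "/admin/debug"):
        print(p, "->", handle(p))
```

Changing how `user_service` is split internally only requires updating the route table; every client keeps calling `/api/v1/users/...`.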

I will talk about one of the most popular and feature-rich API Gateway solutions, Apigee, and discuss its high-level features here.

API Management – API management provides the ability to design and build APIs that are intuitive and easy for developers to adopt and use.

API Key Management – Generate and distribute keys for your API so that only clients that hold a valid key can access it.

Security – Protecting your APIs is of utmost importance. In Apigee you can protect your APIs, messages, and backends with configurable policies such as OAuth, API key verification, XML/JSON threat protection, access control (IP whitelisting and blacklisting), and SAML assertions.

Protocol Transformation – Apigee provides out-of-the-box support for transforming your existing legacy APIs to be more usable without touching their code. Configurable policies include SOAP to REST, XML to JSON, JSON to XML, and XSL transformation.
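The XML-to-JSON case from the "Support for Multiple Protocols" challenge and this feature is where such a transform usually goes wrong in practice: attributes get dropped, and a repeated child element comes out as one object instead of a list. The following added example (my code, not Apigee's XML-to-JSON policy) is a transform step a gateway can apply to a legacy backend's XML reply so the client receives JSON while the backend stays untouched; the order document is constructed. It assumes the XML comes from a trusted backend; for XML that arrives from clients, a hardened parser such as `defusedxml` belongs in front of it.

```python
"""Gateway transform step: legacy backend answers XML, the client gets JSON.

Added example, not Apigee's policy. LEGACY_XML is a constructed backend reply.
Parses with the standard library, which is appropriate for XML produced by a
trusted backend; client-supplied XML should go through a hardened parser first.
"""
import json
import xml.etree.ElementTree as ET
from typing import Any, Dict

LEGACY_XML = """<order id="7" currency="EUR">
  <customer>42</customer>
  <item sku="A1">2</item>
  <item sku="B2">1</item>
  <total>19.99</total>
</order>"""


def element_to_obj(el: ET.Element) -> Any:
    """Map an element to str / dict. Attributes are kept as '@name' keys, element
    text beside attributes as '#text', and repeated child tags become a list so
    the second <item> does not silently overwrite the first."""
    children = list(el)
    text = (el.text or "").strip()
    if not children and not el.attrib:
        return text
    obj: Dict[str, Any] = {"@" + k: v for k, v in el.attrib.items()}
    if not children:
        if text:
            obj["#text"] = text
        return obj
    for child in children:
        value = element_to_obj(child)
        if child.tag in obj:
            if not isinstance(obj[child.tag], list):
                obj[child.tag] = [obj[child.tag]]
            obj[child.tag].append(value)
        else:
            obj[child.tag] = value
    return obj


def transform(xml_text: str) -> Dict[str, Any]:
    """Transform a whole XML document into the JSON-ready structure."""
    root = ET.fromstring(xml_text)
    return {root.tag: element_to_obj(root)}


def xml_to_json(xml_text: str) -> str:
    """The response body the gateway would hand to a JSON client."""
    return json.dumps(transform(xml_text), sort_keys=True)


if __name__ == "__main__":
    print(xml_to_json(LEGACY_XML))
```

The list rule is the important design choice: whether a tag is repeated depends on the data, so a client must be told (or the schema must fix) that `item` is always an array; otherwise a one-item order and a two-item order would deserialize differently.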

Developer Portal – Apigee also provides a developer portal, which is a playground for developers to learn about the enterprise’s APIs, register as developers, and collaborate with peers and with the enterprise. It also includes productivity tools such as an API console and a debugger.

API Traffic Management – Apigee provides all the basic traffic management features such as routing, mediation, orchestration, and transformation. In addition, it provides caching to speed up traffic, rate limiting, and spike arrest to prevent your services from being misused.
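The "Security Concerns" challenge above (exposed endpoints, floods of requests) and the API key verification, JSON threat protection and spike arrest features listed here all land in the same place: a policy chain the gateway runs before a request is forwarded. The following added example is my own illustration of that chain, not Apigee's policies; the key names, limits and the fake clock are constructed. The order of the checks is the point worth taking from it: the key is verified first so anonymous traffic cannot consume a tenant's quota, spike arrest runs before the body is parsed so a flood does not cost parser CPU, and the JSON checks bound both size and nesting depth before the backend ever sees the document.

```python
"""Gateway-tier policy chain: API key verification, spike arrest, JSON threat
protection, applied before a request reaches any backend.

Added example; names follow the post's vocabulary, the code is not Apigee's.
Keys and limits are constructed sample values.
"""
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional, Tuple


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# Issued keys are stored hashed (constructed): a leaked table yields no usable key.
KEY_TABLE: Dict[str, str] = {_digest("demo-key-mobile"): "mobile-app",
                             _digest("demo-key-web"): "web-app"}


def verify_api_key(presented: str) -> Optional[str]:
    """Return the app name for a valid key, None otherwise (constant-time compare)."""
    digest = _digest(presented or "")
    for stored, app in KEY_TABLE.items():
        if hmac.compare_digest(digest, stored):
            return app
    return None


class SpikeArrest:
    """Token bucket per app: `rate` requests/second with a burst of `capacity`."""

    def __init__(self, rate: float, capacity: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # app -> (tokens, last seen)

    def allow(self, app: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(app, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[app] = (tokens - 1.0, now)
            return True
        self._buckets[app] = (tokens, now)
        return False


MAX_BODY, MAX_DEPTH, MAX_KEYS = 4096, 5, 50  # constructed limits


def json_threat_check(body: str) -> Optional[str]:
    """Reject bodies that would stress the backend's parser; None means OK."""
    if len(body) > MAX_BODY:          # size bound first: it is checked before parsing
        return "body too large"
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):  # json.loads hits RecursionError on very deep input
        return "malformed JSON"
    keys = 0

    def depth(node: object, d: int = 1) -> int:
        nonlocal keys
        if d > MAX_DEPTH:
            return d                  # stop descending once the limit is exceeded
        if isinstance(node, dict):
            keys += len(node)
            return max([depth(v, d + 1) for v in node.values()], default=d)
        if isinstance(node, list):
            return max([depth(v, d + 1) for v in node], default=d)
        return d

    if depth(doc) > MAX_DEPTH:
        return "nesting too deep"
    if keys > MAX_KEYS:
        return "too many keys"
    return None


def authorize(headers: Dict[str, str], body: str, limiter: SpikeArrest) -> Tuple[int, str]:
    """Policy chain; returns (status, reason or app name). 200 means forward."""
    app = verify_api_key(headers.get("x-api-key", ""))
    if app is None:
        return 401, "invalid API key"
    if not limiter.allow(app):
        return 429, "spike arrest: too many requests"
    reason = json_threat_check(body)
    if reason:
        return 400, reason
    return 200, app


def demo() -> List[int]:
    """Constructed scenario with a manual clock: burst of 3 allowed, 4th arrested,
    refill after 2 s, then a bad key and an over-deep document are rejected."""
    t = [0.0]
    limiter = SpikeArrest(rate=1.0, capacity=3, clock=lambda: t[0])
    good = {"x-api-key": "demo-key-mobile"}
    results = [authorize(good, '{"q": 1}', limiter)[0] for _ in range(4)]
    t[0] += 2.0
    results.append(authorize(good, '{"q": 1}', limiter)[0])
    results.append(authorize({"x-api-key": "nope"}, "{}", limiter)[0])
    results.append(authorize({"x-api-key": "demo-key-web"}, "[[[[[[1]]]]]]", limiter)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

Each tenant gets its own bucket, so one misbehaving client exhausts only its own allowance; that per-key accounting is also what the monetization and rate-plan features further down build on.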

API Versioning – API versioning is an important aspect of API management; it allows changes to an existing API without hampering its current users. The new version can coexist with the old version, and clients can migrate to the new version eventually at their own pace.

Monetization of API – Apigee has feature-rich API monetization capabilities: we can define our own rate plans and usage limits as well as documentation for the rate plans. It also provides reports and billing documents.

API Analytics – Apigee also provides valuable insights into API usage patterns, traffic trends, response times, and error rates.


In this post I have tried to list some of the challenges that you will surely encounter on your journey of digital transformation and how they can be taken care of using an API Gateway solution. The idea is to reuse what has already been built and focus on the key functionality rather than trying to solve what has already been solved. There are many API Gateway solutions available, and you can pick and choose based on your needs and cost.


Written by 

Bhavya is CTO at Knoldus Inc. with 16+ years of experience. He is a Java & Scala expert and experienced in managing large customers. He is currently focused on Big Data and the Reactive Stack. Technology and process improvements have been a forte of Bhavya, and he has worked on a varied technology stack starting from COBOL, Mainframe, Java, Scala, Data Warehouse, Oracle, PL/SQL, Salesforce, JMS - ActiveMQ, etc. His hobbies include reading and playing badminton.