Recently at API World I was able to see many new Enterprise API architectures (“marketechtures,” as one engineering director called them, which got few laughs, but I chuckled quietly to myself), including some high-level diagrams from large, well-known providers of services leveraged by enterprises and common end users alike.
Several companies separate the concepts of API Gateways and API Management platforms. They appear as two different entities in their high-level diagrams, which I found very interesting.
The API Gateway features that they mentioned include providing authentication, authorization, and rate limiting at the perimeter of the network. Features that they separated from the Gateway included schema validation, message transformation and data filtering, protocol mediation, and version management (and all kinds of other cool stuff).
I don’t necessarily agree with separating these features and functions from the gateway, but I am biased, since I know that these are all things that the Layer7 Gateway performs quite well and that can be executed without an extra network hop (or extra TLS handshake), which can contribute extra cycles and intermediate latency to the overall round trip.
I understand why some companies choose to do this. Often this is a side effect of build vs. buy. They chose to build their own Gateway, which is arguably not as difficult if you are only trying to solve the problem of authentication and rate limiting. (You still take on the effort yourself, take on extra testing cycles, maintenance, technical debt, upgrades, so maybe it’s still not really worth it, but maybe it is.)
My takeaway is this: you don’t need to separate your API Gateway from your API Management platform conceptually in your architecture diagram. If you spend the time to analyze what you need your API Gateway to do, and plan your traffic and performance needs accordingly, you can have it all in a pre-packaged component that you don’t need to build yourself and that requires little customization.
The API Gateway can be leveraged to do what it does well: provide security, perform data validation, protect back-end resources using rate limiting and throttling, and include version management. Couple that with a developer design-time portal and you have the full package that can reduce cost, reduce technical debt, and help you to sleep better at night.