API Gateway: What Is It and How Does It Work?

API gateways control access to APIs to protect them, reduce API abuse, and increase their value. Additionally, an API gateway add an insulation layer between providers and consumers of APIs. At a high level, an API gateway:

• Authorizes and authenticates: Ensures secure access to APIs and who (authorize) can call APIs
• Controls traffic: Throttling API traffic to avoid denial of service attacks — for example, order status API can be called a maximum of 10 times in a minute
• Adds telemetry and analytics: Understands how APIs are being used across traffic and usage patterns

API gateways can also help and enable additional capabilities, such as:

• API alerts: Traffic and policy alerts for more efficient API monitoring and health
• Efficient API development: Run multiple versions of APIs allowing customers to iterate, test, and release new versions quickly and protocol conversion to support multiple clients with single API
• Support modernization initiatives: Support DevOps and microservices initiatives by providing a security mechanism to control access to one API or a group of APIs
• API monetization: API analytics or usage provided by an API gateway can enable API monetization initiatives through billing, reports, and more

The best API gateways are designed from the ground up to provide robust security. An API gateway typically performs the following functions:

• Serving as an inline proxy point of control over APIs
• Verifying the identity associated with API requests through credential and token validation and other authentication means
• Determining which traffic is authorized to pass through the API to backend services
• Metering the traffic flowing through the APIs using rate limiting and throttling
• Logging all transactions and applying runtime policies to enforce governance
• Providing last-mile security to the backend services that power the APIs

Organizations with a unified approach to universal API Management can use Anypoint Platform to discover, build, govern, and manage any API for universal visibility and consistent management. Use the adjustable Flex Gateway or embedded Mule Gateway to control access to any API and use a centralized control plane to manage security policies and analyze API traffic.

MuleSoft's industry-leading API management platform provides end-to-end, enterprise-grade security with the following API gateway options:

Flex Gateway is an ultrafast and lightweight API gateway designed to manage and secure APIs running anywhere. Built to integrate with DevOps and CI/CD workflows seamlessly, Anypoint Flex Gateway delivers the performance required for the most demanding applications and microservices. It also provides enterprise security and manageability across any environment.

Mule Runtime includes an embedded Mule Gateway. Using this gateway, a user can

• Apply a basic authentication policy on top of a Mule application
• Enrich an incoming/outgoing message
• Add any complex capability to an API without having to write any code

Anypoint Mule Gateway is embedded on top of a Mule application runtime and in this mode protects one API basic endpoint. The entire Mule application can also be used as a proxy to support multiple upstream applications. Anypoint Mule Gateway allows you to add a dedicated orchestration layer on top of your backend APIs and services to help you separate orchestration from implementation concerns.

Mule Gateway is purpose-built for MuleSoft-based applications and integration use cases — rather than tailored to a modern microservices approach.

It's easy to recognize the value in API gateways as they control and protect APIs and applications, but how do they compare to service mesh? A service mesh is an architectural pattern used for microservices deployments that enables secure, faster, and more reliable service-to-service communications.

Anypoint Service Mesh enables you to extend your microservices network by including your non-MuleSoft applications within Anypoint Platform’s network. You can then manage and secure all of your applications and systems seamlessly from a single plane, regardless of their coding language or which platform or environment they're deployed on.

Both a service mesh and an API gateway can handle request routing, authentication, rate limiting, and monitoring, but an API gateway mainly focus on managing client-to-service traffic while a service mesh focuses on service-to-service communication. Together an API gateway and service mesh can drive digital transformation, support innovation, and scale security.

To learn more about finding the right API gateway for your business, check out this Anypoint Flex Gateway Benchmarking Guide.