API Gateways: Do I Need One, None, or Many? Balancing Multiple API Gateways at Vanguard

With a substantial IT division, APIs have become vital in Vanguard’s shift from monolithic systems to APIs and microservices in the cloud.

API gateways act as intermediaries between API consumers and producers, simplifying API communication by serving as a single entry point for client requests. At Vanguard, API gateways offer control, flexibility, and the ability to maintain a loosely coupled microservices architecture, enhancing overall efficiency.

To decide whether an API gateway is necessary, organizations need to weigh their unique requirements. 

“You might be asking yourself if you even really need an API gateway, which is an important first thing to assess,” said. Katie Zhuang. “Generally, if you're foreseeing, you would need configurations for multiple API services to have security, optimization, or monitoring and logging activity, adding an API gateway to your architecture can be a great addition.”

Zhuang added that the value of having a gateway goes up in line with economies of scale. The more APIs you have, the harder they'll get to manage without a standardized platform.

Adding an API gateway becomes increasingly beneficial when managing multiple APIs. The gateway ensures uniform configurations for security, optimization, and monitoring, making it ideal for large-scale operations.

There are some situations where a single API gateway can’t satisfy a team's needs.

As Vanguard matured in the API space, the team uncovered several mutually exclusive requirements that couldn't be satisfied by a single API gateway: including stable URLs, developer portals, global plugins, and API standardization.

1. Stable URLs for APIs

API gateways typically route traffic through specific URLs. However, for APIs undergoing frequent changes, having stable, unchanging URLs can be invaluable. These stable URLs, also known as persistent URLs, provide a way to call an API without worrying about its underlying architecture.

Vanguard introduced an external API gateway with stable URLs for their externally-facing APIs, ensuring a consistent and reliable access point for external consumers. However, as the majority of their APIs were for internal use, they required a solution to offer the same stability to their in-house developers. 

The solution? A separate internal API gateway exclusively for these internal APIs.

2. Developer Portals

Developer portals are indispensable for internal teams with a plethora of APIs. They serve as a comprehensive directory, making it easy for developers to discover and access APIs. 

While Vanguard's external APIs catered to specific vendors and didn't require a general developer portal, their internal developers could significantly benefit from such a portal. Vanguard addressed this need by creating an internal Kong API gateway with an integrated developer portal. Now, teams have an organized way to explore the full range of available internal APIs.

3. Custom Global Plugins

One unique aspect of API gateways is the ability to use custom plugins to enhance functionality. 

However, some plugins need to be applied universally, impacting all APIs on a gateway. What if a particular API has unique requirements and doesn't align with these universal plugins? It would pose a roadblock to onboarding that API to the gateway.

To tackle this, Vanguard considered having separate API gateways to cater to different use cases. This approach allowed teams to take advantage of universally mandated plugins without sacrificing the unique needs of their APIs.

4. API Standardization

Vanguard imposes rigorous standards on its external APIs to ensure compliance, best practices, and high-quality code. They use a linter to check APIs for security and quality issues. However, applying the same level of rigor to internal APIs could potentially hinder development, especially when APIs are still in non-production stages.

To address this, Vanguard decided that internal APIs could deploy to their own separate gateway, free from the strict linting requirements. This allowed internal APIs to be more flexible in their development while still following best practices.

However, implementing multiple gateways isn't without its challenges. It requires careful consideration of cost, latency, and security concerns. Teams must ensure they have a valid use case that justifies the investment and evaluate whether alternative solutions can serve their needs.

• Monetary cost: This encompassed license fees, cloud costs, and staffing expenses related to both building and maintaining the gateway.

• Added latency: The concern about potential delays caused by routing API calls through an additional step in the gateway, which could become more pronounced with the inclusion of custom plugins and business logic.

• Single point of failure: API gateways introduce the risk of being a single point of failure. They can couple independent microservices, potentially disrupting the entire system if the gateway's configuration is compromised.

Vanguard weighed the financial, performance, and security considerations when deciding to use API gateways, ultimately opting to leverage their benefits while being aware of the associated risks.

“Ultimately, we decided the benefits outweighed the risks,” Sophia Trump said. “And today at Vanguard, we have multiple Kong API gateways that satisfy our unique use cases.”

There are many benefits of using multiple API gateways for both external and internal traffic.

For external traffic, benefits realized can include:

• Authentication, authorization, and auditing — ensuring only valid users have access to Vanguard APIs and enforcing the standard in a centralized way.
• Traffic management — to product underlying services behind the gateway, in particular, with server-level throttling to prevent attacks, and enforcing per-consumer level traffic quotas.
• Threat protection — beyond the security measures baked into Kong, organizations can integrate with their own WAF (web application firewall) and use custom security plugins.
• Analytics — via logging integration and Kong Vitals.

For internal traffic, benefits realized can include addressing unique use cases rather than cluttering a single API gateway with multiple types of traffic. In particular, for the team at Vanguard, this meant addressing an internal need identified for API standardization and stable URLs — and universal plugins that can be applied to calls all across services linked to the gateway.

Conclusion

The decision to implement API gateways ultimately depends on the specific needs of your organization. A well-thought-out strategy can enhance API management, improve security, and provide valuable insights into API performance. Whether it's one, none, or many, API gateways should align with your organization's unique requirements and goals.