Guidance for Application Programming Interface (API) Gateways

On this page

  1. Manage the Traffic
  2. Control the Connectivity
  3. Control the Access
  4. Inspect the Content
  5. Monitor the Requests

Application Programming Interfaces (APIs) provide powerful interfaces to remotely access data and system functionality. The direct system-to-system access that APIs enable increases both the likelihood and the impact of a security breach, so API security should be top of mind in any API implementation. The API Gateway is a solution concept for addressing the security risks of exposing APIs both within and outside of an organization, through capabilities such as throttling and proxying.

This guide is intended to serve as a baseline set of considerations for technical practitioners (e.g., API developers, architects) when implementing API-centric solutions. It is by no means an exhaustive list of all possible API Gateway functionality. The marketplace for API Gateway technologies is evolving rapidly, especially due to the rise of microservice architectures, and the boundaries between API Gateways, API Management, Enterprise Service Buses, and Service Meshes are blurring quickly. There is no one-size-fits-all approach to API Gateways and it is unlikely that a single product will address all of your needs.

1. Manage the Traffic

Various methods should be deployed to control the amount of traffic hitting an API, to reduce the risk of the API being brought down by unexpectedly high request loads, whether malicious or not. Most of these methods are available in even the most basic open source HTTP reverse proxy technologies (e.g., NGINX).

2. Control the Connectivity

API Gateways provide a connectivity consolidation point to simplify and control network flows between APIs and API consumers. This is particularly important for APIs exposed to other departments or external parties, as internal IP addresses should be abstracted from external systems. This also ensures that internal changes to deployment topology or infrastructure do not impact the API consumers. These features are typically available in any HTTP reverse proxy technology and are universally available in API Gateway products.
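The traffic controls of section 1 and the connectivity consolidation of section 2 can both be expressed in a basic reverse proxy configuration. The following NGINX configuration is an added illustration, not part of this guidance; the backend addresses, hostname, certificate paths and limit values are assumed placeholders to be replaced with your own.

```nginx
# Added example: NGINX as a minimal API gateway that throttles clients and
# hides the internal backend topology. All addresses and paths are assumed.
events { worker_connections 1024; }

http {
    # Per-client request rate: 10 requests/second, state kept in a 10 MB shared zone.
    limit_req_zone $binary_remote_addr zone=api_rps:10m rate=10r/s;
    # Per-client limit on concurrent connections.
    limit_conn_zone $binary_remote_addr zone=api_conn:10m;
    # Return 429 (not the default 503) for throttled requests so monitoring
    # can distinguish throttling from backend failures (section 5).
    limit_req_status 429;
    limit_conn_status 429;

    # Internal API instances; consumers only ever see the gateway hostname (section 2).
    upstream internal_api {
        server 10.0.0.11:8080;   # assumed internal address
        server 10.0.0.12:8080;   # assumed internal address
    }

    server {
        listen 443 ssl;
        server_name api.example.com;                          # assumed gateway hostname
        ssl_certificate     /etc/nginx/certs/gateway.crt;     # assumed path
        ssl_certificate_key /etc/nginx/certs/gateway.key;     # assumed path

        # Reject oversized payloads and slow clients before they reach the API.
        client_max_body_size  1m;
        client_body_timeout   10s;
        client_header_timeout 10s;

        location /api/ {
            # Allow a burst of 20 requests above the steady rate (queued, not
            # dropped); anything beyond that is rejected with 429.
            limit_req zone=api_rps burst=20;
            limit_conn api_conn 10;

            proxy_pass http://internal_api/;
            # Pass consumer identity through for API-level logging without
            # exposing where the request was routed internally.
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Fail fast on an unresponsive backend so the gateway is not tied up.
            proxy_connect_timeout 2s;
            proxy_read_timeout    30s;
        }
    }
}
```

Changing the backend addresses in the upstream block requires no change on the consumer side, which is the abstraction section 2 describes.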

3. Control the Access

More robust API Gateway solutions offer authentication and authorization on API requests. While offloading the heavy lifting in authentication and authorization logic makes sense in some cases, it does not mean that authentication or authorization is not required at the API level as well. Unauthenticated APIs are only appropriate for Open Data and public unclassified APIs, while Gateway access control is an added layer of security for more sensitive data.

4. Inspect the Content

Security-focused API Gateway solutions provide the ability to perform a significant share of the payload data security controls in addition to implementing them within the API itself. The goal is to move the initial security enforcement point further out toward the perimeter and away from the data, without compromising the security posture of the API itself.

5. Monitor the Requests

All traffic through the API Gateway solution should be monitored, logged, and reported on. This data is one of the key benefits to using a gateway and should be used to provide both an operational and a business view on how the API is being leveraged and how it is performing.
