This morning, we announced the private beta of StrongLoop Gateway. We’ve never seen so much interest in a product that we haven’t even released or promoted. Of course, for any business, this is a “good problem” to have. It’s been rewarding to validate that the StrongLoop Gateway will meet the needs of so many people. It’s also rewarding to see that we have an advantage over competitors because the StrongLoop Gateway is tailored to the needs of API development and not – management.
Let’s start from the beginning and explain the overloaded term “gateway.”
An API gateway externalizes, secures, and manages APIs. It is an intermediary between API consumers (clients) and backend API providers (API servers).
In this intermediary position, the API gateway performs several functions depending on the needs of the enterprise, as summarized in the table below.
|Function||API Gateway Role|
|Security||Acts as both provider and delegator to authentication, authorization, and auditing (AAA) sources within the enterprise as the first intercept to establish identity.|
|Mediation and Transformation||Mediates between protocols and transforms portions of the API payload (both header and body) for clients that have fixed and/or specific requirements for consumption.|
|Infrastructure QoS||Performs infrastructure-level API consumption functions required by client such as pagination, throttling, caching, delivery guarantee, firewall, and so on.|
|Monitoring and Reporting||Instruments APIs to fulfill service-level agreements (SLAs) through the monitoring of APIs and also injects metadata to report on API usage, health, and other metrics.|
|Aggregation||Composes coarse-grained APIs (mashups) from fine-grained micro-APIs to fulfill specific business case operations through dynamic invocation and construction.|
|Virtualization||A layer of abstraction that virtualizes API endpoints and acts as a reverse proxy to API server host instances for high availability, security and scale.|
A Better Way and Experience
As you can see from above, all of the value that the API Gateway provides presumes one thing: you actually have APIs. Composing and surfacing APIs in the first place is becoming a greater challenge because:
- There’s an exponential increase in the types of clients proliferated by legacy systems, cloud, mobile, and now even IoT.
- APIs are developed and exposed through underlying legacy services that…
- Were built on heterogeneous platform and languages, by different teams with different technical skillsets.
- Constructed monolithically within a domain that is not divided into discrete atomic boundaries.
- Assume a fixed number of access patterns and therefore are statically defined.
- Are not well defined, documented, or published centrally internally let alone externally.
- Are faced with a difficult integration problem when interfacing with cloud APIs and services with different protocols and data formats.
- Surfacing an API requires a long, drawn-out workflow with different parties (developers, operations, and business analysts) using different toolsets to complete their part to expose an API all the way down the stack
At StrongLoop, we’ve lived and breathed these challenges and we’re providing a comprehensive toolset that addresses the entire API lifecycle, all of its participating constituents, and we recognize that an integrated platform provides a seamless experience as a solution.
Quite simply put…
“Developing and composing APIs should be easy and flow naturally into deploying, running and managing those APIs in a stack that every one can easily understand and utilize.”
– CTO wearing green wrinkled shirt
- Integrate data and services in LoopBack our open source framework
- Build and deploy them into a Node.js runtime backed by the StrongLoop Process Manager
- Maintain and monitor them using Arc or having the instrumentation data forwarded to your own pre-existing enterprise dashboard.
All of the above using Arc as a unified graphical suite, or having everything scripted and integrated into your existing infrastructure using slc and the Node.js API we’ve built for our toolset.
StrongLoop API Gateway
Functionality Out of the Box
We’ve taken the most common use cases and built in four different types of policies:
- Oauth2 authentication and authorization (The gateway supports other auth schemes and providers through Passport such as SAML, AD, Kerberos etc)
- Rate limiting
- Reverse proxy
At a high level, the StrongLoop Gateway works as follows:
- Register your client application with the gateway with the built-in Oauth2 provider.
- Authenticate through the API gateway using OAuth credentials: covers AAA through identity, authentication, and API endpoint authorization.
- Generate and store tokens.
- Capture invocation and create metric for API endpoint invocation.
- Measure invocations per interval (for example: 5,000 requests per hour).
- If number of invocation exceeds the policy, then limit the rate of invocation, otherwise…
- Proxy the request to the appropriate LoopBack instance.
What Makes our Gateway Different
The StrongLoop Gateway has the following standout features:
- Seamlessly integrates API development with management through the LoopBack framework as the same re-used building blocks.
- Federates many-to-many identity, AAA, and token management.
- Enterprise integration and flexibility leveraging open source modules for Express and Passport.
Get Started Evaluating API Gateway
- Send us an email to get your free evaluation started!
- See the StrongLoop API Gateway in action! Sign up for the webinar on Aug 11.
- Read the step-by-step tutorial
- Read the documentation
- Get the sample apps