Cyberlands.io - API Penetration Testing

11 Open-Source API Gateways

Learn about top open-source API gateways that are worth considering in 2022

The microservices approach to software development is increasingly becoming a popular alternative to age-old monoliths. Unlike a monolithic application, a microservices application is decoupled into distinct services that can be developed, deployed, and maintained independently of each other. Each such discrete service is responsible for a distinct task and communicates with other services via simple APIs. Such small, granular services make it easy for software teams to design, code, test, and push code into production faster, making changes quicker and lowering a business's time to market. In addition, these modular services can be scaled individually, independently, and much faster than if they were part of a single monolithic application. There's a catch, though.

Since microservices run on different servers, a client wanting to access different services would need to make multiple direct requests to those services. This approach increases latency, since multiple pieces of data are returned to the client at different times, especially where your application landscape is large and complex. An API gateway is one solution.

Each microservice exposes a set of endpoints (business rules) to enable communication with the client. An API gateway aggregates all of these endpoints from multiple services into a single consolidated endpoint (or URL) and, by so doing, becomes the single front-facing service for all microservices. In this capacity, it accepts the client's API calls, routes them to the back-end microservices, collects the responses, and returns them to the client. Beyond this, API gateways also support functions like authentication, load balancing, rate-limiting, quotas, and throttling, while reducing the risk from DDoS attacks.
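To make the aggregation concrete, here is an added example in Go (not code from any gateway profiled on this page) of a minimal aggregating gateway: it fans one client request out to two constructed sample backends in parallel, merges their JSON replies under one endpoint, bounds upstream wait time and body size, and fails closed on a broken upstream rather than returning a partial document. The `Backend`, `Gateway`, and `FakeBackend` names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Backend is one upstream microservice; Name is the key its reply is merged under.
type Backend struct{ Name, URL string }

// upstream bounds how long the gateway waits on any single backend, so one slow
// service cannot pin the client (and the gateway's connections) indefinitely.
var upstream = &http.Client{Timeout: 2 * time.Second}

// Gateway is the single front door: it fans one client request out to every
// backend concurrently and merges the JSON replies into one body.
type Gateway struct{ backends []Backend }

func NewGateway(backends []Backend) *Gateway { return &Gateway{backends: backends} }

// fetch gets one backend's reply, rejecting non-200 status and non-JSON bodies
// so a broken upstream cannot inject arbitrary bytes into the merged document.
func fetch(be Backend, path string) ([]byte, error) {
	resp, err := upstream.Get(be.URL + path)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap upstream body size
	if err == nil && (resp.StatusCode != http.StatusOK || !json.Valid(body)) {
		err = fmt.Errorf("%s: bad upstream reply (status %d)", be.Name, resp.StatusCode)
	}
	return body, err
}

// Aggregate queries every backend for path in parallel, so total latency is the
// slowest backend rather than the sum. One failing upstream fails the whole call
// instead of returning a partial document.
func (g *Gateway) Aggregate(path string) (map[string]json.RawMessage, error) {
	type reply struct {
		name string
		body []byte
		err  error
	}
	ch := make(chan reply, len(g.backends))
	for _, be := range g.backends {
		go func(be Backend) {
			body, err := fetch(be, path)
			ch <- reply{be.Name, body, err}
		}(be)
	}
	merged := map[string]json.RawMessage{}
	for range g.backends {
		r := <-ch
		if r.err != nil {
			return nil, r.err
		}
		merged[r.name] = r.body
	}
	return merged, nil
}

// ServeHTTP is the consolidated endpoint clients call instead of each service.
func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	merged, err := g.Aggregate(r.URL.Path)
	if err != nil {
		http.Error(w, "upstream failure", http.StatusBadGateway) // detail belongs in logs, not the reply
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(merged)
}

// FakeBackend stands in for a microservice and answers every path with one constructed JSON document.
func FakeBackend(payload string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, payload)
	}))
}

func main() {
	users := FakeBackend(`{"id":"42","name":"alice"}`)      // constructed sample service
	orders := FakeBackend(`[{"order":"a1"},{"order":"a2"}]`) // constructed sample service
	defer users.Close()
	defer orders.Close()
	rec := httptest.NewRecorder()
	gw := NewGateway([]Backend{{"user", users.URL}, {"orders", orders.URL}})
	gw.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/42", nil))
	fmt.Println(rec.Code, rec.Body.String())
}
```

A real gateway maps client routes to backend paths explicitly rather than forwarding the client's path verbatim as this example does; the fail-closed behaviour on a non-JSON or non-200 upstream is the part worth keeping, since a partial or malformed aggregate is harder for clients to handle safely than a clean 502.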

Since API gateways are going to be almost permanent fixtures in your microservices landscape, we decided to profile some of the most popular API gateways on the market. All of these are open-source and free.
#1 Kong
Kong is a high-performance open-source API gateway built on the NGINX proxy server, which happens to be the third most popular HTTP server. The server is capable of receiving and processing client requests and rapidly transmitting them. Kong is also highly extensible through various plug-ins. Overall, the gateway architecture is designed around reducing communication latency and improving application responsiveness. Moreover, with user-role-based permissions and access controls set up in its network layer, the gateway secures your applications against unauthorized users. The API gateway can run with minimal hardware resources, unlike traditional servers. Seated between your clients and API applications, the Kong Gateway gives applications capabilities that are not otherwise supported by the operating system. Furthermore, the gateway augments API capabilities and enables them to perform at scale using powerful plugins and easy integrations. The open-source API gateway is specifically designed for the cloud and listens for clearly defined events (e.g., creation of new admins, addition of new plug-ins) in your deployment. Based on these, the gateway triggers outbound calls to alert you, so you learn of such events sooner. In short, this is a well-suited gateway for distributed computing architectures and microservices. Customers include Verifone, First Abu Dhabi Bank, Cargill, Australia Post, and other leading enterprises.
#2 Apache APISIX
Apache APISIX, developed at Zhiliu Technology in Shenzhen, China, was later donated to the Apache Incubator, the entry point to the Apache Software Foundation open-source community. It is considered a high-performance API gateway and provides dynamic routing, whereby the router automatically forwards data packets along multiple paths based on the layout of your network. There are numerous plugins with a full range of features you can install. These cover authentication, security, traffic control, serverless apps, analytics and monitoring, transformations, and logging of data and events. The best part is that you don't need to restart or reset the service in order to add, delete, or modify a plugin, because all of these plugins are hot-loaded. These and other features make Apache APISIX a good fit for managing microservice APIs with minimum latency. The gateway handles both north-south (client-to-server) traffic and east-west (within the local area network) traffic. Besides, it can serve as an ingress controller in Kubernetes environments to balance the workload across pods without the need for any extra configuration in most cases. Enterprises like GovTech Singapore, Merck Sharp & Dohme (MSD), and the iQIYI online video platform use Apache APISIX.
#3 Tyk
Tyk is an open-source API management platform comprising a market-leading API gateway, an API developer portal, and a user-friendly dashboard. It is a lightweight, stable, and performance-oriented API gateway that is easy to configure. Tyk brings multiple security mechanisms into play to secure your APIs and gateway. For instance, API tokens, which uniquely identify and authenticate applications, are stored in the Redis key store only as key hashes rather than in plaintext. It also supports TLS and mutual TLS to authenticate the identity of the client app. Another application security technique is certificate pinning, which means only authorized certificates are accepted for authenticating client-server connections, protecting your app's network data from compromised ("rogue") certificates. The Tyk Dashboard is at once a GUI and a highly detailed analytics platform. With a flexible REST API design, it can handle multiple types of API calls. Some platforms auto-publish APIs to the portal. By contrast, Tyk exposes only a façade, a simplified layer, to the developer portal, while masking complex components in the system. Third parties can then sign up and use the APIs. You can buy Tyk through the AWS Marketplace and deploy it in no time. Tyk's customers include Société Générale, Royal Bank of Scotland, Domino's, GoDaddy, eBay, T-Mobile, Audi, and Deutsche Telekom.
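As an illustration of the hashed-token idea, the following is an added example in Go and not Tyk's code (Tyk keeps its records in Redis; this one uses an in-memory map). The store keeps only the SHA-256 digest of each API key, so a dump of the store yields nothing a client could present, and the plaintext token is returned to the owner exactly once at issue time. The `KeyStore` and `KeyRecord` names and the sample owner and scope strings are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"sync"
)

// KeyRecord is the metadata kept per API token. The token itself is never stored.
type KeyRecord struct {
	Owner  string
	Scopes []string
}

// KeyStore maps hex(SHA-256(token)) to the token's record, so reading the store
// (or the Redis keyspace a gateway would put behind it) yields no usable tokens.
type KeyStore struct {
	mu      sync.RWMutex
	records map[string]KeyRecord
}

func NewKeyStore() *KeyStore { return &KeyStore{records: map[string]KeyRecord{}} }

// HashToken derives the lookup key. A plain SHA-256 is enough here because the
// tokens are 256-bit random values; slow password-style KDFs exist for
// low-entropy secrets a person chose, not for keys the server generated.
func HashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue mints a random token, stores only its hash, and returns the plaintext
// exactly once. If the owner loses it, the only remedy is to issue a new one.
func (s *KeyStore) Issue(owner string, scopes []string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.mu.Lock()
	s.records[HashToken(token)] = KeyRecord{Owner: owner, Scopes: scopes}
	s.mu.Unlock()
	return token, nil
}

// Authenticate hashes the presented token and looks the digest up. Because the
// lookup is on a digest of a high-entropy value, map timing reveals nothing useful.
func (s *KeyStore) Authenticate(token string) (KeyRecord, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	rec, ok := s.records[HashToken(token)]
	return rec, ok
}

// Revoke deletes a token given either its plaintext or its stored digest, so an
// operator can revoke from a store listing without ever having seen the token.
func (s *KeyStore) Revoke(tokenOrDigest string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.records, HashToken(tokenOrDigest))
	delete(s.records, tokenOrDigest)
}

// HasScope reports whether the record grants the named scope.
func (rec KeyRecord) HasScope(scope string) bool {
	for _, s := range rec.Scopes {
		if s == scope {
			return true
		}
	}
	return false
}

// Digests lists what an operator (or anyone who reads the store) actually sees.
func (s *KeyStore) Digests() []string {
	s.mu.RLock()
	defer s.mu.RUnlock()
	out := make([]string, 0, len(s.records))
	for d := range s.records {
		out = append(out, d)
	}
	sort.Strings(out)
	return out
}

func main() {
	ks := NewKeyStore()
	tok, _ := ks.Issue("billing-svc", []string{"read:invoices"}) // constructed sample owner and scope
	rec, ok := ks.Authenticate(tok)
	fmt.Println(ok, rec.Owner, ks.Digests()) // the store holds only the digest, never tok
}
```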
#4 Ocelot
This lightweight, open-source API gateway is designed to run on any platform supported by the ASP.NET Core web-app development framework. Simply put, it works at the HTTP application layer. Ocelot is fast, adapts easily to increased workloads, and provides a set of user-oriented intermediate layers for microservice applications. The gateway features routing, authentication, rate limiting, and load balancing, among others. However, features like chunked encoding of data, host header forwarding, and the Swagger framework for API documentation are not supported. Essentially, Ocelot works by breaking down multiple server requests, where required, and then routing them simultaneously to the relevant downstream microservices via an "HttpRequestMessage" object. Ocelot thus provides a unified point of entry into the system for users of microservices based on .NET Core. Ocelot places limits on the number of upstream requests that can be made in a defined period to avoid overloading downstream services. The gateway uses CacheManager, an open-source abstraction layer for .NET, making it easier for developers to deal with otherwise tough caching scenarios. More than 7 million students at nearly 500 educational institutions use Ocelot.
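The period-based request limit described for Ocelot is commonly implemented as a token bucket. The following is an added example in Go, not Ocelot's code (Ocelot is .NET): a per-client limiter wrapped as HTTP middleware that answers 429 before a request reaches any downstream service, with an injectable clock so the behaviour can be checked without sleeping. The `X-API-Key` header name and the `Probe` helper are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// bucket is a token bucket: up to capacity requests at once, refilled at rate per second.
type bucket struct {
	tokens, capacity, rate float64
	last                   time.Time
}

func (b *bucket) take(now time.Time) bool {
	b.tokens += now.Sub(b.last).Seconds() * b.rate
	if b.tokens > b.capacity {
		b.tokens = b.capacity
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Limiter keeps one bucket per client key. Now is a field so tests can drive
// time deterministically instead of sleeping.
type Limiter struct {
	mu             sync.Mutex
	buckets        map[string]*bucket
	capacity, rate float64
	Now            func() time.Time
}

func NewLimiter(capacity, rate float64) *Limiter {
	return &Limiter{buckets: map[string]*bucket{}, capacity: capacity, rate: rate, Now: time.Now}
}

// Allow charges one token from key's bucket, creating it full on first sight.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	b := l.buckets[key]
	if b == nil {
		b = &bucket{tokens: l.capacity, capacity: l.capacity, rate: l.rate, last: now}
		l.buckets[key] = b
	}
	return b.take(now)
}

// Middleware answers 429 before the request reaches any downstream service.
// The client key is taken from an API key header here (a constructed name); in
// production it should be whatever identity the gateway has already
// authenticated, never a spoofable client-supplied value on its own.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := r.Header.Get("X-API-Key")
		if key == "" {
			key = r.RemoteAddr
		}
		if !l.Allow(key) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends n requests for key through the middleware and returns the status codes.
func Probe(l *Limiter, key string, n int) []int {
	h := l.Middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	codes := make([]int, 0, n)
	for i := 0; i < n; i++ {
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodGet, "/orders", nil)
		req.Header.Set("X-API-Key", key)
		h.ServeHTTP(rec, req)
		codes = append(codes, rec.Code)
	}
	return codes
}

func main() {
	l := NewLimiter(2, 1)                // burst of 2, then one request per second
	fmt.Println(Probe(l, "client-a", 3)) // prints [200 200 429]
}
```

Keying the bucket on an unauthenticated header means a client can reset its own limit by changing the header; the defensible key is the authenticated identity, with the remote address only as a fallback for anonymous traffic.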
#5 Goku
Goku API Gateway (known in China as "Wukong API Gateway"), from China-based EOLINK Inc., supports high-performance dynamic routing, unified management of IT resources, multi-tenant software management, API access control, and more. The gateway is developed in pure Golang, performs well, and is highly scalable. On top of that, you can customize it to meet the specifics of your enterprise. Goku moves components that are duplicated across your internal systems onto the gateway. The benefit is that such duplicated components (e.g., user authorization, access control, firewall, data conversion) do not call the API multiple times. Instead, the API is called only once and the same data is shared across the project. Not only does this avoid duplicate API calls, but it also speeds up obtaining relevant data from various services. Apart from standard features, Goku offers clustering, resulting in a highly available setup in which the workload is distributed across multiple nodes. Other features include a graphical user interface and a plug-in tool for easy configuration, as well as hot updates and easy gateway logging. Goku's parent company EOLINK has so far delivered this API solution to more than 30,000 enterprises.
#6 Express Gateway
Express Gateway is built on Express, a hugely popular open-source web framework, and its middleware model. Simplicity and flexibility are Express's great strengths. Basically, the gateway is made up of several components bundled together to create an effective API management tool that can serve as a single point of entry for all clients. A centralized, declarative approach to application configuration management ensures all lower-level components in the system stay aligned with the predefined goals. Routes are dynamically added to the gateway in the form of input parameters, and no coding changes are required. It allows the addition of new functionality via JavaScript/Node.js and various plugins to support policies, conditions, and custom routes. In addition, the Express Gateway core is extensible across different platforms and languages. The gateway's credentials management module enables easy integration with different identity and access management services. Express Gateway allows application data to be accessed globally by your developers. The development team also has the luxury of working on multiple instances of the gateway. This means data in one instance is isolated from the others, and workloads can be allocated across multiple databases. Netflix, Dell, and TUI Group reportedly use Express Gateway.
#7 Gloo Edge
Built on the open-source Envoy client-side proxy, Gloo Edge is an open-source ingress controller that also offers API gateway functionality. As a feature-rich ingress controller, it balances the workload across multiple servers in Kubernetes and other containerized environments. Gloo Edge was developed with the unique requirements of decentralized and highly dynamic computing platforms in mind. Notably, this gateway can route requests directly to functions such as the Lambda serverless compute service, Google Cloud, the OpenFaaS serverless functions builder, legacy services (e.g., REST API calls), and cloud-native messaging systems (e.g., NATS). As a result, Gloo Edge is able to support both native and web apps. Moreover, with a flexible architecture, the gateway fits well with other popular open-source projects such as Kubernetes (K8s), the Nomad workload orchestrator, the Red Hat OpenShift container orchestration platform, the Consul service networking platform, and HashiCorp Vault. It also supports fully automated discovery of new features, circuit-breaking at the network level to avoid unsafe request overloads, and rate-limiting. Gloo Mesh Enterprise, based on the industry-standard Istio service mesh, helps unify and effectively manage communication between various distributed microservices applications. Gloo Edge's customer base includes names like ADP, American Express, BMW, ING, Informatica, Mattel, Pega, NTT Communications, SAP, Schneider Electric, and T-Mobile.
#8 KrakenD
KrakenD is a high-performance open-source API gateway with middlewares. Since early 2017, the gateway has been used by large Internet businesses in Europe, and as of May 2021 there were as many as 1,800,000 KrakenD servers running. KrakenD was conceived as a pure-play API gateway and, as such, sits in the application layer of the Open Systems Interconnection (OSI) model; it is not tied to the OSI transport layer. As a "true" API gateway, it aggregates multiple client requests into a single one, bundles the responses from various internal microservices into a single API endpoint, and sends these back to the requesting client. All this request processing happens on the fly, with the gateway shouldering the serious and difficult tasks: API request aggregation, resource filtering, data decoding, request authentication, and request throttling. KrakenD has a declarative configuration, so the "desired state" of the endpoints is declared in its configuration and requires no additional coding on your side. The gateway is very modular in structure, and functionality can be added using plug-and-play middleware, either open-source or your own proprietary code. KrakenD counts Mail.ru Group and Pearson among its customers.
#9 Ambassador
Ambassador is an open-source Kubernetes-native API gateway built on the high-performance Envoy Proxy. It is deployed on virtual machines or within the Kubernetes container orchestration system and serves as a gatekeeper controlling all ingress and egress. New or upgraded versions of your services are best kept private, and exposing your APIs to third parties can be risky. With Ambassador, users can access APIs and microservices in a secure and reliable manner. Furthermore, Ambassador's proxy server (Edge Stack) provides developers with a user interface to easily apply policies to the API, thus putting more control in the hands of developers. Ambassador offers many more features, such as testing on many levels. Take the Service Preview feature: it allows developers to see how the system functions under a large number of concurrent users from a single integrated development environment. The result is quicker fault isolation, fewer bugs and code changes, and, most of all, minimal developer friction in your software delivery pipeline. Ambassador also supports tasks like service discovery, configuration management, routing rules, and rate-limiting. It provides great flexibility and ease of configuration for your services. Nvidia, Ticketmaster, Microsoft, and PTC software services use Ambassador.
#10 Zuul
Zuul, a Netflix open-source project, is at once a Java Virtual Machine (JVM)-based router and a server-side load balancer responsible for routing traffic across multiple backend servers. Zuul functions as a single entry point for monitoring and managing all of your API requests. This open-source gateway implementation performs dynamic routing of incoming requests to the various backend microservices as requested. It will also route to multiple Amazon Auto Scaling Groups, thus supporting automatic distribution of incoming application traffic across multiple data centers worldwide. Zuul can be configured as a client of a Eureka server (discovery server). Since every application registers with the Eureka server, Eureka knows which client application is running on each port/IP address, so you needn't hardcode the microservices' IPs in the frontend applications. Rather, you can point all backend microservices at Eureka, which takes over from there to enable seamless communication between the front and back ends. At the same time, the Eureka directory doesn't expose the APIs to the outside world and its associated security risks. More importantly, the Zuul server is bundled with the Spring Cloud dependency, which allows you to authenticate requests (using OAuth2 and JWT) and then pass them to the backend. NEC, T-Systems, Volvo, BMW, GoDaddy, and OpenStack run Zuul.
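Authenticating at the edge, as described for Zuul with Spring Cloud, means the gateway verifies the bearer token before anything reaches a backend. Here is an added, self-contained Go example of that check (not Zuul's or Spring Cloud's code): it pins the algorithm to HS256 so `alg: none` and key-confusion headers are rejected before any signature work, verifies the HMAC in constant time, enforces `exp`, and only then forwards the request with the verified subject attached. The `X-Authenticated-Subject` header name, the demo secret, and the `SignHS256` helper (an issuer's job, included so the example runs offline) are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url for all three segments

// SignHS256 mints a token for the demo. In a real deployment this runs at the
// identity provider, not the gateway; the gateway only verifies.
func SignHS256(claims map[string]interface{}, secret []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 checks structure, pins the algorithm to HS256 (so "none" or an
// RS256 header is rejected outright), verifies the MAC in constant time, and
// enforces exp against now. Claims are returned only after every check passes.
func VerifyHS256(token string, secret []byte, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature mismatch")
	}
	rawClaims, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed claims")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, errors.New("malformed claims")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

// RequireJWT is the edge check: authenticate the bearer token here, then pass
// the request on with the verified subject attached. Set (not Add) overwrites
// any value the client tried to smuggle in under the same header name.
func RequireJWT(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		claims, err := VerifyHS256(strings.TrimPrefix(auth, "Bearer "), secret, time.Now())
		if err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized) // the reason belongs in logs
			return
		}
		sub, _ := claims["sub"].(string)
		r.Header.Set("X-Authenticated-Subject", sub) // constructed header name; backends trust only the gateway
		next.ServeHTTP(w, r)
	})
}

func main() {
	secret := []byte("constructed-demo-secret") // in practice loaded from a secret store, never from source
	tok, _ := SignHS256(map[string]interface{}{"sub": "alice", "exp": time.Now().Add(time.Hour).Unix()}, secret)
	claims, err := VerifyHS256(tok, secret, time.Now())
	fmt.Println(claims["sub"], err)
}
```

Backends behind such a gateway must only accept the subject header from the gateway's own network path; if a backend is reachable directly, the header is just another client-controlled string.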
#11 Apigee
Apigee, part of Google Cloud, is a gateway management tool built on the Java Platform, Enterprise Edition (JEE). Apigee is capable of turning monolithic old-world applications into APIs and, by so doing, exposes them in a secure manner for consumption by third parties. Essentially, this gateway works by masking your legacy application and its complex components behind a simplified API façade. It ensures security and provides quotas and rate-limiting for requests processed by API servers. Apigee Analytics gathers a trove of data from API proxies and helps develop an accurate and deep understanding of it. Add a Drupal 8 content management site to the Apigee Edge API management platform and you have a developer portal as well. The Apigee Edge API management platform, the on-premises version, is a 9-node clustered installation, and deployment of this multiple-host architecture can be time-consuming (versus open-source API gateways). Besides, to run properly, Apigee relies on the Apache Cassandra metadata store, Apache ZooKeeper distributed storage, and a Postgres database. As things stand, the on-premises edition is more popular with customers, though the Google Cloud version is also seeing some traction. By the way, despite delivering some clear benefits, the flip side is that Apigee is not open-source. Customers include Experian, Autodesk, and Macquarie's Banking and Financial Services Group.

Signing off for now. Will be with you soon.
Cyberlands.io Team