What is an API gateway?

An API gateway is a single entry point for all application programming interface (API) calls made by client devices to a particular set of backend services, such as containerized web applications within a Kubernetes cluster. The API gateway sits directly between desktop and mobile clients and the different services they are trying to connect to.

The API gateway functions as a reverse proxy that fetches and aggregates appropriate resources before delivering a response to each API request. At the same time, it can perform multiple actions including IP filtering, token-based API authentication, rate limiting, and integration of web application firewall (WAF) functionality—all to support secure and reliable access to APIs as well as to microservices.

Benefits of using an API gateway

Applications and the broader internet economy are both API-driven. Because API calls constitute a large and growing share of network traffic, businesses need the right practices and API management tools in place to optimize performance and protection.

More specifically, as organizations pursue digital transformation initiatives and navigate the challenges of scaling and securing APIs along the way, they can benefit from an API gateway that helps them:

  • Consistently enforce authentication and WAF policies for API access
  • Use load balancing and content routing to optimally direct API requests
  • Know if APIs are being abused, for instance by excessive API calls
  • Rate limit and audit API traffic as needed to protect backend services
  • Collect detailed analytics on API requests and traffic
  • Determine if microservices architectures are working as designed
  • Reduce operational complexity by consolidating network functions
  • Improve app performance with fewer TCP and TLS decryption hops
  • Apply rewrite and responder policies to HTTP transactions
  • Broadly shield APIs from threats like injection attacks and data exposure

With an API gateway configuration, it’s possible to gain comprehensive API management and protection for fulfilling these core tasks and others as they emerge.

How an API gateway works

An API gateway performs a wide range of management and protective functions.

Authentication and authorization: Organizations can use an API gateway to authenticate every API call, for example by validating bearer tokens and inspecting the claims carried in JSON Web Tokens (JWTs), and to authorize the request that the token accompanies. An API gateway configuration can also be customized to limit API access by application and by user.

Rate limiting and traffic analysis: API gateways can throttle API requests to prevent backend services from being overwhelmed. Granular controls may be available for limiting request frequency and response size, setting rules-based responder policies, and sending alerts about anomalous API traffic.

WAF policy configuration and enforcement: To protect API instances and endpoints against injection attacks, an API gateway makes it easy to maintain WAF policy configurations, automatically update applicable security signatures, and check for buffer overflows.

Content routing and optimization: With an API gateway, you can ensure API calls are routed to the best available destinations through a combination of load balancing and content switching capabilities. Parameters for routing include URL path, HTTP method, and policy expression.

Rewrite and responder policy management: Protocol-aware policy expressions can be used for transforming HTTP transactions as they pass through an API gateway. Through rewrite and responder policies, client requests can be reliably directed to the optimal destinations.

Single-pass security insights and enforcement: Modern API gateways consolidate multiple API security functions into one appliance that handles WAF, load balancing, content routing, and more in a single pass. This simplification of the API security architecture within the API gateway architecture improves application performance as well.
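The three functions above that act on every request, token-based authentication, rate limiting, and routing by HTTP method and URL path, are easiest to see as one pipeline. The following is an added illustration written for this page, not Citrix ADC code: it assumes HS256 JWTs signed with a shared secret, a constructed routing table, and a fixed 60-second rate-limit window per token subject.

```python
import base64, hashlib, hmac, json

SECRET = b"example-shared-secret"   # constructed; a real gateway loads this from a secret store
ROUTES = {("GET", "/orders"): "orders-svc", ("POST", "/orders"): "orders-svc", ("GET", "/users"): "users-svc"}
RATE_LIMIT = 3                       # requests per subject per 60-second window (constructed)
_windows = {}                        # subject -> (window id, request count)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict) -> str:  # mints sample tokens so the example runs offline
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, now: int):
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        head, body, sig = token.split(".")
        # Verify with the algorithm the gateway is configured for, never the one the token names.
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:               # malformed segments, base64 or JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def rate_limited(subject: str, now: int) -> bool:  # fixed-window counter per subject
    window = now // 60
    prev, count = _windows.get(subject, (window, 0))
    count = count + 1 if prev == window else 1
    _windows[subject] = (window, count)
    return count > RATE_LIMIT

def handle(method: str, path: str, headers: dict, now: int):  # authenticate, limit, route
    auth = headers.get("Authorization", "")
    claims = verify_jwt(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, "invalid or missing token"
    if rate_limited(claims.get("sub", "anonymous"), now):
        return 429, "rate limit exceeded"
    backend = ROUTES.get((method, path.split("?", 1)[0]))
    if backend is None:
        return 404, "no route for request"
    return 200, f"forwarded to {backend}"
```

Note that the order matters: unauthenticated requests are rejected before they consume any rate-limit budget, and the counter is keyed on the verified token subject rather than on a client-supplied header.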

Citrix API gateway solutions

Organizations can easily deploy a customizable API gateway through Citrix ADC to manage and protect backend services within environments such as Kubernetes clusters. The Citrix API gateway functionality is integrated into Citrix ADC, which serves as the ingress gateway for all north-south traffic into the cluster.

Working in tandem with Citrix Application Delivery Management, Citrix ADC simplifies the creation, publication, maintenance, and security of APIs. Advanced traffic management and security features, coupled with centralized controls and API definitions, defend APIs from the biggest threats while ensuring legitimate clients can still reliably access them.