API Gateway for data egress

Most larger organizations route their outbound web traffic through a web proxy. The primary motivation for this is to measure where traffic is going. Log traffic for analysis to try and detect activities trying to egress data that should remain within the organization and prevent access to websites that are considered harmful in one form or another.

So why consider an API Gateway as part of an outbound traffic flow? After all, isn’t a Gateway there to protect us? Several very good reasons. Let’s look at them:

• Managing the use of an external paid service. You may have multiple solutions using a third-party service — for example, an SMS service. Rather than expecting all these different calls to the external API, each having a copy of the 3rd party credentials to manage, we could use the gateway as a single point to attach the credentials.
• When it comes to being charged for a service, being able to identify the requests at the API level makes it very easy to track your own consumption and forecast forward before being billed. This is really helpful if you have an agreement that provides a good price for pre-booked capacity and a higher charge for overage/capacity not pre-booked.
• Economies of scale for using 3rd party services can be very powerful. But it can also present two problems.
• Switching providers quickly can be difficult as multiple points of possible change.
• How to partition the cost of the external service across different departments if everyone is using a common account.

The first of these issues can be easily overcome using the anti-corruption layer pattern where the gateway represents the correct route so it can reformat the requests in one place to work with a different provider.

At the same time, we can more intelligently use Gateway’s metering mechanisms rather than having to implement functionality to mine the proxy’s logs.

Of course, you can achieve the same effect without a gateway, but you don’t get the benefits that a gateway will offer out of the box. In addition, the chances are that you have already got an API Gateway running for your current North-South traffic.

Originally published at http://blog.mp3monster.org on January 11, 2023.