Do I need an API gateway for my serverless architecture?
What is an API Gateway, anyway?
Cloudflare defines an API gateway as an intermediary that accepts, transforms, routes, and manages API traffic to backend services.
Essentially, it's like a reverse proxy, if that reverse proxy had more responsibilities and a mild caffeine addiction. I'll discuss some of the supercharged features in a sec...
Azure has a native resource - API Management, or APIM for short - which acts as a gateway to your backend.
It provides rate limiting, authentication (through API keys or other authentication forms such as OAuth), and policy-based request middleware.
Serverless? What's that?
In case you're not familiar with the concept, serverless is a model where the underlying infrastructure is handled by Azure (or whatever cloud provider you use).
In Azure, serverless backends are usually written as Azure Function Apps.
So, What Does the API Gateway Provide?
Authentication
One of the biggest benefits of APIM is out-of-the-box authentication.
APIM supports both authentication between the client and the gateway, and the gateway and the backend.
Many authentication options are available, including:
- API Key
- Microsoft Entra
- OAuth2
- Mutual TLS
- Basic Authentication
Allowing APIM to do the heavy lifting not only frees you up to work on actual work, but it can also reduce the "busy work" of implementing a suite of microservices.
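As an added example (not code from the original post), here is what both halves of that authentication story look like in a single API-scope APIM policy: the gateway validates a Microsoft Entra bearer token from the client, then authenticates itself to the Function App by injecting the function key from an APIM named value. The tenant ID, application ID, app role name, the named value `orders-func-key` and the backend ID `orders-func` are all assumed placeholders.

```xml
<!-- Added example, not from the original post. API-scope policy.
     Client -> gateway: validate a Microsoft Entra JWT.
     Gateway -> backend: inject the Function App key from a named value, so the
     key never leaves Azure and clients never see it.
     TENANT-ID-PLACEHOLDER, API-APP-ID-PLACEHOLDER, the role 'Orders.Read', the
     named value 'orders-func-key' and backend 'orders-func' are assumed. -->
<policies>
    <inbound>
        <base />
        <!-- Reject requests without a signed, unexpired Entra token issued for this API -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true">
            <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://API-APP-ID-PLACEHOLDER</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0</issuer>
            </issuers>
            <!-- A valid token alone is not enough: require an app role as well -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Orders.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Never trust a caller-supplied function key; always override it with ours.
             {{orders-func-key}} is a secret named value (can be Key Vault-backed). -->
        <set-header name="x-functions-key" exists-action="override">
            <value>{{orders-func-key}}</value>
        </set-header>
        <!-- Do not forward the client's bearer token to the backend -->
        <set-header name="Authorization" exists-action="delete" />
        <!-- Route to the Function App registered as an APIM backend -->
        <set-backend-service backend-id="orders-func" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The check worth remembering from this layout is that the Function App's own authorisation level is still set to `function` (it still demands the key), so bypassing APIM and calling the function directly fails even if the hostname is discovered; APIM just becomes the only thing that holds the key.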
Rate Limiting
The API gateway can limit the rate of API calls (and the number of concurrent requests) with its rate limiting and quota features.
Request and Response Transformation
There are scenarios where you may want to rewrite a request or response. For example, a layer of defence in your production app may be to rewrite sensitive error information with a generic 400 error message.
This can be achieved with APIM's extensive policy features.
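An added example (not the post's own code) combining the rate-limiting and response-transformation points above in one API-scope policy. The call counts, windows and error text are assumed values; the counter key falls back to the client IP when there is no subscription, and the outbound section rewrites backend 5xx responses to the generic 400 the post describes.

```xml
<!-- Added example, not from the original post. API-scope policy.
     Numbers and the generic error text are assumed. -->
<policies>
    <inbound>
        <base />
        <!-- Short-window rate limit per caller: subscription ID if present, else client IP.
             Exceeding it returns 429 with a Retry-After header. -->
        <rate-limit-by-key calls="100"
                           renewal-period="60"
                           counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)"
                           retry-after-header-name="Retry-After" />
        <!-- Longer-window quota on the same key: 10,000 calls per day -->
        <quota-by-key calls="10000"
                      renewal-period="86400"
                      counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Defence in depth: a 5xx from the Function App may carry a stack trace
             or connection details in its body. Replace it with a generic 400 so
             nothing internal reaches the client. The original response can still
             be captured in APIM diagnostics if body logging is enabled there. -->
        <choose>
            <when condition="@(context.Response.StatusCode >= 500)">
                <set-status code="400" reason="Bad Request" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
                <!-- Also drop headers that advertise the backend technology -->
                <set-header name="Server" exists-action="delete" />
                <set-header name="X-Powered-By" exists-action="delete" />
                <set-body>{"error": "The request could not be processed."}</set-body>
            </when>
        </choose>
    </outbound>
    <on-error>
        <base />
        <!-- Policy failures (e.g. a backend timeout) skip <outbound> and land here.
             Only rewrite 5xx: a 401 from validate-jwt or a 429 from the rate
             limiter must keep its real status code. -->
        <choose>
            <when condition="@(context.Response.StatusCode >= 500)">
                <set-status code="400" reason="Bad Request" />
                <set-body>{"error": "The request could not be processed."}</set-body>
            </when>
        </choose>
    </on-error>
</policies>
```

One design note: `rate-limit-by-key` is enforced per gateway instance and is approximate across scale-out, so treat it as abuse damping rather than a hard contractual limit; `quota-by-key` is the one to use for the longer, billing-style window.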
API Versioning
While it's not the only way, APIM does provide an easy way to implement API versioning.
There are complicated, nuanced reasons why this may not work (mainly around database migrations and downstream dependencies), but the option is there if it's applicable to you.
Monitoring
It provides a centralised place to manage request and response logging to Application Insights (including the ability to log a certain percentage of requests, which is super handy).
Automated Deployments and Migration
APIM (like most resources in Azure) offers automated deployment through ARM templates.
Do I Even Need All This Stuff?
Nope!
It does a lot of the heavy lifting, but I've seen Azure systems built on serverless components that don't use an API gateway at all, and they run just fine!
Also, there are drawbacks...
What Are The Drawbacks?
Firstly, it's expensive. As of writing (based on the UK West region), it costs £120 per month (or £560 per month if you need VNet integration!).
Secondly, it's not a firewall. It does provide some neat security features, but it does not act as a WAF or NSG; if you need those to keep your app safe, you'll have to add them yourself (and they are almost always a necessity, despite the complexity they bring).
Thirdly, as with any new tool, there is a learning curve. While APIM is fairly straightforward, it can be complicated in some areas (such as the automatic deployment of policies).
Finally, it adds additional complexity to your architecture. If you're going for simplicity, maybe this isn't for you.
Azure-Managed or Self-Hosted?
The former is the default option when creating an APIM instance in Azure. In most cases, you're going to want Azure to manage your gateway for you.
However, they do provide another option, which is where you host the gateway on your own infrastructure (or on Azure).
You'll likely already know whether you need the self-hosted version or not. But if not, it's usually only required when you need it to be hosted on-premises, or if you have compliance requirements that mandate it.
What Other Benefits Does APIM Provide?
APIM also contains a "developer portal". This is a hub which provides documentation for your API(s), as well as a console for API testing, and account management.
It also includes a management plane to manage your APIs, users, policies and API schemas.
"But Jess!! My Function App Is Internal Only"
Internal-only function apps likely won't gain enough benefits to justify placing an APIM instance in front of them.
Firstly, features such as rate limiting might not be as impactful if the traffic is all coming from inside the VNet.
Secondly, since the traffic will likely be coming from inside the VNet (or at least, from a place with network connectivity), there isn't the need for the traffic routing features APIM provides.
Conclusion
If you're working on a project where time is more valuable than cost, then yes, APIM as an API gateway is likely worth it.
If you need to keep costs as low as possible, your system is internal-only, or you have an existing gateway, then think long and hard about it (£6,700 per instance per year can be serious money for a small project).