Open Source API Gateways?


I've been reviewing the market recently for open source API Gateways. I'm looking to sit my gateway in front of a number of API services provided by Node.js Express applications.

I'm looking for basic rate limiting, throttling and some form of API monitoring. Upon a quick Google search I've come across the following products but I'm completely clueless as to whether the community feels any one is better than the other or if anyone has any real world experience with these products and can offer some insights into good / bad points.

https://tyk.io
https://moesif.com
https://gravitee.io/
https://apiumbrella.io/
https://getkong.org/

 

I'm one of the core committers on the Gravitee.io API Platform.

The main difference between Gravitee.io and all the other open-source solutions is that Gravitee.io is fully open-source, and not only the API Gateway. The Management API, Analytics, Authorization server are freely available and all source code is available in our GitHub organization.

Gravitee.io is already used in production by many major and business-critical companies all over the world. They like the performance of the gateway, the minimal overhead and the fact that they can very easily extend it by writing Java plugins.

You're looking for basic rate-limiting, throttling and API monitoring? Perfect! All of them are available in Gravitee.io. More, you may be able to create your own Kibana or Grafana dashboards since all the analytics are stored in Elasticsearch...

I can't tell you that Gravitee is better than the other solutions, all of them have their own pros / cons, but I can tell you that, even if there are some missing features, we can work on them very quickly. If you have a look at our releases, you can see that we are doing many releases: one major per month, and the next one is coming next Tuesday: github.com/gravitee-io/issues/rele....
Another point you have to know: many companies have subscribed to support... and all the bug fixes are directly in the next major version... Also, companies are sponsoring the company behind Gravitee.io, GraviteeSource: they ask us to create and develop new features and they paid for that: and all of them are freely available in the next major release... We are doing open-source API Gateway / API Management, and we are doing it from 'A' to 'Z'...

See you!

 

Hey David, I just took a look at Gravitee and like the highly abstracted and modularized approach a lot. Is the project still under active development? I would also be interested in controlling other gateways, e.g. CA API Gateway (which has an API) through Gravitee API-M front-end - is this possible?

Thanks & cheers, Chris

 

Hi Chris,

Yes, the project is still under highly active development, you can have a look at our GitHub repositories: github.com/gravitee-io

For your other questions, I don't know well how the "other gateways" are running and how they are managed. What you can do from gravitee is to define your API, then export the API's definition in JSON and convert / import the file somewhere else.

Regards,

Thanks for the quick reply - is there an abstraction for gateways already in Gravitee? Like an API managing the gateway, querying capabilities and apply configuration and service policies.
The common things (auth, throttling, logging, routing, etc) can be implemented on almost every gateway (and you probably know there are many), so I would be highly interested in finding (or contributing to) an API management solution (catalog, subscriptions, etc) which can be used to control different gateway types.

I believe this would be very interesting for many enterprises looking for a central dev portal, but needing to support different gateway technologies, like CA API Gateway, WSO2, Envoy (ingress to Istio), etc.

I was thinking that an abstracted interface to the gateway (like the one you built for storing repository data in Mongo, Redis or via JDBC) could be a way to achieve this.

No, there is no abstraction for gateways for now. And nothing about this in our roadmap.

Most of the stuff would be to look on what would be the best format to describe an API, before being able to deploy the API in different gateway technologies.

It is a very interesting feature but also time consuming...

We need a standard to describe an API (inherited from OAI?) :-)
Ready? Go!

 

Hi Chris,
I am a bit late to the discussion but I am really intrigued by your message :-)
Would you be able to share more details on potential use cases you identify?
Why would a company use several gateways?
Thanks

Cheers:
Feel free to PM me on twitter.

Hi Jean
All companies with API Management projects I have contributed to recently use different gateway vendors internally. This may be due to organizational reasons (lack of coordination between different departments) or technology evolution (central gateway vs micro gateway, advent of service meshes).
In addition I think this could be a door-opener for Gravitee in companies using CA, WSO2 or other vendors with weak developer portal solutions.

Since Gravitee is already highly modularized, the only thing needed is an abstracted API gateway interface (sounds simple, but might be a lot of effort). I'm in discussion with David about it.

Cheers, Chris

 

Hello guys,

I'm curious about the Gravitee solution.
Is Gravitee cloud native?

tks

 

Hello su,

Yes it is. Feel free to join our gitter channel to talk with the community.

Regards

 

Hi there:

I am curious, is there more up-to-date documentation available for the gateway? A lot of information/pages seem to be empty on docs.gravitee.io

 

Hi Bill,

Sorry for the delay, I was off last week.
You're right, some content is missing because of a lack of time from developers.
We were expecting more help from the community but nothing is coming :(
I'm really sorry about it. Also, you may have to understand that we are providing an open-source platform so that some companies need our help / our expertise because of this lack of documentation... But it's not a good reason and I'm sure we need more to start with Gravitee.io. Perhaps you can help us by indicating which parts are really missing from your POV.

Thanks a lot.

 

Hi Brassely,

Does Gravitee have OpenID Connect support? I couldn't find clear documentation for that.

Regards

 

Hi Ranadima,

What are you looking for exactly?

We have an Access Management module which is certified OIDC.
See docs.gravitee.io/am/2.x/am_overvie...

Thanks Brassley for the quick response. I'll have a look.

Regards

 

I've played with Kong a tiny bit out of curiosity in the past. It works and it's built on battle tested nginx. The open source community is active and there are many plugins for basically everything.

Rate limiting and throttling are supported out of the box.

Keep in mind that if you put all your APIs behind a gateway you need it to not become a single point of failure, so you might have to cluster at least two instances of the API gateway.

The great thing about the API gateway "pattern" is that you can work and evolve APIs in the backend keeping the same interface for the clients if you need to, or for example make it so that all APIs have the same authentication system and so on.

 

Kong is a great recommendation. It's the most straightforward of the choices above and the community is very much alive.

 

I should mention though that it's a bit "crippleware": features you might need like advanced transformations and OAuth require an enterprise license.

 

I'm a consultant working in the domain; those are the ones I saw:

Well, my personal opinion is I don’t feel 100% confident with these kinds of tools as OSS (even if I am an active OSS committer myself). Those pieces are meant to protect and secure your IS in a way. If I got the source code of the tool protecting your IS it’s easier for me to forge an attack.

 

Hey Cédrick, thanks for mentioning tyk.io open source API Gateway

Our gateway is 100% open source, the same open source version is used by Cisco and Capital One, as is used by anyone taking the gateway from our package repositories or Github.

Precisely because it is open and transparent, it is trusted and loved by highly regulated industries. This is why Tyk has so many healthcare, financial service and telco customers - no "black boxes" or "systems calling home" from your network!

Enterprise customers can also purchase a support SLA and contract, to ensure ongoing maintenance and support for their deployment.

We believe that open and transparent code makes for better security, and our users agree.

Vive la Open Source!

 

Check out Tyk.io also. It is probably the most popular free API gateway.

We at Moesif (moesif.com), an API analytics platform, are integrated with the Tyk.io core codebase. Once your needs go beyond basic rate limiting or monitoring, check it out.

 

Ambassador (getambassador.io) is an open source API Gateway specific to Kubernetes services that's built on the Envoy Proxy (envoyproxy.io/). If you're using Kubernetes, definitely check it out!

 

Here in my company I use TreeGateway, which is completely free and open source. It is built to run on Express (Node.js).

It has a number of features and can be customized using JavaScript. Here are a few:

  • Rate limiting
  • Throttling
  • API monitoring
  • Cache
  • Circuit Breaker
  • Authentication
  • Routing
  • And others

The strengths are:

  • Implements all features that other gateways in the market have
  • It's completely free
  • It's easy to customize it
  • Has almost zero overhead when inserted into the infrastructure

The weaknesses are:

  • The Gateway seemed complete, but I have not seen some features like Portal and Building APIs (although they are outside the scope of a Gateway)

I believe that the choice depends on your needs. Basic functionality is common among Gateways, but you have to check for customization, ease of deployment and product support.

Good luck!

 

Most of the Node.js-based API Management solutions (that you listed above) come with feature limitations in the free version and require you to upgrade to an Enterprise solution.

However, I will recommend WSO2 if your team is comfortable with Java frameworks and Integration solutions at an Enterprise scale. It's free and all the Basic and Enterprise features are OOTB (Rate Limiting, Throttling, caching, LDAP Integration, and RBAC). If you're looking for a more SaaS solution with minimum cost, opt for APIGEE.

The above-mentioned Node.js solutions are still amateur for an Enterprise-level solution.
I hope to see more advanced features in these tools from companies and communities to build.

 
 

Kong and Tyk are basically API gateways.

Moesif is an API analytics platform, it provides plugins for Kong and Tyk for easy integration.

BTW, I am the co-founder of Moesif.

ImTheDeveloper
Developer 😎 Business Analyst 🌍 Solution Architect Still a developer at ❤ and spend a lot of my time building personal and client projects from home.
