Middleware and API Gateways

After spending quite a few years working with services, and, more recently, API gateways, I've become intimately familiar with the desire to add layers and layers of middleware. When a service is initially designed, it focuses only on pure functionality - each endpoint offering a unique business feature - and the backing code is focused on delivering that value. Then maturity happens, and things like authentication, logging, schema validation, and shared mapping begin to leak in, usually in the form of middleware layers. A few years in, the once-concise codebase is now a mixture of business features and shared utilities.

Enter the gateway. At my current job at Shutterstock, we started by adding extra logic into our nginx load balancers. This was both efficient and incredibly scary, as none of us were proficient with this technology, and we never came up with a good pipeline to test our proxy with the same confidence as our primary application. We gained modest performance increases with a large slice of risk. When our product owner introduced the idea of Apigee, we leaped at the chance to use a more robust solution.

There are some very tempting ideas that a shared gateway brings. You can enforce a common authentication interface and group endpoints with rate limiting, even if the features are delivered from disparate applications. By offloading shared business logic into the proxy, you reduce the complexity of the backend and allow the services to optimize for their flows, all while masking any differences for the end consumer. This is all in an ideal world, though - in my experience, gateways can do a few things very well and some things not at all.

One day I'd like to treat gateways just like another tier in the stack. That is, if you wrote a middleware function that impacts all (or a subset) of the endpoints in your service, you could easily upload it to a gateway, toggle it for the affected endpoints, and then let it do the processing. The middleware could either execute within your application (local development) or within the proxy (production). In my mind, gateways are just enterprise-scale middleware, so it only makes sense to treat them as such.