Understanding the Role, Architecture, and Selection of API Gateways in Enterprise Systems

1. Use Cases of API Gateways The author identifies three scenarios where an API gateway is essential: (1) Open API platforms that expose company data and services to external partners (e.g., Taobao, QQ, WeChat); (2) Microservice gateways that handle routing, load‑balancing, caching, access control, monitoring, and logging in a microservice architecture; (3) API service management platforms that centralise and monitor inter‑system API calls for enterprises with many legacy systems.

2. Position in Enterprise Architecture As enterprise systems grow in complexity, three categories of applications emerge—external partner apps, public‑facing internal apps, and internal intranet apps. The author proposes using separate API gateways for each category to isolate priorities, access methods, and management processes.

3. Practical Application For Open API gateways, partners register applications on a dedicated portal, and the gateway must provide APIs for that portal. For internal networks, the gateway acts as a microservice gateway, requiring non‑blocking I/O, clustering, and unified monitoring. For public‑facing internal apps, a dedicated gateway can isolate business priorities and allow finer‑grained control.

4. Competing Solutions The article surveys alternatives: (a) Service Mesh (e.g., Istio) as a gateway‑less approach; (b) Dubbo‑style direct service discovery; (c) Open‑source gateways such as Kong (NGINX+Lua), Netflix Zuul, and the Chinese project orange; (d) Public‑cloud gateways from AWS, Alibaba Cloud, and Tencent Cloud; (e) Custom in‑house solutions based on NGINX+Lua/OpenResty, Netty, Node.js, or Java Servlets.

5. Selection Criteria When evaluating gateways, consider performance (sub‑10 ms latency, non‑blocking I/O, clustering), scalability, extensibility/maintainability, fit to functional requirements (Open API vs microservice needs), open‑source availability and internal development capability, and whether a private‑cloud or public‑cloud deployment aligns with security and customization needs.

6. Recommendation For most enterprises, especially those with strict security or extensive legacy systems, a private‑cloud API gateway (or a self‑hosted open‑source solution) is recommended over basic public‑cloud offerings, which may lack the necessary customization and internal network integration.