An API gateway is in its simplest form, a bridge between the clients and your APIs. API Gateways act as a reverse proxy to client requests by routing them to appropriate services and returning an appropriate response.
There are many different benefits of using API gateways, but the most common are :
- Enhancing security by disabling direct access to API’s, being able to white and black list IPs
- Simplifying the client by moving logic for calling multiple services from the client to API gateway
- Reducing latency by handling possible round trips to many services as a single point of entry
- Translating from web-friendly API protocols to many other protocols used internally
- Handling authentication to control which data is transmitted to your APIs.
- Ensuring the API does not get flooded with requests by setting up Cache, Rate Limiting & Quotas
For this post, we decided to compare Tyk Gateway to Amazon API Gateway, because of the wide use of AWS as one of the biggest cloud providers globally and Tyk API Gateway, as it's the Open Source Gateway that powers the highest rated API Management Platform according to Gartner Peer Insights, with a market leading 4.7 out of 5.
Production-Ready Authentication
Authentication enables companies to keep secure their public APIs and networks by allowing them to be used by only authenticated users. The user or computer has to prove its identity to the requested resource. In client-server architectures, this mechanism is best practice and almost inevitable.
Tyk Gateway
Tyk Gateway OSS supports lots of industry-standard authentication and authorization options to lock-down APIs and handles the traffic securely. Tyk Gateway supports Basic Authentication, Bearer Tokens, JSON Web Tokens(JWT), Multiple Auth, OAuth 2.0, OpenID Connect, custom plugins, written in many languages for complex authentication and authorization scenarios, including legacy auth servers. Tyk Gateway is seamlessly integrated with almost every access control solution.
Tyk Gateway works with Redis, and it is a highly available and consistent key-value store. Redis stores in-memory Tyk session objects. The session objects can include metadata, access rights, policies, tags, and many other things. You can use stored in-memory session objects in custom Tyk Gateway custom plugins and middlewares, and it is convenient to process this data for any requirement.
There is no alternative that can be used as open source software that supports all of these features, which makes tyk stand out compared to its competitors.
AWS Gateway
Amazon API Gateway supports AWS Cognito or Lambda Authorizers for access management. AWS Cognito is a managed service and it supports sign-in with social identity providers and enterprise identity providers via SAML 2.0 and OpenID Connect.
Lambda Authorizers are AWS Lambda functions constructed to control access to the API Gateway with user-defined logic. Users are required to create and maintain their Lambda Authorizers. This Lambda function can programmatically fine-tune your authorization process, or it can connect to already existing authentication mechanisms running on your, let’s say, on-premises. Only disadvantage about using custom authorizer Lambda functions is that users are required to code and maintain their custom Lambda function.
|
Tyk Gateway |
AWS Gateway |
|
|
JWT and Bearer Tokens |
✅ |
Supports through AWS Lambda Authorizers or AWS Cognito |
|
OAuth 2.0 |
✅ |
Supports through AWS Cognito |
|
OpenID Connect |
✅ |
Supports through AWS Cognito |
|
Custom Authentication |
✅ |
Supports through AWS Lambda Authorizers |
Policies
API Gateways policies give granular authorization control after authentication mechanism. These controls are very important in terms of controlling, limiting and invoicing customers.
Tyk Gateway
Policies are JSON-based documents that give you granular control of APIs for rate limiting, access rights, and quotas, and are applied as soon as with hot reload support. They can be used with trial keys as a temporary policy with a fixed expiration date. We can apply different policies for each environment. Also, Tyk Gateway policies have a granular path and method based control feature which allows you to define policies for each API’s version.
AWS Gateway
On the AWS API Gateway, you can allow and restrict user-based access with IAM User and Group policies. However, for this, these access rights must be defined for each IAM user. If we want to control Rate and Quota limits separately, we can also use AWS Gateway Resource Policy and Usage Plan services. AWS API Gateway allows you to build API versions with a gateway like Tyk. There’s a feature on Amazon API Gateway called stage variables. Stage variables act like environment variables and can be used to change the behavior of your API Gateway methods for each deployment stage; for example, making it possible to reach a different back end depending on which stage the API is running on.
Keep in mind that applying policies on AWS has some caveats, you may define your policies at the API level, Usage Plan level, IAM level and/or Resource Policies level.
|
Tyk Gateway |
AWS Gateway |
|
|
Access Rights |
✅ |
IAM User and Group Policies |
|
IP Level Rate Limiting |
✅ |
Supports through Usage Plans |
|
Key Level Rate Limiting |
✅ |
Supports through Resource Policies |
|
Versions |
✅ |
Supports through AWS API Gateway Stage Variables |
White-Black List For Url Paths
For API versioning, enabling or disabling access to paths or HTTP methods is important. White-black listing allows you to block the access instead of vanishing the paths.
Tyk Gateway
Tyk Gateway has Black and White list features that allow or block specified paths and methods (POST, GET).
Adding a path or method to a blacklist will force it to be blocked. By using the Tyk blacklisting feature, you can depreciate your resources easily. This feature allows you to block access to paths or methods. In this way, Tyk Gateway makes API versioning easier for you.
Adding a path to a whitelist will cause other paths to become blacklisted. This means you can open specific endpoints and close others by just adding paths that will open to the whitelist. Moreover, there is regex support to define white and black lists.
AWS Gateway
API Gateway Resource Policies allow users to define access policies at the API and method levels. Resource Policies can be used to white/black list the access to the entire API or selected methods. However, Resource Policies does not support regex, users would be required to define each IP address or CIDR blocks.
|
Tyk Gateway |
AWS Gateway |
|
|
White-Black List For Url Paths |
✅ |
Supports through Resource Policies |
|
White-Black List Regex Support |
✅ |
❌ |
Rate limit and Quota for consumer API key
Rate limiting is one of the fundamental aspects of the API gateway. It is used to control the rate of requests to the servers. It protects services from being overloaded.
Quota is similar to rate limiting. However, It is not used to protect services from overwhelming API resources. It is used to regulate the usage of API resources.
Tyk Gateway
Tyk Gateway has key level and API level rate limiting. Key level rate limiting is focused on controlling traffic from individual sources. As a use case, let's say there is an API service that has different pricing plan such as silver and gold and platinum. This way users who need to consume more of the service faster, can pay more for the service in the form of a plan. When they try to use more than a limit, the Tyk Gateway key level rate-limiting feature stops them.
API level rate limiting is used to defend our services from DOS and DDOS attacks.
Tyk Gateway has a quota feature. Let's say, you want to offer 5,000 requests to the API per month. You can implement that by just adding quota to Tyk gateway. Tyk Gateway handles resetting and managing.
AWS Gateway
API Gateway allows users to configure Usage Plans to allow customers to access selected APIs, and begin throttling requests to those APIs based on defined limits and quotas.
API Gateway also allows users to block IP addresses using Resource Policy definitions.
|
Tyk Gateway |
AWS Gateway |
|
|
IP Level Rate Limiting |
✅ |
Supports through AWS Resource Policies |
|
Key Level Rate Limiting |
✅ |
Supports through Usage Plans |
|
API Level Rate Limiting |
✅ |
✅ |
Request Manipulation (Middleware) / Transform
Tyk Gateway
Tyk Gateway has a powerful middleware scripting custom plugin. In the middleware, you can intercept and manipulate requests pre and post execution chains by Javascript functions. Request contexts, session, and specs objects are exposed in the middleware pipeline.
Request context manipulation is not limited to the header section, it can apply to body, URL, and all other contextual attributes. By changing the body, URL, query string of the request, you are able to change upstream endpoints and fulfill business requirements. Post-middleware have access to session objects (metadata, quota, policies), so after execution, you are able to do anything with these objects.
In addition to middleware scripts, the transform feature can cover many cases, it can change every attribute of the request, including method type. You can also convert SOAP services to REST endpoints so you can keep using your legacy services while modernizing them. Moreover, if you compile Tyk Gateway yourself, you can use an external cli tool like jq, a popular and powerful JSON processor
AWS Gateway
Amazon API Gateway does not have the middleware scripting support Tyk Gateway has. In middleware, you can intercept and process pre- and post-execution requests, along with Lambda functions.
For Input Manipulation, after integrating the API Gateway with a Lambda function, by default, the request is delivered as-is. If you want to intervene and manipulate the input, you need to change the configuration of the Integration Request and not use “ Lambda Proxy integration”. Also if you need Manipulating with API Gateway, you would create a Mapping template after integrating Lambda and Amazon API Gateway.
Custom middleware Lambda has some disadvantages such as users having to code and maintain Lambda functions. On top of that, for each API Gateway request will invoke the middleware function and the actual Lambda function, doubling the cost.
|
Tyk Gateway |
AWS Gateway |
|
|
Request Manipulation |
✅ |
Supports through Lambda Functions |
Custom JSVM Middleware
Tyk Gateway
Tyk Gateway includes a JavaScript virtualization environment called JSVM to execute JavaScript code without a browser, which can also be used with the middlewares. This enables Tyk Gateway to have a unique feature called Virtual Endpoints that allows you to define JavaScript functions as API Endpoints.
Virtual Endpoints are added on top of the existing API methods, and can be used to aggregate data from different resources, or to produce a dynamic response object that converts or computes data from upstream services.
AWS Gateway
AWS API Gateway does not include a JavaScript virtualization environment, because AWS Lambda provides execution runtime for most of the programming languages.
So, API Gateway does not support Virtual Endpoints as Tyk Gateway does. Every API Endpoint should be defined explicitly with a target Lambda function that can use different programming languages, including JavaScript.
|
Tyk Gateway |
AWS Gateway |
|
|
Virtual Endpoints |
✅ |
Supports through Lambda Functions |
What else?
So far, we’ve only compared Tyk Gateway component with Amazon’s API Gateway, but there are lots of other feature sets available with Tyk, including their different deployment options (On prem, hybrid and Cloud/Multi-Cloud) as well as the open and closed source components. For example Pump, Sync, and Identity broker are open source while Dashboard and Dev Portal are closed source components. Let’s dive into these components.
Pump
Tyk pump provides observability which is really important in order to take full control of APIs and identify bottlenecks, including security and operational issues. It has rich integrations with external analytic storage such as Elasticsearch, Kafka, Prometheus, and traffic analysis can be done with these tools. Also, Tyk pump supports sharded analytics, so every API or organization can use its own analytics tool.
Sync
Tyk-Sync is a command-line tool and library to manage and synchronize with version control systems (VCS). Tyk-Sync used to dump all the API’s and Policies to VCS as well as publish it back to another environment. It has also support for using Swagger/OpenAPI JSON files to publish APIs.
GraphQL Support
One of the great features of Tyk Gateway is Universal Data Graph. It offers us a GraphQL service to aggregate data from multiple services. You do not need to write code. You just need to create your schemas and configure data sources
Amazon API Gateway does not support GraphQL because AWS offers its GraphQL service separately, called AWS AppSync. Both APIGateway and AppSync are services that help users create APIs, so users would be required to use both the AppSync and the APIGateway to attain GraphQL features.
Dashboard
The Tyk Gateway Dashboard is a GUI and visual analytics platform. It provides an easy alternative for developers to set up resources in the Tyk gateway. Moreover, the dashboard provides a customizable Developer Portal for API documentation, developer auto-enrolment, and usage tracking.
In the Tyk Gateway dashboard, the Developer Portal is exposed as a separate component of the application. So, it is up to you to deploy it as an internet-facing application or admin application.
Developer Portal
Tyk Developer Portal is used to expose a facade of your APIs. It lets third-party developers register and consume your APIs. It has Swagger support. By just adding Swagger content into the code editor, or via a link to a public Swagger hosted URL, you can expose Swagger UI to third-party developers.
The Final Verdict
Based on the different feature sets compared above, it’s fair to say if we compare Tyk Gateway with Amazon’s API gateway alone, Tyk Gateway leads the front by a huge margin. This is mostly because Tyk Gateway OSS is a standalone API Gateway tool that has a wide set of features, and Amazon API Gateway is a lightweight service that has to integrate with other AWS services to solve the same issues as Tyk Gateway, but without much flexibility.
In this article alone, we have mentioned the use of 8 different AWS services to solve the same issues that Tyk Gateway solves alone. Below are various other reasons to choose Tyk:
- The number of AWS services have grown massively over the years. The learning curve gap required to solve the same issues as Tyk Gateway does on AWS is massive.
- Tyk has great documentation and is just easy to work with.
- Tyk OSS is free! AWS gets costly very quickly as most of our clients also have to spin up other services.
- Tyk has great support, and the power of open source! Any and all problems you come across, you can find your answers to problems on either on Tyk docs or contact Tyk support for assistance. If that just doesn’t cut it, you can always ask the community for help on guidance.
- You have the Tyk source code at hand. You can fork the latest version of Tyk to develop tailor-made solutions for your use-case.
Kloia’s opinion, as an Advanced AWS Consulting Partner, and a Tyk Partner would be that even though both of these tools serve the same purpose, they both have different use cases and as an always valid response in Software Engineering, there is no silver bullet, and you should always choose a solution based on your needs.
