API GATEWAY and Microservices Architecture | How API Gateway act as a Single Entry Point?

00:00

hey guys Shan the side and welcome to

00:02

concept and coding and today in system

00:04

design playlist I'm going to cover a new

00:07

topic which is very very important which

00:09

is API Gateway there are so many

00:11

questions which built on top of it and

00:14

I'm going to tell you the complete uh

00:17

overall design where this API Gateway

00:20

fit and these two are the most

00:23

frequently interview question get asked

00:25

if API Gateway is a single entry point

00:28

how does it handle millions of request

00:30

per second or sometime also like how API

00:33

Gateway is different from load balancer

00:35

does it come before or after the load

00:37

balancer and trust me so many Engineers

00:41

has doubt on this

00:42

one what is API

00:45

Gateway in simple term it accept the

00:48

client API request and Route them to

00:52

correct backend service based on API end

00:57

point read this line again because this

01:00

is what makes it different from a load

01:02

balancer so let's say that this is a

01:04

client and API Gateway is in mid so it

01:09

accept your

01:10

request Now API get will will decide hey

01:14

if it is this API / API invoice it has

01:17

to route to this micros service invoice

01:20

micros service if API structure is like

01:24

this it has to route to order

01:26

microservice if API structure is like

01:28

this it has to route to sales micros

01:30

service okay so it route the API to

01:35

correct backend

01:37

service isn't this what load balancer

01:39

also do

01:41

no generally load balancer simply

01:45

distribute the traffic to multiple

01:47

instance of a

01:49

microservices so for example once the

01:52

request is coming load balancer task is

01:55

to just equally distribute the traffic

02:00

between multiple instances of a same

02:03

microservice so invoice microservice 1

02:05

invoice microservice 2 invoice

02:07

microservice three and many

02:08

more but it do not have the capability

02:13

to understand an API okay and then take

02:16

a decision where to Route so load

02:19

balancer doesn't have capability to

02:21

understand this API okay it is slash

02:23

invoice I have to move it to invoice

02:25

otherwise I have to move it to order no

02:29

and that's the m major difference

02:30

between API Gateway and load

02:33

balancer so apart from routing what API

02:37

Gateway is doing right based on the end

02:39

point it decide where to Route which

02:41

microservice to

02:43

Route it has so many other capabilities

02:46

right API Gateway is very intelligent

02:47

compared to load balancer so fun thing

02:50

is API composition so here if you see I

02:53

will tell you the problem with the API

02:55

composition so now let's say that uh you

02:57

are opening a e-commerce website and you

03:00

are going to like view my order view my

03:04

order click on button now you have to

03:07

see your past purchase history now let's

03:10

say if you are uh clicking that option

03:13

from mobile device so mobile device has

03:17

very less uh bandwidth you can say that

03:19

so we show less details so we show let's

03:22

say only these two details product

03:24

details and invoice details so mobile

03:27

device client is using an API just uh

03:30

take it as an example one from the

03:32

product microservice and one from the

03:34

invoice microservice and fetching the

03:36

detail of product and fetching the

03:37

detail of invoice and showing the

03:40

details but now let's say if you are

03:42

using computer or a personal computer

03:45

there it has more space and uh bandwidth

03:49

so you might show more details so maybe

03:54

the same page for the PC device client

04:00

apart from product and invoice it is

04:02

also showing ratings and reviews it is

04:04

might be also showing recommendations so

04:08

even though the same page but based on

04:12

the device also you see the

04:13

functionality

04:15

differs okay now on the PC device L you

04:18

need to query more apis or maybe it is

04:21

possible that different microservices

04:23

also to F those

04:25

dils now here if you see this is an

04:28

additional headache on the client so

04:31

with the help of API composition feature

04:34

of API Gateway this can be simplified so

04:38

now here if you see that in the API

04:40

Gateway we can configure the endpoint

04:43

let's say/ API SL my order if the client

04:47

calls this Now API Gateway has a

04:51

intelligent that okay if it is a mobile

04:55

device I will call this two API this two

04:59

Microsoft services and F the product

05:01

detail and invoice

05:03

detail API Gateway has the intelligent

05:05

okay if it is a personal uh computer

05:07

device then I have to call additional

05:12

apis okay gather the result and return

05:15

the single response so now here if you

05:18

see that the client work is and the

05:21

complexity is reduced a lot so this is

05:24

this feature is known as API composition

05:26

and it is very very important and it is

05:28

very frequently used used

05:31

in Netflix so

05:34

Netflix the API Gateway which uses it is

05:37

highly used this API composition okay

05:41

then we have another feature

05:43

of API gateways authentication so what

05:46

happen is so let's say you have a client

05:49

they are calling an API Gateway okay Now

05:53

API Gateway also has capability to

05:56

authenticate the client so now let's say

05:58

that if it is using o 2.0 flow so in the

06:02

first step the client get an access

06:06

token from the authorization server if

06:09

you if you don't know about the O 2.low

06:12

check out this hld playlist I have

06:13

covered in depth of this or 2.low so it

06:16

would becomes uh clear to you so in the

06:19

first step the client get an access

06:21

token from the authorization server now

06:24

any subsequent request the client pass

06:26

this token to the API Gateway

06:29

API Gateway integrates with

06:32

authorization server and validate this

06:35

token hey the client it is trying to

06:38

access an API and it gives me this token

06:41

is it a valid token or not now

06:44

authorization server validated yes yes

06:46

or no if it is yes valid then only API

06:51

Gateway allow it to pass to a

06:54

microservices instead of you are putting

06:56

an authentication logic here here here

07:00

you are duplicating the things so we are

07:03

putting the authentication at the front

07:06

itself only after authenticated it will

07:09

go

07:11

further the third important feature of

07:13

API Gateway is rate limiting so we can

07:16

set various rules like managing the

07:18

burst Ram burst limit so burst limit is

07:21

something like it's handling the

07:24

peak means maximum number of concurrent

07:27

requests that API Gateway can handle

07:29

before it returned 429 too many requests

07:33

so if you're using aw as aure API

07:37

Gateway you will have a option to set a

07:40

burst Limit you can put the value okay

07:42

500 something like this so what burst

07:46

Limit says that at a peak what is a

07:49

maximum concurrent request API Gateway

07:51

can

07:52

handle then we have API throttling API

07:55

throttling I would say that it's a more

07:57

granual level like

08:00

we can limit a particular individual or

08:04

an application right by blocking them

08:09

once they cross an allowed request rate

08:11

for example I say that okay this API /

08:16

API SL

08:18

invoice this API should not get invoke

08:23

uh more than 10

08:26

times in a minute

08:29

okay so with API throttling we can do

08:33

that so 10 times in a minute as soon as

08:35

the 11th call

08:37

come in a minute it will fail it this

08:39

will block it even you can go more

08:42

granual that okay but 10 times in a

08:45

minute by a particular

08:47

user by a particular user

08:51

also okay so this

08:53

all rules comes under API

08:56

throttling you can also set a rules to

08:59

IP based blocking that a particular IP

09:01

will get blocked and also API qes which

09:05

is uh you can say that a part of rate

09:07

limiting hold request to an API which

09:10

cannot be processed immediately it helps

09:13

to handle the uh thundering her issue so

09:17

as soon as subsequent traffic comes now

09:20

let's say that th000 request comes in

09:23

the B limit I have only said 500 so 500

09:25

request are will not be able to process

09:28

so we can put in into apiq they will

09:30

wait in the waiting area till your API

09:34

Gateway get the bandwidth to process

09:37

them so this rate limiting is also very

09:40

important feature another very important

09:43

feature is service Discovery very

09:45

important okay so now understand that

09:48

you have multiple components let's say

09:51

you have microservices you have load

09:54

balancer right there are multiple

09:57

instances of everyone

09:59

and today in the distributed World some

10:02

go scale up scale down so their IP

10:05

address and port number keep on changing

10:07

so you need somebody to keep track of

10:09

their location who does that service

10:13

Discovery a microservices can scale up

10:15

and scale down it's necessary to know

10:18

the

10:19

location IP address and Port service

10:22

Discovery keep track of those so there

10:25

are two different approaches approach

10:27

one whenever each micros Services uh

10:30

scales up or scal down it has to

10:32

register or deregister themselves so

10:35

they have to uh register to the service

10:38

Discovery and then only service

10:40

Discovery would be able to know about

10:41

their location another approach is that

10:44

service Discovery keep the heal check of

10:46

all the registered microservice and keep

10:49

only active microservices location so

10:52

earlier it has multiple microservices

10:54

which is registered in the service

10:56

Discovery so service Discovery keep

10:58

frequently Health checkup now let's say

11:01

if it is not able to see the heartbeat

11:03

of this one it will remove this one from

11:05

its location and only whatever the uh

11:08

somebody asks that hey this is uh

11:11

invoice microservice one invoice

11:13

microservice instance 2 invoice

11:15

microservice St 3 anybody ask for hey

11:18

give me a location for invoice

11:20

microservice service Discovery will

11:22

provide one of

11:24

them

11:26

okay so here you have a client

11:30

it is calling an API it goes to an API

11:33

Gateway Now API Gateway has the logic

11:36

that okay it's slash order means it has

11:38

to invo order micros

11:42

service now it has to know the location

11:45

before invoking that right so how API G

11:49

will know it will call service Discovery

11:52

there are various software like zul and

11:55

urea so they provide they serve as a

11:59

Serv service Discovery uh software so

12:02

API Gateway check with them hey I need a

12:05

location for order microservice service

12:08

Discovery will give it a location and it

12:11

will pass it to the proper micros

12:16

service okay so sometimes there is a

12:19

separate service for service Discovery

12:22

and sometimes this the complete

12:24

functionality itself is inbuilt there in

12:27

the API Gateway

12:29

so these four are the major capabilities

12:32

of API Gateway but there are other

12:34

capabilities like request response

12:37

transformation the request which is

12:40

coming and the response which goes out

12:43

you can transform this according to your

12:45

company needs you can even cash the

12:48

response which is going out you can cash

12:50

it so that the next time same request

12:52

comes uh you don't have to invoke an API

12:55

itself you can directly response from

12:56

here itself and even you can put

13:01

logging now if API Gateway is a single

13:04

entry point how does it handle million

13:06

of request per second so before I goes

13:09

to this diagram let me do some rough

13:11

here and then I will tell you so till

13:15

now what we have seen is we have

13:18

microservices let's say invoice

13:21

microservice and it has multiple

13:25

instances okay then you have

13:29

order

13:31

microservice and it will have its own

13:34

multiple instances now you know that who

13:37

will take care of uh Distributing the

13:40

traffic to a

13:41

single uh microservices to a multiple

13:44

instance it's load balancer so you have

13:47

one load balancer which takes care of

13:51

Distributing the traffic between

13:53

multiple instances of this invoice

13:56

microservices this is invoice microser

13:59

Services similarly you will have one

14:01

load balancer which takes care of

14:03

responsibility to distribute the traffic

14:06

to a multiple instances of order

14:10

microservices

14:13

now who will route the traffic to a load

14:16

balancer you

14:18

have API Gateway so whenever the request

14:22

comes to an API

14:24

Gateway API Gateway check with service

14:28

discovery

14:29

hey this is the API / API SL invoice

14:33

let's

14:34

say now with service Discovery it will

14:37

give me an address of this load balancer

14:39

here you have to interact

14:40

with this in this scenario and if it is

14:45

uh SL API SL order then API Gateway will

14:49

check with service Discovery service

14:51

Discovery will give an address of this

14:53

load

14:54

balancer and this load balancer will

14:56

take care of Distributing whatever the

14:58

traffic it is coming com among multiple

15:00

instances of that that so now I am just

15:04

extended this to a Next Level now here

15:08

if you see I bring couple of new points

15:11

region and availability zone so you need

15:14

to First understand what is region and

15:16

what is availability zone now let's

15:20

say when we have to answer that how it

15:22

handle millions of requests per second

15:24

and when it say that it's a single entry

15:26

point does it really a single entry

15:28

point

15:30

right then what things comes into mind

15:33

is we have to understand first region

15:34

and

15:36

AZ consider this region as I'm saying

15:39

let's

15:40

say uh

15:43

Mumbai Mumbai is one region and AZ is

15:46

particular area area one let's say area

15:49

2 uh let's say

15:52

bandra and uh now XY Z area inside this

15:56

region so now in this each a there they

16:00

have a dedicated data

16:03

center dedicated

16:05

data

16:07

center notice that this AZ so this is

16:11

let's say AZ 1 this is az2 in this

16:14

region this region Mumbai has 2 a

16:17

availability zone right uh maybe bandra

16:21

and some other area and each area has a

16:24

dedicated Data Center and they do not

16:27

share any resource

16:30

if anyone goes down it's not like the

16:33

complete region is down this region its

16:35

traffic will now move to this

16:38

one when this also both goes down then

16:41

only we say that hey region is down

16:43

region one is down then companies do

16:46

have different region also region two

16:49

let's say maybe Chennai in Chennai

16:54

multiple az1

16:57

az2 Okay so so let's say one a area is

17:01

Shing another is some other area so even

17:06

though one a got down doesn't matter

17:09

this region has another a if all the A's

17:12

availability Zone get down then then

17:15

also there will not be any single point

17:17

of failure because this region is also

17:20

we have multiple

17:21

regions so the same thing here so you

17:25

already know that I have already showed

17:27

you microservices

17:29

now slowly understand this now I'm going

17:31

to extend it further you have a

17:34

microservices one it has multiple

17:40

instances who control the traffic to a

17:42

multiple instance of a single

17:44

microservice is your load

17:48

balancer similarly you have multiple

17:51

different uh microservice itself let's

17:53

say this is order micros service 2 it is

17:56

also has its own instances

18:00

load balancer will take care of

18:02

Distributing the traffic to this

18:04

multiple

18:05

instances so this would be all under one

18:08

availability

18:09

Zone this is your one availability

18:13

Zone similarly you have

18:16

a

18:18

same structure in az2 different

18:23

availability Zone okay same

18:25

microservices one it's multiple

18:27

instances microservices to it multiple

18:29

instances and load

18:32

balancer Now API Gateway is one region

18:35

level let's say that any request which

18:37

comes to an API Gateway API Gateway

18:40

check with service Discovery service

18:42

Discovery has many criteria and rules it

18:46

uh checks let's say that user belongs to

18:49

area one and the nearest availability

18:52

zone is this so the location with

18:55

service Discovery will give to an API

18:57

Gateway so API Gateway will route the

19:00

traffic to this availability zone now

19:03

based on the API uh either this load

19:06

balancer get invoked or this load

19:08

balancer right if it let's say an

19:10

invoice API this load balancer which is

19:13

has an invoice micros service if this is

19:16

an order API this load balancer get

19:18

invoke which is an order microservice

19:20

let's

19:20

say similarly uh if the user is nearest

19:25

to this availability Zone API Gateway

19:28

get the location from service Discovery

19:30

for this a and then based on the API uh

19:35

appropriate load balancer will get

19:38

invo now here if you see that this is

19:41

region one similarly you can have

19:44

multiple regions like this region two

19:46

there could be possible Region Three and

19:48

inside each region you have the same

19:50

thing so one thing is very clear that

19:52

it's not a single point of failure if

19:54

both the load balancer will fail mean

19:56

this a got down this az2 will take care

19:59

of it now if this also got failed this

20:03

also got failed means your complete

20:06

region is failed

20:08

then region two comes into the picture

20:11

let's say region two will take care of

20:14

it okay so it's not a single point of

20:16

failure first thing now the question

20:19

which might to be coming that hey

20:22

how we thought that API Gateway is a

20:25

single entry

20:26

point but now we have a different

20:29

regions different API

20:32

Gateway how the request is divided

20:34

between different regions also who who

20:38

like here load balancing is Distributing

20:41

the traffic between single uh

20:43

microservice instance right similarly

20:45

API Gateway is kind of another micros

20:47

service you can say or a software and it

20:50

has its multiple instances here in

20:52

different different regions now who is

20:54

going to distribute the traffic is it

20:56

the load balancer who is going to

20:57

distribute the traffic

20:59

you can say kind of so here if you see

21:02

that the DNS comes into the

21:05

picture so if you're using AWS there is

21:08

something called AWS 53 route you can

21:11

say that it is considered as a DNS based

21:13

load balancer similarly if you are using

21:15

Azure there is something called Azure

21:17

traffic manager it's again a DNS B load

21:21

balancer so whenever the client makes a

21:24

call okay so a specific DNS based load

21:29

balancer distribute the traffic between

21:32

an appropriate API Gateway and again it

21:35

has the same uh intelligence like a

21:39

service Discovery okay which traffic

21:41

should goes to which region depending

21:44

upon the latency compliance maybe there

21:46

is certain countries let's say XY Z

21:49

country its traffic should not goes to

21:51

this region it can only be goes to this

21:54

region so no matter even though it's far

21:57

the because of liance the traffic has to

22:00

be moved to this region so it's a very

22:03

intelligent uh DNS based load balancer

22:07

and it can help to Route the traffic

22:09

between multiple regions and appropriate

22:12

API Gateway get the request from this

22:15

now if you are curious another question

22:18

might comes to you that hey isn't that

22:20

DNS is a single point of failure then

22:23

what if this DNS goes down who will take

22:25

care of uh moving the traffic to the API

22:28

gate

22:29

ways no this is again a very big topic

22:33

but DNS is not a single point of failure

22:36

it's not a single point of failure so

22:39

whenever you type let's say that hey uh

22:42

example XY

22:46

z.com so this has to be converted to an

22:49

IP address who helps it DNS helps it but

22:54

there is no single instance of this

22:56

there are multiple like local DNS this

22:58

is a hierarchy local DNS root DNS top

23:01

level DNS then it goes to authorative

23:03

DNS but maybe in future video of system

23:07

design I will explain the DNS in depth

23:10

if you have any doubt and question we

23:11

can discuss further and DNS I will cover

23:13

in the second part all right thank you

23:16

bye