
The Roles of Service Mesh and API Gateways in Microservice Architecture
And how to make the most of both

Tanmay Deshpande
Oct 3 · 5 min read

Image credit: Author

If you’re into microservices, then you might’ve heard about these two terms multiple
times. Often people get confused between the two. In this article, I’m going to talk about
service meshes and API gateways in detail and discuss when to use what.

Network Layers Refresher


Before diving into service meshes and API gateways, let’s revisit the network layers. The
following is the OSI network layer model:

Image credit: Author

This refresher is here because the next sections refer to some of these layers.

Service Mesh
A service mesh is a technology that manages service-to-service communication within a
distributed software system. Service meshes manage the east-west type of network
communications. East-west traffic indicates a traffic flow inside a data center,
Kubernetes cluster, or a distributed system.

Service meshes consist of two important components:


Control plane

Data plane

The proxies residing next to the app are called the data plane, while the management
components coordinating the behavior of proxies are called the control plane.

Service Mesh — Image credit: Author

A service mesh allows you to separate the application’s business logic from the network,
reliability, security, and observability.

Networking and traffic management


A service mesh allows you to perform dynamic service discovery. A sidecar proxy can
help you do the load balancing and rate limiting. It can help you do traffic splitting to
perform an A/B type of testing, which can be helpful for canary releases.

Observability and reliability


A service mesh supports distributed tracing, which helps you do advanced monitoring
(number of requests, success rates, and response latencies) and debugging. It can even
tap service-to-service communication so you can better understand how the services
talk to each other.

Since the service mesh provides health checks, retries, timeouts, and circuit breaking, it
improves the baseline reliability of your application.

Security
A service mesh allows mutual TLS among the services, which helps increase the security
of service-to-service communication. You can also implement access-control lists (ACLs)
as security policies.

A true service mesh/sidecar proxy supports a wide range of services and implements
L4/L7 traffic policies.
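
The ACL idea above, sketched as an added example (not code from the article or from any mesh project): a default-deny check that keys on the identity carried in the mutually authenticated client certificate rather than on anything the caller asserts. The policy layout, the service names and the SPIFFE-style URIs are assumptions made for illustration.

```python
# Added example: ACL check keyed on the mTLS peer identity (default deny).
# The policy layout, service names and SPIFFE-style IDs are hypothetical.
import posixpath
from fnmatch import fnmatchcase

# Constructed policy: destination service -> explicit allow rules.
POLICY = {
    "orders": [
        {"principal": "spiffe://cluster.local/ns/shop/sa/checkout",
         "methods": {"GET", "POST"}, "path": "/orders/*"},
        {"principal": "spiffe://cluster.local/ns/shop/sa/reporting",
         "methods": {"GET"}, "path": "/orders/*"},
    ],
}

def peer_identity(cert):
    """Return the URI SAN from an ssl.SSLSocket.getpeercert() dict, or None.

    getpeercert() returns an empty dict for an unvalidated certificate and
    None when the peer sent none, so both cases yield no identity here.
    """
    sans = (cert or {}).get("subjectAltName", ())
    uris = [value for kind, value in sans if kind == "URI"]
    return uris[0] if len(uris) == 1 else None   # refuse ambiguous identities

def authorize(dest, cert, method, path):
    """Allow only when an explicit rule matches the authenticated caller."""
    principal = peer_identity(cert)
    if principal is None:
        return False
    # Reject non-canonical paths so "/orders/../admin" cannot ride a wildcard.
    if posixpath.normpath(path) != path:
        return False
    for rule in POLICY.get(dest, ()):
        if (rule["principal"] == principal and method in rule["methods"]
                and fnmatchcase(path, rule["path"])):
            return True
    return False

# Constructed certificates in the shape getpeercert() returns after a handshake.
CHECKOUT_CERT = {"subjectAltName": (
    ("URI", "spiffe://cluster.local/ns/shop/sa/checkout"),)}
REPORTING_CERT = {"subjectAltName": (
    ("URI", "spiffe://cluster.local/ns/shop/sa/reporting"),)}

if __name__ == "__main__":
    print(authorize("orders", CHECKOUT_CERT, "POST", "/orders/42"))
    print(authorize("orders", REPORTING_CERT, "POST", "/orders/42"))
    print(authorize("orders", None, "GET", "/orders/42"))
```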

There are numerous service meshes available on the market. The following are a few of
them:

Istio

Linkerd

Kuma

Consul

You can find a number of articles on the internet comparing the service meshes listed
above.

API Gateway
An API Gateway acts as a single point of entry into a cluster, a data center, or a group of
distributed services. In network-topology terms, the traffic it handles is often referred to
as north-south traffic. Typically, mobile clients fall into this type of network traffic.

It’s also quite possible that people may end up using API gateways for communication
between two products deployed in the same data center. In that case, the traffic type
can be east-west.

An API Gateway takes calls from clients and routes those to appropriate services. While
doing so, it can also translate protocols.

Image credit: Author

There are various benefits of using an API gateway:

Abstraction: An API gateway can abstract the complexity of the microservices
underneath and create a uniform experience for the clients

Authentication: An API Gateway can take care of the authentication and pass on
the token information to the services

Traffic control: An API Gateway can throttle inbound and outbound API traffic

API monitoring/monetization: If you plan to monetize APIs, an API gateway can
help you do that by providing capabilities to monitor API requests/responses by the
client

Transformations: An API Gateway can help translate/transform API
requests/responses. It can also help with protocol translations.

API gateways typically focus on L7 policies only.
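
The authentication benefit listed above, as an added example (not code from the article or from any gateway product): the gateway verifies the caller's token once, removes any identity headers the client tried to supply, and forwards only verified claims to the services behind it. The header names, the demo key and the two-part token layout are assumptions made for illustration.

```python
# Added example: edge gateway authenticates once, then forwards identity.
# Header names, the key and the token layout are hypothetical.
import base64, hashlib, hmac, json

GATEWAY_KEY = b"constructed-demo-key"   # placeholder; load from a secret store
IDENTITY_HEADERS = {"x-user-id", "x-user-scopes"}   # set only by the gateway

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims):
    """Stand-in for the identity provider: payload.signature (HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def verify_token(token, now):
    """Return the claims if signature, expiry and subject check out, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > now and claims["sub"] else None
    except (ValueError, KeyError, TypeError):
        return None   # malformed tokens are treated like invalid ones

def gateway_forward(headers, now):
    """Return (status, upstream_headers) for one inbound request."""
    inbound = {k.lower(): v for k, v in headers.items()}
    # Drop identity headers sent by the client so they cannot be spoofed.
    upstream = {k: v for k, v in inbound.items() if k not in IDENTITY_HEADERS}
    auth = upstream.pop("authorization", "")
    claims = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, {}
    upstream["x-user-id"] = claims["sub"]
    upstream["x-user-scopes"] = " ".join(claims.get("scopes", []))
    return 200, upstream
```

Services behind the gateway can trust these headers only if they are unreachable except through the gateway.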


Types of API gateways
From the deployment perspective, there are two ways in which API gateways can be
used:

Internal API gateway: Acts as a gateway for a group of services or for a product
scope

Edge API gateway: Acts as a gateway for outside organizations’ consumers or
mobile clients

There are a number of API gateways available on the market. The following are a few of
them:

Apigee

Kong Gateway

NGINX’s API gateway

Software AG’s API gateway

When to Use What


Now that you know what service meshes and API gateways are, let’s try to understand
when to use what.

When to use a service mesh


When you need to achieve L4/L7 service communication with security and
monitoring within the same product scope

When you can deploy sidecar proxies for every single service instance and its
replicas

When services can share the same CA certificate in order to establish secure
communication (this might not be possible across various products)

When to use an API gateway


When you need to achieve L7 service communication with security and monitoring
across various products

When you want to expose the API as a product with/without the monetization

When you want to provide the API full lifecycle management to the developers

When you need to translate the protocols of service communications

A Service Mesh and an API Gateway Together


It’s entirely possible for a service mesh and an API gateway to coexist. The following
diagram showcases coexisting service mesh and API gateway scenarios:

Service meshes and API gateways — Image credit: Author

The diagram above shows that within a product scope, you can implement a service
mesh (east-west traffic). When there needs to be communication across products, an
internal API gateway can be used (east-west traffic). When clients at the edge need to
communicate with the services, an edge API gateway can be used (north-south traffic).

Thanks to Zack Shapiro.
