What is an API gateway? Learn everything you need to know about the world of APIs, and see how NGINX can help you create a high-performance, secure API gateway.

1. Deploy and Secure
Your API Gateway
with NGINX
FROM ZERO TO HERO
Scott van Kalken
Solution Architect
November 17, 2021

2. | ©2021 F5 | NGINX SPRINT APAC 2.1
2
Scott van Kalken
Everyone just calls me svk (it’s easier)
Interested in devops and application testing.
Super passionate about open source (not just
software, but data too)
I have the privilege of helping run a few
meetups.

3. | ©2021 F5
3
• What is a (REST) API?
• API essentials – what do users and owners want?
• What are API Gateways and how do they help deliver mission-critical digital
experiences?
• Deploying NGINX as an API Gateway
• Securing an API Gateway using NGINX App Protect WAF
Table of contents

4. | ©2021 F5
4
What is a (REST) API?

5. | ©2021 F5
6
Developers provide dedicated URLs that are optimized to
return pure data to requesting clients
Web client à Web server à Request returns HTML
API client à API Endpoint à Request returns data
API endpoint
EASY TO CONSUME DATA

6. | ©2021 F5
7
Components of an API request
a) API endpoint (URL)
b) API method
c) Request body (if sending a POST/PUT request)
d) API client -> curl, postman, client application, etc…

7. | ©2021 F5
10
Anatomy of an API call
API Client Internet API(s)

8. | ©2021 F5
11
$ curl -s -X GET https://pokeapi.co/api/v2/pokemon/ditto | jq '.types'
[
{
"slot": 1,
"type": {
"name": "normal",
"url": "https://pokeapi.co/api/v2/type/1/"
}
}
]

9. | ©2021 F5
12
$ curl -sI https://pokeapi.co/api/v2/pokemon/ditto
HTTP/2 200
date: Wed, 06 Oct 2021 16:06:01 GMT
content-type: application/json; charset=utf-8

10. | ©2021 F5
13
API Essentials
What do users and owners want

11. | ©2021 F5
14
APIS ARE EXPERIENCING EXPLOSIVE GROWTH
The rise of APIs

12. | ©2021 F5
15
Drivers for API Adoption
Ease access to
information
• Break down siloes and
unlock data (within and
among organizations)
• Increase collaboration
amongst developers
Create new digital
revenue streams
• New opportunities to
generate revenue
• Build partnerships with
third-party developers
and business ecosystem
Connect
microservices
• Primary interface for
communication amongst
microservices

13. | ©2021 F5
18
API essentials
USERS / CONSUMER
Documentation
Ease of use Low latency Security

14. | ©2021 F5
19
Developer
productivity
Revenue
growth
API essentials
OWNERS
Customer
experience
Brand
protection

15. | ©2021 F5
20
API Gateways
How do they help deliver mission-critical digital experiences

16. | ©2021 F5
21
AUTHENTICATION
REQUEST ROUTING
TRAFFIC CONTROL
EXCEPTION HANDLING

17. | ©2021 F5
22
Anatomy of an API call
API Client
Internet /
WAN
API
Gateway
API(s)

18. | ©2021 F5
23
API gateway essentials
CONTROL ACCESS TO YOUR APIS
• Centralized logging
• Client authentication
• Fine grained access control
• Load balancing
• Rate limiting
• Request routing
• Request/response manipulation
• Service discovery of backends
• TLS termination

19. | ©2021 F5
24
PERFORMANCE IS KEY
API gateway essentials
30 ms ... to process
an API request
end-to-end
... to route, shape,
authenticate, secure,
and cache an API
@p99
(latency)

20. | ©2021 F5
25
NGINX Plus
as an API Gateway

21. | ©2021 F5
27
30%
Source: NGINX User Survey 2020
of NGINX deployments
are as an API Gateway

22. | ©2021 F5
28
ACCESS YOUR APIS IN LESS THAN 30MS EVEN WHEN USING AN API GATEWAY
What makes NGINX API Gateways special?

23. | ©2021 F5
30
+

24. | ©2021 F5
31
NGINX API gateway
KEY STRENGTHS
High performance
for real-time APIs
DevOps friendly Platform flexibility Distributed environments

25. | ©2021 F5
32
Authentication options
API
gateway
HTTP
basic
Client
cert
JWT
(NGINX Plus)
API key

26. | ©2021 F5
33
API Security

27. | ©2021 F5
35
• “The continuous growth in open source
usage”
• “A substantial increase in security
research, resulting in a rise in the
number of reported security issues
including a high number of API
vulnerabilities”
• “The growing popularity of containerized
environments, which suffer from a high
volume of code and configuration issues”
FORRESTER’S STATE OF APPLICATION SECURITY REPORT 2021
Bridging the Gap Between
Security and Dev
Source:
https://www.whitesourcesoftware.com/resources/blog/forre
sters-state-of-application-security-2021-key-takeaways/

28. | ©2021 F5
37
+

29. Demo Time

30. | ©2021 F5
60
In conclusion…

31. | ©2021 F5
61
=
Step 1 – api’s
Step 2 – custom error messages
Step 3 – add URI request routing
Step 4 – add rate limiting
Step 8 – Web Application Firewall
Step 5 – static API key
Step 6 - JWT
Step 7 - Input validation

32. | ©2021 F5
62
Resources
FIND OUT MORE!
https://www.nginx.com/resources/library/nginx-api-gateway-deployment https://www.nginx.com/blog/deploying-nginx-plus-as-an-api-gateway-part-1/

33. | ©2021 F5
63
DEPLOY AND SECURE YOUR API GATEWAY WITH NGINX’S FREE TRIAL -> HTTPS://WWW.NGINX.COM/FREE-TRIAL-REQUEST/
Check out NGINX Plus and NGINX App Protect!

34. | ©2021 F5
64
Q&A