Introducing ngrok’s developer-defined API Gateway: Shifting the paradigm of API delivery

01-21-2015: We updated this blog post with new code snippets for our new on_http_request phase and links to our API gateway guides.

We are delighted to announce the launch of ngrok’s composable "API gateway".

ngrok's API gateway builds additional capabilities on top of the powerful ngrok platform, including traffic routing, JWT authentication and authorization for API security, rate limiting for ensuring fairness, preventing resource exhaustion of origin services, and flexible request/response manipulation—all powered by our new Traffic Policy engine.

At the core of everything we do is empowering developers while adhering to the organization’s security and governance policies. ngrok’s core functionality equips developers to bring secure connectivity to their applications and APIs across test/dev/CI and production environments with just a single command or function call. ngrok already serves billions of API requests on a daily basis powered by our global network. These new features further strengthen API gateway capabilities so that developers can deliver production grade APIs with ease.

The challenges with API delivery todayCopy link to clipboard

APIs are the lifeblood of modern software, connecting applications and services across diverse environments. However, managing API delivery can be a complex beast, riddled with friction, operational burdens, and environment lock-in.

In the early days of APIs, developers would build APIs and throw them over the wall to operations teams. This team would deploy and configure a simple load balancer to manage traffic to these APIs. But now, there’s a fundamental shift in software development practices—developers, while primarily responsible for building the business logic for their applications and APIs, also have to ensure their performance, scalability, security and availability. However, developers don’t always control or manage the ingress layer and the API gateway infrastructure, leading to these challenges:

• Reduced development velocity: Developers have to rely on IT Ops/NetOps teams to deploy and deliver APIs in production. They have to file tickets and coordinate with these teams who are responsible for ensuring compliance, security and governance of enterprise applications and APIs. Operations teams in turn have to provision, deploy, configure and manage potentially hundreds of these gateways at scale. Consequently, deploying an API in production can take weeks or even months, resulting in substantial revenue losses.

• Underutilized API gateways: Because developers don’t have direct control over API gateways, they are not always able to take advantage of critical API gateway capabilities such as rate limiting or authentication. They are not able to fine-tune the gateway to fulfill non-functional requirements required to ensure performance, stability and security of APIs.

• Security and performance incidents: Lack of developer control increases the risk of a broken contract between the API services and traffic management. For instance, an API service expects a custom HTTP header field that indicates the authenticated user for every request. This could be a pricing API that requires only authenticated users to make modifications. However, an update could accidentally change or remove this custom HTTP header configuration in the API gateway, which could break the service. Misconfigured API gateways could cause downtime, slowness or unauthorized access.

• Unsuitable for test/dev and CI environments: Utilizing API gateways requires making changes to routing configurations and firewall settings, tasks often beyond the realm of familiarity for developers. As a result, these users struggle to establish connectivity for test/dev/sandbox/CI environments, which is necessary for comprehensive API testing. Furthermore, spinning up API gateways for every single test case is cumbersome and time consuming. Because of these challenges, developers forgo driving traffic to their APIs in test/dev and CI environments resulting in undetected issues and deployment risks in production.

• Deployable or public cloud gateways—a tough choice: Today, operations teams and developers have to choose between these two types of API gateways, and it’s not an easy choice. They both have their strengths and weaknesses as presented below:

Ultimately, enterprises are forced to choose between two difficult options that limit their ability to fully deliver on the promise of APIs and serve the needs of their customers.

ngrok’s developer-defined API gateway: A new paradigm for efficient API deliveryCopy link to clipboard

ngrok cuts through the complexity with a composable API gateway built for speed, agility, and control. ngrok puts developers in the driver seat and this approach advances business outcomes in the following manner:

• Accelerated development velocity: ngrok enables developer self-service, eliminating reliance on Ops for API delivery to production. While this frees developers and speeds time to market, ngrok also empowers operations teams with robust control and governance capabilities. Developers operate within the secure confines of guardrails set forth by Operations teams.

• Eliminate operational overhead and friction: With control over API gateways, developers can fully leverage key functionality such as rate limiting, and fine-tune traffic management. This allows them to optimize performance, security and cater to specific user needs.

• Prevent security and performance incidents by eliminating broken contracts: ngrok SDKs allow embedding ingress into the application itself. With this approach, the hidden dependency between the delivery infrastructure (API gateway) and the API itself is removed. It minimizes the risk of configuration errors that can occur with manual updates to API gateways, ensuring the API requests match the exact parameters needed by the API.

ngrok breaks the binary choice between deployable and cloud-based gateways by combining the strengths of both these solutions:

• As-a-service simplicity: ngrok removes the hassle of deploying, provisioning, configuring and managing multiple API gateways with its always-on service, simplifying operations.

• Feature-rich and flexible: Supports a wide range of features that can be leveraged with a flexible, easy-to-use, and powerful traffic policy engine.

• True environment independence: Enables frictionless operation across multi-cloud, localhost and CI environments by using the same configuration across these. Eliminates the burden of maintaining environment specific configurations.

• Pay-as-you-go scalability: Scalable model without massive initial financial commitments, enabling smooth transition from development to production. You only pay for successful API calls that return a HTTP/200 response.

ngrok API gateway capabilitiesCopy link to clipboard

The ngrok API gateway offers a comprehensive set of features for traffic management and security, all powered by a powerful traffic policy engine.

Traffic Policy engine: This is a flexible CEL and JSON based policy rules engine with tremendous expressive power to control and shape traffic flow. ngrok’s traffic policy engine analyzes requests and responses and takes appropriate actions based on pre-defined rules. It allows developers, DevOps and SecOps teams to create fine-grained traffic routing such as denying access to specific resources or performing URL rewrite to tailor responses to specific client requirements without altering origin services. It acts as the brain of ngrok, evaluating each request against a set of criteria and taking appropriate action based on the result. Traffic Policy Engine can be used to authenticate APIs using JWT, set rate limits and support request/response manipulation such as URL path rewrite.

ngrok API Gateway unlocks these capabilities for developers:

• Instant secure connectivity to APIs: Building a new API is the fun part, but getting it to your customers in a secure and reliable way usually means learning and deploying new infrastructure to your organization. With ngrok, all the infrastructure is in our cloud, and so bringing your new API into production is literally a single command:

ngrok http 80 --url=api.example.com --traffic-policy-file /path/to/policy.yaml

• JWT based Authentication & Authorization: When machines need to talk to other machines securely, one option is to use JSON Web Tokens (JWTs). These tokens contain information that can be verified and trusted because it is digitally signed. ngrok’s JWT validation action allows you to configure ngrok to validate JWT signatures before they ever touch your services, ensuring only authorized traffic reaches your API. It’s just one more way building with ngrok makes your APIs and infrastructure more secure.

• Rate limiting: ngrok’s rate limiting enables multi-tenant system resiliency by fairly distributing access among all clients. It controls the number of requests or calls each client can make, ensuring equitable resource usage. This is crucial for maintaining the stability and performance of APIs, as it prevents any single client from overwhelming the system, thereby protecting service quality for all users. In this example, only 30 requests per minute are allowed.

on_http_request:
  actions:
    - type: rate-limit
      config:
        name: Only allow 30 requests per minute
        algorithm: sliding_window
        capacity: 30
        rate: 60s
        bucket_key:
          - req.getHeader('x-api-key')

• Request/response manipulation for efficient routing: ngrok’s API gateway rewrites user friendly and search engine friendly requests to the URL of the actual service.

on_http_request:
  actions:
    - type: url-rewrite
      config:
        from: v0/user/([0-9]+).*
        to: v1/user?id=$1

Simplify API delivery across test/dev and production environmentsCopy link to clipboard

ngrok's API Gateway is more than just a cloud-based, platform agnostic API gateway solution; it's a philosophy shift. It empowers developers, streamlines operations, and unlocks the true agility and scalability of modern API-driven architectures. This ensures developers can innovate freely within the guardrails established by operations teams, creating a win-win scenario for both teams and setting the business up for success.

All you need to get started is a free ngrok account. Next, check out our end-to-end guides on setting up ngrok as your composable API gateway.

• Deliver and secure APIs in production
• Deliver and secure ingress for APIs in Kubernetes

Questions about using ngrok in production? Want to beam over a feature request? Reach out to support@ngrok.com, join us on our monthly Office Hours livestreams or drop an issue in our ngrok/ngrok community repo on GitHub.