The issues with microservice API gateways

We have listed several key benefits and contributions of API gateways toward microservice-centric business applications. However, there are a few drawbacks too. The gateway infrastructure is an additional abstraction layer, and all control and data flows pass through this middleware, so system performance can degrade. It is an additional hub through which every service request and response passes. It is not only a single point of contact but also a single point of failure. When the number of microservices goes up significantly, complications increase steadily. API gateways do not provide resiliency for service-to-service communication. Service mesh solutions provide that much-needed service resiliency, which, in turn, results in reliable applications. With the widespread use of technologically advanced cloud infrastructures, we can safely expect lots of reliable systems and environments.

Policy configuration in API gateways: we indicated in the preceding section that the API gateway is capable of content attack protection (CAP). By specifying and modifying security policies, API gateways can thwart such attacks. Content attacks are primarily performed by inserting malicious data into service request messages. The most widely known content attacks involve inserting special characters. The other prominent content attack methods are text patterns, and SQL and XPath injections. The way to surmount this type of attack is to configure appropriate CAP policies for inbound as well as outbound traffic. These measures can protect against SQL and XPath injection attacks. Other measures include limiting the accepted HTTP versions, methods, and URL paths. There are further options, such as defining a whitelist of domain names and client IP addresses, and limiting query parameters and HTTP headers.

The IoT device (client) sends a message request to a microservice via an API gateway. An inbound CAP policy scans the service request message for any possible content-based attacks. If there is any violation, the API gateway sends an error message back to the IoT device client. If there is none, the API gateway passes the verified and validated message to the service mediation layer for identity verification, authentication, and authorization. Then, the right microservice endpoint is invoked and the message is processed. The microservice in turn calls one or more microservices. Then, the outbound CAP policy scans the reply message for any content-based attacks. If there is no violation, the response is delivered to the requesting client.
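The inbound and outbound CAP flow described above, as an added sketch that is not from the book or from any gateway product. The policy values, the patterns, the names `Message`, `inbound_policy` and `handle`, and the 502 returned on an outbound violation are all assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed policy values (assumptions); a real gateway loads its own.
VERSIONS = {"HTTP/1.1", "HTTP/2"}
METHODS = {"GET", "POST"}
PATH = re.compile(r"/v1/telemetry(/[A-Za-z0-9_-]{1,64})?")
CLIENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
PARAMS = {"device_id", "since"}
HEADERS = {"host", "content-type", "authorization"}
# Coarse text patterns for SQL and XPath injection; a filter, not a parser.
PATTERNS = [re.compile(p, re.I) for p in (
    r"['\"]\s*(or|and)\s+[^=]+=",                    # ' or '1'='1
    r"\b(union\s+select|drop\s+table)\b|--|/\*",     # SQL keywords, comments
    r"//\*|\b(count|string-length|substring)\s*\(",  # XPath wildcard, functions
)]

@dataclass
class Message:
    body: str
    version: str = "HTTP/1.1"
    method: str = "POST"
    path: str = "/v1/telemetry"
    client_ip: str = "10.20.3.7"
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def has_attack(values):
    return any(p.search(v) for v in values for p in PATTERNS)

def inbound_policy(m):
    """Return (status, reason); 200 means forward to the mediation layer."""
    checks = [
        (m.version in VERSIONS, 505, "http version"),
        (m.method in METHODS, 405, "method"),
        (PATH.fullmatch(m.path) is not None, 404, "path"),
        (any(ipaddress.ip_address(m.client_ip) in n for n in CLIENT_NETS), 403, "client ip"),
        (set(m.params) <= PARAMS, 400, "query parameter"),
        ({h.lower() for h in m.headers} <= HEADERS, 400, "header"),
        (not has_attack([m.body, *m.params.values()]), 400, "content"),
    ]
    return next(((code, why) for ok, code, why in checks if not ok), (200, "ok"))

def handle(m, service):
    status, why = inbound_policy(m)
    if status != 200:
        return status, why                # error goes back to the client
    reply = service(m)                    # mediation + microservice (caller's stub)
    return (502, "outbound content") if has_attack([reply]) else (200, reply)
```

Pattern matching of this kind is a coarse filter in front of the services; the microservices behind the gateway still need parameterized queries and their own input validation.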
