Mindset Shift - Deploy an Egress Gateway Remotely

Eyal Solomon, Co-Founder & CEO

A Remote Egress Gateway - The TL;DR

At Lunar.dev, we emphasize the critical need for deploying an Egress Gateway remotely as a powerful approach to managing API consumption in microservice architectures where horizontal scaling is often hindered by API providers becoming bottlenecks. In such environments, where scaling is essential, having an effective API management layer is crucial. 

Traditionally, we have advocated for deploying our API Consumption Gateway within a customer's VPC as a mediation layer to govern outgoing API traffic between their applications and third-party APIs. However, this blog post introduces an important extension of this concept: deploying the Egress Gateway not within the customer's VPC, but remotely at their customers' or vendors' VPCs. 

This approach allows for dynamic control and governance of API usage across different environments, ensuring compliance, security, and optimized API consumption on behalf of others. For companies that operate as "Consumers on Behalf of" (COBO), or large organizations working with multiple vendors, this remote deployment model offers an essential solution to manage API consumption more effectively.

This approach addresses two distinct scenarios:

  1. The first scenario involves being an API provider or marketplace that seeks to actively regulate the traffic coming to your servers from major customers. In this case, deploying an Egress Gateway on your customers' premises enables you to control and manage their API traffic as it reaches your servers.
  2. The second scenario applies to large organizations that provide access to public APIs and need to govern how these APIs are consumed by their vendors. In many cases, these vendors—often "Consumers on Behalf of" (COBO) companies—use the organization's API keys to interact with various public APIs as part of their service offerings. To maintain control and security over API consumption done on their behalf, these organizations should deploy an Egress Gateway at their vendors' locations. This setup ensures that API traffic originating from the vendors, using the organization’s credentials, is effectively regulated and monitored according to the organization’s compliance and usage policies.

Now, we will dive into both scenarios to explore the detailed considerations of such an architecture and provide practical examples. By examining these use cases, we aim to shed light on why deploying an Egress Gateway remotely—whether at a customer's site or a vendor's premises—can be a strategic move to enhance API governance, security, and compliance. This approach ensures that both API providers and consumers maintain control and visibility over API traffic, thereby optimizing performance and mitigating risks.

Scenario #1: Deploying an Egress Gateway on Your Customers' Premises

Let’s consider a scenario where you are an API provider granting access to multiple customers. 

A prime example is OpenAI, which provides APIs that allow customers to leverage powerful AI models for various applications. In such cases, many customers—ranging from small startups to large enterprises—consume your APIs and API endpoints, potentially overloading your backend infrastructure. This is precisely why API providers often implement rate limits or quotas for each customer tier, considering factors like the plan or subscription level they are on.

For API providers like OpenAI, granular access control and monitoring of API usage become essential, especially for premium or large customers. Deploying a mediation and control component, such as an Egress Gateway, directly on your customer’s side enables real-time management of API consumption. With this gateway in place, you can dynamically adjust usage limits, apply rate limiting rules, and prioritize access for specific VIP customers. You get all of the features a traditional API gateway offers, but without the redundant traffic that hammers your production servers just to be answered with a 429 error.

Another relevant example is a large marketplace like Monday.com, which supports integrations for multiple APIs—some of which are provided directly by the marketplace itself. In this context, the marketplace might want to regulate how customers use its APIs and even prioritize API access among its customers, such as VIP clients or based on regional or seasonal demands. 

Here again, deploying an Egress Gateway at these customers’ sites can provide better control and granularity over API consumption, enabling more refined management strategies tailored to specific business needs.

Benefits of Deploying a Remote Egress Gateway for Your Customers

  1. Prioritizing API Access for VIP Customers: Deploying an Egress Gateway remotely allows you to prioritize API access for your most valuable customers. This can be a strategic differentiation for your API offering and can also be packaged as a premium feature. By controlling API traffic directly from the client-side, you can ensure that VIP customers always receive priority access during high-demand periods, enhancing their user experience and satisfaction.
  2. Preventing Overload by Enforcing API Controls from the Client-Side: One of the primary reasons for deploying an Egress Gateway at your customers' sites is to prevent unwanted or excessive API calls from even reaching your backend. By enforcing rate limits and other controls directly from the client-side, you can proactively manage and mitigate the risk of overload or abuse, ensuring that your servers remain stable and that service levels for all customers are maintained. Additionally, this setup allows you to handle strategies like exponential backoff directly within the gateway logic. 

By managing backoff policies at the client-side gateway, you remove the burden from your customers to implement complex retry logic in their code to comply with your exponential backoff strategy. This simplifies integration and ensures consistent, fair traffic management without "punishing" customers with additional development overhead.

  3. Reflecting API Usage to Your Customers: With a remote Egress Gateway, you can provide customers with a clear reflection of how they are utilizing your platform—whether it’s an API or a marketplace. This transparency is valuable for customers looking to optimize their API consumption and can drive better engagement by allowing them to understand and manage their own usage more effectively.
  4. Comparing Usage Patterns Among Customers: Deploying Egress Gateways locally at each customer site enables you to collect and compare usage patterns across different customers. By analyzing these patterns, you can make more informed business decisions about your API or marketplace offerings, such as adjusting pricing models, introducing new tiers, or creating targeted marketing campaigns based on actual usage data.
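
The client-side enforcement and gateway-managed backoff described in the "Preventing Overload" item above, as an added example (not Lunar.dev's code): a token bucket answers over-quota calls locally with a 429 so they never reach the provider, and the gateway itself retries provider 429s with jittered exponential backoff. `TokenBucket`, `EgressGateway`, `backoff_delay` and the provider replies are hypothetical names and constructed data.

```python
import random
from dataclasses import dataclass

@dataclass
class TokenBucket:
    rate: float        # tokens refilled per second (provider-set quota)
    capacity: float    # maximum burst
    tokens: float      # current balance
    updated: float = 0.0

    def take(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def backoff_delay(attempt, retry_after=None, base=0.5, cap=30.0, rng=random.random):
    """Full-jitter exponential backoff; a provider Retry-After acts as a floor."""
    return max(rng() * min(cap, base * 2 ** attempt), retry_after or 0.0)

class EgressGateway:
    def __init__(self, bucket, upstream, sleep, max_attempts=4):
        self.bucket, self.upstream = bucket, upstream
        self.sleep, self.max_attempts = sleep, max_attempts

    def forward(self, request, now):
        if not self.bucket.take(now):
            # Over quota: answer locally so the call never reaches the provider.
            wait = (1 - self.bucket.tokens) / self.bucket.rate
            return {"status": 429, "served_by": "gateway", "retry_after": round(wait, 3)}
        for attempt in range(self.max_attempts):
            status, retry_after = self.upstream(request)
            if status != 429:
                return {"status": status, "served_by": "provider", "attempts": attempt + 1}
            if attempt + 1 < self.max_attempts:   # gateway, not customer code, waits
                self.sleep(backoff_delay(attempt, retry_after))
        return {"status": 429, "served_by": "provider", "attempts": self.max_attempts}

def demo():
    calls, slept = [], []
    replies = iter([(429, 1.0), (429, None), (200, None), (200, None)])  # constructed
    def upstream(request):
        calls.append(request)
        return next(replies)
    gw = EgressGateway(TokenBucket(1.0, 2.0, tokens=2.0), upstream, slept.append)
    results = [gw.forward(f"GET /v1/items?page={i}", now=0.0) for i in range(3)]
    return results, len(calls), slept
```

In `demo()`, the third request is refused by the gateway itself and the provider sees only four calls, two of which were retries the customer's code never had to implement.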

Scenario #2: Deploying an Egress Gateway on Your Vendors' Premises

Consider a hypothetical example to illustrate this scenario: a company like Costco, which relies on numerous SaaS services, including financial tools, CRM systems, Slack, Microsoft Office, HR systems, and more, seeks to manage and control how its API keys are being used. Costco has 3 COBO vendors:

  1. Tenable - a SaaS security company. As a COBO (Consumer on Behalf of) company, Tenable consumes Costco's API keys to provide SaaS Security Posture Management services, monitoring and securing Costco’s various cloud and SaaS applications.
  2. Zapier - a low-code/no-code platform, which uses Costco’s API keys.
  3. Retool - a business analytics tool, which uses Costco’s API keys.

By enforcing the deployment of an Egress Gateway at Tenable's end, Costco can gain proper control over what API calls are made and what data is extracted by Tenable, Zapier and Retool, ensuring compliance and maintaining a strong security posture.

Benefits of Deploying a Remote Egress Gateway on Your Vendors

  1. Security - Governing Access to Your Premises: Deploying an Egress Gateway at your vendors' premises ensures that they have just the right level of access to your systems. If a vendor gets compromised, an Egress Gateway allows you to enforce strict controls over what data can be extracted from your APIs. This proactive approach minimizes the risk of malicious actors exploiting your API keys to exfiltrate sensitive data, thus safeguarding your infrastructure.
  2. Compliance - Active Monitoring of Vendor Activities: Vendors like SaaS and cloud service providers often have extensive access to your sensitive data and APIs. To ensure compliance with regulatory requirements, it’s crucial to have visibility and control over their actions. By deploying an Egress Gateway at your vendors' locations, you can actively monitor and validate their API calls, ensuring that they are only performing authorized operations and adhering to your compliance policies.
  3. Resource Controls - Enforcing Consumption Policies: Managing resource consumption is another critical consideration for deploying an Egress Gateway at your vendors' premises. By having an active component on their end, you can enforce a consumption policy that prevents vendors from exhausting your API quotas or consuming prioritized resources. This ensures that your own applications and operations are not adversely affected by a vendor’s excessive or inefficient API usage.

Deploying an Egress Gateway at your vendors’ locations offers robust control and visibility over how your APIs are consumed. It not only enhances your security and compliance but also ensures that you can manage resources more effectively, leading to a more sustainable and secure digital ecosystem.

Considerations for Remote Egress Gateway Deployment

Now that we’ve discussed the need and explored different scenarios for deploying an Egress Gateway remotely, it's important to address the key considerations for such an architectural shift. Deploying an Egress Gateway, whether at a customer’s or a vendor’s site, requires thoughtful planning to ensure it integrates smoothly into existing systems and meets the intended objectives of control, security, and visibility. Here are the critical factors to consider:

  1. Ease of Installation and Configuration: The Egress Gateway should be easy to install as a standalone component, minimizing the complexity for the end user. It should also be configurable to manage only the selected external APIs, giving you fine-grained control over specific API traffic without overwhelming the customer or vendor with unnecessary configurations.
  2. Self-Served and Controlled Options: The Gateway should be flexible enough to be self-served, meaning it can be controlled either by the customer or by you through a SaaS control plane. This allows the end user to manage their API traffic policies directly while giving you the ability to enforce necessary regulations and updates from a centralized platform.
  3. Real-Time Visibility and Monitoring Integration: You need to ensure that the Gateway can provide real-time visibility into your customers' or vendors' API consumption. This visibility should seamlessly integrate into your existing tech stack, allowing you to configure thresholds, alerts, and automated actions when certain conditions are met. This capability is crucial for proactive management and quick responses to potential issues.
  4. Fail-Safe Mechanism for Business Continuity: To prevent any disruption to business operations, the Egress Gateway should have a robust failsafe mechanism in place. In the event that the Gateway goes down or becomes unavailable, the API calls should be able to bypass the Gateway and connect directly to their destination. This ensures that business continuity is not compromised and that the flow of critical API traffic remains uninterrupted.

By considering these key factors, you can effectively deploy a remote Egress Gateway architecture that not only enhances security, compliance, and resource management but also ensures a seamless and resilient API ecosystem for both your customers and vendors.
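
A client-side sketch of the fail-safe in consideration 4, added here as an illustration and not Lunar.dev's implementation: calls bypass the gateway only when it is unreachable, never when it returns a policy decision, and every bypassed call is recorded so traffic that skipped governance can be reviewed. `FailsafeClient`, `GatewayUnreachable` and the injected transports are hypothetical, and the responses are constructed.

```python
import logging

log = logging.getLogger("egress.failsafe")

class GatewayUnreachable(Exception):
    """Transport failure reaching the gateway (refused connection, timeout)."""

class FailsafeClient:
    # via_gateway / direct are injected transports (hypothetical names).
    def __init__(self, via_gateway, direct, probe_after=3):
        self.via_gateway, self.direct = via_gateway, direct
        self.probe_after = probe_after   # direct calls allowed before re-probing
        self.gateway_up, self.skipped = True, 0
        self.bypassed = []               # audit trail: calls that skipped governance

    def send(self, request):
        if not self.gateway_up and self.skipped < self.probe_after:
            return self._bypass(request, "gateway marked down")
        try:
            response = self.via_gateway(request)
        except GatewayUnreachable as exc:
            self.gateway_up, self.skipped = False, 0
            return self._bypass(request, str(exc))
        self.gateway_up = True
        return response                  # a policy denial (e.g. 429) is returned, never bypassed

    def _bypass(self, request, reason):
        self.skipped += 1
        self.bypassed.append((request, reason))
        log.warning("egress bypass: %s (%s)", request, reason)
        return self.direct(request)

def demo():
    state = {"up": True}                 # constructed gateway health flag
    def via_gateway(req):
        if not state["up"]:
            raise GatewayUnreachable("connection refused")
        return (429, "gateway") if "export" in req else (200, "gateway")
    client = FailsafeClient(via_gateway, lambda req: (200, "direct"), probe_after=2)
    out = [client.send("GET /users"), client.send("GET /export")]    # healthy
    state["up"] = False
    out += [client.send("GET /users"), client.send("GET /export")]   # outage
    state["up"] = True
    out.append(client.send("GET /export"))                           # re-probe
    return out, client.bypassed
```

During the simulated outage the `/export` call that the gateway would have refused goes through directly; the `bypassed` list and the warning log are what make that gap visible afterwards.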

To Conclude

As we've explored throughout this post, deploying an Egress Gateway remotely—whether at your customers' or vendors' sites—offers a powerful solution for managing API traffic, enhancing security, ensuring compliance, and optimizing resource usage. 

At Lunar.dev, we provide exactly this type of Egress Gateway: one that can be deployed in a self-hosted manner on behalf of companies, offering unparalleled control and visibility over API consumption.

If you're looking to implement a robust API management strategy that aligns with your business needs and compliance requirements, feel free to contact us for more information. We're here to help you navigate and master the complexities of API consumption management in today's digital landscape.
