API Gateway

F5® Distributed Cloud Mesh’s API Gateway service is a distributed service that enables users to build, deploy, publish, secure, and operate APIs. An API gateway handles all the services required for delivering APIs, such as routing API requests to origin services and applying rate limiting and security policies. Mesh’s API Gateway service is globally distributed and can be deployed across the user’s public, private, and edge clouds as well as on F5 Distributed Cloud’s Global Network. It is centrally managed from F5® Distributed Cloud Console.

Figure: Mesh API Deployment

Mesh API gateway includes the following key features that map to the typical lifecycle of an API.

Figure: Mesh API Gateway Features

The next section describes each of the features in greater detail.

  • Rate Limiting & Security Policy
  • Monitoring, Metering, and Accounting
  • API and Developer Portal

Mesh API Gateway Features

API Routing

Mesh API gateway leverages the robust HTTP load balancer to allow selective routing of API requests by matching the requests based on the following match conditions:

  • HTTP method
  • Headers
  • Path with flexible matching options (prefix, full path, or regular expression)

These capabilities allow granular routing of requests for API endpoints to the appropriate origin pool that services those requests.
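The three match conditions above can be combined into a single route decision. The following Python sketch is an added example, not F5 code or configuration: the `Route` class, `select_pool`, the pool names, first-match ordering, and the segment-boundary prefix rule are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Route:
    origin_pool: str
    methods: frozenset = frozenset()             # empty set = any HTTP method
    headers: dict = field(default_factory=dict)  # header name -> required value
    path_kind: str = "prefix"                    # "prefix", "full" or "regex"
    path: str = "/"

    def matches(self, method, path, headers):
        if self.methods and method.upper() not in self.methods:
            return False
        seen = {k.lower(): v for k, v in headers.items()}
        if any(seen.get(k.lower()) != v for k, v in self.headers.items()):
            return False
        if self.path_kind == "full":
            return path == self.path
        if self.path_kind == "regex":
            # fullmatch, so the pattern must cover the whole path
            return re.fullmatch(self.path, path) is not None
        # prefix: compare on a segment boundary, so /api/v1 does not match /api/v10
        base = self.path.rstrip("/")
        return path == base or path.startswith(base + "/")

def select_pool(routes, method, path, headers):
    """Return the origin pool of the first matching route, or None (reject)."""
    for route in routes:
        if route.matches(method, path, headers):
            return route.origin_pool
    return None

# Constructed route table; pool names and paths are made up for illustration.
ROUTES = [
    Route("orders-write", frozenset({"POST", "PUT"}), {}, "prefix", "/api/v1/orders"),
    Route("orders-read", frozenset({"GET"}), {}, "regex", r"/api/v1/orders/\d+"),
    Route("beta-pool", frozenset(), {"X-Api-Version": "beta"}, "prefix", "/api"),
    Route("health", frozenset({"GET"}), {}, "full", "/healthz"),
]
```

A request that matches no route returns `None`, which the caller should treat as a rejection rather than forwarding it to a default pool.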

API Protection

In addition to granular routing capabilities, the Mesh API gateway also enables the application of service-specific Application Firewall, Rate Limiting, Bot Protection, and DoS Protections to protect each API endpoint or request.

Rate Limiting and Security Policy

Mesh API gateway protects the user’s application against security attacks at the network and application layers and lets users set granular rate limit policies, as described next.

Security Policy

Mesh API gateway enables the following security features:

The following are available at the application layer:

  • Application firewall - Application layer security policy to protect against sophisticated application-layer attacks like SQL injection

  • Captcha/JS challenge - Protect against suspicious users and bots using captcha/JS challenge

  • API Usage Characterization - DevOps teams do not have detailed information about the APIs developed by the developers, yet they need to understand how and when the APIs are used in order to create security policies and optimize performance. DevOps can characterize the APIs advertised on the API gateway at a granular level using the APIs’ Probability Distribution Functions (PDFs).

  • User Anomaly detection - DevOps and developers can detect anomalies per API, per client, where a client is identified by the following:

    • Client IP address
    • Cookie name
    • HTTP header name
    • Query parameter key

The following is available at the network layer:

  • Network firewall - Network security policy to block IP addresses, AS numbers, and network ports.

Rate Limiting Policy

Developers and DevOps teams can protect APIs and ensure SLAs for API consumers by setting a maximum request rate, per second or per minute, for each API path and method. Furthermore, the APIs can be categorized into groups and the rate limit policy applied per API group as well. DevOps can set multiple rate-limiting policies depending upon their needs. Rate limiting can be configured at a per-client granularity, where the client is identified by the following:

  • Client IP address
  • Cookie name
  • HTTP header name
  • Query parameter key
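Which identifier defines "the client" changes who shares a rate-limit budget. The following Python sketch is an added example, not F5's implementation: the fixed-window algorithm, the `client_id` and `RateLimiter` names, the request dictionaries, and the choice to reject requests that lack the identifier are assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

def client_id(req, kind, name=None):
    """Derive the client identifier from one of the four sources the page lists."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if kind == "ip":
        return req["ip"]
    if kind == "header":
        return headers.get(name.lower())
    if kind == "cookie":
        jar = SimpleCookie(headers.get("cookie", ""))
        return jar[name].value if name in jar else None
    if kind == "query":
        return parse_qs(urlsplit(req["url"]).query).get(name, [None])[0]
    raise ValueError(f"unknown identifier kind: {kind}")

class RateLimiter:
    """Fixed-window limiter: at most `limit` requests per `window` seconds
    for each (client, method, path) combination."""

    def __init__(self, limit, window, kind, name=None):
        self.limit, self.window = limit, window
        self.kind, self.name = kind, name
        self.state = {}  # (client, method, path) -> (window number, count)

    def allow(self, req, now):
        cid = client_id(req, self.kind, self.name)
        if cid is None:
            return False  # assumption: no identifier means the request is rejected
        key = (cid, req["method"].upper(), urlsplit(req["url"]).path)
        window_no = int(now // self.window)
        start, count = self.state.get(key, (window_no, 0))
        if start != window_no:  # a new window began: reset the counter
            count = 0
        self.state[key] = (window_no, count + 1)
        return count < self.limit

# Constructed sample requests: two API keys behind one NAT address.
REQ_A = {"ip": "203.0.113.7", "method": "GET",
         "url": "https://api.example.test/v1/items?api_key=k1",
         "headers": {"X-Api-Key": "key-a", "Cookie": "session=abc; theme=dark"}}
REQ_B = dict(REQ_A, headers={"X-Api-Key": "key-b", "Cookie": "session=xyz"})
```

Keyed on client IP, `REQ_A` and `REQ_B` drain the same budget; keyed on the `X-Api-Key` header, each key gets its own.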

The API gateway and the origin services providing the API can reside in different namespaces. This aligns well with the existing operational model of an organization, as the services providing the APIs are managed by a different team from the one managing the API gateway itself.

Monitoring, Metering, and Accounting

One of the most critical functions of an API gateway is to provide API monitoring, metering, and accounting to developers and DevOps teams.

Monitoring

API performance monitoring is required for internal use, while metering and accounting are used by users to meter APIs and bill them to their end users.

Mesh API gateway provides eyes-on-glass monitoring of API performance, latency to origin service, requests/responses per second, request/response size, 4xx/5xx errors per second, and health check failures. Users can get insights into API performance via real-time statistics as well as historical trends. Users can baseline normal usage and identify deviations from normal using time series analysis and anomaly detection.

F5 Distributed Cloud encapsulates all these metrics into an easy-to-consume KPI called Application Health Score, which gives users a quick status on the health of their application.

Mesh API gateway also provides alerts for each metric, categorized into multiple categories such as Critical, Major, and Minor. The gateway also supports granular alert policies to avoid alert fatigue. Alerts are integrated with monitoring tools such as Slack, OpsGenie, PagerDuty, and ServiceNow. The support for integration aligns with existing operational workflows.

Metering and Accounting

All the supported metrics can be used for metering and accounting purposes for the end-users. Mesh API gateway enables operations teams to report on the API consumption metrics and also bill the end-users by API usage.

API and Developer Portal

Mesh API gateway enables users to define multiple API portals. For example, public APIs are published to an external API portal and internal APIs are published to a developer portal. The API portal is decoupled and logically separated from the API Gateway data plane. Each API portal can be deployed in a different environment with unique branding for each. For example, the developer portal can be deployed in a private cloud, while the public API portal can be deployed in the public cloud or F5 Distributed Cloud’s Application Delivery Network.

Developers and DevOps teams can integrate API management into their DevOps workflows and CI/CD pipelines by doing the following:

  • Defining and publishing APIs to development → test → stage → production API portals.
  • Configuring granular access control to each environment’s API portal for specific roles and users.
  • Running multiple versions of APIs simultaneously, allowing users to quickly iterate, test, and release new versions. Users can configure API gateways to route traffic to the appropriate API version programmatically.
  • Configuring security policies for APIs on a per-API basis or API group basis.

Mesh API gateway enables users to easily manage their APIs and improve the efficiency of onboarding API consumers. Users can define their APIs using the OpenAPI specification (Swagger) to easily create the following:

  • Catalog of all published APIs
  • Documentation
  • Sample code

Furthermore, users can configure the base API URL path and prefix rewrite to easily create multiple API portals. This is useful when users follow a CI/CD development process for their APIs and want, for example, a separate API portal for each of the dev, stage, and production stages. The API portal can have a different domain name in each stage of the development process. The system can automatically create API groups and base URL path mappings based on tags assigned by users to their API definition files.