Oracle API Gateway Architecture


This topic provides a high-level overview of the basic Oracle API Gateway product architecture, and describes its main components and user roles. It also describes the highly scalable and reliable group-based architecture, which enables you to manage API Gateways across your organization. For an introduction to product features and benefits, see the Oracle API Gateway Overview topic.

[Note] Note

Oracle API Gateway is available on Windows, Linux, and Solaris (for more details, see the Oracle API Gateway Installation and Configuration Guide).

Basic Architecture

This section provides a simple high-level overview of the Oracle API Gateway architecture. The following diagram shows the main components:

Simple API Gateway Architecture

This diagram is a simplified view that includes clients, a single API Gateway, and enterprise services. However, you can deploy multiple API Gateways to suit the needs of your distributed environment.

API Gateway

The API Gateway integrates, accelerates, governs, and secures Web API and SOA-based systems. For example, it can perform application networking by routing traffic based on content and sender, and by performing message content screening. The API Gateway applies policies to incoming messages by running message filters on requests. The API Gateway supports a wide range of message transports, protocols, and formats (for example, XML, JSON, SOAP, REST, HTTP, JMS, TIBCO, FTP, SMTP, POP, and so on). For more details on API Gateway features, see Oracle API Gateway Overview.

In a typical deployment scenario, Oracle API Gateway components are deployed in the demilitarized zone (DMZ). The connection between the client and the API Gateway is protected by a perimeter firewall, and the connection between the API Gateway and the back-end service by a Network Address Translation (NAT) firewall.

Configuration and Management Tools

The following diagram shows a simplified view of the tools used to configure and manage the API Gateway:

Simple Design Time Architecture

These tools are described in the context of the main API Gateway user roles in the sections that follow.

Policy Development

A Oracle API Gateway policy developer typically performs the following tasks:

  • Develops API Gateway policies and solution packs.

  • Customizes and extends the API Gateway using scripting.

  • Creates Java classes and/or custom filters using the API Gateway filter SDK.

  • Uses the Policy Studio, API Gateway Explorer, and API Gateway Manager tools.

Policy Studio

Policy Studio is a policy development and configuration tool that enables policy developers to easily configure API Gateway policies and settings to control and protect deployed API services and Web services. For example, Policy Studio enables you to create and assign policies, configure the full range of API Gateway configuration settings, and manage API Gateway deployments. Policy Studio is typically installed on a separate machine from the API Gateway to enable remote administration.

API Gateway Explorer

API Gateway Explorer is an API service and Web service test client used by policy developers to generate test messages, which are sent to the API Gateway and back to API Gateway Explorer. API Gateway Explorer supports both REST-based and SOAP-based invocations, and is available as a separately installed tool.

API Gateway Administration

The API Gateway administrator typically performs the following tasks:

  • Manages, monitors, and troubleshoots the API Gateway.

  • Configures and manages the domain, group, and API Gateway hierarchy.

  • Uses the API Gateway Manager tool.

For example, if a client presents an invalid SSL certificate, the API Gateway administrator needs to be alerted and works with the client to address the issue. The API Gateway administrator also debugs transactions on a day-to-day basis. For example, if a partner reports that his file is blocked, the API Gateway administrator uses traffic monitoring to find the transaction and figure out what went wrong.

API Gateway Manager

API Gateway Manager is a centralized web-based dashboad that enables administrators to control and manage API Gateways and groups in a domain. API Gateway Manager connects to the Node Manager on each host, and displays aggregated monitoring data from multiple API Gateway instances. For example, this includes real-time statistics, traffic log, log files, and alerts. You can view all monitoring data at the level of a domain, group, and API Gateway, depending on which of these components are selected. For more details, see Starting the API Gateway Tools.

API Service Administration

The API service administrator typically performs the following tasks:

  • Manages, monitors, and troubleshoots the API Services that are virtualized on the API Gateway.

  • Has expertise of the services and APIs (what they do, and why they are used).

  • Does not manage and troubleshoot the API Gateway, and does not have expertise of API Gateway operation.

  • Uses the API Service Manager, traffic monitoring, and real-time monitoring components in API Gateway Manager tool, and the Oracle API Gateway Analytics tool.

For example, the API service administrator is interested in who is using an API, its usage by time of day, how its usage compares to other APIs (is it going up or down over time, are clients reaching their quotas, is it meeting its Service Level Agreement (SLA), and so on).

Oracle API Gateway Analytics

Oracle API Gateway Analytics is a separately installed tool used by administrators to generate reports and charts based on usage metrics for all services and API Gateways in a domain. API Gateway Analytics provides integration with databases such as MySQL Server, MS SQL Server, and Oracle. API Gateway Analytics includes both real-time and historical metrics. For example, the API service administrator can generate and store reports that monitor which authenticated clients are calling which API services over time.

System Administration

The system administrator typically performs the following tasks:

  • Installs and monitors the API Gateway in a system and/or Virtual Machine (VM) production environment.

  • Has expertise in the system/VM environment and the tools that the API Gateway runs in.

  • Does not use API Gateway management tools.

Managed Domain Architecture

This section drills down to describe the API Gateway product architecture in more detail. It describes the API Gateway's group-based domain architecture, which enables you to break down your projects into logical groups and manage configuration across your organization. This provides manageability and scalability, and enables you to perform load balancing and failover across distributed deployments. This group-based architecture includes the following main components:


A domain is the set of all hosts running API Gateway instances, which are managed centrally by the API Gateway Manager tool. A host is defined as a physical machine. A domain administration password is used to secure the domain’s Certificate Authority private key.


A group is a number of API Gateway instances (one or many) that all run the same configuration. API Gateways always run in a group, and each API Gateway can only be a member of one group. You can deploy, manage, and monitor a group of API Gateways using the Policy Studio and the browser-based API Gateway Manager.

A group normally runs across more than one physical host machine (see the following diagram). However, a group can also include more than one API Gateway instance on the same host. Each API Gateway in the group runs the same configuration. Each API Gateway has its own deployment descriptor file ( This enables the API Gateways in the group to use different host-specific settings as required (port bindings, certificates, and so on). A group also has a deployment descriptor, which specifies settings values that are the same across the group but may differ in different environments. A standalone API Gateway runs in a group of one member (TEST GROUP in the diagram).

API Gateway Groups

For example, you can use dedicated groups and API Gateway instances for high value services and to avoid potential down time due to lower value services. This makes API Gateway upgrades and maintenance much easier. You can also create dedicated API Gateway instances for specific API Gateway users or groups. When you create an API Gateway instance, the newly created configuration files are stored separately from the API Gateway executables, which makes them easier to maintain.

[Note] Note

You cannot deploy configuration to a single API Gateway instance, the deployment must occur at group level to ensure that all API Gateways in the group are running the same configuration. API Gateway names are unique in a group, and group names are unique in the domain.

Node Manager

The Node Manager is a server-side process that runs on each host in the domain, which manages and monitors the API Gateway instances on that host. Only one Node Manager runs per host. Communication between the Node Manager and the API Gateway is secured using SSL by default. The Policy Studio and the browser-based API Gateway Manager are clients of the Node Manager.

The first Node Manager added in a domain is known as the Admin Node Manager. This is the Node Manager that the user connects to using the API Gateway Manager, Policy Studio, or API Gateway Explorer clients. The Admin Node Manager acts as the master Node Manager. It performs Role-Based Access Control (RBAC), and forwards requests to other Node Managers when required. The Admin Node Manager also manages and deploys configuration to the API Gateway instance(s) in a domain.

Node Manager

In addition, the Node Manager also supports process management (for example, starting and stopping API Gateway instances) using system tools such as initd on UNIX and Service Control Manager on Windows.

[Note] Note

The Node Manager is not critical to the running of API Gateway instances, or to the business services protected by the API Gateway. If the Node Manager is not running, the API Gateway instances can still process requests for business services. However, the Node Manager must be running to manage and monitor the API Gateway, or to make updates to the API Gateway configuration. In addition, the Node Manager is required to create API Gateway instances.


API Gateway instances can have associated tags. A tag is a form of metadata consisting of a case-sensitive key-value pair. This enables you to create user-friendly names that help to organize, search, and browse API Gateway instances using API Gateway Manager and Policy Studio. You can add tags when the API Gateway is created or updated. For example, you could define a tag with key="QAStatus" and value=“Passed iteration one of performance testing”.

Groups do not have tags. However, you can apply a tag at the group level, which simply creates the same tag for each API Gateway in the Group. You cannot aggregate data based on tags. Tags are purely an internal client-side (API Gateway Manager and Policy Studio) tool, which can be used to search for API Gateways that match a specific tag value. In the API Gateway Manager, you can use tags to search for API Gateways in a table view of the entire domain. Tags are stored on disk in a configuration file specific to each API Gateway.

Further Information

For more details on API Gateway architecture and concepts, see Oracle API Gateway Concepts.