DX Gateway deep dive
Streamlining API Access and Security within DigitalRealty
As DigitalRealty continues to expand its digital footprint, our reliance on various APIs to drive operations and serve our customers grows. Managing the diverse authorization requirements and ensuring consistent security across this expanding API landscape can become a significant challenge.
To address this, we're excited to introduce the DX Gateway – an internal DigitalRealty project designed to simplify API access, enhance security, and standardize our approach to API management. It serves as a critical component for both our internal development teams and our external API consumers.
Navigating API Complexity
Historically, each new API or service we deployed often came with its own distinct authorization mechanism. This decentralization presents challenges:
- Operational Burden: Development teams spend time configuring and managing multiple sets of credentials and integration patterns.
- Security Gaps: Inconsistent security postures across different APIs can introduce vulnerabilities and complicate compliance.
- Integration Friction: Acquiring the correct access for new integrations can be a manual and time-consuming process.
The DX Gateway: Your Unified Point of Control for APIs
The DX Gateway is engineered to be the central intelligent entry point for all our APIs. It consolidates access management and security enforcement, providing a consistent experience for all users.
API Gateway: An API Gateway acts as a single point where all API calls first arrive. It then intelligently routes these requests to the correct backend services, while also handling crucial tasks like security checks, rate limiting, and other policy enforcements, before the request ever reaches the target API.
1. Easy Access: One Credential, Many APIs
The DX Gateway streamlines how applications connect to our services. Instead of managing distinct credentials for every individual API, users (both internal and external) interact with the Gateway using a single, unified set.
Client ID and Client Secret: These are a standard pair of credentials that an application uses to identify itself to an API gateway. With the DX Gateway, our internal and external applications can use a single client_id and client_secret to authenticate, and the Gateway handles the API-specific authorization dynamically.
This approach, supported by our DX TrustHub, transparently handles the underlying authorization requirements for each API. Your applications simply present their DX Gateway credentials, and the Gateway ensures they are authorized for the specific API request. This reduces integration effort and minimizes credential management overhead.
2. Robust and Adaptable Security
The DX Gateway significantly strengthens our API security posture by centralizing policy enforcement. It offers an additional layer of security, particularly valuable for APIs that may not natively support complex authorization requirements.
Policy Engine: This is a system that evaluates incoming requests against predefined rules (policies) to determine if access should be granted or denied, and under what specific conditions. Our DX Policy Engine uses a logical language called Rego, allowing for highly flexible and attribute-based security rules.
With the DX Policy Engine, we can:
• Enforce uniform security standards across all integrated APIs, ensuring a consistent level of protection.
• Dynamically implement access rules for specific subsets or functionalities of APIs without needing changes to the backend API code. For instance, if a customer is permitted to access only a specific data subset, this can be enforced at the Gateway level.
• Introduce flexible controls such as rate limiting based on customer tiers, which aids in managing API consumption and ensures equitable usage for both internal teams and external partners.
• Centralize security audits and policy management via the DX Portal, enhancing our capability to demonstrate compliance.
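As an added illustration (not DigitalRealty's actual policy), the Rego sketch below shows how a gateway-level rule can restrict a client to a data subset and select a rate limit by customer tier. The package name, the input fields, the /v1/sites/... path layout and the tier budgets are all assumptions made for this example.

```rego
package dxgateway.authz

import rego.v1

# Hypothetical input document (assumed shape, not the DX Gateway's real schema):
# {
#   "client":  {"id": "app-123", "tier": "standard", "allowed_sites": ["fra1", "ams2"]},
#   "request": {"method": "GET", "path": ["v1", "sites", "fra1", "power"]}
# }

# Deny unless a rule below explicitly allows the request.
default allow := false

# Constructed per-tier budgets, in requests per minute.
tier_limits := {"standard": 60, "premium": 600}

# Read-only access, and only to sites in the client's permitted subset.
allow if {
	input.request.method == "GET"
	input.request.path = ["v1", "sites", site, _]
	site in input.client.allowed_sites
}

# Unknown or missing tiers fall back to the most restrictive budget.
default rate_limit_per_minute := 10

rate_limit_per_minute := limit if {
	limit := tier_limits[input.client.tier]
}

# Reasons recorded with a denial so audits can see why access was refused.
deny_reasons contains "method not permitted" if {
	input.request.method != "GET"
}

deny_reasons contains "site outside the client's permitted subset" if {
	input.request.path = ["v1", "sites", site, _]
	not site in input.client.allowed_sites
}
```

Because the decision defaults to deny and the rate limit defaults to the lowest budget, a request with missing or malformed attributes is rejected or throttled rather than passed through to the backend.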
3. Proactive Monitoring and Incident Response
The DX Gateway provides comprehensive monitoring to ensure the reliability and performance of all APIs. This proactive approach means we can quickly identify, diagnose, and address issues, maintaining service continuity and transparency.
Unified Observability Stack: This refers to a comprehensive set of tools and processes for collecting, correlating, and analyzing data (like logs, metrics, and traces) from all parts of our API ecosystem. This allows us to gain deep insights into API health, performance, and security events, often visualized through tools like Grafana.
Our monitoring framework uses both passive and active methods:
- Passive Observability: As API requests flow through the Gateway, it automatically collects detailed operational data.
  - Automatic Distributed Tracing: The DX Gateway automatically assigns a unique trace_id to every request. If a trace_id is not already present, the Gateway adds it. This identifier links all subsequent actions and services involved in fulfilling that request, giving us a complete, end-to-end view of every transaction.
  - Comprehensive Logging & Metrics: The Gateway captures detailed logs and performance metrics for every API call, without needing any changes to your APIs. This gives us crucial data about request volume, error rates, and latency.
- Active Observability: We do not just wait for issues; we actively look for them.
  - Synthetic Monitoring: The Gateway can perform automated, simulated API requests around the clock. These "synthetic transactions" mimic how real users interact with our APIs, helping us detect potential problems before they impact you.
  - Health Checks: Regular checks verify that all integrated APIs are responsive and functioning correctly.
Trace ID: A trace_id is a unique identifier assigned to an incoming request. As that request moves through various services, microservices, and databases, the trace_id follows it, linking all the pieces together. This allows us to track the exact path and timing of a request, making it much easier to pinpoint where delays or errors occur in complex systems.
This combined approach means:
- Rapid Incident Detection: We proactively detect anomalies or failures across all APIs managed by the Gateway. When an issue arises, we know what happened quickly.
- Automated Notifications for API Owners: API owners are automatically alerted to issues affecting their services, providing them with critical information for rapid resolution.
- Transparent Customer Communication: In the event of a service disruption, we can efficiently notify affected internal and external customers, keeping them informed and managing expectations.
This capability is essential for upholding our service level agreements and maintaining trust with both our internal stakeholders and our valued customers.
4. Tailored for DigitalRealty's Diverse User Base
The DX Gateway is designed with the distinct needs of DigitalRealty's internal and external API users in mind:
- For Internal API Users (DLR Developers & Projects):
  - Reduced Friction for Inter-API Calls: Internal teams can integrate with other DLR APIs more rapidly, eliminating the need to obtain separate credentials or understand unique authentication flows for each service.
  - Consistent Development Experience: Developers benefit from a standardized approach to consuming APIs, fostering faster development cycles and easier knowledge sharing.
  - Clearer API Discovery: The DX Portal will offer a centralized repository for supported APIs, including standardized documentation (e.g., Swagger interfaces), making internal API discovery more efficient.
  - Faster Issue Resolution: Proactive monitoring and automated alerts mean internal API owners are quickly aware of and can respond to problems.
- For External API Users (Customers & Partners):
  - Simplified Integration: External users experience a consistent, straightforward authentication process for DigitalRealty APIs, improving their onboarding and integration experience.
  - Enhanced Security Assurance: Customers can trust that their interactions with DLR APIs are protected by a unified, robust security framework, enforced at a central point.
  - Tiered Service Management: Rate limiting and other policies can be tailored to external customer tiers, ensuring service quality and aligning with contractual agreements.
  - Improved Reliability and Transparency: Proactive monitoring helps minimize service disruptions, and when issues do occur, transparent communication ensures customers are kept in the loop.
5. Additional features
- Advanced Authentication Options (via DXM SSO): Beyond standard methods, the Gateway benefits from advanced authentication capabilities provided by DXM SSO. This includes support for 2FA Apps (Two-Factor Authentication), White Labeling for custom branding of login experiences, Social Login options, WebAuthn (Passkey) for modern, secure authentication, and flexible Custom SSO Integration to connect with diverse identity providers. This integration also helps Streamline User Onboarding processes.
- Comprehensive Management (via Administrative UI / DX Portal): The capabilities for managing user and developer experiences are central. This includes dedicated features for Role/Permissions Management, Login Experience Tuning for Each Customer, Customer Onboarding, and specialized Customer's Developer Onboarding. These tools allow for precise control and customization of the access journey.
DX Gateway: Building a More Secure and Efficient DigitalRealty
The DX Gateway is a foundational piece of our internal strategy to improve API governance and security. By standardizing authorization, centralizing policy enforcement, and simplifying access for all users, it allows our teams to focus more on core development and less on complex security configurations. This strategic investment underpins a more secure, efficient, and cohesive digital ecosystem for DigitalRealty.