API Gateway in Oracle Cloud Infrastructure

What is API Gateway in OCI?

  • A service to publish APIs.
  • APIs can have private or public endpoints.
  • Endpoints support:
    • API validation.
    • Request & response transformation.
    • CORS
    • AuthN & AuthZ
    • Request limiting.

API Gateway Concepts

  • API Gateways:
    • A virtual network appliance in a regional subnet.
    • Private API gateways can only be accessed by resources in the same subnet.
    • Public API gateways are publicly accessible, including from the internet.
    • An API gateway routes inbound traffic to back-end services.
    • Each API gateway is a private endpoint that you can optionally expose over a public IP.
    • To ensure high availability, you can only create API gateways in regional subnets (not AD-specific subnets).
    • You can create private API gateways in private or public subnets, but you can only create public API gateways in public subnets.
    • An API gateway is bound to a specific VNIC.
    • Each API gateway has:
      • A single frontend.
      • 0 or more backends.
      • 0 or more APIs deployed on it as API deployments.
  • APIs:
    • An API is a set of resources, and the methods (GET, POST, etc) that can be performed on each resource.
    • API is deployed to API gateway by creating an API deployment.
  • API Deployments:
    • An API deployment is the means by which you deploy an API on an API gateway.
    • Before the API gateway can handle requests to the API, you must create an API deployment.
    • When you create an API deployment, you define properties for the API deployment, including an API deployment specification.
    • You can deploy multiple APIs on the same API gateway, so a single API gateway can host multiple API deployments.
  • API Deployment Specifications:
    • An API deployment specification describes some aspects of an API deployment.
    • Each API deployment specification defines:
      • 1 or more backend resources.
      • The route to each backend resource.
      • The methods (GET, POST, etc) that can be performed on each resource.
    • The API deployment specification describes how the API gateway integrates with the back end to execute those methods.
    • The API deployment specification can also include request & response policies.
  • Frontends:
    • A frontend is the means by which requests flow into an API gateway.
    • Frontends can be public or private:
      • A public frontend exposes the APIs deployed on an API gateway via a public IP address.
      • A private frontend exposes the APIs deployed on an API gateway to a VCN via a private endpoint.
  • Backends:
    • A backend is the means by which a gateway routes requests to the backend services that implement APIs.
    • If you add a private endpoint backend to an API gateway, you give the API gateway access to the VCN associated with that private endpoint.
  • API Caller:
    • A person or system that calls an API by sending requests to the API gateway on which the API is deployed.
  • API Gateway Developer:
    • A user responsible for creating API deployment specifications & deploying them to API gateways.
    • Might also create API gateways.
  • API Gateway Administrator:
    • A person responsible for setting up the API Gateway service, eg, IAM policies.
    • Might also create API gateways.
  • Routes:
    • A route is the mapping between a path, one or more methods, & a backend service.
    • Routes are defined in API deployment specifications.
  • Policies:
    • A policy describes actions to be performed on a request/response:
      • A request policy describes actions to be performed on an incoming request, before it’s sent to a backend.
      • A response policy describes actions to be performed on a response returned from a backend, before it’s sent to a caller.
    • Use request policies to:
      • Limit the number of requests sent to backend services.
      • Enable CORS
      • Provide AuthN & AuthZ
    • Request policies can apply:
      • Either to all routes.
      • Or to particular routes.

API Deployment Specification

  "requestPolicies": {},
  "routes": [
      "path": "<api-route-path>",
      "methods": ["<method-list>"],
      "backend": {
        "type": "<backend-type>",
        "<backend-target>": "<identifier>"
      "requestPolicies": {}
  • requestPolicies:
    • Optional policies to control the behavior of an API deployment.
    • Place the policies:
      • Outside the routes section to apply them to all routes.
      • Inside the routes section to apply them to a particular route.
  • <api-route-path>: Specifies a path for API calls using the listed methods to the backend service. The route path:
    • is relative to the deployment path prefix.
    • must be preceded by a slash.
    • can be just a slash.
    • can contain multiple non-adjacent slashes.
    • can end with a slash.
    • can include alphanumeric upper & lowercase chars.
    • can include some special chars.
    • can include params & wildcards.
  • <method-list>:
    • 1 or more comma-separated methods accepted by the backend.
  • <backend-type>:
  • <backend-target> & <identifier>:
    • Specifies the backend.


  "routes": [
      "path": "/hello",
      "methods": ["GET"],
      "backend": {
        "functionId": "ocid1.fnfunc.oc1.phx.aaaaaaaaab______xmq"