---
title: "Why a Hosted API Gateway Is Better Than Building Your Own"
description: "Learn why using an open source or in-house API gateway may not be the right decision for your company when accounting for cost, security, customization, and maintenance."
canonicalUrl: "https://zuplo.com/learning-center/hosted-api-gateway-advantages"
pageType: "learning-center"
authors: "josh"
tags: "API Gateway, API Best Practices"
image: "https://zuplo.com/og?text=Why%20a%20Hosted%20API%20Gateway%20is%20Always%20Better%20Than%20Building%20Your%20Own"
---
When you’re getting your API up and running, rolling your own API gateway might
seem like a good idea at first — more control, more customization, and maybe
even more cost savings. What’s not to love?

**Lots of things**. Once you dive into the abyss of
[in-house API management](https://zuplo.com/build-vs-buy-api-management-tools),
you’ll find a whole buffet of things not to love.

Building is fun, but maintenance sucks. And the more you build your API, the
more that maintenance will suck in your team and stop the building from
happening. The more you have to think about rate limiting, authorization,
testing, and infrastructure, the more your team is pulled away from building
what your users want.

A hosted API gateway takes away all these burdens and will be better along all
axes for your API, your team, and your users.

## What is a Hosted API Gateway?

A [hosted API gateway](/learning-center/api-gateway-hosting-options) is
essentially an API gateway-as-a-product that a vendor provides to you either as
a fully managed service (i.e., a SaaS API gateway), where they host the gateway
and you proxy traffic through it, or as a self-hosted service, where the API
gateway software is provided for you to deploy to your own infrastructure
(e.g., via a Kubernetes Helm chart). There are several benefits to choosing a
hosted API gateway, like the following.

## Better for Costs

Costs are one of the first reasons API teams don’t want to turn to a
cloud-hosted solution. They’ll see a clear price, know it's going on their
credit card, and think, _“We can save X bucks here by doing it ourselves. How
hard can it be?”_

Famous last words. This is a clear case of a false economy, where the apparent
savings mask the hidden costs:

1. **Developers are expensive**. Engineering is a valuable skill, especially at
   the level required to develop, maintain, and manage an API gateway. You’ll
   need individual contributors or teams dedicated to this task. You’ll also
   need to consider the costs of hiring, onboarding, and retaining this talent
   over time. These costs can quickly add up and eclipse any perceived savings
   from building in-house.
2. **You’ll pay for infrastructure either way**. API management tools provide
   some of the infrastructure for managing your API. If you don’t use a platform
   for doing this, you need to build that platform. What is this going to
   entail? Maybe some nice serverless instances. A little bit of an edge
   network. A load balancer here and there. Some reverse proxies, some
   monitoring, some caching. All of it has its own costs (unless you are heading
   around the world setting up your own edge network? I guess then you have to
   factor in flight costs), and all also need managing.
3. **You’re not doing other things**. In proper terminology, there is an
   _opportunity cost_ any time you choose to go it alone instead of seeking
   help. If you have developers maintaining your API, they aren’t building your
   API. If you want them building your API, then you have to hire someone
   dedicated to managing your API, which (back to point one) is going to cost
   you more than paying for a gateway.

A
[hosted API gateway saves money](https://zuplo.com/build-vs-buy-api-management-tools#cost),
meaning your developers can continue to develop, and your infrastructure can
continue to be a simple backend, so you don’t need a whole new ops team.

## Better for Security

APIs get attacked. A lot. The world is littered with stories of
[APIs](https://www.itsecurityguru.org/2024/03/11/what-we-learned-from-these-3-api-security-breaches/)
[that](https://thehackernews.com/2022/11/dropbox-breach-hackers-unauthorizedly.html)
[disclosed](https://www.cnn.com/2019/06/03/business/quest-diagnostics-breach/index.html)
[data](https://www.darkreading.com/cyberattacks-data-breaches/fbi-helping-australian-authorities-investigate-massive-optus-data-breach-reports).
APIs are a significant attack surface for bad actors.
[Salt Security’s State of API Security Report](https://content.salt.security/state-api-report.html)
found that **94%** of respondents had experienced a security issue in their
_production_ APIs.

You're kidding yourself if you think you can ward off these attacks in-house.
You are also kidding your customers into thinking your API is safe. Like
payments, compliance, or preparing Fugu,
[API security](/learning-center/api-security-best-practices) should be
outsourced to professionals. When we say security, we mean:

- **Authentication**. _Who you are_. Verifying your users is the minimum
  requirement for API security. But, it requires significant integration with
  identity providers, understanding standards such as OAuth 2.0 and JWT, and
  managing users and their data throughout their API usage. An API gateway will
  provide out-of-the-box integration with authentication mechanisms like OAuth
  2.0 and JWT, ensuring your API is secure.
- **Authorization**. _What you can do_. This is the next step as users use your
  API more. What exactly are they allowed to do? What can they GET? What can
  they POST? What can they DELETE? You need to control all of this through
  access control mechanisms, such as
  [role-based access control](/learning-center/how-rbac-improves-api-permission-management)
  (RBAC), attribute-based access control (ABAC), or resource-based access
  control (ReBAC). Think you can do this yourself? Here’s
  [Google’s fourteen-page research paper](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/)
  on their system for you to implement. API gateways should offer comprehensive
  authorization features such as
  [RBAC](/learning-center/how-rbac-improves-api-permission-management), making
  defining and enforcing access policies across your API ecosystem easy.
- **API Key management**. API keys are how you are going to manage access to
  your API most of the time. This means implementing key generation,
  distribution, storage, rotation, and revocation. Each component here then
  becomes its own vector for attack. API gateways provide built-in API key
  management functionality, handling the secure creation, storage, and lifecycle
  management of API keys, alleviating the burden on your development team and
  reducing the risk of key compromise.
- **Rate limiting**. Rate limiting might seem like it is only about stopping
  your backend from becoming overloaded, but its core function is as a crucial
  security measure that prevents abuse and protects your API from being overwhelmed by
  excessive, malicious traffic. By setting limits on the number of requests a
  user or system can make within a given time frame, you can mitigate the risk
  of DDoS attacks and ensure the stability and performance of your API. API
  gateways offer configurable rate-limiting options, allowing you to define and
  enforce usage limits based on various criteria, such as API key, IP address,
  or user account, without implementing and maintaining this functionality
  yourself.
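
The key lifecycle listed above (generation, distribution, storage, rotation, revocation), sketched as an added example that is not from the original article or any vendor's code. `ApiKeyStore`, the `demo_` prefix and the in-memory dict are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class ApiKeyStore:
    """In-memory stand-in for a gateway key store (hypothetical, for illustration)."""

    def __init__(self):
        self._keys = {}  # sha256(key) -> {"consumer": str, "expires": float or None}

    @staticmethod
    def _digest(key):
        # Keys are long random values, so a plain SHA-256 is enough to make the
        # stored form useless to someone who reads the store.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, consumer):
        """Generation: 256 bits from the OS CSPRNG. Storage: digest only."""
        key = "demo_" + secrets.token_urlsafe(32)  # "demo_" prefix is made up
        self._keys[self._digest(key)] = {"consumer": consumer, "expires": None}
        return key  # distribution: the plaintext is returned once and never stored

    def verify(self, presented, now=None):
        """Return the consumer for a live key, or None if unknown, expired or revoked."""
        now = time.time() if now is None else now
        meta = self._keys.get(self._digest(presented))
        if meta is None or (meta["expires"] is not None and now >= meta["expires"]):
            return None
        return meta["consumer"]

    def rotate(self, old_key, grace_seconds, now=None):
        """Rotation: issue a replacement and let the old key live for a grace period."""
        now = time.time() if now is None else now
        consumer = self.verify(old_key, now)
        if consumer is None:
            raise KeyError("cannot rotate an unknown or expired key")
        self._keys[self._digest(old_key)]["expires"] = now + grace_seconds
        return self.issue(consumer)

    def revoke(self, key):
        """Revocation: immediate, no grace period. Returns False if the key was unknown."""
        return self._keys.pop(self._digest(key), None) is not None
```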

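As an added illustration (not part of the original article or a real gateway's implementation), here is a token-bucket limiter that enforces separate limits per API key and per IP address, two of the criteria named in the rate-limiting item above. `RateLimiter`, its limits and the sample identities are constructed for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    updated: float


class RateLimiter:
    def __init__(self, limits):
        # limits: criterion name -> (burst capacity, tokens refilled per second)
        self.limits = limits
        self.buckets = {}

    def _refill(self, criterion, value, now):
        capacity, rate = self.limits[criterion]
        bucket = self.buckets.setdefault((criterion, value), Bucket(capacity, now))
        bucket.tokens = min(capacity, bucket.tokens + (now - bucket.updated) * rate)
        bucket.updated = now
        return bucket

    def check(self, identity, now=None):
        """identity: e.g. {"api_key": ..., "ip": ...}. Returns (allowed, retry_after_s)."""
        now = time.monotonic() if now is None else now
        touched = [(c, self._refill(c, v, now))
                   for c, v in identity.items() if c in self.limits]
        # Seconds until each exhausted bucket holds one token again.
        waits = [(1 - b.tokens) / self.limits[c][1] for c, b in touched if b.tokens < 1]
        if waits:
            return False, max(waits)  # a rejected request consumes nothing
        for _, bucket in touched:
            bucket.tokens -= 1  # every applicable limit is charged
        return True, 0.0
```

Because every applicable bucket is charged, a single address that cycles through several keys still runs into the per-IP limit even when each key is under its own.
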
## Better for Customization

This one seems counterintuitive. Surely, building in-house gives you infinite
customization–after all, in-house is the epitome of custom!

To a point. Building in-house will give you an entirely custom solution but
along the wrong axis. You’ll end up with custom solutions to, e.g., OAuth 2.0
integration (just for clarity: _this is bad_), but without access to
customizations that might be helpful for your APIs.

An example: **Brownouts**. Brownouts are a technique used to gracefully degrade
API performance before you fully deprecate a functionality. Instead of letting
the API crash or become unresponsive, specific functionality is temporarily
disabled to prepare users for its imminent decline. Implementing brownouts
requires careful planning, monitoring, and dynamically adjusting API behavior
based on real-time conditions.
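
One way to plan a brownout, shown as an added example that is not from the original article: short, escalating outage windows ahead of the removal date, with `Sunset` and `Retry-After` headers telling clients what is happening. The function names, the schedule format and the dates are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime


def brownout_windows(sunset, plan):
    """plan: [(days_before_sunset, duration_minutes)] -> sorted [(start, end)]."""
    windows = []
    for days_before, minutes in plan:
        start = sunset - timedelta(days=days_before)
        windows.append((start, start + timedelta(minutes=minutes)))
    return sorted(windows)


def handle_deprecated(now, sunset, windows):
    """Decide what a deprecated route returns at `now`.

    Returns (status, headers); status None means "forward to the backend".
    """
    # Sunset (RFC 8594) announces the removal date on every response.
    headers = {"Sunset": format_datetime(sunset, usegmt=True)}
    if now >= sunset:
        return 410, headers  # removed for good
    for start, end in windows:
        if start <= now < end:
            # Inside a brownout: fail on purpose and say when it ends.
            headers["Retry-After"] = str(int((end - now).total_seconds()))
            return 503, headers
    return None, headers  # outside a brownout: serve normally


# Constructed schedule: 15 minutes two weeks out, 1 hour one week out,
# 6 hours on the final day before removal.
SUNSET = datetime(2025, 10, 1, tzinfo=timezone.utc)
WINDOWS = brownout_windows(SUNSET, [(14, 15), (7, 60), (1, 360)])
```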

Another example: **A/B testing**. You might want to test different versions of
your API's functionality or performance to determine which one provides the best
user experience or achieves specific business goals. A/B testing involves
routing a portion of your API traffic to a variant version of your API while the
remaining traffic is sent to the original version.

These are just two examples of the customization options available with API
gateways. The key advantage is that these customizations are built on top of the
platform's robust, secure, and scalable foundation. This means you can focus on
tailoring your API to your specific needs and user requirements rather than
reinventing the wheel for basic functionality.

API gateways often offer a wide range of pre-built policies, templates, and
integrations that can be easily customized and extended to fit your unique use
case (here's a list of the
[most important API gateway features](/learning-center/top-api-gateway-features)
to get you familiar). This allows you to leverage best practices while still
having the flexibility to adapt your API to your business goals.

## Focus on Innovation, Not on Maintenance

A [cloud-hosted API gateway](https://zuplo.com/?utm_source=blog) is the way to
go when managing your APIs. By outsourcing the heavy lifting of infrastructure,
security, and customization to the experts, you can free up your team to focus
on what matters: building and innovating on your APIs.

When you add it all up, the benefits of
[cloud-hosted API management solutions](https://zuplo.com/features/multi-cloud)
are clear:

- **Peace of mind:** With a team of experts handling the nitty-gritty details of
  reliability, scalability, and security, you know your API is in good hands.
- **Efficiency:** Outsourcing infrastructure management allows your developers
  to focus on what they do best: building great software.
- **Strategic advantages:** With the flexibility to scale on-demand and access
  to customizations and features, you can stay ahead of the curve and adapt
  quickly as your API grows.

So, don't let your developers waste their time playing catch-up with
infrastructure and security. Let them do what they do best: build amazing APIs
that will delight your users and drive your business forward.