API gateway management: options and possibilities for 2019’s enterprise
Across modern enterprises, there may be several thousand APIs between the organisation, its customers, partners and suppliers, and acting as conduits between internal code instances that need to connect. APIs can be part of monolithic apps or microservices and can be located just about anywhere, from on-premise to distant clouds, in data centres, or complex hybrids of all the above.
Providing the interoperability APIs offer is essential for the continuation of an enterprise’s business at a data level, but often too, companies charge for API access, so ensuring safe and efficient API traffic is also a monetary matter, as well as an operational issue for SecOps, NetOps and, at the end of the day, the CIO and CFO alike.
Managing APIs is increasingly being done by a single API domain in order to bring some oversight to the complexities involved — a single point of entry for multiple APIs. Depending on the technology deployed, the gateway may be supplemented by a gateway management service which adds extra value to the enterprise’s APIs, wherever they might be located. Functionality considered attractive for IT teams and C-suite level management alike might include:
– Rate limiting. Data prioritization allows key service interactions to continue at maximum bandwidth and availability, while less important services can be throttled to prioritize production services.
– Enforcement of specified request methods means there’s a more standardized approach that can be used to normalize API requests and help adhere to security policies that are set centrally for all exposed services.
– Managing API keys means there’s a single point of identifying API uses and applying access controls to the entire enterprise surface.
– Dropping or responding appropriately to deprecated API services also helps overall service access homogeneity, and can be used in combination with…
– …rewriting API requests where necessary to promote broader use by partners and suppliers, for example.
– Providing fine-grained access control to discrete APIs based on rules, privileges, available resources, and so on.
– Providing easy self-service for development teams involved in testing, QA, and general bug fixes and support.
– API lifecycle management for designing, developing, and deploying APIs, and versioning these as work progresses, for open and auditable documentation.
– Developer payment portal, so partners and suppliers can, for instance, purchase and manage API access to specific single, or groups of, services.
Clearly, ensuring that API management services are as safe, efficient, and as quick as possible is crucial. API gateways represent one of the several steps that exist between a developer’s code and the end-user, joining ingress controllers, firewalls, DNS, proxies, CDNs and so forth.
In order to manage the API system and those other hoops through which data must jump, many enterprise IT functions are looking to fewer providers or vendors across the entire stack. That means less re-skilling of staff is needed to cover off the potentially dozens of technologies deployed but also makes overall management easier and any issues easier to trace and ameliorate.
Here at Tech Wire Asia, we’re looking at two such providers, capable of API management in complex, hybrid and multi-cloud topologies. But also, two vendors that are providing a more unified approach to network management, thus clearing away a good deal of the proprietary technology “clutter” that is dampening the IT function’s ability to run an efficient and agile service.
NGINX (PART OF F5 NETWORKS)
Ask industry professionals, and many will have heard of, and probably used iRules on the company’s BIG IP platform. However since those beginnings as load-balancing specialists, F5 has been known for the last several years as providers of complete application development and deployment solutions, a role in which it has become significant market leaders, due to (amongst other reasons) its technology being ideally suited to hybrid deployments. It was the next logical step for the company to increase its capabilities across the entire IT stack by acquiring the company behind the open source project, NGINX, in May of this year.
NGINX already runs a majority of the world’s web servers, and the platform can also load-balance and provide proxy services. Like Oracle’s MySQL, NGINX operates under a version of an open source license that adds proprietary code for a paid version of its solutions, which it terms NGINX Plus.
In combination with F5 Networks, the advantages the newly-merged company offers includes no specific platform limitations or stipulations anywhere in the entire application/service development and deployment environment. That means almost limitless interoperability and portability, irrespective of hardware or topology.
API Gateway, part of the NGINX Plus application delivery platform, and the API Management Console (a module of the NGINX Controller) can be deployed anywhere, from any public or private cloud environments to on-premises, to a private data centre, or spread across hybrid and multi-cloud setups.
Read more about the flexible and scalable API Management capability available to your enterprise IT function on the pages of Tech Wire Asia here.
Google’s Apigee (Alphabet acquired Apigee to extend its SaaS enterprise-oriented product portfolio) is a highly capable cloud-based platform that offers a quick-to-deploy API management system, coming with dozens of pre-configurations to test, re-use and edit as required. These include configurable transformation policies including SOAP to REST, XML to JSON and vice versa.
Additionally, there’s thorough versioning system, with policies and config ready for filing in XML. Versioning can be applicable at the URI level, according to the enterprise’s own policies, too.
There’s a good deal of consideration of security — crucial for any API gateway, as, by definition, it represents a presentation of a significant data ingress and exit point. To tie down authentication, for example, security goes together with configurability, as you can plug in policies such as OAuth, whitelisting and SAML assertions, as required.
API key verification is handled centrally too, making granular access control simple to configure from the management console, and access can, therefore, be switched on (or off) for suspect transactions (XML/JSON threat protection routines are baked in, as you might expect).
There’s a Drupal-based developer portal for community and corporate knowledge-sharing, plus development teams can request API keys and differing levels of access from the same portal. Developers can even document their tested APIs when ready, using SmartDocs, if required.
To learn more about the cloud-based Apigee, click here to read more on the Google pages.
*Some of the companies featured are commercial partners of Tech Wire Asia