apidays LIVE Hong Kong 2021 - API Ecosystem & Data Interchange
August 25 & 26, 2021
Headless API Management
Snehal Chakraborty, Cloud Integration Architect at Accenture Netherlands B.V.
2. ABOUT MYSELF
• I am Snehal Chakraborty
• Working at Accenture Netherlands as a Cloud Integration Architect
• Help customers in solving API Management problems
• Living in the Netherlands with my family
3. HOW API MANAGEMENT HAS EVOLVED?
No API Gateway
• SOAP APIs were used
• Tightly coupled services with low reusability
• Sometimes a service registry was used
• Mostly service bus type platforms were used to create/publish APIs
Common API Gateway
• One API platform to manage all
• Consumers and providers mostly located in a single location
• Single developer portal for the entire API catalogue
• One big monolith installation with a large footprint
Distributed API Gateways
• Distributed API gateways spread across the IT landscape, with a common management plane
• Consumers and providers spread across on premise, cloud and SaaS instances
• Regulatory and performance requirements play a key role
Multiple API Gateways
• Multiple API gateways with multiple management planes
• Inclination towards the use of cloud native gateways
• Demand for dedicated API gateways to support team autonomy
• Better scalability
• Impact of vendor lock-in minimized
4. DISTRIBUTED API GATEWAYS VS MULTIPLE API GATEWAYS
[Diagram: in the distributed setup, one developer portal and one management plane sit above several API gateways (cloud and on premise); in the multiple-gateway setup, each API gateway has its own management plane and its own developer portal.]
5. WHY MULTIPLE API GATEWAYS?
Cloud native gateways: All major hyperscalers offer native API gateways as a resource. AWS and Azure native gateways are the most popular as per the SmartBear State of APIs 2020 report.
PaaS offering: Native gateways are PaaS offerings, leading to less operational maintenance and quick spin-up time using IaC products.
Hybrid setup: Multiple organizations are in the middle of their cloud journey and have workloads running both on premise and in cloud environments.
Regulatory requirements: There may be regulatory requirements around data, or a requirement not to have multitenant instances, leading to keeping some workloads on premise with dedicated gateways.
Different requirements: An organization can have different requirements around security, regulations etc.
Comfort: Teams within an organization are becoming more inclined towards and comfortable with a certain cloud hyperscaler, and find the learning curve for that hyperscaler's native API gateway less steep.
Own choice: Domains/subsidiaries within an organization are demanding more freedom in making choices around products to grow at their own pace.
Cost optimization: Setup and run cost plays a key role in determining the choice of a product.
Autonomy: Teams are demanding autonomy to make their own choices.
Type of traffic: With the Open API ecosystem picking up, there is a need to differentiate between external and internal traffic.
Shared vs dedicated: An organization may need shared and dedicated gateways due to governance, performance and security requirements.
Migration: Some workloads may still be running on premise, making an API gateway necessary on premise as well, leading to multiple API gateways.
6. CHALLENGES POSED BY MULTIPLE API GATEWAYS
Security: Securing APIs is a challenge as the traffic is spread across multiple API gateways. Consistent security mechanisms and subscription management are some of the challenging propositions.
Governance: Enforcing governance over teams that make use of the multiple API gateways is a challenge. Ensuring consistent policy enforcement and avoiding duplication of effort are key.
Observability: Monitoring and troubleshooting is a big challenge since API traffic is spread across multiple gateways.
Discovery: API discovery for consumers is a challenge due to multiple API gateways, and uniform SOPs around onboarding are difficult to achieve.
7. WHAT IS HEADLESS API MANAGEMENT?
Headless here means moving away from a UI-based management plane to an API-based management plane to manage APIs on API Management runtimes.
[Diagram: a management plane exposing management APIs over the runtime plane (the API Management PaaS gateways and their developer portals). Built on those management APIs are the four capabilities covered in the following slides: API Marketplace (discovery, documentation, subscription; fed from a document repository), Lifecycle Management (REST APIs, pipelines), Security (AuthN, AuthZ, RBAC) and Governance.]
8. API MARKETPLACE
API Marketplace: the go-to place to discover and subscribe to all APIs within an organization.
Importance:
An API marketplace is the one-stop shop for all APIs within an organization. It can be used to publish standards and guidelines, business case studies, inspiration etc. It acts as a bridge between consumers and providers and is a trust signal between them. It can also act as a community space for collaboration between developers. Eventually it has the potential to be expanded into a digital marketplace.
Salient features:
• Discovery – The API marketplace should be able to search and provide a list of APIs across the different API management platforms.
• Documentation – This is the key to a successful API ecosystem. Good documentation makes life easy for both consumer and provider.
• Subscription – This feature allows a consumer to request access to APIs. This could include subscription for API keys and an OAuth client with defined scope(s).
Setup:
• The API marketplace can source its static content from a document repository (e.g., GitHub). The document repository stores the API documentation in OpenAPI specification format and any other documentation in markdown. The content can be fetched via APIs and rendered as HTML. The biggest benefit of this setup is that documentation comes from a single source. Since the documentation is stored in GitHub, a docs-as-code approach is possible, e.g. triggering a build for linting after every merge.
• For subscription management the marketplace needs to integrate with the management APIs of the different API gateways and also with the APIs of the chosen identity provider (IDP). API keys are required to identify a consumer on an API, apply traffic management policies, generate consumer-specific analytics etc. OAuth client setup is required to give the consumer coarse-grained authorization.
• The API marketplace can be federated with an identity management system for implementing SSO and RBAC (very helpful if the marketplace needs to be opened up to partners).
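The discovery and subscription features described above, as an added example that is not part of the talk or any product it mentions. It indexes OpenAPI documents (here constructed inline; in the setup above they would be fetched from the document repository through its API) into one catalogue spanning several gateways, offers a search over it, and handles a subscription request by checking the requested OAuth scopes against the scopes the API actually declares. The `x-gateway` extension field, the gateway names and the consumer names are assumptions made for this example.

```python
from dataclasses import dataclass, field
import secrets

# Constructed sample OpenAPI documents. The x-gateway field in info is an
# assumed convention recording which gateway the proxy is deployed on.
SAMPLE_SPECS = [
    {
        "openapi": "3.0.3",
        "info": {"title": "Orders API", "version": "2.1.0", "x-gateway": "aws-shared"},
        "tags": [{"name": "orders"}, {"name": "fulfilment"}],
        "paths": {"/orders": {"get": {"security": [{"oauth": ["orders:read"]}]}}},
        "components": {"securitySchemes": {"oauth": {
            "type": "oauth2",
            "flows": {"clientCredentials": {"scopes": {"orders:read": "", "orders:write": ""}}},
        }}},
    },
    {
        "openapi": "3.0.3",
        "info": {"title": "Customer Profile API", "version": "1.0.0", "x-gateway": "onprem-regulated"},
        "tags": [{"name": "customers"}],
        "paths": {"/customers/{id}": {"get": {"security": [{"apiKey": []}]}}},
        "components": {"securitySchemes": {
            "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    },
]


@dataclass
class CatalogueEntry:
    title: str
    version: str
    gateway: str
    tags: list
    oauth_scopes: set = field(default_factory=set)
    api_key: bool = False


def declared_scopes(spec: dict) -> set:
    """Collect every OAuth2 scope declared in the spec's security schemes."""
    scopes = set()
    for scheme in spec.get("components", {}).get("securitySchemes", {}).values():
        if scheme.get("type") == "oauth2":
            for flow in scheme.get("flows", {}).values():
                scopes.update(flow.get("scopes", {}).keys())
    return scopes


def uses_api_key(spec: dict) -> bool:
    schemes = spec.get("components", {}).get("securitySchemes", {}).values()
    return any(s.get("type") == "apiKey" for s in schemes)


def build_catalogue(specs) -> dict:
    """Index specs by title so consumers can discover APIs across all gateways."""
    catalogue = {}
    for spec in specs:
        info = spec["info"]
        catalogue[info["title"]] = CatalogueEntry(
            title=info["title"], version=info["version"],
            gateway=info.get("x-gateway", "unknown"),
            tags=[t["name"] for t in spec.get("tags", [])],
            oauth_scopes=declared_scopes(spec), api_key=uses_api_key(spec))
    return catalogue


def search(catalogue: dict, term: str) -> list:
    """Case-insensitive search over title and tags; returns matching titles."""
    term = term.lower()
    return sorted(e.title for e in catalogue.values()
                  if term in e.title.lower() or any(term in t.lower() for t in e.tags))


def subscribe(catalogue: dict, consumer: str, title: str, scopes=()) -> dict:
    """Build the subscription record that would be pushed to the gateway's
    management API and to the IDP. Unknown APIs and undeclared scopes are
    rejected up front, so a consumer is never granted a scope the API does not define."""
    entry = catalogue.get(title)
    if entry is None:
        raise KeyError(f"unknown API: {title}")
    unknown = set(scopes) - entry.oauth_scopes
    if unknown:
        raise ValueError(f"scopes not declared by {title}: {sorted(unknown)}")
    record = {"consumer": consumer, "api": title, "gateway": entry.gateway}
    if entry.api_key:
        record["api_key"] = secrets.token_urlsafe(32)  # sample only; real keys are issued by the gateway
    if scopes:
        record["oauth_scopes"] = sorted(scopes)
    return record


if __name__ == "__main__":
    cat = build_catalogue(SAMPLE_SPECS)
    print(search(cat, "order"))
    print(subscribe(cat, "mobile-app", "Orders API", ["orders:read"]))
```

The scope check is the point of the subscription function: the marketplace is the single place where a consumer's requested scopes meet the provider's declared ones, so rejecting undeclared scopes there keeps the IDP client onboarding from ever issuing a scope no gateway policy will recognise.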
9. LIFECYCLE MANAGEMENT
API Lifecycle Management: the ability to create/modify/delete API proxies and other artifacts.
Importance:
Lifecycle management is key for API providers. It allows providers to manage API proxies on their choice of API gateway, but under defined governance. This enables proper quality control on naming conventions, policy usage and adherence to standards and guidelines.
Salient features:
• REST APIs – Provide abstracted APIs to create/modify/delete API proxies on a chosen API gateway. This allows API providers to integrate lifecycle operations into their own pipelines/processes and automate lifecycle stages. This is especially handy for shared API gateways.
• Pipelines – Provide pipeline templates (for dedicated gateways) and central pipelines or plugins for shared gateways.
Setup:
• Both the REST APIs and the pipelines need to be built upon the management APIs of the different API gateways. RBAC becomes very important here in the case of shared API gateways, to ensure providers do not overwrite each other's API proxies. Hence each API proxy and its related artifacts need to be assigned to the right group of users. The REST APIs/pipelines can take a manifest file and an OpenAPI specification as input to create the API proxy, and can have built-in rules to follow the right naming convention, choose the right policies and overall maintain adherence to the standards and guidelines.
10. SECURITY
Security: RBAC, authentication, authorization.
Importance:
Security plays a key role in maintaining the confidentiality and integrity of the resources in a company's ecosystem. APIs being the gateway to an organization's back office, this back-office data needs to be kept secure and safe from all kinds of security vulnerabilities and risks. This covers securing access to an API from both the usage and the management perspective on the gateway.
Salient features:
• RBAC – Role Based Access Control is absolutely necessary to facilitate DIY usage on shared API gateways. This ensures only the responsible provider team has privileges to perform CRUD operations. The REST APIs or pipelines which allow these operations need to ensure that the requestor has the right privilege to perform the initiated action. RBAC requires the API gateway to create roles/groups and assign them to users. Once an API proxy and other related artifacts are created, they need to be made accessible only to the required role/group.
• Authentication – The API gateway needs to know who the consumer is to generate the right analytics and apply consumer-based traffic management policies.
• Authorization – The API gateway needs to know if the consumer is allowed to perform the initiated action. This can be done using OAuth tokens with the right scope.
Setup:
• RBAC for shared gateways requires an automated onboarding process to create users (if SSO is allowed, sync them from the enterprise IDP), create roles/groups and attach users to roles/groups. All API gateways come with a management API suite which allows these actions to be done via APIs. The required APIs need to be used for creating the whole onboarding flow. An onboarding app can be created very quickly with Office 365 tools like Power Apps and Power Automate.
• The subscription flow ensures that the consumer is able to subscribe to an API and get an API key. Along with this, another workflow is required to onboard the consumer in the IDP and get the right scopes assigned. Two sets of APIs are important to automate these flows: the management APIs for subscription on the API gateway, and the IDP APIs for client onboarding and scope assignment.
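The two authorization decisions this slide describes, as an added example that is not part of the talk or of any gateway's management API. On the management plane, the lifecycle REST API or pipeline must check that the requestor may run a CRUD operation on a given proxy; the proxy carries the owner group assigned when it was created and the user's groups come from the IDP sync. On the runtime plane, the gateway must check that the consumer's OAuth token carries the scope the operation requires and has not expired. The proxy registry, group names, token fields and the `platform-admins` override group are all constructed assumptions for this example.

```python
import time
from dataclasses import dataclass

MANAGEMENT_ACTIONS = {"create", "read", "update", "delete"}


@dataclass(frozen=True)
class ApiProxy:
    name: str
    owner_group: str       # group that may modify the proxy, fixed at creation time
    required_scopes: dict  # operation -> scope a consumer must present


# Constructed sample registry of proxies on a shared gateway.
PROXIES = {
    "orders-v2": ApiProxy("orders-v2", "team-orders",
                          {"GET /orders": "orders:read", "POST /orders": "orders:write"}),
    "customers-v1": ApiProxy("customers-v1", "team-crm",
                             {"GET /customers/{id}": "customers:read"}),
}

# Constructed sample of group membership as synced from the enterprise IDP.
USER_GROUPS = {
    "alice": {"team-orders"},
    "bob": {"team-crm"},
    "carol": {"team-orders", "platform-admins"},
}

# Assumed convention: the platform team's group may manage any proxy for support
# purposes; every other user is confined to the proxies their group owns.
PLATFORM_ADMIN_GROUP = "platform-admins"


def may_manage(user: str, action: str, proxy_name: str,
               proxies=PROXIES, groups=USER_GROUPS) -> bool:
    """RBAC decision for the lifecycle REST API / pipeline. Deny by default."""
    if action not in MANAGEMENT_ACTIONS:
        return False
    user_groups = groups.get(user, set())
    if action == "create":
        # A proxy that does not exist yet has no owner: any known provider may
        # create it, after which it is locked to that provider's group.
        return proxy_name not in proxies and bool(user_groups)
    proxy = proxies.get(proxy_name)
    if proxy is None:
        return False
    return proxy.owner_group in user_groups or PLATFORM_ADMIN_GROUP in user_groups


def may_call(token: dict, proxy_name: str, operation: str,
             now=None, proxies=PROXIES) -> bool:
    """Runtime decision: does the consumer's (already signature-verified) token
    carry the scope this operation requires, and is it still valid?"""
    now = time.time() if now is None else now
    proxy = proxies.get(proxy_name)
    if proxy is None or operation not in proxy.required_scopes:
        return False
    if token.get("exp", 0) <= now:   # expired tokens are never accepted
        return False
    granted = set(token.get("scope", "").split())
    return proxy.required_scopes[operation] in granted


if __name__ == "__main__":
    print(may_manage("alice", "update", "orders-v2"))       # True
    print(may_manage("alice", "delete", "customers-v1"))    # False
    tok = {"sub": "mobile-app", "scope": "orders:read", "exp": time.time() + 300}
    print(may_call(tok, "orders-v2", "POST /orders"))       # False: orders:write needed
```

Both functions are deny-by-default: an unknown action, an unknown proxy, an operation the proxy does not declare, a user with no groups or a token without the scope all fall through to `False`, which is the behaviour a shared gateway needs so that one provider cannot touch another's proxy by way of an unhandled case.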
11. GOVERNANCE
Governance: standards and guidelines, best practices, dos and don'ts.
Importance:
Governance plays a key role in ensuring quality and consistency and in defining clear roles and responsibilities for each layer. This involves both people and processes.
Salient features:
• Define standards and guidelines around API specifications, create linting capability around them and include it in build/deployment pipelines.
• Define dos and don'ts around API gateways, e.g. HTTP verb-based routing is allowed, but transformation is not allowed. Incorporate these rules into the lifecycle management assets.
• Define security guidelines for each layer, e.g. coarse-grained and fine-grained security responsibilities.
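An added example, not taken from the talk or from any gateway product, that serves both the lifecycle-management setup in slide 9 (a manifest plus an OpenAPI specification turned into an API proxy under built-in rules) and the governance rules above (specification linting, naming convention, routing allowed but transformation not). The manifest schema, the policy names, the naming convention and the gateway names are assumptions made for this example; the output is a gateway-neutral proxy definition that a pipeline would then translate into calls on the chosen gateway's management API.

```python
import re

# Assumed governance rule set for the shared gateways.
ALLOWED_POLICIES = {"verify-api-key", "oauth-verify", "rate-limit", "verb-routing", "cors"}
FORBIDDEN_POLICIES = {"xml-to-json", "json-to-xml", "message-transform"}  # transformation belongs in the backend
NAME_RE = re.compile(r"^[a-z][a-z0-9]*(-[a-z0-9]+)*-v[0-9]+$")             # e.g. orders-v2
GATEWAYS = {"aws-shared", "azure-shared", "onprem-regulated"}

# Constructed sample input as a provider's pipeline would submit it.
SAMPLE_MANIFEST = {
    "name": "orders-v2", "gateway": "aws-shared", "owner_group": "team-orders",
    "target": "https://orders.internal.example/v2",
    "policies": ["oauth-verify", "rate-limit", "verb-routing"],
}
SAMPLE_SPEC = {
    "openapi": "3.0.3", "info": {"title": "Orders API", "version": "2.1.0"},
    "security": [{"oauth": ["orders:read"]}],
    "paths": {"/orders": {"get": {"operationId": "listOrders"},
                          "post": {"operationId": "createOrder"}}},
}


def lint_spec(spec: dict) -> list:
    """Specification lint: versioned, every operation has an operationId and
    falls under a security requirement (its own or the document-wide one)."""
    problems = []
    if not spec.get("info", {}).get("version"):
        problems.append("info.version missing")
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in {"get", "post", "put", "patch", "delete"}:
                continue
            if not op.get("operationId"):
                problems.append(f"{method.upper()} {path}: operationId missing")
            if not op.get("security") and not spec.get("security"):
                problems.append(f"{method.upper()} {path}: no security requirement")
    return problems


def validate_manifest(manifest: dict) -> list:
    """Manifest lint: naming convention, known gateway, RBAC owner, allowed policies."""
    problems = []
    name = manifest.get("name", "")
    if not NAME_RE.match(name):
        problems.append(f"name {name!r} violates convention <domain>-v<major>")
    if manifest.get("gateway") not in GATEWAYS:
        problems.append(f"unknown gateway {manifest.get('gateway')!r}")
    if not manifest.get("owner_group"):
        problems.append("owner_group missing (needed for RBAC on shared gateways)")
    for p in manifest.get("policies", []):
        if p in FORBIDDEN_POLICIES:
            problems.append(f"policy {p!r} not allowed: transformation is not done on the gateway")
        elif p not in ALLOWED_POLICIES:
            problems.append(f"policy {p!r} unknown")
    return problems


def build_proxy(manifest: dict, spec: dict) -> dict:
    """Apply all rules, then emit the proxy definition; refuse on any violation."""
    problems = validate_manifest(manifest) + lint_spec(spec)
    if problems:
        raise ValueError("; ".join(problems))
    domain, major = manifest["name"].rsplit("-v", 1)
    if spec["info"]["version"].split(".")[0] != major:
        raise ValueError("manifest major version does not match spec info.version")
    policies = list(manifest.get("policies", []))
    if "verify-api-key" not in policies and "oauth-verify" not in policies:
        policies.insert(0, "verify-api-key")  # rule: every proxy must identify its consumer
    return {
        "name": manifest["name"],
        "gateway": manifest["gateway"],
        "base_path": f"/{domain}/v{major}",
        "target": manifest["target"],
        "owner_group": manifest["owner_group"],   # drives the RBAC assignment on the gateway
        "policies": policies,
        "operations": sorted(f"{m.upper()} {p}" for p, ops in spec["paths"].items() for m in ops),
    }


if __name__ == "__main__":
    print(build_proxy(SAMPLE_MANIFEST, SAMPLE_SPEC))
```

Running the two linters before anything is sent to a gateway is what makes governance the path of least resistance: a provider gets a precise list of violations from their own pipeline run instead of a rejected change request from the platform team later.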
Setup:
• A center of excellence team is required to define and maintain API and platform governance.
• A platform team is required to maintain the shared API gateways and the utility assets for dedicated API gateways.
• DevOps teams are required to create APIs and publish them on the desired API gateways.
12. OBSERVABILITY
Observability: monitoring, analytics, logging.
Importance:
Observability is an important part of maintaining reliability, availability and performance. Monitoring and logging can provide useful insights about the APIs. APIs are an integral part of the automation workflow of any business, and as more applications rely on them, the need for them to be reliable grows.
Salient features:
• Proactive monitoring of the API gateway
• Proactive monitoring of APIs using a health check endpoint
• Logging events in a central logging platform for the shared API gateways
• Analytics around usage of APIs
Setup:
• Resource-level monitoring of API gateways, e.g. using cloud native monitoring tools for cloud-based API gateways
• Set up a separate health check endpoint for every API and probe it at regular intervals to check the availability of the full chain (be careful here, as this could increase traffic load)
• Log events in a central platform and open up viewing access for DIY troubleshooting, e.g. log in Splunk and open up index access. Correlation IDs can be used to stitch logs across layers
• Open up the analytics APIs of the API gateways to users of the platform. This could help them monitor API usage, adoption etc. as they wish
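Stitching logs across layers with a correlation ID, as an added example that is not part of the talk. The log lines below are constructed JSON events from a shared gateway and from a backend service; a real setup would pull them from the central logging platform (Splunk in the slide) rather than from an inline list. The field names (`cid`, `layer`, `latency_ms` and so on) are assumptions for this example. The code groups events per correlation ID, tells a DIY troubleshooter which layer first failed, and reports how much latency the gateway added over the backend.

```python
import json
from collections import defaultdict

# Constructed sample events: one gateway and one backend line per request,
# plus a malformed line to show that parsing failures are counted, not hidden.
SAMPLE_LOGS = [
    '{"ts": 1000.000, "layer": "gateway", "cid": "c-1", "api": "orders-v2", "op": "GET /orders", '
    '"consumer": "mobile-app", "status": 200, "latency_ms": 180}',
    '{"ts": 1000.020, "layer": "backend", "cid": "c-1", "service": "orders", "status": 200, "latency_ms": 120}',
    '{"ts": 1001.000, "layer": "gateway", "cid": "c-2", "api": "orders-v2", "op": "POST /orders", '
    '"consumer": "mobile-app", "status": 502, "latency_ms": 3005}',
    '{"ts": 1001.030, "layer": "backend", "cid": "c-2", "service": "orders", "status": 500, '
    '"latency_ms": 2990, "error": "db timeout"}',
    '{"ts": 1002.000, "layer": "gateway", "cid": "c-3", "api": "customers-v1", "op": "GET /customers/{id}", '
    '"consumer": "crm", "status": 401, "latency_ms": 4}',
    'not json at all',
]


def parse_events(lines):
    """Parse JSON log lines; skip malformed or uncorrelated ones and count them."""
    events, dropped = [], 0
    for line in lines:
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            dropped += 1
            continue
        if "cid" in evt:
            events.append(evt)
        else:
            dropped += 1
    return events, dropped


def stitch(events):
    """Group events per correlation ID, ordered by timestamp."""
    traces = defaultdict(list)
    for e in events:
        traces[e["cid"]].append(e)
    for cid in traces:
        traces[cid].sort(key=lambda e: e["ts"])
    return dict(traces)


def diagnose(trace):
    """Classify one stitched trace: overall status, which layer failed first,
    and the latency the gateway added on top of the slowest backend call."""
    gw = next((e for e in trace if e["layer"] == "gateway"), None)
    be = [e for e in trace if e["layer"] == "backend"]
    result = {"status": gw["status"] if gw else None, "failed_at": None, "gateway_overhead_ms": None}
    if gw and gw["status"] >= 400:
        # A backend 5xx means the gateway merely relayed the failure; otherwise
        # the request was rejected at the gateway itself (auth, policy, timeout).
        result["failed_at"] = "backend" if any(b["status"] >= 500 for b in be) else "gateway"
    if gw and be:
        result["gateway_overhead_ms"] = gw["latency_ms"] - max(b["latency_ms"] for b in be)
    return result


def summarize(lines):
    """End-to-end: parse, stitch, diagnose. Returns (report per cid, dropped count)."""
    events, dropped = parse_events(lines)
    traces = stitch(events)
    return {cid: diagnose(t) for cid, t in traces.items()}, dropped


if __name__ == "__main__":
    report, dropped = summarize(SAMPLE_LOGS)
    for cid, verdict in report.items():
        print(cid, verdict)
    print("dropped lines:", dropped)
```

The dropped count matters as much as the report: a gateway that logs without a correlation ID, or a backend that does not propagate the header it received, shows up here as unstitchable events, which is the first thing to fix before opening index access to the teams.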
13. THINGS TO REMEMBER
Vendors
• Limit the choice of API gateway vendors
• More vendors bring more complexity
• Have concrete requirements ready before choosing a vendor
Governance
• No compromise on API and platform governance
• Align with the business to emphasize the importance of governance
• Make adherence to governance rules the path of least resistance
• Educate that governance is beneficial and not a bottleneck
Security
• Follow a zero trust model
• Make responsibilities around security crystal clear
API-First
• Develop new features around API Management with an API-first mindset