Hello, friends! On February 21 we launch the course “Backend Developer in PHP”. On the eve of the launch we want to share with you a translation of an interesting article. Enjoy reading!
In October, at the NGINX Conf 2018 conference, we announced a new API management module for the NGINX controller. With this product we are consolidating our position as the most deployed API gateway in the industry: millions of sites already use NGINX Open Source and NGINX Plus to secure the traffic between backend applications and the consumers of the APIs those applications provide.

But effective processing of client requests is only one aspect of a successful API (albeit an extremely important one). You also need to manage your APIs throughout their life cycle, including their definition and publication, as well as the protection and control of traffic. You need to monitor and troubleshoot performance issues to ensure customer satisfaction, and analyze traffic to maximize business value. Integrated API management is essential for the rapid adoption and continued success of your API.
Figure: API management covers the entire life cycle of your APIs. Clockwise from the top: Definition and publication; Security; Traffic control (API gateway); Continuous monitoring and support; Analytics of API access; Onboarding (Dev portal). In the center: API management.
Like many of our clients, you may find the proliferation of concepts and terminology around API solutions rather daunting. In this post we discuss the key API concepts and explore the relationship between API management and API gateways.
Key concepts

API management has its own concepts and terminology:
- Internal APIs — Internal APIs are available only to other applications (and their developers) within the enterprise, not to external users. Internal APIs help open up data and foster collaboration between functional units within an enterprise. Here is a good example: before assisting a customer, the enterprise technical support team must determine whether the customer has a valid support contract. This information is already stored in a corporate customer relationship management (CRM) system, such as Salesforce. Instead of duplicating the information in its own database, the customer support application calls the internal CRM API.
- External APIs — External APIs are available to users outside your enterprise. They provide the means to build partnerships with third-party developers, as well as with your entire business ecosystem of suppliers, distributors, resellers and even customers. External APIs also allow enterprises to generate new revenue streams using innovative business models. Google Maps is a good example. Many third-party websites and apps embed a Google map to help end users pinpoint a store’s location or get directions. Access to the map costs the end user nothing, but after a certain number of calls Google charges the site or application a fee for each API call.
- Definition and publication — API management solutions provide an intuitive interface for defining meaningful APIs, including the base path (URL), resources, and endpoints.
- Resources are fundamental to any API definition; they are an abstraction of the information on which the API performs operations. Examples of resources are documents and customer identifiers. The API is called to obtain this information.
- Endpoints indicate where the resources are located. APIs have a base URL to which endpoint paths are appended. All API endpoints are relative to the base URL.
- For example, in the API endpoint https://app.enterprise.com/v1/inventory/, /v1 is the base path and /inventory is the resource.
- API management solutions allow API authors to publish APIs to various environments, such as production, testing, or staging. This ensures consistency across environments and prevents misconfiguration. Solutions also automate the creation of new APIs and modifications to existing ones.
- API gateway — As mentioned earlier, API gateways secure and mediate the traffic between your backend and the consumers of your API. Gateway functionality includes authenticating API calls, routing requests to the appropriate backends, applying rate limits to prevent overloading your systems or to mitigate DDoS attacks, offloading SSL/TLS to improve performance, and handling errors and exceptions.
- Microgateway — Many solutions have a centralized, tightly coupled data plane (the API gateway) and control plane (the API management tool). All API calls must pass through the control plane, which adds latency. An API gateway in this architecture is inefficient at processing traffic in distributed environments (for example, inter-service traffic in a microservices environment, or IoT traffic that must be processed to support real-time analysis). Consequently, to manage traffic where API consumers and providers are in close proximity, vendors of legacy solutions have introduced an additional software component, the microgateway, to handle API calls.
- API analytics — As your APIs become popular, you need to make sure that they deliver value to your users and meet your business goals. This is where analytics becomes critical. API management solutions provide much-needed insight through visualizations (such as dashboards and reports) of API metrics and usage, telling you, for example, which APIs are used more or less often, how API traffic changes over time, and which developers are the top API consumers. API analytics allow the API business owner, sometimes called the “API Product Manager”, to gain an in-depth view of the performance of an API program.
- Analytics is also important for troubleshooting. API management solutions provide deep insight into the performance of each API. These metrics allow infrastructure and operations teams to track and fix performance and security issues. Here are examples of questions that analytics can help answer:
- What is the status and uptime of all my API gateway instances?
- When do we see slowdowns for an API?
- When do HTTP errors occur for an API?
- API security — Security is a critical aspect of the API infrastructure. Without strong security, anyone can access your data and APIs, and can inject malicious behavior by invoking an unsecured API. API security includes the following elements:
- Authentication — Authentication refers to the process of reliably identifying the caller. API keys are a standard authentication and identification mechanism for subscribers who want to access an API. API management solutions provide a way for API providers to generate API keys, which can then be handed to third-party developers for use in API calls. OAuth is also a widely used authentication mechanism.
- Authorization — Authorization refers to the process of determining which privileges or access levels are granted to a user. One way to authorize users is through JSON Web Tokens (JWT). JWTs are access tokens that carry claims (claims is JWT terminology for individual privileges). For example, a JWT presented by a client application may include a claim allowing access to one particular resource. If the client application attempts to access any other resource, an HTTP 403 Forbidden error is returned.
- Role-based access control (RBAC - Role-based access control) - RBAC refers to the definition of user roles with certain privileges. For example, Infrastructure & Operations employees are usually not responsible for creating and publishing an API, but only for monitoring and troubleshooting. Thus, they are assigned a role that has only these privileges. Similarly, only the API Product Manager is assigned a role that has access to API analytics.
- Rate limiting — Rate limiting refers to imposing a limit on the number of requests that a requesting agent can make during a certain period of time (for example, 10,000 requests per second). Rate limits prevent your backend systems from being overloaded and help mitigate DDoS attacks. The API management solution provides an interface for defining the rate limits, which the API gateway then enforces. Rate limits also make tiered service levels possible (for example, Gold customers can make 10,000 requests per second, and Silver customers can make 5000).
- Developer portal — The developer portal is an online site where you publish resources that speed up the onboarding of your API consumers, such as a catalog of external APIs, full documentation, and sample code. The developer portal also allows third-party developers to register their applications and receive API keys and JWTs. Some solutions also provide a mechanism for interaction between the developers who use your API. A well-designed developer portal is crucial to the success of your API program.
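The endpoint example above (base path /v1, resource /inventory) and the security items (JWT authentication, claim-based authorization answering 403, and tiered rate limits) can be expressed in the NGINX Plus data plane directly. The following configuration fragment is an added example written for this post; it is not code from the original article, from NGINX, or from the NGINX controller. The custom "tier" and "scope" claims, the backend address, the certificate paths and the JWK file path are assumptions; the host app.enterprise.com and the rate figures come from the text.

```nginx
# Added example (not from the original article or from NGINX).
# Assumed claims: "tier" = "gold" | "silver"; "scope" = space-separated
# list of resources the client may reach (e.g. "inventory orders").
# NGINX Plus exposes every JWT claim as $jwt_claim_<name>.

# Per-tier counting keys: the key is the subscriber ($jwt_claim_sub) only in
# the matching tier and empty otherwise. NGINX does not count requests whose
# key is empty, so each client is accounted in exactly one zone.
map $jwt_claim_tier $gold_key {
    "gold"  $jwt_claim_sub;
    default "";
}
map $jwt_claim_tier $silver_key {
    "silver" $jwt_claim_sub;
    default  "";
}
limit_req_zone $gold_key   zone=gold:10m   rate=10000r/s;  # Gold: 10,000 r/s
limit_req_zone $silver_key zone=silver:10m rate=5000r/s;   # Silver: 5,000 r/s

# Authorization: 1 if the assumed "scope" claim names the inventory resource.
map $jwt_claim_scope $can_access_inventory {
    "~(^|\s)inventory(\s|$)" 1;
    default                  0;
}

upstream inventory_backend {
    server 10.0.0.11:8080;   # constructed backend address
}

server {
    listen 443 ssl;
    server_name app.enterprise.com;               # host from the article's example
    ssl_certificate     /etc/nginx/ssl/api.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/ssl/api.key;

    # Base path /v1: every endpoint beneath it requires a JWT whose signature
    # verifies against the JWK set (Authorization: Bearer <token>, the
    # auth_jwt default). A missing or invalid token is rejected with 401
    # before any backend is contacted.
    location /v1/ {
        auth_jwt          "API";
        auth_jwt_key_file /etc/nginx/jwk/api_keys.jwk;   # assumed JWK set

        # Rate limiting runs in the preaccess phase, before auth_jwt verifies
        # the signature: a forged "tier" claim can only pick a bucket, it
        # cannot pass authentication. Excess requests get 429 instead of the
        # default 503 so clients can tell throttling from an outage.
        limit_req zone=gold   burst=100 nodelay;
        limit_req zone=silver burst=50  nodelay;
        limit_req_status 429;

        # Resource /inventory under the base path.
        location /v1/inventory/ {
            # Token is valid but its claims do not cover this resource: 403.
            if ($can_access_inventory = 0) {
                return 403;
            }
            proxy_pass http://inventory_backend;
        }

        # Any other path under /v1 is an unknown resource (rewrite-module
        # directives such as return are not inherited by the nested location).
        return 404;
    }
}
```

Clients whose token carries neither tier are not rate limited at all by this fragment; in practice you would add a default zone keyed on $jwt_claim_sub (or $binary_remote_addr for unauthenticated endpoints) so that no caller is unaccounted.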
NGINX API Management: Using the Industry-Defining API Gateway

NGINX is already the industry's most widely used API gateway: in our recent survey, 40% of our customers reported using NGINX as an API gateway.
The new API management module for the NGINX controller, which will be released soon, combines the power and efficiency of NGINX Plus as an API gateway with new control-plane functionality. The NGINX controller allows Infrastructure & Operations and DevOps teams to define, publish, protect, monitor, and analyze APIs while maintaining control over the evolution of the API. Extensive monitoring and alerting capabilities help ensure application availability, performance and reliability. The NGINX controller provides deep insight into key performance indicators, allowing Infrastructure & Operations and DevOps teams to avoid performance problems in the first place and to quickly resolve any problems that do arise.
Our approach to API management differs from traditional solutions. Unlike those solutions, the NGINX Plus API gateway (data plane) does not require a permanent connection to the NGINX controller (control plane), so API runtime traffic is isolated from control traffic. The NGINX controller eliminates the need for local databases or additional components that would add unnecessary complexity, latency, and points of failure to the NGINX Plus API gateways. This maximizes performance by reducing the average response time for servicing an API call and minimizes the size and complexity of the gateway. Decoupling the data plane from the control plane gives you the flexibility to deploy as many API gateway instances as your application architecture requires. The NGINX controller gives you the freedom to choose the right deployment for your internal and external API needs with an easy, simple and high-performance solution that takes full advantage of the capabilities of the NGINX Plus data plane.
NGINX technology powers the Capital One developer portal, DevExchange. This allowed Capital One to scale its applications to 12 billion operations per day, with peaks of 2 million operations per second and latencies of only 10–30 milliseconds. NGINX also powers the Adobe I/O Developer Portal. Adobe I/O allows developers to integrate, extend and build applications based on Adobe products and technologies using the API. The platform processes millions of requests per day with minimal latency.
That is the translation; what do you think of it? We look forward to your comments and, as usual, invite you to an open lesson that our instructor Igor Sakhankov will hold on February 11.