Original author: NGINX

Original link: Concept review: API management and API gateway

Reprint source: NGINX open source community

The only official Chinese community of NGINX, all at nginx.org.cn

With the rise of microservice architecture, the number of APIs has increased dramatically, which has also produced a series of challenges and solutions. Read this article to learn about fundamental concepts related to APIs: API first, API proliferation, API management, API gateways, and API developer experience.

What is API first?

An " API-first " approach is a development model in which the design of an application starts with the API and is then coded. APIs are not an afterthought but a necessary, established product. The entire development process starts with an API specification, and the application is first conceptualized as an API. This is in stark contrast to the traditional "code first" approach. In the traditional "code first" approach, monolithic code comes first, and API design comes later.

An API-first strategy is particularly suitable for microservices architecture because it ensures that the application ecosystem starts out as a modular, reusable system. Paying attention to the API early can draw attention to the structure of API requests and data, so that the API can provide the functions developers need most and avoid wasting developer time on functions that later prove to be unnecessary.

Why adopt an API-first model?

When a company adopts an API-first model (and thus becomes an "API-first company"), it prioritizes APIs (both internally and externally) and recognizes the impact of the API lifecycle on its business. For enterprises, API-first often means faster time to market because it's easier to update and change backend services.

In addition to increasing productivity, taking an API-first approach helps develop more powerful software. Developers can focus on design because teams don't have to start from scratch and can reuse their APIs and code across projects. Since most of the problems are solved before writing the code, the work is reduced, which in turn saves costs.

The API-first model also simplifies API governance and provides operations teams with greater control and observability. Having greater control and visibility over the API helps teams understand the current state and future potential of the API.

API-first security risks

APIs are often open, which gives them great functionality but also means that any developer can access the API. Unfortunately, not every developer has pure intentions.

When creating a successful API-first model, API security strategies must be centrally defined and security integrated throughout the API lifecycle. The API-first model emphasizes a security-centric philosophy and therefore has stronger security boundaries than previous code-centric models.

What is API sprawl?

“ API Sprawl ” describes two intertwined problems that arise as enterprises digitally transform: the proliferation of APIs, and the dispersion of APIs across multiple architectures and teams.

Many factors can lead to API creep. Some of the most common factors include:

Hybrid infrastructure - 81% of today's enterprises operate across three or more architectures, including public cloud, on-premises data centers and edge infrastructure.
Microservices architecture – The growing popularity of microservices architecture has led to a proliferation of API endpoints as new services are continuously launched.
Continuous software deployment - Developers can quickly develop dozens of APIs or multiple versions of an API in a short period of time.
Abandoned APIs – When developers move on to support and work on other projects, they stop managing and maintaining previously created APIs.

Why is API sprawl a problem?

API sprawl poses huge operational and security challenges to enterprises. As API endpoints proliferate across multiple teams and environments, securing and managing APIs becomes a serious challenge. For enterprises, API sprawl often brings hidden costs, such as reduced developer productivity, increased rework, and slower review times. Such costs are difficult to measure and are often not noticed until it is too late.

Some of the main challenges with API creep include:

Lack of visibility – In a hybrid architecture, it is difficult to have a unified view of API traffic and configuration.
Lack of clear sources - Developers have difficulty finding APIs and the latest documentation.
Decreased reliability - misconfigurations become more common and can easily cause business disruption.
Increased security threats – Insecure API endpoints are easy targets.

To learn more about API sprawl and why it poses a significant threat, see our blog post Five Ways to Fight API Creep (and Why You Should Be Concerned about API Creep) .

What is API management?

" API Management " refers to the tools and processes used by enterprises to oversee and publish APIs. In some environments, API management refers specifically to the control plane that manages APIs in production, defining policies, pushing configurations, generating reports and alerts, and providing visibility across all API gateways.

Today, most modern applications are built using APIs. An API is a software interface that enables two applications to communicate with each other and allows products and services to interact in the form of requests and responses.

API management solutions provide key tools and capabilities that simplify the process of publishing and sharing APIs among development teams. The following are components and use cases that help achieve powerful API management.

infrastructure

API Manager — A management plane (sometimes called "API Manager") that provides a single interface to fully manage the API lifecycle, including publishing APIs, monitoring API performance, and applying access control policies.
API Developer Portal - The Developer Portal is an online platform where you can publish resources to help API consumers get started quickly, such as a catalog of external APIs, comprehensive documentation, and sample code. The developer portal also allows third-party developers to register their applications and obtain API and JWT keys.
API Gateway  —Secures and handles traffic between backends and API consumers. API Gateway capabilities include validating API calls, routing requests to the appropriate backend, implementing rate limiting to prevent system overload or mitigating DDoS attacks, offloading SSL/TLS traffic to improve performance, and handling errors and exceptions.

Example

API Analytics — API management solutions provide critical insights through visualization capabilities such as dashboards and reports. API analytics can help API owners gain insights into various operational aspects, such as API metrics, usage, traffic trends, and which developers are the main API consumers.
API security — Security is an important aspect of API management: without strong security, anyone can access your APIs and data and commit malicious acts by calling unsafe APIs. API security includes authentication, authorization, role-based access control (RBAC), and rate limiting.
API Governance —Refers to the application of rules and security protections in APIs and API gateways. Implementing a flexible API governance model helps balance global policies such as logging, error response codes, and TLS configuration.
Define and publish —API management solutions provide an intuitive interface for defining meaningful APIs, including base paths (URLs), resources, and endpoints.

The main goal of API management is to help enterprises monitor API activity in order to quickly respond to any changes based on current developer or application requirements.

In API management, the focus is on managing the life cycle (design, release, operation, monitoring, and deprecation) of an individual API.

What is an API gateway?

The API gateway accepts requests from clients (specifically API calls) and routes them to the appropriate microservices. It protects and handles critical traffic between backend services and API consumers, reducing the risk of vulnerabilities, downtime, and poor performance.

Today, most modern applications are built using APIs. An API is a software interface that enables two applications to communicate with each other and allows interactions between products and services in the form of requests and responses. As APIs become more ubiquitous and distributed across microservices architectures, additional infrastructure is required to ensure scalability and security.

Why use API Gateway?

Using an API gateway means that you can maintain a single API domain (such as api.example.com). With an API gateway, you can provide a single entry point for all clients to route requests to different versions of your API based on user requests. API Gateway enables you to call multiple microservices with a single request and aggregate the results to provide the best response.

Basic functions of API gateway

API gateways can be used for both monolithic and microservices-based applications. API Gateway has the following capabilities, including:

Authenticate requesters making API calls (AuthN)
Verify that the requester is authorized to make the request (AuthZ)
Route requests to the appropriate backend
Implement rate limiting to prevent system overload
Implement rate limiting to mitigate DDoS attacks
Offload SSL/TLS traffic to improve performance
Handle errors and exceptions

API Gateway and API Management

"API gateway" and "API management" are sometimes used interchangeably, but are not actually synonymous. An API gateway is the data plane that sits between clients and API endpoints. It is a single proxy server responsible for routing, policy and security. API management refers to the control plane that manages APIs in a production environment. It defines policies, pushes configurations, generates reports and alerts, and provides visibility across all API gateways.

Ideally, an API management platform is infrastructure independent, giving you the freedom to deploy API gateways in a variety of environments (such as on-premises data centers, cloud platforms, and edge nodes) in a manner that best suits your use case.

Using API Gateway for microservices

In a microservices architecture, a single API may have hundreds of endpoints, and a single application may contain multiple microservices, each connected through the API . Since each microservice exposes a large number of API endpoints, the potential attack surface is much larger than that of a monolithic application.

Using an API gateway for microservices reduces risk by simplifying access and communication between clients and APIs. But API gateways still encapsulate APIs, which are usually open. APIs expose data required for the connection and may also expose sensitive data.

API security

The Open Web Application Security Project (OWASP) identified the most common vulnerabilities among the OWASP Top 10 API security risks:

API1. Invalid object-level authorization

API2. Broken User Authentication

API3. Excessive data exposure

API4. Lack of resources and rate limits

API5. Invalid function-level authorization

API6. Batch assignment

API7. Security protection configuration error

API8.Injection

API9. Improper asset management

API10. Insufficient logging and monitoring

To protect APIs from these rampant new attacks, it becomes critical to secure API gateways. To learn more about the importance of protecting your API gateway, see our blog post Securing your API gateway with NGINX App Protect WAF .

API governance

API governance refers to the application of rules and security protections in APIs and API gateways. Implementing a flexible API governance model helps balance global policies such as logging, error response codes, and TLS configuration.

For any organization implementing an API-first strategy, especially larger organizations employing thousands of APIs, ensuring consistency through API governance can effectively combat potential API sprawl. While API governance was once thought to potentially slow down development, it is now necessary to manage APIs at scale.

What is the API developer experience?

API developer experience refers to the overall perceived and emotional state of a developer when interacting with an API. It involves the infrastructure, tools, processes, support, and other touchpoints that work together to provide developers with a pleasant, smooth experience when integrating APIs into applications.

API Developer Experience is one aspect of providing developers with an optimized experience at every touchpoint on the platform. By reducing friction among developers, software engineering leaders can increase the productivity of internal team developers and accelerate the adoption of their APIs and tools by external developers.

When designing an API, you need to ask these basic questions:

Function — What does the API do?
Usability – How easy is the API to use?
Experience - How is the experience of using the API?

In a developer-centric world, it’s imperative to have an API strategy that covers every stage of the API lifecycle and strive to create a positive experience. When designing the API developer experience, identifying who interacts with the API, defining how the API operates, optimizing its usability, and enhancing the overall feel of the API are all important considerations.

To learn more about API developer experience, see our blog post Why API developer experience matters .