API management refers to the processes for distributing, controlling, and analyzing the APIs that connect applications and data across the enterprise and across clouds. The goal of API management is to allow organizations that create APIs or use others’ APIs to monitor activity and ensure the needs of the developers and applications using the API are being met.
Organizations are implementing strategies to manage their APIs so they can respond to rapid changes in customer demands. In most cases, these organizations adopt a microservices architecture in order to meet demands by speeding up software development. HTTP-based APIs have become the preferred method for synchronous interaction among microservices architectures. These APIs are the glue that connects all of the microservices together. Managing these APIs allows an organization to make sure the APIs are used in compliance with corporate policies and allows governance by appropriate levels of security, as some services may require different security policies than others.
API management is largely about centralizing control of your API program—including analytics, access control, monetization, and developer workflows. An API management solution, like Red Hat 3scale API Management, provides dependability, flexibility, quality, and speed. To achieve these goals, and ensure that both public and internal APIs are consumable and secure, an API management solution should provide access control, rate limits, and usage policies at the minimum. Most API management solutions generally also include the following capabilities:
- A developer portal. A developer portal is a common best-practice for API management. Developer portals typically provide API documentation along with developer onboarding processes like signup and account administration.
- An API gateway. The API gateway is the single point-of-entry for all clients. The gateway also determines how clients interact with APIs through the use of policies.
- API lifecycle management. APIs should be manageable from design, through implementation, until retirement. Red Hat 3scale API Management is a leader in API lifecycle management.
- Analytics. It’s important to know what’s going on with your APIs—which consumer or app is calling which API and how often. It’s also essential to know how many APIs have failed and why.
- Support for API monetization. Monetize access to the microservices behind the APIs through usage contracts. API management allows you to define usage contracts based on metrics, like the number of API calls. Consumers can be segmented and differentiated access tiers, and service quality can be offered to different segments.
These capabilities are considered during the API’s design so that the API can use self-managed or cloud components to provide traffic control, security, and access policy enforcement. Well designed APIs can be shared, secured, distributed, controlled, and monetized on an infrastructure platform built for performance, customer control, and future growth.
Microservices and APIs are the foundation for rapidly developing innovative application components to meet new business needs—an approach known as cloud-native application development. This approach is not without its challenges, though.
The key technical challenge to forming microservices is breaking up larger systems into their smaller components. As we mentioned, APIs allow these smaller components to connect with data sources and each other.
Another challenge presented by a microservices architecture is how to coordinate the many frequently changing microservices. Service discovery makes this easier. API management provides the necessary discovery mechanisms to ensure that available microservices can be found and documentation on how to use them is shared through the developer portal.
Microservices require an integrated approach to security. Security mechanisms differ depending on the type of API: external-facing services require different security mechanisms than internal ones. For less mission-critical APIs, simple protection with API keys is usually sufficient. For external or critical APIs, a more secure approach, like OAuth, will be required.
Ask yourself these critical questions:
- How do we control access to our API?
- How do we capture metrics and handle alerts?
- How should spikes in usage be managed?
- Who is responsible for API uptime?
- How do we feel about undesired API usage?
Without measuring the effects of our efforts we have no way of evaluating our success. Analytics provides data about API activities but we still must provide a definition of success. When defining success in your organization consider these 5 key performance objectives for APIs:
- Dependability. Dependability is the availability of the API to developers. A useful metric for measuring dependability is downtime. Is the API always available for use? Another metric is quota which defines how many API calls can be made by a developer within a certain time frame. A quota protects an API from abuse and makes its management more predictable. Some API providers’ business models and price plans are based on quotas.
- Flexibility. Flexibility refers to the options developers have when adopting APIs. Greater flexibility in an API means greater effort (and cost) for the organization managing the API.
- Quality. Quality is the consistent conformance of the API’s behavior to developer’s expectations. It is a way of measuring developer’s satisfaction with the API.
- Speed. Speed can be measured by access latency and throughput. Speed can be influenced by techniques like throttling or caching.
- Cost. The goal of measuring cost is to provide developers with the best value for your money. All of the other 4 objectives contribute, in one way or another, to the cost objective.