HEADLESS API MANAGEMENT
API DAYS HONG KONG- 26TH AUGUST 2021
apidays LIVE Hong Kong 2021 - API Ecosystem & Data Interchange
August 25 & 26, 2021

Snehal Chakraborty, Cloud Integration Architect at Accenture Netherlands B.V.

1. HEADLESS API MANAGEMENT
API DAYS HONG KONG, 26TH AUGUST 2021
2. ABOUT MYSELF
• I am Snehal Chakraborty
• Working at Accenture Netherlands as a Cloud Integration Architect
• Help customers in solving API Management problems
• Living in the Netherlands with my family
3. HOW API MANAGEMENT HAS EVOLVED?

No API Gateway
• SOAP APIs were used
• Tightly coupled services with low reusability
• Sometimes a service registry was used
• Mostly service-bus type platforms were used to create/publish APIs

Common API Gateway
• One API platform to manage all APIs
• Consumers and providers mostly located in a single location
• Single developer portal for the entire API catalogue
• One big monolith installation with a large footprint

Distributed API Gateways
• Distributed API gateways spread across the IT landscape, with a common management plane
• Consumers and providers spread across on-premise, cloud and SaaS instances
• Regulatory and performance requirements play a key role

Multiple API Gateways
• Multiple API gateways with multiple management planes
• Inclination towards the use of cloud-native gateways
• Demand for dedicated API gateways to support team autonomy
• Better scalability
• Impact of vendor lock-in minimized
4. DISTRIBUTED API GATEWAYS VS MULTIPLE API GATEWAYS
[Diagram] Left, distributed API gateways: one management plane and one developer portal fronting several API gateways, including an on-premise one. Right, multiple API gateways: each API gateway has its own management plane and its own developer portal.
5. WHY MULTIPLE API GATEWAYS?

• Cloud-native gateways: All major hyperscalers offer a native API gateway as a resource. AWS and Azure native gateways are the most popular, as per the SmartBear State of APIs 2020 report.
• PaaS offering: Native gateways are PaaS offerings, which means less operational maintenance and quick spin-up using IaC tooling.
• Hybrid setup: Many organizations are part-way through their cloud journey and have workloads running both on premise and in cloud environments.
• Regulatory requirements: There may be regulations around data, or a requirement to avoid multi-tenant instances, that keep some workloads on premise with dedicated gateways.
• Different requirements: An organization can have different requirements around security, regulation, etc.
• Comfort: Teams within an organization are becoming more comfortable with a particular hyperscaler and find the learning curve of its native API gateway less steep.
• Own choice: Domains/subsidiaries within an organization are demanding more freedom in product choices so they can grow at their own pace.
• Cost optimization: Setup and run cost plays a key role in determining the choice of product.
• Autonomy: Teams are demanding autonomy to make their own choices.
• Type of traffic: With the open API ecosystem picking up, there is a need to separate external and internal traffic.
• Shared vs dedicated: An organization may need both shared and dedicated gateways because of governance, performance and security requirements.
• Migration: Some workloads may still be running on premise, making an on-premise API gateway necessary as well, which leads to multiple API gateways.
6. CHALLENGES POSED BY MULTIPLE API GATEWAYS

• Security: Securing APIs is a challenge because traffic is spread across multiple API gateways. Consistent security mechanisms and subscription management are difficult propositions.
• Governance: Enforcing governance over the teams using the multiple API gateways is a challenge. Consistent policy enforcement and avoiding duplicated effort are key.
• Observability: Monitoring and troubleshooting are a big challenge since API traffic is spread across multiple gateways.
• Discovery: API discovery for consumers is a challenge with multiple API gateways, and uniform SOPs around onboarding are difficult to achieve.
7. WHAT IS HEADLESS API MANAGEMENT?
Headless here means moving away from a UI-based management plane to an API-based management plane for managing APIs on the API Management runtimes.
[Diagram] Management plane, made up of: API Marketplace (discovery, documentation, subscription); Lifecycle Management (REST APIs, pipelines); Security (AuthN, AuthZ, RBAC); Governance (document repository). The management plane drives the runtime plane (the API Management PaaS instances and their developer portals) through the gateways' management APIs.
8. API MARKETPLACE
API Marketplace: the go-to place to discover and subscribe to all APIs within an organization.

Importance: An API marketplace is the one-stop shop for all APIs within an organization. It can be used to publish standards and guidelines, business case studies, inspiration, etc. It acts as a bridge between consumers and providers and is a trust signal between them. It can also act as a community space for collaboration between developers. Eventually it has the potential to be expanded into a digital marketplace.

Salient features:
• Discovery – The API marketplace should be able to search and list APIs across the different API management platforms.
• Documentation – This is the key to a successful API ecosystem. Good documentation makes life easy for both consumer and provider.
• Subscription – This feature allows a consumer to request access to APIs. This could include subscribing for API keys and for an OAuth client with defined scope(s).

Setup:
• The API marketplace can source static content from a document repository (for e.g., GitHub). The document repository can store the API documentation in OpenAPI specification format and any other documentation in markdown. The content can be fetched via APIs and rendered as HTML. The biggest benefit of this setup is that documentation comes from a single source. Since the documentation is stored in GitHub, a docs-as-code approach is possible, e.g. triggering a build that lints the docs after every merge.
• For subscription management the marketplace needs to integrate with the management APIs of the different API gateways and also with the APIs of the chosen identity provider. API keys are required to identify a consumer of an API, apply traffic management policies, generate consumer-specific analytics, etc. An OAuth client is required so that coarse-grained authorization can be applied to the consumer.
• The API marketplace can be federated with an identity provider to implement SSO and RBAC (very helpful if the marketplace needs to be opened to partners).
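The Discovery feature above, as an added example (not the deck's code, and not any vendor's API): two gateways return their catalogues through management APIs with different response shapes, the marketplace normalises both into one index, and a viewer filter keeps internal APIs out of partner searches. The gateway names, response documents and field names are constructed for illustration.

```python
"""Federated API discovery for a headless marketplace.

Added illustration, not the deck's code. Two gateways expose their
catalogues through management APIs with vendor-specific shapes; the
marketplace normalises both into one index that consumers can search.
The response documents below are constructed and the field names are
illustrative, not any real vendor's schema.
"""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed sample: what a hypothetical "gateway-a" management API returns.
GATEWAY_A_RESPONSE = json.dumps({"items": [
    {"id": "pay-001", "name": "payments", "stage": "v2",
     "visibility": "internal", "openapi_url": "docs/payments.yaml"},
    {"id": "cust-001", "name": "customers", "stage": "v1",
     "visibility": "external", "openapi_url": "docs/customers.yaml"},
]})
# Constructed sample: a hypothetical "gateway-b" with a different shape.
GATEWAY_B_RESPONSE = json.dumps({"value": [
    {"apiId": "orders", "displayName": "Orders API", "apiVersion": "v3",
     "isPublic": True, "specUrl": "docs/orders.yaml"},
]})


@dataclass(frozen=True, order=True)
class ApiEntry:
    name: str
    version: str
    gateway: str      # runtime that hosts the proxy (where a subscription goes)
    api_id: str
    audience: str     # "internal" or "external"
    spec_url: str     # OpenAPI document in the docs repository


def normalise_gateway_a(raw: str, gateway: str) -> list[ApiEntry]:
    return [ApiEntry(i["name"], i["stage"], gateway, i["id"],
                     i["visibility"], i["openapi_url"])
            for i in json.loads(raw)["items"]]


def normalise_gateway_b(raw: str, gateway: str) -> list[ApiEntry]:
    return [ApiEntry(i["displayName"], i["apiVersion"], gateway, i["apiId"],
                     "external" if i["isPublic"] else "internal", i["specUrl"])
            for i in json.loads(raw)["value"]]


def build_index(sources) -> dict[str, ApiEntry]:
    """sources: iterable of (gateway_name, raw_response, normaliser).
    Keys are gateway-qualified so ids from different gateways cannot collide."""
    index: dict[str, ApiEntry] = {}
    for gateway, raw, normalise in sources:
        for entry in normalise(raw, gateway):
            key = f"{gateway}/{entry.api_id}"
            if key in index:
                raise ValueError(f"duplicate catalogue entry {key}")
            index[key] = entry
    return index


# Which audiences a marketplace viewer may see. A partner never sees internal
# APIs, even by guessing the name; this is where SSO/RBAC federation of the
# marketplace feeds into discovery.
VIEWER_AUDIENCES = {"employee": {"internal", "external"}, "partner": {"external"}}


def search(index: dict[str, ApiEntry], viewer: str, text: str = "") -> list[ApiEntry]:
    allowed = VIEWER_AUDIENCES.get(viewer, set())   # unknown viewer sees nothing
    needle = text.lower()
    return sorted(e for e in index.values()
                  if e.audience in allowed and needle in e.name.lower())


SOURCES = [
    ("gateway-a", GATEWAY_A_RESPONSE, normalise_gateway_a),
    ("gateway-b", GATEWAY_B_RESPONSE, normalise_gateway_b),
]

if __name__ == "__main__":
    catalogue = build_index(SOURCES)
    for hit in search(catalogue, viewer="partner"):
        print(f"{hit.name} {hit.version} on {hit.gateway} -> {hit.spec_url}")
```

Each vendor gets its own small normaliser; the rest of the marketplace only ever sees `ApiEntry`, which is what keeps the index and the subscription step gateway-agnostic when a third gateway is added.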
9. LIFECYCLE MANAGEMENT
API Lifecycle Management: the ability to create/modify/delete API proxies and other artifacts.

Importance: Lifecycle management is key for API providers. It allows providers to manage API proxies on their choice of API gateway, but under defined governance. This gives proper quality control over naming conventions, policy usage and adherence to standards and guidelines.

Salient features:
• REST APIs – Provide abstracted APIs to create/modify/delete API proxies on a chosen API gateway. This lets API providers integrate the lifecycle stages into their own pipelines/processes and automate them. It is especially handy for shared API gateways.
• Pipelines – Provide pipeline templates (for dedicated gateways) and central pipelines or plugins (for shared gateways).

Setup:
• Both the REST APIs and the pipelines need to be built on the management APIs of the different API gateways. RBAC becomes very important here for shared API gateways, to ensure providers do not overwrite each other's API proxies. Hence each API proxy and its related artifacts need to be assigned to the right group of users. The REST APIs/pipelines can take a manifest file and an OpenAPI specification as input to create the API proxy, with built-in rules to apply the naming convention, select the right policies and otherwise maintain adherence to the standards and guidelines.
10. SECURITY
Security: RBAC, Authentication, Authorization.

Importance: Security plays a key role in maintaining the confidentiality and integrity of the resources in a company's ecosystem. APIs are the gateway to an organization's back office, so that back-office data needs to be kept secure against all kinds of vulnerabilities and risks. This covers securing access to an API from both the usage and the management perspective on the gateway.

Salient features:
• RBAC – Role-based access control is absolutely necessary for DIY usage of shared API gateways. It ensures only the owning provider team has privileges to perform CRUD operations. The REST APIs or pipelines that expose these operations must check that the requester has the right privilege for the action they initiate. RBAC requires the API gateway to create roles/groups and assign them to users. Once an API proxy and its related artifacts are created, they need to be made accessible only to the required role/group.
• Authentication – The API gateway needs to know who the consumer is in order to generate the right analytics and apply consumer-based traffic management policies.
• Authorization – The API gateway needs to know whether the consumer is allowed to perform the initiated action. This can be done using OAuth tokens with the right scope.

Setup:
• RBAC for shared gateways requires an automated onboarding process to create users (if SSO is allowed, sync them from the enterprise IDP), create roles/groups, and attach users to roles/groups. All API gateways come with a management API suite that allows these actions to be done via APIs; the required APIs are used to build the whole onboarding flow. An onboarding app can be created very quickly with Office 365 tools like Power Apps and Power Automate.
• The subscription flow lets the consumer subscribe to an API and get an API key. Alongside this, another workflow is required to onboard the consumer in the IDP and assign the right scopes. Two sets of APIs matter for automating these flows: the management APIs for subscription on the API gateway, and the IDP's APIs for client onboarding and scope assignment.
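The subscription flow and the authentication/authorization split described on this slide, as an added example (not the deck's code): the gateway issues an API key that identifies the consumer, the IDP registers an OAuth client whose token scopes authorize the action, and the gateway-side check runs both in order. `Gateway` and `IdentityProvider` are in-memory stand-ins for a real gateway management API and IDP; the API name, scope names and key format are assumptions.

```python
"""Consumer subscription and gateway-side checks.

Added illustration, not the deck's code. The gateway issues an API key
that identifies the consumer (authentication, analytics, per-consumer
traffic policies) and the IDP registers an OAuth client whose token scopes
authorize actions (coarse-grained authorization). Gateway and
IdentityProvider stand in for a real gateway management API and IDP.
"""
from __future__ import annotations
import hashlib
import secrets
import time
from dataclasses import dataclass

# Scopes each published API exposes; in practice this comes from the API's manifest.
API_SCOPES = {"orders": {"orders:read", "orders:write"}}


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Subscription:
    consumer: str
    api: str
    client_id: str      # the OAuth client the IDP registered for this consumer
    scopes: set[str]    # scopes granted at subscription time


class Gateway:
    """Stand-in for the gateway's subscription management API. Only a digest
    of the API key is stored, so a leaked subscription table yields no keys."""
    def __init__(self) -> None:
        self.subscriptions: dict[str, Subscription] = {}   # key digest -> subscription

    def add_subscription(self, sub: Subscription) -> str:
        api_key = secrets.token_urlsafe(32)
        self.subscriptions[_digest(api_key)] = sub
        return api_key            # shown once to the consumer, never stored

    def lookup(self, api_key: str) -> Subscription | None:
        return self.subscriptions.get(_digest(api_key))


class IdentityProvider:
    """Stand-in for the IDP's client-onboarding and token APIs."""
    def __init__(self) -> None:
        self.clients: dict[str, tuple[str, set[str]]] = {}   # client_id -> (secret digest, scopes)
        self.tokens: dict[str, dict] = {}                     # token -> claims

    def register_client(self, consumer: str, scopes: set[str]) -> tuple[str, str]:
        client_id = f"{consumer}-{secrets.token_hex(4)}"
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = (_digest(client_secret), set(scopes))
        return client_id, client_secret

    def issue_token(self, client_id: str, client_secret: str,
                    requested: set[str], ttl: int = 300) -> str:
        secret_digest, allowed = self.clients[client_id]
        if secret_digest != _digest(client_secret):
            raise PermissionError("bad client credentials")
        if not requested <= allowed:      # a client cannot escalate beyond its grant
            raise PermissionError("scope not granted to this client")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "scope": set(requested),
                              "exp": time.time() + ttl}
        return token

    def introspect(self, token: str) -> dict | None:
        claims = self.tokens.get(token)
        if claims is None or claims["exp"] < time.time():
            return None
        return claims


def subscribe(gw: Gateway, idp: IdentityProvider, consumer: str, api: str,
              scopes: set[str]) -> tuple[str, str, str]:
    """Marketplace workflow: gateway subscription plus IDP client with scopes."""
    if api not in API_SCOPES or not scopes <= API_SCOPES[api]:
        raise ValueError("requested scope is not exposed by this API")
    client_id, client_secret = idp.register_client(consumer, scopes)
    api_key = gw.add_subscription(Subscription(consumer, api, client_id, scopes))
    return api_key, client_id, client_secret


def authorize(gw: Gateway, idp: IdentityProvider, api_key: str, token: str,
              api: str, needed_scope: str) -> tuple[bool, str]:
    """Gateway policy chain: identify the consumer, then check that the token
    belongs to that consumer's client and carries the scope for the action."""
    sub = gw.lookup(api_key)
    if sub is None or sub.api != api:
        return False, "unknown consumer"                  # authentication failed
    claims = idp.introspect(token)
    if claims is None:
        return False, "invalid or expired token"
    if claims["client_id"] != sub.client_id:
        return False, "token does not belong to this subscription"
    if needed_scope not in claims["scope"]:
        return False, "insufficient scope"                # authorization failed
    return True, sub.consumer     # consumer identity drives analytics and rate limits
```

Binding the API key's subscription to a specific `client_id` is the check most often missing in home-grown setups: without it, any valid token from the same IDP could be paired with any consumer's key, and per-consumer analytics and quotas would be attributed to the wrong party.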
11. GOVERNANCE
Governance: Standards & Guidelines, Best Practices, Dos and Don'ts.

Importance: Governance plays a key role in ensuring quality and consistency and in defining clear roles and responsibilities for each layer. It involves both people and processes.

Salient features:
• Define standards & guidelines around API specifications, build linting capability for them and include it in build/deployment pipelines.
• Define dos and don'ts for API gateways, e.g. HTTP verb-based routing is allowed, but transformation is not. Incorporate these rules into the lifecycle management assets.
• Define security guidelines for each layer, e.g. who is responsible for coarse-grained and who for fine-grained security.

Setup:
• A center of excellence team is required to define and maintain API & platform governance.
• A platform team is required to maintain the shared API gateways and the utility assets for dedicated API gateways.
• DevOps teams are required to create APIs and publish them on the desired API gateways.
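The lifecycle REST API from slide 9 and the governance rules from this slide, as one added example (not the deck's code): a create-proxy call takes a manifest and an OpenAPI document, checks the requester's group, lints both inputs against standards, refuses to overwrite a proxy owned by another team, and returns the gateway-agnostic request a per-gateway adapter would translate into that gateway's management API call. The manifest fields, group naming convention, policy names and spec rules are assumptions; the "verb-based routing allowed, transformation not" rule and the ownership check come from the slides.

```python
"""Headless lifecycle API: create an API proxy from a manifest and an
OpenAPI document under governance rules and RBAC.

Added illustration, not the deck's code. Manifest fields, the
"api-owners-<team>" group convention and the policy allow/deny lists are
assumptions. The returned dict is what a per-gateway adapter would turn
into that gateway's management API call.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

ALLOWED_POLICIES = {"verb-routing", "api-key", "oauth-scope", "rate-limit"}
FORBIDDEN_POLICIES = {"transformation"}          # belongs in the backend, not the gateway
NAME_RE = re.compile(r"^[a-z][a-z0-9]*(-[a-z0-9]+)*$")


@dataclass
class Manifest:
    team: str
    name: str
    gateway: str
    policies: list[str] = field(default_factory=list)


@dataclass
class Principal:
    user: str
    groups: set[str]


def lint_manifest(m: Manifest) -> list[str]:
    """Dos and don'ts applied to the manifest; returns violations."""
    problems = []
    if not NAME_RE.match(m.name):
        problems.append(f"name {m.name!r} must be lowercase kebab-case")
    for p in m.policies:
        if p in FORBIDDEN_POLICIES:
            problems.append(f"policy {p!r} is not allowed on the gateway")
        elif p not in ALLOWED_POLICIES:
            problems.append(f"policy {p!r} is unknown")
    if "api-key" not in m.policies and "oauth-scope" not in m.policies:
        problems.append("proxy must apply api-key or oauth-scope")
    return problems


def lint_spec(spec: dict) -> list[str]:
    """Standards applied to the OpenAPI document; returns violations."""
    problems = []
    version = str(spec.get("info", {}).get("version", ""))
    if not re.fullmatch(r"\d+\.\d+\.\d+", version):
        problems.append("info.version must be semantic (major.minor.patch)")
    if not spec.get("security"):
        problems.append("document must declare default security requirements")
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in {"get", "post", "put", "patch", "delete"}:
                continue
            if "operationId" not in op:
                problems.append(f"{method.upper()} {path}: missing operationId")
            if op.get("security") == []:      # explicit opt-out of security
                problems.append(f"{method.upper()} {path}: security disabled")
    return problems


def create_proxy(principal: Principal, m: Manifest, spec: dict,
                 ownership: dict[str, str]) -> dict:
    """ownership maps existing proxy names to the owning team; it stands in
    for the gateway's role/group assignment of each proxy."""
    if f"api-owners-{m.team}" not in principal.groups:       # RBAC first
        raise PermissionError(f"{principal.user} is not in api-owners-{m.team}")
    violations = lint_manifest(m) + lint_spec(spec)
    if violations:
        raise ValueError("; ".join(violations))
    major = str(spec["info"]["version"]).split(".")[0]
    name = f"{m.name}-v{major}"                               # naming convention
    owner = ownership.get(name)
    if owner is not None and owner != m.team:                 # no cross-team overwrite
        raise PermissionError(f"{name} is owned by team {owner}")
    ownership[name] = m.team
    return {"gateway": m.gateway, "name": name,
            "base_path": f"/{m.name}/v{major}", "policies": list(m.policies)}


# Constructed inputs for a quick run.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders", "version": "3.1.0"},
    "security": [{"oauth": ["orders:read"]}],
    "paths": {"/orders/{id}": {"get": {"operationId": "getOrder"}}},
}
SAMPLE_MANIFEST = Manifest("sales", "orders", "gateway-b", ["verb-routing", "oauth-scope"])
SAMPLE_PRINCIPAL = Principal("alice", {"api-owners-sales"})

if __name__ == "__main__":
    print(create_proxy(SAMPLE_PRINCIPAL, SAMPLE_MANIFEST, SAMPLE_SPEC, {}))
```

The same `lint_spec` is what the build pipeline would run on every merge to the docs repository, so a spec that fails in the pipeline fails identically at proxy-creation time; one rule set, two enforcement points.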
12. OBSERVABILITY
Observability: Monitoring, Analytics, Logging.

Importance: Observability is an important part of maintaining reliability, availability and performance. Monitoring and logging provide useful insights about the APIs. APIs are an integral part of the automation workflow of any business, and as more applications rely on them, the need for them to be reliable grows.

Salient features:
• Proactive monitoring of the API gateway
• Proactive monitoring of APIs using a health check endpoint
• Logging events in a central logging platform for the shared API gateways
• Analytics around usage of APIs

Setup:
• Resource-level monitoring of API gateways, e.g. using cloud-native monitoring tools for cloud-based API gateways.
• Set up a separate health check endpoint for every API and probe it at regular intervals to check availability of the full chain (be careful here, as this increases traffic load).
• Log events in a central platform and open up viewing access for DIY troubleshooting, e.g. log to Splunk and open up index access. Correlation IDs can be used to stitch logs across layers.
• Open up the analytics APIs of the API gateways to users of the platform, so they can monitor API usage, adoption, etc. as they wish.
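Stitching logs across layers with a correlation ID, as an added example (not the deck's code): the gateway writes JSON access logs, the backend writes plain-text lines, and both carry the ID the gateway generated. Grouping on it tells, per request, whether the failure was a gateway policy rejection, a backend error, or a request the backend never recorded. The log lines are constructed and the field names are assumptions, not any product's real format.

```python
"""Stitch gateway and backend logs by correlation ID.

Added illustration, not the deck's code. The log lines are constructed:
the gateway writes JSON access logs, the backend writes plain-text lines,
and both carry the correlation ID the gateway generated. Field names are
assumptions, not any product's real log format.
"""
from __future__ import annotations
import json
import re
from collections import defaultdict

# Constructed gateway access log (one JSON object per line).
GATEWAY_LOG = """\
{"ts": 1629968400.100, "cid": "c-001", "api": "orders-v3", "consumer": "acme", "status": 200, "latency_ms": 240}
{"ts": 1629968401.000, "cid": "c-002", "api": "orders-v3", "consumer": "acme", "status": 502, "latency_ms": 1250}
{"ts": 1629968402.000, "cid": "c-003", "api": "orders-v3", "consumer": "globex", "status": 401, "latency_ms": 3}
{"ts": 1629968403.000, "cid": "c-004", "api": "orders-v3", "consumer": "acme", "status": 504, "latency_ms": 30000}
"""

# Constructed backend application log (plain text, key=value fields).
BACKEND_LOG = """\
2021-08-26T09:00:00.120Z INFO cid=c-001 svc=orders status=200 dur=215ms
2021-08-26T09:00:01.030Z ERROR cid=c-002 svc=orders status=500 dur=1190ms db timeout
"""

BACKEND_RE = re.compile(
    r"^(?P<iso>\S+) (?P<level>\w+) cid=(?P<cid>\S+) svc=(?P<svc>\S+) "
    r"status=(?P<status>\d+) dur=(?P<dur>\d+)ms(?: (?P<msg>.*))?$")


def parse_gateway(line: str) -> dict:
    rec = json.loads(line)
    return {"layer": "gateway", "cid": rec["cid"], "status": rec["status"],
            "latency_ms": rec["latency_ms"], "consumer": rec["consumer"], "api": rec["api"]}


def parse_backend(line: str) -> dict | None:
    m = BACKEND_RE.match(line)
    if not m:
        return None       # unparseable lines are skipped, not fatal
    return {"layer": "backend", "cid": m["cid"], "status": int(m["status"]),
            "latency_ms": int(m["dur"]), "service": m["svc"], "msg": m["msg"] or ""}


def stitch(gateway_log: str, backend_log: str) -> dict[str, dict[str, dict]]:
    """Group both layers' events by correlation ID: cid -> {layer: event}."""
    traces: dict[str, dict[str, dict]] = defaultdict(dict)
    for line in gateway_log.splitlines():
        if line.strip():
            ev = parse_gateway(line)
            traces[ev["cid"]]["gateway"] = ev
    for line in backend_log.splitlines():
        ev = parse_backend(line)
        if ev:
            traces[ev["cid"]]["backend"] = ev
    return dict(traces)


def diagnose(trace: dict[str, dict]) -> str:
    """Classify one request from whatever layers logged it."""
    gw, be = trace.get("gateway"), trace.get("backend")
    if gw is None:
        return "backend-only record (gateway log missing)"
    if gw["status"] < 400:
        return "ok"
    if gw["status"] in (401, 403, 429):
        return "rejected at gateway (policy)"      # never reached the backend
    if be is None:
        return "no backend record (timeout or unreachable)"
    if be["status"] >= 500:
        return f"backend error: {be['msg'] or be['status']}"
    return "gateway error with healthy backend"


def gateway_overhead_ms(trace: dict[str, dict]) -> int | None:
    """Latency the gateway added on top of the backend's own duration."""
    gw, be = trace.get("gateway"), trace.get("backend")
    if gw is None or be is None:
        return None
    return gw["latency_ms"] - be["latency_ms"]


if __name__ == "__main__":
    for cid, trace in stitch(GATEWAY_LOG, BACKEND_LOG).items():
        print(cid, diagnose(trace), gateway_overhead_ms(trace))
```

The 401 and 504 cases are the ones a central index pays for: with only the backend log there is no trace of either request, and with only the gateway log a 504 and a 502 look alike; the join on `cid` is what separates "backend failed" from "backend never answered".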
13. THINGS TO REMEMBER

Vendors
• Limit the choice of API gateway vendors
• More vendors bring more complexity
• Have concrete requirements ready before choosing a vendor

Governance
• No compromise on API & platform governance
• Align with the business to emphasize the importance of governance
• Make adherence to governance rules the path of least resistance
• Educate that governance is beneficial and not a bottleneck

Security
• Follow a zero trust model
• Make responsibilities around security crystal clear

API-First
• Develop new features around API Management with an API-first mindset
14. THANK YOU
