At NGINX Conf 2018 in October, we announced the new API Management Module for NGINX Controller. With this product we build on our position as the industry’s most‑deployed API gateway – millions of sites already use NGINX Open Source and NGINX Plus to secure and mediate traffic between backend applications and the consumers of the APIs which those applications expose.
But efficiently handling client requests is only one aspect of a successful API (albeit a crucial one). You also need to manage your APIs across their full life cycle, which includes defining and publishing them, and securing and managing traffic. You need to monitor and troubleshoot performance to ensure customer satisfaction, and analyze traffic to maximize business value. Comprehensive API management is essential to the rapid adoption and continuing success of your APIs.
Like many of our customers, you might find the thicket of concepts and terminology surrounding API solutions rather daunting. In this blog, we discuss key API concepts and explore the relationship of API management to API gateways.
API management comes with its own concepts and terminology:
- Internal APIs – Internal APIs are exposed only to other applications (and their developers) within an enterprise, not to external users. Internal APIs help unlock data and foster collaboration among functional units within an enterprise. Here’s an illustrative example: before providing assistance to customers, an enterprise’s technical support team needs to determine whether the customer has a valid support contract. That information is already stored in the enterprise’s customer relations management (CRM) system, such as Salesforce. Rather than duplicating the information in its own database, the customer support application calls the CRM’s internal API.
- External APIs – External APIs are exposed to users outside your enterprise. They provide the means to build partnerships with third‑party developers as well as your entire business ecosystem of suppliers, distributors, resellers, and even customers. External APIs also enable enterprises to generate new sources of revenue using innovative business models. Google Maps is an illustrative example. Many third‑party websites and applications embed a Google map to help end users pinpoint a retail location or get directions. It doesn’t cost the end user anything to access the map, but after a certain number of clicks Google charges the site or app for each API call.
Definition and publication – API management solutions provide an intuitive interface to define meaningful APIs, including the base path (URL), resources, and endpoints.
- Resources are fundamental to any API definition; they are an abstraction of the information upon which the API performs operations. Sample resources are documents and customer IDs. The API is invoked to retrieve this information.
- Endpoints specify where resources are located. APIs have a base URL to which the endpoint paths are appended. All API endpoints are relative to the base URL.
As an example, in the API endpoint https://app.enterprise.com/v1/inventory/, /v1 is the base path and /inventory is the resource.
API management solutions enable API authors to publish APIs to various environments such as production, test, or staging. This ensures consistency for each environment and prevents misconfigurations. The solutions also automate creation of new APIs and modification of existing ones.
- API gateway – As mentioned previously, API gateways secure and mediate traffic between your backend and the consumers of your APIs. API gateway functionality includes authenticating API calls, routing requests to appropriate backends, applying rate limits to prevent overloading of your systems or to mitigate DDoS attacks, offloading SSL/TLS traffic to improve performance, and handling errors and exceptions.
- Microgateway – Many solutions have a centralized, tightly coupled data plane (API gateway) and control plane (API management tool). All API calls have to pass through the control plane, which adds latency. The API gateway in this architectural approach is inefficient when handling traffic in distributed environments (for example intraservice traffic in a microservices environment or handling IoT traffic to support real‑time analysis). Hence, to manage traffic where API consumers and providers are in close proximity, vendors of legacy solutions have introduced an additional software component called a microgateway to process API calls.
API analytics – As your APIs become popular, you need to ensure they provide value for your API consumers as well as meet your business objectives. That’s where API analytics become crucial. API management solutions provide critical insights via visualizations – such as dashboards and reports – into API metrics and usage, informing you (as examples) which APIs are used most and least, how API traffic is trending over time, and which developers are the top API consumers. API analytics enable the API business owner – sometimes referred to as the API Product Manager – to gain deep visibility into the performance of the API program.
Analytics are important for troubleshooting as well. API management solutions provide deep visibility into operational metrics on a per‑API basis. These metrics enable Infrastructure & Operations teams to monitor and troubleshoot performance and security issues. Here are examples of questions that analytics can help answer:
- What is the status and uptime of all my API gateway instances?
- When do we see slowdowns for an API?
- When are HTTP errors occurring for an API?
API security – Security is a critical aspect of API infrastructure. Without robust security, anyone can access your APIs and data and introduce malicious behavior by invoking a call to an unsecured API. API security entails the following elements:
- Authentication – Authentication refers to the process of reliably determining the identity of the caller. API keys are the standard mechanism for authenticating and identifying callers who want to access an API. API management solutions provide an interface for API providers to generate API keys which can then be shared with third‑party developers to use when invoking API calls. OAuth is a widely used authentication mechanism.
- Authorization – Authorization refers to the process of determining which privileges or access levels are granted to a user. One way to authorize users is via JSON Web Tokens (JWTs). JWTs are access tokens that assert claims (the JWT terminology for individual privileges). For example, the JWT presented by a client app might include a claim enabling access to one specific resource. If the client app attempts to access any other resources, an HTTP
Forbiddenerror is returned.
- Role‑based access control (RBAC) – RBAC refers to defining user roles that have certain privileges. For example, Infrastructure & Operations staff are typically not responsible for creating and publishing APIs, but only for monitoring and troubleshooting. So they are assigned to a role that has only those privileges. Similarly, only the API Product Manager is assigned the role that has access to API analytics.
- Rate limiting – Rate limiting refers to imposing a limit on the number of requests a caller can make during a defined period of time (for example, 10,000 requests per second). Rate limits prevent overloading of your backend systems and help mitigate DDoS attacks. The API management solution provides the interface for defining rate limits, which the API gateway then enforces. Rate limits also enable you to offer tiered levels of service (for example, Gold clients can make 10,000 requests per second while Silver clients can make 5,000).
- Developer portal – A developer portal is an online location where you publish resources that facilitate rapid onboarding of your API consumers, such as a catalog of your external APIs, comprehensive documentation, and sample code. A developer portal also allows third‑party developers to register their apps and obtain API and JWT keys. Some solutions also provide a mechanism for interaction among developers who are using your API. A well‑designed developer portal is pivotal to the success of your API program.
NGINX API Management: Building On The Industry’s Foundational API Gateway
NGINX is already the industry’s most ubiquitous API gateway – in a recent survey we conducted, 40% of our customers reported that they deploy NGINX as an API gateway.
The new API Management Module for NGINX Controller, to be released soon, combines the raw power and efficiency of NGINX Plus as an API gateway with new control‑plane functionality. NGINX Controller enables Infrastructure & Operations and DevOps teams to define, publish, secure, monitor, and analyze APIs, while keeping developers in control of API design. Rich monitoring and alerting capabilities help ensure application availability, performance, and reliability. NGINX Controller provides deep visibility into key metrics, enabling Infrastrastructure & Operations and DevOps teams to avoid performance issues in the first place and quickly troubleshoot any issues that may arise.
Our approach to API management is different from traditional solutions. Unlike those solutions, the NGINX Plus API gateway (data plane) does not require constant connectivity to NGINX Controller (control plane), so API runtime traffic is isolated from management traffic. NGINX Controller eliminates the need for local databases or additional components that may introduce needless complexity, latency, and points of failure for NGINX Plus API gateways. This maximizes performance by reducing the average response time to serve an API call and minimizes the footprint and complexity of the gateway. Decoupling the data plane from the control plane gives you the flexibility to deploy as many or as few API gateway instances as needed by your application architecture. NGINX Controller gives you the freedom to choose the right deployment for both internal and external API needs with a lightweight, simple, and high‑performance solution that fully leverages the power of the NGINX Plus data plane.
NGINX technology powers Capital One’s developer portal, Devexchange. It has enabled Capital One to scale its applications to 12 billion operations per day, with peaks of 2 million operations per second at latencies of just 10–30 milliseconds. NGINX also powers Adobe’s developer portal, Adobe I/O. Adobe I/O enables developers to integrate, extend, and create applications based on Adobe’s products and technologies using APIs. The platform handles millions of requests per day with negligible latency.