AGENDA
• What is API Management?
• API Management--The Full Stack
• API Management Solution Architecture
• What Is API Governance?
• One Organization’s Requirements
• API Lifecycle Management
• API Governance Ties Into...
• Lessons Learned
• Questions
WHAT IS API MANAGEMENT?
• The process of publishing, promoting, and overseeing APIs
in a secure, scalable environment
• Ensuring that developers and partners are productive
• Managing, securing, and mediating your API traffic
• Allowing an organization to grow their API program to
meet increasing demands
• Enabling the monetization of APIs
• The intersection of technology, business, organization,
and integration concerns
THE API MANAGEMENT “FULL STACK”
[Figure: components of the API management full stack. Labels: Data Modeling; Interface Modeling; DevOps; Logging; Registry & Repository; Application Stack; User Repository; Identity Federation; User Provisioning; Firewall; Reverse Proxy; Application Infrastructure]
API MANAGEMENT SOLUTION ARCHITECTURE
WHAT IS API GOVERNANCE?
Governance is not a bad thing, though your experiences with it would probably
make you disagree.
In fact, for anything to be truly adopted by the enterprise, it must have adequate
and functional governance.
The trick is to strike the right balance. Self-service and automation are the key to
making the governance process(es) workable.
One Organization’s Requirements
• Every organization’s governance requirements will
have some unique aspects.
• There will also be a large amount of overlap.
• Example requirements this organization had:
  • Isolation between Non-Production and Production: two
    Apigee organizations (NP: 3 environments, PRD: 1
    environment)
  • Four environments included in the SDLC (Software
    Development Life Cycle)
  • Organization uses Swagger 2.0 to describe interfaces
One Organization’s Requirements
• Requirements
  • 3rd Party IdP (Azure Active Directory) used
    • AAD acts as token generator for all actors. Apigee customized to work
      with AAD-produced tokens.
    • Came from the organization's IAM and Information Security teams.
    • Drove much complexity.
  • Top-down development methodology utilized.
  • Building a program that supports the entire business, rather than a
    particular line of business or development group.
  • Many different concerns.
API LIFECYCLE MANAGEMENT
API Lifecycle Management (which tracks the interface’s life-cycle, not the
implementation) is part of API Governance.
The details will vary, but this basically describes the promotion process (life-cycle)
of an API version from initial concept, to definition, to the lowest-level
development environment, to production, and eventually to sun-setting.
API LIFECYCLE MANAGEMENT
Suppose your organization has the following environments:
• Unit Test Environment
• Quality Assurance Environment
• Load Test Environment
• Production Environment
Now, let’s assume that your API life-cycle captures the following additional steps:
• Inception (identification of a business or technical need)
• Definition (interface definition)
• Development
• Sun-setting (retiring a version of the API)
The API Lifecycle will account for all of these states.
API GOVERNANCE TIES INTO
API Governance ties into:
• Change Management
• Asset Management
• Configuration Management
• Legacy SOA Governance (with the goal of eventually replacing it)
• Quality Assurance
• Information Security
• IT Auditing
Within Enterprise IT, all of these things are interrelated. The processes and organization should
reflect this.
Yes, it sounds heavyweight, but effective self-service and good processes make all the
difference in the world.
DEVOPS TIE-IN
API Governance ties into DevOps
• The Developer Portal provides a self-service platform to
  allow developers to
  • register with the system
  • create applications
  • provision credentials
  • subscribe to APIs
  • view documentation
  • other activities
• The Developer Portal can also
  • increase development and decrease cycle time
  • decrease Mean Time To Resolution (MTTR)
  • enable stakeholder-level overview
  • ease compliance and reporting
LESSONS LEARNED
Most small to medium sized organizations can probably use the Apigee
developer portal and built-in processes out of the box without significant
modification.
LESSONS LEARNED
Not all organizations are focused on opening their data up to arbitrary third
parties. It may be that internal development teams and B2B Business Partner
development teams are the primary focus of the API Management Developer
Portal.
• Not the API Management use case we often hear about, but very important
for many organizations.
• Anything that involves interacting with many development teams outside of
your control can benefit from an API Management solution to better
manage and communicate with those actors.
LESSONS LEARNED
For this organization, API Governance was an evolution of the SOA
Governance paradigm that was already in place.
LESSONS LEARNED
Integration with a Third Party Identity Provider is likely imperative
in a large organization.
• Is Apigee Edge or the third-party IdP issuing tokens to API
  consumers?
  • If the third-party IdP issues them, this introduces much complexity to Edge.
  • Applications must then be registered with both the third-party IdP
    and Apigee Edge.
  • It also necessitates replicating client identifiers into Apigee Edge's
    IdP for Quota Enforcement and Business Analytics.
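The registration and replication point above, as an added example (not from the original slides, and not Apigee or Azure AD code): a gateway verifies a token signed by an external IdP, then admits, rejects or meters the call from its own replicated client registry. The locally generated key pair, the `client_id` claim name, the client ids and the function names are assumptions made for illustration.

```javascript
// Added example: constructed keys, tokens and client ids; hypothetical names.
const crypto = require("crypto");

// Stand-in for the third-party IdP's signing key pair (generated locally).
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const b64u = (x) => Buffer.from(x).toString("base64")
  .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");

// IdP side: issue an RS256-signed JWT. The "client_id" claim name is an assumption.
function idpIssueToken(claims) {
  const signingInput = b64u(JSON.stringify({ alg: "RS256", typ: "JWT" })) +
    "." + b64u(JSON.stringify(claims));
  return signingInput + "." + b64u(crypto.sign("sha256", Buffer.from(signingInput), privateKey));
}

// Gateway side: client ids replicated from the IdP, each with its own quota counter.
const gatewayApps = new Map([["partner-app-1", { quota: 2, used: 0 }]]);

function gatewayAdmit(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return "reject: malformed token";
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64").toString("utf8"));
    claims = JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
  } catch (e) {
    return "reject: malformed token";
  }
  // Pin the algorithm; never let the token choose how it is verified.
  if (!header || header.alg !== "RS256") return "reject: unexpected alg";
  const valid = crypto.verify("sha256", Buffer.from(parts[0] + "." + parts[1]),
    publicKey, Buffer.from(parts[2], "base64"));
  if (!valid) return "reject: bad signature";
  if (!claims || typeof claims.exp !== "number" || claims.exp <= now) return "reject: expired";
  // A token the IdP considers valid is still unknown here unless the
  // client id was replicated into the gateway's own app registry.
  const app = gatewayApps.get(claims.client_id);
  if (!app) return "reject: client not registered at gateway";
  if (app.used >= app.quota) return "reject: quota exceeded";
  app.used += 1;
  return "allow";
}
```

A client that exists only at the IdP gets a validly signed token but is still refused, because the gateway has no record to attach quota or analytics to.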
LESSONS LEARNED
• The group that is supporting your Apigee Edge API
  Gateway may not be the same group that supports the
  Developer Portal infrastructure. Different skill sets.
  • Drupal/PHP vs. JavaScript/Node.js/Edge Policy