Technology is right at the fingertip, accessed using gadgets such as desktop computers, laptops, mobile phones, and tablets, increasing the mobility of services. To reach out to more customers and to serve existing customers better, backend services need to be accessed via the web. You can expose a variety of services ranging from the pricing of a product, stock status, ordering, tracking and many more, as required by client applications. Once the services are made available, it is crucial for them to be available to a large section of the community and simultaneously be protected from the wide range of attacks to which data becomes vulnerable when it is published on the internet.
The exponential explosion of IT assets and mobile devices provides new opportunities for enterprises to interact with customers over new mobility and social channels. The imperatives of digital business have created an urgent need for enterprises to innovate and evolve ways to exploit partner channels and third-party channels to reach out to a growing consumer base. API Management is the underlying core technology that enables this change.
API management allows enterprises to selectively externalize their assets, not just via the traditional browser-centric model, but also over mobile devices and other channels.
In the modern digital business, customers require on-demand information on mobile devices, partners need real-time information via web channels, programmable APIs and other channels, and third-party application developers (both independent and business partners) require secure, managed access to internal enterprise information. The enterprise needs to dynamize existing static data as well as internal applications to create new business opportunities.
It is also important to understand the usage and analyze the trends of usage of different APIs to adapt to changing consumer behaviour.
The essential requirement for API management is to expose selected internal enterprise data and applications to third-parties including end-users and business partners, and to do so in a managed, metered, monitored and secure manner.
In many enterprises, such data exposure is performed in an ‘ad hoc’ manner. Whenever a department needs to expose data/applications to the external world, a custom project is typically created and outsourced to a third-party services company. Each project implements a customized method of security, data access, service creation and monitoring. Over time, this unstructured approach leads to increased development and maintenance costs, making the process difficult to scale and manage.
A Structured Approach
Modern enterprises require a Secure, Monitored, Metered and Managed approach for exposing enterprise data and applications. This is done via API Management solutions. API management servers allow enterprise data to be exposed in the form of REST or Web Services. REST is normally preferred because of its inherent flexibility. Each exposed REST Service is referred to as an “API”. The API can expose either enterprise data (from a file, database or other enterprise systems) or an internal enterprise application. In a typical enterprise, there may be tens to hundreds of exposed APIs running on as well as managed by the API Management platform.
The API Management platform typically comprises server technology that provides:
- Security: Security descriptors provide the enterprise with fine-grained control over which end-users and user-groups can access an API.
- Metering: For each API, a count is maintained for the number of times the API has been called, together with a list of which applications have made those calls. It is possible to set metering limits as well as charges on a per-call (or other) basis for all API calls.
- Monitoring: This allows system administrators to track the APIs that use the most resources (CPU, memory etc.) and to graphically represent the related information to identify hotspots and contention. Using this information, system administrators may decide, for instance, to split API call-load over multiple API Management servers (provided that the underlying solution allows for this scaling-out process).
- Management: This refers to a high-level view of the overall implementation of API Management across the enterprise, including a synopsis of the security, metering and monitoring processes running across multiple servers within and outside the enterprise firewall.
- Developer Support and Socialization: Exposed APIs need to be marketed or socialized to third-party developers, which is typically done via Developer Portals, either within or external to the API Management platform, where available APIs are published.
Figure 1: API Management – structured data and application access
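A minimal sketch of how the security and metering functions listed above can combine at request time, as an added example that is not Fiorano's code; the class names, group names, limits and charges are hypothetical. Authorization is checked before the quota so that callers outside the permitted groups neither consume nor learn about metering limits.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ApiPolicy:
    allowed_groups: frozenset     # security descriptor: user groups allowed to call the API
    call_limit: int               # metering limit per application
    charge_per_call: float = 0.0  # per-call charge


@dataclass
class Gateway:
    policies: dict                                   # API name -> ApiPolicy
    calls: Counter = field(default_factory=Counter)  # (api, app) -> admitted calls

    def handle(self, api, app, user_groups):
        """Return (allowed, reason). Deny by default; meter only admitted calls."""
        policy = self.policies.get(api)
        if policy is None:
            return False, "unknown_api"
        if not policy.allowed_groups & set(user_groups):
            return False, "forbidden"
        if self.calls[(api, app)] >= policy.call_limit:
            return False, "quota_exceeded"
        self.calls[(api, app)] += 1
        return True, "ok"

    def usage(self, api):
        """Total calls for an API, the calling applications, and charges per application."""
        rate = self.policies[api].charge_per_call
        per_app = {a: n for (p, a), n in self.calls.items() if p == api}
        charges = {a: round(n * rate, 2) for a, n in per_app.items()}
        return sum(per_app.values()), per_app, charges


def demo():
    # Constructed sample: one API restricted to the "partners" group, limit of 2 calls.
    gw = Gateway({"pricing": ApiPolicy(frozenset({"partners"}), 2, 0.05)})
    requests = [
        ("pricing", "app-a", ["partners"]),
        ("pricing", "app-a", ["partners"]),
        ("pricing", "app-a", ["partners"]),  # third call exceeds the limit
        ("pricing", "app-b", ["public"]),    # group not in the security descriptor
        ("stock", "app-a", ["partners"]),    # API that was never exposed
    ]
    return [gw.handle(*r)[1] for r in requests], gw.usage("pricing")
```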
A scaled, managed and structured approach to exposing data and applications via API Management brings many benefits to an enterprise including:
- Increased business velocity: By allowing partners and suppliers to directly access relevant information, enterprises drive increased revenues since information flows on-demand and in real-time. Previous batch processes are easily replaced by just-in-time data flows, helping all parties to optimize costs, reduce delays and manage inventories.
- New revenue streams: The metering features of an API Management platform allow the enterprise to charge third-parties for making calls to the API, leading to new revenue streams. For instance, a financial analysis firm may charge for API calls to allow access to high-value information on hot stock picks for the day/week. Fine-grained control over the charging process allows the enterprise to structure charges for various services as and when required.
- Leveraging external development teams: Exposed APIs can be used directly by third-party developers to create applications that access enterprise-internal data, reducing development costs and freeing up internal development teams for other projects.
- Increased development team productivity: By using APIs, development teams within the enterprise are more productive since they no longer have to spend time writing data, or application access functions within the firewall.
Fiorano API Management
Fiorano API Management resolves the crucial problem of making data available on the web to a large number of people. It provides a user-friendly interface that smartly handles various services, hiding the underlying technical aspects and complexities, thereby creating communication which takes place seamlessly with internal as well as external Web Services.
REST/SOAP services may be used as a set of target endpoints for better security and visibility. Depending on the endpoint, the service might then return data, formatted as XML or JSON, back to the application. Fiorano API Management manages all these functions smoothly, no matter what type of data is being sent/received, without direct intervention with the actual functions.
Fiorano API Management can create customized "API Projects" which encapsulate the various policies/features that have to be applied to existing services.
Fiorano API Architecture
The Fiorano API Management product is built upon the following attributes:
- API Management Server
- API Gateway Servers
- API Dashboard
- Developer Portal
The Fiorano Approach
Fiorano API Management implements features such as security, metering, monitoring, management and developer support. The Fiorano API Management platform architecture scales linearly, allowing the infrastructure to grow on an as-needed basis. The API Management System is illustrated in the figure below.
Figure 2: Fiorano API Management System Architecture
The system comprises a central ‘API Management server’ which serves to administer and control a network of available API Gateway servers. There may be multiple API Gateway servers, all of which are controlled by a single Management server. Each API Gateway server may host several hundred APIs in the form of REST or Web-services calls. The Fiorano API Management server works with all REST, Web-services or JMS-based systems that are already implemented within the enterprise. There are no Fiorano-related dependencies on the creation of the REST or Web-service that has to be managed and exposed as an API.
As depicted in the figure above, the Fiorano architecture scales linearly. As the number of APIs to be hosted increases, one deploys additional API Management servers in the form of ‘peers’. This allows distribution of load across multiple servers, enabling a build-as-you-grow strategy.
Features of each attribute in the Fiorano API Management architecture are explained below.
API Management Server
This is the central server which acts as the repository of API Projects created by the customers and deploys them to the API Gateway servers. In addition, the Central server:
- Acts as a repository of API Projects and Server Groups/environments, and controls the life cycle of the Gateway servers.
- Enables runtime enforcement of policies without downtime.
- Hosts the API dashboard.
- Provides REST API for management of different modules.
- Acts as the Analytics engine and performs various aggregation/ingestion functions.
- Provides Role-based Access Control to various resources.
API Gateway Servers
The Gateway server receives requests from users/customers and, after processing them according to the configuration for the different Web Services, sends back the responses. Client requests are first received by these servers, which act as a reverse proxy for the backend REST/SOAP-based Web Services. These servers also perform the activities below:
- Enforces the functions below before letting the request pass to the backend server:
  - Quota Management
  - Traffic Control
- Provides Load balancing capability in case the target service is hosted on multiple servers.
- Gathers analytic information asynchronously which is then processed by the Management server.
API Dashboard
The API Dashboard provides the interface to create API projects with no coding effort. Below are the main functions of the API Dashboard:
- Enables defining various API products, Clients, and Client Subscriptions.
- Enables defining various roles, server groups, and partners.
- Helps to quickly analyze API trends and investigate resource utilization.
- Helps to monitor the Fiorano API Management deployment status.
Developer Portal
Self-signup support for developers allows automatic subscription to public APIs. The Developer Portal simplifies developer onboarding and greatly simplifies the interaction of developers with the services published using the API Manager. Important functions include:
- Support for secure self-signup for developers.
- Automated documentation for the APIs exposed in an engaging manner.
- Support for an automatic subscription of selected API Products.
- Support for OAuth access token generation for registered applications.
- Support to test the APIs exposed.