API Management Architecture

Regardless of the type of API services your applications are built upon, your APIs are RESTful, unless you still live in the SOAP world and need a serious overview of technology and architectural decisions. Note that GraphQL is still RESTful at its base, but let’s talk if you feel this needs more meat around the bone.

API Management manages consumer-grade APIs that an organization provides and organizes as API products, and it does that beautifully. Note that I am not naming any particular API Management tool, vendor, instance or creed, but if you need to know, I have used and like Apigee and Azure API Management equally, and I’m discovering Mulesoft’s offering but don’t have an opinion yet.

Back to the party: an API Management platform provides a set of tools to manage and expose APIs to the outside world in a secure and efficient manner, centred on an API Gateway that hooks into the four pillars of API Management.

  • Security
    • authentication
    • subscription management
    • rate limiting
    • throttling
    • quotas
  • Governance
    • discoverability
    • reusability
    • lifecycle and documentation
    • API as a product – API Portal
  • Analytics
    • log streaming and central analytics
    • real time dashboards
    • interactive reporting
  • API as a Product
    • customized packages and API plans
    • API product license and SLA

The key aspect here is security. Unlocking business assets to the outside world by means of APIs is not an easy task. With so many security vulnerabilities present in and around us, we need a robust platform with state-of-the-art security measures to protect our assets and provide the right information to the right consumers.

API Management – Typical architecture setup

An ideal API management platform is a layered architecture of different components interacting with each other. Core components of an API Management platform are:

  • API Policy Manager
  • API Portal
  • API Lifecycle Manager
  • API Analytics
  • API Gateway

The image below showcases the reference architecture and how these components interact with each other.

The above architectural scheme shows a typical layered API Management platform setup in which an external and an internal API Gateway interact with the different components. Let’s walk through each of the components to understand their roles and responsibilities.

a) API Policy Manager – The Policy Manager is an administrative component used to manage the life-cycle of the policies we define to manage the APIs. Like a normal API, a policy has its own life-cycle and goes through:

  • Design
  • Develop
  • Test
  • Deploy
  • Deprecate
  • Retire

Every product provides out-of-the-box policies that enable you to augment your API with sophisticated features to control traffic, enhance performance, enforce security, and increase the utility of your APIs, without requiring you to write any code or to modify any back-end services. Extension policies enable you to implement custom logic in the form of JavaScript, Python, Java, and XSLT.

b) API Portal – The portal, sometimes known as the community manager, is used to manage the APIs exposed to developers or community members. Its usage is twofold.

The portal is used by API owners/API developers to onboard APIs, i.e. to manage the complete life-cycle of APIs, onboard community developers and their consuming applications, and grant and control access to the APIs by applying plans and contracts.

The portal is also used by external/internal developers and the various community managers, who can view an API’s availability, document the APIs and test them. Usually this is powered by a CMS, which can be used to build custom sites and to interact with the developers.

c) API Life-cycle Manager – The API life-cycle manager is used to manage the life-cycle state of the API. Usually an API goes through Design -> Development -> Testing -> Deployment -> Deprecated -> Retired. The life-cycle manager gives you the capability to build and manage the deployment of APIs across the environment stacks up to production.

d) API Analytics – The API Analytics platform provides various dashboards reporting business analytics as well as operational aspects. It provides in-depth views of API usage and insights into usage patterns and trends, and thus helps the business decide whether to monetize an API.

From an operational perspective, it gives insight into the errors and performance constraints of an API.

e) API Gateway – The crucial component of the API Management suite. The gateway sits between API consumers and providers and provides controlled access to the back-end services/APIs. It reads the API configuration and the associated policies, rules and metadata from the policy manager, and performs authentication, authorization, SSL termination and rate limiting. The gateway also integrates with an external or internal IAM/OAuth server for token validation.
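As an added example (not from the original post, and not any vendor's product code), the following Python sketch shows how a gateway could enforce the Security pillar items listed earlier (subscription-key authentication, rate limiting and quotas) as an ordered policy chain; the plan limits, key names and the simulated clock are constructed for illustration, and the subscription table stands in for what a real gateway reads from the policy manager.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Plan:
    rate_calls: int      # at most rate_calls requests in any sliding rate_window seconds
    rate_window: float
    quota_calls: int     # at most quota_calls requests per fixed quota_period seconds
    quota_period: float

@dataclass
class Subscription:
    plan: Plan
    active: bool = True
    recent: deque = field(default_factory=deque)  # request timestamps in the sliding window
    quota_used: int = 0
    quota_reset: float = 0.0                       # when the fixed quota period rolls over

class Gateway:
    """Hypothetical gateway; `subscriptions` stands in for what a real gateway
    would read from the policy manager. Policies run in a fixed order:
    authenticate first, so unknown keys never consume anyone's quota or rate."""
    def __init__(self, subscriptions):
        self.subs = subscriptions

    def handle(self, api_key, now):
        sub = self.subs.get(api_key)
        if sub is None or not sub.active:
            return 401, "invalid or inactive subscription key"
        plan = sub.plan
        if now >= sub.quota_reset:               # quota: fixed window, reset when it elapses
            sub.quota_used, sub.quota_reset = 0, now + plan.quota_period
        if sub.quota_used >= plan.quota_calls:
            return 403, "quota exceeded"
        while sub.recent and now - sub.recent[0] >= plan.rate_window:
            sub.recent.popleft()                 # rate limit: drop timestamps outside the window
        if len(sub.recent) >= plan.rate_calls:
            return 429, "rate limit exceeded"    # rejected calls do not consume quota
        sub.recent.append(now)
        sub.quota_used += 1
        return 200, "forwarded to backend"

# Constructed sample data: one plan (2 calls/second, 5 calls/minute) and one key.
FREE = Plan(rate_calls=2, rate_window=1.0, quota_calls=5, quota_period=60.0)
def demo():
    gw = Gateway({"key-free": Subscription(FREE)})
    calls = [("bad-key", 0.0), ("key-free", 0.0), ("key-free", 0.1), ("key-free", 0.2),
             ("key-free", 1.5), ("key-free", 1.6), ("key-free", 2.7), ("key-free", 3.8)]
    return [gw.handle(key, t)[0] for key, t in calls]  # [401, 200, 200, 429, 200, 200, 200, 403]
```

Replaying the constructed sequence shows each policy firing in turn: the unknown key is rejected before any counter moves, the third call within one second hits the rate limit without spending quota, and the sixth accepted call exhausts the per-minute quota.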

The table below explains the interaction among the different components and the relationships between them.

| From | To | Purpose |
| --- | --- | --- |
| API Gateway | API Policy Manager | Read the policies and rules attached to the API, and the legal contracts and agreements for a consumer to access the API. |
| API Portal | API Policy Manager | API owners/developers define APIs, policies, licenses and contracts according to business needs; these are stored in the database and read by the policy manager. |
| API Lifecycle Manager | API Policy Manager | Manage the life-cycle of APIs, policies and other rules. |
| API Lifecycle Manager | API Gateway | Manage the deployment of the APIs and their associated policies. |
| API Gateway | NoSQL | A NoSQL database stores the audit logs, metrics and usage data. The API Gateway writes to it directly; API Analytics reads from it to prepare the dashboards. |
| API Policy Manager | RDBMS | An RDBMS stores the relational data, mostly API configurations and policies, which the API Gateway reads via the policy manager to enforce access to the API. |
| NoSQL | API Analytics | API Analytics reads the usage, alerts and metrics data from the NoSQL database to prepare the dashboards. |

The certainty is that the digital ecosystem is evolutionary, with organizations using multiple channels to drive and scale product adoption, trigger new business models and generate revenue. A cloud-first, mobile-first and IoT approach makes it necessary to render business assets available to the outside world in a secure manner.