API management refers to the processes for distributing, controlling, and analyzing the APIs that connect applications and data across the enterprise and across clouds. The goal of API management is to allow organizations that create APIs or use others’ APIs to monitor activity and ensure the needs of the developers and applications using the API are being met.
Organizations are implementing strategies to manage their APIs so they can respond to rapid changes in customer demands. In most cases, these organizations adopt a microservices architecture in order to meet demands by speeding up software development. HTTP-based APIs have become the preferred method for synchronous interaction among microservices architectures. These APIs are the glue that connects all of the microservices together. Managing these APIs allows an organization to make sure the APIs are used in compliance with corporate policies and allows governance by appropriate levels of security, as some services may require different security policies than others.
What can API management do for you?
API management is largely about centralizing control of your API program—including analytics, access control, monetization, and developer workflows. An API management solution, like Red Hat 3scale API Management, provides dependability, flexibility, quality, and speed. To achieve these goals, and ensure that both public and internal APIs are consumable and secure, an API management solution should provide access control, rate limits, and usage policies at the minimum. Most API management solutions generally also include the following capabilities:
A developer portal. A developer portal is a common best-practice for API management. Developer portals typically provide API documentation along with developer onboarding processes like signup and account administration.
An API gateway. The API gateway is the single point-of-entry for all clients. The gateway also determines how clients interact with APIs through the use of policies.
API lifecycle management. APIs should be manageable from design, through implementation, until retirement. Red Hat 3scale API Management is a leader in API lifecycle management.
Analytics. It’s important to know what’s going on with your APIs—which consumer or app is calling which API and how often. It’s also essential to know how many APIs have failed and why.
Support for API monetization. Monetize access to the microservices behind the APIs through usage contracts. API management allows you to define usage contracts based on metrics, like the number of API calls. Consumers can be segmented and differentiated access tiers, and service quality can be offered to different segments.
These capabilities are considered during the API’s design so that the API can use self-managed or cloud components to provide traffic control, security, and access policy enforcement. Well designed APIs can be shared, secured, distributed, controlled, and monetized on an infrastructure platform built for performance, customer control, and future growth.
API management and microservices
Microservices and APIs are the foundation for rapidly developing innovative application components to meet new business needs—an approach known as cloud-native application development. This approach is not without its challenges, though.
The key technical challenge to forming microservices is breaking up larger systems into their smaller components. As we mentioned, APIs allow these smaller components to connect with data sources and each other.
Another challenge presented by a microservices architecture is how to coordinate the many frequently changing microservices. Service discovery makes this easier. API management provides the necessary discovery mechanisms to ensure that available microservices can be found and documentation on how to use them is shared through the developer portal.
Microservices require an integrated approach to security. Security mechanisms differ depending on the type of API: external-facing services require different security mechanisms than internal ones. For less mission-critical APIs, simple protection with API keys is usually sufficient. For external or critical APIs, a more secure approach, like OAuth, will be required.