API Best Practices
Sai Koppala
2. APIs are critical to evolving application architectures
Diagram: public clouds, Platform-as-a-Service and private clouds host microservices (μService), app workloads and distributed apps; all of them are connected through APIs.
2©CC BY SA
3. Companies need to address these new challenges …
Diagram: the same landscape of public clouds, Platform-as-a-Service, private cloud, microservices, app workloads and distributed apps connected through APIs, now with three problems called out:
Silos: disparate implementations are creating new silos, limiting reuse.
Insecure: inability to secure critical assets exposed beyond trust boundaries.
Flying blind: lack of insight into usage, performance, users, products, and anomalies.
4. … by managing APIs holistically across the enterprise
Lifecycle: DESIGN, SECURE, DEPLOY, PUBLISH, ANALYZE, OPERATE.
5. API DESIGN
Design and build your APIs focusing on ease of use for app developers.
6. Adopt an API-first, layered strategy for agility (API design, best practice 01)
Layer the APIs from the systems of record upward:
Systems of record: HR, CRM, Financials, Inventory, Supply chain.
Exposure APIs: highly reusable APIs that mimic the underlying data models and resources, e.g. /crm/account, /support/customer.
Business APIs: consumable and reusable APIs, the core set of developer-friendly APIs, e.g. /customer.
Experience APIs: highly consumable APIs, specific to a set of devices or apps, e.g. /android/customer.
7. Design APIs that are easy to consume for developers (API design, best practice 02)
Easy-to-consume APIs have: readable, intuitive URLs; good error handling; relationships as links; Open API specifications; data-centric modeling; simple JSON; non-hierarchical URLs.
Get detailed API design best practices in the Apigee Web API Design ebook.
8. Handle multiple northbound API versions effectively (API design, best practice 03)
The right approach depends on whether the backend target supports multiple API versions or only one, and on whether the API tier carries limited or moderate business logic:
Routing: forwards all incoming requests to the right backend version.
Pass-thru: backend versions are transparent; requests are routed based on header, payload, user, etc.
Mediation: requests and responses are processed to deliver what both the backend and the clients expect.
Error handling: returns errors gracefully for old API version requests.
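The following is an added example, not part of the Apigee deck, that puts the four approaches into code: a small API-tier dispatcher in Python. The hypothetical backends, the X-API-Version header, the request paths and the sets of supported and retired versions are all assumptions made for the illustration.

```python
"""Added example (not from the Apigee deck): a minimal API-tier dispatcher that
shows the four version-handling approaches named on the slide. The backends,
paths, the X-API-Version header and the version sets are all assumptions."""
from dataclasses import dataclass, field

SUPPORTED = {"v2", "v3"}   # versions still served by the backend tier (assumed)
RETIRED = {"v1"}           # versions that have been decommissioned (assumed)


@dataclass
class Request:
    path: str                                  # e.g. "/v2/customer"
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


# Hypothetical backends: v3 renamed "name" to "displayName" and added "tier".
def backend_v2(body):
    return {"id": body["id"], "name": body["name"]}


def backend_v3(body):
    return {"id": body["id"], "displayName": body["displayName"],
            "tier": body.get("tier", "standard")}


BACKENDS = {"v2": backend_v2, "v3": backend_v3}


def version_of(req):
    """Pass-thru: the version comes from a header when present, else from the URL."""
    header = req.headers.get("X-API-Version")
    if header:
        return header.lower()
    first = req.path.strip("/").split("/")[0]
    return first if first.startswith("v") and first[1:].isdigit() else None


def mediate_request_v2_to_v3(body):
    """Mediation: reshape a v2 request so a v3-only backend can serve it."""
    return {"id": body["id"], "displayName": body["name"]}


def mediate_response_v3_to_v2(resp):
    """Mediation: reshape the v3 response back into what a v2 client expects."""
    return {"id": resp["id"], "name": resp["displayName"]}


def dispatch(req, backend_v3_only=False):
    """Return (status, body). backend_v3_only models a backend serving one version."""
    version = version_of(req)
    if version is None:
        return 400, {"error": "API version missing from header and URL"}
    if version in RETIRED:
        # Error handling: a graceful, informative error for retired versions.
        return 410, {"error": f"{version} has been retired; migrate to v3"}
    if version not in SUPPORTED:
        return 404, {"error": f"unknown API version {version}"}
    if backend_v3_only and version == "v2":
        # Backend supports only one version: mediate in both directions.
        resp = backend_v3(mediate_request_v2_to_v3(req.body))
        return 200, mediate_response_v3_to_v2(resp)
    # Routing: the backend supports multiple versions, forward to the right one.
    return 200, BACKENDS[version](req.body)


if __name__ == "__main__":
    print(dispatch(Request("/v1/customer")))
    print(dispatch(Request("/customer", headers={"X-API-Version": "v3"},
                           body={"id": 7, "displayName": "Ada"})))
```

The retired-version branch answers with an explicit 410 and a migration hint rather than letting the request fall through to a backend that no longer understands it; the mediation branch is the only place that knows both the v2 and v3 shapes, which keeps the translation logic out of the clients and the backend.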
9. API SECURITY
Enforce a consistent set of security policies across all of your APIs.
10. Protect against cyber threats with API management (API security, best practice 04)
Threats that apps and backends face: injection threats; broken authentication and session management attacks; cross-site scripting; insecure direct object reference; missing function-level access control; sensitive data exposure; cross-site request forgery.
The API management layer sits between the apps and the backend and applies:
Threat protection: SQL threat protection, JSON threat protection, regular expression protection, IP-based restrictions, bot detection.
Access control: OAuth2, SAML, API key verification, IP access control, logging and auditing.
Data security (on both the app-facing and the backend-facing side): two-way TLS, API key, OAuth2.
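As an added example (not Apigee code), the Python below shows the kind of checks a threat-protection and access-control layer applies before a request reaches the backend: an IP-based restriction, constant-time API key verification, regular expression protection on query parameters, and JSON threat protection limits on nesting depth, array length, object size and string length. The limits, the blocked network, the key registry and the regular expression are all constructed for the example.

```python
"""Added example (not Apigee code): the kinds of checks a threat-protection and
access-control layer applies before a request reaches the backend. The limits,
the blocked network, the key registry and the regex are constructed values."""
import hmac
import ipaddress
import json
import re

# JSON threat protection limits (assumed values; tune to what the backend expects)
LIMITS = {"max_depth": 5, "max_array": 20, "max_object_entries": 50, "max_string": 256}

# IP-based restriction: constructed blocklist using a documentation range (TEST-NET-3)
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed API key registry: key -> registered app and the product it is on
API_KEYS = {"app-key-0001": {"app": "mobile-app", "product": "Product 2"}}

# Regular expression protection: a few generic injection markers in query parameters
SUSPICIOUS = re.compile(r"(?i)(\bunion\b\s+\bselect\b|<\s*script\b|\bor\b\s+\d+\s*=\s*\d+)")


def ip_allowed(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in BLOCKED_NETWORKS)


def verify_api_key(candidate):
    """Constant-time comparison against every registered key; returns the app or None."""
    for key, app in API_KEYS.items():
        if hmac.compare_digest(key.encode(), candidate.encode()):
            return app
    return None


def check_json_limits(doc, depth=1):
    """Walk a parsed JSON document and name the first limit it exceeds, or None."""
    if isinstance(doc, (dict, list)):
        if depth > LIMITS["max_depth"]:
            return "max_depth"
        if isinstance(doc, dict):
            if len(doc) > LIMITS["max_object_entries"]:
                return "max_object_entries"
            if any(len(k) > LIMITS["max_string"] for k in doc):
                return "max_string"
            children = doc.values()
        else:
            if len(doc) > LIMITS["max_array"]:
                return "max_array"
            children = doc
        for child in children:
            hit = check_json_limits(child, depth + 1)
            if hit:
                return hit
    elif isinstance(doc, str) and len(doc) > LIMITS["max_string"]:
        return "max_string"
    return None


def inspect_request(client_ip, api_key, query, raw_body):
    """Apply the policies in order; return (status, reason) or (200, app name)."""
    if not ip_allowed(client_ip):
        return 403, "ip_blocked"
    app = verify_api_key(api_key or "")
    if app is None:
        return 401, "invalid_api_key"
    for name, value in query.items():
        if SUSPICIOUS.search(value):
            return 400, f"regex_protection:{name}"
    if raw_body:
        try:
            doc = json.loads(raw_body)
        except ValueError:
            return 400, "malformed_json"
        hit = check_json_limits(doc)
        if hit:
            return 400, f"json_threat:{hit}"
    return 200, app["app"]
```

The structural limits are enforced on the parsed document rather than on the raw text so that a deeply nested or very wide payload is rejected at the API tier before it is forwarded to a backend whose parser may have no such limits; the regular expression is a coarse signal and does not replace parameterised queries and output encoding in the backend itself.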
11. Handle volumetric attacks and business spikes (API security, best practice 05)
Percentage of companies using the capability in the API tier*: spike arrest 78%, caching 74%, rate limiting 68%.
Out-of-the-box traffic management in API platforms: spike arrest, concurrent rate limit, quota, reset quota, response cache, lookup cache, populate cache, invalidate cache.
* See “About this report”
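To make the traffic-management capabilities on the slide concrete, here is an added example (not from the deck and not a vendor implementation) with in-memory Python versions of spike arrest, a per-app quota with reset, and a response cache with lookup, populate and invalidate. A fake clock is injected so the scenario is deterministic; the rates, windows and TTLs are example values, and the interval-smoothing behaviour of the spike arrest is this example's own design choice.

```python
"""Added example (not from the deck): in-memory versions of the traffic-management
policies the slide lists, driven by an injectable clock so the behaviour is
deterministic. Rates, windows and TTLs are example values."""
import time


class SpikeArrest:
    # Smooths bursts: a limit of N per second admits one request per 1/N seconds
    # (this interval-smoothing design is the example's own choice).
    def __init__(self, per_second, clock=time.monotonic):
        self.interval, self.clock, self.next_allowed = 1.0 / per_second, clock, 0.0

    def allow(self):
        now = self.clock()
        if now < self.next_allowed:
            return False
        self.next_allowed = now + self.interval
        return True


class Quota:
    # Counts calls per app within a fixed window; reset() is the reset-quota action.
    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self.windows = {}  # app -> (window_start, count)

    def consume(self, app):
        now = self.clock()
        start, count = self.windows.get(app, (now, 0))
        if now - start >= self.window:  # window elapsed: start a fresh one
            start, count = now, 0
        if count >= self.limit:
            self.windows[app] = (start, count)
            return False
        self.windows[app] = (start, count + 1)
        return True

    def reset(self, app):
        self.windows.pop(app, None)


class ResponseCache:
    # Lookup / populate / invalidate entries with a TTL, keyed by method and path.
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self.store = ttl_seconds, clock, {}

    def lookup(self, key):
        entry = self.store.get(key)
        if entry and entry[0] > self.clock():
            return entry[1]
        self.store.pop(key, None)  # absent or expired
        return None

    def populate(self, key, value):
        self.store[key] = (self.clock() + self.ttl, value)

    def invalidate(self, key):
        self.store.pop(key, None)


class FakeClock:
    # Deterministic clock for the scenario below.
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Run a constructed burst through each policy and report what each admitted."""
    clock, out = FakeClock(), {}
    spike = SpikeArrest(10, clock)  # 10 per second -> one per 100 ms
    out["burst_admitted"] = sum(spike.allow() for _ in range(50))  # 50 calls at once
    clock.advance(0.1)
    out["admitted_after_100ms"] = spike.allow()
    quota = Quota(3, 60, clock)  # 3 calls per minute per app
    out["quota_results"] = [quota.consume("app-A") for _ in range(4)]
    quota.reset("app-A")
    out["admitted_after_reset"] = quota.consume("app-A")
    cache = ResponseCache(30, clock)
    cache.populate("GET /catalog", {"items": 3})
    out["cache_hit"] = cache.lookup("GET /catalog")
    clock.advance(31)
    out["cache_after_ttl"] = cache.lookup("GET /catalog")
    return out
```

Spike arrest and quota answer different questions: the spike arrest protects the backend from a burst at any instant (50 simultaneous calls become one admitted and 49 rejected), while the quota enforces an agreed volume per app over a longer window, which is the contract a product tier would carry. The cache is keyed by method and path only; anything that varies the response per caller (authorization headers, user-specific data) would need to be part of the key or excluded from caching.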
12. Use AI-based solutions to secure against bots (API security, best practice 06)
Traffic data: continuously monitor billions of API calls, flowing between apps, API management and the backend, to identify anomalies.
Models: AI models and rules continuously recognize bot patterns and create new rules, feeding dashboards and a blacklist.
Enforcement: mitigation actions block, throttle, or honeypot bot traffic depending on your needs.
13. Don’t just rely on WAFs for API security (API security, best practice 07)
WAF and API platform configurations:
A. API platform only, in front of the app. Advanced API platforms cover all API security needs. Eliminating the WAF lowers latencies and provides consistent app security policies.
B. WAF in front of the API platform. If your existing WAF is built into your CDN, this option might be the right approach (the API platform sits behind the WAF/CDN).
C. API platform in front of the WAF. In situations where applications can only be accessed through a WAF gateway, this might be the right approach.
14. TESTING & DEPLOYMENT
Sync the API lifecycle with your SDLC and automate testing and deployment of APIs.
15. Align the API lifecycle with your SDLC and automate (test & deploy, best practice 08)
App SDLC stages: DEV, INTG, PERF, UAT, PRE PROD, PROD. The API lifecycle stages map onto them, with the API target backends progressing from MOCK through DEV, TEST, PERF and UAT to PROD.
Create a similar number of API environments as your SDLC stages to simplify testing and automation.
To ensure separation of concerns between production and non-production APIs, use the concept of organization in API management to separate users, APIs, and API traffic.
Use mock API targets early in the API lifecycle, in line with API-first and test-driven development (TDD) principles.
With API management plugins to DevOps tools like Apache Grunt or Maven, automate your API lifecycle and fit it into your SDLC.
16. Deploy APIs to the cloud based on workload (test & deploy, best practice 09)
Choose the deployment by use case (external: partner or consumer-focused; purely internal) and by target app (legacy interfaces and monoliths; microservices and REST APIs):
External use, legacy target: CENTRALIZED. Given external use, deploy APIs to the centralized API management for ease of operations.
External use, microservices target: PUBLIC CLOUD. As the microservices are in the cloud and given external use, deploy your APIs in the public cloud for scale and cost.
Internal use, microservices target: CLOUD. For internal use cases and modern apps, deploy APIs to the cloud (public or private cloud).
Internal use, legacy target: COLLOCATE. For legacy target apps focused on internal use cases, collocate your APIs with the application.
17. DEVELOPER PORTAL
Publish easy-to-use APIs with interactive documentation and self-service capabilities.
18. Package APIs for easy developer consumption (dev portal, best practice 10)
Example: the /store and /catalog APIs expose resources such as inventory, item id, traffic, location, ratings and promotions, and are bundled into API products:
Product 1: price $0.0005 per call, quota 10 requests per sec.
Product 2: price FREE, quota 100 requests per sec.
- Provide differentiated access to APIs and resources to various user groups.
- Quickly try out new API-based business models (e.g., revenue share, API pricing).
19. Publish automated, interactive documentation (dev portal, best practice 11)
Create rich documentation directly from your Open API specifications.
Provide a sandbox environment to test APIs.
Let developers interact with the API and see the request and response formats.
20. Automate onboarding for scalable developer adoption (dev portal, best practice 12)
Broad adoption: to drive broader adoption of public APIs and for internal API usage, set up your developer portal with automated onboarding. In this mode, developers sign up, register their app, get app keys, and get started, without any portal admin approvals.
Managed adoption: to engage strategic partners with a set of private APIs, you need to simplify partner developer onboarding while retaining access control. In this mode, app developers register on their own, but you have an admin approval step. Upon approval, the developer can register apps and get keys and access to docs.
Controlled access: this is uncommon, but in certain, highly sensitive cases, organizations use this mode to restrict access to APIs. In these use cases, the portal administrators sign up app developers. Although you have control, you lose scalability due to manual onboarding.
21. ANALYTICS
Use analytics to gain better insights into your API usage and performance.
22. Enable API developers to optimize API functionality (analytics, best practice 13)
Run step by step through an API request to get timing information for each stage as it flows through the API proxy.
23. Equip ops teams to monitor performance and availability (analytics, best practice 14)
Operations admin:
Traffic: operations teams need to monitor API traffic volumes, understand traffic patterns over time and identify anomalies.
Latency: ensure your APIs are meeting the target response time SLAs that have been set with your API consumers.
Availability: be the first to know if your API error rates increase beyond a particular threshold, and then rectify any issues.
24. Measure API program success with the right metrics (analytics, best practice 15)
Product manager:
Usage: as an API product owner, always know the most popular APIs, API traffic volumes, and usage patterns.
Business metrics: track the business metrics associated with your APIs (API-related fees, revenue share etc.).
Adoption: identify the most active developers and apps consuming your APIs, from traffic volume and breadth of APIs.
25. Empower app developers with data (analytics, best practice 16)
App developers have visibility into the availability of the APIs they’re consuming.
App developers can track the error rates of the APIs they consume over time.
They can identify whether errors are due to API policies, API infrastructure, or target backends.
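The analytics views from the three preceding slides (the operations admin's traffic, latency and error-rate thresholds; the product manager's adoption metrics; the app developer's error breakdown by policy, infrastructure or target) can all be computed from one access log. The Python below is an added example, not from the deck: the log format, the fault classification values and the alert thresholds are assumptions, and the log lines are constructed.

```python
"""Added example (not from the deck): the operations, product and app-developer
views of API analytics computed from constructed access-log lines. The log
format, the fault classification values and the thresholds are assumptions."""
import math
import re
from collections import defaultdict

# Constructed log lines: timestamp, API, app, status, latency in ms and which tier
# raised a fault ("-" = none, "policy" = API policy, "infra" = API infrastructure,
# "target" = target backend), mirroring the breakdown the slide asks for.
LOG_LINES = """\
2016-11-01T10:00:01Z /customer app=mobile status=200 latency=120 fault=-
2016-11-01T10:00:02Z /customer app=mobile status=200 latency=130 fault=-
2016-11-01T10:00:03Z /customer app=web status=500 latency=420 fault=target
2016-11-01T10:00:04Z /customer app=web status=200 latency=140 fault=-
2016-11-01T10:00:05Z /customer app=partner status=401 latency=15 fault=policy
2016-11-01T10:00:06Z /customer app=partner status=503 latency=50 fault=infra
2016-11-01T10:00:07Z /catalog app=web status=200 latency=90 fault=-
2016-11-01T10:00:08Z /catalog app=web status=200 latency=95 fault=-
2016-11-01T10:00:09Z /catalog app=mobile status=200 latency=80 fault=-
2016-11-01T10:00:10Z /catalog app=mobile status=200 latency=85 fault=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<api>\S+) app=(?P<app>\S+) status=(?P<status>\d{3}) "
    r"latency=(?P<latency>\d+) fault=(?P<fault>\S+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["latency"] = int(rec["latency"])
            records.append(rec)
    return records


def percentile(values, pct):
    """Nearest-rank percentile: rank = ceil(pct/100 * n), 1-based."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize_apis(records):
    """Ops and app-developer view: traffic, error rate, p95 latency, error source per API."""
    by_api = defaultdict(list)
    for rec in records:
        by_api[rec["api"]].append(rec)
    summary = {}
    for api, recs in by_api.items():
        errors = [r for r in recs if r["status"] >= 400]
        faults = defaultdict(int)
        for r in errors:
            faults[r["fault"]] += 1
        summary[api] = {
            "calls": len(recs),
            "error_rate": len(errors) / len(recs),
            "p95_latency_ms": percentile([r["latency"] for r in recs], 95),
            "error_sources": dict(faults),
        }
    return summary


def summarize_apps(records):
    """Product-manager view: adoption per app by call volume and breadth of APIs used."""
    calls, apis = defaultdict(int), defaultdict(set)
    for rec in records:
        calls[rec["app"]] += 1
        apis[rec["app"]].add(rec["api"])
    return {app: {"calls": calls[app], "apis": len(apis[app])} for app in calls}


def alerts(api_summary, max_error_rate=0.05, sla_p95_ms=300):
    """Threshold alerts for the ops admin: error rate above limit, p95 above SLA."""
    found = []
    for api, s in sorted(api_summary.items()):
        if s["error_rate"] > max_error_rate:
            found.append((api, "error_rate"))
        if s["p95_latency_ms"] > sla_p95_ms:
            found.append((api, "latency_sla"))
    return found


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    for api, s in summarize_apis(recs).items():
        print(api, s)
    print(summarize_apps(recs))
    print(alerts(summarize_apis(recs)))
```

On the constructed data /customer trips both alerts (half its calls failed and its p95 latency is 420 ms against a 300 ms SLA) while /catalog is healthy, and the error_sources breakdown shows one failure each from a policy, the API infrastructure and the target backend, which is exactly the split an app developer needs to decide whether to open a ticket with the API team or with the backend owners.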
26. API OPERATIONS
Automate API operations by integrating API management into your enterprise infrastructure.
27. Deploy your API platform in the cloud, based on needs (API operations, best practice 18)

Criterion                 Hybrid   Private cloud   Public cloud
Time to success           ★★       ★               ★★★
Total cost of ownership   ★★       ★★              ★★★
Security / compliance     ★★★      ★★★             ★★
Performance               ★★★      ★★★             ★★★
Scale / reliability       ★★★      ★★★             ★★★

Public cloud satisfies most customers’ needs, except for specific situations.
Leading API cloud providers can provide significant scale with auto scaling and reliability.
With skilled people and infrastructure ready to go, private cloud is still a viable option.
For an apples-to-apples comparison, use a three-year period and include all operations costs.
Public cloud satisfies most use cases (exception: purely internal use cases).
28. Integrate the API platform with existing monitoring infrastructure (API operations, best practice 19)
Monitoring of the API infrastructure:
Log monitoring: use the built-in message logging policies in the API platform to generate logs and use logging tools like Splunk.
Runtime data: collect runtime statistics like response time and error rates using JMX MBeans and access them using any JMX-compliant APM tool.
API monitoring: monitor performance and conduct stress testing of APIs and target systems with the health check capability of the API management platform.
Component monitoring: monitor availability of infrastructure components (CPU, memory, thread statistics) with management APIs and existing monitoring tools.
Analytics: gain visibility into a variety of usage (developer usage, API traffic) and performance data with the out-of-the-box API analytics provided by the API platform.
29. Automate scaling your API platform infrastructure (API operations, best practice 20)
Diagram: actual API traffic plotted against capacity. Auto scale the runtime and database infrastructure rather than manually provisioning infrastructure for peak.
30. SPEED MATTERS - API best practices are only one part
Adopt modern software practices: agile, scrum, test-driven development.
Execute first, align later: focus on business impact with your initial API projects and address broader alignment after initial successes.
Fail-fast approach: get the set of APIs out FAST. You never know if and how they will be consumed by developers.
31. About this report
As a leader in API management, Apigee is privileged to work with hundreds of customers to develop and manage a large number of APIs. By reflecting on our experiences and those of our customers and the industry at large, we have gained some insights into which API design innovations are bringing real benefits and becoming notable trends. This report aims to capture some of the best practices in API design that we have seen emerge in the past couple of years.
Data in this report are based on hundreds of billions of API calls made through the Apigee cloud and distributed across Apigee’s global network of datacenters from customers spanning 20 industry sectors. None of these data are from companies that deploy our technology in their private cloud.
If you have questions regarding the report, please email info@apigee.com or tweet @apigee.
About Apigee
Apigee® powers the APIs that make every business a digital business. Apigee provides a leading API platform that helps companies—from disruptive start-ups to the Fortune 100—rapidly adapt to the business and technology requirements of the connected, digital world. Many of the world’s largest organizations select Apigee to enable their digital business, including over 30 percent of the Fortune 100, four of the top five Global 2000 retail companies, and five of the top 10 global telecommunications companies. For more information, visit apigee.com.
Last published: November 2016
