API Management within a Microservices Architecture
Nadeesha Gamage
Senior Lead Solutions Engineer
WSO2 At-A-Glance
● $25m Sales in 2017, 53% YoY growth
● 450+ Customers, 175 New Customers in 2017
● Open Source
● Founded 2005, Backed by Cisco and Toba Capital
● Colombo, London, Mountain View (CA), New York (NY), São Paulo, Sydney
● 500+ Employees (300 Engineers)
#1
6th
Open Source Integration Vendor
Largest Apache Committer
Largest Open Source Vendor
5th
WSO2: Helping Digitally Driven Organizations Become Integration Agile
OPEN TECHNOLOGY FOR AGILE DIGITAL BUSINESS
● Build internal and external developer ecosystems with an API marketplace.
● Manage identity, security, and privacy across your digital business.
● Create real-time, intelligent, actionable business insights and data products.
● Platform enable your digital business with “micro-services” and “micro-integrations”.
All WSO2 PRODUCTS ARE
● Seamlessly Integrated
○ Comprehensive platform
○ Go to market faster
● Flexible
○ Deploy on-premises, public or private cloud, or hybrid environment
○ Easily migrate between on-premises and in the cloud
● 100% Open source
○ Quickly build POC
○ Affordably scale out to production systems
● Backed by world class team
○ More than a decade of experience helping companies realize digital transformation goals
The WSO2 Subscription
Get the most from your WSO2 product with enterprise-grade services:
Open source technology
WSO2 Subscription
Options:
- WSO2 managed cloud
- Consulting services
- Managed services
WSO2 Training and Certification
WSO2 Provides
● Training material free online; learn at your own pace
● Certification: a verifiable way to present skills to team, employers, customers, partners.
● Standard training (onsite and online)
● Customized training (on-site): in-depth, personalized training for your specific need
ANALYSTS SAY
“Strong Performer for Hybrid Integration”
- The Forrester Wave™: Hybrid Integration for Enterprises, Q4 2016 report, published November 18, 2016
“Leader in API Management Solutions”
- The Forrester Wave™: API Management Solutions, Q4 2018 report, published November 1, 2018.
“Visionary”
- Gartner Cool Vendors in Internet of Things Analytics, 2016 report, published May 11, 2016.
“Strong Performer for Big Data Streaming Analytics”
- The Forrester Wave™: Big Data Streaming Analytics, Q1 2016 report, published March 30, 2016.
- Gartner Magic Quadrant for Full Life Cycle API Management, published October 27, 2016
“Cool Vendor”
Worldwide Customer Presence
Flagship Customers
Across every industry and geography
Financial, Healthcare, Governments, Education, Telecom, Retail, Technology, Transport
Agenda
● APIs, the digital connector
● Microservices Architecture
● WSO2 API Manager
● Introduction to WSO2 API Microgateway
● Demo on WSO2 API Manager and Microgateway
● API Microgateway deployment patterns
It Is The Age Of The Consumer
Source: Forrester Research
API - “The Digital Connector”
● APIs are the interfaces that allow various services to expose their functionality for consumption.
● Enable a platform-independent, language-neutral way of integration.
● Enable Digital Transformation.
Digital Transformation is all about creating a “Digital Experience” for your customers
Why do APIs need to be managed?
○ Open API access to consumers
○ Easy API discoverability
○ Protecting APIs
■ Securing against unauthorized access
■ Fine-grained access control
■ Throttling
○ Metering and Monitoring
○ Monetization
○ Manage lifecycle and versioning
Monolithic vs Microservices
http://www.rafaelhart.com/2018/03/18/monolith-or-microservices.html
Monolithic Applications
Monolithic Application (continued)
● Despite modularity, application is packaged as a single monolith
● Packaging depends on the language
○ .war, .jar or directory structure
● Simple to test and deploy
● If simple, what is the issue?
○ Simple and easy only at the beginning
Problems with Monolithic applications
● Increasingly difficult to make code changes; disrupts agile development
● Over time, no single developer will understand the entire code. Changes will be error prone
● CI/CD would become painful
● Scaling would be difficult
● An issue in one component could potentially bring down the entire application
● Stuck with a single language
Microservices Architecture (MSA)
Microservices Architecture pattern
● An application written as small interconnected services, each implementing distinct functionality
● Self contained, maintains its own datastores
● Each service may expose a REST API; transactions require interaction with multiple services.
● Services may also use other inter-process communication methods to interact, such as queues etc.
Advantages with MSA
● Faster and focused development
● Easy deployment and thus easy CI/CD
● Demand based scalability and flexibility
● Reduced downtime due to modularity
● Reduce time to market for new features and capabilities.
API Management within a Microservice Architecture
Drawbacks of MSA
● Inherent complexity of distributed systems
○ Handling transactions (partial failures)
● Multiple databases
● Need for advanced technology (service mesh, service discovery, circuit breaker, container orchestration etc)
Does MSA need API Management?
● Common misconception that Microservices Architecture eliminates the need for API Management.
● Rather it augments and works collaboratively
● Don’t we need control on what we expose as a REST API in microservices?
● It's not a good practice to allow apps to directly consume microservices
What API Management brings to MSA
● Control API access and security
● API portal and discoverability
● Monitoring usage
● API documentation and testing before adoption
● Versioning and lifecycle management
Traditional Gateway vs Gateway for MSA
Microservices with an API Gateway
● API Microgateway for service
- Deploying Gateway closer to the microservice
[Diagram: API Gateways in front of the Products and Orders microservices]
Microservices with an API Gateway
● API Microgateway for each client
- The same API interface exposed to 3 types of Gateways. Each optimized for the client type it serves.
[Diagram: Mobile, Web and Public gateways in front of the Products and Orders microservices]
WSO2 API Manager
Design, create, publish and manage APIs to unlock the true value of your digital assets
Componentized
WSO2 API Manager
● Available as a single downloadable package
● Available as a cloud / SaaS solution
● Flexible deployment choices
● High performance gateway
● API governance, marketplace solution
Cloud First or Start On-Prem
● Multi-tenanted, shared everything
● WSO2 Hosted and managed
● Pay as you go
● Multi-region availability
● VPN tunnel to private DC
● Guaranteed uptime
● Limited options in customizing
● Hybrid Cloud
● Privately hosted
● WSO2 managed
● Upgrades, patches installation
● Guaranteed uptime
● Full flexibility in customization
● Better control
● Self hosted
● Self managed
● Full flexibility
● Dev-ops learning curve
● Self managed upgrades
http://wso2.com/api-management/cloud/
https://docs.wso2.com/display/ManagedCloud/WSO2+Managed+Cloud+Documentation
Creating an API
Designing or Publicizing an API
Creating APIs
● Start with an existing endpoint/contract or design and prototype a new API
● Exposing SOAP services (convert to REST or as a passthrough)
● Exposing streaming APIs (Websocket endpoints)
Creating APIs
● API Design - Over the wizard & with swagger
Managed or prototyped
● Point to a production backend or prototype at the gateway
Publishing an API
Enforcing Security and SLAs
Protecting APIs
● Protecting for applications and users
● Controlling access and entitlement with scope
● Multi-Tier subscription model
Authorization & Introspection
Client Application
● Encapsulate the client application
● Associates OAuth2 keys
● Support different integration patterns for application security through OAuth grant types
● Pre-generated access tokens for testing
Traffic Management
● Tier based simple model
○ Application developer selects the tier at app registration
○ Each tier is tied to a policy that describes the quota
○ Tiers can be applied at the application, API or at the API resource level
● Advanced rule based models
○ Policies containing IP conditions, message attribute based conditions, transport header based conditions
○ Complex real time pattern based conditions
Traffic Management
Traffic Manager Architecture
API Lifecycle Management
● Manage stages of an API
● Manage associated states
● Create a new version from an existing one
● Audit changes to lifecycle states
● Support for custom lifecycles
Consuming an API
The developer portal / marketplace
The Developer Portal
● Searchable (with context) - by name, tag, description, author etc.
● Social features: tagging, commenting, rating
● Minimalistic forum
● Themeable: change color, logo, view
● Configure alerts for application developers
● Application based API analytics
● OAuth2 application management
● API Monetization
Monitoring an API
Analytics and Insight
API Analytics: Batch
● Analytics dashboard on API stats
○ API Usage / Response times / Backend latency / Geo-location etc
● Stats on Applications for application owners (subscribers)
● Stats on subscriptions
API Analytics: Realtime
● Leverages real-time analytics streaming engine
● Used for various alerting use-cases
○ Fraudulent access token usage
○ Keeping API developers alerted on backend performance issues
○ Alerting on SLA violations
○ Alerting on tier crossing for subscriptions
● Detect trends
● Detect API call sequences that need to be blocked
● Detect non-usage scenarios
API Analytics: Architecture
The API Manager Runtime
Processing Flow and Extensibility
API Gateway
Message mediation
● Message manipulation, transformation and enrichment
● WSO2 developer studio based tooling
● Wizard based mediation policy application
API Gateway Performance
WSO2 API Manager all in one simple deployment performance
H/W config: 4 core cpu with 8GB memory / c4.xlarge ec2 equivalent
Extensibility & Enhancements
● API gateway handlers
○ Security handlers
○ Analytics handlers
● OAuth custom grant types
○ SAML extension grant type
○ NTLM / Kerberos
○ JWT extension grant
Extensibility & Enhancements
● OAuth scope handlers
○ Role based scope validation
○ XACML based scope validation
● Mediation extensions
○ Message transformation
○ Routing to backends
○ Payload validation
● Lifecycle extension
○ Executor plugin for lifecycle stages / transitions
API Microgateway
Introducing the WSO2 API Microgateway
● Designed to scale.
○ Immutable
○ Self validating tokens
○ Localized rate limiting
○ Offline analytics
● Native support for Docker/K8S.
● Dedicated gateway for microservices.
● First class support for lifecycle management across environments.
● Low resource requirement (2 core, 256 MB RAM).
Characteristics of WSO2 API Microgateway
● Ability to execute in isolation without connection to other components (key manager, traffic manager etc.)
● Ability to manage a subset of APIs, instead of all.
● Offers a proxy that is capable of performing security validation, in-memory (local) throttling and operational analytics.
● Immutability.
Microgateway Overview
[Diagram: the Microgateway Toolkit requests API definitions, downloads the API definitions (JSON) and generates the Microgateway Runtime]
Microgateway Security - JWT/JWS
[Diagram: the client application requests an access token (with scopes) and is provided a signed JWT; the client application sends the signed JWT to the Microgateways in front of the Products and Orders microservices]
Microgateway Security - Standard OAuth2.0
[Diagram: the client application requests an access token (with scopes) and is provided an opaque token; the client application sends the token to the Microgateway; the token is validated]
Microgateway - Localized Rate Limiting
Rate limiting policies are burnt into the microgateway runtime
[Diagram: a Microgateway in front of the Products and Orders microservices]
● Apply 1000 req/min on Products microservice
● Apply 500 req/min on Orders microservice
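Added example, not from the slides and not WSO2 code: a small simulation of what in-memory, per-instance limits mean once several Microgateway replicas serve the same API, which is why the deck reserves counters shared across all gateway nodes for the traditional gateway. Only the two quotas (1000 and 500 req/min) come from the slide; the class, the function names and the fixed-window algorithm are assumptions made for illustration.

```python
"""Per-instance ("localized") rate limiting and what it means at scale.

Constructed example: class and function names are hypothetical, not WSO2
Microgateway APIs. Only the two quotas are taken from the slide.
"""

# Quotas from the slide, fixed into each runtime when it is built.
POLICIES = {"Products": 1000, "Orders": 500}  # requests per minute
WINDOW_SECONDS = 60


class LocalRateLimiter:
    """Fixed-window counter kept in the memory of one gateway instance."""

    def __init__(self, policies):
        self._policies = dict(policies)  # copied once, never updated at runtime
        self._state = {}                 # api -> (window index, hits so far)

    def allow(self, api, now):
        limit = self._policies.get(api)
        if limit is None:
            return False                 # no policy for this API: fail closed
        window = int(now // WINDOW_SECONDS)
        seen, hits = self._state.get(api, (window, 0))
        if seen != window:
            hits = 0                     # a new minute started, reset the count
        if hits >= limit:
            self._state[api] = (window, hits)
            return False
        self._state[api] = (window, hits + 1)
        return True


def admitted_in_one_window(replicas, api, requests, policies=POLICIES,
                           shared=False, sticky=False):
    """Count admitted requests when `requests` arrive within one minute.

    shared=True models one counter for the whole cluster (a central traffic
    manager); shared=False models independent instances.
    sticky=True routes everything to one instance instead of round-robin.
    """
    if shared:
        limiters = [LocalRateLimiter(policies)] * replicas
    else:
        limiters = [LocalRateLimiter(policies) for _ in range(replicas)]
    admitted = 0
    for i in range(requests):
        node = 0 if sticky else i % replicas
        if limiters[node].allow(api, now=0.0):  # all inside the same window
            admitted += 1
    return admitted


def split_quota(policies, replicas):
    """One mitigation: build each instance with quota // replicas."""
    return {api: limit // replicas for api, limit in policies.items()}


if __name__ == "__main__":
    per_node = split_quota(POLICIES, 3)
    cases = [
        ("1 replica, local counters", dict(replicas=1)),
        ("3 replicas, local counters", dict(replicas=3)),
        ("3 replicas, shared counter", dict(replicas=3, shared=True)),
        ("3 replicas, quota split", dict(replicas=3, policies=per_node)),
        ("3 replicas, quota split, sticky routing",
         dict(replicas=3, policies=per_node, sticky=True)),
    ]
    for label, kwargs in cases:
        n = admitted_in_one_window(api="Products", requests=5000, **kwargs)
        print(f"{label}: {n} of 5000 Products requests admitted")
```

With local counters the effective ceiling is the policy multiplied by the number of replicas, and splitting the quota at build time restores the ceiling only while load is spread evenly, so autoscaling and routing policy need reviewing together with the quota.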
Microgateway - Offline Analytics
[Diagram: Microgateways]
Accumulate data in files and upload offline
Microgateway - Native Support for Docker/K8S
[Diagram: the Microgateway Toolkit requests API definitions, downloads the API definitions (JSON) and builds a Microgateway for a VM, Docker or K8S]
Provide relevant arguments in build phase for desired output
Microgateway - Cross Environment Lifecycle Mgt
[Diagram: a Microgateway in front of Products in Staging and in Prod, each started with its own endpoint override]
Staging:
gateway -e ProductsAPI.v1.prod.endpoint.0="http://staging.apis.wso2.com/products"
Prod:
gateway -e ProductsAPI.v1.prod.endpoint.0="http://apis.wso2.com/products"
API Gateway vs Microgateway

| Feature | API Gateway | Microgateway |
|---|---|---|
| Self contained token based authentication | No | Yes |
| OAuth 2.0 token based authentication | Yes | Yes |
| Mediation extension support (in/out sequences) | Yes | No |
| Response Caching (GET and HEAD methods) | Yes | Yes |
| Javascript based mediation logic | Yes | No |
| Analytics support | Yes | Yes |
| Logging and monitoring support | Yes | Yes |

When to use API Microgateway
● Run in lockdown or offline mode
● Cater to unusual traffic patterns of APIs (run in private jet mode)
● Scaling a subset of APIs.
● When consumers and services reside in the same network and a gateway is required in close proximity to reduce latency.
● Running the gateway in sidecar mode.
When to use the traditional API gateway
● When there is a requirement to throttle API calls based on counters across all gateway nodes.
● Run the API gateway as a centralized gateway. Handle requests for many different APIs and different backend servers.
● Traditional SOAP architecture which requires the Gateway to perform mediations and orchestrations.
Demo
API Microgateway deployment patterns in MSA
Centralized API Gateway
Shared Cluster of API Gateways to Handle the Internal and External Load
Private Jet API Gateway
Dedicated API Gateways to Each Microservice or a Group of Microservices
Sidecar API Gateway
API Gateway alongside Microservices - Service Mesh Architecture
THANK YOU
wso2.com

More Related Content

PPTX
Microservices Architecture & Testing Strategies
PDF
Understanding MicroSERVICE Architecture with Java & Spring Boot
PPTX
Rest assured
PDF
Architecting an Enterprise API Management Strategy
PPTX
Automated API pentesting using fuzzapi
PDF
Azure Application insights - An Introduction
PDF
API for Beginners
PPTX
Azure - Identity as a service
Microservices Architecture & Testing Strategies
Understanding MicroSERVICE Architecture with Java & Spring Boot
Rest assured
Architecting an Enterprise API Management Strategy
Automated API pentesting using fuzzapi
Azure Application insights - An Introduction
API for Beginners
Azure - Identity as a service

What's hot (20)

PDF
API Management - Why it matters!
PDF
An Introduction To Automated API Testing
PDF
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63
PPTX
Introduction to microservices
PPSX
Microservices, Containers, Kubernetes, Kafka, Kanban
PDF
Microservices Technology Stack
PDF
Building an API Security Strategy
PPTX
Api Testing
PDF
IBM API Connect - overview
PDF
Highlights of WSO2 API Manager 4.0.0
PDF
Design patterns for microservice architecture
PDF
Introduction to Event-Driven Architecture
PDF
Dependency Down, Flexibility Up – The Benefits of API-First Development
PDF
Mastering Azure Monitor
PDF
Microservices Design Patterns
PDF
API Security Best Practices & Guidelines
PPTX
Azure fundamentals
PPTX
Azure integration services from the IT Professional perspective
PPTX
Windows Azure Service Bus
PPTX
Api testing
API Management - Why it matters!
An Introduction To Automated API Testing
MuleSoft Event Driven Architecture (EDA Patterns in MuleSoft) - VirtualMuleys63
Introduction to microservices
Microservices, Containers, Kubernetes, Kafka, Kanban
Microservices Technology Stack
Building an API Security Strategy
Api Testing
IBM API Connect - overview
Highlights of WSO2 API Manager 4.0.0
Design patterns for microservice architecture
Introduction to Event-Driven Architecture
Dependency Down, Flexibility Up – The Benefits of API-First Development
Mastering Azure Monitor
Microservices Design Patterns
API Security Best Practices & Guidelines
Azure fundamentals
Azure integration services from the IT Professional perspective
Windows Azure Service Bus
Api testing
Ad

Similar to API Management within a Microservice Architecture (20)

PDF
[Workshop] Managing the API lifecycle with Open Source Technologies
PDF
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
PDF
WSO2 API Manager 2.0 - Overview
PDF
WSO2 User Group Bangalore Meetup
PPTX
WSO2- OSC Korea - Accelerating Digital Businesses with APIs
PDF
WSO2 API Manager - Product Overview
PDF
Api management best practices with wso2 api manager
PDF
[Workshop] API-driven Integration
PDF
Application Development with API Manager
PPT
Six Steps To Build A Successful API
PPT
Six Steps to Build Successful APIs
PDF
Presentation WSO2 workshop Brussels September 24th 2014 (APIs-Integration)
PDF
Building an API Centric SOA
PPTX
WSO2 Workshop Sydney 2016 - APIs
PDF
[WSO2 Summit EMEA 2020] APIs: The Products of the 21st Century
PPTX
API Management Platform Technical Evaluation Framework
PDF
João Emilio Santos Bento da Silva - Estratégia de APIs
PDF
Introducing WSO2 API Manager for Mobile Applications and Rapid Integration
PDF
WSO2 API Platform: Vision and Roadmap
PPTX
Open api in enterprise
[Workshop] Managing the API lifecycle with Open Source Technologies
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0
WSO2 API Manager 2.0 - Overview
WSO2 User Group Bangalore Meetup
WSO2- OSC Korea - Accelerating Digital Businesses with APIs
WSO2 API Manager - Product Overview
Api management best practices with wso2 api manager
[Workshop] API-driven Integration
Application Development with API Manager
Six Steps To Build A Successful API
Six Steps to Build Successful APIs
Presentation WSO2 workshop Brussels September 24th 2014 (APIs-Integration)
Building an API Centric SOA
WSO2 Workshop Sydney 2016 - APIs
[WSO2 Summit EMEA 2020] APIs: The Products of the 21st Century
API Management Platform Technical Evaluation Framework
João Emilio Santos Bento da Silva - Estratégia de APIs
Introducing WSO2 API Manager for Mobile Applications and Rapid Integration
WSO2 API Platform: Vision and Roadmap
Open api in enterprise
Ad

More from WSO2 (20)

PDF
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
PDF
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
PDF
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
PDF
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
PDF
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
PDF
Platformless Modernization with Choreo.pdf
PDF
Application Modernization with Choreo for the BFSI Sector
PDF
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
PDF
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
PPTX
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
PPTX
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
PPTX
WSO2Con 2025 - Building Secure Customer Experience Apps
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
PPTX
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
PPTX
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
PPTX
WSO2Con 2025 - Architecting Cloud-Native Applications
PDF
Mastering Intelligent Digital Experiences with Platformless Modernization
PDF
Accelerate Enterprise Software Engineering with Platformless
PDF
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
Platformless Modernization with Choreo.pdf
Application Modernization with Choreo for the BFSI Sector
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2Con 2025 - Architecting Cloud-Native Applications
Mastering Intelligent Digital Experiences with Platformless Modernization
Accelerate Enterprise Software Engineering with Platformless
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

Recently uploaded (20)

PDF
Encapsulation theory and applications.pdf
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
MYSQL Presentation for SQL database connectivity
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PPTX
Machine Learning_overview_presentation.pptx
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Electronic commerce courselecture one. Pdf
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPT
Teaching material agriculture food technology
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
Encapsulation theory and applications.pdf
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Spectral efficient network and resource selection model in 5G networks
Unlocking AI with Model Context Protocol (MCP)
MYSQL Presentation for SQL database connectivity
“AI and Expert System Decision Support & Business Intelligence Systems”
Advanced methodologies resolving dimensionality complications for autism neur...
Machine Learning_overview_presentation.pptx
Chapter 3 Spatial Domain Image Processing.pdf
NewMind AI Weekly Chronicles - August'25-Week II
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
The Rise and Fall of 3GPP – Time for a Sabbatical?
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Electronic commerce courselecture one. Pdf
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Review of recent advances in non-invasive hemoglobin estimation
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Teaching material agriculture food technology
Building Integrated photovoltaic BIPV_UPV.pdf

API Management within a Microservice Architecture

  • 1. API Management within a Microservices Architecture Nadeesha Gamage Senior Lead Solutions Engineer
  • 2. WSO2 At-A-Glance 2 $25m Sales in 2017 53% YoY growth 450+ Customers, 175 New Customers in 2017 Open Source Founded 2005, Backed by Cisco and Toba Capital Colombo London Mountain View, CA New York, NY São Paulo Sydney 500+ Employees (300 Engineers)
  • 3. 3 #1 6th Open Source Integration Vendor Largest Apache Committer Largest Open Source Vendor 5th WSO2: Helping Digitally Driven Organizations Become Integration Agile
  • 4. OPEN TECHNOLOGY FOR AGILE DIGITAL BUSINESS 4 Build internal and external developer ecosystems with an API marketplace. Manage identity, security, and privacy across your digital business. Create real-time, intelligent, actionable business insights and data products. Platform enable your digital business with “micro-services” and “micro-integrations”.
  • 5. All WSO2 PRODUCTS ARE 5 WSO2 PRODUCTS Seamlessly Integrated Comprehensive platform Go to market faster Flexible Deploy on-premises, public or private cloud, or hybrid environment Easily migrate between on-premises and in the cloud 100% Open source Quickly build POC Affordably scale out to production systems Backed by world class team More than a decade of experience helping companies realize digital transformation goals
  • 6. The WSO2 Subscription Get the most from your WSO2 product with enterprise-grade services: Open source technology WSO2 Subscription Options: - WSO2 managed cloud - Consulting services - Managed services 6
  • 7. WSO2 Training and Certification Training material free online; learn at your own pace 7 WSO2 Provides Certification a verifiable way to present skills to team, employers, customers, partners. Standard training (onsite and online) Customized training (on-site) in-depth, personalized training for your specific need
  • 8. ANALYSTS SAY 8 “Strong Performer for Hybrid Integration” - The Forrester Wave™: Hybrid Integration for Enterprises, Q4 2016 report, published November 18, 2016 “Leader in API Management Solutions” - The Forrester Wave™: API Management Solutions, Q4 2018 report, published November 1, 2018. “Visionary” - Gartner Cool Vendors in Internet of Things Analytics, 2016 report, published May 11, 2016. “Strong Performer for Big Data Streaming Analytics” - The Forrester Wave™: Big Data Streaming Analytics, Q1 2016 report1, published March 30, 2016. - Gartner Magic Quadrant for Full Life Cycle API Management, published October 27, 2016 “Cool Vendor”
  • 10. Flagship Customers Across every industry and geography Financial Healthcare Governments Education Telecom Retail TechnologyTransport 10
  • 11. Agenda ● APIs, the digital connector ● Microservices Architecture ● WSO2 API Manager ● Introduction to WSO2 API Microgateway ● Demo on WSO2 API Manager and Microgateway ● API Microgateway deployment patterns 11
  • 12. It Is The Age Of The Consumer 12 Source: Forrester Research
  • 13. API - “The Digital Connector”
  • 14. API - “The Digital Connector” ● APIs are the interfaces that allows various services to expose their functionality for consumption. ● Enables platform independent, language neutral way of integration. ● Enables Digital Transformation.
  • 15. Digital Transformation is all about creating a “Digital Experience” for your customers
  • 16. Why is it needed to manage APIs? ○ Open API access to consumers ○ Easy API discoverability ○ Protecting APIs ■ Securing for unauthorized access ■ Fine grained access control ■ Throttling ○ Metering and Monitoring ○ Monetization ○ Manage lifecycle and versioning
  • 20. Monolithic Application (continued) ● Despite modularity, application is packaged as a single monolith ● Packaging depends on the language ○ .war, .jar or directory structure ● Simple to test and deploy ● If simple, what is the issue? ○ Simple and easy only at the beginning
  • 21. Problems with Monolithic applications ● Increasingly difficult to make code changes Disrupts agile development ● Overtime, no single developer will understand the entire code. Changes will be error prone ● CI/CD would become painful ● Scaling would be difficult ● An issue in one component could potentially bring down the entire application ● Stuck with a single language
  • 23. Microservices Architecture pattern ● An application written as small interconnected services, each implementing distinct functionality ● Self contained, maintains its own datastores ● Each service may expose a REST API, a transactions require interaction with multiple service. ● Services may also use other Inter-process- communication methods to interact, such as queue etc.
  • 24. Advantages with MSA ● Faster and focused development ● Easy deployment and thus easy CI/CD ● Demand based scalability and flexibility ● Reduced downtime due to modularity ● Reduce time to market for new features and capabilities.
  • 26. Drawback of MSA ● Inherent complexity of distribution of systems ○ Handling transactions (partial failures) ● Multiple databases ● Need for advanced technology (service mesh, service discovery, circuit breaker, container orchestration etc)
  • 27. Does MSA need API Management? ● Common misconception that Microservices Architecture eliminates the need of API Management. ● Rather it augments and works collaboratively ● Don’t we need control on what we expose as a REST API in microservices? ● Its not a good practice to allow apps to directly consume microservice
  • 28. What API Management brings to MSA ● Control API access and security ● API portal and discoverability ● Monitoring usage ● API documentation and testing before adoption ● Versioning and lifecycle management
  • 29. Traditional Gateway vs Gateway for MSA
  • 30. Microservices with an API Gateway ● API Microgateway for service - Deploying Gateway closer to the microservice API Gateways MicroservicesProducts Orders
  • 31. ● API Microgateway for each client - The same API interface exposed to 3 types of Gateways. Each optimized for the client type it serves. Products Orders MobileWebPublic Microservices with an API Gateway
  • 32. WSO2 API Manager Design, create, publish and manage APIs to unlock the true value of your digital assets
  • 35. 36 WSO2 API Manager ● Available as a single downloadable package ● Available as a cloud / SaaS solution ● Flexible deployment choices ● High performance gateway ● API governance, marketplace solution
  • 36. 37 Cloud First or Start On-Prem ● Multi-tenanted, shared everything ● WSO2 Hosted and managed ● Pay as you go ● Multi-region availability ● VPN tunnel to private DC ● Guaranteed uptime ● Limited options in customizing ● Hybrid Cloud ● Privately hosted ● WSO2 managed ● Upgrades, patches installation ● Guaranteed uptime ● Full flexibility in customization ● Better control ● Self hosted ● Self managed ● Full flexibility ● Dev-ops learning curve ● Self managed upgrades http://wso2.com/api-management/cloud/ https://docs.wso2.com/display/ManagedCl oud/WSO2+Managed+Cloud+Documenta tion
  • 37. Creating an API Designing or Publicizing an API 38
  • 38. 39 ● Start with an existing endpoint/contract or design and prototype a new API ● Exposing SOAP services (convert to REST or as a passthrough) ● Exposing streaming APIs (Websocket endpoints) Creating APIs
  • 39. 40 ● API Design - Over the wizard & with swagger Creating APIs
  • 40. 41 ● Point to a production backend or prototype at the gateway Managed or prototyped
  • 41. Publishing an API Enforcing Security and SLAs 42
  • 42. 43 ● Protecting for applications and users ● Controlling access and entitlement with scope ● Multi-Tier subscription model Protecting APIs
  • 45. 46 ● Encapsulate the client application ● Associates OAuth2 keys ● Support different integration patterns for application security through OAuth grant types ● Pre-generated access tokens for testing Client Application
  • 46. 47 ● Tier based simple model ○ Application developer selects the tier at app registration ○ Each tier is tied to a policy that describes the quota ○ Tiers can be applied at the application, API or at the API resource level ● Advanced rule based models ○ Policies containing IP conditions, message attribute based conditions, transport header based conditions ○ Complex real time pattern based conditions Traffic Management
  • 49. 50 ● Manage stages of an API ● Manage associated states ● Create a new version from an existing one ● Audit changes to lifecycle states ● Support for custom lifecycles API Lifecycle Management
  • 50. Consuming an API The developer portal / marketplace 51
  • 51. 52 ● Searchable (with context) - by name, tag, description, author etc. ● Social features: tagging, commenting, rating ● Minimalistic forum ● Themeable: change color, logo, view ● Configure alerts for application developers ● Application based API analytics ● OAuth2 application management ● API Monetization The Developer Portal
  • 52. Monitoring an API Analytics and Insight 53
  • 53. 54 ● Analytics dashboard on API stats ○ API Usage / Response times / Backend latency / Geo-location etc ● Stats on Applications for application owners (subscribers) ● Stats on subscriptions API Analytics: Batch
  • 54. 55 ● Leverages real-time analytics streaming engine ● Used for various alerting use-cases ○ Fraudulent access token usage ○ Keeping API developers alerted on backend performance issues ○ Alerting on SLA violations ○ Alerting on tier crossing for subscriptions ● Detect trends ● Detect API call sequences that need to be blocked ● Detect non-usage scenarios API Analytics: Realtime
  • 56. The API Manager Runtime Processing Flow and Extensibility 57
  • 58. 59 ● Message manipulation, transformation and enrichment ● WSO2 developer studio based tooling ● Wizard based mediation policy application Message mediation
  • 59. 60 API Gateway Performance WSO2 API Manager all in one simple deployment performance H/W config: 4 core cpu with 8GB memory / c4.xlarge ec2 equivalent
  • 61. 62 ● API gateway handlers ○ Security handlers ○ Analytics handlers ● OAuth custom grant types ○ SAML extension grant type ○ NTLM / Kerberos ○ JWT extension grant Extensibility & Enhancements
  • 62. 63 ● OAuth scope handlers ○ Role based scope validation ○ XACML based scope validation ● Mediation extensions ○ Message transformation ○ Routing to backends ○ Payload validation ● Lifecycle extension ○ Executor plugin for lifecycle stages / transitions Extensibility & Enhancements
  • 64. Introducing the WSO2 API Microgateway ● Designed to scale. ○ Immutable ○ Self validating tokens ○ Localized rate limiting ○ Offline analytics ● Native support for Docker/K8S. ● Dedicated gateway for microservices. ● First class support for lifecycle management across environments. ● Low resource requirement (2 core, 256 MB RAM).
  • 65. Characteristics of WSO2 API Microgateway ● Ability to execute in isolation without connection to other components (key manager, traffic manager, etc.). ● Ability to manage a subset of APIs, instead of all. ● Offers a proxy that is capable of performing security validation, in-memory (local) throttling and operational analytics. ● Immutability.
  • 67. Microgateway Security - JWT/JWS [Diagram labels: Request Access Token (with scopes); Provide Signed JWT; Client Application sends Signed JWT to Microgateways; services: Products, Orders]
  • 68. Microgateway Security - Standard OAuth2.0 [Diagram labels: Request Access Token (with scopes); Provide Opaque Token; Client Application sends Token to Microgateway; Validate Token]
  • 69. Microgateway - Localized Rate Limiting Rate limiting policies are burnt into the microgateway runtime [Diagram labels: Apply 1000 req/min on Products microservice; Apply 500 req/min on Orders microservice]
  • 70. Microgateway - Offline Analytics Microgateway Microgateway Accumulate data in files and upload offline
  • 71. Microgateway - Native Support for Docker/K8S Microgateway Toolkit Request API Definitions Download API Definitions (JSON) Microgateway VM Microgateway Docker Microgateway K8S Provide relevant arguments in build phase for desired output
  • 72. Microgateway - Cross Environment Lifecycle Mgt Microgateway VM Microgateway Microgateway Staging Prod Products Products gateway -e ProductsAPI.v1.prod.endpoint.0="http://staging.apis.wso2.com/products" gateway -e ProductsAPI.v1.prod.endpoint.0="http://apis.wso2.com/products"
  • 73. API Gateway vs Microgateway (Feature: API Gateway / Microgateway) ● Self contained token based authentication: No / Yes ● OAuth 2.0 token based authentication: Yes / Yes ● Mediation extension support (in/out sequences): Yes / No ● Response Caching (GET and HEAD methods): Yes / Yes ● Javascript based mediation logic: Yes / No ● Analytics support: Yes / Yes ● Logging and monitoring support: Yes / Yes
  • 74. When to use API Microgateway ● Run in lockdown or offline mode ● Cater to unusual traffic patterns of APIs (run in private jet mode) ● Scaling a subset of APIs. ● When consumers and services reside in the same network and a gateway is required in close proximity to reduce latency. ● Running the gateway in sidecar mode.
  • 75. When to use the traditional API gateway ● When there is a requirement to throttle API calls based on counters across all gateway nodes. ● Run the API gateway as a centralized gateway that handles requests for many different APIs and different backend servers. ● Traditional SOAP architecture which requires the gateway to perform mediations and orchestrations.
  • 76. Demo
  • 78. 79 Centralized API Gateway Shared Cluster of API Gateways to Handle the Internal and External Load
  • 79. 80 Private Jet API Gateway Dedicated API Gateways to Each Microservice or a Group of Microservices
  • 80. 81 Sidecar API Gateway API Gateway alongside Microservices - Service Mesh Architecture
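
The self-validating token check and the localized rate limit from the Microgateway slides, sketched together as an added example; this is not WSO2 code. HS256 with a shared key, the key value, the scope names used with it, and every function and class name are assumptions made for illustration; only the 1000 and 500 req/min limits come from the slides.

```python
import base64, hashlib, hmac, json, time

# Constructed key; HS256 is an assumption (stdlib only), not named on the slides.
KEY = b"constructed-demo-key"
LIMITS = {"Products": 1000, "Orders": 500}  # requests per minute, from the slides

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(claims, key=KEY):
    """Token-issuer side; present only to build sample tokens."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head, body, key))}"

def validate(token, scope, now, key=KEY):
    """Validate a signed JWT locally: pinned alg, signature, expiry, scope."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None  # rejects alg=none and algorithm substitution
        if not hmac.compare_digest(sign(head, body, key), b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        if claims["exp"] <= now or scope not in claims["scope"].split():
            return None
        return claims
    except (ValueError, KeyError, AttributeError, TypeError):
        return None  # malformed token or missing claim

class Gateway:
    """One microgateway instance; its counter exists only in this process."""
    def __init__(self, api):
        self.limit, self.window, self.count = LIMITS[api], None, 0

    def handle(self, token, scope, now=None):
        now = time.time() if now is None else now
        if validate(token, scope, now) is None:
            return 401
        if int(now // 60) != self.window:  # start a new one-minute window
            self.window, self.count = int(now // 60), 0
        self.count += 1
        return 200 if self.count <= self.limit else 429
```

Because each instance keeps its own counter, N replicas in front of Orders admit up to N × 500 requests per minute in total; throttling on counters shared across all nodes is the case the deck assigns to the traditional gateway.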