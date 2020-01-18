API management is a discipline that has evolved to provide the processes and tools required to discover, design, implement, use, or operate corporate APIs. The discipline divides two different communities and deserves the attention of both: developers who develop APIs, and business people and IT managers who use APIs as growth drivers.

in the Enterprise API managementLuis Weir shows how to define the right architecture, implement the right patterns and define the right organizational model for business-oriented APIs. The book looks at architectural decisions, implementation patterns, and management practices for successful business APIs. You will also receive clear and actionable advice on choosing and executing the right API strategy in your company.

Let’s see what Luis has to say about API management and the key principles for improving API design for business organizations.

What API management includes

What does API management mean and include?

Luis Weir: Simply put, it’s the discipline that aligns tools with processes and people to realize the value of implementing enterprise-class APIs across the cycle. By company APIs I mean APIs that meet a minimum of quality standards, not only in the actual API itself (e.g. use of normalized semantics, well-documented interfaces and good user experience), but also in the engineering processes behind it Delivery (e.g. CICD pipelines and robust automation at all levels, different test levels, etc.).

Guiding principles for API design

What are the guiding principles that can improve API design?

LW: The main thing is to identify APIs yourself. It’s not just about building an API, and the value will come soon. Without a process (e.g. an idea) that can be used to identify APIs that offer real added value, there is a real risk that an API is only a DOA (Dead On Arrival), as it may not even be required becomes.

Assuming that such a process has taken place and APIs with real value creation potential have been identified, the next step is to design a design. At this point, disciplines such as domain-based design can help create such a design that both business people and IT staff can refer to. This design should cover things such as: B. the consumption of applications, the creation of applications (data sources), data entities and services that are involved in the concept. It should clearly and simply define the relationship between the components and define boundaries (limited contexts) as these are not only critical to the actual implementation of the API or APIs (as they may be more than one), but also in IDLs were taken into account when creating the API specifications (e.g. an OAS file, an API blueprint, a GraphQL schema, a .proto file in gRPC, to name just a few).

The next and very important step in creating a good API is to follow an API design first process. This process ensures that the API specifications and API mocks (created from the API specifications themselves) are subject to a series of validations by potential consumers of the API itself and other relevant parties. The idea is to get as much feedback as possible through multiple iterations (or feedback loops) to ensure that the API is functional but also provides a good user experience.

For more information, see the API lifecycle section in my book.

Test APIs

What are different API testing approaches?

LW: API tests should include at least the following test approaches:

Interface testing

functional test

performance test

safety test

Interface tests are used to check whether an API implementation complies with the API specification. Function tests are used to check whether the API offers the functionality it is supposed to deliver and has the expected behavior. Performance tests ensure that APIs can process the expected volume and scale as needed. Security testing ensures that the API is not vulnerable to the general threads described in the OWASP Top 10 projects.

Other more complex test approaches can include A / B tests and chaos tests. A / B tests dynamically test new API functions based on a subset of the API target group and in an ongoing environment (also in production). Chaos testing (e.g., randomly shutting down components of the solution in production to ensure that the API is stable) should be considered when the API initiative is mature.

Understanding API gateways

What are the main features of an API gateway?

LW: Many functions are expected from an API gateway, which are described in detail in the API exposure section of my book. In addition to such features, which I think are all essential, there are some key features that differentiate modern API gateways (3rd generation) from more traditional ones (1st and 2nd generations). These are:

Light : Requires at least hard disk space, CPU and RAM to run.

: Requires at least hard disk space, CPU and RAM to run. Hybrid : Can run on-premises, in the cloud and on multiple cloud platforms (e.g. AWS, Azure, Google, Oracle, etc.).

: Can run on-premises, in the cloud and on multiple cloud platforms (e.g. AWS, Azure, Google, Oracle, etc.). Kubernetes ready : k8s has become the most popular runtime platform for microservices. Modern APIs should be easy to implement in the K8 runtime environment and support many of the patterns described in my book.

: k8s has become the most popular runtime platform for microservices. Modern APIs should be easy to implement in the K8 runtime environment and support many of the patterns described in my book. Common control level : If the management of APIs deployed on gateways is in no way centralized, form, or form, it is extremely difficult to enable enterprise users to recognize APIs that have already been created and reuse a lot of duplication. We saw this in the SOA days. Modern API gateways should therefore be pluggable to control levels that take care of things like API lifecycle management and gateway infrastructure management.

: If the management of APIs deployed on gateways is in no way centralized, form, or form, it is extremely difficult to enable enterprise users to recognize APIs that have already been created and reuse a lot of duplication. We saw this in the SOA days. Modern API gateways should therefore be pluggable to control levels that take care of things like API lifecycle management and gateway infrastructure management. Call home: This is a key function that is not yet supported by many modern gateways. The ability of an API gateway to enable communication to the management level via the control level (phone home) using standard ports is key in hybrid architectures to avoid network and other security restrictions.

I think Enterprise API Management offers a fairly comprehensive overview of what modern API platforms look like and how to differentiate them from more traditional ones.

Common API management errors

What are the most common API management errors?

LW: During my time as an API strategist and practitioner, I saw a lot of mistakes and made a few myself. It is important to recognize what they are and to learn from them. The top 3 that come to mind:

The idea that API management means only the implementation of a product or tools without the business strategy and customer benefit at the center of the API strategy. (Sometimes there is no API strategy.) This is possibly the most common and one that was common in the old SOA days. Unfortunately, it still occurs in the modern API-led era. My book Enterprise API Management can be used as a guide to avoid an API management initiative referring less to tools than to business / customer benefits, people, and processes.

Think that all APIs are the same and therefore treat them the same. In some cases, this happens accidentally. In other cases, API layering is avoided because “microservices architectures and practitioners say so”. The fact is that an API that is specifically designed to support a particular mobile application is less general and less suitable for use outside of the context in which it was created than an API that was created regardless of a particular consuming application (and is therefore not linked to an application lifecycle).

Adopting the wrong organizational model to provide API functions across the enterprise. For example, this could be a model that centralizes all API efforts and features, becoming a bottleneck and eventually slowing down (also known as traditional IT). Modern API initiatives should think about introducing self-service platform models in the epicenter.

In addition to the above three points, there are many common pitfalls in terms of API architecture and design. To address this, I highly recommend that you talk about the 7 deadly sins of the API design …

(embed) https://www.youtube.com/watch?v=Sx2_etbb9JA (/ embed)

API management and DevOps

What do you think of 3rd generation API management that has a huge impact on DevOps?

LW: In order to be successful in modern API management and microservices architectures, not only must technological changes be made, but also deeply immersed in the organization and its culture. It means moving away from traditional project-based deployments, where teams only gather for the duration of a project and deliver the supplied software (e.g., an API and related services) to different support teams. Instead, move to a product-based organization where teams gather around business skills and retain accountability and ownership throughout the product lifecycle.

This fundamental change in the approach to software delivery means that there is no longer a division between development and operations teams because a product team has full responsibility and responsibility for their product. Against this background, a platform operating model can be adopted in order to avoid that these product teams are (newly) put together and the basic IT functions are maintained from scratch (e.g. API platforms and service periods). This model can offer general IT functions, albeit remotely, on demand and in self-service mode.

And for me it’s true to be DevOps. At this point, companies can become more agile and significantly extend their time to market.

What were your goals in this book and how well did you achieve them?

LW: When I started defining and implementing API and microservices strategies in large companies (many of them Fortune 500), I literally had to go through several articles, books, videos and others to get a top-down, business-oriented one Develop an approach to delivering end-to-end API and microservices strategies.

When I say end-to-end, it’s not just about defining PowerPoints and detailed Word documents that explain how API / microservices strategies are deployed, and then just moving on. Or in the worst case with an opinion but without accountability sitting on the side (unfortunately only too often in the consulting world – many senior consultants with a strong opinion but who have little or no real practical knowledge and experience). Rather, it is about leading the conversation, defining the strategy and delivering all of its implications.

With this book, I wanted to give the community an approach that I have developed, that has developed over the years, and that has worked. It is not just theory, but a mixture of theory and practice. It is not just ideas, but ideas that I have put into practice. This book is about sharing my hands-on experience and approach to delivering API and microservices strategies.

So I think (or hope) that I’ve achieved my goals with this book. I felt that there are great things that focus on certain end-to-end things, but not the actual end-to-end that I wanted to talk about in this book. I didn’t want to be too high or too detailed. I wanted to offer something to several target groups, since several (technical and non-technical) target groups have to work together in order to successfully carry out API management. Ultimately, the readers will be the judges, but I think I’ve achieved my goals with this book.

Search for Enterprise API Management in the Packt Store.

Read the first chapter for free on Packt’s subscription platform.