2. March 2, 2013 | 2
David Bressler
Chief Architect
@djbressler
Agenda
• Why APIs and why now?
• What is API Management
• Enterprise API Trifecta
• Capabilities of API Management
• API Management Infrastructure
• Customer Case Studies
Poll #1: Are you currently exposing APIs for developers or have plans to do so? (Choose one. Tweet to explain your choice. Use #APISoftwareAG.)
a) Yes, mostly internally
b) Yes, mostly externally
c) Yes, both internally and externally
d) No plans to do so
APIs Help Organizations Delegate Complexity
- Mall of America Brand Manager
Cost of Ownership (chart): Single App vs. Single API & 10 Apps + Developer Community
Review: APIs & Why Now?
• Mobile / Tablets
• Need to do more with less
• Very connected world, have to reach the long tail
• Digital natives expect to be able to “solve their own problems”
ProgrammableWeb (Jan 2013 Survey)
Providing APIs
New Support Model
Service Level Agreements
Security
Governance, Risk, & Compliance
API Versioning
ProgrammableWeb (Jan 2013 Survey)
Consuming APIs
Versioning Disruption
Service Level Agreements
Data Security
Risk to Business Model (dependent on T&C of Provider)
Governance, Risk, & Compliance
Summary
Delegating complexity provides leverage
APIs are part of the cultural narrative
2 perspectives – Producer & Consumer
Producers require a mechanism to deliver a new support model, as well as manage the lifecycle of the API
Consumers require a way to manage risk to prevent disruption from provider technical or business term changes
Poll #2: Do you agree with the way we have defined API management? (Choose one. Tweet to explain your choice. Use #APISoftwareAG.)
a) Yes
b) No
c) Kind of agree (or I am still learning)
Enterprise API Trifecta
1. API Management
2. Code Academies
3. Hackathons & Coding Challenges
http://bit.ly/APItrifecta
API Management: Functional Capabilities
For App Developers (API Portal)
• Discover APIs
• Understand usage & traffic
• Sign up for access
For API Managers (API Gateway)
• Secure & mediate the traffic between APIs & its consumers
For API Developers (API Lifecycle)
• Manage the process of design, development, deployment, versioning of APIs
Poll #3: Which capabilities do you see as most critical for an API management solution? (Multiple choice. Tweet to explain your choice. Use #APISoftwareAG.)
a) API portal
b) API gateway
c) API design & lifecycle
API Management: In Operation
• Rapid Scalability
• 24x7 Availability
• Ease of smooth operations
• Operational governance
• Deployment options
API Management: Value Delivered
Build an API portal for API discovery & collaboration
Host & mediate APIs securely
Manage the process of planning, designing & developing APIs
Understand API usage with analytics & reporting
API Management: Infrastructure (diagram)
Cloud: Client App Developers discover APIs through the API Portal; Client Apps invoke APIs
DMZ: Optional Load Balancer; API Gateway (Edge Security)
Enterprise: API Gateway (Mediation, API Metering & Analytics); CentraSite (API Lifecycle & Design Strategy), used by API Managers and API Developers, publishes APIs to the portal; backend services are invoked through the Enterprise Service Bus
API Portal: Usage Dashboard Example
API Gateway: Traffic Management Example
API Gateway: Runtime Monitoring Example
API Lifecycle: Lifecycle States Example
API Lifecycle Management: Dependencies Example
Partnership among States and EPA for exchange of environmental info.
The mission of the EPA is to protect human health & the environment.
APIs to deliver Environmental Data for the State Agencies and Developers
Leading Global Logistics Corporation
“Freight should be as simple as shipping parcels”
API to access 140+ procurement & logistics services for sea, air, road & rail freight
API Management in webMethods
API Portal
• Organizing & documenting APIs with custom taxonomies
• Full-text search of APIs with Google style search results
• Consumer onboarding with approval workflow
• API Dashboards with a large selection of widgets to track personal KPIs
• Customizable information feeds for collaboration with other developers
API Gateway
• DMZ-level security between client apps and internal APIs
• Extensive mapping & transformation support, allowing API consumers to have flexibility in protocols, message formats & transports
• OAuth2 based authentication & authorization
• Single point to set up policies to uniformly secure and monitor API access
• API traffic management to shape the incoming traffic to a granular level
API Lifecycle
• Lifecycle management of APIs & metadata from inception/design all the way to deployment
• Automatic provisioning of policies based on specific criteria
• Graphic view of API dependencies & versions
The “single API + developer community” scenario is a project to write a good API (which we assume to cost the same as a single app, which might be high), plus a single person supporting the community full time at a loaded cost of $150K. That is enough to get started, and certainly to support the first 10 apps. It could be more, depending on circumstances, but that’s beyond the scope of this conversation.
Make sure to introduce the idea of 2 perspectives – provider and consumer. The provider needs to make sure his trains can run, and that stray animals don’t get in the way. The consumers need to make sure their horses don’t break their legs on these strange tracks!
Version disruption (need mediation). SLA: is your provider delivering in a way that lets you meet your needs? If not, what can you do? What if the provider changes terms and puts you out of business? (A small company gets acquired, or the Twitter example; need GRC for developer best practices.) What are other employees in the org doing? (Are we using 2 different sets of weather data, for example? Are we paying twice for the same information? Are we building higher-level libraries twice, differently?) Are we conforming to internal standards around data, security, performance?
http://bit.ly/APItrifecta
Capabilities in 3 buckets:
API Portal: API providers set up a portal for their APIs to attract and on-board external app developers. It allows client app developers to search for the APIs they need, read up on the documentation and get notifications on APIs they use.
API Gateway: Allows API managers to secure and mediate traffic between the API consumers and back-end servers. Also allows monitoring of API traffic to collect metrics for tasks such as performance dashboards and invoicing.
API Lifecycle: Allows API developers to manage the entire process of designing, developing, deploying, versioning and retiring APIs. This is a critical piece for implementing a sustainable API strategy.
In addition to API capabilities, it is also important to consider the operational aspects of an API management solution.
Obviously you need something that will scale elastically with the peaks and valleys of demand. Mobility is a huge driver for APIs and the #1 reason why it is hard to predict demand.
You also need your solution to support high availability. APIs are essentially a globally available resource, and adoption of your API depends on a highly reliable operation.
Another thing that sometimes gets overlooked is the ease of ensuring smooth operations: how easy it is to do daily housekeeping tasks such as taking timely backups, cleaning up log files and even automating some of these tasks using scripts.
Operational governance is another key aspect. Who has the rights to provision and de-provision APIs? What are the criteria for doing so? What is the process for changing the authentication mechanism for APIs? What is the security model, and what are the rights based on roles?
Consider deployment options for API management: which combination of cloud, on-premise and hybrid works for your organization? It is probably easiest to think in terms of the API capabilities we discussed and where each can be deployed. For instance, is the monitoring piece of your API gateway deployed on-premise or in the cloud? There’s no one right answer, but your API management solution needs to support a good mix of options.
Finally, also consider whether it makes sense to have separate solutions for internal and external APIs.
In this example client app developers perform a full-text search. The results are displayed in a Google-style layout. They can narrow down searches using keywords. Developers can then select a group of APIs and perform actions such as setting up a watch, marking them as favorites, and/or requesting access.
Or another example where your API portal may provide app developers with a selection of graphical widgets to track their personal KPIs: for instance, which APIs are most used by mobile applications, what kind of apps other developers are building using a specific API, or which APIs are the most popular.
Next let’s look at some API gateway examples.
This example shows how an API Gateway may implement traffic management policies. API managers can shape the incoming traffic at a granular level. They can apply a throttling limit across a segment of API consumers or across all consumers. They can decide to shut down the API request when violations happen, or simply issue a warning to the user and log notifications.
In this example of an API gateway, you see how it makes it easy to apply a combination of monitoring and security policies. API managers simply check, from a list of pre-populated options, all the policies that they need to apply consistently to API invocations.
OK, a couple more examples for API lifecycle management.
In this example of an API lifecycle there are four states that an API goes through: proposed, approved, in production and retired. The example shows how it is possible to define transitions from one state to another, and what checks may be performed at the gate before the transition is completed. Again, a great way for API developers to ensure that the APIs exposed meet the standards and the goals of the API strategy.
In this final example, the API lifecycle capability lets you graphically analyze the impact of changes to the WarehouseInformation API. It shows that the Mobile CRM and Employee Portal applications are using the API. And it shows that this API is related to the Warehouse Inventory Process and uses the canonical definition of an employee.
Now there are a number of reasons why organizations may implement APIs. Some organizations use APIs to unlock the business value of their unique data, whereas others use APIs to better enable partners and increase their reach. Finally, many are using APIs as the means to mobilize their enterprise applications. I have hand-picked a couple of our customers to illustrate how diverse the business drivers for doing APIs can be.
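As an added example (not the deck's or webMethods' code), here is a minimal lifecycle state machine with the four states named in the lifecycle example and gate checks that run before a transition completes; retiring is blocked while apps still depend on the API, mirroring the WarehouseInformation dependency view. The gate rules, owner, version and policy values are constructed.

```python
# Added example (not the deck's or webMethods' code): a lifecycle state machine with the
# slide's four states and gate checks run before a transition completes. The gate rules,
# owner, version and consumer names are constructed for illustration.
from dataclasses import dataclass, field

TRANSITIONS = {                       # current state -> allowed next states
    "proposed": {"approved", "retired"},
    "approved": {"in production", "retired"},
    "in production": {"retired"},
    "retired": set(),
}

@dataclass
class ApiRecord:
    name: str
    state: str = "proposed"
    owner: str = ""
    security_policy: str = ""         # gateway policy chosen for the API, e.g. "OAuth2"
    version: str = ""
    consumers: set = field(default_factory=set)   # apps known to depend on this API

def gate_checks(api, target):
    """Reasons the gate would block moving `api` to `target` (empty list means pass)."""
    problems = []
    if target == "approved" and not (api.owner and api.security_policy):
        problems.append("approval requires an owner and a security policy")
    if target == "in production" and not api.version:
        problems.append("production requires a published version")
    if target == "retired" and api.consumers:     # dependency impact, as in the slide
        problems.append("still consumed by: " + ", ".join(sorted(api.consumers)))
    return problems

def transition(api, target):
    """Move `api` to `target`; raise ValueError naming the failed gate or bad transition."""
    if target not in TRANSITIONS[api.state]:
        raise ValueError(f"{api.state} -> {target} is not a defined transition")
    problems = gate_checks(api, target)
    if problems:
        raise ValueError("; ".join(problems))
    api.state = target
    return api.state

def demo():
    # Constructed record modelled on the slide's WarehouseInformation API and its two consumers
    api = ApiRecord("WarehouseInformation", consumers={"Mobile CRM", "Employee Portal"})
    blocked = gate_checks(api, "approved")        # fails: no owner or policy assigned yet
    api.owner, api.security_policy, api.version = "warehouse-team", "OAuth2", "1.0"
    transition(api, "approved")
    transition(api, "in production")
    return api.state, blocked, gate_checks(api, "retired")   # retire blocked by consumers
```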
EPA’s Data Standards Branch (DSB) has implemented Reusable Component Services, or RCS, which is an umbrella registry serving as a clearinghouse for all kinds of reusable components regardless of where they reside. Why? DSB has been repeatedly approached by Exchange Network partners and EPA programs for access to various services and reusable components to support their information management needs. RCS serves as the vehicle for this outreach and discovery. The services provide a one-stop place to discover components of many different types, hosted and/or managed by many different organizations. RCS contains over 1,000 assets and federates data from a dozen different registries and sources. For developing new applications using environmental data, RCS provisions APIs that are used by EPA programs, public mobile apps, web sites and data.gov. Developers can go to EPA’s site called Developer Central, where they can search for the appropriate API. For instance
Envirofacts API is a centralized data warehouse which provides access to several EPA environmental databases. Envirofacts has developed a RESTful data service API to all of its internal data holdings.
Based on EPA’s data, EPA now has a collection of 100+ “Green Apps”. You can find apps by mobile platform and by topic, or suggest a new app. EPA hosted a developer challenge in the summer of 2011 to encourage developers to create green apps.
This is one of the top 3 logistics companies in the world. It believes that freight shipping should be just as easy as shipping documents around the world. This company hosts an API that is used by procurement and logistics officers to access over 140 services across different types of freight: sea, air, road and rail. Examples of such services include shipment tracking and border toll calculation. The company is now planning a self-service portal to expose the APIs to customers and partners, who can use it to onboard applications and to collaborate. Under the covers the API is powered by virtualized services that are securely exposed to external consumers. A small group of experts manages the operational aspects of hosting the API, including provisioning and deprovisioning of services. The system allows business owners of services to track consumption and usage of those APIs.
wM Gateway: Inspects the headers
• For DoS checks (global or by consumer)
• Does basic firewall checks
• Message Size Limit Checks
• OAuth2 app to service validation (in 9.0)
Cross-Origin Resource Sharing (CORS) is a W3C spec that allows cross-domain communication from the browser.
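As an added example (not code from the deck or from webMethods), the following toy gateway policy layer ties together the traffic-management example above and the header inspections listed here: a message size limit, a throttle limit per consumer or across all consumers with either a reject or a warn-and-log action, and a CORS origin allow-list. Consumer ids, origins, limits and timestamps are constructed.

```python
# Added example (not from the deck or webMethods): a toy gateway policy layer applying the
# checks described on the slides to a request: a message size limit, a throttle limit per
# consumer or across all consumers with a "reject" or "warn and log" action, and a CORS
# origin allow-list. Consumer ids, origins, limits and timestamps are constructed.
from collections import defaultdict, deque

class GatewayPolicy:
    def __init__(self, max_body_bytes, limits, allowed_origins, action="reject"):
        self.max_body_bytes = max_body_bytes
        self.limits = limits                  # {"*": (n, secs)} global, {"<consumer>": (n, secs)}
        self.allowed_origins = set(allowed_origins)
        self.action = action                  # "reject" the request or "warn" and log it
        self.window = defaultdict(deque)      # limit key -> timestamps inside the window
        self.log = []                         # notifications an operator would review

    def _over_limit(self, key, now):
        n, secs = self.limits[key]
        q = self.window[key]
        while q and now - q[0] >= secs:       # drop timestamps that fell out of the window
            q.popleft()
        q.append(now)
        return len(q) > n

    def check(self, consumer, origin, body_len, now):
        """Return (allowed, reason) for one request; throttle violations follow self.action."""
        if body_len > self.max_body_bytes:    # size limit is a hard rejection regardless of action
            return False, "message size limit exceeded"
        if origin is not None and origin not in self.allowed_origins:   # browser requests only
            return False, "origin not allowed by CORS policy"
        violated = [k for k in ("*", consumer) if k in self.limits and self._over_limit(k, now)]
        if violated:
            scope = "global" if "*" in violated else "consumer"
            self.log.append(f"{now}: {consumer} exceeded {scope} throttle limit")
            if self.action == "reject":
                return False, f"{scope} throttle limit exceeded"
            return True, f"warning: {scope} throttle limit exceeded"
        return True, "ok"

def demo():
    # Constructed policy: 1024-byte bodies, 2 requests/10 s per consumer, 3 requests/10 s overall
    gw = GatewayPolicy(1024, {"*": (3, 10), "mobile-crm": (2, 10)}, ["https://portal.example"])
    results = [gw.check("mobile-crm", "https://portal.example", 200, t) for t in (0, 1, 2)]
    results.append(gw.check("emp-portal", "https://other.example", 200, 3))   # CORS rejection
    results.append(gw.check("emp-portal", None, 4096, 4))                      # oversize body
    return results, gw.log
```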