Category: OSS

7 Critical Factors For Selecting Your API Management Layer

Remember the final scene of Indiana Jones and the Last Crusade, where the old Knight says: “You must choose, but choose wisely”? Admittedly Indy wasn’t choosing an API Management Solution and certainly had other things on his plate that day. However the adage still applies and to help you choose wisely we’ve got James Higginbotham, who has put together a list of the seven critical factors to consider when choosing your API Management Layer.

choose-wisely-nofwvs

I’m often asked which API management layer is the best one available today. The answer is always, “It depends”. Whether you are considering an open source or closed source API management layer, the number of vendors and options available today are astounding. Many API management solutions focus on delivering specific capabilities, while others strive to cover a breadth of features but don’t go very deep in all areas. This article will shed some light on how to approach the decision making process for managing your API, so that you can ensure the needs of your business, product, and development teams are met.

Why Do You Need API Management?

For those unfamiliar, API management layers accelerate the deployment, monitoring, security, versioning, and sharing of APIs. They are often deployed as a reverse proxy, intercepting all incoming API request traffic and applying rules to determine if requests should be routed to the API. In addition to traffic management, they commonly offer:

  • Token-based authorization support through API-key based authentication and/or OAuth 2
  • Deployment and versioning support for redirecting incoming requests to the current or newly deployed release of an API
  • Rate limiting to reduce the impact of greedy API clients and denial of service (DoS) attacks
  • Developer portals for hosted documentation and self-onboarding by developers
  • Administrative portals for viewing usage reports
  • Billing and payment support for selling subscription-based access to your API
  • On-premise, cloud, and hybrid hosting deployment options

API management layers may be offered as purely closed source, purely open source, or in a hybrid model using a combination of open source components and closed source offerings.

Factor #1: Self-hosted and SaaS deployment options

Your deployment requirements are a huge factor in API management layer selection. While most vendors offer managed cloud-based options, some choose to do so only during the early stages of your API, requiring you to move to an on-premise solution as your traffic increases. Knowing how you need to deploy your API management layer, including the resources available to monitor and maintain it, is important to the selection process. Look for a vendor that offers the kind of deployment you require: on-premise or managed cloud services. If you are unsure, select a vendor that offers a seamless transition from one to the other, such as Tyk.io.

Factor #2: Simple installation process

If your API management layer will reside within your own cloud environment or data center rather than hosted, then installation needs to be simple. Evaluate the installation process to ensure that standing up new instances and new environments (e.g. staging, UAT, integration) will be easy – and preferably automated. If you prefer containerization, consider vendors that offer a container-based distribution to reduce the effort required to support your deployment process.

Factor #3: Meets feature requirements

Part of your selection process should include an evaluation. We covered this in a previous article, but I’ll repeat it here for reference. Your evaluation should include the following considerations:

  • Authorization – can you implement your desired authorization mechanism (e.g. API tokens, keys, OAuth 2, etc) to meet your needs?
  • Performance – how much overhead does the layer require for each request? Measure the performance of your API endpoints before and after installing the API management layer. Expect some reduction in performance, but also ensure that the management layer doesn’t cause a drastic decrease in performance that may require additional server capacity
  • Security – perform some basic penetration testing to verify that the layer is catching common attack vectors. Attacks such as SQL injection, denial of service attack prevention through rate limiting, and other attacks can often be simulated with some simple scripts
  • Onboarding – how easy or hard will it be for your developers to get onboarded? Does the onboarding process support the business, product, and technical needs of your company?
  • Reporting – does the management layer provide the information you will need on a day-to-day basis to better serve your developers? Can you export data via an API or push it into an external reporting solution easily, for integration into other daily/weekly reports?

Factor #4: Customization should not be required

I was recently discussing the abundance of infrastructure tools available to development teams today. With every tool comes the burden of understanding it and getting it integrated into your environment. Some tools choose to offer a variety of options, but require considerable effort to get them running. Be sure to evaluate the effort required to start using the API management layer. Customization options are great, but if you can’t get started easily or without installing lots of plugins, you need to know this ahead of time.

Factor #5: Easy upgrades

Whatever solution you select, you will need to keep it upgraded to ensure you have the latest improvements and available features. Evaluate the upgrade process by reading past release notes to better understand the process that will likely be required. If there are no release or upgrade notes, then that should generate a concern. Just keep in mind that some commercial offerings only supply these details directly to customers or via a customer portal. If you don’t find anything, contact the vendor to ensure that they are available to paying customers.

Factor #6: Vendor viability

We all want API management vendors to experience growth and success. However, not everyone will be around in the long term. Consider the vendor’s viability by understanding their revenue model. For open source solutions, take into consideration the companies backing the solution, along with the community that is supporting it. If there isn’t much activity, then the solution may become abandoned in the future.

Factor #7: Management Automation

Finally, consider the automation options available to configure, manage, and integrate the solution into your operations processes. Vendors that offer APIs for every feature available in their configuration APIs, along with reporting APIs and webhooks for important events ensure that you can easily automate changes and integrate it into your deployment process.

Conclusion

As you have likely realized, it isn’t easy to select an API management layer. However, your decision will have ramifications for months or years to come. It may offer tremendous flexibility or severely limit your options in the future. Take the time to properly evaluate the API management layer that best fits your needs.

Why Open Source is right for your business

This month we feature a guest post by the editor of the excellent API Developer Weekly: James Higginbotham who talks about the benefits of Open Source API Management for your organisation – Take it away James!

tykblogtykblog2

Over the last 5 years, we have seen tremendous growth and options available for API management. While some are closed source, many vendors, such as Tyk.io, are choosing to launch as open source API management solutions. Companies are now asking the question, “Is an open source API management layer the right choice?” Let’s examine some of the advantages of open source API management, to help us through the decision-making process.

Advantage #1: Avoid the “DIY” API Management Solution

I have spoken to some groups that have rolled their own API management solution. While your team may be the unique snowflake that needs to build your own API management layer, doing so requires considerable time, resources, and expertise. Instead, start from an open source API management layer.

Dave Koston, VP Engineering for Help.com, agrees: “There’s simply no way we could internally build the feature set of many of the OSS products we use as it would take 10-20 times longer than learning their product and the cost would be many times higher as well.”

A good open source API management layer should offer ways to customize the solution, either via clearly defined APIs or plugin-architecture. Your focus should be on delivering value to the market, not becoming experts in API management.

Advantage #2: Code Reviews Create Confidence

Open source solutions allow the API provider to perform a code and security review – perhaps pairing someone from the API provider with an engineering resource from the vendor. However, Mr. Koston recommends caution when factoring code reviews into your OSS selection: “We reviewed other solutions which were wrapped into other web servers like nginx but having multiple levels of software inside the gateway made it hard to determine where problems arose. Being able to simply read the source of a single product and talk to a single vendor makes the product, and any issues much easier to reason about and deal with.”

Keep in mind that your API management priorities may not be the priorities of some vendors. API management layers must offer a breadth of features. Not every vendor will focus on the ones most important to you. Being confident in the code that is protecting your APIs is important.

Advantage #3: Jumpstarts Your API Management Early

API monitoring and security should start early, not after experiencing growth. Too often, I have seen companies deploy without an API management solution, only to realize that they have no insights into how it is consumed, who is consuming it, and if any security compromises have occurred. The most often cited reason is due to one of limited time, limited/no budget, or uncertainty if the API program will succeed. Once the API program experiences growth, the impact of installing an API management layer is much greater and can have a negative impact on existing API consumers due to changes in account and API token management. Open source API management layers make this an easy and affordable option, even if your API is only used internally or to power web and mobile apps.

What About Technical Support?

When adopting an open source development tool, technical support may vary from Github tickets to mailing lists and Slack groups. However, choosing an open source API management layer doesn’t mean you have to go without vendor support. Many vendors, including Tyk.io, and others offer technical support packages that address the needs of the enterprise, mid-size companies, and growing startups. Be sure to evaluate how your API management layer will be supported long-term as part of your assessment.

Getting Started

Many open source vendors offer distributions of their API management layer that are easy-to-install on a laptop, on-premise, or in the cloud. Start by building a prototype API that mimics your needs, then try out each API management layer to make sure it meets your needs. Your evaluation should include the following considerations:

Authorization – can you implement your desired authorization mechanism (e.g. API tokens, keys, OAuth 2, etc) to meet your needs?

Performance – how much overhead does the layer require for each request? Measure the performance of your API endpoints before and after installing the API management layer. Expect some reduction in performance, but also ensure that the management layer doesn’t cause a drastic decrease in performance that may require additional server capacity

Security – perform some basic penetration testing to verify that the layer is catching common attack vectors. Attacks such as SQL injection, denial of service attack prevention through rate limiting, and other attacks can often be simulated with some simple scripts

Onboarding – how easy or hard will it be for your developers to get onboarded? Does the onboarding process support the business, product, and technical needs of your company?

Reporting – does the management layer provide the information you will need on a day-to-day basis to better serve your developers? Can you export data via an API or push it into an external reporting solution easily, for integration into other daily/weekly reports?

Part of any API program’s responsibility is to select a great API management layer. Make the time to do a proper evaluation to ensure that the one you select will meet the needs of your company.

Scroll to top