What Is API Management?




Karthik Krishnaswamy of F5
Director, Product Marketing for NGINX
December 4, 2018
At NGINX Conf 2018 in October, we announced the new API Management Module for NGINX Controller.
With this product we build on our position as the industry’s most-deployed API gateway – millions of sites
already use NGINX Open Source and NGINX Plus to secure and mediate traffic between backend
applications and the consumers of the APIs which those applications expose.
But efficiently handling client requests is only one aspect of a successful API (albeit a crucial one). You
also need to manage your APIs across their full life cycle, which includes defining and publishing them,
and securing and managing traffic. You need to monitor and troubleshoot performance to ensure
customer satisfaction, and analyze traffic to maximize business value. Comprehensive API management
is essential to the rapid adoption and continuing success of your APIs.
[Figure: API management covers the full life cycle of your APIs]
Like many of our customers, you might find the thicket of concepts and terminology surrounding API
solutions rather daunting. In this blog, we discuss key API concepts and explore the relationship of API
management to API gateways.

Key Concepts
API management comes with its own concepts and terminology:

• Internal APIs – Internal APIs are exposed only to other applications (and their developers) within an
enterprise, not to external users. Internal APIs help unlock data and foster collaboration among functional
units within an enterprise. Here’s an illustrative example: before providing assistance to customers, an
enterprise’s technical support team needs to determine whether the customer has a valid support contract.
That information is already stored in the enterprise’s customer relations management (CRM) system, such as
Salesforce. Rather than duplicating the information in its own database, the customer support application
calls the CRM’s internal API.
• External APIs – External APIs are exposed to users outside your enterprise. They provide the means to
build partnerships with third-party developers as well as your entire business ecosystem of suppliers,
distributors, resellers, and even customers. External APIs also enable enterprises to generate new sources of
revenue using innovative business models. Google Maps is an illustrative example. Many third-party
websites and applications embed a Google map to help end users pinpoint a retail location or get directions.
It doesn’t cost the end user anything to access the map, but after a certain number of clicks Google charges
the site or app for each API call.
• Definition and publication – API management solutions provide an intuitive interface to define
meaningful APIs, including the base path (URL), resources, and endpoints.

  ◦ Resources are fundamental to any API definition; they are an abstraction of the information upon
which the API performs operations. Sample resources are documents and customer IDs. The API is
invoked to retrieve this information.
  ◦ Endpoints specify where resources are located. APIs have a base URL to which the endpoint paths
are appended. All API endpoints are relative to the base URL.

As an example, in the API endpoint https://app.enterprise.com/v1/inventory/, /v1 is the base path
and /inventory is the resource.
API management solutions enable API authors to publish APIs to various environments such as
production, test, or staging. This ensures consistency for each environment and prevents
misconfigurations. The solutions also automate creation of new APIs and modification of existing
ones.

• API gateway – As mentioned previously, API gateways secure and mediate traffic between your backend
and the consumers of your APIs. API gateway functionality includes authenticating API calls, routing
requests to appropriate backends, applying rate limits to prevent overloading of your systems or to mitigate
DDoS attacks, offloading SSL/TLS traffic to improve performance, and handling errors and exceptions.
• Microgateway – Many solutions have a centralized, tightly coupled data plane (API gateway) and control
plane (API management tool). All API calls have to pass through the control plane, which adds latency. The
API gateway in this architectural approach is inefficient when handling traffic in distributed environments
(for example intraservice traffic in a microservices environment or handling IoT traffic to support real-time
analysis). Hence, to manage traffic where API consumers and providers are in close proximity, vendors of
legacy solutions have introduced an additional software component called a microgateway to process API
calls.
• API analytics – As your APIs become popular, you need to ensure they provide value for your API
consumers as well as meet your business objectives. That’s where API analytics become crucial.
API management solutions provide critical insights via visualizations – such as dashboards and
reports – into API metrics and usage, informing you (as examples) which APIs are used most and
least, how API traffic is trending over time, and which developers are the top API consumers. API
analytics enable the API business owner – sometimes referred to as the API Product Manager – to
gain deep visibility into the performance of the API program.
Analytics are important for troubleshooting as well. API management solutions provide deep
visibility into operational metrics on a per-API basis. These metrics enable Infrastructure &
Operations teams to monitor and troubleshoot performance and security issues. Here are
examples of questions that analytics can help answer:

  ◦ What is the status and uptime of all my API gateway instances?
  ◦ When do we see slowdowns for an API?
  ◦ When are HTTP errors occurring for an API?
• API security – Security is a critical aspect of API infrastructure. Without robust security, anyone can
access your APIs and data and introduce malicious behavior by invoking a call to an unsecured
API. API security entails the following elements:
  ◦ Authentication – Authentication refers to the process of reliably determining the identity of the
caller. API keys are the standard mechanism for authenticating and identifying callers who want to
access an API. API management solutions provide an interface for API providers to generate API
keys which can then be shared with third-party developers to use when invoking API calls. OAuth is
a widely used authentication mechanism.
  ◦ Authorization – Authorization refers to the process of determining which privileges or access levels
are granted to a user. One way to authorize users is via JSON Web Tokens (JWTs). JWTs are access
tokens that assert claims (the JWT terminology for individual privileges). For example, the JWT
presented by a client app might include a claim enabling access to one specific resource. If the client
app attempts to access any other resources, an HTTP 403 Forbidden error is returned.
  ◦ Role-based access control (RBAC) – RBAC refers to defining user roles that have certain
privileges. For example, Infrastructure & Operations staff are typically not responsible for creating
and publishing APIs, but only for monitoring and troubleshooting. So they are assigned to a role that
has only those privileges. Similarly, only the API Product Manager is assigned the role that has
access to API analytics.
  ◦ Rate limiting – Rate limiting refers to imposing a limit on the number of requests a caller can make
during a defined period of time (for example, 10,000 requests per second). Rate limits prevent
overloading of your backend systems and help mitigate DDoS attacks. The API management solution
provides the interface for defining rate limits, which the API gateway then enforces. Rate limits also
enable you to offer tiered levels of service (for example, Gold clients can make 10,000 requests per
second while Silver clients can make 5,000).
• Developer portal – A developer portal is an online location where you publish resources that facilitate rapid
onboarding of your API consumers, such as a catalog of your external APIs, comprehensive documentation,
and sample code. A developer portal also allows third-party developers to register their apps and obtain API
and JWT keys. Some solutions also provide a mechanism for interaction among developers who are using
your API. A well-designed developer portal is pivotal to the success of your API program.
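
The authentication, authorization and rate-limiting items above can be combined into a single gateway decision. The following is an added example, not code from the original post or from NGINX; the claim names `resource` and `tier`, the shared HS256 key, and the `Gateway` class are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"               # assumption: HS256 key shared with the issuer
TIER_RATE = {"gold": 10_000, "silver": 5_000}  # requests per second, the tiers from the text

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, key=SECRET):
    """Issue a constructed HS256 JWT so the example runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify(token, now, key=SECRET):
    """Return the claims only if alg, signature, exp and sub all check out."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # never trust "none" or a swapped alg
            return None
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):      # constant-time comparison
            return None
        claims = json.loads(_b64d(body))
        return claims if claims["exp"] > now and isinstance(claims["sub"], str) else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

class Gateway:
    def __init__(self):
        self.buckets = {}  # sub -> (tokens left, time of last refill)

    def handle(self, token, path, now):
        claims = verify(token, now)
        if claims is None:
            return 401                                     # caller not authenticated
        if claims.get("resource") != path:
            return 403                                     # claim does not cover this resource
        rate = TIER_RATE.get(claims.get("tier"), 0)        # unknown tier gets no quota
        tokens, last = self.buckets.get(claims["sub"], (rate, now))
        tokens = min(rate, tokens + (now - last) * rate)   # token bucket: refill, capped at 1 s burst
        allowed = tokens >= 1
        self.buckets[claims["sub"]] = (tokens - 1 if allowed else tokens, now)
        return 200 if allowed else 429
```

The order of the checks matters: an unauthenticated or unauthorized request is rejected before it touches a bucket, so it cannot consume a legitimate client's quota.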

NGINX API Management: Building On The Industry’s Foundational API Gateway
NGINX is already the industry’s most ubiquitous API gateway – in a recent survey we conducted, 40% of
our customers reported that they deploy NGINX as an API gateway.
The new API Management Module for NGINX Controller, to be released soon, combines the raw power
and efficiency of NGINX Plus as an API gateway with new control-plane functionality. NGINX Controller
enables Infrastructure & Operations and DevOps teams to define, publish, secure, monitor, and analyze
APIs, while keeping developers in control of API design. Rich monitoring and alerting capabilities help
ensure application availability, performance, and reliability. NGINX Controller provides deep visibility into
key metrics, enabling Infrastructure & Operations and DevOps teams to avoid performance issues in
the first place and quickly troubleshoot any issues that may arise.
Our approach to API management is different from traditional solutions. Unlike those solutions, the
NGINX Plus API gateway (data plane) does not require constant connectivity to NGINX Controller (control
plane), so API runtime traffic is isolated from management traffic. NGINX Controller eliminates the need
for local databases or additional components that may introduce needless complexity, latency, and points
of failure for NGINX Plus API gateways. This maximizes performance by reducing the average response
time to serve an API call and minimizes the footprint and complexity of the gateway. Decoupling the data
plane from the control plane gives you the flexibility to deploy as many or as few API gateway instances
as needed by your application architecture. NGINX Controller gives you the freedom to choose the right
deployment for both internal and external API needs with a lightweight, simple, and high-performance
solution that fully leverages the power of the NGINX Plus data plane.

NGINX technology powers Capital One’s developer portal, Devexchange. It has enabled Capital One to
scale its applications to 12 billion operations per day, with peaks of 2 million operations per second at
latencies of just 10–30 milliseconds. NGINX also powers Adobe’s developer portal, Adobe I/O. Adobe I/O
enables developers to integrate, extend, and create applications based on Adobe’s products and
technologies using APIs. The platform handles millions of requests per day with negligible latency.
