Modern applications based on microservices, or based on serverless or event-driven architectures, or even efficient supply chain integrations, are several technical approaches that support the digital transformation strategy in many different businesses. And for all of these paths, Application Programming Interfaces (APIs) are the interface structure that makes it possible, becoming the common “language” within the solution. But we can go even further: new business models and profound transformations of entire sectors occur through approaches worked through APIs, such as Open Banking and Open Finance in the financial sector, or Fast Healthcare Interoperability Resources (FHIR) with Health Level Seven International (HL7) in the health sector.
Another way to observe this movement is to see the trend reported by F5 in its Continuous API Sprawl, study which estimated that the market has already reached around 200 million public and private APIs. Based on this study, Bill Doerrfeld, in an article in DevOps.com, states: “APIs are becoming increasingly crucial to the global digital economy. They are the backbone of many digital platforms and drive the composable enterprise model.”
As a result, we have a context of constant growth in the volume of APIs, where they become critical for business transformation and modernization. So, the question then becomes: how to manage these APIs? What are the challenges involved? Managing APIs can be seen from two perspectives, commonly referred to as an east-west view and a north-south view. Let’s work out what these views would be.
An east-west API management approach works with the the communication and management of APIs taking place internally, within the service or the organization. The north-south approach, on the other hand, works with communication and management of APIs externally, so that communication originates from outside the company or infrastructure.
This means there is a different solution direction to manage in each of these approaches. For an east-west approach, we work with a more technical solution, known as a service mesh. Among the best known are Istio, Linkerd, NGINX Service Mesh. For a north-south approach, technical capacity is also observed, but it is combined with a business vision, as the APIs’ exposure to external agents raises other topics to be addressed, suc as monetization, usage and SLAs. Therefore, these solutions are known as API Gateway or API Management (varying in terms of capabilities from vendor to vendor). These solutions usually work on the following pillars:
- API Lifecycle Management (building, deployment and retirement).
- Usability (including accessibility, API catalog and experience management).
- Usage monitoring and analysis (possibly also encompassing the monetization capabilities).
- Performance metrics reporting (including status reporting to clients and SLAs).
- Security Access (vulnerability intelligence, authentication, authorization, threat, or integration to DevSecOps).
Some well-known solutions are: Google ApiGee, Sensedia Platform, AWS API Gateway, Azure API Management, Software AG.
But API management does not stop at understanding these two views (east-west and north-south), nor at building or implementing the solution or technology to be used. Even this implementation requires nuances and alignment on how to model what is considered internal or external, and what needs to be managed by a service mesh or an API gateway. This field goes much further: how to integrate the API lifecycle with the application lifecycle – whether that’s DevSecOps, CI/CD or SDLC – how to work with version control on APIs, backward compatibility, demand management, reliability, business-aligned SLAs.
