February 17, 2022

API Gateway in the Multiverse of APIs

Marcelo Dias
Solutions Architect
Information technology professional certified in Cloud Computing, Service Oriented Architecture (SOA), Container Orchestration (Kubernetes and OpenShift), Java EE and Web services.

In my interactions with customers to discuss solutions involving the use of an API Management platform, the use case of integrating with partners consuming APIs exposed by the company is a common and generally well understood scenario. However, there are still some doubts when we talk about the use of the API Management platform to consume the APIs provided by partners.

The diagram below illustrates in a simple way a common scenario of using an API Management platform, exposing its backend services through an API Gateway and consumed by customer applications, including business partners.

Figure 1. Common and generally well understood use case: partners consuming APIs exposed by a company through an API Gateway

In the above scenario, the exposure of backend services takes place in the context of a given company, which connects its legacy systems, databases, web services, ERP and microservices to its API Management platform, providing APIs for customer applications. 

We can understand this context as the Customer Universe.

But in an increasingly digital, connected and open world, the adoption of APIs for integration between businesses and governments of all sizes has become the new normal, accelerated by the impact of COVID-19.


Therefore, in addition to the Customer Universe of APIs, there are also other contexts that need to be integrated: the Business Partners’ Universe of APIs. And an API Management platform can be a key piece to the successful integration of these different API contexts.

Figure 2. Use of the API Gateway to integrate with internal APIs and APIs provided by business partners

Why connect my partners’ APIs to my API Gateway? 

Imagine that your business partner exposes well-documented APIs for you to consume in your applications. So why would you include your API Gateway as another layer of architecture in this integration? In short, the answer is Security & Control and Cost Optimisation.

The API Gateway is the main component of an API Management platform. There are numerous benefits of adopting an API platform, such as security, governance, connections and transformations, among others. These benefits apply both to your internal APIs, which you are exposing to customer applications, and to your partners’ APIs that you need to consume.

Security & Control

  • Will all the operations of the APIs offered by your partner be used in your business processes? 
  • Will all areas of your company be able to access all the APIs, and their respective operations, provided by your partner?
  • Is there sensitive or confidential data trafficked in these APIs that should be obfuscated or encrypted?
  • And when the partner releases a new version of the API, can you perform an impact analysis on your applications that consume said APIs?
  • Can the partner manage the APIs provided by them directly in your API Gateway?

These are some questions that help you understand why you should connect your partners' APIs into your API Gateway rather than a direct connection from your applications to those APIs.

You don't always need to use all the operations provided by an API, especially when there is a cost involved. By integrating your partners' APIs into your API Gateway, you can choose to expose only the APIs and operations required for your business processes, preventing the misuse of any operation.

Another important issue is the security involved in these APIs. Using the API Gateway you can create specific access plans for each customer application, limiting access only to the operations that application needs to have (principle of least privilege) and avoiding the sharing of access credentials, provided by your partner, for all customer applications that need to consume some API operation.

For APIs that handle sensitive or confidential data, you have the option to configure additional security policies in your API Gateway to encrypt some data or even obfuscate data in the audit logs.
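The three controls described above (exposing only the required operations, per-application access plans, and obfuscating data in audit logs) can be sketched as follows. This is an added example, not code from the article or from any API Management product; the application names, paths, field names and the credential placeholder are hypothetical.

```python
import copy

# Constructed sample policy: every name, path and field here is hypothetical.
PARTNER_CREDENTIAL = "partner-key-PLACEHOLDER"  # stored only in the gateway
EXPOSED_OPERATIONS = {("GET", "/quotes"), ("GET", "/orders"), ("POST", "/orders")}
ACCESS_PLANS = {
    "billing-app": {("GET", "/orders")},
    "checkout-app": {("GET", "/quotes"), ("POST", "/orders")},
}
SENSITIVE_FIELDS = {"card_number", "tax_id"}


def mask(payload):
    """Return a copy of a flat payload with sensitive values obfuscated."""
    masked = copy.deepcopy(payload)
    for key in masked:
        if key in SENSITIVE_FIELDS:
            masked[key] = "***" + str(masked[key])[-4:]
    return masked


def authorize(app_id, method, path):
    """Allow a call only if the gateway exposes it and the app's plan grants it."""
    op = (method.upper(), path)
    if op not in EXPOSED_OPERATIONS:
        return False, "operation not exposed by gateway"
    if op not in ACCESS_PLANS.get(app_id, set()):
        return False, "operation not in access plan"
    return True, "ok"


def handle(app_id, method, path, payload, audit_log):
    """Gateway entry point: authorize, write a masked audit record, then forward."""
    allowed, reason = authorize(app_id, method, path)
    audit_log.append({"app": app_id, "op": f"{method} {path}",
                      "allowed": allowed, "reason": reason, "body": mask(payload)})
    if not allowed:
        return {"status": 403, "error": reason}
    # The partner credential is attached here; calling applications never hold it.
    upstream = {"method": method, "path": path, "body": payload,
                "headers": {"Authorization": f"Bearer {PARTNER_CREDENTIAL}"}}
    return {"status": 200, "upstream_request": upstream}
```

Because every decision is recorded with the application identity, the same audit log also answers which applications consume a given partner operation.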

And when your partner releases a new version of the API, you can easily perform an impact analysis from your API Gateway, identifying which customer applications consume a certain API and thus draw up an appropriate work plan to adapt to the new version and discontinue the use of the old version of the API.

In a more advanced security scenario, it is possible for your partners to manage the APIs provided by them directly in your API Gateway, through security features such as controlling organisations, teams and profiles, determining visibility rules for the resources and objects of your API Gateway, integrating with external user repositories through protocols like LDAP or SAML 2.0.

Cost Optimisation

It is increasingly common for APIs provided by business partners to be monetised. APIs are treated as products of these companies, generating revenue by charging for their consumption, usually based on the number of calls to these APIs.

By including your partners' APIs in your API Gateway, you can implement policies to control calls to these APIs, limiting the number of calls in a period of time (rate limit) or avoiding peak calls (spike arrest), even if you have not yet reached the established limits.

There is also the possibility of configuring a cache policy when calling APIs, avoiding some calls to your partners' APIs for operations where the data does not change frequently.
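The sketch below shows how the three cost controls interact in front of a billed partner API: a cache hit costs nothing, spike arrest rejects a burst even while quota remains, and the rate limit caps billed calls per window. It is an added example, not code from the article or from any gateway product; the class name, parameters and sample timings are assumptions chosen for illustration.

```python
import time


class PartnerCallGuard:
    """Rate limit, spike arrest and TTL cache in front of a billed partner API."""

    def __init__(self, quota, window_s, min_interval_s, cache_ttl_s,
                 clock=time.monotonic):
        self.quota, self.window_s = quota, window_s
        self.min_interval_s, self.cache_ttl_s = min_interval_s, cache_ttl_s
        self.clock = clock
        self.window_start = clock()
        self.used = 0            # billed calls in the current window
        self.last_call = None    # time of the last call sent upstream
        self.cache = {}          # key -> (expires_at, value)
        self.billed_calls = 0

    def call(self, key, fetch):
        now = self.clock()
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return "cache", hit[1]                 # no partner call, no cost
        if now - self.window_start >= self.window_s:
            self.window_start, self.used = now, 0  # start a new quota window
        if self.used >= self.quota:
            return "rate_limited", None
        if self.last_call is not None and now - self.last_call < self.min_interval_s:
            return "spike_arrested", None          # burst, quota not yet reached
        self.used += 1
        self.last_call = now
        self.billed_calls += 1
        value = fetch(key)
        self.cache[key] = (now + self.cache_ttl_s, value)
        return "upstream", value


def demo():
    """Replay a constructed call timeline (seconds, key) against a fake clock."""
    t = [0.0]
    guard = PartnerCallGuard(quota=3, window_s=60, min_interval_s=1,
                             cache_ttl_s=30, clock=lambda: t[0])
    timeline = [(0.0, "a"), (0.2, "a"), (0.5, "b"), (2.0, "b"),
                (4.0, "c"), (6.0, "d"), (61.0, "d")]
    outcomes = []
    for at, key in timeline:
        t[0] = at
        outcomes.append(guard.call(key, lambda k: f"data-for-{k}")[0])
    return outcomes, guard.billed_calls
```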

Conclusion

In this article, I attempted to explore the scenario of integration with business partners through your API Gateway from a perspective where the partner provides the services to be consumed by your company, together with a more common scenario where a business partner consumes the APIs provided by your company.

There are several benefits to using an API Gateway, such as security, governance, connections and transformations, among others, but here I mainly highlighted security and control, in addition to cost optimisation.

To find out more...

  • Partner ecosystem support: Use APIs to simplify developer onboarding and boost your partner ecosystem, reducing integration cycles from months to weeks - https://www.sensedia.com/partner-ecosystem-integrations  
  • The Resource Centre offers various materials prepared by Sensedia experts, from Design and Reference Guides to APIs and Microservices Adoption Roadmaps - https://www.sensedia.com/resources 
  • In Sensedia Docs you will find technical information on how to configure and use Sensedia products, both from the API Platform and its Add-ons, such as Adaptive Governance, Connectors, Events Hub, Flexible Actions and Service Mesh - https://docs.sensedia.com/ 
  • In the Help Centre, besides the possibility of customers opening calls, there are also some articles with more specialised technical content about configurations and use of the platform - https://sensedia.zendesk.com/ 

  • How Developer Experience can transform your community and engagement with developers - https://www.sensedia.com/developer-experience

Thanks for reading!