Tech Insights / API Management

API management: Enabling API delivery and operations at scale

The application programming interface (API) is a key enabler of modern applications, and API use is increasing rapidly in virtually every industry as software development accelerates to meet digital transformation goals. Businesses are embracing an API-first approach to application development and using APIs and microservices to create modern applications and to integrate new applications with legacy systems. However, the proliferation of APIs is creating increased complexity and management challenges.

What is API management?

To address the challenges associated with creating and managing APIs at scale, enterprises are turning to API management. API management encompasses the set of tools and processes that are necessary to manage APIs throughout their lifecycle, from planning to coding to testing to production to retirement. The goal of API management is to rationalize the process of creating and using APIs so that organizations can accelerate development and maximize the benefits of APIs while minimizing risks. Security is closely associated with API management. However, API security is often treated as a separate topic.

In its Magic Quadrant for Full Life Cycle API Management, Gartner enumerates five functional areas that are important for API management:

  • API design and development tools facilitate the creation of well-designed, secure, and well-documented APIs.
  • API developer portals allow developers to discover and utilize a company’s existing APIs.
  • API testing tools simplify basic code testing as well as advanced functional, performance, and security testing.
  • API gateways act as a frontend to receive API requests—and possibly transform them—before passing the requests on to backend systems.
  • Policy management and analytics allows teams to define security and other policies and understand API usage.

Many teams already have tools that provide some of these elements. In our annual survey of Spring users, 2 out of 3 are using API management as a part of their Spring development environments. Organizations need API management tools that help:

  • Implement security, access control, and other policies.
  • Correlate metrics, interpret complex data, and provide actionable information.
  • Reduce complexity of tasks such as designing APIs, updating existing APIs, or discovering what APIs are available.
  • Integrate with existing software. Tools should be extensible to interoperate with other tools in your environment and support unique requirements.

What are the key elements of API management?

API design and development tools, API testing tools, and API developer portals help serve the needs of development and testing teams, enabling them to deliver better, more secure APIs in less time. API gateways and policy management and analytics tools help teams operate APIs more efficiently.

API design and development tools

Because of the current focus on APIs, many tools are emerging to help teams design and build APIs more easily. The OpenAPI initiative (formerly known as Swagger) defines specifications for how REST APIs should be described, produced, and consumed. Open source tools such as Stoplight help developers design, document, and build OpenAPI-compatible APIs.

API testing tools

Newly created APIs need to be thoroughly tested to ensure they perform as expected and are as secure as possible. A variety of automated API testing tools exist that can streamline the testing process and ensure better test coverage. For example, Spring Boot makes it simple for Java developers to create and test APIs as described in the developer guide, Building an API with Spring Boot. There are also many popular API testing tools that are available as open source, such as Postman.

API developer portal

The explosion of APIs can make it difficult for developers to find, manage, and test APIs for use with their applications. An API developer portal enables teams to more easily discover and share internal and external APIs, along with their documentation.

API gateways

API gateways provide an easy way to route, secure, and monitor API requests and manage access to APIs. Using an API gateway can help simplify the communication between a client and a service, whether between a user’s web browser and a server miles away, or between a frontend application and the backend services it relies on. API gateways provide cross-cutting functionality like authentication and authorization, policy enforcement, and data transformation. For example, a single API might be accessed from a client using a web browser, a mobile phone, or a tablet. An API gateway can perform specific transformations for each client type so that the API endpoint itself doesn’t have to do that work. Development teams can remove code and eliminate duplication across upstream services since the API gateway provides that functionality.

Read the guide Applying the API Gateway Pattern to learn more.

API policy management and analytics

API monitoring and management tools can provide greater insight into your API environment, enabling developers and operators to view key metrics about API performance, such as response time, error rate, authentication, and authorization data. Ideally, these tools should also provide traceability, enabling requests to be traced through the API gateway to upstream applications, potentially including supporting data and messaging services as well. API management tools may also incorporate API security.

What are the benefits of API management?

Our annual survey of Spring users found that more than 4 in 5 developers are using modern architectures like microservices and serverless, and 97% think APIs are critical to their development efforts. This reliance on APIs is why API management is so important. Here are a few of the specific capabilities of API management that provide notable benefits:

  • Sending metrics, traces, and span logs to dashboards to help troubleshoot service issues.
  • Identifying and fixing vulnerabilities in API endpoints early in the development lifecycle before they become harmful.
  • Managing access control and applying appropriate security measures and policy requirements, streamlining application integration.
  • Enhancing API discovery and sharing API code and documentation, improving team collaboration between API producers and consumers and across teams and departments.
  • Spending less time managing APIs and enabling developers to stay up to date with modern technologies like microservices and serverless.

What to keep in mind when considering API management

API management is important to the success of cloud native applications. As with any modernization effort, choosing the right API management tools will help encourage skill development and team building. API management should empower application developers, lower costs, and accelerate application and feature delivery. As you add new tools and technologies, it’s important to consider how you will evolve your culture and practices.

These are some important topics to think about as you adopt API management:

External vs. internal APIs: API management tools may need to manage externally facing APIs separate from internally used APIs. Externally facing APIs may need curated API portals and ways to provide billing and entitlement plans with specific rate limiting and other controls.

Internal API management may need to support API development tools, distributed API gateway solutions for each business unit, or bounded contexts for domain-driven design. Discovery and management should ideally be consistent across all internal APIs.

API governance: The explosion of API use creates new challenges: How do developers discover, learn about, and manage so many APIs without becoming overwhelmed? When developers spend too much time and energy creating, finding, and configuring APIs, it takes precious time away from their ability to write code, innovate, and deliver business value. Do you need an API developer portal to provide a simple interface for developers to access internal and external APIs and allow you to easily view documentation? Can your API gateway route, secure, and monitor API requests? Can your team publish and access APIs themselves, enabling scale and self-service?

Modernization and microservices: Monolithic systems and technical debt take years to accumulate and do not magically go away when you start to modernize. Do your chosen API management tools support an API-first approach to application migration? Do they help reduce the complexity and effort of connecting modern applications and legacy systems while promoting well-defined roles and effective collaboration across teams?

API security and observability: Multi-cloud workloads make APIs more vulnerable, and as API usage rises, security risks increase, too. Both developers and security teams need a comprehensive understanding of when, where, and how APIs are communicating across multi-cloud environments. API management tools are necessary to verify that APIs remain secure, compliant, and performant as their use increases. Tools should detect data-related issues such as exfiltration or theft, identify API vulnerabilities, anticipate new vulnerabilities, and scale security accordingly.

API management at VMware

VMware Tanzu is a leading resource for modern application development and Kubernetes. VMware Tanzu products integrate the API management capabilities that teams need to accelerate development and succeed. VMware Tanzu experts can help jump-start your team’s efforts to modernize and rationalize your approach to APIs.

VMware Tanzu Labs can help teams turbocharge their application modernization efforts and provide advice on the best tools and methods to manage APIs to achieve security and scale.

VMware Tanzu Application Platform is a modular, application-aware developer platform that provides a rich set of developer tooling and a prepaved path to production to build and deploy software quickly and securely on any compliant public cloud or on-premises Kubernetes cluster. Tanzu Application Platform integrates all the tools that developers need, including a developer portal built on Backstage.

Spring Cloud Gateway and Spring Cloud Gateway for Kubernetes provide flexible capabilities for routing API requests, with a strong focus on cross-cutting concerns such as security, resiliency, and monitoring/metrics.

VMware Aria Operations for Applications offers scalable observability for multi-cloud environments.

API portal for VMware Tanzu provides a unified interface to search for APIs. It works out of the box with Spring Cloud Gateway, but also supports adding any number of OpenAPI document source URLs.

Frequently Asked Questions

What is an API?

An application programming interface (API) allows different applications, or application services in a microservices architecture, to interact with each other. APIs often transmit data and may exchange sensitive information, making security considerations critical.

What is API management?

API management provides tools to help control and secure the API lifecycle. This can include access control and security, API discovery, data analysis, and monitoring.

What is an API gateway?

An API gateway provides a single access point for a set of backend APIs. A client only needs to know how to reach the API gateway rather than each individual service. A gateway can provide shared functionality for an entire set of APIs, such as authentication and authorization, policy enforcement, and data transformation. Using the API Gateway pattern offers significant advantages in terms of centralization and control: rate limiting, authentication, auditing, and logging can all be implemented in the gateway.

What is an API developer portal?

An API developer portal enables developers to more easily discover and share APIs and associated documentation.

What is API monitoring?

API monitoring enables developers to view key metrics about API performance and provides meaningful insights in the form of transaction logs, analytics, and event alerts.

What is API lifecycle management?

API lifecycle management tracks and manages an API from design, development, testing, and deployment to deprecation and retirement.