API Management with API Management Best Practices plays a very important role in any business with API-Led connectivity in order to ensure that APIs are exposed with a standardized approach by taking care of best practices for API Publishing, API Discovery, API Documentation, API Security, APIs Policy Enforcement, API gateway best practices, APIs analytics, APIs performance tuning and API Management environment upgradation and updates.
In this post, we will explain in detail about API Manager Best Practices with focus on different aspects of API Management in general.
API Management Best Practices Explained
Before we proceed on explanation of various API management best practices, here is a video on YouTube channel of TutorialsPedia which is explaining about the same topic. So if you prefer to go ahead in video format, watch the below video.
If you are a reading lover and would like to continue reading about API Management best practices in text format, continue reading this tutorial.
API Management Best Practices: APIs Security & Policy Enforcement
For any APIs exposed, API security is always a critical and there is no compromise possible on security of the APIs in order to ensure that API-Led connectivity and digital services are provisioned in a secure, reliable yet efficient manner. With API Management platforms on-boarded, APIs should be secured with Security Policies with API Resource & Operation Level Authorization & Access Control Policies. API Management platforms offer a variety of policies which you can consider as per your business requirements to secure your digital assets. E.g. you can enforce Policies for BlackListing certain IPs or IP ranges or you can go with a more reserved approach of IP WhiteListing if your business use-cases are limited to some specific clients with certain IP addresses or IP ranges.
Additionally, various security threats can be avoided by using Payload Validation Policies at API Gateway level so that any abnormal, invalid or potentially dangerous content is dropped at Gateway level by such validation policies without letting such risk oriented content to reach your back-end servers.
In order to minimize the risks of any Denial of Service Attacks or sudden spikes and surges on your APIs traffic, you can use Quality of Service Policies for throttling/rate-limiting, Quota Enforcement etc. Using such policies you can avoid unnecessary heavy loads on your back-end servers and improve throughput for valid traffic and any resource over-utilization can be avoided by smartly defining and configuring such policies.
API Management Best Practices: APIs Discovery Through Developer Portal
APIs are published and made available for developers through API Developer Portals (also known as API stores). When publishing APIs and making them available through portal; APIs should be made available with best practices followed to ensure that APIs can be discovered & utilized conveniently by the developers.
APIs should be well categorized and should be easily discoverable from Developer Portal. Use tags & proper descriptions when publishing APIs so that APIs are easily searchable and through categorization, developers can understand relevant APIs and API products. APIs versioning should be maintained with proper life-cycle management. API management platform should have alerting mechanism for clients to notify them for any important events like availability of any new API version, deprecation of any older version or any other API related changes of their interest or concern.
API Documentation also plays a major role in order to familiarize developers with the powers of your APIs and the use-cases that your APIs cover. APIs should have enough documentation available through API Portal so that developers understand:
* What an API does.
* What are different resources available through your API.
* Which operations are provisioned by your API.
* Any protocol specific and data-format specific information for your API operations.
* Any limitations that are important to be highlighted. (e.g. some technology constraints or protocol version constraints etc.)
* Details about any other linked or related APIs for developers to achieve their business goals.
It is also important that API Portal should provide easier way to subscribe & test APIs with Try It options and readily available SDKs to assist faster on-boarding.
API Management Best Practices: Uptime Considerations
Ideally 100% availability of your exposed APIs is expected by your clients in order to serve end-users without any outages. In order to achieve a maximum availability and up-time for your APIs, you need to follow certain best practices for your API management platform. If you are using cloud based API management platform, your environment comes under direct supervision and maintenance by the vendor and you achieve a more sophisticated operational support but if you are using a hybrid or fully on-premise API management setup, It is very important that you follow all the guidelines and best practices to ensure maximum availability of your APIs. Make sure that you follow API management best practices when setting up your environment including API gateway best practices with a clustered/distributed deployment topology. You should make sure that you prepare your API management environment with sufficient hardware resources as per vendor guidelines and all major components including API gateway, Key Managers, Traffic Managers, Analytics etc. are setup with fault tolerant approach.
Distributed and fault tolerant setup at Gateway level only won’t be sufficient and you need to consider fault tolerance and high availability for your back-end servers as well to make sure that client requests are entertained from back-end services without any glitches.
For traffic distribution among the clustered servers, use load balancers with proper tuning and smartly select the algorithm and scheme to be used for traffic distribution (e.g. weighted round robin or least-connection round robin).
API Management Best Practices: APIs Analytics Considerations
API management products provide a rich set of analytics dashboards which provide you a real-time picture of your API’s eco-system and you can analyze your APIs usage trends, customers registration & subscription trends, APIs health information, APIs faulty invocation reports, geographical API usage trends as well as different readily available and customizable analytics dashboards to graphically analyze your APIs business.
API analytics should be analyzed critically with a decisive approach to take necessary pre-emptive as well as corrective actions based on your analysis findings on various key parameters. E.g. you can identify and rectify certain performance issues by looking at APIs faulty calls dashboards and latency related dashboards. You can also identify opportunities based on user’s usage preferences and trends and offer more sophisticated APIs and you can also devise new monetization strategies based on your analytical understanding of these dashboards.
As a best practice, you should pay a proper attention to the heavy analytics data getting populated and plan and devise strategies for archiving and purging such data to avoid performance degradation of your analytics platform.
API Management Best Practices: API Management Platform Monitoring
Selecting an API management platform for your organization is a major architectural and business decision and once you have chosen an API management product and setup is done on your premised, monitoring the platform becomes a key consideration to ensure that your API management environment is working to the best of its potential and serving your API community efficiently.
For API Management Platform Selection, I have created another video on TutorialsPedia YouTube channel where I have explained various points to consider when choosing API management product for your organization. I am sharing that video as well just in case if you are interested:
API Management Cluster should be monitored for health and performance to ensure that all components of API management product including API Gateway, Key Manager, Traffic Manager, Analytics etc. are working normal. Server’s CPU utilization, Memory utilization and other server related metrics should also be taken into consideration when monitoring performance of API manager.
Alerts should be generated for any abnormal behaviour or activities & for Gateway and Other components issues.
API Management Best Practices: API Management Performance Tuning
Different Proprietary as well as open-source API Management products available in the market are built with performance taken as the highest priority as no organization can afford any performance degradation after adding a new API Gateway layer on top of back-end services. These API management products are equipped with necessary tools and configuration items to fine-tune the performance to utilize resources in an efficient manner. You should always consult with official documentation of respective products to dig deeper about performance tuning as each product might have its own set of best practices for performance tuning. However, some general points are being highlighted below for API management performance tuning best practices:
- Use Caching for APIs wherever possible. E.g. if you have a scenario where an API’s response doesn’t change quite often and client’s requests can be fulfilled from a cache, use caching feature of API manager. As an example, an API returning stock closing points for a stock market for a previous day will have same information for a whole day and hence it makes sense to respond to such API calls from a cache instead of hitting back-end for every call.
- Use policies for Gateway Level Validation to avoid unnecessary load to back-end. Using this approach to validate requests against certain XSD or JSON schema will help you to drop invalid traffic at gateway instead of performing such validations after hitting back-end servers.
- API managers provide rich set of options to perform mediation and transformation on request & response data which is quite useful in various cases but any such mediation and transformation policies should be used with a smart and carefully devised plan. Unnecessarily or heavily using such transformation and mediation policies can cause performance degradation and lower throughput with heavy payloads.
- Synchronous API calls performance shouldn’t be compromised by adding any side actions within the same flow and any actions related to logging, analytics data population & alerting should be loosely coupled so that such actions are considered aside and not in the actual API flows.
- With increased back-end storage pile-up, performance of API management platform might degrade and hence it is important that you follow best practices to archive and purge any historical data for analytics, logs etc.
API Management Best Practices: API Management Platform Upgrade
API management platform should be kept up-to-date with latest product versions, latest security updates & bug fixes so that you are able to serve your customers with maximum potential of your product.
API management products release their new versions regularly and announce major changes and you should consider all changes separately and potential impacts should be assessed before jumping to the upgrades. When upgrading your API management platform, best practices as suggested by the product documentation should be followed to avoid any worst scenarios and you should have proper backups and rollback mechanism to switch back if needed.
API Management Best Practices: Scalability Considerations
Future growth should always be kept in mind when choosing API management platform and scalability factors should be carefully assessed. API gateway and other API management components should be horizontally and vertically scalable.
Back-end services should also be fine-tuned with preference to fine-grained micro-services instead of heavy monolithic services so that individual micro-services can be easily scaled.
API Management Best Practices: Periodic Performance & Security Assessments
A working API Management platform should be regularly/periodically assessed and tested for performance and security related issues against a defined set of metrics as per your business needs. Based on such assessments, any bottlenecks may be identified and necessary corrective and pre-emptive actions may be taken to nip the evil in the bud. You should always consult and coordinate with your product specific support team to get their say on any such item before taking any action as they are at the core of the product and know better than anyone.
Recommend Reading: Why API Management is Important?
Recommended Reading: API Management Introduction and Basic Concepts
If you have any questions or any feedback about this API Manager and API Gateway Best Practices article, feel free to comment below.