Building APIs in a Cloud Native Era
- 2. Hello!
Nuwan Dias
VP and deputy CTO for API Management and Integration - WSO2
@nuwandias
Co-Author of Microservices Security in Action
- 3. "By 2021, over 75% of midsize and large organizations will have adopted a multi-cloud and/or hybrid IT strategy."
- Gartner
- 4. APIs….
● APIs connect systems together.
● APIs are built by connecting systems together.
- 5. A simple Order Processing API
Diagram labels: Order Processing API, Purchase order request, Save order in database, Purchase order response
- 7. Python code that calls the Twilio Send SMS API
Initializing the Twilio client with credentials
Sending Message
- 8. cURL request to send an SMS from Twilio
curl -X POST "https://api.twilio.com/2010-04-01/Accounts/$TWILIO_ACCOUNT_SID/Messages.json" \
--data-urlencode "Body=Hi there$EXCLAMATION_MARK" \
--data-urlencode "From=+15017122661" \
--data-urlencode "To=+15558675310" \
-u "$TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN"
Basic Auth Header: the -u option
Message Payload: the --data-urlencode fields
- 9. That was the happy path!!
Wait! What? There’s an unhappy path too? It’s Twilio, what could possibly go wrong?
- 10. What problems did you not see above?
● How to deal with credentials securely.
⦿ How to obtain credentials?
⦿ How to store credentials securely?
⦿ How to propagate credentials through CI/CD pipelines of the app?
● How to handle application errors.
⦿ When the phone number is invalid or disconnected.
⦿ When the credentials are invalid or expired.
● How to handle connectivity issues.
⦿ Network connectivity issues.
⦿ APIs being retired.
⦿ Expired certificates.
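The unhappy paths listed on slide 10, applied to the Twilio call from slide 8, as an added example that is not part of the original deck. The function and exception names are hypothetical, and it assumes a successful response carries the message `sid` in its JSON body and that HTTP 401/403 mean the credentials were rejected.

```python
import base64, json, os, ssl, time
import urllib.error, urllib.parse, urllib.request

API = "https://api.twilio.com/2010-04-01/Accounts/{sid}/Messages.json"

class CredentialError(Exception):
    """Credentials missing, invalid or expired: rotate them, do not retry."""

class RequestRejected(Exception):
    """The API refused the request itself (for example an invalid number)."""

class ServiceUnavailable(Exception):
    """Network or server-side failure that retrying did not resolve."""

def build_request(sid, token, to, sender, body):
    form = urllib.parse.urlencode({"Body": body, "From": sender, "To": to})
    req = urllib.request.Request(API.format(sid=sid), data=form.encode(), method="POST")
    basic = base64.b64encode(f"{sid}:{token}".encode()).decode()
    req.add_header("Authorization", "Basic " + basic)  # same header curl -u builds
    return req

def send_sms(to, sender, body, env=os.environ, opener=urllib.request.urlopen,
             retries=3, backoff=0.5):
    # Credentials come from the environment (injected by the deployment
    # pipeline or a secret store), never from source code.
    try:
        sid, token = env["TWILIO_ACCOUNT_SID"], env["TWILIO_AUTH_TOKEN"]
    except KeyError as missing:
        raise CredentialError(f"{missing} is not set") from None
    req = build_request(sid, token, to, sender, body)
    for attempt in range(retries):
        if attempt:  # exponential backoff before each retry
            time.sleep(backoff * 2 ** (attempt - 1))
        try:
            with opener(req, timeout=10) as resp:
                return json.load(resp)["sid"]
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                raise CredentialError("credentials rejected") from err
            if err.code != 429 and err.code < 500:
                raise RequestRejected(f"HTTP {err.code}") from err
        except urllib.error.URLError as err:
            # An untrusted or expired certificate fails closed: no retry and
            # no fallback to an unverified connection.
            if isinstance(err.reason, ssl.SSLCertVerificationError):
                raise ServiceUnavailable("certificate check failed") from err
        except OSError:
            pass  # timeouts and connection resets are retried
    raise ServiceUnavailable(f"no success after {retries} attempts")
```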
- 11. Drawbacks of writing code to connect to well-known endpoints
● Lots of boilerplate code.
● The need for developers to learn things outside the scope of their business.
⦿ Learning how to use the APIs/SDKs (if available).
⦿ Learning how to obtain and manage credentials securely.
⦿ . . . .
● Risk of mistakes and the need for a good governance model to avert them.
● Developers having to keep up with new versions of the endpoints.
⦿ For security and other important updates.
● A repetition of all the drawbacks above as more developers start connecting to the same endpoints.
- 12. Introducing Integration APIs to solve the problem
Diagram labels: Orders Microservice, Products Microservice, Cloud Services, Integration APIs, Utility APIs
- 13. Important characteristics of Integration APIs
● Can be implemented using low-code/no-code tooling.
● Flexible enough to be extended using code (doesn’t stop at low/no code).
● Has all characteristics of a proper cloud-native microservice.
⦿ Atomic execution.
⦿ Lightweight in distribution and resource utilization.
⦿ Supports GitOps based CI/CD flows.
⦿ Observable.
⦿ . . . . .
● Has a rich family of connectors to well known cloud APIs.
● Provides rich value for connecting to any endpoint (even non-SaaS).
● Has rich constructs for well known integration needs (data mapping, error handling, etc).
- 15. What is a service mesh and what problems does it solve?
● The primary goal of a service mesh is to solve the problems that arise in an MSA when services communicate with each other.
⦿ Service discoverability
⦿ Transport level security
⦿ Circuit breaking
⦿ Message tracing and observability
Diagram labels: Orders Microservice, Shipping Microservice
- 16. We now have a functional API. What does it take to run this in production?
- 17. Running an API in Production in a Cloud Native Era
● Granting secure access to the API.
⦿ Standard protocols such as OAuth2.0/OIDC.
⦿ Security federation across cloud IDPs.
⦿ Security context propagation to upstream microservices.
● Updating the API with no downtime and client impact.
⦿ API versions and revisions.
⦿ Seamless migration of clients to newer versions of the API.
● Supporting different styles of APIs and protocols.
⦿ Regular, request/response type APIs
⦿ Event driven APIs
⦿ HTTP, gRPC, GraphQL, WebSockets, SSEs, WebHooks.
● Setting up automated tests for the API.
● Hybrid deployment patterns.
- 19. API Management - Expanded
Diagram labels: Orders Microservice, Products Microservice, Integration APIs, Utility APIs, Edge APIs - API Gateways, API Governance, Policy Management, Business Insights, Developer Portals, Low code tooling, Connector Governance, Artificial Intelligence, CI/CD and deployment mgt and Observability (each shown twice)