Building APIs in a Cloud Native Era
December 10, 2020
Hello!
Nuwan Dias
VP and deputy CTO for API Management and Integration - WSO2
@nuwandias
Co-Author of Microservices Security in Action
"By 2021, over 75% of midsize and large
organizations will have adopted a multi-cloud and/or
hybrid IT strategy."
- Gartner
APIs….
● APIs connect systems together.
● APIs are built by connecting systems together.
A simple Order Processing API
Order Processing API
Purchase order request
Save order in database
Purchase order response
An actual Order Processing API
Order Processing API
Python code that calls the Twilio Send SMS API
Initializing the Twilio client with credentials
Sending Message
cURL request to send an SMS from Twilio
# Account SID and auth token are read from environment variables; -u sends them as HTTP Basic auth.
curl -X POST "https://api.twilio.com/2010-04-01/Accounts/$TWILIO_ACCOUNT_SID/Messages.json" \
--data-urlencode "Body=Hi there$EXCLAMATION_MARK" \
--data-urlencode "From=+15017122661" \
--data-urlencode "To=+15558675310" \
-u "$TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN"
Basic Auth Header
Message Payload
That was the happy path!!
Wait! What? There’s an unhappy path too? It’s Twilio, what could possibly go wrong?
What problems did you not see above?
● How to deal with credentials securely.
⦿ How to obtain credentials?
⦿ How to store credentials securely?
⦿ How to propagate credentials through CI/CD pipelines of the app?
● How to handle application errors.
⦿ When the phone number is invalid or disconnected.
⦿ When the credentials are invalid or expired.
● How to handle connectivity issues.
⦿ Network connectivity issues.
⦿ APIs being retired.
⦿ Expired certificates.
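The unhappy paths listed above, worked through for the Send SMS call as an added example (not code from the slides or from Twilio's SDK): credentials come from the environment, and each failure is sorted into a category the caller can act on. The `SmsError` class, its category names, the status-code mapping and the injectable `opener` parameter are assumptions made for illustration; the endpoint and form fields are those of the cURL request.

```python
import base64, os, ssl, urllib.error, urllib.parse, urllib.request

API = "https://api.twilio.com/2010-04-01/Accounts/{sid}/Messages.json"

class SmsError(Exception):
    """Hypothetical error type: the category tells the caller whether to
    retry, rotate credentials, or fix the request."""
    def __init__(self, category, detail):
        super().__init__(f"{category}: {detail}")
        self.category = category

def load_credentials(env=os.environ):
    # Credentials are injected by a secret store or CI/CD secret variables,
    # never hard-coded or committed alongside the source.
    try:
        return env["TWILIO_ACCOUNT_SID"], env["TWILIO_AUTH_TOKEN"]
    except KeyError as missing:
        raise SmsError("credentials", f"{missing.args[0]} is not set") from None

def send_sms(to, sender, body, env=os.environ, opener=urllib.request.urlopen):
    sid, token = load_credentials(env)
    data = urllib.parse.urlencode({"To": to, "From": sender, "Body": body}).encode()
    req = urllib.request.Request(API.format(sid=sid), data=data, method="POST")
    basic = base64.b64encode(f"{sid}:{token}".encode()).decode()
    req.add_header("Authorization", f"Basic {basic}")
    try:
        with opener(req, timeout=10) as resp:
            return resp.status
    # Error details below never include the token or the Authorization header.
    except urllib.error.HTTPError as e:      # the API answered with an error status
        if e.code in (401, 403):             # invalid or expired credentials
            raise SmsError("credentials", f"HTTP {e.code}") from None
        if e.code in (404, 410):             # assumed signal of a retired API version
            raise SmsError("endpoint-retired", f"HTTP {e.code}") from None
        if 400 <= e.code < 500:              # e.g. an invalid phone number
            raise SmsError("bad-request", f"HTTP {e.code}") from None
        raise SmsError("upstream", f"HTTP {e.code}") from None
    except urllib.error.URLError as e:       # no HTTP response was received
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            raise SmsError("certificate", str(e.reason)) from None
        raise SmsError("network", str(e.reason)) from None
```

Only the `network` and `upstream` categories are reasonable candidates for an automatic retry; the others need a credential, request or endpoint change first.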
Drawbacks of writing code to connect to well-known endpoints
● Lots of boilerplate code.
● The need for developers to learn things outside the scope of their business.
⦿ Learning how to use the APIs/SDKs (if available).
⦿ Learning how to obtain and manage credentials securely.
⦿ . . . .
● Risk of mistakes and the need for a good governance model to avert them.
● Developers having to keep up with new versions of the endpoints.
⦿ For security and other important updates.
● A repetition of all the drawbacks above as more developers start connecting to the same endpoints.
Introducing Integration APIs to solve the problem
[Diagram: Orders Microservice, Products Microservice, Cloud Services, Integration APIs, Utility APIs]
Important characteristics of Integration APIs
● Can be implemented using low-code/no-code tooling.
● Flexible enough to be extended using code (doesn’t stop at low/no code).
● Has all the characteristics of a proper cloud-native microservice.
⦿ Atomic execution.
⦿ Lightweight in distribution and resource utilization.
⦿ Supports GitOps-based CI/CD flows.
⦿ Observable.
⦿ . . . . .
● Has a rich family of connectors to well-known cloud APIs.
● Provides rich value for connecting to any endpoint (even non-SaaS).
● Has rich constructs for well-known integration needs (data mapping, error handling, etc.).
Q: Isn’t this what a Service Mesh is for?
A: No
What is a service mesh and what problems does it solve?
● The primary goal of a service mesh is to solve problems in an MSA when services communicate with each other.
⦿ Service discoverability
⦿ Transport level security
⦿ Circuit breaking
⦿ Message tracing and observability
[Diagram: Orders Microservice, Shipping Microservice]
We now have a functional API. What does it take to run this in production?
Running an API in Production in a Cloud Native Era
● Granting secure access to the API.
⦿ Standard protocols such as OAuth2.0/OIDC.
⦿ Security federation across cloud IDPs.
⦿ Security context propagation to upstream microservices.
● Updating the API with no downtime and client impact.
⦿ API versions and revisions.
⦿ Seamless migration of clients to newer versions of the API.
● Supporting different styles of APIs and protocols.
⦿ Regular, request/response type APIs
⦿ Event driven APIs
⦿ HTTP, gRPC, GraphQL, WebSockets, SSEs, WebHooks.
● Setting up automated tests for the API.
● Hybrid deployment patterns.
API Management
[Diagram: Orders Microservice, Products Microservice, Integration APIs, Utility APIs, Edge APIs - API Gateways, Control Plane]
API Management - Expanded
[Diagram: Orders Microservice, Products Microservice, Integration APIs, Utility APIs, Edge APIs - API Gateways, API Governance, Policy Management, Business Insights, Developer Portals, Low code tooling, Connector Governance, Artificial Intelligence, CI/CD and deployment mgt, Observability]
wso2.com
Thanks!
