Microservices Require Robust API Management
As the microservices approach is becoming more prevalent in application development, API operations, or API Ops, is increasingly being recognized as a requisite skill amongst enterprise and startups.
Microservices architecture breaks down services and assets into discrete, composable units. And they use APIs to communicate and connect with each other. Which in turn means dev teams are needing to build up their API design and creation skills (which requires testing and other ops tasks), as well as outsource functionality like security.
It also requires an API gateway service to manage the flow of APIs between and from an internal-to-external environment, and all of this needs testing tools that can map how the APIs call and respond to make sure there are no glitches in the flow of the microservices composability.
So API Ops emerges to allow the enterprise to focus on the API design, drop in external functionalities, run the workflow tests, and manage gateway tasks.
API Ops and External Functionalities
Alex Salazar, CEO of identity and user management service Stormpath, has said that in the past six months, he is increasingly hearing customers ask about microservices. Stormpath offers identity access and user management services via an API that can be integrated directly into an application.
“To our customers it is really straightforward,” Salazar said. “They are building modern applications. Which means they pretty much always have to build APIs. They are either exposing services via APIs in their mobile application or rolling out their app as a series of microservices bundled into APIs.”
In a sophisticated application development, Salazar said, dev teams don’t want to cultivate complex security skills in-house.
“If you get your API wrong the first time around, it is really expensive to fix it” — Alex Salazar.
“Development teams are asking, how do you secure the endpoints, how do you do rate monitoring? Most programmers in a microservices architecture are facing the need to have to do this from scratch, so they are looking for tools that they can just drop in,” Salazar said. “They are trying to move faster; teams are scared of getting this stuff wrong. Large infrastructure companies like Google or Facebook can afford to do this themselves, but for everyone else, building out your own authentication and user management system is a huge expense.”
Salazar said that dev teams working with microservices and APIs know the focus needs to be on their API design: “If you get your API wrong the first time around, it is really expensive to fix it,” he said. Which is why interest in outsourcing the security provisions is growing.
Salazar said that the global move towards microservices has meant that dev teams across all industries have to learn how to build and manage APIs: “What happened with us, a year ago, people were wanting just to plug us into their applications,” he said. “They just wanted a typical login to their user interface. But about fifteen months ago, we started getting asked, well, you have a great API, what can you tell us about building APIs? Now in the last six months, the conversation has shifted to people asking us for a reverse proxy, which we knew meant they were looking for an API gateway.”
Chris Richardson, one of the original founders of CloudFoundry and author of the Microservices.io website, writes that the microservices design pattern requires an API gateway.
“The granularity of APIs provided by microservices is often different than what a client needs,” he explained. “Microservices typically provide fine-grained APIs, which means that clients need to interact with multiple services. For example, a client needing the details for a product needs to fetch data from numerous services.” An API gateway creates a single entry point for all clients.
Above: API gateway pattern from http://microservices.io/patterns/apigateway.html by Chris Richardson
And that is where the API Ops issue comes into play. Seeing the growth of how Stormpath is used as the identity and user authentication process in a microservices architecture, Salazar has worked to create a new partnership with 3scale, an API gateway and management service provider. Their new partnership means there is now a simple code snippet available on Github to allow developers to integrate a complete identity layer into their web and mobile applications.
Salazar said the main change he has seen across the industry in the past three years was the move from Public APIs to the growing use of internal APIs. “The difference now is that everyone across all sectors is building software to take their business service or their products online to interact with their customers.”
Jarkko Moilanen, one of the organizers of the upcoming Nordic APIdays, to be held in Tampere Finland on May 18 – 19, said this sort of example is exactly why API Ops is one of the themes of the conference. (Full disclosure: I contribute to the APIdays Medium blog.)
“Currently, any evolving service business is based on almost effortlessly scalable solutions which are connected to each other via APIs,” Moilanen said. “DevOps helped to automate service development but required a lot of self-installed and maintained services. Currently, the trend is towards fully API-based service design, deployment and maintenance. API Ops is a community with an aim to identify best practices and tools. Eventually, all stages from design, update, and management, to the retirement of any API can be automated, and good API Ops will help make that possible.”
API Ops for Full Microservices Workflow Testing
Over the past six months, Abhinav Asthana has seen this rise of external and internal API use as part of a microservices architecture. As CEO and Founder of the API Ops tool Postman, he steered their product from a browser plug-in to a more fully fleshed out lifecycle tool aimed at helping developers better understand how APIs are consumed in an application workflow.
The tool has been taken up by internal teams who want to group their APIs-as-microservices usage, by external developers who want to test API products before integrating them, and — according to Abhinav — has even allowed businesses to define the borders of microservices components better within their architectural map.
“Postman evolved from a REST testing tool in the browser to something that fits into the whole API lifecycle,” said Asthana. “Developers often want to integrate a whole bunch of internal and external APIs, but there are a ton of inefficiencies.”
Postman allows users to run API queries with parameters to understand better what data response they will receive.
Postman most recently created a feature called “Collections” which allows users to collate all the information they need about the APIs they are consuming in one place. Asthana said that API consumers often need to consult a variety of media when creating their workflow that may include an API call, some transformation of the data, and then the use of that in the a subsequent API query.
“Every API publisher provides tutorials, blog posts, and documentation. It is not that these workflows are not created, it is just that the workflow design is not published in a shareable form,” Asthana said.
One banking architect I spoke to recently described this sort of situation when using Amazon’s API Gateway, Lambda and DynamoDB. While he lauded the documentation from Amazon, the difficulty came when he was trying to integrate a workflow that moved data amongst the three services. He points to an example of using the console in Amazon API Gateway and importing the API he had created using Lambda. But then when trying to call the API, Lambda returned an error message. The knowledge gap occurred with integrating two Amazon services and not realizing he needed to add the Lambda token to the console workflow.
That is exactly the sort of problem that Postman can help solve, by letting end users bundle all the documentation and testing tools from a variety of APIs into the one collection, including their notes, so that can be shared with their internal teams who might be building applications of such a proof of concept.
“There is so much friction in creating a workflow,” said Asthana. Again, he points to the dominance of microservices influencing the API integration and workflow needs of developer teams. “In some cases, dev teams are using public APIs combined with internal: we don’t insist that it just be private or public or using just one type of specification format. We suggest that you can have any combination of APIs, it is completely up to their team. We see teams combine Slack with ElasticSearch, Github to Jira: all of this we can test inside Postman. The goal is to get people to move fluidly from public to private. For us, the unit is a collection: a group of requests. This is the format that expands to all use cases.”
API Ops Improves External Developer Relations
Tools like Postman are also being used to encourage API consumers to be a part of the API Ops community. Postman, for example, has the “Run in Postman” button that helps API providers integrate the testing tool directly into their documentation pages, in the same way that consumers are encouraged to track API changes using the API Changelog widget, or clone an API using the StopLight button.
“Our senior product manager brought the ‘Run in Postman’ button to our group for a potential trial,” said Anna-Maria Bliss, associate product manager on Best Buy’s API team. “It seemed a minimal effort, and we thought it would be in line with our developer strategy.”
Bliss is quick to acknowledge the need for developer-consumers to use API Ops tactics when assessing their API. “Our query syntax is a little quirky — it’s not standard,” she explains. “You can structure different kinds of queries to get at different product details, and we have been trying to focus on how we do documentation and encourage parsing that out and breaking the API query into top level information. Now with Run in Postman, developers see something more in-depth, this is like query sample code, and sample code is more in-depth and engaging than documentation.”
Bliss said there was “some uptick” in developer engagement on the day of launching the “Run in Postman,” but it is too early to see a huge rise in interaction.
“What we are hoping to do with Postman is have a collection of queries that provide new developers with a set of queries all around, for example, building your perfect home theater or game room in your house,” Bliss said. “So what is the best way you could get product and store information, so if you wanted to set up a page, you would have access to a package selection of queries so you can see how we have adapted those queries and applied them to that use case.”
Meanwhile, startups like Cronofy are also offering Run in Postman on their developer pages. Cronofy offers an API that lets users maintain any calendar app in a bi-directional, always-synced, realtime integration. CEO and founder Adam Bird said they wanted to see whether improving API Ops opportunities for their developer-consumers could increase conversion.
Bird is thinking through how API Ops tools like Postman can be used in conjunction with documentation to improve developer uptake. “Copying and pasting sample code is the way many developers start getting to grips with an API,” Bird said. “By having our error reporting recognize when documentation placeholders for things like security tokens were being used, we could more effectively guide new developers as to how to become successful with our API.” Bird said they have seen a “significant improvement” in developers moving from a trial account to making successful integrations thanks to the tool’s availability.
API Ops Helps Define the Microservices Architecture
While microservices architecture is leading the demand for more internal and external APIs, at the same time, the use of API Ops can help an enterprise better foster a microservices mindset.
Abhinav said that using Postman collections is helping many businesses to understand better the natural domain borders for various services and how they should be bundled together as a set of microservices. “To date, enterprises keep their documentation separate, they keep their code samples separate, and a lot of these tools are scattered. Collections put that all together. It is definitely helping enterprises think through their microservices, and helps developers think about how to organize both the microservices and the machines to run them.”
Salazar said this organizational feedback loop around microservices design has made APIs essential, but at the same time has lessened their conceptualization as the endgame in itself. “Because of mobile and the benefit of microservices, which focuses on building and managing small components instead of a monolithic application, you see teams really struggling with how they are going to integrate their APIs with their mobile products, or between their microservices,” he said.
“APIs have become more ubiquitous for mobile and microservices. They are no longer the goal; they are a stepping stone to releasing an application.”