In this article, we’re going to take a look at Gravitee API Management, the Apache 2.0 solution with Enterprise support for API management from the company Gravitee.io. We’ll provide a brief introduction to the world of API management and explain how the Gravitee solution adapts itself to the varying needs of this interoperability layer.
We’ll follow this table of contents:
1. API vs API Management vs API Gateway vs API Manager
An API (Application Programming Interface) is a set of definitions and protocols (also known as a contract) used to define the interoperability mechanism for a given application. This is key to integrating multiple applications within a governance framework. For this definition, the specification OpenAPI specification is typically used, making use of the tools provided by the Swagger stack for its graphical representation.
Figure 1. Architecture Layers
The API Management layer, included within the interoperability group, provides us with the functionalities that enable us to support the entire life cycle of an API, thus facilitating its management and governance.
Although it’s able to work autonomously, the API Gateway usually comprises a component of the API Management layer. The API Gateway is in charge of the API execution runtime, acting as a proxy between the consumers and the services exposed within the API definition.
Lastly, the concept of API Manager refers to a product that is responsible for providing specific API Management functionalities to a specific architecture. In this article, we’ll focus on the Gravitee API Management product.
|API||specification of an interface|
|API Management||management and governance of an API|
|API Manager||product in charge of providing API Management capabilities to an architecture|
|API Gateway||final API execution runtime|
2. API Management & API First approach
Figure 2. API First Development
2.1 Main API Management functionalities
Depending on the API Manager (product) selected, the API Management layer can offer the following functionalities:
2.1.1 API SECURITY
Within the Security capabilities in the API Management layer we can find:
- Authentication and authorization of the different APIs and exposed resources, by using procedures such as API-KEY, JWT, and/or OAuth2, among others.
- Ensure responsible use of APIs based on the different types of consumers, by applying different access policies or limiting the number of requests that a consumer is able to make to the system in different time slots.
2.1.2 API GOVERNANCE
Among the Governance capabilities within the API Management layer we can find:
- Catalogue of the different APIs available in the different Gateways, access to their documentation, and specifications.
- API lifecycle management and automated deployment using continuous integration (CI) and continuous deployment (CD) tools.
- Access to the documentation and specification of an API, both from the perspective of the API Owner (publisher) and from the perspective of the API Consumer (external developers). This facilitates the adoption of knowledge by consumers, thereby speeding up the adoption of the APIs by the applications consuming them.
2.1.3 API ANALYTICS
Among the Analytics capabilities within the API Management layer we can find:
- Dashboards related to the use of the different deployed APIs.
- Traceability of inbound and outbound requests coming through the different Gateways, thus assisting administrators with the debugging of the traffic managed by the API Management layer.
- Alerts in the event of certain situations that occur within the API Management layer, enabling proactive maintenance of the deployed APIs.
2.1.4 API MONETIZATION
Among the Monetization capabilities within the API Management layer we can find:
- Enable companies to implement a monetization strategy for their services by exposing them through different governance APIs, allowing the definition of different access plans with their corresponding monetary conditions.
3. Gravitee API Management
3.1 What is Gravitee API Management?
Gravitee API Management is a complete Open Source solution for the API Management layer under Apache 2.0 license, with the feature of having optional Enterprise support from the vendor (Gravitee.io).
3.2 Gravitee API Management components
Gravitee API Management consists of four main components:
Figure 3. Global Architecture by Gravitee
- APIM Gateway, in charge of the API execution runtime. It is responsible both for ensuring compliance with security policies and for managing the transformation of incoming and outgoing requests via the Gateway (smart proxy).
- APIM API, is responsible for providing a central communication interface via a RESTful API for all the administrative tasks required by the product. It is consumed by the management console and the User Portal.
- APIM Console, responsible for the product administration and lifecycle management of the APIs deployed in the corresponding Gateways. The user interface for the roles of Administration and API Publisher. APIM Portal, provides application developers who consume APIs with an operations interface from which they can view API documentation, subscribe, and carry out tests.
3.2.1 Gravitee API Management: Security
From a security perspective, Gravitee API Management offers the following functionalities:
Figure 4. Gravitee Access Management
- Validation policies for requests: a set of rules that enable us to apply validations to our requests, both in the headers, the body of the request and in the input parameters.
- Request transformation: a set of rules that enable us to modify requests by adding or removing multiple components such as headers or parts of the body of the request.
- JSON validation: a set of rules that enable us to validate the JSON schemas that form part of the body of a request.
- IP address filtering: a set of rules that enable us to assign, by means of a blacklist, the IP addresses authorized for the consumption of certain APIs.
- Quotas: a set of rules that enable us to define different consumption plans, restricting the number of calls that can be made in a certain period of time.
- Request throttling: a set of rules that enable us to restrict the number of requests that will be sent to our services from the API Management layer.
- API-KEY: a set of rules that enable us to force the verification of an API-key during the processing of requests, allowing access to our APIs only to those consumers subscribed to them using a correct API-key.
- OAuth2: a set of rules that enable us to force the verification of an OAuth2 token during the processing of requests, enabling access to our APIs only to those consumers subscribed with a correct token. This requires a Resource Owner in charge of generating and validating the access tokens (Keycloak, Gravitee Access Management, etc.).
- JSON Web Token (JWT) validation: a set of rules that enable us to validate a JWT token before sending the request to our services. Just as with OAuth2, a Resource Owner is required to validate these JWTs.
3.2.2 Gravitee API Management: Governance
- API Designer (Enterprise only): a tool that enables us to define our API in real-time, from an API-First paradigm, allowing automatic validation and documentation of our API.
Figure 5. API Designer
- API Catalog (API Owner perspective): from the “API Owner” perspective, the administration console is available through which we can list and manage the multiple APIs deployed in Gravitee API Management.
Figure 6. API Catalog (API Owner Perspective)
API Catalog (API Consumer perspective): from the “API Consumer” perspective, we provide a Portal to access the list of authorized APIs in our profile. From this portal, we are able to consult all the documentation related to the API as well as subscribe to them.
Figure 7. API Catalogue (API Consumer perspective)
- API Documentation: accessibility to all the documentation of our APIs from a common Portal, facilitating their implementation by multiple consumers.
Figure 8. API Documentation
- Importing an API: Gravitee API Management enables us to import an API into the platform from an OpenAPI specification or directly from a WSDL (SOAP) definition.
Figure 9. Importing an API
- API Lifecycle: Gravitee API Management enables us to manage the lifecycle of our APIs, from their definition and creation to their publication and removal (deprecated).
Figure 10. Danger Zone
- Categorization: Gravitee API Management enables us to categorize the various APIs deployed on our platform, allowing consumers to discover and better visualize them.
Figure 11. Categorization
3.2.3 Gravitee API Management: Analytics
From an analytics perspective, Gravitee API Management offers the following functionalities:
- Metrics: Within the administration console, Gravitee API Management has a real-time analytics dashboard that provides access to the various usage metrics of our APIs, from a global perspective or for a particular API. It also offers the possibility to create customized dashboards (User dashboards). All these metrics are maintained and indexed in Elasticsearch and can be consulted by administrators using specific tools such as Kibana.
Figure 12. Metrics
- Cockpit (Enterprise only): For distributed environments, Gravitee API Management provides a tool for managing the lifecycle of our APIs across the different environments of the consumer, providing a global view of each of our APIs and their distribution across the different platforms deployed.
Figure 13. Cockpit
- Log management: Gravitee API Management enables us to trace the requests that go through the different Gateway’s, being able to persist the headers of the requests and response of the services themselves, speeding up the support and debugging process of our APIs.
Figure 14. Log Management
- Traceability: Gravitee API Management enables us to configure and send the traces following the OpenTracing specification, thus enabling us to fully trace each request, linking the API Management layer logs with the balancing and integration layer logs (Load Balancer > API Management > Integration).
Figure 15. API Management Gateway
3.2.4 Gravitee API Management: Monetization:
From a monetization perspective, Gravitee API Management offers the following functionalities:
- Plans: Through the segmentation of access plans, Gravitee API Management enables the exposure of different capacities of our APIs according to different consumers, providing full traceability of consumption according to the various segments.
Figure 16. Plans
- Documentation: It facilitates the documenting of the different plans made available to consumers, defining their characteristics as well as their associated costs.
Figure 17. Documentation
- Billing metrics: This enables us to assign a billing policy for a specific API, facilitating its subsequent analysis and integration with billing platforms.
Figure 18. Billing Metrics
- Billing Analytics: Gravitee API Management allows us to create customized dashboards through which we can display the information related to the plans and their corresponding billing, offering a comprehensive overview for said departments. However, since the preservation of all this information resides in Elasticsearch, external tools can be used to integrate this information into specific platforms according to each use.
Figure 19. Billing Analytics
4. Chakray and Gravitee.io
As an official Gravitee.io Partner, Chakray has the necessary knowledge and tools to tackle any API Management project, providing the comfort of having a team specialized in its deployment, development, and subsequent maintenance, in addition to joint support with the manufacturer for Enterprise environments. We will be happy to evaluate your use case and discuss the best APIfication strategy to implement the API Management layer in your organization. Contact us today!