API Management Within a Microservices Architecture
1. API Management within a Microservices
Architecture
Nadeesha Gamage
Senior Lead Solutions Engineer
2. WSO2 At-A-Glance
● $25m Sales in 2017
● 53% YoY growth
● 450+ Customers, 175 New Customers in 2017
● Open Source
● Founded 2005, Backed by Cisco and Toba Capital
● Colombo; London; Mountain View, CA; New York, NY; São Paulo; Sydney
● 500+ Employees (300 Engineers)
3. WSO2: Helping Digitally Driven Organizations Become Integration Agile
#1
6th
Open Source Integration Vendor
Largest Apache Committer
Largest Open Source Vendor
5th
4. OPEN TECHNOLOGY FOR AGILE DIGITAL BUSINESS
● Build internal and external developer ecosystems with an API marketplace.
● Manage identity, security, and privacy across your digital business.
● Create real-time, intelligent, actionable business insights and data products.
● Platform-enable your digital business with “micro-services” and “micro-integrations”.
5. All WSO2 PRODUCTS ARE
● Seamlessly Integrated
○ Comprehensive platform
○ Go to market faster
● Flexible
○ Deploy on-premises, public or private cloud, or hybrid environment
○ Easily migrate between on-premises and in the cloud
● 100% Open source
○ Quickly build POC
○ Affordably scale out to production systems
● Backed by world class team
○ More than a decade of experience helping companies realize digital transformation goals
6. The WSO2 Subscription
Get the most from your WSO2 product with enterprise-grade services:
● Open source technology
● WSO2 Subscription
● Options:
○ WSO2 managed cloud
○ Consulting services
○ Managed services
7. WSO2 Training and Certification
WSO2 provides:
● Training material free online; learn at your own pace
● Certification: a verifiable way to present skills to team, employers, customers, partners
● Standard training (onsite and online)
● Customized training (on-site): in-depth, personalized training for your specific need
8. ANALYSTS SAY
“Strong Performer for Hybrid Integration”
- The Forrester Wave™: Hybrid Integration for Enterprises, Q4 2016 report, published November 18, 2016
“Leader in API Management Solutions”
- The Forrester Wave™: API Management Solutions, Q4 2018 report, published November 1, 2018.
“Visionary”
- Gartner Cool Vendors in Internet of Things Analytics, 2016 report, published May 11, 2016.
“Strong Performer for Big Data Streaming Analytics”
- The Forrester Wave™: Big Data Streaming Analytics, Q1 2016 report, published March 30, 2016.
- Gartner Magic Quadrant for Full Life Cycle API Management, published October 27, 2016
“Cool Vendor”
10. Flagship Customers
Across every industry and geography
Financial, Healthcare, Governments, Education, Telecom, Retail, Technology, Transport
11. Agenda
● APIs, the digital connector
● Microservices Architecture
● WSO2 API Manager
● Introduction to WSO2 API Microgateway
● Demo on WSO2 API Manager and Microgateway
● API Microgateway deployment patterns
12. It Is The Age Of The Consumer
Source: Forrester Research
14. API - “The Digital Connector”
● APIs are the interfaces that allow various services to expose their functionality for consumption.
● They enable a platform-independent, language-neutral way of integration.
● They enable Digital Transformation.
16. Why do APIs need to be managed?
○ Open API access to consumers
○ Easy API discoverability
○ Protecting APIs
■ Securing against unauthorized access
■ Fine grained access control
■ Throttling
○ Metering and Monitoring
○ Monetization
○ Manage lifecycle and versioning
20. Monolithic Application (continued)
● Despite modularity, application is packaged as
a single monolith
● Packaging depends on the language
○ .war, .jar or directory structure
● Simple to test and deploy
● If simple, what is the issue?
○ Simple and easy only at the beginning
21. Problems with Monolithic applications
● Increasingly difficult to make code changes; disrupts agile development
● Over time, no single developer will understand the entire code, so changes will be error-prone
● CI/CD would become painful
● Scaling would be difficult
● An issue in one component could potentially bring down the
entire application
● Stuck with a single language
23. Microservices Architecture pattern
● An application written as small interconnected services,
each implementing distinct functionality
● Self contained, maintains its own datastores
● Each service may expose a REST API; transactions require interaction with multiple services.
● Services may also use other inter-process communication methods to interact, such as queues.
24. Advantages with MSA
● Faster and focused development
● Easy deployment and thus easy CI/CD
● Demand based scalability and flexibility
● Reduced downtime due to modularity
● Reduce time to market for new features and
capabilities.
26. Drawbacks of MSA
● Inherent complexity of distributed systems
○ Handling transactions (partial failures)
● Multiple databases
● Need for advanced technology (service mesh,
service discovery, circuit breaker, container
orchestration etc)
27. Does MSA need API Management?
● It is a common misconception that Microservices Architecture eliminates the need for API Management.
● Rather, API Management augments MSA and works collaboratively with it.
● Don’t we need control over what we expose as a REST API in microservices?
● It's not good practice to allow apps to consume microservices directly.
28. What API Management brings to MSA
● Control API access and security
● API portal and discoverability
● Monitoring usage
● API documentation and testing before adoption
● Versioning and lifecycle management
30. Microservices with an API Gateway
● API Microgateway for service
○ Deploying Gateway closer to the microservice
[Diagram: API Gateways; microservices: Products, Orders]
31. Microservices with an API Gateway
● API Microgateway for each client
○ The same API interface exposed to 3 types of Gateways, each optimized for the client type it serves.
[Diagram: gateways: Mobile, Web, Public; microservices: Products, Orders]
32. WSO2 API Manager
Design, create, publish and manage APIs to
unlock the true value of your digital assets
35. WSO2 API Manager
● Available as a single
downloadable package
● Available as a cloud / SaaS
solution
● Flexible deployment choices
● High performance gateway
● API governance, marketplace
solution
36. Cloud First or Start On-Prem
● Multi-tenanted, shared
everything
● WSO2 Hosted and managed
● Pay as you go
● Multi-region availability
● VPN tunnel to private DC
● Guaranteed uptime
● Limited options in customizing
● Hybrid Cloud
● Privately hosted
● WSO2 managed
● Upgrades, patches installation
● Guaranteed uptime
● Full flexibility in customization
● Better control
● Self hosted
● Self managed
● Full flexibility
● Dev-ops learning curve
● Self managed upgrades
http://wso2.com/api-management/cloud/
https://docs.wso2.com/display/ManagedCloud/WSO2+Managed+Cloud+Documentation
38. Creating APIs
● Start with an existing endpoint/contract or design and prototype a new API
● Exposing SOAP services (convert to REST or as a passthrough)
● Exposing streaming APIs (WebSocket endpoints)
39. Creating APIs
● API Design - Over the wizard & with swagger
40. Managed or prototyped
● Point to a production backend or prototype at the gateway
45. Client Application
● Encapsulates the client application
● Associates OAuth2 keys
● Supports different integration patterns for application security through OAuth grant types
● Pre-generated access tokens for testing
46. Traffic Management
● Tier-based simple model
○ Application developer selects the tier at app registration
○ Each tier is tied to a policy that describes the quota
○ Tiers can be applied at the application, API or API resource level
● Advanced rule-based models
○ Policies containing IP conditions, message-attribute-based conditions, transport-header-based conditions
○ Complex real-time pattern-based conditions
49. API Lifecycle Management
● Manage stages of an API
● Manage associated states
● Create a new version from an existing one
● Audit changes to lifecycle states
● Support for custom lifecycles
53. API Analytics: Batch
● Analytics dashboard on API stats
○ API Usage / Response times / Backend latency / Geo-location etc.
● Stats on Applications for application owners (subscribers)
● Stats on subscriptions
54. API Analytics: Realtime
● Leverages real-time analytics streaming engine
● Used for various alerting use-cases
○ Fraudulent access token usage
○ Keeping API developers alerted on backend performance issues
○ Alerting on SLA violations
○ Alerting on tier crossing for subscriptions
● Detect trends
● Detect API call sequences that need to be blocked
● Detect non-usage scenarios
59. API Gateway Performance
WSO2 API Manager all-in-one simple deployment performance
H/W config: 4 core CPU with 8GB memory / c4.xlarge EC2 equivalent
64. Introducing the WSO2 API Microgateway
● Designed to scale.
○ Immutable
○ Self validating tokens
○ Localized rate limiting
○ Offline analytics
● Native support for Docker/K8S.
● Dedicated gateway for microservices.
● First class support for lifecycle management across
environments.
● Low resource requirement (2 core, 256 MB RAM).
65. Characteristics of WSO2 API Microgateway
● Ability to execute in isolation without connection to other components (key manager, traffic manager, etc.).
● Ability to manage a subset of APIs, instead of all.
● Offers a proxy that is capable of performing security validation,
in-memory (local) throttling and operational analytics.
● Immutability.
67. Microgateway Security - JWT/JWS
[Diagram: Microgateways for the Products and Orders microservices. Labels:]
● Request access token (with scopes)
● Provide signed JWT
● Client application sends signed JWT to Microgateways
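What "self validating tokens" means at the gateway, as an added example (not WSO2 code): the gateway checks signature, expiry and scope from local state only, with no call to a key manager. HS256 with a shared key is an assumption made to stay within the Python standard library; the key, paths and scope names are constructed.

```python
import base64, hashlib, hmac, json, time

# Assumption: HS256 keeps this stdlib-only. A production gateway would normally
# verify an asymmetric signature with the issuer's public key instead.
KEY = b"constructed-demo-key"                       # constructed value
REQUIRED_SCOPE = {"/products": "products:read",     # hypothetical path -> scope map
                  "/orders": "orders:read"}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(claims, key=KEY, alg="HS256"):
    """Stand-in for the token issuer that hands the client a signed JWT."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(head + '.' + body, key))}"

def gateway_check(token, path, now=None):
    """Validate a token using only local state; returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":        # pin the algorithm, ignore the header's choice
        return False, "unexpected alg"
    if not hmac.compare_digest(given, sign(head + "." + body, KEY)):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if REQUIRED_SCOPE.get(path) not in str(claims.get("scope", "")).split():
        return False, "missing scope"
    return True, "ok"
```

Because nothing is looked up remotely, a token stays acceptable until its `exp` passes, so short lifetimes matter more here than with a token the gateway has validated on each call.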
68. Microgateway Security - Standard OAuth2.0
[Diagram labels:]
● Request access token (with scopes)
● Provide opaque token
● Client application sends token to Microgateway
● Validate token
69. Microgateway - Localized Rate Limiting
Rate limiting policies are burnt into the microgateway runtime
[Diagram: Microgateway in front of Products and Orders]
● Apply 1000 req/min on Products microservice
● Apply 500 req/min on Orders microservice
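A sizing sketch for localized rate limiting, added here and not taken from WSO2's code: each gateway instance counts only the traffic it sees, so the aggregate ceiling grows with the number of replicas unless the baked-in limit is divided accordingly. The limits are the slide's values; class and function names are hypothetical.

```python
from collections import defaultdict

# Per-service limits from the slide, in requests per minute.
LIMITS = {"products": 1000, "orders": 500}
WINDOW = 60  # seconds

class LocalLimiter:
    """Fixed-window counter held in one gateway's memory (no shared state)."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.counts = defaultdict(int)      # (service, window index) -> requests seen

    def allow(self, service, now):
        limit = self.limits.get(service, 0) # services without a policy are denied
        key = (service, int(now // WINDOW))
        if self.counts[key] >= limit:
            return False                    # the gateway would answer HTTP 429
        self.counts[key] += 1
        return True

def admitted(replicas, service, requests, limits=LIMITS):
    """Spread `requests` calls round-robin over `replicas` gateways inside one
    window and return how many reach the backend in total."""
    gateways = [LocalLimiter(limits) for _ in range(replicas)]
    return sum(gateways[i % replicas].allow(service, i * 0.001)
               for i in range(requests))

def per_replica_limit(target, replicas):
    """Limit to bake into each replica so the aggregate stays at or below target."""
    return target // replicas
```

With three replicas, `admitted(3, "products", 5000)` lets 3000 requests through in one minute; baking in `per_replica_limit(1000, 3)` brings the aggregate back to 999.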
70. Microgateway - Offline Analytics
[Diagram: two Microgateways]
● Accumulate data in files and upload offline
71. Microgateway - Native Support for Docker/K8S
[Diagram: Microgateway Toolkit. Labels:]
● Request API definitions
● Download API definitions (JSON)
● Outputs: Microgateway VM, Microgateway Docker, Microgateway K8S
● Provide relevant arguments in build phase for desired output
73. API Gateway vs Microgateway
Feature | API Gateway | Microgateway
Self contained token based authentication | No | Yes
OAuth 2.0 token based authentication | Yes | Yes
Mediation extension support (in/out sequences) | Yes | No
Response Caching (GET and HEAD methods) | Yes | Yes
JavaScript based mediation logic | Yes | No
Analytics support | Yes | Yes
Logging and monitoring support | Yes | Yes
74. When to use API Microgateway
● Run in lockdown or offline mode
● Cater to unusual traffic patterns of APIs (run in private
jet mode)
● Scaling a subset of APIs.
● When consumers and services reside in the same
network and a gateway is required in close proximity to
reduce latency.
● Running the gateway in sidecar mode.
75. When to use the traditional API gateway
● When there is a requirement to throttle API calls based on counters across all gateway nodes.
● When running the API gateway as a centralized gateway that handles requests for many different APIs and different backend servers.
● With a traditional SOAP architecture that requires the gateway to perform mediations and orchestrations.