This session was Delivered at API Strat 2018. The session covered considerations for why you would want to expose External Services as internal APIs in your business.

1. September 24-26, 2018
Music City Center
Nashville, Tennessee
#apistrat
Turning External Services
into Internal APIs -
Strategies to consider
Chris Phillips
1 10/2/2018

2. 2 10/2/2018
Chris Phillips
• IBM Master Inventor
• 12 Patents (ish)
• IBM SWAT Integration
Architect
• Wife & Two Kids
https://medium.com/@cminion/
https://www.linkedin.com/in/chrisjphillips/
https://github.com/ChrisPhillips-cminion

3. 3 10/2/2018
IBM Hursley, UK

4. Africa
© FreePowerPointMaps.com
South
America
Europe
North
America
Asia
Middle
East
Oceania
World by FreeVectorMaps.com

5. 5 10/2/2018
Agenda
• What is an API Platform
• Case Study
• Security
• Performance
• Caching
• Migration
• Summary
• Questions / Discussion

6. 6 10/2/2018
An API Platform

7. 7 10/2/2018
An API Platform
Analytics
API
Gateway
(Runtime)
Portal
Management

8. 8 10/2/2018
Scenario
📲

9. 9 10/2/2018
Scenario

10. 10 10/2/2018
Scenario

11. 11 10/2/2018
Scenario
API
Gateway

12. 12 10/2/2018
MicroService for Mobile
Username: Fred
Password: *****
Security

13. 13 10/2/2018
MicroService for Mobile
Username: Fred
Password: *****
Security

14. 14 10/2/2018
A N Other MicroService
Username: Fred
Password: *****
Pays For
Security
MicroService for Mobile
Username: Fred
Password: *****

15. 15 10/2/2018
MicroService for Mobile
Username: Fred
Password: *****
A N Other MicroService
Username: Fred
Password: *****
Pays For
Security
Unauthorized
MicroService
Username: Fred
Password: *****
https://www.freepik.com/free-vector/young-
anonymous-hacker-with-flat-design_2753360.htm

16. 16 10/2/2018
MicroService for Mobile
Username: Fred
Password: *****
A N Other MicroService
Username: Fred
Password: *****
Security
Unauthorized
MicroService
Username: Fred
Password: *****
https://www.freepik.com/free-vector/young-
anonymous-hacker-with-flat-design_2753360.htm

17. 17 10/2/2018
MicroService for Mobile
Username: Mia
Password: *****
A N Other MicroService
Username: Fred
Password: *****
Security
Unauthorized
MicroService
Username: Fred
Password: *****
https://www.freepik.com/free-vector/young-
anonymous-hacker-with-flat-design_2753360.htm

18. 18 10/2/2018
MicroService for Mobile
Username: Mia
Password: *****
A N Other MicroService
Username: Mia
Password: *****
Security
Unauthorized
MicroService
Username: Fred
Password: *****
https://www.freepik.com/free-vector/young-
anonymous-hacker-with-flat-design_2753360.htm

19. 19 10/2/2018
MicroService for Mobile
Username: Mia
Password: *****
A N Other MicroService
Username: Mia
Password: *****
Security
Unauthorized
MicroService
Username: Mia
Password: *****
https://www.freepik.com/free-vector/young-
anonymous-hacker-with-flat-design_2753360.htm

20. 20 10/2/2018
MicroService for Mobile
Username: MS4Mob
Security Type: OIDC
A N Other MicroService
Username: ANOMS
SecurityType: User/Password
Security
Unauthorized
MicroService
Username:
ANOMS
Password: *****
https://www.freepik.com/free-vector/young-
anonymous-hacker-with-flat-design_2753360.htm
API
Gateway
Contains the
Credentials for the
Weather Company

21. MicroService for Mobile
Username: MS4Mob
Security Type: OIDC
A N Other MicroService
Username: ANOMS
SecurityType: User/Password21 10/2/2018
Security
API Gateway
Manages Credentials
to the Weather
Company
Each MicroService can
consumption can be
tracked individually
Unauthorized
MicroService
Username:
ANOMS
Password: *****
https://www.freepik.com/free-vector/young-
anonymous-hacker-with-flat-design_2753360.htm
API
Gateway
Each MicroService has
its own credentials to
the API Gateway

22. 22 10/2/2018
Security
By exposing External Services as APIs
• One username and password to change if it is
compromised
• Can block access to specific MicroServices if
credentials are compromised.
• Tracks usage to ensure everyone pays their
share
• Tracks where passwords may have been
exposed
• Allows for different security mechanisms then
those on offer

23. 23 10/2/2018
MicroService for Mobile
Username: Fred
Password: *****
Performance Test

24. 24 10/2/2018
50 000 Calls free
Each additional 10 000 Calls $1000
MicroService for Mobile
Username: Fred
Password: *****
Performance
Test

25. 25 10/2/2018
50 000 Calls free
Each additional 10 000 Calls $1000
MicroService for Mobile
Username: Fred
Password: *****
Performance
Test
STUB

26. STUB
26 10/2/2018
50 000 Calls free
Each additional 10 000 Calls $1000
MicroService for Mobile
Username: Fred
Password: *****
Performance
Test
Performance Test Started

27. 8 Hour Soak Run, What does it cost?
𝑇𝑃𝑆 = 100
LoT = 8 hours
No of Transactions = 100 * 60 * 60 * 8
= 2 880 000
Cost = (2 880 000 – 50 000) / 10 000 * $1 000
= $283 000

28. 28 10/2/2018
50 000 Calls free
Each additional 10 000 Calls $1000
MicroService for Mobile
Username: Fred
Password: *****
Performance
Test
STUB

29. 29 10/2/2018
50 000 Calls free
Each additional 10 000 Calls $1000
MicroService for Mobile
Username: Fred
Password: *****
Performance
Test
Routing can be
controlled by the API
Gateway
API
Gateway
API Gateway Rate
Limits all traffic to the
Weather Company
STUB

30. 30 10/2/2018
https://hackernoon.com/how-we-spent-30k-usd-
in-firebase-in-less-than-72-hours-307490bd24d

31. 31 10/2/2018
Performance Test
By exposing External Services as APIs
• Reduce the risk of performance testing
against an expensive API
• Control the routing from outside the
MicroService
• Removes the responsibility form the
Developer for selecting which endpoint to use

32. 32 10/2/2018
MicroService for Mobile
Username: Fred
Password: *****
Caching Strategy

33. 33 10/2/2018
MicroService for Mobile
Username: Fred
Password: *****
Caching Strategy

34. 34 10/2/2018
MicroService for Mobile
Username: Fred
Password: *****
Caching Strategy Six months
Later

35. 35 10/2/2018
MicroService for Mobile
Username: Fred
Password: *****
Caching Strategy
API
Gateway
Caching Is not a
responsibility of the
Micro Service developer
When it is enabled for
one API it is used by all
Consumers

36. 36 10/2/2018
Caching Strategy
By exposing External Services as APIs
• Abstracts caching away from the microservice
• Allows all external calls to follow the same
caching strategy

37. 37 10/2/2018
Migration

38. 38 10/2/2018
Migration
MicroService
for Mobile

39. 39 10/2/2018
Migration
MicroService
for Mobile
MicroService
for Desktop
MicroService
for Other

40. 40 10/2/2018
Migration
MicroService
for Mobile
MicroService
for Desktop
MicroService
for Other

41. 41 10/2/2018
Migration
MicroService
for Mobile
MicroService
for Desktop
MicroService
for Other

42. 42 10/2/2018
Migration
MicroService
for Mobile
MicroService
for Desktop
MicroService
for Other

43. 43 10/2/2018
Migration
MicroService
for Mobile
MicroService
for Desktop
MicroService
for Other
API
Gateway

44. 44 10/2/2018
Migration
MicroService
for Mobile
MicroService
for Desktop
MicroService
for Other
API
Gateway

45. 45 10/2/2018
Migration
MicroService
for Mobile
MicroService
for Desktop
MicroService
for Other
API
Gateway

46. 46 10/2/2018
Migration
In the event of a Major
Change interface can be
transposed in the API
GatewayMicroService
for Mobile
MicroService
for Desktop
MicroService
for Other
Interface do not need to
change at the API
Gateway until new
function is desired
API
Gateway
The API in the Gateway
can select which Version
to route to.

47. 47 10/2/2018
Migration Summary
• MicroServices do not need to be upgraded
when the interface changes
• Version Change can be seemless to the
MicroService layer
• Reduces the evergreening risk

48. 48 10/2/2018
Other Reasons
• Developer Portal for sharing documentation
• Controlling the interface to reduce complexity
of the microservice
• Many others….

49. 49 10/2/2018
Summary – Take Away
Just about every reason to have an API Layer
for exposing internal services externally can
be applied to having an API Layer for
exposing external services
Treat All APIs Equally

50. 50 10/2/2018
Come see me again
http://sched.co/FTQP

51. 51 10/2/2018
Thank You
Email: Chris.Phillips@uk.ibm.com
Medium: https://medium.com/@cminion/
Linkedin: https://www.linkedin.com/in/chrisjphillips/
GitHub: https://github.com/ChrisPhillips-cminion
Twitter: @cminion
@teddyconsulting