This document discusses serverless API management on AWS. It begins with an overview of serverless API management and describes a sample timelapse service use case. It then covers the basics of API management on AWS including validation, transformation, throttling, caching, security and monetization. It also discusses DevOps practices for serverless APIs such as CI/CD pipelines and infrastructure as code. Finally, it briefly mentions event-driven "AsyncAPI" management and concludes.

1. Serverless
API Management
b y S a m u e l V a n d e c a s t e e l e & S t e f a n D e W a n d e l e i r
C o n t a c t u s
• LinkedIn: www.linkedin.com/in/samuelvandecasteele/
• Mail: samuel.vandecasteele@i8c.be
• Company: www.i8c.be

2. 3. Serverless API Management on AWS
The AWS reference architecture
Use case - Timelapse Service
The basics - Validation | Transformation | Throttling | Caching | Security
Monetization
DevOps
API Portal
5. Event ‘AsyncAPI’ Management
1. Enterprise Integration
What is Enterprise Integration and who are we?
4. What about other Vendors?
2. API Management
APIs – API Management – API Management platforms
6. Conclusions

3. 1.Introduction
IntegrationArchitectures
E n t e r p r i s e A p p l i c a t i o n I n t e g ra t i o n ( E A I )
S e r v i c e O r i e n t e d A r c h i t e c t u r e s ( S O A )
A P I M a n a g e m e n t
B 2 B I n t e g ra t i o n
Io T
Re a l - t i m e e v e n t p r o c e s s i n g
When we talk about integration

4. 1.Introduction
IntegrationArchitectures Once upon a time…
… a corporate IT landscape

5. 1.Introduction
IntegrationArchitectures Once upon a time…
… a corporate IT landscape
Ownership?
Duplicates?
Change Management?

6. 1.Introduction
IntegrationArchitectures Enterprise Application Integration (EAI)
Integration Server
https://www.enterpriseintegrationpatterns.com
• Management of point-to-point
• Management of pub/sub
• Domain-Model
• B2B: management of partners
• Transformations
• Mediation through adapters
• Messaging (queue, pub/sub)
Integration Server

7. 1.Introduction
IntegrationArchitectures Service-Oriented Architecture
Enterprise Service Bus
• Reusable Services
• Management of services (SOA registry)
• Domain-Model
• Governance (layering, lifecycle)
• Transformations
• Security
• Aggregations
• Messaging (queue, pub/sub)

8. 1.Introduction
IntegrationArchitectures API Management
API Management Platform
• Reusable APIs
• Management of APIs
• Management of Consumers (Self-service)
• Externalize functionality/data
• Transformations
• Security
• QoS
• Monitoring
• Async?

9. 1.Introduction
IntegrationArchitectures Internet of Things
IoT Management Platform
• (Time-based) events
• Device management
• Data capturing (ingestion)
• Transformations
• Security
• Filtering/Analysis
• Monitoring

10. We build the bridges to your core IT systems

11. We cover all aspects of building the bridges
Consultancy
Assessments
Architectural Blueprinting
Software Selection
Implementation
Design
Build
Test
Deploy
Managed Services
Support & Monitoring
Outsourcing
Hosting
Training & Lectures

12. APIManageent
TheforestofAPI
153/09/19
API ?

13. uService
Monetizing
APIManageent
TheforestofAPI
163/09/19
Errors
JSON
XML
Resources
Versioning
Throttling
Threat
protection
Caching
OData
OpenID
connect
OAuth2
API-Key
Security
protobuf
MQTT
Hitch
Open
Data
Jekyll
Portal
API
RESTfull
HTTP
GraphQL
REST like
Swagger
OpenAPI
RAML
HAL
JSONP
Web
hooks
APIBlueprint
SOAP
Gateway

14. Monetizing
APIManageent
TheforestofAPI
173/09/19
Errors
JSON
Resources
Versioning
Throttling
Threat
protection
Caching
OpenID
connect
OAuth2
API-Key
Security
Portal
API
HTTP
REST like
Swagger
OpenAPI
Gateway

15. Our solutions facilitates comunication and exchange of information in your business processes.
1 186 299 438 593 865 1263 1546
2026
2418
3422
5018
7182
9011
10302
11138
13099
15589
17330
-1000
1000
3000
5000
7000
9000
11000
13000
15000
17000
19000
Jun-05 Mar-06 Oct-06 May-07 Dec-07 Jul-08 Feb-09 Sep-09 Apr-10 Nov-10 Jun-11 Jan-12 Aug-12 Mar-13 Oct-13 Jan-14 Jan-15 Jan-16 Jan-17 Jan-18
APICount
Month
API Growth since 2005
18
APIS ARE EVERYWHERE
APIs are currently reshaping the web and disrupting complete industries

16. API AS A PRODUCT

17. PARTNER INTEGRATION

18. UNLOCK DATA
Data.Vlaanderen.be

19. Our solutions facilitates comunication and exchange of information in your business processes.
24
API MANAGEMENT
“API Management is the process of publishing, promoting and overseeing
APIs in a secure, scalable environment”
(techtarget.com)

20. Our solutions facilitates comunication and exchange of information in your business processes.
25
API MANAGEMENT
“API Management is the process of publishing, promoting and overseeing
APIs in a secure, scalable environment”
(techtarget.com)
Continuous Integration/Delivery
API Registration
Monitoring
Analysis
Security
Access Management
Quality of Service

21. Provision Publish
API Management
API MANAGEMENT TOOLSET
26
API Gateway
Security Transform
Quota
Protocol
Switching
Caching
Metrics
Collection
Analytics
API
Endpoints
µService
Collect
APP
Java AS
Creates
Registers
Uses Invokes
Manages
Manage
User
Developer API Manager
API
Portal
API
Manager
fn(..)

22. OpenAPI –
specification file
• Most APIs are
REST(like)/json
• The API can be described
through a standardized file:
openAPI
• Latest version is v3, but v2 is
still more commonly used
(aka swagger)

23. https://www.slideshare.net/AmazonWebServices/accelerate-innovation-and-maximize-business-value-with-serverless-applications-srv212r1-aws-reinvent-2018/7

24. API Management
API Gateway on prem
Identity
Provider
Cognito
Okta
AWS API Gateway
AWS
ElastiCache
Portal

25. AWSServerlessAPIManagement
OVERVIEW

26. ServerlessAPIManagement-usecase
TIMELAPSESERVICE
Connect to your cameras
IoT Device management
Solution API
for mobile & integration
API Management + IAM
Serverless implementation
Cloud native & cost optimized
DevOps delivery
CI/CD & IaC methodologies

27. ServerlessAPIManagement-usecase
TIMELAPSESERVICE

28. S e r v e r l e s s A P I M a n a g e m e n t - T h e b a s i c s
Define your API
Manual via AWS Console
Via
and/or Cloudformation

29. S e r v e r l e s s A P I M a n a g e m e n t - T h e b a s i c s
Validation
Validates query parameters, headers & body (JSON Schema v4)
• Lambda only invoked with valid requests
• More Secure
• Cost-effective
• Currently no ‘SQL injection’, ‘Document depth detection’, ‘non
json-based validations’, …

30. S e r v e r l e s s A P I M a n a g e m e n t - T h e b a s i c s
Security
Open ID Connect (implicit) flow
1. Authenticate against Cognito
2. ID token and access token creation
3. API Call using token
4. Validate token
5. Verify oauth scope
6. Route request with JWT Token
1
2
3
4
5
6

31. S e r v e r l e s s A P I M a n a g e m e n t - T h e b a s i c s
Security
Cognito
• User pool
• Federated identities (Social, SAML, OIDC)
Lambda Authorizer
• To any IdP service
IAM
(API Key)

32. S e r v e r l e s s A P I M a n a g e m e n t - T h e b a s i c s
Transformation
Request/Response transformation
• Apache Velocity Template Language (VTL)
Transformation in Lambda
• Advanced transformation (REST to SOAP)

33. S e r v e r l e s s A P I M a n a g e m e n t - T h e b a s i c s
Caching
Customize Caching Key
• Resource id, header, query param, …
Customize (TTL) Time to live
Not Serverless
Offload your backend!

34. S e r v e r l e s s A P I M a n a g e m e n t - T h e b a s i c s
Throttling
API Key level Method level Account level
Protect your backend!
and your costs!

35. S e r v e r l e s s A P I M a n a g e m e n t - T h e b a s i c s
Monetize your API

36. Go the extra mile!
Go the extra secure mile with WAF integration
XSS
DDoS SQL injection
IP filtering

37. AWSServerlessAPIManagement
DEVOPS

38. CI/CD & INFRASTRUCTURE AS CODE
S e r v e r l e s s A P I M a n a g e m e n t - D e v O p s

39. S e r v e r l e s s A P I M a n a g e m e n t - D e v O p s
Versioning
AWS API Gateway does not dictate your Versioning Strategy
but does not provide a guidance neither!
https://v2.i8c.be/timelapse/*
https://timelapse.i8c.be/v2/*
https://api.i8c.be/timelapse/v2/*
…
Custom domains, base
path mappings & stage
variables
Major version = new API definition in API Gateway = own CD pipeline

40. ( o u t o f t h e b o x ) REAL-TIME MONITORING
S e r v e r l e s s A P I M a n a g e m e n t - D e v O p s

41. Organization
Service teams are now able to manage all aspects of API Management
but what about enterprise compliance enforcement?
CloudFormation & OpenAPI analysis tools to verify if all
required enterprise policies are applied?
Internal auditing of API by central architecture team?
S e r v e r l e s s A P I M a n a g e m e n t - D e v O p s

42. AWSServerlessAPIManagement
OVERVIEW

43. AW S S e r v e r l e s s A P I M a n a g e m e n t
API Portal

44. AW S S e r v e r l e s s A P I M a n a g e m e n t
API Portal - gi t hub.c o m/aw sl abs/aw s-api -gat eway-devel o per-po r t al

45. Vendorlandscape
GARTNER ON AWS API MANAGEMENT
STRENGTHS
• Low-cost, efficient and performs at any
scale.
• Great integration with AWS PaaS offerings.
• High levels of user satisfaction
CAUTIONS
• Needs to extend its set of operational
policies
• Lacks ready-to-use developer API portal
WE ON AWS API MANAGEMENT
STRENGTHS
• Strong API Gateway offering. (for use-cases
where Portal is less/not important)
• Strong entry-point for event-driven
architectures
CAUTIONS
• Hybrid scenario’s
• Not for all enterprise scenarios
(SOAP/XML)
https://www.gartner.com/en/documents/3873383/magic-quadrant-for-full-life-cycle-api-management

46. ServerlessAPIManagement-usecase
TIMELAPSESERVICE
(mostly) ASYNCSYNC

47. Event ‘AsyncAPI’ Management

48. Event ‘AsyncAPI’ Management

50. Event ‘AsyncAPI’ Management

51. Serverless
API Management
G et i n t o uc h!
s a m u e l . v a n d e c a s t e e l @ i 8 c . b e
s t e f a n . d e w a n d e l e i r @ i 8 c . b e
i n f o @ i 8 c . b e