Slides from my talk at APIDays Paris 2020 on building APIs in a Cloud Native Era. This discusses the challenges in building APIs in the Cloud and how we need to address them smartly.

1. Building APIs in a Cloud Native Era
December 10, 2020

2. Hello!
Nuwan Dias
VP and deputy CTO for API Management and Integration - WSO2
@nuwandias
Co-Author of Microservices Security in Action

3. "By 2021, over 75% of midsize and large
organizations will have adopted a multi-cloud and/or
hybrid IT strategy."
- Gartner
3

4. ● APIs connect systems together.
● APIs are built by connecting systems together
APIs….
4

5. A simple Order Processing API
5
Order Processing API
Purchase order request
Save order in database
Purchase order response

6. An actual Order Processing API
6
Order Processing API

7. Python code that calls the Twilio Send SMS API
Initializing the Twilio
client with credentials
Sending Message

8. cURL request to send an SMS from Twilio
curl -X POST
https://api.twilio.com/2010-04-01/Accounts/$TWILIO_ACCOUNT_SID/Mess
ages.json
--data-urlencode "Body=Hi there$EXCLAMATION_MARK"
--data-urlencode "From=+15017122661"
--data-urlencode "To=+15558675310"
-u $TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN
Basic Auth Header
Message Payload

9. That was the happy path!!
9
Wait! What? There’s an unhappy path too? It’s Twilio, what could possibly go wrong?

10. ● How to deal with credentials securely
⦿ How to obtain credentials?
⦿ How to store credentials securely?
⦿ How to propagate credentials through CI/CD pipelines of the app?
● How to handle application errors.
⦿ When the phone number is invalid or disconnected
⦿ When the credentials are invalid or expired.
● How to handle connectivity issues.
⦿ Network connectivity issues.
⦿ APIs being retired.
⦿ Expired certificates.
What problems did you not see above?
10

11. ● Lots of boilerplate code.
● The need for developers to learn things outside the scope of their business.
⦿ Learning how to use the APIs/SDKs (if available).
⦿ Learning how to obtain and manage credentials securely.
⦿ . . . .
● Risk of mistakes and the need of a good governance model to avert them.
● Developers having to keep up with the new versions of the endpoints
⦿ For security and other important updates.
● A repetition of all drawbacks above as more developers start connecting to the
same endpoints.
Drawbacks of writing code to connect well known endpoints
11

12. Introducing Integration APIs to solve the problem
12
Orders
Microservice
Products
Microservice
Cloud Services
Integration APIs Utility APIs

13. ● Can be implemented using low-code/no-code tooling.
● Flexible enough to be extended using code (doesn’t stop at low/no code).
● Has all characteristics of a proper cloud-native microservice
⦿ Atomic execution.
⦿ Lightweight in distribution and resource utilization.
⦿ Supports GitOps based CI/CD flows.
⦿ Observable.
⦿ . . . . .
● Has a rich family of connectors to well known cloud APIs.
● Provides rich value for connecting to any endpoint (even non-SaaS)
● Has rich constructs for well known integration needs (data mapping, error
handling, etc)
Important characteristics of Integration APIs
13

14. Q: Isn’t this what a Service Mesh is for?
14
A: No

15. ● The primary goal of a service mesh is to solve problems in a MSA when service
communicate with each other.
⦿ Service discoverability
⦿ Transport level security
⦿ Circuit breaking
⦿ Message tracing and observability
What is a service mesh and what problems does it solve?
15
Orders Microservice Shipping Microservice

16. We now have a functional API. What does it take to
run this in production?
16

17. ● Granting secure access to the API.
⦿ Standard protocols such as OAuth2.0/OIDC.
⦿ Security federation across cloud IDPs.
⦿ Security context propagation to upstream microservices.
● Updating the API with no downtime and client impact.
⦿ API versions and revisions.
⦿ Seamless migration of clients to newer versions of the API.
● Supporting different styles of APIs and protocols
⦿ Regular, request/response type APIs
⦿ Event driven APIs
⦿ HTTP, gRPC, GraphQL, WebSockets, SSEs, WebHooks.
● Setting up automated tests for the API.
● Hybrid deployment patterns.
Running an API in Production in a Cloud Native Era
17

18. API Management
18
Orders
Microservice
Products
Microservice
Integration APIs Utility APIsEdge APIs - API Gateways
Control Plane

19. API Management - Expanded
19
Orders
Microservice
Products
Microservice
Integration APIs Utility APIsEdge APIs - API Gateways
API Governance
Policy Management
Business Insights
Developer Portals
Low code tooling
Connector Governance
Artificial Intelligence
CI/CD and deployment mgt
Observability
CI/CD and deployment mgt
Observability

20. wso2.com
Thanks!