5 Tips for Choosing an API Management Tool Posted in Platforms Art Anthony October 29, 2024 APIs are everywhere now. They power the apps we use every day, facilitate contact between some of the world’s largest services, and have entire businesses built around them. According to a 2018 State of the Internet report by Akamai, API requests comprised around 83% of all web traffic. The world practically runs on APIs, which is great news for those of us in this space. But it also means that managing and securing APIs effectively, without compromising their usability, is more important than ever. Not least, wherever your API fails, a comparable API may well exist that can do the job more efficiently. At our 2024 Austin API Summit, Traefik Labs’ Sudeep Goswami joined us to discuss characteristics of modern API management solutions, when it might be time to consider implementing such a solution, and some common API management pitfalls. Outlining what he calls the five critical pillars of API management, Goswami highlights a range of key criteria that you should be looking for in an API management tool. Here are some things to consider when scouring the API management solutions market. Watch Sudeep Goswami present at the Austin API Summit. Below, we’ll cover some of his talk’s actionable advice. 1. Freedom of Choice Goswami suggests that freedom of choice “goes up and down the stack, and that starts with being able to support multiple protocols.” REST, for example, and GraphQL, gRPC, and so on. You also, he continues, shouldn’t be forced to deploy a particular gateway or an ingress controller. “You should have that modularity in your architecture,” he says. This allows you to pick best-of-breed products if you want to mix and match solutions from different providers. “If you love Postman, for example,” says Goswami, “you shouldn’t be forced to use a design tool from a vendor that’s trying to sell you the whole API management solution.” You should be able to deploy the solution in any cloud or Kubernetes environment, whether on the edge or on-premise. He concludes that freedom of choice often comes from embracing open standards like OpenAPI and OpenTelemetry. “This should,” he suggests, always “be built into your evaluation when it comes to API management.” 2. Security-First Mindset Echoing something we’ve said time and time again, Gowsami reminds us that “security should not be an afterthought.” That’s true not just when looking at API management solutions but throughout the design, development, and deployment of any API product. The first level of security in developing an API, he says, might look like using an API gateway for authentication and authorization or other types of schemes to secure that API first and foremost. But, as you iterate on your product, the story will unlikely end there. The security standpoint is another area in which Goswami highlights the importance of picking the best-of-breed solutions. Pairing role-based access control and integration with the right identity and access management tool, for instance, is especially paramount. He suggests keeping the OWASP top ten for APIs in mind when considering security. The headline here, however, is that we need to take a proactive approach to API security throughout this entire process. “You can’t,” Goswami asserts, “expect one API management vendor to be your security vendor as well.” 3. DevOps-first Mindset In addition to a security-first mindset, API management solutions must have a DevOps-first mindset, too. “Expressing everything as code should be a first primitive object when you’re looking at an API management solution,” says Goswami. “None of these concepts should be remote to that solution.” For instance, can you bake it into your CI/CD solution? Can you do GitOps with this solution? “API management as code,” Goswami continues, “should be a design choice that the vendor you’re looking at has made.” A solution, in other words, that complements your existing workflows and the methodologies you’ve adopted for developing APIs. He goes on to talk about things like the presence of linters, being able to do infrastructure as code (IaC) with Terraform, and being able to automate more of the deployment aspects with tools like Flux and ArgoCD being good indicators that vendors are up to the task. You probably want to avoid any solution that threatens to lock you into very rigid workflows. 4. Kubernetes Native When looking at API management platforms in 2024, Kubernetes-native attributes are essential. This can enable you to keep your processes lightweight without reinventing the wheel. “And by Kubernetes-native,” says Goswami, “I mean, it should be really deeply integrated with it. It should be able to speak to the Kubernetes API and inherit all the value by querying it for all the intelligence that the Kubernetes API holds.” The benefits of this include autodiscovery and eliminating the concept of phantom services, so you have full visibility from the get-go. He adds that being Kube native means that “everything can be expressed as code, and as YAML at the end of the day.” 5. Quick Time to Value “The point of all of this,” Goswami concludes, “is to make sure that we’re able to deliver value quickly.” He talks about the dual operating model of “being able to configure things on the UI just to get started, then being able to go into code to scale and deploy in mass.” In other words, making it simple to get started without limiting flexibility for more advanced users. “Then,” he says, “you can really leverage the scripting and automation capability because everything is expressed as code.” A seamless transition between setup and what comes after. Is It Time For An API Management Platform? Before grabbing a piece of API management, it’s good to take a step back to look at your foundations, which might influence the type of platform you require. Goswami outlines a typical API lifecycle journey, describing a few different solutions that developers might turn to after launching (and when iterating on) a cloud-native product: Application proxy: Simplify and automate the discovery, routing, and load balancing of microservices and virtual machines. API gateway: As security and centralized control become priorities, teams upgrade to an API gateway. API management: As API lifecycle management becomes a priority, teams need additional capabilities beyond what API gateways can provide. Quick aside: in many cases, descriptors related to this topic are used interchangeably. Our post on understanding API management, API gateways, and API managers is a useful primer for this post if you want a quick refresher on these terms. There are, Goswami suggests, a few questions that can help identify a need to move beyond an API gateway into a more rigorous approach to API management: Do you sell APIs as a product? Is there a high rate of change with new and existing APIs? Do you have multiple API stakeholders? (e.g., internal developers, external customers) Answers in the affirmative demonstrate a need to engage with some of the critical capabilities offered by effective API management solutions. They can be helpful when it comes to things like API governance (discovery, collection, versioning, linters, SLAs, etc.), security measures such as granular access control or web application firewall (WAF), and monitoring and observability. API Management Should Help, Not Hinder In today’s day and age, Goswami argues, the typical all-in-one solution is a broken model. And if you look at these solutions, they tend to have one or more of these attributes: Large, proprietary monolithic systems: Written when microservices were not the design pattern, with an “all or nothing” mindset and a heavy tech stack. Misaligned with DevOps operating model: Still very much point and click (i.e., you are forced into the UI), with limited scripting. Limited deployment flexibility: Tightly coupled to environments, i.e. “highly opinionated where they can run”, not optimized for Hybrid, MC, and Edge. He also highlights a trait that all of these characteristics have in common: a high total cost of ownership (TCO). These conditions can dampen the enthusiasm a team might have for implementing API management and underscore the importance of choosing the right API management solution. We’ve seen above how a more analytical approach to API management might help to shape an organization’s approach to the API lifecycle in a way that has tangible benefits. Companies that fail to get on board with this pragmatic approach risk being left behind. Many of us are guilty of embracing the status quo for longer than we should, reluctant to give up on the manual tweaks and workarounds that we’ve relied on for years. Regarding proper API management, that’s a mistake that’s not just time-consuming but could be costly as well. Choosing an appropriate tool, Goswami rounds out, is really a combination of features: those are table stakes and the operating model. “The combination of those two things has shaped our thinking behind these pillars.” In other words, considering not just the what but also the how. Choosing an API management solution that you will potentially be tying yourself to for many months or even years isn’t an easy task. However, viewing your options through the lens of these pillars could help you rule out a few providers that aren’t well-suited to your needs. The latest API insights straight to your inbox