Thinking about your cloud strategy and wondering what your API management options are? Keep reading and give us a call if you need help or advice.
There are plenty of reasons why you might need it, but if you’re still unsure, we suggest you take a look at our recent post. Gartner currently keeps its eye on 49 different API management products! Yes, we know it’s a lot. Therefore, we took a closer look at several popular API management solutions. IBM API Connect, Red Hat 3scale API management and MuleSoft Anypoint Platform are comprehensive solutions with commercial support. Spring Cloud Gateway, on the other hand, is (just) an open-source library suitable for rolling your own API management solution.
In this article, we will show you some of their similarities and differences that will hopefully help you choose your API management tool. We will concentrate on a few things: installation details, supported standards (REST, SOAP), security and throttling.
Without further ado, let’s meet our contestants!
IBM’s offering for API management is called IBM API Connect. IBM is an established player in the enterprise integration market and has offered API management products for some time. According to recent studies, IBM is the number one vendor in the API management market.
The current version of API Connect is v2018. It is a modern API management platform that is available in the cloud (public, isolated or reserved) and also as an on-premise installation. It offers API development capabilities, as well as runtime, management and security. This makes it a unique platform among API management vendors.
API Connect is well suited for the enterprise environment, with structures such as organizations and catalogs. The runtime component is IBM DataPower Gateway, a well-known edge appliance that offers high performance and broad security possibilities. Developer Portal and analytics capabilities are also included. With IBM API Connect you are covered from the API development phase to the API consumption phase.
Red Hat 3scale is an API management platform that delivers flexible, highly scalable solutions to package, distribute, control, and monetize users’ APIs, giving them the power to make the most of their API program.
It can be used for sharing company data, content, or services through Web or mobile applications and for providing APIs to external organizations, internal teams, or both. It also helps users avoid the hassle and future maintenance of building a solution from scratch.
Red Hat 3scale delivers centralized API management features through a distributed, cloud-hosted layer. The platform includes built-in features to help users build a more successful API program, including access control, rate limits, payment gateway integration and developer experience tools.
MuleSoft Anypoint Platform is a comprehensive solution that started off as an ESB and gradually added API creation, publishing and governance capabilities. The platform consists of the proven Mule ESB complemented with several new API-related components: API Manager, which implements gateway functionalities; API Portal, which serves as a self-service documentation portal for developers; and API Designer, for designing, documenting, and testing APIs.
Last year, CRM giant Salesforce acquired MuleSoft for $6.5 billion, making it instrumental in its efforts to connect the Salesforce platform with on-premise and legacy systems.
All of the previously mentioned products have quite a price tag. For companies on a budget there is another solution, but it requires some additional work to implement all the features that the other products offer out of the box.
Spring Cloud Gateway is a library built on top of Spring Framework 5, Project Reactor and Spring Boot 2.0. It enables us to build an API Gateway on top of Spring MVC. It is important to understand that it’s not a complete solution but a framework to build upon. Spring Cloud Gateway aims to provide a simple, yet effective way to route to APIs and to provide cross-cutting concerns to them, such as security, monitoring, metrics and resiliency.
Installation details
IBM API Connect 2018 is itself implemented in a microservices fashion, with over 20 microservices. To deploy it, we need a Kubernetes/OpenShift environment, or we can use OVA files. For testing purposes, it is much easier to use the IBM Public Cloud offering. Just hop over to https://console.bluemix.net/registration?target=/apis/provision and create a Free instance (up to 50k calls) of API Connect.
Red Hat 3scale is installed on-premise with OpenShift templates provided by Red Hat. Red Hat recommends installation on compute-optimized nodes in cloud environments. This means that the installation will probably use about 8 vCPU and 15 GB of memory. Installation is pretty straightforward. We need to create an OpenShift project and after that create a new application from the provided templates.
While MuleSoft Anypoint Platform can be installed on-premise, for the purpose of this demo we used an available demo cloud instance. We didn’t have to install anything except Anypoint Studio, which is an Eclipse-based tool, so only an unzip was needed. Anypoint Platform can be used online or installed as a cloud edition that uses Docker and Kubernetes. This installation requires 8 vCPUs and 32 GB of memory. It also needs more than 500 GB of storage, and those are the minimum requirements.
Spring Cloud Gateway doesn’t need any special installation. Just add the dependency to your existing Spring or Spring Boot Maven/Gradle project and you are good to go. Configuration can be done through Java configuration or using YAML configuration files.
Standards that are supported
IBM API Connect 2018 has good support for both REST and SOAP APIs. Of course, the main focus is REST APIs. They are defined using the standard OpenAPI specification. In the documentation itself there is an assembly diagram which offers broad transformation, invoke and security capabilities. In the end, we are left with just one YAML file which can then be easily versioned and propagated through the lifecycle. SOAP API support is also there and includes creation of SOAP proxies from existing WSDL documents, or we can create REST proxies to SOAP services.
As Red Hat states, 3scale can manage any HTTP(S)-based APIs, both REST and SOAP. Exposing REST APIs is particularly straightforward, as individual URL paths usually map quite nicely to operations. By operations, we mean fine-grained tasks and services which providers may wish to get visibility into and apply access control to.
With SOAP, there is more of a challenge as it is typical for multiple operations to share the same endpoint. Yet providers may still want to get the same visibility and control they get with REST and this is possible to achieve.
MuleSoft Anypoint Platform supports both REST and SOAP web services. It’s easy to create and expose both types of services using APIKit. This is a simple drag-and-drop operation in Anypoint API Design Center or Anypoint Studio. Also, Anypoint uses the RAML specification to create REST APIs, so we can easily generate endpoints based on a few RAML files.
Spring Cloud Gateway supports both REST and SOAP protocols. There is no OpenAPI or RAML support, which is expected because it’s not the gateway’s responsibility to process API specifications. There is, however, another Spring library that can be integrated with OpenAPI, and that is Spring Cloud Contract.
Security considerations
Security in IBM API Connect is really a first-class citizen. Security concepts can be, and in most cases are, added in the API definitions. This includes the type of security checks needed to use the API. In most cases those are client IDs (for tracking purposes) and an OAuth/OIDC token. When it comes to the runtime environment, API Connect relies on the trustworthy DataPower Gateway. API Connect can act as an OAuth provider (so there is no need for an external one), and it can generate and check JWT tokens as well as revoke already issued ones. When needed, TLS client authentication can be used. This is especially useful in an enterprise environment when working with trusted partners and excluding everyone else.
Red Hat 3scale supports the following authentication patterns out of the box: standard API keys, an application identifier, key pairs and OpenID Connect. Red Hat 3scale supports the Referrer Filtering feature that can be used to whitelist IP addresses or domain names from where an application can access the API. The API clients specify the referrer value in the Referer header.
MuleSoft Anypoint Security provides a layered approach to secure your application network. These layers work together to protect both the application network and the network’s individual nodes by controlling access to APIs, enforcing policies and proxying all inbound or outbound traffic to mitigate external threats and attacks. We won’t get into many details here, but you can look it up at https://docs.mulesoft.com/anypoint-security.
In Spring Cloud Gateway, security can be managed with the Spring Security module or by implementing your own authentication and authorization modules. You can plug in any authentication provider and perform authentication before the request is routed to your API. You can also pass authentication as a header if your application works in resource server mode.
Rate limiting and throttling policies
In IBM API Connect, when we make an API available for consumption, we always include a Plan. A Plan is a concept that defines the rules for consumption. For example, a free tier plan might enforce a rate limit of 100 calls per hour, while a paid plan might permit up to 5000 calls per hour. In addition, you can apply burst limits to your Plans, to prevent usage spikes that might damage infrastructure. Multiple burst limits can be set per Plan, at second and minute time intervals.
In Red Hat 3scale Application Plans define different sets of access rights you might want to allow for consumers of your API. These can determine anything from rate limits, which methods or resources are accessible and which features are enabled. By default, when your 3scale account is created, you are given two plans: Basic and Unlimited. You can keep and edit these or create your own. You can create as many plans as you need.
MuleSoft Anypoint Platform uses policies to define rate limiting and throttling. The Rate Limiting and Throttling policies impose a limit on all requests or on a specific resource. The service level access (SLA)-based Rate Limiting and Throttling policies add further granularity, limiting requests by the level of access granted to the requesting application.
There is limited support for rate limiting in Spring Cloud Gateway. You can use RedisRateLimiter to limit the number of requests per second. It also supports burst mode. However, if you want more complex features, like support for different subscription plans, you’ll have to implement your own limiter strategies based on RedisRateLimiter. Things can get ugly because the RedisRateLimiter class wasn’t designed for extensibility.
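One way to implement the plan-based limiting described in this section (an hourly rate limit plus a per-second burst limit for each Plan), as an added example that is not code from any of the four products. It keeps fixed-window counters in a Python dict where a gateway would use Redis keys with expiry; the plan names, the burst values and the `PlanLimiter` and `simulate` names are assumptions, while the hourly figures are the ones quoted above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    calls_per_hour: int     # sustained quota for the subscription
    burst_per_second: int   # spike protection for the backend


# Hourly figures are the ones quoted in the article; burst figures are assumed.
PLANS = {"free": Plan(100, 5), "paid": Plan(5000, 50)}


class PlanLimiter:
    # Fixed-window counters per client. The dict stands in for Redis and never
    # evicts old windows; a real store would set an expiry on each key.
    def __init__(self, plans):
        self.plans = plans
        self.counters = {}  # (client_id, window_name, window_start) -> count

    def _window(self, client_id, name, size, now):
        key = (client_id, name, int(now // size) * size)
        return key, self.counters.get(key, 0)

    def allow(self, client_id, plan_name, now):
        plan = self.plans.get(plan_name)
        if plan is None:
            return False, "unknown-plan"  # fail closed on unmapped clients
        sec_key, sec_used = self._window(client_id, "sec", 1, now)
        hour_key, hour_used = self._window(client_id, "hour", 3600, now)
        if sec_used >= plan.burst_per_second:
            return False, "burst-limit"
        if hour_used >= plan.calls_per_hour:
            return False, "rate-limit"
        # Count only accepted requests so rejected calls do not burn quota.
        self.counters[sec_key] = sec_used + 1
        self.counters[hour_key] = hour_used + 1
        return True, "ok"


def simulate(plan_name, calls, spacing_seconds, start=0.0):
    # Send evenly spaced requests from one constructed client; tally outcomes.
    limiter = PlanLimiter(PLANS)
    tally = {}
    for i in range(calls):
        _, reason = limiter.allow("client-a", plan_name, start + i * spacing_seconds)
        tally[reason] = tally.get(reason, 0) + 1
    return tally
```

The two limits trip independently: ten simultaneous calls on the free plan hit the burst limit after five, while one call per second passes the burst check and is cut off by the hourly quota after 100.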
Although all these tools are conceptually very similar with similar components and architecture, there are some implementation and functional differences. Your choice will in the end depend on precisely these differences. What is clearly visible is the trend of moving runtime environments to containers and cloud. Therefore, you should carefully think about your cloud strategy.
We enjoy talking about all things cloud and API management so do us a favor and contact us!