BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Cloud API management services make it easier for developers to secure, version, monitor and analyze API usage. In the public cloud, AWS, Azure and Google all offer API management engines that feature tight integration with their own back-end services.
The biggest strength of each of these services -- Amazon API Gateway, Azure API Management and Google Cloud Endpoints -- is their native support for their respective provider's ecosystem of tools and services. That said, they differ in terms of monitoring, authentication, testing and other capabilities that developers look for in a cloud API management service. In addition, developers who build applications for a multi-cloud architecture must ensure that the service they ultimately choose can work across cloud platforms.
Here's a rundown of the key capabilities of the API management services from the major public cloud providers.
General strengths and drawbacks
One of the features that make Amazon API Gateway unique is its ability to act as a front end to dynamically call a collection of Lambda functions. This enables developers to spin up functions as they need them and not have to continuously run an application when it's not needed. On the flip side, developers using this model need to put in more work for APIs on private clouds to set up private connections.
Azure API Management has strong reliability and governance, and, because it's an extension of Apiphany, the API management technology Microsoft acquired in 2013, it does offer support for outside services. Azure is also the only provider to offer a service-level agreement for its cloud API management service.
Developers should also consider Azure Function Proxies, a lightweight alternative to Azure API Management, that lets developers separate API functionality across multiple serverless functions.
Google Cloud Endpoints supports application coding for the Google Cloud ecosystem. However, Google continues to work on how the service will support complex governance scenarios or dynamically call Google Cloud Functions.
Cloud developers might want to consider Google's Apigee API management service -- based on the technology it acquired from Apigee in 2016 -- for API management in hybrid and multi-cloud scenarios.
Each of these cloud API management services uses different administration tools that help developers set policies for their APIs.
Amazon offers a variety of tools to manage the services behind Amazon API Gateway, such as Elastic Beanstalk for scalability, as well as AWS CodeDeploy, CodeCommit and CodePipeline for code management. Unlike Azure, which provides a developer portal to complete tasks such as API testing, AWS developers need to use a reference implementation in GitHub.
Azure API Management uses the Azure portal as an administrative interface and, as mentioned above, there is an Azure developer portal that simplifies API testing and developer onboarding. Developers can create API management policies in XML and C#, as well as set up access control lists and developer subscriptions.
Google enables developers to customize their management experience via the OpenAPI specification. The cloud provider also has a developer portal that includes a variety of tools, including those for API management.
Developers and quality assurance teams should test API functionality before they push a new application into production. An API simulation -- also called a mock -- enables developers to test the functionality before it deploys.
Amazon API Gateway supports mock integrations that enable developers to generate API responses before the back end is completed. Microsoft Azure includes testing tools to dynamically set policies on an API to return a mocked response.
Google does not include built-in mocking capabilities to test Google Cloud Endpoints' behavior, but developers can use Google Cloud Emulators to set up the equivalent of a mock, which deploys on Docker containers. Google Cloud Emulators contains components to emulate communications with Google Cloud Pub/Sub, Google Cloud Datastore and Google Cloud Bigtable data sources via the gcloud beta emulators command.
Authentication and access control
Authentication capabilities ensure that only authorized users and applications can access cloud APIs and data.
In AWS, a developer can configure API access with a variety of tools, including standard AWS roles, Amazon Cognito and AWS Identify and Access Management via custom OAuth tokens written in Lambda functions.
Azure uses Active Directory to manage access control, and the service can validate developers, as well application service calls, using OAuth, JSON Web Tokens and IP filtering.
In Google, JSON Web Tokens and Google API keys manage Google Cloud Endpoint access. Both of these can integrate with OAuth and Firebase authentication management infrastructure.
Monitoring is a key component of a cloud API management service, as developers need to track API performance, functionality and availability.
CloudWatch is the main application monitoring tool in AWS. It provides an overall view of resources and performance, and makes optimization suggestions based on metrics and logs. The service captures various metrics, such as 4XXErrors for client-side errors and 5XXErrors for server-side errors. CloudTrail audits and logs resources, API calls and user access.
Microsoft offers Azure Monitor to track the number of API calls, bandwidth and response times and manage behavior via Azure Event Hub. Like AWS, the tool also provides metrics and logging information, such as Failed Gateway Requests.
Google developers, meanwhile, use the Cloud Platform Console to monitor APIs, and can further analyze performance through Stackdriver Trace and Logging.
API management in multi-cloud
For developers who work within a multi-cloud architecture, there are a few other considerations to keep in mind.
If an application, for example, is predominantly hosted on AWS but accesses a single Google service, it makes sense to use Amazon API Gateway. For more complex multi-cloud scenarios, however, developers are likely to benefit from third-party cloud API management engines that work across multiple clouds.