book

Mastering API Architecture

by James Gough, Daniel Bryant, Matthew Auburn

October 2022

Beginner to intermediate

286 pages

8h 3m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Foreword
Preface
Why Did We Write This Book?Why Should You Read This Book?Who This Book Is ForDeveloperAccidental ArchitectSolutions/Enterprise ArchitectWhat You Will LearnWhat This Book Is NotConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsJames GoughDaniel BryantMatthew Auburn
Introduction
The Architecture JourneyA Brief Introduction to APIsRunning Example: Conference System Case StudyTypes of APIs in the Conference Case StudyReasons for Changing the Conference SystemFrom Tiered Architecture to Modeling APIsCase Study: An Evolutionary StepAPI Infrastructure and Traffic PatternsRoadmap for the Conference Case StudyUsing C4 DiagramsC4 Context DiagramC4 Container DiagramC4 Component DiagramUsing Architecture Decision RecordsAttendees Evolution ADRMastering API: ADR GuidelinesSummary
I. Designing, Building, and Testing APIs
1. Design, Build, and Specify APIs
Case Study: Designing the Attendee APIIntroduction to RESTIntroduction to REST and HTTP by ExampleThe Richardson Maturity ModelIntroduction to Remote Procedure Call (RPC) APIsA Brief Mention of GraphQLREST API Standards and StructureCollections and PaginationFiltering CollectionsError HandlingADR Guideline: Choosing an API StandardSpecifying REST APIs Using OpenAPIPractical Application of OpenAPI SpecificationsCode GenerationOpenAPI ValidationExamples and MockingDetecting ChangesAPI VersioningSemantic VersioningOpenAPI Specification and VersioningImplementing RPC with gRPCModeling Exchanges and Choosing an API FormatHigh-Traffic ServicesLarge Exchange PayloadsHTTP/2 Performance BenefitsVintage FormatsGuideline: Modeling ExchangesMultiple SpecificationsDoes the Golden Specification Exist?Challenges of Combined SpecificationsSummary
2. Testing APIs
Conference System Scenario for This ChapterTesting StrategiesTest QuadrantTest PyramidADR Guideline for Testing StrategiesContract TestingWhy Contract Testing Is Often PreferableHow a Contract Is ImplementedADR Guideline: Contract TestingAPI Component TestingContract Testing Versus Component TestingCase Study: Component Test to Verify BehaviorAPI Integration TestingUsing Stub Servers: Why and HowADR Guideline: Integration TestingContainerizing Test Components: TestcontainersCase Study: Applying Testcontainers to Verify IntegrationsEnd-to-End TestingAutomating End-to-End ValidationTypes of End-to-End TestsADR Guideline: End-to-End TestingSummary
II. API Traffic Management
3. API Gateways: Ingress Traffic Management
Is an API Gateway the Only Solution?Guideline: Proxy, Load Balancer, or API GatewayCase Study: Exposing the Attendee Service to ConsumersWhat Is an API Gateway?What Functionality Does an API Gateway Provide?Where Is an API Gateway Deployed?How Does an API Gateway Integrate with Other Technologies at the Edge?Why Use an API Gateway?Reduce Coupling: Adapter/Facade Between Frontends and BackendsSimplify Consumption: Aggregating/Translating Backend ServicesProtect APIs from Overuse and Abuse: Threat Detection and MitigationUnderstand How APIs Are Being Consumed: ObservabilityManage APIs as Products: API Lifecycle ManagementMonetize APIs: Account Management, Billing, and PaymentA Modern History of API Gateways1990s Onward: Hardware Load BalancersEarly 2000s Onward: Software Load BalancersMid-2000s: Application Delivery Controllers (ADCs)Early 2010s: First-Generation API Gateways2015 Onward: Second-Generation API GatewaysCurrent API Gateway TaxonomyTraditional Enterprise GatewaysMicroservices/Micro GatewaysService Mesh GatewaysComparing API Gateway TypesCase Study: Evolving the Conference System Using an API GatewayInstalling Ambassador Edge Stack in KubernetesConfiguring Mappings from URL Paths to Backend ServicesConfiguring Mappings Using Host-based RoutingDeploying API Gateways: Understanding and Managing FailureAPI Gateway as a Single Point of FailureDetecting and Owning ProblemsResolving Incidents and IssuesMitigating RisksCommon API Gateway Implementation PitfallsAPI Gateway LoopbackAPI Gateway as an ESBTurtles (API Gateways) All the Way DownSelecting an API GatewayIdentifying RequirementsBuild Versus BuyADR Guideline: Selecting an API GatewaySummary
4. Service Mesh: Service-to-Service Traffic Management
Is Service Mesh the Only Solution?Guideline: Should You Adopt Service Mesh?Case Study: Extracting Sessions Functionality to a ServiceWhat Is Service Mesh?What Functionality Does a Service Mesh Provide?Where Is a Service Mesh Deployed?How Does a Service Mesh Integrate with Other Networking Technologies?Why Use a Service Mesh?Fine-grained Control of Routing, Reliability, and Traffic ManagementProvide Transparent ObservabilityEnforce Security: Transport Security, Authentication, and AuthorizationSupporting Cross-Functional Communication Across LanguagesSeparating Ingress and Service-to-Service Traffic ManagementEvolution of Service MeshEarly History and MotivationsImplementation PatternsService Mesh TaxonomyCase Study: Using a Service Mesh for Routing, Observability, and SecurityRouting with IstioObserving Traffic with LinkerdNetwork Segmentation with ConsulDeploying a Service Mesh: Understanding and Managing FailureService Mesh as a Single Point of FailureCommon Service Mesh Implementation ChallengesService Mesh as ESBService Mesh as GatewayToo Many Networking LayersSelecting a Service MeshIdentifying RequirementsBuild Versus BuyChecklist: Selecting a Service MeshSummary
III. API Operations and Security

5. Deploying and Releasing APIs
Separating Deployment and ReleaseCase Study: Feature FlaggingTraffic ManagementCase Study: Modeling Releases in the Conference SystemAPI LifecycleMapping Release Strategies to LifecycleADR Guideline: Separating Release from Deployment with Traffic Management and Feature FlagsRelease StrategiesCanary ReleasesTraffic MirroringBlue-GreenCase Study: Performing Rollouts with Argo RolloutsMonitoring for Success and Identifying FailureThree Pillars of ObservabilityImportant Metrics for APIsReading the SignalsApplication Decisions for Effective Software ReleasesResponse CachingApplication-Level Header PropagationLogging to Assist DebuggingConsidering an Opinionated PlatformADR Guideline: Opinionated PlatformsSummary
6. Operational Security: Threat Modeling for APIs
Case Study: Applying OWASP to the Attendee APIThe Risk of Not Securing External APIsThreat Modeling 101Thinking Like an AttackerHow to Threat ModelStep 1: Identify Your ObjectivesStep 2: Gather the Right InformationStep 3: Decompose the SystemStep 4: Identify Threats—Taking This in Your STRIDEStep 5: Evaluate Threat RisksStep 6: ValidationSummary
7. API Authentication and Authorization
AuthenticationEnd-User Authentication with TokensSystem-to-System AuthenticationWhy You Shouldn’t Mix Keys and UsersOAuth2Authorization Server Role with API InteractionsJSON Web Tokens (JWT)Terminology and Mechanisms of OAuth2 GrantsADR Guideline: Should I Consider Using OAuth2?Authorization Code GrantRefresh TokensClient Credentials GrantAdditional OAuth2 GrantsADR Guideline: Choosing Which OAuth2 Grants to SupportOAuth2 ScopesAuthorization EnforcementIntroducing OIDCSAML 2.0Summary
IV. Evolutionary Architecture with APIs
8. Redesigning Applications to API-Driven Architectures
Why Use APIs to Evolve a System?Creating Useful Abstractions: Increasing CohesionClarifying Domain Boundaries: Promoting Loose CouplingCase Study: Establishing Attendee Domain BoundariesEnd State Architecture OptionsMonolithService-Oriented Architecture (SOA)MicroservicesFunctionsManaging the Evolutionary ProcessDetermine Your GoalsUsing Fitness FunctionsDecomposing a System into ModulesCreating APIs as “Seams” for ExtensionIdentifying Change Leverage Points within a SystemContinuous Delivery and VerificationArchitectural Patterns for Evolving Systems with APIsStrangler FigFacade and AdapterAPI Layer CakeIdentifying Pain Points and OpportunitiesUpgrade and Maintenance IssuesPerformance IssuesBreaking Dependencies: Highly Coupled APIsSummary
9. Using API Infrastructure to Evolve Toward Cloud Platforms
Case Study: Moving the Attendee Service to the CloudChoosing a Cloud Migration StrategyRetain or RevisitRehostReplatformRepurchaseRefactor/Re-architectRetireCase Study: Replatforming the Attendee Service to the CloudRole of API ManagementNorth–South Versus East–West: Blurring Lines of Traffic ManagementStart at the Edge and Work InwardCrossing Boundaries: Routing Across NetworksFrom Zonal Architecture to Zero TrustGetting in the ZoneTrust No One and VerifyRole of Service Mesh in Zero Trust ArchitecturesSummary
10. Wrap-up
Case Study: A Look Back on Your JourneyAPIs, Conway’s Law, and Your OrganizationUnderstanding Decision TypesPreparing for the FutureAsync CommunicationHTTP/3Platform-based MeshWhat’s Next: How to Keep Learning About API ArchitectureContinually Honing the FundamentalsKeeping Up-to-Date with Industry NewsRadars, Quadrants, and Trend ReportsLearning About Best Practices and Use CasesLearning by DoingLearning by Teaching
Index
About the Authors

Content preview from Mastering API Architecture

Chapter 1. Design, Build, and Specify APIs

You will be presented with many options when designing and building APIs. It is incredibly fast to build a service with modern technologies and frameworks, but creating a durable approach requires careful thought and consideration. In this chapter we will explore REST and RPC to model the producer and consumer relationships in the case study.

You will discover how standards can help to shortcut design decisions and navigate away from potential compatibility issues. You will look at OpenAPI Specifications, the practical uses for teams, and the importance of versioning.

RPC-based interactions are specified using a schema; to compare and contrast with a REST approach, we will explore gRPC. With both REST and gRPC in mind, we will look at the different factors to consider in how we model exchanges. We will look at the possibility of providing both a REST and RPC API in the same service and whether this is the right thing to do.

Case Study: Designing the Attendee API

In the Introduction we decided to migrate our legacy conference system and move toward a more API-driven architecture. As a first step to making this change, we are going to create a new Attendee service, which will expose a matching Attendee API. We also provided a narrow definition of an API. In order to design effectively, we need to consider more broadly the exchange between the producer and consumer, and more importantly who the producer and consumer are. The producer is ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492090625Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering API Architecture

by James Gough, Daniel Bryant, Matthew Auburn

Chapter 1. Design, Build, and Specify APIs

Case Study: Designing the Attendee API

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.