book

Mastering API Architecture

by James Gough, Daniel Bryant, Matthew Auburn

October 2022

Beginner to intermediate

286 pages

8h 3m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Foreword
Preface
Why Did We Write This Book?Why Should You Read This Book?Who This Book Is ForDeveloperAccidental ArchitectSolutions/Enterprise ArchitectWhat You Will LearnWhat This Book Is NotConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsJames GoughDaniel BryantMatthew Auburn
Introduction
The Architecture JourneyA Brief Introduction to APIsRunning Example: Conference System Case StudyTypes of APIs in the Conference Case StudyReasons for Changing the Conference SystemFrom Tiered Architecture to Modeling APIsCase Study: An Evolutionary StepAPI Infrastructure and Traffic PatternsRoadmap for the Conference Case StudyUsing C4 DiagramsC4 Context DiagramC4 Container DiagramC4 Component DiagramUsing Architecture Decision RecordsAttendees Evolution ADRMastering API: ADR GuidelinesSummary
I. Designing, Building, and Testing APIs
1. Design, Build, and Specify APIs
Case Study: Designing the Attendee APIIntroduction to RESTIntroduction to REST and HTTP by ExampleThe Richardson Maturity ModelIntroduction to Remote Procedure Call (RPC) APIsA Brief Mention of GraphQLREST API Standards and StructureCollections and PaginationFiltering CollectionsError HandlingADR Guideline: Choosing an API StandardSpecifying REST APIs Using OpenAPIPractical Application of OpenAPI SpecificationsCode GenerationOpenAPI ValidationExamples and MockingDetecting ChangesAPI VersioningSemantic VersioningOpenAPI Specification and VersioningImplementing RPC with gRPCModeling Exchanges and Choosing an API FormatHigh-Traffic ServicesLarge Exchange PayloadsHTTP/2 Performance BenefitsVintage FormatsGuideline: Modeling ExchangesMultiple SpecificationsDoes the Golden Specification Exist?Challenges of Combined SpecificationsSummary
2. Testing APIs
Conference System Scenario for This ChapterTesting StrategiesTest QuadrantTest PyramidADR Guideline for Testing StrategiesContract TestingWhy Contract Testing Is Often PreferableHow a Contract Is ImplementedADR Guideline: Contract TestingAPI Component TestingContract Testing Versus Component TestingCase Study: Component Test to Verify BehaviorAPI Integration TestingUsing Stub Servers: Why and HowADR Guideline: Integration TestingContainerizing Test Components: TestcontainersCase Study: Applying Testcontainers to Verify IntegrationsEnd-to-End TestingAutomating End-to-End ValidationTypes of End-to-End TestsADR Guideline: End-to-End TestingSummary
II. API Traffic Management
3. API Gateways: Ingress Traffic Management
Is an API Gateway the Only Solution?Guideline: Proxy, Load Balancer, or API GatewayCase Study: Exposing the Attendee Service to ConsumersWhat Is an API Gateway?What Functionality Does an API Gateway Provide?Where Is an API Gateway Deployed?How Does an API Gateway Integrate with Other Technologies at the Edge?Why Use an API Gateway?Reduce Coupling: Adapter/Facade Between Frontends and BackendsSimplify Consumption: Aggregating/Translating Backend ServicesProtect APIs from Overuse and Abuse: Threat Detection and MitigationUnderstand How APIs Are Being Consumed: ObservabilityManage APIs as Products: API Lifecycle ManagementMonetize APIs: Account Management, Billing, and PaymentA Modern History of API Gateways1990s Onward: Hardware Load BalancersEarly 2000s Onward: Software Load BalancersMid-2000s: Application Delivery Controllers (ADCs)Early 2010s: First-Generation API Gateways2015 Onward: Second-Generation API GatewaysCurrent API Gateway TaxonomyTraditional Enterprise GatewaysMicroservices/Micro GatewaysService Mesh GatewaysComparing API Gateway TypesCase Study: Evolving the Conference System Using an API GatewayInstalling Ambassador Edge Stack in KubernetesConfiguring Mappings from URL Paths to Backend ServicesConfiguring Mappings Using Host-based RoutingDeploying API Gateways: Understanding and Managing FailureAPI Gateway as a Single Point of FailureDetecting and Owning ProblemsResolving Incidents and IssuesMitigating RisksCommon API Gateway Implementation PitfallsAPI Gateway LoopbackAPI Gateway as an ESBTurtles (API Gateways) All the Way DownSelecting an API GatewayIdentifying RequirementsBuild Versus BuyADR Guideline: Selecting an API GatewaySummary
4. Service Mesh: Service-to-Service Traffic Management
Is Service Mesh the Only Solution?Guideline: Should You Adopt Service Mesh?Case Study: Extracting Sessions Functionality to a ServiceWhat Is Service Mesh?What Functionality Does a Service Mesh Provide?Where Is a Service Mesh Deployed?How Does a Service Mesh Integrate with Other Networking Technologies?Why Use a Service Mesh?Fine-grained Control of Routing, Reliability, and Traffic ManagementProvide Transparent ObservabilityEnforce Security: Transport Security, Authentication, and AuthorizationSupporting Cross-Functional Communication Across LanguagesSeparating Ingress and Service-to-Service Traffic ManagementEvolution of Service MeshEarly History and MotivationsImplementation PatternsService Mesh TaxonomyCase Study: Using a Service Mesh for Routing, Observability, and SecurityRouting with IstioObserving Traffic with LinkerdNetwork Segmentation with ConsulDeploying a Service Mesh: Understanding and Managing FailureService Mesh as a Single Point of FailureCommon Service Mesh Implementation ChallengesService Mesh as ESBService Mesh as GatewayToo Many Networking LayersSelecting a Service MeshIdentifying RequirementsBuild Versus BuyChecklist: Selecting a Service MeshSummary
III. API Operations and Security

5. Deploying and Releasing APIs
Separating Deployment and ReleaseCase Study: Feature FlaggingTraffic ManagementCase Study: Modeling Releases in the Conference SystemAPI LifecycleMapping Release Strategies to LifecycleADR Guideline: Separating Release from Deployment with Traffic Management and Feature FlagsRelease StrategiesCanary ReleasesTraffic MirroringBlue-GreenCase Study: Performing Rollouts with Argo RolloutsMonitoring for Success and Identifying FailureThree Pillars of ObservabilityImportant Metrics for APIsReading the SignalsApplication Decisions for Effective Software ReleasesResponse CachingApplication-Level Header PropagationLogging to Assist DebuggingConsidering an Opinionated PlatformADR Guideline: Opinionated PlatformsSummary
6. Operational Security: Threat Modeling for APIs
Case Study: Applying OWASP to the Attendee APIThe Risk of Not Securing External APIsThreat Modeling 101Thinking Like an AttackerHow to Threat ModelStep 1: Identify Your ObjectivesStep 2: Gather the Right InformationStep 3: Decompose the SystemStep 4: Identify Threats—Taking This in Your STRIDEStep 5: Evaluate Threat RisksStep 6: ValidationSummary
7. API Authentication and Authorization
AuthenticationEnd-User Authentication with TokensSystem-to-System AuthenticationWhy You Shouldn’t Mix Keys and UsersOAuth2Authorization Server Role with API InteractionsJSON Web Tokens (JWT)Terminology and Mechanisms of OAuth2 GrantsADR Guideline: Should I Consider Using OAuth2?Authorization Code GrantRefresh TokensClient Credentials GrantAdditional OAuth2 GrantsADR Guideline: Choosing Which OAuth2 Grants to SupportOAuth2 ScopesAuthorization EnforcementIntroducing OIDCSAML 2.0Summary
IV. Evolutionary Architecture with APIs
8. Redesigning Applications to API-Driven Architectures
Why Use APIs to Evolve a System?Creating Useful Abstractions: Increasing CohesionClarifying Domain Boundaries: Promoting Loose CouplingCase Study: Establishing Attendee Domain BoundariesEnd State Architecture OptionsMonolithService-Oriented Architecture (SOA)MicroservicesFunctionsManaging the Evolutionary ProcessDetermine Your GoalsUsing Fitness FunctionsDecomposing a System into ModulesCreating APIs as “Seams” for ExtensionIdentifying Change Leverage Points within a SystemContinuous Delivery and VerificationArchitectural Patterns for Evolving Systems with APIsStrangler FigFacade and AdapterAPI Layer CakeIdentifying Pain Points and OpportunitiesUpgrade and Maintenance IssuesPerformance IssuesBreaking Dependencies: Highly Coupled APIsSummary
9. Using API Infrastructure to Evolve Toward Cloud Platforms
Case Study: Moving the Attendee Service to the CloudChoosing a Cloud Migration StrategyRetain or RevisitRehostReplatformRepurchaseRefactor/Re-architectRetireCase Study: Replatforming the Attendee Service to the CloudRole of API ManagementNorth–South Versus East–West: Blurring Lines of Traffic ManagementStart at the Edge and Work InwardCrossing Boundaries: Routing Across NetworksFrom Zonal Architecture to Zero TrustGetting in the ZoneTrust No One and VerifyRole of Service Mesh in Zero Trust ArchitecturesSummary
10. Wrap-up
Case Study: A Look Back on Your JourneyAPIs, Conway’s Law, and Your OrganizationUnderstanding Decision TypesPreparing for the FutureAsync CommunicationHTTP/3Platform-based MeshWhat’s Next: How to Keep Learning About API ArchitectureContinually Honing the FundamentalsKeeping Up-to-Date with Industry NewsRadars, Quadrants, and Trend ReportsLearning About Best Practices and Use CasesLearning by DoingLearning by Teaching
Index
About the Authors

Content preview from Mastering API Architecture

Chapter 4. Service Mesh: Service-to-Service Traffic Management

In the previous chapter you explored how to expose your APIs and manage associated ingress traffic from end users and other external systems in a reliable, observable, and secure way using an API gateway. Now you will learn about managing traffic for internal APIs, i.e., service-to-service communication, with similar goals.

At a fundamental level, service mesh implementations provide functionality for routing, observing, and securing traffic for service-to-service communication. It is worth saying that even this choice of technology is not a slam dunk; as with all architectural decisions, there are trade-offs; there is no such thing as a free lunch when you are performing the role of architect!

In this chapter you will evolve the case study by extracting the sessions-handling functionality from the legacy conference system into a new internally facing Session service. As you do this you will learn about the communication challenges introduced by creating or extracting new services and APIs that are deployed and run alongside the existing monolithic conference system. All of the API and traffic management techniques you explored in the previous chapter will apply here, and so your natural inclination may be to use an API gateway to expose the new Session service. However, given the requirements, this would most likely result in a suboptimal solution. This is where the service mesh pattern and associated technologies ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492090625Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering API Architecture

by James Gough, Daniel Bryant, Matthew Auburn

Chapter 4. Service Mesh: Service-to-Service Traffic Management

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.