API gateway evaluation checklist

api mocking with nodejs and amokjs

API Gateway pattern

Adoption of microservices architecture allows technology teams to split software components into the smaller, independently deliverable chunks.

And adopt continuous delivery across independent teams.

However, the use of multiple data access points creates the uncertainty among client application developers.

How to maintain the common conventions, versioning, structure across array of services in most cases owned by multiple independent teams?

API gateway architecture pattern is recognised as the most efficient way of addressing the above challenges.

Common, edge layer functionality like API versioning, API security, access control, caching etc. is maintained in the API gateway layer.

API gateway then maintains a specification contract with client applications.

Why evaluation checklist?

Many organisations who choose to implement API first technology strategy, have to answer the important questions.

Should we build or buy? How do various API platform vendors compare?

The checklist we have created at PopularOwl Labs will help you to collect and evaluate the relevant information.

Its based on the experience we gained while helping multiple technology organisations with API first platform design and implementation.

We cover the most common questions and pointers which have to be assessed before making final decision and choosing API gateway for your stack.

Business Cost

In order to extract the value from technology, it's important to evaluate the ownership costs of technology solution.

  • Initial Cost.
    • Initial cost to setup and start using the product?
    • For on-premise products this is usually the license cost.
    • Cloud based API gateway products mostly are offering monthly / annual payment options. However, they might still charge the initial setup
  • Cost over time.
    • Medium to long term cost of running the API gateway product.
    • Maintainability
    • The cost of the upscaling and running the engineering team to maintain / support the product.
    • On premise based installations would require dedicated team / resources with cost allocations.
    • On premise based installations will have infrastructure component costs.
  • Portability. Vendor Lock-in.
    • How easy it will be to switch the vendors if required?
    • Migration process, complexity and cost.
  • Documentation and Training.
    • Availability of the active developer community around the specific API gateway product.
    • Availability of talent pool with relevant skill-set for hiring.
    • Quality of available documentation, training courses / materials and workshops.

Technical Product Capabilities

  • Operating model
    • Is API gateway product provided as SaaS only?
    • Does it support on-premise and private cloud deployments?
    • Which operating model is the most suitable for purchasing organization.
  • Secure connectivity between API gateway and the backend systems
    • What security mechanisms are available within the API gateway product to protect the underlying backend infrastructure?
    • Examples include: Mutual Authentication, VPN connectivity, etc.
    • Its very important requirement, specially for SaaS product candidates.
  • Scalability
    • How scalable is the API gateway product? Will it scale with number of API requests increasing?
    • Can vendor company provide example performance test data / results?
  • API Security
    • Support for the use of client side certificates.
    • Does API gateway support OpenID Connect, OAuth 2.0, OAuth 1.0 specifications and flows?
    • Native connectors to popular Identity providers? (for example, ForgeRock, Ping Identity etc.)
    • Can it securely store the authorisation tokens?
    • In addition, does it allow to revoke auth tokens? or or the group of auth tokens related to the specific user?
    • Support for rate limiting per authorised application?
    • Native support for JWT?
  • Orchestration and Transformation
    • Support for conditionally orchestrated backend system callouts during a single API request.
    • Native transformations and mediation of API request or response payloads and metadata.
    • Support for conversions between common request / response payload formats like JSON, XML
  • Caching
    • Does API gateway support API resource caching?
    • How configurable is caching strategy?
  • Quotas
    • Support for different API quotas for different authorised applications.
  • Logging / Analytics
    • Does API gateway provide UI interface for tracing transactions?
    • What are data analytics capabilities?
    • In addition, does it support custom reporting and report building.
    • How long analytics data is retained?
    • Support for logging analytics data to external storage or processing systems
  • API documentation
    • Support for publishing API documentation in industry standard formats? (for example OpenAPI, RAML)
  • Management APIs
    • Does API gateway product provide management APIs for automation?
    • Management APIs are mostly used to automate API development life cycles.
    • What is the proposed continuous integration / SDLC strategy by API gateway vendor?
  • Prebuilt integrations
    • What are the prebuilt integrations with common 3rd party systems?
    • Does API gateway support custom build plugins by 3rd party companies?

Similar posts: