requests traverse into inner APIs as well as microservices. Rarely is there
one gateway unless it is a monolithic design or enterprise service bus type
deployment. Harvest telemetry from your API gateways to improve your
monitoring capabilities and create amplifying effects for your non-security
and security initiatives.
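An added illustration of what harvesting gateway telemetry can yield (example code written for this edit, not from the original guide or any vendor): it parses constructed newline-delimited JSON access records, whose field names are assumptions rather than a specific gateway's schema, and derives both a security signal (clients with repeated authentication failures or unusually high request volume against the same service) and a non-security one (request volume per backend route).

```python
import json
from collections import defaultdict

# Constructed sample of API gateway access telemetry, one JSON object per line.
# Field names (ts, client_ip, method, path, status, route) are assumptions.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:01Z", "client_ip": "10.0.0.5", "method": "GET", "path": "/v1/users/1001", "status": 401, "route": "users-svc"}
{"ts": "2024-05-01T10:00:02Z", "client_ip": "203.0.113.9", "method": "GET", "path": "/v1/orders", "status": 200, "route": "orders-svc"}
{"ts": "2024-05-01T10:00:02Z", "client_ip": "10.0.0.5", "method": "GET", "path": "/v1/users/1002", "status": 401, "route": "users-svc"}
{"ts": "2024-05-01T10:00:03Z", "client_ip": "10.0.0.5", "method": "GET", "path": "/v1/users/1003", "status": 403, "route": "users-svc"}
{"ts": "2024-05-01T10:00:03Z", "client_ip": "198.51.100.7", "method": "POST", "path": "/v1/orders", "status": 201, "route": "orders-svc"}
{"ts": "2024-05-01T10:00:04Z", "client_ip": "10.0.0.5", "method": "GET", "path": "/v1/users/1004", "status": 401, "route": "users-svc"}
{"ts": "2024-05-01T10:00:05Z", "client_ip": "10.0.0.5", "method": "GET", "path": "/v1/users/1005", "status": 200, "route": "users-svc"}
{"ts": "2024-05-01T10:00:05Z", "client_ip": "203.0.113.9", "method": "GET", "path": "/v1/orders/77", "status": 200, "route": "orders-svc"}
{"ts": "2024-05-01T10:00:06Z", "client_ip": "10.0.0.5", "method": "GET", "path": "/v1/users/1006", "status": 200, "route": "users-svc"}
"""


def parse_gateway_log(text: str) -> list:
    """Parse newline-delimited JSON; a blank or malformed line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def per_client_stats(events: list) -> dict:
    """Aggregate per source IP: request count, 401/403 count, distinct paths and routes."""
    stats = defaultdict(lambda: {"requests": 0, "auth_failures": 0,
                                 "paths": set(), "routes": set()})
    for e in events:
        s = stats[e["client_ip"]]
        s["requests"] += 1
        if e["status"] in (401, 403):
            s["auth_failures"] += 1
        s["paths"].add(e["path"])
        s["routes"].add(e["route"])
    return dict(stats)


def flag_clients(stats: dict, max_requests: int = 5, max_auth_failures: int = 3) -> dict:
    """Security view: clients whose volume or auth-failure count crosses a threshold.

    Thresholds are placeholders; tune them to the gateway's observed baseline.
    """
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["requests"] > max_requests:
            reasons.append(f"requests={s['requests']} over {len(s['paths'])} distinct paths")
        if s["auth_failures"] >= max_auth_failures:
            reasons.append(f"auth_failures={s['auth_failures']}")
        if reasons:
            findings[ip] = reasons
    return findings


def requests_per_route(events: list) -> dict:
    """Non-security view: which backend routes carry the traffic."""
    counts = defaultdict(int)
    for e in events:
        counts[e["route"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_gateway_log(SAMPLE_LOG)
    print("per-route volume:", requests_per_route(evts))
    print("flagged clients:", flag_clients(per_client_stats(evts)))
```

The same parsed events feed both views, which is the amplifying effect the text refers to: one telemetry pipeline serves capacity planning and security monitoring alike.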
2. Mediate APIs to enforce access control: API gateways are foundational for providing traffic management, authentication, and authorization mechanisms. Traffic management functions map to well-known network security controls such as rate limits or IP address allow and deny lists. API gateways are also an ideal place to enforce authentication and authorization for APIs, such as OpenID Connect (OIDC) and OAuth2 respectively. Typically, API gateways are paired with external identity and access management (IAM) systems to share the load of storing all types of user or machine identities, authenticating identities, authorizing identities, and maintaining audit trails of all activity. Plan with the notion that machines consuming your APIs (such as in automation use cases or partner integration) can be just as dominant as traditional end-user consumption through client front-ends.
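An added example of the mediation layer described above (code written for this edit, not from the original guide or any gateway product): a minimal gateway that applies an IP deny list and a per-client rate limit, then authenticates a bearer token as an OAuth2 access token and authorizes the request by scope. The HS256 shared secret, the issuer and audience values, the route-to-scope mapping and the standard library JWT helper are all assumptions made for the example; a production gateway would normally validate RS256/ES256 tokens against the IAM system's published keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for the example: a constructed HS256 secret shared by the
# identity provider and the gateway, plus the IdP's issuer and API audience.
HS256_SECRET = b"example-shared-secret-not-for-production"
ISSUER, AUDIENCE = "https://idp.example", "orders-api"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = HS256_SECRET) -> str:
    """Mint an HS256 JWT; stands in for the IAM system issuing an access token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: int):
    """Return claims if algorithm, signature, iss, aud and exp all check out, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # pin the algorithm
            return None
        expected = hmac.new(HS256_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, AttributeError):   # malformed base64, JSON or header shape
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class RateLimiter:
    """Fixed-window counter: at most `limit` requests per `window` seconds per key."""
    def __init__(self, limit: int, window: int):
        self.limit, self.window = limit, window
        self.counts = defaultdict(int)          # (key, window index) -> requests seen

    def allow(self, key: str, now: int) -> bool:
        bucket = (key, now // self.window)
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


class Gateway:
    """Mediates a request: IP policy, then rate limit, then authn, then scope authz."""
    def __init__(self, deny_nets, limiter: RateLimiter, route_scopes: dict):
        self.deny_nets = [ip_network(n) for n in deny_nets]
        self.limiter = limiter
        self.route_scopes = route_scopes        # path prefix -> required OAuth2 scope

    def handle(self, request: dict, now: int):
        ip = ip_address(request["client_ip"])
        if any(ip in net for net in self.deny_nets):
            return 403, "ip-denied"
        if not self.limiter.allow(request["client_ip"], now):
            return 429, "rate-limited"
        auth = request.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing-bearer"
        claims = verify_token(auth[len("Bearer "):], now)
        if claims is None:
            return 401, "invalid-token"
        required = next((scope for prefix, scope in self.route_scopes.items()
                         if request["path"].startswith(prefix)), None)
        if required is None:
            return 404, "no-route"
        if required not in claims.get("scope", "").split():
            return 403, "insufficient-scope"
        return 200, f"forwarded:{claims.get('sub')}"   # pass to the backend service


def _request(ip: str, path: str, token: str = None) -> dict:
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return {"client_ip": ip, "path": path, "headers": headers}


def demo(now: int = 1_700_000_000) -> list:
    """Run a constructed request sequence through the gateway; returns the decisions."""
    gw = Gateway(deny_nets=["192.0.2.0/24"], limiter=RateLimiter(limit=4, window=60),
                 route_scopes={"/v1/orders": "orders:read"})
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "svc-billing", "exp": now + 300}
    reader = make_token({**base, "scope": "orders:read"})
    writer = make_token({**base, "scope": "orders:write"})
    foreign = make_token({**base, "scope": "orders:read"}, secret=b"not-our-idp")
    return [
        gw.handle(_request("192.0.2.10", "/v1/orders", reader), now),   # 403 ip-denied
        gw.handle(_request("203.0.113.9", "/v1/orders"), now),          # 401 missing-bearer
        gw.handle(_request("203.0.113.9", "/v1/orders", reader), now),  # 200 forwarded
        gw.handle(_request("203.0.113.9", "/v1/orders", foreign), now), # 401 invalid-token
        gw.handle(_request("203.0.113.9", "/v1/orders", writer), now),  # 403 insufficient-scope
        gw.handle(_request("203.0.113.9", "/v1/orders", reader), now),  # 429 rate-limited
    ]
```

The ordering in `Gateway.handle` is deliberate: network-level controls (deny list, rate limit) run before any token parsing so that abusive or unauthenticated traffic is shed cheaply, and the `sub` claim identifies a machine identity (`svc-billing`) just as readily as a human user, which is the point the text makes about automation and partner consumers.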
3. Adopt API management for non-security use cases: organizations sometimes reach a tipping point where they have too many APIs or too many API gateway deployments that lack standardization and centralization. To bring order to the chaos, organizations will often opt for an APIM offering that brings a broader range of lifecycle capabilities, including features to support monetization of APIs, partner enablement, developer self-service, quota management, access control policies, operational workflow, publishing control, and centralized logging. The APIM offering enables and enforces these features via API gateway deployments.
4.