Introducing Apigee API Management for Istio
Hundreds of companies rely on Apigee to create and deliver strong API programs to developers both inside and outside their organizations. At the same time, Istio has been gaining rapid acceptance as a way to bring control to networks of services.
Since joining Google Cloud in late 2016, the Apigee team has been working to make our products work more closely with other Google technologies. One of the first teams that we collaborated with was the Istio team.
It quickly became clear that both Istio and Apigee provide complementary capabilities to teams building APIs and services in today’s world. We agreed that our customers would benefit if we could ensure that Apigee and Istio work well together.
Today, we’re announcing the integration of API management with Istio so that microservices can be exposed as APIs and more easily shared with developers inside and outside your organization.
What Istio and Apigee bringIstio simplifies the life of organizations contemplating a “microservices” approach, or who are simply deploying many services that communicate with each other. Istio creates a “service mesh” that routes traffic between interrelated services in a secure and robust way so that the developers of each individual service can focus on what a service does rather than the details of how it communicates.
Apigee is built around the realization that, in order to be successful, modern organizations must create APIs and share them with other developers who might be part of the organization or who might be external, or even unknown. API teams using Apigee achieve this by combining APIs into “API products” that offer different capabilities and levels of service.
This enables them to control who consumes each API product, and how much is consumed. Theteam gets the ability to open an API to third-party developers without worrying about seeing precious API capacity monopolized by a single developer without permission.
Bringing microservices and APIs togetherWhen a group of developers builds a system composed of many individual microservices, a service mesh like Istio adds an essential layer of reliability and security to the whole mesh.
However, when those developers wish to share their services with another group, or with developers entirely outside the organization, a service mesh isn’t enough—it’s time for the service to be exposed as an API.
But a successful API needs to be easily consumed and that's where Apigee API Management comes in. Without it, developers who use the API have no easy way to discover what an API does, or how to sign up and start using it. The team producing the API has no mechanism to control how the API is used and how resources are allocated.
Adding API management to IstioPreviously, developers could add API management capabilities to Istio by simply deploying Apigee Edge outside the Istio mesh and configuring it to treat Istio like any other target service.
With this new capability, an Istio user can now expose one or more services from an Istio mesh as APIs by adding API management capabilities via Istio’s native configuration mechanism.
Furthermore, Apigee users can now take advantage of Istio to bring API management to a large set of services by adding an Istio mesh to their existing Apigee installation, and then moving services into the mesh. These users may find this to be a more scalable alternative than today’s approach of deploying a large number of Apigee Edge proxies, or deploying many instances of Apigee Edge Microgateway.
This is all possible because Istio includes a component called Mixer that runs as a central part of every Istio mesh. Mixer's plugin model enables new rules and policies to be added to groups of services in the mesh without touching the individual services or the nodes where they run.
Once Apigee integration is enabled within an Istio mesh, the operator can simply use Istio’s native configuration tools to apply Apigee's API management policies and reporting to any service. Once enabled, management policies such as API key validation, quota enforcement, and JSON web token validation can be easily controlled from the Apigee UI.
Likewise, the Apigee user may view and report on API analytics, just as they expect to today. There is no need to create or deploy additional API gateways or proxies—Apigee’s integration with Mixer ensures that policy configuration changes take effect across the whole mesh, without any additional steps.
Because Mixer adds API management features to the native configuration of an Istio mesh, it greatly reduces the amount of work required to turn a large number of services into APIs. For instance, with Istio it is possible to ensure that a valid API key is required for a single service, or for a group or services, or for all services in the mesh, all using the same configuration mechanism.
Is there more?Apigee users are accustomed to employing a richer set of features that enable API producers to customize API requests and responses to simplify internal APIs for external consumption and help transform legacy systems into consumable APIs. None of this changes because of Istio—the existing Apigee Edge product is still powerful as a facade in front of services in an Istio mesh.
Furthermore, as the Istio community grows and the project adopts new capabilities, we hope to make some of these other Apigee features equally straightforward to add to an Istio mesh, so that we can bring the best of both products to our customers.
Thanks to Scott Ganyo and Will Witman for their invaluable help with this post.