TPG Telecom reduces API delivery time by 50% with Apigee

TPG Telecom is a rising star in Australian telecommunications with a strategy based on extensive mergers and acquisitions (M&A) and organic growth. Our brands, including Vodafone, TPG, iiNet and AAPT, service five million mobile customers and 2.2 million fixed broadband customers through extensive mobile and fiber networks.

APIs are integral to our business on three levels. On the customer experience level, integration-based APIs focus on customer-related journeys, while we also use APIs for network and payment-related activities. However, our M&A-based growth strategy meant we were working with multiple technology stacks and systems with API capabilities. We needed to move to a modern API management platform for a range of reasons, including realizing the benefits of our existing and acquired businesses through cross-selling. The current customer relationship management (CRM) and billing systems provide APIs in different formats and protocols. As such, support for diverse API delivery platforms and visibility across APIs is essential to the business. Having Apigee as the API gateway allows TPG to expose APIs to the digital consumers system in a consistent format so that these digital systems can concentrate on the digital experience, rather than focus on implementing the complexities that support multiple API protocols. This helps ease the integration to the various backend systems.

API governance is important at TPG as we need to understand how they are being consumed and how they’re performing so that we can continuously evolve our API experience based on the feedback we get out of the APIs consumed. We use API metrics to trigger alarms that help us proactively identify and resolve issues in our downstream systems.

We wanted to replace what was a primarily on-premises API management solution with a decentralized, cloud-native platform to align with our broader business direction. We also sought to move from an outsourced, diverse development model to an agile, centralized DevSecOps, so we could deliver APIs in a seamless, consistent manner.

Working with another cloud provider, we needed a solution that would enable us to build APIs in a range of languages or frameworks and expose functionality consistently for consumption. It had to support the integration of a range of back-ends and enable runtimes within our preferred partner while ensuring seamless integration between accounts to our on-premises and partner cloud offerings. In addition, we had to put all our APIs under a common governance platform for visibility.

Why we selected Apigee

We evaluated several API management platforms and selected Apigee. It was the best fit for us for several reasons, including the fact it was a market leader due to its intuitive design and comprehensive feature set. The Apigee licensing model also enables us to better predict how much we would spend on licensing.

Also, it took us considerably less effort to expose and secure APIs and enable an automated CI/CD pipeline for faster, more efficient deployment. Finally, Google Cloud’s investments and proficiency in technologies such as AI, Kubernetes and service mesh, all technologies with rich applications to our business, helped prompt our selection.

Further, Apigee offered flexible deployment options and we selected Apigee hybrid to enable runtimes and integrations across multi-cloud and on-premises environments. Apigee also enabled us to establish a common governance platform for all APIs across our business.

We went live on Apigee with our first set of APIs at the end of 2022, and TPG Telecom is now on a multi-year journey to connect six platforms with up to 300 underlying systems. We’ve had a consistent experience consuming APIs exposed by TPG both for internal and external consumers. In addition, the security built into the Apigee platform ensures that the APIs being consumed do not have vulnerabilities in them, and are being monitored real time to pick up any performance or availability issues. As a result, we’re seeing a much faster integration.

Rather than enforce its use centrally, we are growing adoption across TPG on the basis of demonstrating value internally, which means looking for opportunities to work with teams to onboard APIs to Apigee.

Below are images of our current state Apigee architecture, and how we integrate APIs with external service providers:

Current state architecture - Apigee

Overcoming API visibility and duplication challenges

Apigee is helping us overcome a range of challenges we face by leveraging APIs within our business. For example, we had limited visibility of APIs and their consumption, which made creating policies hard, delayed fixing vulnerabilities and slowed the testing and release of APIs, which greatly reduced time-to-market speed. Additionally, there was extensive duplication of API-based products and services across our various businesses and brands due to a lack of visibility across business units. Without a single platform to expose APIs, external consumers leveraging our services resulted in API requests traversing multiple integration points and delaying response times. We also needed to refine our documentation approach to standardize and clarify our processes and implementation rules as well as provide a unified repository to store API artifacts relating to rules, patterns, and integration styles.

With Apigee and API Hub, we now have a central location from which to design and publish APIs, which are well documented with clear specifications available, and we are moving towards a single API format to reduce complexity and creation time.

Prior to Apigee, duplication also extended to security controls. Because we did not have a unified API management and API solution to provide an abstraction layer to API consumers, we had to engage disparate pentesting and security teams to independently test our back-end systems, network and customer experience applications. Reducing the time needed to implement the same controls on different platforms was a priority as pentesting cycles ran for two sprints. The first sprint involved recommending security measures for an application and the second sprint was to verify that those measures had been implemented.

We now use Apigee’s Advanced API Security as a single control plane to manage security across the hundreds of published APIs. The security control recommendations and remediations provided by Apigee’s Advanced API Security solution also streamline the process for enforcing critical security controls consistently.

Prior to implementing Apigee, our API management landscape was fragmented and complex. With multiple solutions, it was difficult to invest in platform engineering best practices, including CI/CD, observability and governance. We could not implement observability through New Relic, Splunk or other products, and we did not have active monitoring in place to identify any issues and notify the right people to respond. Without automated CI/CD, many of these platforms required highly manual build-deploy processes, which made it difficult to maintain and manage code versioning, as well as delaying the deployment of solutions to production, often by weeks.

Also, Apigee has enabled us to standardize logging and monitoring so all our APIs follow a common pattern and our Apigee logs go into Splunk for observability across the platform. We have also now configured some alerting and monitoring systems to identify if any of our systems are experiencing issues such as timeouts or delays, which enables us to promptly engage the relevant teams to resolve those problems.

Under our previous platform, execution logic was tightly coupled between API development and deployment, meaning our developers had to understand a considerable amount of business logic before they could deliver API services to external customers. Bringing these developers up to speed added unnecessarily to our overheads. Now with Apigee, we’ve implemented a loosely-coupled architecture and created a central API team, focused on deployment, standards, and runtime operations, reducing development overheads and accelerating the release cadence.

With Apigee we’ve been able to implement standardization, security, and consistent integration processes for our APIs. When planning for special events and promotions such as the launch of a new phone, we capture the volume of requests and expected launch traffic, and record other business metrics to determine the auto-scaling characteristics of our EKS cluster. Apigee Hybrid scales extremely well without any impact on performance or availability.

Onboarding APIs to production two times faster

We are now onboarding APIs to production in just two weeks, including integration, observability and associated automation. It used to take up to four weeks with our previous API management platform. Apigee Advanced API Security enables us to evaluate the security scores of each API and identify and fix a lot of issues prior to running penetration tests, providing a good degree of confidence that foundational security controls are protecting our production APIs.

We are now poised to step up the adoption of Apigee across the enterprise, for both internal and external API consumers, as well as realize the potential of APIs to unlock cross-sell and upsell opportunities within the TPG Telecom umbrella.