Jump to Content
API Management

Introducing Shadow API detection for your Google Cloud environments

April 10, 2024
Nils Swart

Group Product Manager, Google Cloud

Shelly Hershkovitz

Product Manager, Google Cloud

Try Gemini 1.5 models

Google's most advanced multimodal models in Vertex AI

Try it

Enterprises operate a large and growing number of APIs — more than 200 on average — each a potential front door to sensitive data. Even more challenging can be figuring out which of these APIs are not actively managed “shadow APIs”. Born from well-intended development initiatives and legacy systems, shadow APIs operate without proper oversight or governance, and could be the source of damaging security incidents.

Today at Google Cloud Next, we are excited to announce shadow API detection in preview in Advanced API Security, part of our Apigee API Management solution. 

Securing your APIs with Apigee API Management

Apigee is Google Cloud’s turnkey API management solution that can help you build, manage, and secure APIs in the cloud and on-premises. Apigee helps ensure the reliability of your API transactions with fine-grained controls and more than 50 built-in security policies, including authentication and authorization.

Advanced API Security works proactively to identify misconfigured APIs, detect malicious bot and business logic attacks, and helps organizations take swift action to mitigate threats. Previously, this protection was only available for actively-managed APIs. Now, with the ability to discover shadow APIs in Advanced API Security, you can eliminate hard-to-find blind spots and close security gaps.

Detecting shadow APIs in Advanced API Security

Advanced API Security now integrates with Google Cloud regional external Application Load Balancers  to discover and identify API traffic in a specific region, to help support regulatory and performance requirements. 

In the following example, we show how this works in our Belgium region (europe-west-1).


Select your Google Cloud external Application Load Balancer’s region to discover the associated APIs.

Through examination of requests and responses flowing through your load balancers, Advanced API Security extracts the APIs and their relevant details such as API endpoints, platform, protocol, parameter names, and responses. You can access critical details on where the API is operating, the kind of operations that are running, and the latest activity on these APIs via an intuitive interface.


Advanced API Security catalogs and organizes all the APIs linked to the selected load balancer

Shadow API detection also looks at historical data to uncover new API calls, and can provide always-on awareness and detection of emerging shadow APIs. You can tag individual endpoints that need further attention to ensure comprehensive protection across your API surface.


Detailed information on shadow API endpoints associated with your load balancer

Upon detecting shadow APIs, you can collaborate with the API owners to establish management in accordance with company-wide security and API management standards. You can also implement missing security measures to help reduce the risk of compromise.

Get started tracking down shadow APIs

By detecting shadow APIs, Advanced API Security can help you strengthen your security posture and adopt a more proactive approach to finding vulnerabilities lurking in your application infrastructure. Sign up today to gain access to Advanced API security with shadow API detection.

Posted in