Mastering API Architecture - Helion

ebook

Autor: James Gough, Daniel Bryant, Matthew Auburn
ISBN: 9781492090588
stron: 288, Format: ebook
Data wydania: 2021-03-19
Księgarnia: Helion

Cena książki: 228,65 zł (poprzednio: 265,87 zł)
Oszczędzasz: 14% (-37,22 zł)

Osoby, które kupiły tę książkę, wybierały także »

Most organizations with a web presence build and operate APIs; the doorway for customers to interact with the company's services. Designing, building, and managing these critical programs affect everyone in the organization, from engineers and product owners to C-suite executives. But the real challenge for developers and solution architects is creating an API platform from the ground up.

With this practical book, you'll learn strategies for building and testing REST APIs that use API gateways to combine offerings at the microservice level. Authors James Gough, Daniel Bryant, and Matthew Auburn demonstrate how simple additions to this infrastructure can help engineers and organizations migrate to the cloud; and open the opportunity to connect internal services using technologies like a service mesh.

Learn API fundamentals and architectural patterns for building an API platform
Use practical examples to understand how to design, build, and test API-based systems
Deploy, operate, and configure key components of an API platform
Use API gateways and service meshes appropriately, based on case studies
Understand core security and common vulnerabilities in API architecture
Secure data and APIs using threat modeling and technologies like OAuth2 and TLS
Learn how to evolve existing systems toward API- and cloud-based architectures

Osoby które kupowały "Mastering API Architecture", wybierały także:

Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
DevOps w praktyce. Kurs video. Jenkins, Ansible, Terraform i Docker 190,00 zł, (39,90 zł -79%)
Przywództwo w świecie VUCA. Jak być skutecznym liderem w niepewnym środowisku 58,64 zł, (12,90 zł -78%)
Scrum. O zwinnym zarządzaniu projektami. Wydanie II rozszerzone 58,64 zł, (12,90 zł -78%)

Spis treści

Mastering API Architecture eBook -- spis treści

Foreword
Preface
- Why Did We Write This Book?
- Why Should You Read This Book?
- Who This Book Is For
  - Developer
  - Accidental Architect
  - Solutions/Enterprise Architect
- What You Will Learn
- What This Book Is Not
- Conventions Used in This Book
- Using Code Examples
- OReilly Online Learning
- How to Contact Us
- Acknowledgments
  - James Gough
  - Daniel Bryant
  - Matthew Auburn
Introduction
- The Architecture Journey
- A Brief Introduction to APIs
- Running Example: Conference System Case Study
  - Types of APIs in the Conference Case Study
  - Reasons for Changing the Conference System
  - From Tiered Architecture to Modeling APIs
  - Case Study: An Evolutionary Step
    - Northsouth traffic
    - Eastwest traffic
  - API Infrastructure and Traffic Patterns
  - Roadmap for the Conference Case Study
- Using C4 Diagrams
  - C4 Context Diagram
  - C4 Container Diagram
  - C4 Component Diagram
- Using Architecture Decision Records
  - Attendees Evolution ADR
  - Mastering API: ADR Guidelines
- Summary
I. Designing, Building, and Testing APIs
1. Design, Build, and Specify APIs
- Case Study: Designing the Attendee API
- Introduction to REST
  - Introduction to REST and HTTP by Example
  - The Richardson Maturity Model
- Introduction to Remote Procedure Call (RPC) APIs
- A Brief Mention of GraphQL
- REST API Standards and Structure
  - Collections and Pagination
  - Filtering Collections
  - Error Handling
  - ADR Guideline: Choosing an API Standard
- Specifying REST APIs Using OpenAPI
- Practical Application of OpenAPI Specifications
  - Code Generation
  - OpenAPI Validation
  - Examples and Mocking
  - Detecting Changes
- API Versioning
  - Semantic Versioning
  - OpenAPI Specification and Versioning
- Implementing RPC with gRPC
- Modeling Exchanges and Choosing an API Format
  - High-Traffic Services
  - Large Exchange Payloads
  - HTTP/2 Performance Benefits
  - Vintage Formats
- Guideline: Modeling Exchanges
- Multiple Specifications
  - Does the Golden Specification Exist?
  - Challenges of Combined Specifications
- Summary
2. Testing APIs
- Conference System Scenario for This Chapter
- Testing Strategies
  - Test Quadrant
  - Test Pyramid
  - ADR Guideline for Testing Strategies
- Contract Testing
  - Why Contract Testing Is Often Preferable
  - How a Contract Is Implemented
    - Producer contracts
    - Consumer-driven contracts
    - Case study: Applying CDC
    - Contracts methodology overview
    - Contract testing frameworks
    - API contracts storage and publishing
  - ADR Guideline: Contract Testing
- API Component Testing
  - Contract Testing Versus Component Testing
  - Case Study: Component Test to Verify Behavior
- API Integration Testing
  - Using Stub Servers: Why and How
  - ADR Guideline: Integration Testing
  - Containerizing Test Components: Testcontainers
  - Case Study: Applying Testcontainers to Verify Integrations
- End-to-End Testing
  - Automating End-to-End Validation
  - Types of End-to-End Tests
  - ADR Guideline: End-to-End Testing
- Summary
II. API Traffic Management
3. API Gateways: Ingress Traffic Management
- Is an API Gateway the Only Solution?
- Guideline: Proxy, Load Balancer, or API Gateway
- Case Study: Exposing the Attendee Service to Consumers
- What Is an API Gateway?
- What Functionality Does an API Gateway Provide?
- Where Is an API Gateway Deployed?
- How Does an API Gateway Integrate with Other Technologies at the Edge?
- Why Use an API Gateway?
  - Reduce Coupling: Adapter/Facade Between Frontends and Backends
  - Simplify Consumption: Aggregating/Translating Backend Services
  - Protect APIs from Overuse and Abuse: Threat Detection and Mitigation
  - Understand How APIs Are Being Consumed: Observability
  - Manage APIs as Products: API Lifecycle Management
  - Monetize APIs: Account Management, Billing, and Payment
- A Modern History of API Gateways
  - 1990s Onward: Hardware Load Balancers
  - Early 2000s Onward: Software Load Balancers
  - Mid-2000s: Application Delivery Controllers (ADCs)
  - Early 2010s: First-Generation API Gateways
  - 2015 Onward: Second-Generation API Gateways
- Current API Gateway Taxonomy
  - Traditional Enterprise Gateways
  - Microservices/Micro Gateways
  - Service Mesh Gateways
  - Comparing API Gateway Types
- Case Study: Evolving the Conference System Using an API Gateway
  - Installing Ambassador Edge Stack in Kubernetes
  - Configuring Mappings from URL Paths to Backend Services
  - Configuring Mappings Using Host-based Routing
- Deploying API Gateways: Understanding and Managing Failure
  - API Gateway as a Single Point of Failure
  - Detecting and Owning Problems
  - Resolving Incidents and Issues
  - Mitigating Risks
- Common API Gateway Implementation Pitfalls
  - API Gateway Loopback
  - API Gateway as an ESB
  - Turtles (API Gateways) All the Way Down
- Selecting an API Gateway
  - Identifying Requirements
  - Build Versus Buy
  - ADR Guideline: Selecting an API Gateway
- Summary
4. Service Mesh: Service-to-Service Traffic Management
- Is Service Mesh the Only Solution?
- Guideline: Should You Adopt Service Mesh?
- Case Study: Extracting Sessions Functionality to a Service
- What Is Service Mesh?
- What Functionality Does a Service Mesh Provide?
- Where Is a Service Mesh Deployed?
- How Does a Service Mesh Integrate with Other Networking Technologies?
- Why Use a Service Mesh?
  - Fine-grained Control of Routing, Reliability, and Traffic Management
    - Transparent routing and service name normalization
    - Reliability
    - Advanced traffic routing: Shaping, policing, splitting, and mirroring
      - Traffic shaping
      - Traffic policing
  - Provide Transparent Observability
  - Enforce Security: Transport Security, Authentication, and Authorization
  - Supporting Cross-Functional Communication Across Languages
  - Separating Ingress and Service-to-Service Traffic Management
- Evolution of Service Mesh
  - Early History and Motivations
  - Implementation Patterns
    - Libraries
    - Sidecars
    - Proxyless gRPC libraries
    - Sidecarless: Operating system kernel (eBPF) implementations
- Service Mesh Taxonomy
- Case Study: Using a Service Mesh for Routing, Observability, and Security
  - Routing with Istio
  - Observing Traffic with Linkerd
  - Network Segmentation with Consul
- Deploying a Service Mesh: Understanding and Managing Failure
  - Service Mesh as a Single Point of Failure
- Common Service Mesh Implementation Challenges
  - Service Mesh as ESB
  - Service Mesh as Gateway
  - Too Many Networking Layers
- Selecting a Service Mesh
  - Identifying Requirements
  - Build Versus Buy
  - Checklist: Selecting a Service Mesh
- Summary
III. API Operations and Security
5. Deploying and Releasing APIs
- Separating Deployment and Release
  - Case Study: Feature Flagging
  - Traffic Management
- Case Study: Modeling Releases in the Conference System
  - API Lifecycle
  - Mapping Release Strategies to Lifecycle
  - ADR Guideline: Separating Release from Deployment with Traffic Management and Feature Flags
- Release Strategies
  - Canary Releases
  - Traffic Mirroring
  - Blue-Green
- Case Study: Performing Rollouts with Argo Rollouts
- Monitoring for Success and Identifying Failure
  - Three Pillars of Observability
  - Important Metrics for APIs
  - Reading the Signals
- Application Decisions for Effective Software Releases
  - Response Caching
  - Application-Level Header Propagation
  - Logging to Assist Debugging
  - Considering an Opinionated Platform
  - ADR Guideline: Opinionated Platforms
- Summary
6. Operational Security: Threat Modeling for APIs
- Case Study: Applying OWASP to the Attendee API
- The Risk of Not Securing External APIs
- Threat Modeling 101
- Thinking Like an Attacker
- How to Threat Model
  - Step 1: Identify Your Objectives
  - Step 2: Gather the Right Information
  - Step 3: Decompose the System
  - Step 4: Identify ThreatsTaking This in Your STRIDE
    - Spoofing
    - Tampering
      - Payload injection
      - Mass assignment
    - Repudiation
    - Information disclosure
      - Excessive data exposure
      - Improper assets management
    - Denial of service
      - Rate limiting and load shedding
    - Elevation of Privilege
    - Security misconfiguration
      - TLS termination
      - Cross-Origin Request Sharing (CORS)
      - Security directive hardening
  - Step 5: Evaluate Threat Risks
  - Step 6: Validation
- Summary
7. API Authentication and Authorization
- Authentication
  - End-User Authentication with Tokens
  - System-to-System Authentication
  - Why You Shouldnt Mix Keys and Users
- OAuth2
  - Authorization Server Role with API Interactions
  - JSON Web Tokens (JWT)
    - Encoding and verifying JSON Web Tokens
  - Terminology and Mechanisms of OAuth2 Grants
  - ADR Guideline: Should I Consider Using OAuth2?
  - Authorization Code Grant
    - Authorization Code Grant (+ PKCE)
    - Case Study: Accessing Attendee API with the Authorization Code Grant
  - Refresh Tokens
  - Client Credentials Grant
    - Case Study: Accessing Attendee API from the CFP system with Client Credentials Grant
  - Additional OAuth2 Grants
  - ADR Guideline: Choosing Which OAuth2 Grants to Support
  - OAuth2 Scopes
    - Case Study: Applying OAuth2 scopes to the Attendee API
  - Authorization Enforcement
- Introducing OIDC
- SAML 2.0
- Summary
IV. Evolutionary Architecture with APIs
8. Redesigning Applications to API-Driven Architectures
- Why Use APIs to Evolve a System?
  - Creating Useful Abstractions: Increasing Cohesion
  - Clarifying Domain Boundaries: Promoting Loose Coupling
- Case Study: Establishing Attendee Domain Boundaries
- End State Architecture Options
  - Monolith
  - Service-Oriented Architecture (SOA)
  - Microservices
  - Functions
- Managing the Evolutionary Process
  - Determine Your Goals
  - Using Fitness Functions
  - Decomposing a System into Modules
  - Creating APIs as Seams for Extension
  - Identifying Change Leverage Points within a System
  - Continuous Delivery and Verification
- Architectural Patterns for Evolving Systems with APIs
  - Strangler Fig
  - Facade and Adapter
  - API Layer Cake
- Identifying Pain Points and Opportunities
  - Upgrade and Maintenance Issues
  - Performance Issues
  - Breaking Dependencies: Highly Coupled APIs
- Summary
9. Using API Infrastructure to Evolve Toward Cloud Platforms
- Case Study: Moving the Attendee Service to the Cloud
- Choosing a Cloud Migration Strategy
  - Retain or Revisit
  - Rehost
  - Replatform
  - Repurchase
  - Refactor/Re-architect
  - Retire
- Case Study: Replatforming the Attendee Service to the Cloud
- Role of API Management
- NorthSouth Versus EastWest: Blurring Lines of Traffic Management
  - Start at the Edge and Work Inward
  - Crossing Boundaries: Routing Across Networks
- From Zonal Architecture to Zero Trust
  - Getting in the Zone
  - Trust No One and Verify
  - Role of Service Mesh in Zero Trust Architectures
    - Augmenting Service Mesh with Network Policies
- Summary
10. Wrap-up
- Case Study: A Look Back on Your Journey
- APIs, Conways Law, and Your Organization
- Understanding Decision Types
- Preparing for the Future
  - Async Communication
  - HTTP/3
  - Platform-based Mesh
- Whats Next: How to Keep Learning About API Architecture
  - Continually Honing the Fundamentals
  - Keeping Up-to-Date with Industry News
  - Radars, Quadrants, and Trend Reports
  - Learning About Best Practices and Use Cases
  - Learning by Doing
  - Learning by Teaching
Index