Manage outbound API access

tl;dr Apigee can be used to manage the external API access of enterprise internal IT systems, giving better visibility, control and potential cost reduction.

API management is typically thought of in North-South or East-West access scenarios. Managing APIs lets enterprises gain visibility and control over access to their APIs and unlocks digital lifecycle management of API consumers. Access by internal apps is similarly covered by the management layer, delivering the same set of benefits to private APIs.

[Image: 10541-northsouthv1.png]

Another class of problems exists in enterprises from an API access perspective. Internal systems often access endpoints that are external to the organization, whether to invoke partner systems to complete business processes or to call cloud-hosted SaaS services that power staff applications and business processes.

Often such access is swept under “internet access” for internal applications and treated only as that: network access to the internet. Such a design provides only coarse-grained security control and is usually implemented as a forward proxy with proxy authentication.

Several risks and missed opportunities arise from traditional outbound API access:

  1. Internal applications requiring external access are not easily distinguished from one another; teams often share external access credentials for various reasons, even in production systems.
  2. A mapping of internal applications to allowed external endpoints is not enforced. Access is often granted to the whole Internet.
  3. Identifying the teams that depend on a given external API is not a simple exercise.
  4. Traffic usage patterns of individual consuming systems are hard to assess.
  5. Responding to security threats, for example rotating keys to external systems, is often an elaborate process that invariably breaks internal systems.
  6. Usage of paid and metered access to external systems cannot be easily measured and regulated when several internal systems access a given API.

Enterprises with several IT teams, disparate systems and networks often run into these situations and end up managing them with guesswork. A partial view of the world leads to inaccurate controls or overly restrictive access; it is a trade-off between a weakened security posture and excessive bureaucracy for internal teams.

A full lifecycle API management system can be used for “outbound” API management as well.

[Image: 10542-thirdpartyv1.png]

Several capabilities can be turned on in this layer to gain visibility and control of “outbound” traffic.

Wrapped API

External endpoints can be wrapped as APIs in Apigee to provide a pre-approved set of endpoints an internal system can connect to. This provides a simple translation of an external hostname to an internally approved hostname. Right away this brings consistency in access, ensuring all systems connect to a well-known target.

Going forward, changes to the external URL, hostname or API version can be managed from this wrapped API, making dependency tracking a breeze. When a change is due, consuming teams and systems may not need any updates to their code once they have switched to the managed wrapper API.

Credential mediation

Enterprises are often provisioned a limited number of production credentials for all of their access to external systems. Such credentials can be held safely in Apigee (in an encrypted KVM, read with the KVM policy) and used for external access without distributing them throughout the enterprise's IT systems. All internal consuming systems use an Apigee-issued credential instead.

Any change needed to the external credential can be performed in one place. Internal changes to access can be performed within the enterprise without relying on the external provider's processes.

Traffic mediation

The traffic generated by internal consuming applications can also be regulated in the API layer as required. The credential mediation discussed above comes in handy here: the credentials identify applications and systems, and an appropriate traffic quota can be assigned to each of them in Apigee (Quota policy).

This also helps in internal app development scenarios, where an internal application in “dev” mode needs to be routed to the right external endpoint with a smaller traffic quota before being promoted to production mode with a bigger traffic quota.
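As an added illustration (not code from the original post), here is one way the wrapped API, credential mediation and per-app quota above fit together in a single Apigee proxy. The separate proxy, policy and target files are shown concatenated, each preceded by a comment naming it; the base path, the header name x-internal-apikey, the KVM name partner-credentials and the partner hostname are assumed placeholders.

```xml
<!-- apiproxy/proxies/default.xml: internal systems call the approved internal hostname (assumed) with base path /partner/v1 -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>VAK-InternalApp</Name></Step>
      <Step><Name>Q-PerApp</Name></Step>
      <Step><Name>KVM-GetPartnerKey</Name></Step>
      <Step><Name>AM-InjectPartnerKey</Name></Step>
    </Request>
  </PreFlow>
  <HTTPProxyConnection><BasePath>/partner/v1</BasePath></HTTPProxyConnection>
  <RouteRule name="default"><TargetEndpoint>default</TargetEndpoint></RouteRule>
</ProxyEndpoint>
<!-- apiproxy/policies/VAK-InternalApp.xml: identifies the calling internal system by its Apigee-issued key (header name assumed) -->
<VerifyAPIKey name="VAK-InternalApp">
  <APIKey ref="request.header.x-internal-apikey"/>
</VerifyAPIKey>
<!-- apiproxy/policies/Q-PerApp.xml: per-app quota keyed on the client_id that VerifyAPIKey set; the count comes from the API product, so a "dev" product can carry a smaller limit than "prod" (1000 is the fallback) -->
<Quota name="Q-PerApp" type="rollingwindow">
  <Identifier ref="client_id"/>
  <Allow count="1000" countRef="verifyapikey.VAK-InternalApp.apiproduct.developer.quota.limit"/>
  <Interval>1</Interval>
  <TimeUnit>hour</TimeUnit>
</Quota>
<!-- apiproxy/policies/KVM-GetPartnerKey.xml: reads the real partner credential from an encrypted KVM (map name assumed); encrypted values must be assigned to a private.* variable -->
<KeyValueMapOperations name="KVM-GetPartnerKey" mapIdentifier="partner-credentials">
  <Scope>environment</Scope>
  <Get assignTo="private.partner.apikey">
    <Key><Parameter>apikey</Parameter></Key>
  </Get>
</KeyValueMapOperations>
<!-- apiproxy/policies/AM-InjectPartnerKey.xml: strips the internal key and attaches the partner's, so the partner credential never leaves Apigee -->
<AssignMessage name="AM-InjectPartnerKey">
  <Remove><Headers><Header name="x-internal-apikey"/></Headers></Remove>
  <Set><Headers><Header name="Authorization">Bearer {private.partner.apikey}</Header></Headers></Set>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
<!-- apiproxy/targets/default.xml: the single pre-approved external host (placeholder) -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>https://api.partner.example</URL>
    <SSLInfo><Enabled>true</Enabled></SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>
```

Because the quota runs before the KVM lookup, a consumer that has exhausted its allowance is rejected without ever touching the partner credential or the external endpoint, and every call is already attributed to a client_id for analytics.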

Cost management

With traffic regulation also comes cost management capability. When external endpoints are metered and monetized, Apigee can restrict access to privileged or expensive operations to pre-approved apps.

In cases where the provider of the external endpoint charges for usage and there is flexibility on data currency, the Apigee cache (built-in distributed caching) can be used on outbound requests to limit the number of invocations of the external endpoint, resulting in cost savings for the consuming organization.
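An added example of such an outbound cache, not from the original post: a ResponseCache policy (policy name assumed) that serves repeated GETs to the wrapped partner endpoint from Apigee's distributed cache for ten minutes. It is attached as a Step in the TargetEndpoint request flow (cache lookup) and response flow (cache population).

```xml
<!-- apiproxy/policies/RC-PartnerLookup.xml: attach in the TargetEndpoint request PreFlow (lookup) and response PostFlow (populate) -->
<ResponseCache name="RC-PartnerLookup">
  <CacheKey>
    <KeyFragment ref="request.uri"/>  <!-- path plus query string of the wrapped call -->
  </CacheKey>
  <Scope>Exclusive</Scope>
  <ExpirySettings>
    <TimeoutInSec>600</TimeoutInSec>  <!-- acceptable staleness of the partner data: 10 minutes here -->
  </ExpirySettings>
  <!-- only idempotent reads with a successful answer are ever served from or written to the cache -->
  <SkipCacheLookup>request.verb != "GET"</SkipCacheLookup>
  <SkipCachePopulation>request.verb != "GET" or response.status.code != 200</SkipCachePopulation>
</ResponseCache>
```

The entry is shared by every internal app that requests the same URI, which is where the saving comes from; if the partner's response depends on who is asking, add a KeyFragment referencing client_id so one internal system never receives data cached for another.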

Analytics provided by Apigee can help in understanding the usage numbers reported by external software providers, keeping enterprises on top of their expenditure.

Version management

External endpoints and APIs go through version changes, deprecation or upgrades. An API-friendly management layer for external access provides consistency and reliability in managing the dependency for the enterprise as a whole.

Older, compromised or unauthorized versions can be blocked, and newer untested versions of external APIs can be made available only for non-prod experimentation, for example. The associated risk mitigation is sufficient to justify the investment in the management layer.

Privacy management

A checkpoint for sensitive and PII data can be created in the API layer, providing a safety net that catches any accidental or malicious leak of data to external systems.

GCP offers the Cloud Data Loss Prevention API, which can be leveraged in Apigee to identify region-specific sensitive or PII data and redact it on demand.

External to external access

SaaS services are growing by the day. A new class of access arises when one SaaS service calls another SaaS service, so the entire call may run outside the enterprise network. Wrapping the target SaaS APIs with Apigee provides control over external consumers calling external providers.

[Image: 10543-ext2extv1.png]

In conclusion, access to external endpoints and APIs is fraught with risks. Management of third-party APIs provides consistency in access and hands control back to the enterprise.

Comments
cmbrown
Staff

What about observability? One of the most difficult pieces to manage for regulated industries is observability of both internal and external APIs. What are your thoughts on this?

madhans
Staff

Completely agree. Observability powered by Apigee Analytics is an important value proposition that is worth a sub section. I will add this shortly.

Version history
Last update: 11-01-2020 04:56 PM