By Rajesh Bavanantham, Veena Raja Rathna and Andrew Stiefel of F5

APIs are the connective tissue of the modern Internet, linking data from the edge back to the cloud and on premises data centers. According to F5's 2021 State of Application Strategy Report, leveraging APIs is the most popular of the various methods that organizations are using to modernize:

  • 58% of organizations are adding a layer of APIs to enable modern user interfaces
  • 51% are adding modern application components (for example, Kubernetes)
  • 47% are refactoring (modifying application code itself)
  • 40% are moving to public cloud (lifting and shifting) without modernizing

In an API driven economy, APIs must be 100% reliable. But as businesses and applications scale, operational complexity multiplies. Cloud native applications are increasingly distributed and decentralized by design - composed of dozens, hundreds, or even thousands of APIs deployed across cloud, on premises, and edge environments.

Recent research from F5's Office of the CTO identified continuous API sprawl as a significant threat to businesses undergoing digital transformation. But what does that mean?

What is API sprawl?

API sprawl describes two intertwined challenges that arise as organizations implement digital transformation: exponential growth in the number of APIs and the physical distribution of APIs across multiple architectures and teams.

The four key drivers of API sprawl are:

  • Hybrid infrastructure - Today 81% of enterprises operate across three or more architectures including public clouds, on premises data centers, and edge infrastructure.
  • Microservices architectures - The growing adoption of microservices architectures leads to the proliferation of API endpoints as new services come online.
  • Continuous software deployment - Developers can rapidly churn out dozens of APIs, or many versions of a single API, over a short period of time.
  • Abandoned APIs - As developers move on to support and work on other projects, they stop managing and maintaining the APIs they created.

API sprawl is a significant threat

Many businesses don't yet recognize API sprawl as a significant problem - but it is. Organizations that understand and address the root causes of API sprawl are the ones that will thrive in the coming decade.

API sprawl introduces significant operational and security challenges for enterprises. As API endpoints proliferate across multiple teams and environments, securing and governing APIs becomes a monumental challenge. For enterprises, API sprawl often results in hidden costs – lower developer productivity, increased rework, slower reviews – that are not easily measurable until it is too late.

Key challenges of API sprawl include:

  • Lack of visibility - Hybrid architectures make it extremely difficult to get a unified view into API traffic and configurations
  • No clear source of truth - Developers struggle to discover APIs and up-to-date documentation
  • Decreased reliability - Misconfigurations become more common, resulting in outages
  • Elevated security threats - Unsecured API endpoints are easy targets for attacks

How can you fight API sprawl?

The first step in building a resilient API infrastructure is getting a handle on API sprawl with a holistic API strategy that incorporates best practices around persistent API ownership and a central API or service catalog. Next, overlay API governance to streamline API lifecycle management in a practical and scalable manner.

At F5, we've built a management plane solution to reduce the complexity of managing APIs. API Connectivity Manager, part of F5 NGINX Management Suite, provides a single interface for connecting, governing, and securing your APIs, regardless of where they are located or who is building them.

API Connectivity Manager helps you execute the five tactics critical to fighting API sprawl and managing APIs at scale:

  • Implement an API governance strategy
  • Create a single source of truth for APIs
  • Ensure proper versioning and documentation
  • Provide metrics and visibility
  • Apply API security at scale

Tactic #1: Implement an API governance strategy

Centralized management and control makes it easier to discover, connect, and secure APIs within a single architecture or cluster. API sprawl forces you to adjust the way you think – from a purely hierarchical model to a distributed and autonomously scaling model.

How NGINX helps – With API Connectivity Manager you can implement a flexible governance model that balances global policies with fine‑grained controls so API owners can manage local policies. This helps accelerate time to market without sacrificing consistent oversight of security and compliance.

Platform and infrastructure teams can ensure API consistency across the enterprise with global policies for logging, error response codes, TLS configuration, and more. Developers building and managing APIs retain control of service‑level policies such as rate limiting, authentication, and authorization.

Tactic #2: Create a single source of truth for API discovery

As the number of APIs and the complexity of apps grow, it becomes very hard to discover and track which APIs are available and where they are located. If APIs are hidden within the infrastructure of a particular microservice and not registered, teams in charge of other microservices cannot find and integrate those APIs into their projects.

How NGINX helps – With API Connectivity Manager, you can create service catalogs and API portals where developers can discover and use your APIs. A good developer portal experience promotes the consumption of your APIs by providing a central location for information about what APIs are available and how to use them, plus tools for generating credentials.

Tactic #3: Ensure proper versioning and documentation

API portals are a good first step. Problems arise, however, when API specifications change during development cycles. The implication is that the remote service calling an API also needs to change. This approach might work if all microservices are being designed by the same team for the same application, but not when APIs are being published for consumption by third parties.

At the same time, maintaining documentation is a headache for developers. After an initial burst of activity, API portals often go stale, becoming ghost towns of unsupported APIs and outdated documentation, leaving stakeholders and API users lost and frustrated.

How NGINX helps – With API Connectivity Manager, you can integrate API publication and documentation into a seamless workflow for API developers. API owners can simultaneously publish APIs and generate documentation using the OpenAPI Specification, saving them time and ensuring that documentation stays current for everyone.

Tactic #4: Provide metrics and visibility into API traffic

Understanding where APIs are located and how they are configured is one of the most significant challenges facing enterprises. Without a consistent view into API traffic across environments, identifying performance issues and security threats is difficult, if not impossible.

How NGINX helps – With API Connectivity Manager, you can create a single platform that provides access to important metrics that help you enforce best practices and ensure performance and reliability. Infrastructure owners can monitor API traffic and configurations, enforce standardized log formats, and export data to their preferred monitoring solutions.

Tactic #5: Apply API security at scale

More than 90% of enterprises experienced an API security incident in 2020. Your organization's threat surface grows with every new API endpoint that comes online. At scale, security cannot be an add‑on feature – it must be built into the entire lifecycle from specification to code to deployment.

How NGINX helps – With API Connectivity Manager, you can protect APIs with two key components for API security: API access control and API protection. Enforce API access control by managing authentication and authorization with JSON Web Tokens (JWTs), API Keys, or OAuth2/OpenID Connect. In the coming months, API Connectivity Manager will add support for NGINX App Protect WAF so you can secure your API gateways and defend against common and advanced threats with out-of-the-box support for the OWASP API Security Top 10, schema validation, and more.

Technologies