Apigee

Google Cloud Apigee Named a Leader for the 10th Consecutive Time in the Gartner® Magic Quadrant™ for API Management

Tue, 14 Oct 2025 18:30:00 +0000

We are excited to share that Google has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for API Management, positioned highest for our Ability to Execute — marking our tenth consecutive recognition.

Google was positioned highest in Ability to Execute of all vendors evaluated. We believe this reflects our commitment supporting traditional API use cases, but also in providing a bridge for our customers to AI and agentic AI management, using the same familiar platform and native controls.

Extending API management to gen AI and agentic AI

The rise of AI and agentic workloads is powered by an API nervous system. While AI tools create powerful possibilities, organizations often hit roadblocks moving from pilot to production. At issue are managing, securing, and scaling these solutions — especially with LLMs and the agents that leverage them in highly regulated environments.

Apigee, Google Cloud's native API management platform, bridges this gap. We are extending our proven capabilities directly to your AI initiatives, helping them deliver real, measurable business value.

Apigee functions as the intelligent, secure proxy for all your AI agents, tools, and backend models, enhancing their security, scalability, and governance. By serving as this crucial gateway, Apigee helps secure agentic workloads against risks, ensures operations are on governed data, and helps control costs.

Managing, governing, and securing agentic AI

A variety of Apigee capabilities help enterprise API and AI platform teams move AI initiatives into production. These capabilities include:

AI productization
API products are the the center of the Apigee platform, enabling platform teams to bundle discrete API operations into a product, manage access and quota, and make it available for consumption. Today, Apigee is helping teams move toward AI productization, bundling tools including third-party integrations (from Application Integration), agentic tools such as MCP servers, and of course APIs, into an AI product. This promotes developer reuse, granular access control, and monetization, so organizations can unlock new revenue streams.

Agent-ready tools
Apigee’s new API specification boosting capability (currently in Private Preview), based on a multi-agent tool built by Google DeepMind, automatically enhances existing API specifications to make them more discoverable by agents. It does so by including comprehensive examples, error scenarios, and business logic derived from your organization's API patterns.

AI cost management
Customers use Apigee’s native quota policies to enforce token limits at the API or AI product level. Our integration with Looker Studio (a free Google Cloud service) provides API platform teams with the ability to create custom reports on AI token usage that can be shared externally with stakeholders.

Centralized tool catalog and observability
Apigee API hub provides a centralized catalog in which to store information about their APIs, MCP servers, and third-party integrations. Built-in semantic search capabilities powered by Gemini help teams discover and reuse tools. Thanks to the Apigee API hub toolset for Agent Development Kit (ADK), developers building custom agents using ADK can easily give agents access to tools from Apigee API hub with a single line of code. API traffic and performance data is integrated into the catalog for access by humans and agents. Further, these same semantic capabilities drive emerging use cases for semantic tool identification.

Tool security and compliance
Apigee’s 60+ policies include security policies to help keep tools protected and safe, including native policies for AI safety using Model Armor. Additionally, Apigee Advanced API Security integrates natively with Apigee’s runtime, providing enhanced security capabilities like dynamic API security posture management and abuse detection powered by Google-engineered machine learning models. Finally, Apigee’s enhanced data residency capabilities help support compliant workloads worldwide.

Multi-cloud model routing
Apigee serves as a proxy between agents and backend LLM models, connecting agents with tools and providing routing to backend LLM models hosted on and off Google Cloud. Apigee’s circuit-breaking capabilities help ensure that AI and agentic applications remain highly available.

Apigee: Trusted by global leaders

Global leaders trust Apigee to manage mission-critical APIs at scale, even in highly regulated industries. We are committed to continuously investing in Apigee to ensure it remains a world-class, trusted service that meets the evolving needs of our customers. In our opinion, this recognition from Gartner reinforces our commitment to continuous innovation and the delivery of an exceptional developer experience.

Thank you to our customers and partners

We're incredibly grateful to our community of customers, developers, and partners for your continued support and trust in Apigee. Your feedback and collaboration are invaluable in driving our product roadmap and helping us deliver reliable API management experience.

Download the full report to learn more.

Google Cloud Apigee named a Leader in the 2024 Gartner® Magic Quadrant™ for API Management

Thu, 24 Oct 2024 16:00:00 +0000

We're excited to announce that Google Cloud’s Apigee has been named a Leader in the 2024 Gartner® Magic Quadrant™ for API Management for the ninth consecutive time! We believe this consecutive recognition highlights our dedication to providing a comprehensive and innovative API management platform. Apigee empowers businesses to lead in the cloud era by harnessing its increased capacity, security, and scalability, all increasingly powered by generative AI.

Your partner in digital transformation

In today's digital-first world, APIs are essential for businesses to thrive. That's why industry leaders like General Mills, Nationwide Insurance, PUMA, Freightos, Tieto and Veolia trust Apigee to manage their API ecosystems. We value their confidence in our ability to help them deliver better customer experiences, drive innovation, secure their infrastructure, and unlock new revenue opportunities.

aside_block: <ListValue: [StructValue([('title', 'Try Google Cloud for free'), ('body', <wagtail.rich_text.RichText object at 0x7ff784acbb20>), ('btn_text', 'Get started for free'), ('href', 'https://console.cloud.google.com/freetrial?redirectPath=/welcome'), ('image', None)])]>

Navigating the API landscape with confidence

The API landscape is constantly evolving — generative AI offers an unprecedented opportunity for productivity, while increasing security demands add new layers of complexity. Apigee is designed to help you navigate these challenges with confidence. Apigee provides:

Comprehensive API lifecycle management: Streamline your entire API lifecycle from design and development to deployment and monitoring.
Robust security features: Protect your APIs and data with advanced security policies and threat protection.
Scalability and performance: Handle high volumes of API traffic with ease, ensuring optimal performance and reliability.
Gen AI-powered insights: Gain valuable insights into API usage and performance to optimize your API strategy.

Our commitment to continued innovation

Apigee is dedicated to providing the essential capabilities developers need to succeed. We're committed to investing in Apigee to ensure it remains a world-class service that meets the evolving needs of our customers. This recognition from Gartner, in our opinion, reinforces our commitment to continuous innovation and the delivery of an exceptional developer experience.

This year, we've focused on key areas such as:

Gen AI integration: We’re empowering developers to leverage the power of gen AI to build, secure, and manage all their APIs with ease using the power of Gemini Code Assist to generate new APIs from a combination of prompts and your own enterprise context. LLM-enabled search simplifies API discovery and understanding interconnections.
Enhanced security and compliance: We've strengthened our platform with robust measures to combat threats and meet changing requirements. Developers can gain more control with the ability to flag or automatically block malicious consumers. Enhanced data-residency capabilities further support compliant workloads worldwide.
Improved developer experience: Developers can accelerate API development with intuitive tools and workflows such as VS Code leveraging Gemini Code Assist.
Accelerated API delivery: Quickly generate new APIs from existing specs, and easily create mock backends that can be run locally or deployed to Cloud Run for rapid prototyping.

Thank you to our customers and Partners

We're incredibly grateful to our thriving community of customers, developers, and partners for their continued support and trust in Apigee. Your feedback and collaboration are invaluable in driving our product roadmap and helping us deliver reliable API management experience.

Download the report

Download the full report here (requires an email address) or learn more.

^{Gartner, Magic Quadrant for API Management, Shameen Pillai, John Santoro, Nicholas Carter, Andrew Humphreys, Mark O'Neill, 16 October 2024.}^{Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.}^{This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Google.}^{GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.}

From gRPC to RESTful APIs: Expose your gRPC services to the REST of the world

Wed, 14 Aug 2024 16:00:00 +0000

When designing a modern microservice architecture, performance is obviously key. Even outside of high-frequency trading and near-real time systems, extra milliseconds in inter-service communication matter a lot for the overall user experience. In this environment, gRPC has emerged as a high-performance communication protocol and is widely adopted for its low latency, efficient serialization and strongly typed messages.

On the other hand we need to acknowledge that most of the inter-service communications across system boundaries still heavily rely on HTTP APIs. That’s because the APIs largely serve as a contract between decoupled entities in the form of API producers and consumers, and changing them to gRPC would introduce a lot of friction. Additionally, not all developers are equipped or experienced enough to consume gRPC services. API providers would therefore risk missing out on a potential audience by limiting themselves to exposing gRPC services only.

In this blog we demonstrate how to easily bridge the gap between the highly-performant gRPC services and the widely adopted ecosystem of RESTful HTTP APIs. We propose a solution that leverages an automatically generated gRPC gateway that can be deployed alongside the existing gRPC service to handle the protocol translation that will provide an HTTP interface. Finally, we introduce Apigee as the enterprise API management platform to expose a clean RESTful API facade in a secure and self-service manner.

gRPC-to-HTTP gateway

Let’s assume that over the course of its operation, a fictitious company operating an e-commerce site realized that some of the components could provide value on their own and be included in their strategic API economy efforts. Our example is based on a sample microservices architecture that is composed of a range of sub-components written in different programming languages. The first service that they want to explore onboarding on to their API platform is the currency service. It provides two gRPC methods that lets clients list the supported currencies and perform a currency conversion from one currency to another.

As mentioned in the introduction, gRPC services are a popular choice for internal or so called "east-west" service-to-service communications. While gRPC exhibits superior performance characteristics, a significant number of APIs currently utilize HTTP as their primary communication protocol. Migrating these APIs to gRPC would require a substantial investment of resources, particularly considering that not all developers are familiar with the gRPC framework.

To overcome this challenge, we want to provide an adapter layer that provides a more traditional JSON HTTP-based API for the service. Instead of manually writing the protocol translation ourselves, we decided to use the open-source gRPC gateway project to automatically generate an adapter for our use case. The gateway is based off of a .proto file that specifies the services and messages. It serves as the single source of truth — or contract — between the service producer and consumers. To simplify generating the gateway, we created a convenience wrapper that allows us to generate the gateway by providing it a reference to the .proto file.

code_block: <ListValue: [StructValue([('code', './generate-gateway.sh --proto-path ./examples/currency.proto'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7842bc9d0>)])]>

The above command parses the supplied .proto file and generates the go module for translating an incoming HTTP REST request to gRPC and sending it to the specified endpoint. Finally, it wraps the gateway in a go module that can be deployed independently.

For the final architecture we’ll want to build a container image and deploy to a target runtime such as Cloud Run. To understand how the gateway works we can also run it locally:

code_block: <ListValue: [StructValue([('code', '(cd generated/gateway && docker build . -t gateway:latest)\r\ndocker run -p 8080:8080 -e GRPC_SERVER_ENDPOINT=localhost:9090 gateway:latest'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7842bc880>)])]>

The GRPC_SERVER_ENDPOINT environment variable here points to the gRPC endpoint that the gateway should send traffic to. In this case, we've already got the gRPC currency service running locally on port 9090. With the gateway started up, you can now send a regular JSON HTTP request to the gateway’s endpoint:

code_block: <ListValue: [StructValue([('code', 'curl -X POST localhost:8080/hipstershop.CurrencyService/Convert -d \'{"from": {"units": 3, "currency_code": "USD", "nanos": 0}, "to_code": "CHF"}\''), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7842bc400>)])]>

As we can see, we’ve made our gRPC currency service available as a JSON HTTP API that can be easier to use within a wider API ecosystem. However, there's still room for improvement when we consider how this new API aligns with the company's well-established API strategy:

The API doesn’t follow the widely accepted RESTful API design principles and still largely reflects the structure of the original .proto specification.
The API doesn't support API management features such as authentication, centralized logging and monitoring, error handling, or monetization.
Developers don’t have access to a self-service option that allows them to discover new APIs and onboard themselves as API consumers.

Lower entry barriers with API management

To achieve some of these capabilities and ultimately drive adoption of the API, we can leverage an API management layer in the form of an Apigee API Proxy facade. While Apigee can natively expose gRPC services in pass-through mode, here we operate on the previously converted protocol that allows us to apply a range of useful policies and configurations for:

Method, path and payload translations that allow us to provide a proper RESTful facade and abstracts the underlying message format of gRPC
Collection of metrics and rich analytics data to measure the operational performance and success of the API program
Consistent API security, error handling and traffic management controls to protect other systems and impose quotas on clients

To build on top of our gRPC gateway, we first need the API proxy to securely access our gRPC gateway, which could be deployed to Cloud Run where authentication can be enforced with Cloud IAM. With this security mechanism, our API proxy must be configured to use Google Cloud authentication itself, or forward on the credentials received from the API client.

Apigee's flexible and comprehensive approach to managing routes with an API proxy allows us to expose a RESTful path to API consumers and rewrite the path at runtime to what our gRPC gateway expects.

code_block: <ListValue: [StructValue([('code', 'curl -X POST "https://$APIGEE_HOSTNAME/currency/v1/convert" -d \'{"from": {"units": 3, "currency_code": "USD", "nanos": 0}, "to_code": "CHF"}\''), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7804e9070>)])]>

Proxying our currency service through an Apigee API proxy results in the automatic collection of API metrics and analytics data, providing us with rich insights into the health and success of our APIs. We can also build on our API proxy by attaching additional traffic management, security, mediation and even code extension policies.

To introduce and promote this API to a new audience, we can leverage Apigee's developer portal to publish an API product for developers to discover, explore and experiment with the API, opening up new opportunities. To build on this further, we can optionally monetize an API product to unlock additional revenue streams with a variety of different strategies, such as usage-based pricing or subscription plans.

Conclusion and next steps

In conclusion, we have demonstrated how gRPC services can be easily exposed to new audiences as HTTP APIs, while also leveraging the benefits of a comprehensive API management platform like Apigee. By combining the performance of gRPC with the familiarity and tooling of REST APIs, we can unlock new possibilities for our services and data, reaching a wider range of developers and applications. By embracing this hybrid approach, we can bridge the gap between gRPC and REST when building out an API ecosystem, so you can leverage the best of both worlds.

If you're interested, you can now put this to the test by carrying out the steps in the Apigee DevRel example.

Google Cloud (Apigee) named a Leader in the 2023 Gartner® Magic Quadrant™ for API Management

Mon, 16 Oct 2023 21:00:00 +0000

Google Cloud (Apigee) has been recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for API Management, the eighth time in a row we’ve been recognized. We believe we are consistently recognized for our ability to support a diverse range of use cases and the comprehensive capabilities we offer in API Management for organizations of all sizes. Google Cloud (Apigee) has been recognized again for its Ability to Execute and Completeness of Vision in this year’s report.

In the last couple of years, we have seen a surge in the adoption and a sprawl of APIs across organizations. The infusion of generative AI and ML capabilities across existing application architectures is elevating the need for APIs to ensure secure data access for these models. In parallel, developers are shouldering an increasing burden, tasked with not only enhancing security measures but also quickly adapting to changing security and compliance requirements.

Apigee API Management is helping customers around the globe like Lean Business Services, City of Zurich, and Conrad Electronics build APIs for use cases ranging from modernization to monetization, whether on premises, hybrid, or cloud based environments — and all at incredible scale. As organizations increasingly rely on APIs to fuel digital interactions and embrace emerging technologies like AI/ML, the complexities in API Management also evolve rapidly. Addressing these dynamic challenges is a responsibility we hold in high regard, and we are deeply honored by the acknowledgment and trust we receive from our customers, users, and community.

Selecting an API Management vendor is more than a mere technological choice — it’s a decision with profound business implications. We believe the Gartner Magic Quadrant for API Management is an instrumental tool because of its incisive insights into the efficacy of providers — both in terms of how well they address current market problems and execute on their product vision.

We believe Gartner has recognized us for the investments we make day in and day out, but we’re just getting started when it comes to Apigee product innovation. This year, we continued to invest in a few key areas:

Commercial flexibility – In response to the positive reception of the Pay-as-you-go pricing introduced in August 2022, we’ve since seen an increased desire for even more flexibility, and introduced further simplifications to align our pricing attributes across all models and provide increased granularity in Pay-as-you-go pricing. These changes are designed to help you on-board into Apigee at a lower cost and meticulously align your expenses with actual usage.

Versatility – Apigee addresses a diverse range of API use cases operating at any scale, and with backend services hosted in any public cloud or on-premises. Developers even have the flexibility to deploy their API proxies to any environment using Apigee Hybrid. This year, we also introduced the ability to deploy a lightweight API proxy (Standard API Proxy) to orchestrate traffic at 1/5th the cost of traditional API proxies deployed in Apigee. With this capability, API proxies built in Apigee become more multifaceted, be it just orchestrating application traffic or even turning into products that monetize transactions.

Gen AI innovation – To reduce toil for developers, we introduced Duet AI in Apigee API Management in private preview at Google Cloud Next ‘23. Duet AI in Apigee API Management allows developers to build API specifications with natural language prompts, and even use these specifications to create extensions that provide secure, real-world data access for tools like ChatGPT and Vertex AI. We also incorporated large language models trained on a corpus of Google traffic to automatically detect security anomalies.

API security - APIs have become a common target for attackers, as they provide direct access to application functionality and data. Last year, we launched Advanced API Security to detect API misconfigurations and bot attacks. This year, we added machine learning models to detect business logic attacks. We also recently added the ability to be notified of anomalies and take proactive action, such as flagging, redirecting, or blocking traffic. These capabilities are accessible via the Google Cloud console or specialized APIs, simplifying security management and integration into your existing systems.

Developer experience - We are dedicated to simplifying the developer experience, especially as the demand for API development and security intensifies. With ever-growing API portfolios, developers can automatically catalog API specifications that they designed anywhere into API Hub, a universal catalog. Finally, we made Application Integration generally available, helping practitioners bolster interoperability between Google Cloud and third-party applications. We aim to reduce the burden on developers ensuring they are not being overwhelmed by "shifting down" workloads to platforms.

We believe that the Gartner Magic Quadrant is a good source for vendor evaluations, and we’re delighted that our ongoing investment in supporting our customers is being recognized within the industry. Most importantly, we’re thankful to our customers for the support and for sharing our belief that for Apigee, the best is yet to come.

Download the full report here (requires an email address) or learn more.

_{Gartner, Magic Quadrant for API Management, Shameen Pillai, Kimihiko Iijima, Mark O’Neill, John Santoro, Paul Dumas, Andrew Humphreys, Nicholas Carter, 11 October 2023. This Magic Quadrant report was previously published as Magic Quadrant for Application Services Governance (2015) and previously published as Magic Quadrant for Full Life Cycle API Management (2016; 2018-2022)}

_{Previously recognized as Google (Apigee) in 2018-2022 and as Apigee in 2015-2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Apigee. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed, or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.}

_{GARTNER is a registered trademark and service mark of Gartner Inc. and/or its affiliates in the U.S. and internationally and MAGIC QUADRANT is a registered trademark of Gartner, INc. and/or its affiliates and are used herein with permission. All rights reserved.}

Adding pricing and accessibility granularity for Apigee API Management

Mon, 02 Oct 2023 15:00:00 +0000

Today’s application and integration landscape has ushered in an unprecedented proliferation of APIs. Already, more than 90% of developers use APIs with everything from small-scale apps to mission-critical operations. As a result, organizations often find themselves juggling multiple API gateways, leading to operational, security, and maintenance overhead. So it’s no surprise that a one-size-fits-all approach API management doesn’t meet most organizations’ needs.

To better address customer needs, we introduced Pay-as-you-go pricing for Apigee in August 2022, allowing customers to flexibly manage their API management costs. While adoption has been strong, customers also tell us they would like to onboard at a lower cost and have more flexibility to rightsize their ongoing expenses with their usage.

Today, we're excited to announce updates to our pricing models, which will ensure:

Consistent pricing attributes across Apigee Pay-as-you-go and Subscription models
Increased granularity in Pay-as-you-go pricing

With these enhancements, you can now accurately tailor your expenses according to your Pay-as-you-go usage and easily shift to Subscription pricing as your needs scale.

Consistent pricing attributes across Pay-as-you-go and Subscription

Going forward, we'll use the same pricing attributes for both Pay-as-you-go and Subscription pricing models. With both, you’ll be charged based on your precise use of:

API calls, on the volume of API calls processed by the runtime
Environments, on the usage of deployment environments per hour per region
Proxy deployments, on the number of API proxies deployed to an environment, charged per hour per region
Add-on capabilities: Choose and pay for additional capacity or capabilities per your requirements
Ancillary Google Cloud services: Transparent charges for the use of Google Cloud's network infrastructure or support

In the Pay-as-you-go pricing model, you incur charges based on your consumption of the above pricing attributes. For Subscription pricing, you receive varying levels of capacity for a given pricing attribute determined by which pricing tier (Standard, Enterprise, or Enterprise Plus) you use.

Pay-as-you-go pricing granularity

We are also refining our Pay-as-you-go pricing to offer greater granularity. This means you can start small and rightsize your ongoing expenses to align with your actual usage. Instead of a blanket charge for a full suite of API management capabilities, you'll only pay for the subset of functionality that you actually use. Specifically, we are enabling this across two key pricing attributes:

API calls

The cost is determined by the type of API proxy that is processing an API call. We are introducing two distinct API proxies:

Standard API proxy: A lightweight proxy that operates at 1/5th the cost of Extensible API Proxy and accesses a subset of Apigee’s policies. The Standard API proxy is a fit for:

Proxying traffic to a backend service, with minimal transformation
Operating traffic that is low in complexity, at a fraction of the cost of Extensible API proxy (see below)

Extensible API proxy: A fully programmable proxy with unrestricted access to Apigee’s policies and capabilities. The Extensible API proxy is designed for:

Building API products that manage traffic from multiple consumers across multiple backend services
Simplifying intricate configurations and enforcing standards using shared flows
Operating traffic that requires complex transformations and precision control

Calls made through the Standard API Proxy are priced at 1/5th of those made via the Extensible API Proxy.

Environments

An Apigee environment is a software environment within an organization that lets developers create and deploy an API proxy. The environment cost is determined by the type of environment an API proxy is deployed to. Today, we are introducing three distinct environments that have access to varying degrees of Apigee capabilities.

Base: Allows you to onboard into the Apigee platform at a low cost to manage low-complexity APIs. The Base environment provides:

The ability to deploy Standard API Proxies
API Monitoring
API Hub and Apigee’s development tools
Access to other Google Cloud services

The Base environment is ideal for API use cases that require basic traffic orchestration such as prototyping, internal development, or small-scale applications

2. Intermediate: Enables you to manage a portfolio of APIs with access to various add-on functionality. The Intermediate environment provides:

All capabilities included in the Base environment type
The ability to deploy Extensible API Proxies
Support for building shared flows, API products, or developer portals
The ability purchase Analytics as an add-on capability

The Intermediate environment is a good fit for API use cases that require building and publishing API products to developers, managing a portfolio of APIs whose adoption is growing, and handling complex transformations and mediations in API traffic.

3. Comprehensive: Supports mission-critical apps and unexpected traffic spikes with high reliability and unparalleled performance. The Comprehensive environment provides:

All capabilities included in the Intermediate environment type
The ability to deploy to multiple regions
The ability to purchase additional proxy deployments per environment
Support for autoscaled QPS, Confidential and high performance computing (HPC)

The Comprehensive environment is designed for API use cases that require supporting mission-critical applications that need high reliability and performance, as well as precise control of API operations.

You can now tailor your pricing by using multiple or mixing and matching different environment types within a single Google Cloud project. You can even change between different environment types based on your needs. Here is an overall view of Apigee’s new Pay-as-you-go pricing model:

Get started with Apigee API Management

With these changes, Apigee stands out as the only solution in the market that lets you start at a lower cost and provides a clear path to full lifecycle API management. For detailed information on the new pricing models, please visit our pricing page or technical documentation. If you are not using Apigee yet, get started here.

How Apigee can help government agencies adopt Zero Trust

Thu, 25 May 2023 16:00:00 +0000

Securely sharing data is critical to building an effective government application ecosystem. Rather than building new applications, APIs can enable government leaders to gather data-driven insights within their existing technical environments. With the help of APIs, agencies can bring application-based information together to support their objectives.

U.S. government agencies are now encouraged to adopt a Zero Trust security architecture to detect and defend against cyber attacks. API protection is a core principle to implement Zero Trust architecture. As Gartner® said in its Innovation Insight for API Protection report, “By 2026, 40% of organizations will select their web application and API protection provider based on advanced API protections, and web application security features — up from less than 15% this year”.

Our post walks you through how Google Cloud’s Apigee can help build API protections with Zero Trust principles.

How Apigee helps government adopt a Zero Trust architecture

Apigee is a full lifecycle API management platform that helps government security leaders adopt a platform approach to managing APIs securely. Agencies can start their Zero Trust architecture journey with Google Cloud's Web and API Protection (WAAP) as shown in Figure 1. WAAP uses Cloud Armor, reCAPTCHA Enterprise and Apigee to protect government websites, mitigate bots and fraud risk for immediate results and help mature security practices. Apigee, with its out-of-the-box policies for security, traffic management, visibility, automation and governance integrates the key pillars required for Zero Trust compliant Architecture.

Figure 1 : High-level architecture of Google Cloud Web and API Protection

Features of Apigee Zero Trust solution

A high-level reference architecture of Apigee’s capabilities as policy administration and enforcement point while seamlessly integrating with web application firewalls, consumer behavior/intent-based trust algorithms, IAM, analytics, logging, and monitoring systems is shown in Figure 2. This architecture provides the foundation for improving system observability to mature the Zero Trust architecture incrementally based on access data telemetry.

Figure 2 : NIST 800-207 use cases, Enterprise with contract workforce and multiple cloud providers, secured with Apigee as policy administration and enforcement point to enforce Zero Trust architecture

Multi-cloud API gateway: Apigee is a cloud-hosted Policy Configuration and Enforcement point mitigating the enforcement engine resiliency risks and can manage consistent control of APIs in any public or private cloud environment. Apigee provides advanced cloud first authentication and authorization of resources with out of the box policies to enforce OIDC, Oauth 2.0, SAML, and JWT’s enforcing SSO, MFA, Context Aware Access Policies and Passwordless access features.

Automated threat protection: Apigee’s Advanced API Security can identify misconfigured APIs, detect bots, provide a security score, protection recommendation and automate the security healing for an API environment. Advanced API Security uses specific API traffic patterns which represent any unusual traffic, such as a large number of calls from a single IP address, defending from DDoS and OWASP Top 10 threats.

Seamless integration: Apigee provides advanced threat protection through its ability to integrate with trust algorithms like reCAPTCHA to detect malicious consumer behavior but also with a WAF like Cloud Armor to protect against OWASP Top 10 attacks.

Identity and Access Management (IAM): Apigee integrates with existing identity providers, such as Google Cloud Identity, Okta, or Active Directory to simplify identity management and can enforce advanced security policies in alliance with ICAM systems like Multi Factor Authentication, Privileged Access, Identity Federation, Behavioural Pattern Detection, Biometric Signal Processing and building a continuous and contextual authentication and authorization environment for APIs implementing time bound access using Oauth 2.0, JWT or SAML tokens.
Analytics and monitoring: Apigee Analytics provides a unified view of API performance and security, enabling organizations to monitor and optimize their APIs in real-time. This includes deep insights into API usage, performance, and security. Apigee can also seamlessly integrate with various SIEM systems like Google’s Chronicle.
Governance, compliance, and auditing: Apigee's API hub enables you to consolidate and organize information on all APIs in your organization. It includes APIs at all stages of their lifecycle, from design and implementation through deprecation and retirement to proliferate consistent design standards and governance checks.

Take the next step

Apigee provides a platform-based approach to implementing mission lifecycle management through Secure API Management. Our approach includes offering capabilities to address time-bound access provisioning and termination, unlocking data while protecting sovereignty, and providing automation and deeper visibility into the governance of enterprise resources, all of which can help promote Zero Trust architecture maturity.

Get started with Apigee on Google Cloud by exploring the best practices for securing your APIs and Applications. Take your next step to start a free trial, explore pricing, or contact Apigee Sales to help evaluate your API Management use cases.

Unifying government platforms with API management

Fri, 07 Apr 2023 12:11:00 +0000

Government organizations around the world such as Hawaii's Department of Human Services and Italy's Veneto Region use APIs to modernize their legacy systems, create interoperability between departments and municipalities, and strengthen their own security posture. Apigee is a leading API management platform that can help government agencies do just that: build, manage, and secure APIs.

Many government agencies still deal with data silos and isolated platforms, resulting in inefficient and fragmented digital experiences. With Apigee, agencies can easily share access to applications and data in a secure and pragmatic fashion. In addition, Apigee allows developers to create modern web and mobile experiences that citizens and government employees can utilize.

Using APIs to securely connect government systems

It’s no accident that data in governmental systems is protected by a plethora of security measures such as firewall rules and authentication protocols. Data security is the highest priority for government agencies, and this is a good thing. However, this security shouldn’t come at the cost of inaccessibility. Data in government should be confidently secure as well as easy to access, understand, and share.

To access data safely, your organization can leverage Apigee API Management to provide consistent and secure APIs. The API layer sits in front of your backend systems, removing the complexity of connecting to it directly. By using Google Cloud networking services such as Cloud Interconnect or Cloud VPN, you can create a connection between Apigee and your backend systems that is private and secure. Since the authentication and networking orchestration happens in the API layer you can easily share data internally, as well as establish external connections with partners or nearby municipalities.

Apigee architecture

A unified government platform

Because Apigee can enable interoperability between data systems, government agencies have more freedom to improve and modernize their services and technology. Consider the fragmented experiences that people often encounter while navigating digital government services. Government leaders can improve constituent experiences by using APIs to share data and build connected applications.

A unified government platform can improve the user experience and help reduce strain on call center and help desk support services. Instead of a sprawl of department applications spread out across many websites, we want to help you create a platform that unifies department capabilities into a single intuitive application.

In addition to improving external user experience, API Management can also improve the experience and productivity of government employees. Inefficient processes created by data inaccessibility can be common in government and are typically solved with manual, time-consuming efforts. With API-enabled interoperability between systems, the problem of data inaccessibility is solved. Developers can use these APIs to create solutions that unify segmented systems, digitize manual processes, and expand operational capabilities.

Administering access to an API ecosystem

Even with connectivity enabled between data silos, there remains the responsibility of administering access to the APIs. Without a centralized API management system this can be a challenging task, but Apigee makes it easy to publish secure APIs through the use of API products and apps. API products bundle up API proxies into useful services, while apps provide the access keys needed to utilize API products. These resources are used to segment your APIs and restrict usage based on desired level of access.

Once API products are created, you can utilize an Apigee developer portal to confidently expose APIs using an OpenAPI specification & administer them for consumption. These portals are simultaneously flexible in capabilities offered and incredibly easy to deploy. They also play a large role in increasing your speed of development by making it easy for developers to explore, understand, and test APIs directly within the portal.

Getting started

With Apigee, state and local agencies can modernize their digital presence and create an ecosystem around their data and services. You can try out Apigee API management today with Pay-as-you-go pricing offering or with a 60-day free trial. These videos will help you get started. To learn more about Apigee and its offerings, contact us to speak with a sales specialist.

Responding to changes in cloud resources with Eventarc and Cloud Run

Tue, 10 Jan 2023 17:00:00 +0000

Responding to changes in cloud resources with Eventarc and Cloud Run

In this post we explore how to use Eventarc to asynchronously react to cloud events that signal changes in cloud infrastructure. We also walk through an implementation of a basic Cloud Run service that can react to such an event and perform downstream operations. In this example we use audit logging events for Apigee to trigger events in Eventarc. Because the trigger mechanism is based on the generic GCP audit log, this example can easily be applied to any other GCP service that supports audit logging.

What is Eventarc?

When thinking about cloud computing one of the first things that comes to mind is the dynamic nature of the infrastructure and that even complex architectures can be provisioned with ease at the click of a button or arguably better by merging a PR in a GitOps pipeline.

By democratizing the process of creating infrastructure and reducing the provisioning time from days to minutes, we created new requirements for processes and governance. Higher degrees of automation and resilience are mandatory such that you can react appropriately to changes in infrastructure. This is where Eventarc comes into the picture. Eventarc lets you asynchronously deliver events from a range of different event sources and respond to them in a number of serverless event handlers.

Eventarc is able to react to a range of types of events including:

Directly exposed events such as changes in Cloud Storage, Firebase Alerts or Firebase Remote Config
Audit Log entries for a large number of GCP services
Generic Pub/Sub Messages
Partner Sources

Please refer to the full list of supported events here.

These events can be handled by Cloud Run, a Kubernetes Service or a Workflow. As there are many different combinations of event source and event handlers, this demonstration will focus on Audit log events and how to handle them in Cloud Run. The available documentation and open source examples should allow for a straightforward transfer of these concepts to other combinations of the available options.

Defining an Eventarc handler

The basic architecture for this example looks as follows:

Refer to this link for an editable version of the diagram above.

We use Apigee issued audit logs as the source for the events that we want to handle with Eventarc. The events are then added to the Evenarc-managed Pub/Sub toic and handled by a Cloud Run Node.js service.

Cloud Run Event Handler

First we create a sample application of a simple Cloud Run service to react to the audit log events. For this we create a folder called eventarc-handler and a package.json and index.js file in it. We also create a gcloudignore file such that the node modules aren’t sent to cloud build when we later build this as a container for Cloud Run.

code_block: <ListValue: [StructValue([('code', 'mkdir eventarc-handler && cd eventarc-handler\r\n\r\ncat >package.json <<EOF\r\n{\r\n "name": "eventarc-handler",\r\n "description": "Eventarc Demo",\r\n "version": "1.0.0",\r\n "private": true,\r\n "main": "index.js",\r\n "scripts": {\r\n "start": "node index.js"\r\n },\r\n "engines": {\r\n "node": ">=12.0.0"\r\n },\r\n "author": "danistrebel",\r\n "license": "Apache-2.0",\r\n "dependencies": {\r\n "express": "^4.17.1",\r\n "@google/events": "^3.1.0",\r\n "cloudevents": "^4.0.1"\r\n }\r\n}\r\nEOF\r\n\r\ncat >index.js <<EOF\r\nconst { HTTP } = require(\'cloudevents\');\r\nconst express = require(\'express\');\r\nconst {toLogEntryData} = require(\'@google/events/cloud/audit/v1/LogEntryData\');\r\n\r\nconst app = express();\r\napp.use(express.json());\r\n\r\napp.post(\'/\', async (req, res) => {\r\n try {\r\n const cloudEvent = HTTP.toEvent({ headers: req.headers, body: req.body });\r\n const logEntryData = toLogEntryData(cloudEvent.data);\r\n console.info(\'Received EventarcEvent:\', logEntryData.protoPayload.methodName);\r\n console.info(logEntryData);\r\n\r\n res.status(200).send(\'OK\');\r\n } catch (error) {\r\n console.error(\'Error in handing Eventarc Event\');\r\n console.error(error);\r\n res.status(500).send(\'Internal Error\');\r\n }\r\n});\r\n\r\nconst port = parseInt(process.env.PORT) || 8080;\r\napp.listen(port, () => {\r\n console.log("eventarc-handler: listening on port", port);\r\n});\r\nEOF\r\n\r\ncat >.gcloudignore <<EOF\r\nnode_modules\r\nEOF'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1520>)])]>

To enable the required Google APIs and deploy the event handler above as a Cloud Run service we run run the following code within the eventarc-handler folder

code_block: <ListValue: [StructValue([('code', 'export PROJECT_ID=my-project\r\nexport REGION=europe-west1\r\n\r\ngcloud services enable run.googleapis.com \\\r\nartifactregistry.googleapis.com \\\r\ncloudbuild.googleapis.com --project $PROJECT_ID\r\n\r\ngcloud run deploy eventarc-handler --region $REGION --project $PROJECT_ID --source . --no-allow-unauthenticated'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b13a0>)])]>

Once the service is deployed we can test it with a sample cloud event. For this we have to obtain the Cloud Run service URI and store it in a SERVICE_URI (format: https://eventarc-handler-some-hash.a.run.app) and send an example event payload. This example event has the request and response details removed for readability. An actual cloud event would contain additional information.

code_block: <ListValue: [StructValue([('code', 'SERVICE_URI=$(gcloud run services describe eventarc-handler --region $REGION --format="value(status.url)") --project $PROJECT_ID\r\n\r\necho $SERVICE_URI\r\n\r\ncurl -X POST "$SERVICE_URI" \\\r\n-H "Authorization: Bearer $(gcloud auth print-identity-token)" \\\r\n-H \'Content-Type: application/json\' \\\r\n-H "ce-id: 1" \\\r\n-H "ce-source: //pubsub.googleapis.com/projects/my-apigee-org/topics/my-topic" \\\r\n-H "ce-specversion: 1.0" \\\r\n-H "ce-type: google.cloud.audit.log.v1.written" \\\r\n-H "ce-dataschema: type.googleapis.com/google.logging.v2.LogEntry" \\\r\n-H "ce-subject: apigee.googleapis.com/organizations/my-org/developers/somedeveloper@example.com" \\\r\n-H "ce-methodname: google.cloud.apigee.v1.SampleResource.SampleMethod" \\\r\n-d \'{\r\n "resource": {\r\n "labels": {\r\n "service": "apigee.googleapis.com",\r\n "project_id": "my-apigee-org",\r\n "method": "google.cloud.apigee.v1.SampleResource.SampleMethod"\r\n },\r\n "type": "audited_resource"\r\n },\r\n "insertId": "1de11nde7ys3b",\r\n "timestamp": "2022-08-04T14:56:05.729242115Z",\r\n "protoPayload": {\r\n "authenticationInfo": {\r\n "principalEmail": "someone@example.com"\r\n },\r\n "authorizationInfo": [],\r\n "response": {},\r\n "serviceName": "apigee.googleapis.com",\r\n "serviceData": {},\r\n "request": {},\r\n "requestMetadata": {},\r\n "resourceName": "organizations/my-apigee-org/developers/somedeveloper@example.com",\r\n "methodName": "google.cloud.apigee.v1.SampleResource.SampleMethod"\r\n },\r\n "receiveTimestamp": "2022-08-04T14:56:05.729242115Z",\r\n "logName": "projects/my-apigee-org/logs/cloudaudit.googleapis.com%2Factivity"\r\n}\''), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1a30>)])]>

We can check the log statement from the cloud event in the Cloud Run logs from either the cloud logging UI for with the following gcloud command:

code_block: <ListValue: [StructValue([('code', 'gcloud logging read "resource.type=cloud_run_revision AND resource.labels.service_name=eventarc-handler" --project $PROJECT_ID --limit 25 --format "value(textPayload)"'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1940>)])]>

Which should contain the following log entry:

code_block: <ListValue: [StructValue([('code', 'Received EventarcEvent: google.cloud.apigee.v1.SampleResource.SampleMethod'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1130>)])]>

Now that we have the event handler ready we can move on to the events that we would like to capture.

Audit Logs Event Source

Eventarc is able to react to events that are written to the Cloud Audit Log. In this example we want to react to a specific method of the Apigee Management API so we need to enable Audit Logging for the Apigee service. This can be done either in through the API as described here or in the GCP UI:

To validate that the audit logging is working as intended we can open the Apigee UI and open a proxy. We then run the following command to validate that there are audit logs created for this action:

code_block: <ListValue: [StructValue([('code', 'gcloud logging read "logName : projects/$PROJECT_ID/logs/cloudaudit.googleapis.com AND protoPayload.serviceName: apigee.googleapis.com" --project=$PROJECT_ID --limit 25 --format "value(protoPayload.methodName)"'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1580>)])]>

Eventarc to route the audit logging events to the eventhandler

Now that we have both the event source and the event handler configured, we can create the eventarc to combine the two components into an asynchronous event delivery pipeline.

For this we need to enable the eventarc API through either the GCP Console or the following gcloud command:

code_block: <ListValue: [StructValue([('code', 'gcloud services enable eventarc.googleapis.com --project $PROJECT_ID'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1c10>)])]>

Once the service is enabled, we can create a new eventarc trigger. In the cloud console we create a new trigger with the following information (and follow the suggested role assignments for the service accounts for pub/sub and the compute):

Trigger name: apigee-developer-app
Event Provider: Apigee
Event: google.cloud.apigee.v1.DeveloperApps.CreateDeveloperApp
Resource: Any resource
Region: global (because the Apigee control plane is a global service)
Service Account: Compute Engine default service account
Event Destination: Cloud Run
Cloud Run Service: eventarc-handler
Service URL Path: /

Or if you prefer the gcloud version:

code_block: <ListValue: [StructValue([('code', 'PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")\r\n\r\ngcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:service-$PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com --role=roles/iam.serviceAccountTokenCreator\r\n\r\ngcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com --role=roles/eventarc.eventReceiver\r\n\r\ngcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com --role=roles/run.invoker\r\n\r\ngcloud eventarc triggers create apigee-developer-app \\\r\n--location=global \\\r\n--service-account=$PROJECT_NUMBER-compute@developer.gserviceaccount.com \\\r\n--destination-run-service=eventarc-handler \\\r\n--destination-run-region=$REGION \\\r\n--destination-run-path="/" \\\r\n--event-filters="type=google.cloud.audit.log.v1.written" \\\r\n--event-filters="serviceName=apigee.googleapis.com" \\\r\n--event-filters="methodName=google.cloud.apigee.v1.DeveloperApps.CreateDeveloperApp" \\\r\n--project $PROJECT_ID'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1b50>)])]>

We can the look at the the Pub/Sub subscription that was automatically created for the eventarc

code_block: <ListValue: [StructValue([('code', 'gcloud pubsub subscriptions list'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1c40>)])]>

And see that the push endpoint is listed as the Cloud Run application we created and specified before.

End to End Validation

From the Apigee UI for the same Apigee organization we can create the following resources:

Create an App Developer under Publish > Developers
Create an API Product under Publish > Products
Create an APP for the Product and Developer under Publish > Apps

We can check the log statement from the cloud event in the Cloud Run logs from either the cloud logging UI or with the following gcloud command:

code_block: <ListValue: [StructValue([('code', 'gcloud logging read "resource.type=cloud_run_revision AND resource.labels.service_name=eventarc-handler" --project $PROJECT_ID --limit 25 --format "value(textPayload)"'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1f40>)])]>

Which should contain the following log entry:

code_block: <ListValue: [StructValue([('code', 'Received EventarcEvent: google.cloud.apigee.v1.DeveloperApps.CreateDeveloperApp'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7852b1d00>)])]>

We can also explore the eventarc executions in the eventarc UI or the corresponding explorer UI:

Apigee-specific use case ideas for Eventarc

Based on the example above the Cloud Run service can now be extended to trigger more useful downstream actions that can be used to asynchronously react to changes in cloud architectures or other resources that are governed by Google APIs.

Within the context of Apigee the following non-exhaustive list can give some ideas on where such an eventarc trigger could be applied.

Approval Flows for Developer Apps
Apigee has the concept of optional approvals for Applications. With the Eventarc architecture described before one could implement a workflow to trigger an approval process for newly registered developer applications that require manual approval by the API product owner. The necessary steps could be kicked off via cloud logging alerts, email, chatbot or by creating an issue in an issue tracking tool. A description of this approach can be found in this community post.
Dynamically register Applications and/or Developers
The Apigee mechanism for managing applications and developers can be easily integrated with third party identity providers (IdP). This allows for instance for the creation of access tokens that can be used for both Apigee and backend services. By using eventarc events on newly created DeveloperApps the Apigee credentials can be synchronized with the external IdP such that the Apigee analytics data semantics can be preserved even if the external access token is used.
Automatically publish and update API products in a Developer Portal or the API Hub
Publishing APIs is an important aspect of an API program. In Apigee the published API artifacts in a developer portal are based on API products but loosely coupled. To keep the published APIs in the developer portal and in the products API in sync we can leverage the eventarc and automatically register, update and delete APIs in the portal. The same mechanism can also be applied for publishing APIs on the Apigee API Hub.

Conclusion

Eventarc is a powerful service to trigger workflows based on changes in infrastructure. The supported trigger events and event handlers make it an ideal tool to implement a range of automation or governance processes and complements the dynamic nature of cloud infrastructure.

To get started, check out our quickstart for a step-by-step guide on creating an Eventarc for a number of different event types and targets.

Announcing MongoDB connector for Apigee Integration

Tue, 08 Nov 2022 17:00:00 +0000

MongoDB is a developer friendly application data platform that makes it easy for developers to access a wide variety of data using a unified language interface, simplifying the data handling process. MongoDB Atlas , MongoDB's fully managed cloud database, enhances MongoDB’s capabilities even further with full-text search and real-time analytics, as well as event-driven and mobile experiences.

Google Cloud’s Apigee is an industry-leading, full lifecycle API management platform that provides businesses control over and visibility into the APIs that connect applications and data across the enterprise and across clouds.

MongoDB and Apigee have already partnered to provide a solution to ease and secure access to siloed data for internal developers or partners. Today, we are further simplifying this solution by announcing a new connector between Apigee and MongoDB.

How is it simpler?

It can be complex to connect data and applications. Developers need to create and maintain custom transactional code between cloud apps to create the connection between the data source and application:

This code is often the first one to break
It is not cost effective as it is not reusable.

Last year, Google Cloud announced Apigee Integration, a solution that helps enterprises easily connect their existing data and applications and surface them as accessible APIs that can power new experiences, expand digital ecosystems and protect access to critical assets.

Apigee provides a secure facade between the frontend application and data source to speed up the development process using standard interfaces and a simplified developer experience.

Apigee Integration now includes an out-of-the-box MongoDB connector. With this connector, developers can perform CRUD operations on a MongoDB database.

The need for setting up the programming modules and exposing them using the RESTful interface is eliminated. The connection to MongoDB Atlas can be set up directly using the Apigee UI with support for advanced MongoDB connection settings.

As the connector is part of Apigee Integration it also provides the ability to transform the data using the transformation engine from Google Cloud.You can easily design your transformation logic using a drag-and-drop interface, manage variables in different formats (Json, String, Arrays..) and conditional flows.

A concrete example

A Healthcare company needs to share datasets with external partners. They chose MongoDB Atlas as it is fully managed and for its dynamic schema that is ideal for building modern applications. Their partners can only consume the data through an API. For security reasons, they will not be able to access the database directly.

Fig.1 shows how simple it is to implement a “plug and play” approach for this scenario, with built in security at the edge of Google Cloud to prevent attacks using Cloud Armor and Apigee as well as providing fine grained governance for the partners.

Figure 1: High level architecture that illustrates how to expose MongoDB Atlas through a Apigee platform without code

Fig.2 shows how easily the MongoDB connector can be deployed in the Integration designer, without maintaining any infrastructure. The business logic, like sensitive data approval, can be added to the connector, before the data is returned to the partner.

In this example :

The flow is triggered by an API call exposed by Apigee
The MongoDB connector retrieves the data
If the DataClass retrieved is A, an approval will be requested on the UI.
If the DataClass retrieved is B, only the necessary fields will be sent back to the consumer using the filtering capabilities.

Figure 2: Designer example to call MongoDB connector from Apigee Integration and implement an approval workflow and data mapping

Developers Save Time in a Secure Environment

With this new integration between Apigee and MongoDB Atlas, developers now have a simpler experience for accessing relevant data.Instead of wasting time building transactional code, they can focus on implementing business scenarios in a secure and scalable environment.

Next Steps

Introduction to Apigee X.
Learn more about MongoDB Atlas.
Learn about Apigee connectors.
Learn how to set up an Apigee MongoDB connector.
Extend your data to new uses with MongoDB and Apigee - blog.

^{We thank the many Google Cloud and MongoDB team members who contributed to this collaboration.}

How to manage your GraphQL APIs with Apigee

Thu, 02 Dec 2021 17:00:00 +0000

Over the past two decades REST APIs have emerged as a lightweight and flexible standard for enterprise data and backends get exposed to external, partner, and internal applications. Google Cloud’s Apigee is a leader in API Management, allowing users to manage REST APIs — define rate limits, enforce authentication and authorization, block clients that attempt to misuse an API, and ensure APIs work seamlessly as they are updated.

GraphQL is fast emerging as a paradigm for building developer-friendly and flexible APIs. It supports application developers requesting exactly the data they want from the backend data sources. Now with both REST and GraphQL as powerful API options, API providers face the challenge of building and managing this next generation of APIs. With this launch, Apigee makes it easy to use REST and GraphQL together. So developers don’t have to choose – adding GraphQL to your stack and leveraging existing investments in REST are both possible.

Apigee has added a new GraphQL policy to its rich suite of policies that let you control traffic, enhance performance, and enforce security without requiring you to write any code or modify any backend services. By adding the GraphQL policy into a proxy created in Apigee, a developer can validate that a GraphQL query and response conforms to a specific schema, and then can chain this policy in their standard Apigee proxy pre-flow to perform other validations and management functions against that backend API.

Apigee partners with StepZen to deliver these GraphQL capabilities. StepZen is an enterprise GraphQL provider, built on a foundation of low-code building blocks and connectors that speed up API development. In this blog, using a project you can clone from GitHub, which includes a GraphQL API built on StepZen, we’ll demonstrate how the policy works.

The high-level architecture looks like this:

What does our scenario do?

Our scenario is eCommerce personalization. A single GraphQL endpoint joins multiple APIs and is proxied through Apigee. Imagine an eCommerce experience that returns the city of the user and the cost, in the user’s local currency, of 3 US Dollars (USD) worth of goods. In just a few steps, you can query a single GraphQL endpoint, which joins multiple APIs. The GraphQL endpoint is protected by Apigee GraphQL policies.

How does Apigee Help

Apigee checks that the query conforms to the schema, ensures that the API key is valid, and collects analytics on the GraphQL call. Using Apigee’s API Product and GraphQL support, you can add a quota or even restrict access to certain GraphQL operations.

This simple setup validates against a single GraphQL schema. Furthermore, by leveraging Apigee’s support for flows, it is possible to have different versions of the schema available to different users. We can block requests for schemas outright while still allowing queries. Finally, we can publish access to the GraphQL endpoint in a developer portal enabling developers who consume APIs in a self-service fashion to subscribe and fetch their own unique credentials to access the new endpoint.

How does StepZen Help

StepZen executes the GraphQL call against the backends. Specifically, StepZen

Calls api.ip-api.com to get the city, country, and currency of the user based on IP address.
Uses the currency information from the first call to fetch the cost of a specified amount and currency worth of goods from the currency exchange API - api.frankfurter.com - using the current exchange rate.

Here’s an example GraphQL request and response that illustrates the scenario:

GraphQL Query:

code_block: <ListValue: [StructValue([('code', '{\r\n location(ip: "8.8.8.8") {\r\n city\r\n continent\r\n country\r\n countryCode\r\n priceInCountry(amount:100 from:"EUR")\r\n }\r\n}'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff769799460>)])]>

GraphQL Response:

code_block: <ListValue: [StructValue([('code', '{\r\n "data": {\r\n "location": {\r\n "city": "Ashburn",\r\n "continent": "North America",\r\n "country": "United States",\r\n "countryCode": "US",\r\n "priceInCountry": 114.44000000000001\r\n }\r\n }\r\n}'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff769799e80>)])]>

The query above retrieves both location information and currency information in a single request. Two REST APIs are called to generate the appropriate response. The StepZen schema adds a “priceInCountry” field to the location response, using a currency conversion API. Developers don’t need to worry about combining those APIs themselves, and they can choose which fields they want to retrieve and therefore shape the response to suit their needs.

Because both StepZen and Apigee have management APIs, you can automate the process of creating Apigee proxies for StepZen endpoints. And we’ve created an open source utility that does this for you! The utility provisions an account with StepZen if you do not have one. It deploys StepZen schemas and automatically builds Apigee proxies for them. The proxies are configured to require an API key to call them, and they automatically verify the GraphQL request against the StepZen schema.

Let’s get your environment up and running

Make sure that your account has sufficient privileges in Apigee to create and deploy: proxies, API Products, developers, apps, and property sets.
git clone git@github.com:apigee/stepzen.git
Change into the directory where you just cloned the repository, and run the following command:
./apizenSetup -o <your_org> -e <your_env> -t $(gcloud auth print-access-token) -i $(gcloud auth print-identity-token) -z
Though the script can take a number of optional parameters (explained in the README in the repo) by default you simply need to specify only:

-o <your organization/project name for your apigee setup>
-e <your environment name>
-t <a gcloud token with access to deploy and create needed apigee artifacts>
-i <a gcloud generated identity token>

StepZen uses this to generate a single, but unique StepZen account.

-z

This is optional but if supplied the script will output your StepZen credentials. Useful if you’d like to use StepZen tooling later.

The script runs through a number of steps and outputs progress along the way:

Calls a StepZen endpoint to fetch details of your StepZen account
Creates or updates an Apigee PropertySet to store your StepZen credentials
Deploys an Apigee API Proxy that’s preconfigured with your StepZen account as a southbound target (relies on the property set configured above)
Create or Update Developer, API Product, and App with credentials to secure the endpoint

When the script has completed it displays an example curl command (see below) and shows the API Key created during the setup.

If you’ve provided the options `-z` options, as suggested above, the script outputs your StepZen account, admin key, and API key. (Note those down somewhere, and keep them safe from leaking.) You may save these details as YAML (they’re outputted as YAML in fact) to be used later with the StepZen tooling.

Testing the Endpoint

After the script completes you are shown an example curl command that looks something like this:

code_block: <ListValue: [StructValue([('code', "curl -X POST 'https://<apigee_environment_host>/graphql/stepzample?apikey=<APIKEY>' \\\r\n-H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/json' -H 'Accept: application/json' \\\r\n --compressed -d @gql-query.json"), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff7697996d0>)])]>

This curl command is referencing a file named `gql-query.json` that contains the same GraphQL query listed above in the example. Running this curl command yields precisely the same output listed above as well. Feel free to update the query in that file or copy it and create your own query files.

Add Google Maps to the API

For extra credit, let’s add Google Maps to this API. Now our eCommerce app can show the user the closest physical store where they can pick up an order that was made online (and decide whether it is easier for them to get delivery or pickup).

1. You’ll need an API key to call the Google Maps API from StepZen. Get one by following the instructions here: Getting started with Google Maps Platform

2. We have a sample schema prepared for you in the repository. StepZen Maps Sample - In this folder rename the file config.yaml.sample to config.yaml

3. Edit the config.yaml file to replace <apikey> with your key.

code_block: <ListValue: [StructValue([('code', 'configurationset:\r\n - configuration:\r\n name: google-maps\r\n key: <apikey>'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff769799790>)])]>

4. Run the script with the new StepZen schema. The script should find and reuse the StepZen account which was created the previous time.

code_block: <ListValue: [StructValue([('code', './apizenSetup -o <your_org> -e <your_env> -t $(gcloud auth print-access-token) -i $(gcloud auth print-identity-token) -S stepzen-maps-example -m maps'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff769799610>)])]>

5. Now let’s test this new setup with your curl command like you did before.

This time we will point to a GraphQL query stored in the `stepzen-maps-example` directory. So your new curl command looks something like this (Update the apikey and hostname for your own endpoint of course):

code_block: <ListValue: [StructValue([('code', "curl -X POST 'https://<apigee_environment_host>/graphql/stepzample?apikey=<APIKEY>' \\\r\n-H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/json' -H 'Accept: application/json' \\\r\n --compressed -d @stepzen-maps-example-gql-query.json"), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff769799a00>)])]>

The query we’re executing in this case looks like the following:

code_block: <ListValue: [StructValue([('code', 'query MyQuery {\r\n\t\tlocation(ip: "8.8.8.8") {\r\n\t\t\tfindNearby(keyword: "Target") {\r\n\t\t\t\tname\r\n\t\t\t\tvicinity\r\n\t\t\t}\r\n\t\t\tcity\r\n\t\t\tcountryCode\r\n\t\t\tregionName\r\n\t\t}\r\n}'), ('language', ''), ('caption', <wagtail.rich_text.RichText object at 0x7ff769799c10>)])]>

What did this do?

The query looks for the nearest Target location relative to the Lat/Long for whatever IP is returned by the initial location query for Google DNS.

This is then passed down to the embedded `findNearby` as lat,lon resolved from that initial lookup. StepZen then uses the Google Maps API and key that we provided to StepZen when we configured our schema.

Combining this with the ability to query for api-ip-api.com we can enhance our experience and get the closest physical store that is a Target store in a single GraphQL query. (For a minute assume that is where the pickup experience is, but feel free to try other stores.)

Next Steps

See the following resources for more information about Apigee policies and building and running a StepZen GraphQL endpoint.

Apigee announcement for GraphQL Support - How to manage GraphQL APIs in Apigee
Apigee GraphQL policy - Using GraphQL | Apigee X
Getting started with StepZen - https://stepzen.com/docs/quick-start
Designing a GraphQL Schema https://stepzen.com/docs/design-a-graphql-schema

Google named a leader in the 2021 Gartner® Magic Quadrant® for Full Life Cycle API Management

Fri, 01 Oct 2021 19:00:00 +0000

We’re excited to share that Gartner has recognized Google Cloud’s Apigee as a Leader in the 2021 Magic Quadrant for Full Life Cycle API Management, marking the sixth time in a row we’ve earned this recognition. We believe this achievement is a testimony to Google Cloud’s differentiated vision for API management and strong track record of delivering continuous product innovation. In this year’s report, Apigee is placed highest among all the vendors for the ability to execute. We want to take this opportunity to thank our thriving community of customers, developers and partners for voicing their opinion.

APIs are one of the key mechanisms through which organizations bring digital-first strategies to life in the form of new experiences and applications for partners and customers. To get the most out of these APIs in an efficient and scalable manner, API management is a must and partnering with the right API management vendor is critical to building and scaling a successful API program. Research from industry analyst firms like Gartner can help enterprises evaluate and choose the right solution.

Many enterprise customers like Nationwide Insurance, ABN Amro, Bed Bath & Beyond, and Pizza Hut chose Google Cloud’s Apigee as their API management partner. Our mission is to help our customers make the leap to digital excellence - the ability to rapidly and repeatedly deploy and scale, and to consistently deliver on digital programs. We want to support our customers in building profitable API-based platforms and delivering measurable business outcomes.

“APIs allow Veolia to access new ecosystems and partners that will bring new innovation opportunities for us. Apigee helps us quickly and easily deliver great customer experiences. It abstracts away the backend IT complexity, and helps us provide information and data to our customers quickly, consistently and securely,” - Pascal Dalla-Torre, Group CTO at Veolia.

As part of this vision, we are focused on delivering continuous innovation.

Achieve hyperscale - To help customers scale globally, connect their distributed workforce, and collaborate with regional partners using APIs, we announced Apigee X earlier this year. It’s a major release of our API management platform that seamlessly weaves together Google Cloud’s expertise in AI, security and networking to help enterprises efficiently manage the assets on which digital transformation initiatives are built.
Developer efficiency - Developers today are using multiple tools to address their API and integration needs. Adding to the complexity is the proliferation of newer API styles and software development tools. Therefore, we recently announced Apigee Integration, a unified platform for API and integration needs, Apigee Adapter for Envoy to support microservices needs, support for new API styles like GraphQL, flexibility of using existing SDLC tools to manage APIs, and fulfilment solutions for conversational AI.
Democratizing application development - Across industries, tech savvy employees outside of the IT teams are increasingly using no-code development tools like AppSheet to build internal applications. To help organizations extend their API management investments to these tech savvy employees, we continue to invest in integrations between Apigee and AppSheet platforms.
AIOps for APIs - In a digital excellence strategy, APIs take the center stage acting as the central nervous system for connecting various customer and employee facing applications. Therefore, ensuring APIs are always available and performing as expected is critical. To overcome monitoring challenges of hyperscale API programs, we harness the power of Google’s industry-leading machine learning capabilities to equip API operators with capabilities such as anomaly detection.
Industry-specific solutions - To reduce the time to market of new digital programs and address specific industry requirements, we delivered a robust set of API industry accelerators such as Open Banking, Health APIx, eCommerce modernization, and Contact Center AI fulfilment for Telco.

We are honored to be a Leader in the 2021 Gartner Magic Quadrant for Full Life Cycle Management and look forward to continuing to innovate and partner with you on your digital transformation journey. Download the full report here (requires an email address). To learn more about Apigee, visit the website here.

^{Gartner Magic Quadrant for Full Life Cycle API Management, Shameen Pillai, Kimihiko Iijima, Mark O'Neill, John Santoro, Akash Jain, Fintan Ryan,28th September 2021.}

^{Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.}

^{This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Google(Apigee).}

Arab Bank: Accelerating application innovation with Anthos and Apigee

Mon, 14 Jun 2021 16:00:00 +0000

Founded in 1930 and headquartered in Jordan, Arab Bank is one of the oldest banks in the Middle East. Operating out of 28 countries, we’ve earned our customers’ trust with a prudent approach to operations and respect for the cultures and customs in the region.

With a few exceptions where cloud providers have hosted their datacenter in a Middle Eastern or North African country, the banking sector, in general, in the region has been slow to adopt cloud technology for a number of reasons, including concern about data security, maturity and security controls of cloud services (PaaS and SaaS), and regulations in place. But on the other hand, we saw the opportunity to accelerate our development and testing using the cloud, as well as to partner with the fintech community and digital service providers to integrate their solution in the banking ecosystem. We needed more flexibility to connect with the outside world, and a more open architecture to help us drive our internal innovation at a faster rate with the help of the fintech industry. By collaborating with Google Cloud, we reached those goals and accelerated app development and testing through products like Apigee and Anthos. We’re now offering innovative apps and services to our customers and employees that leverage new technological capabilities to give more agility and flexibility, and to optimize our workloads.

Embracing the cloud in a regulated industry

To get started with the cloud, we needed to create internal awareness about cloud technology, the API layer, containers and their benefits amongst our leaders and staff. Google helped us educate and get buy-in from key functions by organizing open technology demonstration sessions and discussion panels. When considering potential cloud providers we had four decision criteria: maturity of security controls, ease of use, cost, and scalability / agility for new deployments and continuous innovation. This last factor was critical, and we were impressed by Google Cloud’s innovation roadmap, both via direct conversations and at Google’s Next conference, where we met a lot of people passionate about technology, innovation and building something new.

Going back to our journey, given the above-mentioned regional limitations, we started to develop a hybrid cloud approach. This helped us continue to operate on-premises for a number of services in production, particularly those that have personally identifiable information (PII) or other sensitive data attached, and to leverage the cloud for development, testing and production workloads that don’t contain customer data.

In the short term, we didn’t anticipate that our many jurisdictions would allow data to be transported to other countries. But cloud tools will allow us to tokenize or anonymize customer data while maintaining customer data on-premises. This applies to many digital journeys such as customer onboarding, credit facility online applications, or marketplace navigation. In the coming years, we predict our API integration with partners will accelerate and enrich the overall digital value proposition of our business segments, namely consumer banking, small and medium-size businesses and large corporate and institutional clients.

Building connections and cornerstones in the cloud

The first move in our digital transformation was to implement Apigee, Google Cloud’s API management platform, to connect to the world’s digital banking ecosystem. Apigee provides the security, sharing, mediation policies, and developer portal capabilities for us to successfully meet Open Banking standards while focusing on innovation.

On the back of the Apigee implementation, we created an accelerator program to incubate Fintech ideas that can, in turn, integrate into our digital platforms and be offered to our customers. We also developed various banking APIs, all designed and documented in accordance with PSD2 and Open Banking regulations, and made them available to our partners. These APIs exposed on our API development portal offer the needed code structure for fintech companies to design creative solutions around them.

Next, we adopted Anthos, Google Cloud’s managed application platform. Anthos has become a cornerstone of our operations because it works across hybrid cloud, offering integration of microservice containers and fueling collaborative opportunities with external parties. Our current Anthos infrastructure includes several hundreds of microservices now running on containers in Google Kubernetes Engine (GKE) and on-premises. We now use the cloud for collaboration, development and testing, but not for production, which is done on-premises.

Along the way, Google Cloud’s Professional Services Organization (PSO) helped us through the entire cloud setup process, and with the adoption of Anthos. We originally built on the cloud tools through an iterative process, learning from our successes and errors along the way. Now that we have a better sense of how Anthos operates, we’re building a fresh infrastructure atop a sound, stable, and resilient foundation that will let us scale easily as we work to transform Arab Bank into a digital-first enterprise, that is our ambition.

Currently products running on Anthos include customer acquisition and onboarding via mobile apps, and our Arabi-Pay app, which allows customers to instantly pay each other via WhatsApp or other messaging platforms. Leveraging Anthos, our instant loan service for Arab Bank salaried employees can grant and disburse loans up to $7,000 in less than seven minutes.

In addition, we’ve built a number of digital journeys for our Small and Medium Enterprise (SME) customers, such as our SME client digital onboarding process and paperless SME lending platform.

While some may think that digital adoption in this part of the world can be slow, as customer contact remains anchored in our customs, the recent COVID-19 pandemic has accelerated the adoption of digital banking services and electronic payments, inspiring more confidence to buy and pay online. Thanks to our rich and user-friendly banking app that relies on Apigee and Anthos for critical customer journeys, over 90% of new-to-bank customers are using our mobile apps. Within the next 18 months, we predict that number will be closer to 100%.

Of course, with higher customer adoption comes the challenge of potential service interruptions. A single moment of downtime can be highly visible to many digital customers. But Google Cloud’s Anthos and Apigee give us the flexibility to resume processes at a fast rate, so any interruptions are almost invisible to our customers. In fact, when the COVID-19 pandemic hit, though our branches could be open only for limited hours each day, our consumer clients in particular were able to take advantage of our digital services in a very self-sufficient manner. Being well positioned with Google Cloud, we could also keep our internal teams and external partners connected and productive. Without Google Cloud, continuing the digital transformation of the bank at the pace we wanted would have been a big challenge.

Collaborating across borders and time zones

With Google Cloud, our ability to collaborate and partner has transformed significantly. We operate 24/7 now because our developers are scattered across multiple geographies and different time zones. Because testing and deployment can run around the clock, including on weekends, we currently deploy a new digital journey in a few weeks, faster than ever before. This has given our organization a spirited mindset that prioritizes innovation, and raised the bar in terms of our operating model.

Another consideration about Google Cloud tools is the elimination of inefficient processes typically seen in a software development lifecycle. We now build in a completely agile manner, from design squads until deployment in production. Compared to where we were two years ago, when we had an annual maximum of two systems releases in production, we now have close to monthly releases of our digital packages. In addition, we also supplement those monthly releases with additional ad-hoc releases and fixes in between. As a result, we have removed internal silos and improved tremendously the collaboration between the product and sales teams, operations, IT Dev Factory and Infrastructure, as well as our supporting functions.

Through the agile process facilitated by APIs, we introduced Design Thinking workshops involving external customers and prospects early on to understand their true pain points better and emotions during the existing journeys and how to make new digital journeys frictionless. As a result, the relevance of our products for various customer personas has improved tremendously.

Transcending banking

With Google Cloud, we can offer our customers so much more than just banking. We’ve become more digitally relevant to their lives. For example, we recently launched a mortgage app that helps customers all the way from home selection through mortgage negotiations and closing, and even to getting the home decorated. It’s an end-to-end journey in which API integration with key regional players was a cornerstone to our success.

For other digital products, we have an extensive roadmap of lifestyle-based solutions relevant to each segment and age group. We’ve only scratched the surface of the services we can provide, and we see the cloud as the future for everything we want to do.

Read more about Google Cloud’s Open Banking solution to learn how you can simplify and accelerate the process of delivering open banking as required by PSD2. You can also view our video on Open Banking, powered by Apigee API Management.

Simplifying API operations with AI as you scale your API programs

Mon, 24 May 2021 16:00:00 +0000

APIs are the backbone of digital transformation. Via APIs, you can securely share data and functionality with developers both inside and outside of your organizational boundaries, letting you build applications faster, seamlessly connect and interact with partners, and drive new business revenue.

Because APIs encompass business-critical information, any downtime or performance degradation can lead to significant loss in revenue, customers, and brand value. Therefore, there’s mounting pressure on operations teams to ensure that APIs are always available and performing as expected. If the APIs go down, so too do the services that fuel customer experiences and on which the organization relies for collaboration and business processes.

However, as you build and scale your API programs, it becomes practically impossible for API operators to manually monitor and manage all your APIs. To help, we brought the power of industry-leading AI and ML technologies to API operations via Apigee X, a major release of our API management platform. Apigee X seamlessly weaves together Google Cloud’s expertise in AI, security and networking to help you efficiently build and manage APIs at scale.

Put your API data into action

Apigee applies machine learning to your API metadata and provides you the required tools that simplify various aspects of API operations. A great example of AI for APIs is anomaly detection:

AI-powered rules trigger alerts based on a set of predefined conditions that are determined by applying Google’s industry-leading machine learning models to your historical API data.
Auto-thresholds adjust the monitoring criteria of your APIs and set them to pattern-based values.
Reduce overhead results because operators don’t have to manually monitor anomalies or adjust the monitoring thresholds on APIs.

“By applying AI and ML models to our historical API data, these advanced features are able to alert us about scenarios we haven’t thought of. Such automation capabilities significantly reduce our upfront efforts. And from a security perspective, the actionable insights help us ensure that our proxies are exposed only over secure HTTPs ports and adhere to compliance requirements. We’re also able to closely monitor user activity and quickly pull out reports during audits.” - Adam Brancato, Sr. Manager, Global Technology and Security at Citrix

As our customers scale their API programs, they find it extremely useful to harness AI-powered capabilities. In our recent State of the API Economy 2021 report, we found a 230% increase in enterprises’ use of anomaly detection, bot protection, and security analytics features.

To learn more about Apigee X, and see AI and machine learning in action, check out this video, and to try Apigee X for free, click here.

API design 101: Links to our most popular posts

Sat, 15 May 2021 16:00:00 +0000

APIs play a critical role in helping software connect and communicate, as well as making the lives of developers a little easier. Over the years we’ve published a number of posts to help developers design APIs to get the most from them.

Below is a list of our most popular API design posts you can read now or bookmark for later.

Getting started with API design

Designing and managing APIs: Best practices & common pitfalls

API Design Guide [documentation]

Different approaches: REST, RPC, and GraphQL

Best practices

Want to keep reading? Find more of our API related content on the Cloud blog here.

How DueDil leverages Apigee API-first approach to deliver data insights at scale

Fri, 14 May 2021 16:00:00 +0000

As their name reflects, DueDil provides due diligence services ranging from customer-specific risk evaluations and selections to customer onboarding and real-time risk monitoring for leading financial services, high-growth tech and insurance companies. Founded in 2009, the company helps more than 3,000 enterprise users from over 400 clients to not only understand with whom they’re doing business, but to do so with increased efficiency and in compliance with regulatory requirements.

Due diligence services have evolved in recent years, both because of new regulations and new technologies supplanting legacy systems and processes, many of which relied until recently on pen-and-paper workflows or exhaustive spreadsheet work. DueDil knew this technology transformation represented an opportunity to replace manual processes with automation--but it also recognized a second opportunity: to not merely process data but also activate it by connecting information in disparate IT systems and generating data-driven insights delivered at scale.

To capitalize on this opportunity, the company built its Business Information Graph, or B.I.G., a platform that maps approximately 300 million connections among companies. B.I.G. ingests billions of data points, and is refreshed multiple times per day, to surface unique insights about business’s relationships, such as fraud risks. The results that B.I.G. drives often speak for themselves: some DueDil customers onboard partners up to 80% faster, perform risk verification up to 18 times faster, and reduce time spent on manual portfolio checks by up to 80%.

What powers all of this transformation? Application Programming Interfaces (APIs).

“From a go-to-market standpoint, our product is an API,” said Denis Dorval, DueDil COO, in a recent webcast, explaining that customers can directly tap B.I.G.’s resources for themselves, and build atop them for their own needs, via DueDil’s API.

Choosing an API management platform to deliver fast, secure, and scalable APIs

To execute on their vision of connecting B2B ecosystems for better insights and efficiency, DueDil looked for a cloud provider that could fulfill several specific criteria. They needed robust management for the APIs with which their internal developers leverage different systems for new use cases and process automations, as well as for the productized API they offer to customers. They needed sophisticated analytics and abundant processing power to crunch through billions of data points. And, they needed enterprise-grade security, scalability, and agility to underpin it all. Last but not least, the company prioritized a smooth transition; DueDil did not want the user experience to suffer as it switched providers.

“The stability of Google Cloud’s Apigee API management platform and the strength of its services stood out”, said DueDil’s Engineering Manager, Robert Cicero.

“Apigee is a resilient and agile platform, fulfilling our need to build APIs quickly, safely, and at scale,” he remarked, noting that he appreciated that many of Apigee’s API security defense tools and policies work out-of-the-box. For instance, Apigee’s JSON threat detection policies, custom policies, and authentication and authorization processes can be deployed instantly and add minimal latency, meaning DueDil can stop security threats before they enter its network while still avoiding the risk of service lags.

Today, DueDil has five internal services that facilitate business due diligence, all exposed via Apigee. They also use Apigee’s monetization feature to drive API consumption. This said, because DueDil’s go-to-market strategy is fast-paced and client-oriented, they most often use Apigee to rapidly prototype APIs for their clients, so they can understand what a specific API would look like and how it would behave. This allows DueDil, its partners, and its customers to spend more time delivering value from insights rather than getting bogged down in building backend systems.

Moreover, Apigee made it simpler to also connect to other Google Cloud services, such as BigQuery, Google Data Studio, and Google Cloud Storage. Apigee acts as a central nervous system among systems, giving DueDil not only the ability to connect systems and automate processes but also insight and visibility into how its B.I.G. services are being used by partners and customers.

Plus, added Cicero, “the migration to Apigee was seamless, with arguably our biggest win being that no one knew that we had switched API management providers to Apigee.”

Leveraging APIs to provide self-service while enforcing security and governance policies

Moving forward, DueDil plans to leverage Apigee to give staff members and clients more privileges, visibility, and opportunity to create and edit apps in a self-service manner, without needing to rely on an IT department or endure long approvals processes. Harnessing APIs to open up B.I.G. and other capabilities to more teams across the company will also allow DueDil to move faster and include more people in the innovation process. Leveraging Apigee API management capabilities, DueDil also intends to dive deeper and experiment with other Google Cloud products and services, including Cloud Function, Cloud Pub/Sub, and more.

“At the end of the day, every company goes about due diligence a little differently. The only way that we at DueDil are able to provide something that is configurable and dynamic to diverse businesses is if we use platforms that can adapt, too,” said Cicero. “Apigee gives us the agility required to create and deliver for a wide variety of businesses.”

Google Cloud, today, works across banking, capital markets, insurance, and payments worldwide to solve their most challenging problems. Click here to learn more about how Google Cloud Apigee API management can help you design, secure, analyze, and scale APIs anywhere with visibility and control. To try Apigee API management for free, click here.

Better protect your web apps and APIs against threats and fraud with Google Cloud

Thu, 22 Apr 2021 16:00:00 +0000

With web applications and public APIs becoming increasingly important to how organizations interface with their customers and partners, many are turning to dedicated tools that can help protect these assets. As research firm Gartner notes in its 2020 report “Defining Cloud Web Application and API Protection Services,” “By 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine DDoS protection, bot mitigation, API protection and web application firewalls (WAFs). This is an increase from fewer than 10% today.”¹ Currently, most of these services come in the form of different point solutions for different types of threats. This leads to gaps in protection and increased acquisition and operational costs.

To tackle these challenges, Google Cloud has launched a security solution, Web App and API Protection (WAAP), which provides comprehensive threat protection for your web applications and APIs.

Google Cloud WAAP is based on the same technology Google uses to protect its public-facing services against web application exploits, DDoS attacks, fraudulent bot activity, and API targeted threats. It represents a shift from siloed to unified application protection, and can deliver improved threat prevention, greater operational efficiencies, and consolidated visibility and telemetry. It also provides protection across clouds and on-premises environments.

Google Cloud WAAP combines three leading products to provide comprehensive protection against threats and fraud:

Google Cloud Armor, which is part of Google Cloud's global load balancing infrastructure, provides WAF and anti-DDoS capabilities, protecting applications against the Open Web Application Security Project (OWASP) Top 10, sophisticated application exploits, and both volumetric and layer 7 availability attacks.

Apigee, Google Cloud’s API management platform, provides API lifecycle management capabilities, with a heavy focus on security. The solution verifies API keys, generates and validates OAuth access tokens, rate limits traffic, enforces quotas, and provides analytics on API trends.

reCAPTCHA Enterprise provides transparent protection from fraudulent activity, spam, and abuse like scraping, credential stuffing, automated account creation, and exploits from automated bots.

Google Cloud WAAP solution high-level architecture

“I’ve seen our customers benefit greatly from each part of Google Cloud WAAP, and now that it’s a packaged solution, we can bring a more comprehensive security solution to a broader set of clients much faster.” said Miles Ward, CTO of SADA Systems. “SADA is excited to partner with Google to bring this outstanding security solution to our customers’ mission critical projects.”

How WAAP is helping customers today

The following two scenarios showcase how a bank and an airline are using Google Cloud’s WAAP solution to address their heightened security needs.

Balancing security requirements with ease of use
A bank is launching a new microservices based payment app and, due to the architecture of the application, it exposes several APIs which need to be protected. Three different teams are involved and have different priorities that need to be balanced.

Google Cloud’s WAAP solution allows different teams at the bank to collaborate closely to fulfil their requirements using one solution and one vendor.

Managing OWASP Top 10 Web Application Security Risks
An airline needs to protect its reservation website from OWASP Top 10 Web Application Security Risks. Preventing attackers from utilizing leaked or stolen email addresses and passwords to gain unauthorized access (credential stuffing) is a priority. Their APIs are used by 3rd party travel sites for making reservations, therefore the airline also needs to be able to manage authentication and authorization of their public APIs.

The airline uses the Google Cloud WAAP solution, implementing Cloud Armor as a WAF, Apigee as the API management layer, and reCAPTCHA Enterprise to defend against credential stuffing.

Google Cloud WAAP solution workflow

Let’s take a look at the workflow of this request with the Google Cloud WAAP solution.

The first point of contact on the WAAP solution is Cloud Armor. Cloud Armor protects against OWASP Top 10 vulnerabilities like cross-site scripting (XSS), SQL Injection (SQLi) etc and also provides protection against L3, L4, and L7 DDoS attacks.
If none of the above rules are triggered on the Cloud Armor policies, a request is sent to the reCAPTCHA Enterprise API to evaluate whether the incoming traffic is a legitimate request or not [Machine bot vs. Human]. If it is a legitimate request, then the request is forwarded to the airline’s backend. If the request is not a legitimate one, then Cloud Armor has the ability to deny the request by sending a 403 response code to the user. Further, Cloud Armor can take more intelligent actions like redirecting to a different page or forwarding the request to a honeypot.
For any API requests, once the Cloud Armor OWASP rules and DDoS protection has been evaluated, the request is then forwarded to Apigee to check the validity of the API request. Apigee is now able to determine if the API keys or access tokens used in the request are valid and that the consumer has access to the API or not. If Apigee determines the request to be a non-legitimate one, Apigee can serve a 403 response code to the end user otherwise, Apigee will forward the request to the Airline’s backend.

For all requests being made to the airline’s reservation website, the WAAP solution is the first point of contact and can detect and mitigate bad actors at the edge before the request even reaches the airline’s backend.

As more and more organizations accelerate their digital transformation journey, and as business processes and commerce rely more on digital interactions, the need for heightened levels of security and protection has risen significantly. Moving to a unified application protection like Google Cloud’s WAAP solution can help organizations deliver improved threat prevention, greater operational efficiencies, and consolidated visibility and telemetry, in record time.

Get started using WAAP today

For more details on how Google Cloud can help with comprehensive web app and API protection, check out our WAAP solution page, watch our on-demand webinar on App Modernization and Protection, and read our whitepaper written by Enterprise Strategy Group on Meeting the challenges of securing modern web applications with WAAP.

^{1. Gartner, Defining Cloud Web Application and API Protection Services, Jeremy D'Hoinne and Adam Hils, Refreshed 20 May 2020.}

GraphQL: Building a consistent approach for the API consumer

Thu, 01 Apr 2021 16:00:00 +0000

Developers use application programming interfaces, or APIs, to assemble data and functionality for new mobile or web apps, but when it comes to interacting with APIs, developers are often faced with two popular options: REST or GraphQL.

In this article, we’ll explore how these approaches compare, and we’ll offer REST API best practices that can be applied to build a more consistent experience for GraphQL API consumers. One option is not better than the other, and both can be used within the same teams if not the same projects--but regardless of what kind of APIs a project entails, a more consistent experience will help developers do more, faster.

REST and GraphQL compared

REST is a software architectural style to which APIs conform so developers can interact with services in a standard way. GraphQL is a query language for APIs and a runtime for fulfilling those queries. REST and GraphQL are similar in that they identify resources as URLs through which the app can fetch data or functionality—but there are many differences:

GraphQL exchanges data at a single endpoint whereas REST often involves several endpoints. GraphQL resolvers retrieve the data for fields, and if one resolver fails, the rest of the query can still retrieve and return useful data. This interaction paradigm mirrors what’s expected from doing multiple REST queries, and as such, one GraphQL query frequently replaces multiple REST queries.
GraphQL prevents over-fetching and under-fetching of data—that is, an endpoint responding to a call with too much or too little information, respectively, compared to what the app needs. REST APIs are offered in various levels of resolution. Some retrieve more data, and some retrieve less data. This means an app might receive too much data, such as the whole employee profile when all that was needed was the employee name and ID number. Likewise, it might receive too little data, forcing the app to make several API calls instead of just one.
REST uses HTTP verbs, and generally uses JSON in order to exchange payload data, but in GraphQL, the HTTP POST verb is most frequently used, and the different query types are specified inside the protocol. GraphQL also uses a custom query format called Schema Definition Language (SDL), and even though that custom query language is used for the request, JSON is returned, which makes it easier for clients to leverage the response. GraphQL client libraries feature native integration with the ReactJS UI framework, and are also available for other other languages and paradigms, making them accessible to many developers today.
The developer’s discovery perspective differs. To understand how REST APIs work, the developer typically uses a portal as the storefront to discover and interact with the APIs. In GraphQL, the portal is a built-in playground that also accommodates development. It's almost like an integrated development environment, allowing developers to explore new queries on the fly, assisted by features like tab completion. Documentation is also different. REST usually uses OpenAPI specs and portals. Some extensions to OpenAPI exist. For example, Apigee SmartDocs builds interactive documentation from those OpenAPI specifications. GraphQL developers typically use schema-based interactive documentation, such as Graphiql to develop and interact with GraphQL endpoints.

These qualities make GraphQL popular for an increasing number of use cases but can point to possible adoption challenges. For projects involving interoperability and decomposition of internal infrastructure, GraphQL is a useful tool for creating a few APIs for many disparate legacy systems. But it can also be leveraged in self-service developer programs and related growth strategies, which typically involve enterprises encouraging internal and external innovation by making REST APIs available via an API management platform.

These programs differ from traditional infrastructure-centric API projects in that the APIs may be used by many people outside the team that built it, for many uses that team never imagined. This reiterates the importance of a consistent, reliable, intuitive developer experience--and it also raises one of the obstacles to adapting GraphQL: it is relatively easy to glance at a group of REST APIs and intuit what they do and how they work, but we’re not yet as close to that with GraphQL.

Using REST-based practices in GraphQL

You should be open to using the best tools for the job, which may include both GraphQL and REST. To work more productively with GraphQL, we recommend adopting some of the REST-based best practices we’ve developed over years of experience building developer programs.

Think of APIs as digital products that let enterprises take their assets and, in order to increase the leverage of those assets, put them in the hands of developers, whether those developers are internal employees, partners, or external customers. Because APIs are digital products, developers need a consistent experience in order to understand how to use them, and to bring compelling experiences to market. Developer friction is a huge challenge in adoption of APIs and in growth strategies of digital companies, so just as with REST, consistency is key for GraphQL.

Treat the graph as a data-driven hierarchy defined by plural nouns
One of the key tenets of the REST architectural style is to create a simplified, consistent interface that rationalizes infrastructure complexity. One would never expect a well-formed REST query to be GET/listEmployeesByDepartment––that looks more like a Java function. Rather, a well-formed REST resource would use plural nouns: GET /Employees, then POST /Employees, etc. By reliably conforming to predictable expectations, REST APIs directly affect the speed at which developers are able to consume resources and build new experiences––and time is money.

GraphQL’s schema uses a graph hierarchy to define relationships between entities, such as the titles and authors of books in a catalog. This is a fundamentally data-driven hierarchy but we sometimes see it treated as a functional hierarchy that looks like a Java function––and this can introduce friction by disrupting predictable, intuitive, consistent experiences.

A well-formed GraphQL should look like a well-formed REST. If you can GET from /Books, it should be assumed you can POST to /Books. Compare that to a more Java-like construction, defined by a verb-based function instead of a data-based noun, such as GET listBooksByGenre. How can you POST? To /BooksByGenre? To /Books? To /listBooks? Who knows. Our advice is to be data-driven, and to treat the graph as a data-driven hierarchy.

Don’t force GraphQL when REST makes more sense
In REST, users often request and submit data from different URLs, especially when using patterns such as Command Query Responsibility Segregation (CQRS), a design pattern first identified by Martin Fowler that separates the model that reads the data from the model that updates the data. Developers often use CQRS in REST to retrieve data from multiple services in microservices architectures.

In GraphQL, mutations (the way a GraphQL developer submits data) can get very complex very quickly, especially when there are a lot of different data types or when very little data is submitted. We recommend using a style similar to CQRS that separates retrieving data from submitting data. This may be particularly useful to large enterprises, especially those that already have a REST-based API layer. GraphQL can retrieve data on top of or instead of the API management layer, but data can still be submitted through the existing REST APIs. This demonstrates a developer should not want to force GraphQL when REST makes sense.

Optimize for re-usability
Large enterprise GraphQL deployments often encounter challenges when many different types of backends need to be made available to developers. Different business units develop different aspects of the schema, which is then presented to developers as one comprehensive graph, frequently through schema stitching of schema federation. The challenges arise when the behavior of the queries returns different data or behaviors from different parts of the graph, because there’s no consistency in the representation of the data. Variable names that look the same in the SDL should not return different values or formats just because they resolve to different data sources.

Further, Relay cursor connections and input hints should all present uniform behavior regardless of the portion of the graph being requested.

This is particularly a problem with mutations, because if a developer submits data to one part of the schema one way, and it gets recorded one way, they may not realize that when they submitted it in another part of the schema, it was recorded another way. Since mutations are a particular challenge when optimizing for re-usability and API productization, we recommend being particularly conscientious of the way you develop and design them in GraphQL.

Lastly, let’s look at field names. It is developer-hostile to have field names with the same name provide different data and behavior because they are in different parts of the schema. For example, when there is a name field in one part of the schema that expects first, middle, last name, and a name field in another part of the schema that expects last name.first name, this incongruence can lead to developer abandonment.

In GraphQL, it's easy to optimize for query efficiency, but be intentional about optimizing for re-usability. Avoiding situations in which APIs confuse developers will pay dividends.

Whether REST or GraphQL, API is a product that needs to be managed

Most of these best practices, from treating the graph as a data-driven hierarchy to optimizing for re-usability and developer consumption, reinforce a central idea: APIs that are useful for growth strategies are products for developers, so the developer’s experience using the API is among the most important determinants of whether the API is adopted or not. With the help of Apigee API Management, developer programs have been embracing this idea for years with REST APIs, and as enterprises apply it more broadly to GraphQL, those API programs will only become more adept at empowering developers to innovate.

To learn more about GraphQL vs. REST, check out our video from Google Cloud Next. You can also view this community post for useful links to a reference implementation, along with links to a GitHub repo that provides tooling to enable GraphQL query authorization in Apigee.

Delivering high-performing global APIs with Apigee X and Cloud CDN

Wed, 31 Mar 2021 16:00:00 +0000

Organizations are increasingly investing in digital businesses ecosystem strategies to foster innovation and operate efficiently. These ecosystems connect various stakeholders--such as partners, developers, and customers--via application programming interfaces, or APIs. APIs allow various software systems to interface, and are thus the primary mechanism of value exchange within these ecosystems.

For example, Bank BRI, one of the largest banks in Indonesia, drove over $50 million in new revenue by creating an online marketplace with more than 50 monetized open APIs that let over 70 ecosystem partners leverage the bank’s credit scoring, business assessment, and risk management capabilities. Similarly, AccuWeather, the world’s leading weather media and big data company, makes APIs available to more than 70,000 registered developers who’ve used the company’s data and functionality to create over 30,000 apps.

Scaling up digital business ecosystems can unlock new markets, grow regional partnerships, and connect distributed workforces--but all of this starts with scaling up the API program. To help customers globally scale API programs, we are pleased to bring the power of Google’s networking capabilities to API management.

Expand global reach and deliver high performance with Apigee and Cloud CDN

Apigee X, the latest release of Google Cloud’s full lifecycle API management platform, makes it simple and easy to apply Cloud Content Delivery Network (CDN) to APIs. Working in tandem, the two solutions let enterprises not only secure and manage their APIs but also make them available across a global ecosystem of stakeholders.

Specifically, Apigee lets enterprises apply security to APIs, control how and by whom they’re used, publish them for consumption, monitor and analyze their usage, monetize them, and perform other aspects of API product management. Cloud CDN helps these APIs and the services they support to be performant, regardless of how many ecosystem participants are calling the API or where those ecosystem participants are located.

Cloud CDN runs on Google Cloud’s globally-distributed edge network and lets organizations serve content globally. This reduces latency both by leveraging Google’s massive network infrastructure, which supports services such as Gmail and Google Search, and by caching content closer to the users, improving performance and availability for peak traffic seasons. Because digital assets can be served from Google's global edge instead of an organization’s backend systems, web pages and apps can run even faster and offer a smoother experience.

By caching often-accessed data at the network edge, as close to the customers and end users, as quickly as possible, Cloud CDN also helps organizations seamlessly handle seasonal spikes in traffic, such as those that may occur during the holiday or back-to-school seasons. In addition to improving ecosystem experiences and reliability, this approach to caching can also minimize web server load, compute usage, and ultimately costs.

Better digital experiences lead to bigger digital ecosystems

Whether it’s interacting with customers, partners, or third-party developers, an enterprise’s ability to expand its digital ecosystem is limited by the quality of the digital experiences it creates. If apps load too slowly or services are not consistently available, ecosystem participants will leave. If APIs and the apps they power are not secure, participants will leave. Each link in the digital ecosystem value chain relies on API management and network management to keep interactions flowing--and with the combined power of Apigee X and Cloud CDN, we’re pleased to help our customers meet these challenges and expand their businesses. To try Apigee X for free, click here, and to learn more about Cloud CDN, click here. Check out our latest demo of Apigee and Cloud CDN working together in the below video.

Multi-layer API security with Apigee and Google Cloud Armor

Mon, 15 Mar 2021 16:00:00 +0000

Information security has become headline news on a daily basis. You have probably heard of security risks ranging from malicious bots used in schemes both big and small, to all-out "software supply chain attacks" that involve large-name enterprises and their customers, and that ultimately affect numerous governments, organizations, and people.

As businesses expand their digital programs to serve their customers via online channels and to operate from anywhere with a global remote workforce, such security attacks are expected to become more common. Because application programming interfaces (APIs) are fundamental components of an enterprises’ digital programs, connecting the data and functionality that power various apps and services, they are also vectors of malicious attacks--as well as sources of insights that enterprises can use to better understand attack patterns and how to thwart them. Our State of the API Economy 2021 report found a 172% rise in abusive traffic and a 230% increase in enterprises’ use of anomaly detection, bot protection, and security analytics features.

As agile, smart, and proactive digital security mechanisms have become the cost of doing business, API security has become an indispensable part of an enterprise’s IT security portfolio--and as this article explores, our recent release of Apigee X makes API security even more powerful.

Multi-layer API security with Apigee and Google Cloud Armor

APIs are the doors to various digital assets--and every door needs a lock to keep what’s behind it safe and protected from unauthorized access. Therefore, to help organizations secure APIs to the highest level, Google Cloud has brought together Apigee and Cloud Armor, combining industry-leading API management and web application firewall technologies. With Apigee X, the latest release of Google Cloud’s full lifecycle API management platform, customers can easily and seamlessly apply Cloud Armor web application firewall (WAF) to APIs, adding another layer of security to ensure that corporate digital assets are accessed only by authorized users.

For companies such as AccuWeather, a global leader in weather data and forecasting, APIs have been essential to both building new applications and monetizing data and functionality for outside developers, so those communities can innovate with AccuWeather assets as well. With this new expanded surface area from their APIs, AccuWeather needed robust security to manage and secure its digital assets.

“Over the last decade, AccuWeather has continued to transform as a digital solution for serving business customers with the most accurate and useful weather information using APIs. With Apigee’s strategic partnership and comprehensive API management platform, we were able to design, develop, and launch our industry-leading APIs in a few short weeks.” said Chris Patti, Chief Technology Officer at AccuWeather. “Today, we serve over 50 billion API calls per day. As many organizations embrace their own digital solutions, they are increasingly adopting API-first strategies for accelerated transformation. With the new Apigee X release, we can foresee furthering our API programs with the best of Google capabilities like reCaptcha, Cloud Armor, and Content Delivery Network (CDN) for global scale, performance and security.”

Apigee and Cloud Armor together help secure your APIs at multiple levels.

Click to enlarge

While Apigee X includes OAuth (Open Authorization), API keys, role-based access and many other API-level security features, Cloud Armor offers network and application security such as DDoS (Distributed Denial of Service) protection, geo-fencing, mitigation of OWASP (Open Web Application Security Project) Top 10 risks, and custom Layer-7 filtering. With Apigee X and Cloud Armor, developers enjoy integrated, out-of-the-box security capabilities to protect their APIs at multiple levels.

Click to enlarge

Customers can also easily leverage Cloud Identity and Access Management (IAM) for authenticating and authorizing access to the Apigee platform as well as to gain more control over encrypted data with customer-managed encryption keys (CMEK).

Apigee X and Cloud Armor deliver powerful protection for applications and APIs against threats and fraud. These products are also available as part of our WebApp and API Protection (WAAP) solution that adds anti-bot and anti-abuse measures from reCAPTCHA Enterprise.

Security is a moving target, with attackers and new vulnerabilities emerging all the time--but with a multi-layer approach to API security, enterprises can trust that they can quickly leverage APIs for new digital services and experiences without compromising security along the way. To learn more about Apigee X, and see Apigee and Cloud Armor in action, check out this video

The time for digital excellence is here—Introducing Apigee X

Thu, 04 Feb 2021 17:00:00 +0000

Digital transformation has been a top enterprise priority for years, and in the wake of the global pandemic, that urgency has only increased. Many industries have had to manage in weeks or months what previously would have taken years. According to surveys conducted for our “State of the API Economy 2021” report, three-quarters of enterprises remained focused on digital transformation in 2020, and two-thirds of those companies actually increased their investments.

APIs are the backbone of digital transformation, and to help organizations navigate today’s challenging landscape, we’re announcing Apigee X. A major release of our API management platform, Apigee X seamlessly weaves together Google Cloud’s expertise in AI, security and networking to help enterprises efficiently manage the assets on which digital transformation initiatives are built.

“APIs have become one of the most crucial steps for enterprises to achieve digitalization. APIs are key to adopting modern architecture patterns such as microservices, EDA, serverless or hybrid/multicloud,” wrote research & advisory firm Gartner in its July 2020 report “Gartner Market Share Analysis: Full Life Cycle API Management, Worldwide, 2019.” “As enterprises reopen post-COVID-19, they will have to find their own path to the new normal. The most successful will have started rescaling and reinventing themselves during the crisis, but the bulk of them will start at reopening. Rescaling and reinventing goes through a decomposition and a recomposition of their operating practices, and the role of an API platform in those activities is paramount. The more effective and extensive the API platform is, the quicker and easier rescaling and reinventing will be.”

Because APIs are how software talks to software and how developers leverage data and functionality at scale, APIs are not just a component in the software stack, but rather products that developers use to execute business strategies and achieve innovation at scale. Like all products, APIs need to be managed, and as Apigee turns 10 this month, we bring a decade of deep expertise and experience from working with over a thousand customers globally.

“Apigee provided guidance on how we should roll out our API strategy and how we can think strategically about digital transformation using APIs,” said Rick Schnierer, Vice President, Annuity Technology, at Nationwide Insurance. “What used to take us two to three months to develop as a monolithic service now takes days as a microservice. Apigee has also allowed us to federate development, meaning our developers are empowered to create and share APIs on their own rather than going through a centralized model. We have business connections coming through the Apigee API management platform that we wouldn't have even thought to initiate on our own.”

“At Deutsche Bank we are looking forward to using Apigee X as we design and implement API solutions integrated into our ecosystem,” said Shaun Cotter, Managing Director, Corporate Bank Technology at Deutsche Bank. “The effective and secure use of API-led integration is a key component of our Google Cloud partnership, and will enable the bank to better connect services internally, innovate with third parties and offer our products to a broader client base.”

Achieving digital excellence with Apigee X

As increased digital transformation investments may suggest, competitiveness is increasingly less about transformation ambitions and more about actual transformation. It’s not enough to simply use the cloud, have APIs, or even adopt API management. Rather, the requirement is digital excellence: the ability to rapidly and repeatedly deploy and scale, and to consistently deliver on digital programs. It involves adopting digital as a core enterprise strategy for building profitable API-based platforms and delivering measurable business outcomes. Helping customers make this leap--from gradual transformation and API-based programs to digital excellence and API-based platforms--has been our core goal for Apigee X.

“At Pitney Bowes we are always looking for ways to provide the best experience for our clients and Apigee’s technology helps us make this possible. We are very excited about the launch of Apigee X, as it can help businesses elevate API-led programs, and accelerate digital transformation even more,” said James Fairweather, Chief Innovation Officer at Pitney Bowes. “During these uncertain times, organizations worldwide are doubling-down on their API strategies to operate anywhere, automate processes, and deliver new digital experiences quickly and securely. By powering APIs with new capabilities like reCAPTCHA Enterprise, Cloud Armor (WAF), and Cloud CDN, Apigee X makes it easy for enterprises like us to scale digital initiatives, and deliver innovative experiences to our customers, employees and partners.”

What Differentiates Apigee X

Let’s take a closer look at Apigee X.

Global reach, high performance & reliability
With shifting market conditions and dynamic work environments, organizations are scaling API programs for global expansion and supporting distributed workforces. Apigee X makes it easy for customers to harness the power of Cloud CDN to maximize the availability and performance of APIs globally. Customers can now deploy their APIs across 24 Google Cloud regions and enhance caching at more than 100 locations.

Multi-layer security & privacy
Scaling API programs also opens up more doors for fraudulent activities, both internally and outside of the organizational boundaries. As our “State of the Economy 2021” report elaborates, in the past year, Apigee saw an increase in abusive API traffic of over 170%. Apigee X offers an integrated approach for applying capabilities like Cloud Armor web application firewall for enhanced API security and Cloud Identity and Access Management (IAM) for authenticating and authorizing access to the Apigee platform. It gives businesses more control over encrypted data with CMEK while allowing them to store data in the region of their choice and control the network locations from which users can access data by using VPC Service Controls.

AI-powered automation
With the increasing adoption of APIs for powering enterprise business-critical applications, there’s growing pressure on operations and security teams to ensure they’re always available, secure and performing as expected. Apigee X applies Google’s industry-leading AI and machine learning capabilities to historical API metadata to autonomously identify anomalies, predict traffic for peak seasons, and ensure APIs adhere to compliance requirements. This helps API operators and security admins focus on programs that really matter to their business, rather than spending time on trivial tasks.

Being an industry leader in the space of API management, and having worked across customers for a decade, we’ve seen how enterprises can truly transform their businesses by leveraging APIs to build new digital experiences, more powerful and intelligent automations, and more impactful data-driven applications. Today’s launch continues to expand what API management can do, and it offers businesses an onramp to achieve digital excellence over the next decade. We can’t wait to see what you’ll do next with us. Click here to try the new release of Apigee for free.

^{Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.}

Apigee

Google Cloud Apigee Named a Leader for the 10th Consecutive Time in the Gartner® Magic Quadrant™ for API Management

Extending API management to gen AI and agentic AI

Managing, governing, and securing agentic AI

Apigee: Trusted by global leaders

Thank you to our customers and partners

Google Cloud Apigee named a Leader in the 2024 Gartner® Magic Quadrant™ for API Management

Your partner in digital transformation

Navigating the API landscape with confidence

Our commitment to continued innovation

Thank you to our customers and Partners

Download the report

From gRPC to RESTful APIs: Expose your gRPC services to the REST of the world

gRPC-to-HTTP gateway

Lower entry barriers with API management

Conclusion and next steps

gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design

Google Cloud (Apigee) named a Leader in the 2023 Gartner® Magic Quadrant™ for API Management

Adding pricing and accessibility granularity for Apigee API Management

Consistent pricing attributes across Pay-as-you-go and Subscription

Pay-as-you-go pricing granularity

API calls

Environments

Get started with Apigee API Management

How Apigee can help government agencies adopt Zero Trust

How Apigee helps government adopt a Zero Trust architecture

Features of Apigee Zero Trust solution

Take the next step

Unifying government platforms with API management

Using APIs to securely connect government systems

A unified government platform

Administering access to an API ecosystem

Getting started

Responding to changes in cloud resources with Eventarc and Cloud Run

Responding to changes in cloud resources with Eventarc and Cloud Run

What is Eventarc?

Defining an Eventarc handler

Cloud Run Event Handler

Audit Logs Event Source

Eventarc to route the audit logging events to the eventhandler

End to End Validation

Apigee-specific use case ideas for Eventarc

Conclusion

Eventarc brings eventing to Cloud Run and is now GA

Announcing MongoDB connector for Apigee Integration

How is it simpler?

A concrete example

Developers Save Time in a Secure Environment

Next Steps

How to manage your GraphQL APIs with Apigee

What does our scenario do?

Let’s get your environment up and running

Testing the Endpoint

Add Google Maps to the API

Next Steps

Google named a leader in the 2021 Gartner® Magic Quadrant® for Full Life Cycle API Management

Arab Bank: Accelerating application innovation with Anthos and Apigee

Embracing the cloud in a regulated industry

Building connections and cornerstones in the cloud

Collaborating across borders and time zones

Transcending banking

How banks can build resilience into core systems and accelerate a return to innovation in 2021

Simplifying API operations with AI as you scale your API programs

Put your API data into action

The time for digital excellence is here—Introducing Apigee X

API design 101: Links to our most popular posts

Getting started with API design

Different approaches: REST, RPC, and GraphQL

Best practices

How to develop secure and scalable serverless APIs

How DueDil leverages Apigee API-first approach to deliver data insights at scale

Choosing an API management platform to deliver fast, secure, and scalable APIs

Leveraging APIs to provide self-service while enforcing security and governance policies

The time for digital excellence is here—Introducing Apigee X

Better protect your web apps and APIs against threats and fraud with Google Cloud

How WAAP is helping customers today

Get started using WAAP today

Multi-layer API security with Apigee and Google Cloud Armor

GraphQL: Building a consistent approach for the API consumer

REST and GraphQL compared