Apigee + Hasura: Data APIs at Enterprise Scale — Part 1

Originally published at hasura.io on April 25, 2023.

Enterprises typically are well aware that API Management platforms like Apigee are key to the success of their application modernization strategies. What we find is less known is that API Management is only one piece of the puzzle when beginning your “API-first” and cloud-native development journey. These platforms address many of the challenges with operationalizing APIs for consumption both inside and outside of your organization, but solving for a lack of skills on the development side and an ever-evolving set of API specifications to work with data is something that industry-leading API Management vendors generally do not address.

How do organizations scale their ability to both deliver and develop better APIs and digital products?

Data API platforms are commonly deployed in enterprise architectures within the same data flow as an API management platform in order to scale the development and integration side of an enterprise’s overall API strategy. While API management solutions like Apigee are primarily focused on managing the life cycle of APIs, with an established history of working with REST and SOAP/XML services, Data API platforms such as Hasura are leading efforts on generating APIs in both GraphQL and REST specifications from underlying databases and data sources.

When working in parallel, solutions like Apigee and Hasura form the backbone of a complete enterprise API strategy.

Let’s quickly have a look at a high-level breakdown of each solution’s responsibilities in an enterprise-ready production environment:

Apigee
Apigee is an API Management Platform that provides a layer of governance, security, engagement, and analytics for your existing APIs. The key feature areas for Apigee are publishing your API products to Apigee’s developer portal, controlling API traffic with routing policies, detecting security threats with machine learning, and analyzing your API performance and adoption. Apigee also tracks API usage and billing, enabling enterprises to monetize their API products, and critically supports GraphQL API routing and TLS termination.

Hasura
Hasura is a Data API Platform that automatically generates GraphQL or REST APIs from an underlying database’s schema and can merge existing GraphQL and REST APIs into a single, unified GraphQL endpoint. Federating data in this way dramatically improves the frontend developer experience and productivity without placing a burden on backend engineering teams. Hasura provides a simple and fast way to create APIs that are tightly coupled with your data models on popular supported databases like PostgreSQL, MySQL, Snowflake, and Oracle.

Hasura + Apigee: Tying Together Your Organization’s API Architecture

Let’s go a bit deeper into a typical enterprise architecture, and how Hasura and Apigee work together to bring velocity, governance, and scalability to an organization’s API architecture:

TLS Termination and Routing
Apigee can serve as the TLS termination point and also act as an intelligent routing layer for Hasura-generated APIs. It's worth noting that Hasura does not terminate its own TLS, and a load balancer is typically included in a standard Hasura reference architecture implementation. However, API Management solutions such as Apigee can perform these tasks efficiently.

API Auto-Generation and Granular Authorization
Hasura offers Apigee customers the advantage of GraphQL's effective, developer-friendly query language without the burden of creating and maintaining GraphQL APIs by hand. In most cases, where Apigee is the chosen API Management platform for an organization, Hasura sits below the Apigee layer, handling API generation, authorization, and data federation tasks, while Apigee manages the resulting Hasura-generated APIs.

This architecture allows for efficient, seamless integration between your data producers and your data consumers (often developers and other external APIs), streamlining the API development process, and enabling faster time-to-market for digital products and services.

Developer Portal
Joint customers can take advantage of Apigee's developer portal to easily discover and access these new Hasura-generated APIs within their organization. Since GraphQL APIs are self-documenting, developers can quickly understand what each endpoint is capable of by simply examining the API itself in the portal.

This streamlined approach improves overall developer experience for large enterprises, increases adoption of new Hasura-generated API endpoints, and ensures that all APIs are properly governed and secured to organizational standards.

Apigee Advanced API Security (AAS)
Apigee's Advanced API Security (AAS) functionality, offered as an add-on for current customers, assists in mitigating the common attack vectors that leave enterprises vulnerable to fraud and abuse across their API architecture.

  • API misconfigurations are one of the leading causes of security incidents and data breaches. Apigee AAS comes with the ability to identify and resolve misconfigurations for REST APIs. REST APIs are often connected to Hasura federated data layers in a joint architecture. These APIs may include external data sources that provide stock market transaction data, weather data, or data from SaaS services like Salesforce or Zendesk. Apigee AAS enables large enterprises to detect misconfigurations and reduce security risks associated with the sensitive information transmitted through the API architecture.

  • Apigee's AAS also provides configurable rules to identify and block malicious bot attacks, enabling API teams to quickly detect unusual traffic patterns from a single IP address and categorize it as bot traffic. This helps reduce the risk of identity theft and automated denial-of-service (DoS) attacks. In addition, AAS speeds up the identification of data breaches by identifying bots that have successfully obtained HTTP 200 OK success status response codes.

BOLA (Broken Object Level Authorization) Attack Protection
According to OWASP, broken object level authorization (AuthZ), or BOLA, topped their ubiquitous “Top 10” list as the number one application security risk in 2021.

To prevent BOLA attacks on GraphQL and REST APIs, model-based AuthZ, most often embedded in the custom business logic of a backend codebase, is the most secure and flexible method for AuthZ. But it can be challenging to implement this in a performant manner. Hasura provides one of the most mature and optimized ways to implement model-based AuthZ on your APIs in the entire API ecosystem.

The engine enables AuthZ to extend across multiple pieces of an application’s architecture, with AuthZ models automatically extended to things like locally cached resources (common API queries that Hasura caches in our local Redis or a customer’s managed Redis instance). Hasura's model-based AuthZ also extends to GraphQL queries, mutations, and subscriptions, and can be extended to existing GraphQL endpoints that organizations wrote by hand prior to plugging Hasura into their architecture.

The easy-to-use authorization engine in Hasura enables developers to add new AuthZ rules as needed, and in a way that extends beyond what is possible leveraging Apigee alone.
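The difference between an ID-only lookup and a model-based rule, as an added example that is not Hasura's or Apigee's code: a simplified Python model in which each role carries a row filter bound to the caller's session variables. The orders table, the role names, and the helper functions are assumptions made for illustration.

```python
# Added example: a simplified model of row-level permission rules, not Hasura's engine.
ORDERS = [  # constructed sample rows
    {"id": 1, "user_id": "alice", "total": 40},
    {"id": 2, "user_id": "bob", "total": 75},
]

# Per-role read rules. The filter syntax follows Hasura's boolean-expression style;
# the "user" and "support" roles and the orders table are assumptions.
PERMISSIONS = {
    "user": {"columns": ["id", "total"],
             "filter": {"user_id": {"_eq": "X-Hasura-User-Id"}}},
    "support": {"columns": ["id", "user_id", "total"], "filter": {}},  # all rows
}

def resolve(value, session):
    """Swap a session-variable reference for the caller's value (None if absent)."""
    if isinstance(value, str) and value.lower().startswith("x-hasura-"):
        return session.get(value.lower())
    return value

def row_allowed(row, flt, session):
    """Evaluate {column: {operator: value}} conditions; all must hold."""
    for column, cond in flt.items():
        for op, raw in cond.items():
            want = resolve(raw, session)
            if want is None:
                return False          # missing session variable: fail closed
            if op == "_eq":
                ok = row[column] == want
            elif op == "_in":
                ok = row[column] in want
            else:
                raise ValueError(f"unsupported operator {op}")
            if not ok:
                return False
    return True

def get_order_vulnerable(order_id):
    """BOLA: the object is fetched by ID alone; caller identity is never consulted."""
    return next((o for o in ORDERS if o["id"] == order_id), None)

def get_order(order_id, session):
    """Model-based AuthZ: the role's row filter and column list apply to every read."""
    rule = PERMISSIONS.get(session.get("x-hasura-role"))
    if rule is None:
        return None                   # unknown or missing role: deny
    for o in ORDERS:
        if o["id"] == order_id and row_allowed(o, rule["filter"], session):
            return {c: o[c] for c in rule["columns"]}
    return None
```

Because the rule is attached to the data model rather than to one handler, every read path that goes through `get_order` gets the same check, including requests with a missing role or user ID, which are denied.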

Monetization
Organizations are actually creating revenue streams by metering and monetizing the utilization of their APIs. Apigee is well-known as one of the leading solutions to streamline and manage API monetization. Using Apigee and Hasura together enables you to easily monetize and adjust billing for your API consumers on Hasura-generated API endpoints.

Apigee allows you to create policies to record and define transactions on all of your organization’s API products. These policies define what Apigee should look for in an API transaction to calculate billing and any revenue sharing necessary. The monetization engine in Apigee also allows you to define what the gross price of a particular transaction type should be. Finally, Apigee enables API product managers to actually group and package multiple API endpoints into different product packages, and create rate plans around these packages.

You can choose to monetize any APIs in your organization, whether written by hand or generated by Hasura, in any number of ways with Apigee sitting in front of your API architecture. Possible ways include something as straightforward as charging a flat monthly rate for API access, a more nuanced, metered per transaction fee, fees based on both the size and number of transactions, or a combination of all of these.

Conclusion

Ultimately, the combined use of Apigee and Hasura streamlines an organization's API design, development, and operations processes, enabling faster time-to-market for digital products and services.

Monetization and billing for Hasura-generated API utilization is easily achieved using Apigee, and the addition of Apigee's developer portal makes discovery and access of Hasura APIs more accessible to developers.

By leveraging both solutions, enterprises can build a business around a more performant and secure API architecture than DIY solutions can provide.

To take Apigee for a test drive, Google offers a free trial of the platform from its pricing page here. Hasura Cloud can be tested and developed on our free Cloud tier here.

Upgrading for production use is a seamless process once Hasura sales and engineering are involved, so please reach out to us with questions and/or to simply take things forward with your Hasura Cloud initiative.

To test Hasura Enterprise in your own environment, download Hasura OSS, and follow the instructions found here for a 30-day upgrade to Hasura Enterprise Edition.
