Now that SAP API Management is available on HCP Trial we already can see quite a lot of people using it, which is good.
So far we have covered topics like Policy handling, URL masking and much more content is on its way. You can always refer back to this living document SAP API Management - Overview & Getting started in order to keep up to date on what is available.
This blog will serve as a companion to the Policy handling blog mentioned above, as an explanation of how an API Proxy runs through policies, and how to decide where a policy will therefore live in that "Flow". For explanation about what a policy is or what it does, please refer to the blogs specifically written to explain that.
When a policy is added to an API Proxy, it is added to a specific point in the data stream, thus providing highly granular control. This is broken down into 2 "Endpoints":
There are certain classes of policies which are best applied to the API Proxy Endpoint, like Authentication, Data Throttling, Threat Protection, as these will be handled by API Management before any routing to the backend has been initiated. Additionally Statistics and Analytic collections should be done on the API Proxy Endpoint (response) to gather data only after the entire process has been completed. Policies that deal with specific routing should be placed on the Target Endpoint to trigger only after the destination has been determined. Some policies can be applied in either segment, and are determined by the use case.
After determining the appropriate Endpoint placement for a policy, and whether it should execute in the request or response, the next step is selection of the subdivision of flow, which defines in what order policies are executed. Each request and response path in a proxy endpoint and target endpoint is broken down into the following flows:
At first this sounds complex, but after working with policies for a little bit, it becomes second nature, and becomes a powerful tool to controlling interactions. There are many ways to visualize this, but I like to think of it as 4 quadrants, each of which allow controls on data behavior.
The Client initiates a request, which connects to the API Proxy endpoint (Incoming Request), following PreFlow, Conditional Flow, PostFlow, and then traverses the diagram to the right, hitting the Target Service, which is then processed, and returned to the Target Endpoint (Outgoing Response), traversing to the left until it is returned to the Client. A policy could be placed in any of the 12 Flow points.
Inside of the API Management Portal this is all managed in the Policy Designer page:
By selecting the appropriate flow (shown in boxes above), then choosing incoming request or outgoing response, a policy is placed at the right point in the API Proxy flow. One thing to note is that when multiple policies are placed in the same flow area, they are processed sequentially, in the same order as shown in the first diagram (Left to Right for requests, Right to Left for responses).
Some people say, that's great theory and all, but I would like an example, so here is a simple (and lightly contrived) example of flow in action.
A high level example of what this could look like in action – We have an example API proxy called “SalesOrder” which exposes an OData resource, from an EPM backend, as a single part of a Sales Order process. More specifically let’s look at the flow for reading a specific OData resource called “Products” which returns a list of available Products.
Client Request calls the API-Proxy, specifying the Products resource. This triggers the following sequence:
1) Proxy Endpoint Incoming Request
2) Target Endpoint Incoming Request
3) Target Endpoint Outgoing Response
4) Proxy Endpoint Outgoing Response
We see here then the flow that our API Proxy processes, as well as some simple examples of Policies living in Pre-Flow, Conditional Flow, and Post-Flow. Depending on the specific need, some of these policies could have been placed in a different part of the flow cycle, the API Proxy and Policy design provides for a great deal of flexibility and control over what happens in a request made to a backend resource.
This Products Request example could also have many more Policies depending on need, for example, if the product listing were part of a catalog which only was exposed to employees, there might be an OAuth verification Policy. If the Proxy needed to provide a CSRF security token, there might be a Service Callout policy to make a Fetch token request to the backend, followed by an Extract Variable policy to get the Token response value, and an Assign Message Policy to add that Token value to the message Header being sent to the Backend, and more. Hopefully this example explains the basics of flow however.
Please continue to check back for more informational content surrounding SAP API Management !
For questions, feedback, concerns, feel free to leave a comment, or send us an E-Mail.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
26 | |
22 | |
19 | |
13 | |
10 | |
9 | |
9 | |
8 | |
7 | |
7 |