Table of contents
1.
Introduction
2.
Apigee Architecture
3.
Services available via Apigee
4.
Security in Apigee
4.1.
Securing an API by requiring API keys
4.2.
Securing an API by using OAuth
5.
Frequently Asked Questions
5.1.
What languages are supported by the Apigee platform?
5.2.
Can Apigee run on AWS? 
5.3.
What are the alternatives to Apigee? 
6.
Conclusion
Last Updated: Mar 27, 2024

Apigee X

Author Vidhi Singh
0 upvote

Introduction

Apigee is basically a platform for the development and management of APIs. Apigee offers an abstraction or facade for the user’s backend service APIs and ensures security, quotas, rate limiting, quotas, and much more. It does this by fronting the services with a proxy layer. 

So, in this article, we will discuss Apigee in detail. 

Apigee Architecture

Apigee has the following primary components:

  • Apigee runtime: All API traffic passes via and is processed by these services. It is a set of containerized runtime services in a Kubernetes cluster that Google maintains. 
     
  • Apigee services: The APIs that are used to create, manage and deploy the API proxies.


A few other components include:

  • Back-end services: They are used by the apps to offer runtime access to data for your API proxies.
     
  • GCP services: It offers identity management, analytics, logging, metrics, and project management functions.
Apigee architecture

During provisioning, components are created and configured such that there is bidirectional communication between a VPC network managed by Apigee and a VPC(Virtual Private Cloud) network managed by the user. After the first few provisioning steps are completed, the two VPCs exist but cannot communicate with each other. Some more configuration is needed to allow bidirectional communication. 

Services available via Apigee

Apigee enables users to offer secure access to the services with a well-defined API that is consistent across all of the services, regardless of the implementation of the service. 

Features of a consistent API are:

  • Easy consumption of the services for app developers.
     
  • Enables changing the backend service implementation without affecting the public API.
     
  • Offers services such as analytics, developer portal, and other features built into Apigee.


How Apigee actually handles the requests from client apps to your backend services can be understood in a better way from the following figure:

Apigee handling requests

 

Application developers, rather than consuming user services directly, access an API proxy created on Apigee. The API proxy behaves as a mapping of a publicly available HTTP endpoint to the user’s backend service. By generating an API proxy, users can let Apigee handle the authorization and security tasks needed to protect the user’s services, as well as to monitor and analyze those services.

As the app developers post HTTP requests to an API proxy rather than directly to the user’s services, developers do not need to know anything about the implementation of the user's services. Developers just need to know the following things:

  • API proxy endpoint’s URL.
     
  • Any of the query parameters, body parameters, or headers passed in a request.
     
  • Any needed authorization and authentication credentials.
     
  • The format of the response, along with the response data format, such as JSON or XML.

Security in Apigee

High-level security and safety can be achieved in APIs on the Apigee platform in the two following ways: 

  • Requiring the API keys 
     
  • Using OAuth  


Let us discuss these in detail. 

Securing an API by requiring API keys

For securing the API using API keys, the following primary steps are required:

  • Creating an API proxy that needs an API key.
     
  • Creating an API product, a developer, and a developer app.
     
  • Calling the API with an API key.


Again, it is very important to protect the API from any kind of unauthorized access. The API key is one way to achieve it.

Whenever any application makes a request to an API proxy that is configured to check an API key, the application should supply a valid key. At runtime, the Verify API Key policy verifies that the supplied API key has the following three properties:

  • It is valid
     
  • It has not been revoked.
     
  • It matches the API key for the API product that exposes the requested resources. 


If these conditions are satisfied, the request is allowed. Otherwise, the request results in an authorization failure. 

Securing an API by using OAuth

This method requires the following steps to be followed:

  • Downloading and deploying a sample API proxy.
     
  • Creating an OAuth-protected API proxy. 
     
  • Creating a product, an application, and a developer.
     
  • Exchanging credentials for an OAuth access token.
     
  • Calling an API with an access token. 


OAuth is basically an authorization protocol that enables applications to access information on behalf of users without needing the users to enter their username and password.

With OAuth, security credentials like username, password or key, and secret are exchanged for an access token. 

The OAuth 2.0 specification follows different mechanisms, known as "grant types," for distributing access tokens for applications.  

One such grant type defined by OAuth 2.0 is client credentials. In this grant type, OAuth access tokens are created in exchange for client credentials, which are consumer keys or secret consumer pairs.

In Apigee, the client credentials grant type is implemented using policies in API proxies. A typical OAuth flow has the following two steps:

  • Calling API proxy 1 for generating an OAuth access token from client credentials. It is handled by an OAuth v2.0 policy on the API proxy.
     
  • Calling API proxy 2 for sending the OAuth access token in an API call. The access token uses an OAuth v2.0 policy by the API proxy. 

Frequently Asked Questions

What languages are supported by the Apigee platform?

It mainly supports Java, Python, and JavaScript.

Can Apigee run on AWS? 

Yes, it runs n AWS EC2 instances.

What are the alternatives to Apigee? 

A few alternatives to Apigee are:

  • Postman API Platform.
     
  • Amazon API Gateway.
     
  • MuleSoft Anypoint Platform.
     
  • Microsoft Azure API Management 

Conclusion

This article extensively discusses the topic Apigee X in depth. It covers its introduction, architecture, and security features. Also, it explains the services available via Apigee.  

To hold a tighter grip on the topic, we recommend reading more blogs related to it like : API Introduction API Testing, and API Testing Interview Questions.

We hope that this blog has helped you enhance your knowledge regarding the topic discussed, and if you would like to learn more, check out our articles on Coding Ninjas Blogs
You can refer to our Guided Path on Coding Ninjas Studio to upskill yourself in Data Structures and AlgorithmsCompetitive ProgrammingJavaScriptSQLSystem Design, and many more!

See more, Spring Boot Architecture

If you want to test your competency in coding, you may check out the Mock Test Series and participate in the Contests organized on Coding Ninjas Studio! But if you have just started your learning process and are looking for questions asked by tech giants like Amazon, Microsoft, Uber, etc; you must look at the ProblemsInterview Experiences, and Interview Bundle for placement preparations.

Nevertheless, you may consider our Courses to give your career an edge over others!

Do upvote our blog to help other ninjas grow. 

Happy Coding!
 

Live masterclass