Wilson Mar



Which to choose?



This page provides you a way to apply my research on managing APIs.

I provide here a structure and approach for wisely selecting from among several vendors.

Click content link:

  1. Total points for each choice (sample recommendation: what’s best for you)
  2. Relative Importance of each criterion
  3. Ratings for each choice
  4. Features Evaluated
  5. Non-Functional Criteria
  6. Variation among raters

But before opening your checkbook, consider the Why and how:

Business Model Why


PROTIP: While public APIs get a lot of press (due in part to marketing spend), implementing through partners achieves indirect monetization.

After Netflix opened their API, they identified partners and new channels they didn’t anticipate.

  • increase brand image

Implementing private APIs among employees only may achieve cost savings from control and standardization.

  • Improve discoverability (for reuse and greater agility)
  • Present uniform facade

Major logical components


  1. API Publisher portal (for use by admins)

  2. API Developer portal to learn system

  3. Proxy (API Gateway) does re-writing, format conversion, rate limiting (throttling).

The diagram for Amazon’s API Gateway summarizes the challenge:

  • Calls come from a variety of sources (mobile and IoT apps, AJAX websites, services from customer servers)
  • Traffic comes through public cellular and internet networks
  • Load balancing is necessary to distribute load across many servers.
  • Caching is important for speed.

Lifecycle functionality

PROTIP: Attend webinars by leading vendors to see how they justify their higher prices with features that cover the full lifecycle:


The diagram above from MuleSoft presents names for the range of functionality that you may not know you need, and then later realize their products are needed to avoid extra costs and effort.

Different strategies over time

QUESTION: What are the benefits of discoverability, collaboration, ease of integration, etc. and other advanced features offered by vendors?

PROTIP: Consider the strategy of getting going quickly with a vendor which offers low-cost start-up costs. Then your organization can gain the experience needed to more wisely evaluate the value of additional features among all vendors.

Total points for each option

The vendors and their product, ranked by total points averaged among raters:

The order of this list is for a particular organization. Yours will differ.

Each link may go to text lower in this document, to another page on this site, or the home page of the vendor:

  1. CA (acquired Layer 7), on-prem only, but vaulted to the top of Gartner’s “Ability to Execute” in 2016.
  2. Apigee Edge Microgateway + hosting. Proprietary code. OEM’d by SAP. Leads in Gartner’s “Completeness of vision” scale.
  3. Mulesoft CloudHub, Anypoint Platform. Proprietary code. “Full featured”.

  4. Microsoft API Management in the Azure cloud is SaaS-only and proprietary. Advanced features limited. For Microsoft shops. No SOAP or RAML support yet. Dropped off Gartner’s report in 2016.
  5. Amazon’s API Gateway. SaaS-only proprietary code. Seems flexible. Dropped off Gartner’s report in 2016.

  6. IBM’s API management offering is IBM API Connect (previously known as IBM API Management). Has an “Essentials” level (StrongLoop) for free use by developers and “Enterprise” on-premises option.

  7. WSO2 open-source
  8. apinf.com from Finland (@APInf_io) open-source on GitHub
  9. Kong (previously Mashape) is an open-sourced API proxy which runs in front of any RESTful API, and extended through Plugins. It’s built on top of NGINX and Apache Cassandra, but scalability still an issue?

  10. APIversity API Manager.
  11. Akana (formerly SOA Software)
  12. Axway (acquired Vordel)
  13. Mashery + Intel acquired + Tibco API Exchange CloudBus Aug. 2015
  14. Torry Harris mostly open-source API-o-Blocks, API Connect in EMEA, India and Latin America.
  15. Oracle
  16. Software AG
  17. RedHat (3Scale) - high cost Strongloop Node.js
  18. Dell Boomi
  19. Accenture
  20. HP (focused on large media and telcos)

Forrester, in their April 2015 report, classified the vendors this way: [image: API vendors in Forrester 2015]

Forrester also illustrated the history of offerings with this timeline: [image: API vendors timeline, Forrester 2015]. This was adjusted for Tibco buying Mashery from Intel in August 2015.

https://en.wikipedia.org/wiki/Comparison_of_api_management like https://en.wikipedia.org/wiki/Comparison_of_text_editors

Gartner Magic Quadrant



Importance of each criterion

This radar polar chart visually illustrates the relative importance of each criterion that can be used to evaluate each vendor offering.

If everything has the same importance, no trade-offs are considered.

These represent extent of risk and effort, and cost savings or earnings.

Semi-transparent layers are used so both layers can be seen clearly.

Ratings for each criterion

There is usually a trade-off between cost vs. speed vs. quality (the “Iron Triangle”). But here are more considerations:


TODO: The above is an example placeholder.

This is like the CAP Theorem.

Variation among raters

Each rating is the average of ratings among several raters.

Features Evaluated

Categories of features are detailed below:

API Publisher Portal Features

  • Define API schema
  • Import API schema (from Swagger, RAML, WADL, etc.)

  • Package APIs into products
  • Define Billing parameters
  • Create invoice and email
  • View Billing history to collection history

  • Manage users (add, update, delete)
  • Define policies like quotas or transformations on the APIs
  • Get insights from analytics

  • Collaboration among other publishers
  • Submission and update to aggregation platforms:

    • APIs-guru on GitHub is the “Wikipedia of REST API specs”.

    • Submission to Dash by Bogdan Popescu who aggregates 150+ APIs for access off-line (for $30).

    • apirest.com, the API search engine. @apirestcom

API Gateway Features

  • a secured channel between the API gateway and the backend.

  • gate access with API keys, certificates, JWT tokens

  • Enforce usage quotas and rate limits

  • detect DOS attacks by using throttling

  • use advanced security policies like JWT token validation.

  • track usage for billing

  • Transform API calls on the fly without code modifications (from V1 sent to V2 accepted)

  • Cache (queue in memory) backend responses (where set up)

  • Log calls to store metadata for analytics over time

  • Collaboration among other gateways
  • Integration with other APIs.
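
The gating features in this list (API keys, rate limits, usage quotas) combine into a single admission decision per call. The sketch below is an added example, not code from this page or from any vendor: the plan names, limits, key strings and status codes are constructed for illustration, and it shows how a short-window rate limit differs from a longer-period quota.

```python
import hashlib
import math
from dataclasses import dataclass

# Constructed plans: a short-window rate limit plus a longer-period usage quota.
PLANS = {
    "starter": {"rate": 5, "window_s": 60, "quota": 8},
    "premium": {"rate": 50, "window_s": 60, "quota": 10_000},
}


def key_digest(api_key: str) -> str:
    """Store and look up only a digest, so a leaked store holds no usable keys."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


@dataclass
class Subscription:
    plan: str
    window_start: float = 0.0
    window_calls: int = 0
    quota_used: int = 0


class Gateway:
    def __init__(self) -> None:
        self._subs: dict[str, Subscription] = {}

    def register(self, api_key: str, plan: str) -> None:
        if plan not in PLANS:
            raise ValueError(f"unknown plan: {plan}")
        self._subs[key_digest(api_key)] = Subscription(plan)

    def admit(self, api_key: str, now: float) -> tuple[int, str]:
        """Return (HTTP status, reason) for one call arriving at time `now`."""
        sub = self._subs.get(key_digest(api_key or ""))
        if sub is None:
            return 401, "missing or unknown API key"
        plan = PLANS[sub.plan]
        # Fixed-window rate limit: start a new window once the old one expires.
        if now - sub.window_start >= plan["window_s"]:
            sub.window_start, sub.window_calls = now, 0
        if sub.window_calls >= plan["rate"]:
            wait = math.ceil(sub.window_start + plan["window_s"] - now)
            return 429, f"rate limit exceeded; retry in {wait}s"
        # Quota: total calls allowed in the billing period, whatever the rate.
        if sub.quota_used >= plan["quota"]:
            return 403, "usage quota exhausted for this period"
        # Only admitted calls are counted, which is also what billing would use.
        sub.window_calls += 1
        sub.quota_used += 1
        return 200, "forwarded to backend"


def demo() -> list[int]:
    """Replay a constructed burst of calls and collect the gateway's statuses."""
    gw = Gateway()
    gw.register("constructed-key-123", "starter")
    times = [0, 1, 2, 3, 4, 5, 60, 61, 62, 63]
    statuses = [gw.admit("constructed-key-123", t)[0] for t in times]
    statuses.append(gw.admit("not-a-registered-key", 64)[0])
    return statuses


if __name__ == "__main__":
    print(demo())
```

When evaluating a vendor, check that it reports the rate-limit and quota rejections separately, since the first signals a burst and the second a plan that is too small.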

API Developer Portal Features

Major items of interest to developers are listed here, from 3Scale.net.

  • API documentation.
  • Communication about system availability history
  • Communication about change history
  • Announcements about hackathons and other events

  • Try out an API via the interactive console.
  • URL to download Swagger specs.

  • fast onboarding (signup via GitHub, Hotmail, AD, Google)
  • Create an account and subscribe to get API keys.
  • Access analytics on their own usage.

  • Internal API portal offers a centralized location for communication about the availability and latest changes to APIs,

  • gating access based on organizational accounts, all based on AD

  • API facade that decouples internal implementations not ripe for partner consumption.

  • Foster innovation?

  • Collaboration among other developers
  • Integration with other API developer portals.
  • Gamification

Non-Functional Criteria

Each of these is a risk and an aspect of cost/benefit.

How does it save time and money, reduce risk, or earn more revenue?

How do “bells and whistles” benefit?

Initial Cost

Lower up-front cost is important for many.

  • 3scale, Apigee, and WSO2 have options for no-cost, unlimited duration use of their API management solutions (though support is typically limited or unavailable).

  • Amazon API Gateway has a free tier for one million API calls per month for up to 12 months.

  • Microsoft charges Developers $49/month and limits access to 10 users.

Cost over time

BLAH: Microsoft pricing bundles pre-defined amounts of calls, cache, and network services together in units for billing.

Amazon charges for different services separately:

  • API calls received are priced per million, depending on the location of servers. Amazon charges:

    | Locale | per million |
    | --- | --- |
    | US | $3.50 |
    | Ireland | $3.50 |
    | Frankfurt | $3.70 |
    | Asia Pac. | $4.25 |

  • Data transfer out to internet. Amazon:

    | Volume | per TB |
    | --- | --- |
    | 0-10 TB | $0.120 |
    | 11-40 TB | $0.085 |
    | 41-100 TB | $0.082 |
    | 101-350 TB | $0.080 |

Style / Ease of Use

  • The hipness of UI - default layouts inviting, clean, etc.
  • Familiarity

These are important because human UI are needed for:

  • Developer Sign-up
  • API key assignment
  • API public/private key creation
  • Provide documentation
  • Provide code samples
  • Discussion forums to provide support
  • Send emails to update
  • Report errors by user for each account


The need for an API Gateway is to avoid legacy point-to-point communications among computers.

  • Partner management
  • Traffic management

  • service coordinator, (android device hits one service instead of 100 micro services)
  • Billing
  • Emails about changes

  • Predictive analytics. Apigee illustrates their Insights service which yields a buying Propensity score salespeople use to prioritize efforts:

apigee predictive insights


Are the security mechanisms provided strong enough?

  • Transport security (TLS)
  • Authentication (passwords, two-factor cellphone)
  • Initial registration
  • Password recovery
  • PKI (public/private) certificates?
  • Identity and access management
  • Verify API keys

Apigee uses this illustration: apigee security

* No data at rest
* http://www.mashery.com/api/security prides itself on being certified on PCI, HITRUST CSF, SSAE, Safe Harbor, SOC 2, etc.


How flexible is it? Are we sacrificing too much flexibility for ease-of-setup?

  • Redirect calls to API’s URIs
  • Auto-detect new services added

  • Support for streaming API protocols WebSocket and XMPP
  • Support for two-legged or three-legged OAuth and OpenID Connect authentication
  • Onboard SAML security token service for federation and credential translation
  • Support for external SSO (Single Sign-On)
  • LDAP user provisioning for services like Web applications and social networks


What maintenance is needed?

  • Manual work: Annual, monthly, weekly, daily, hourly, etc.
  • Adding additional languages

  • Logging (AWS CloudWatch monitoring)

    | Item | US Cost/Mo. | Note |
    | --- | --- | --- |
    | Dashboards | $3.00 | - |
    | Detailed Monitoring for Amazon EC2 Instances | $3.50 per instance | 1-minute frequency |
    | Custom Metrics | $0.50 | |
    | Alarms | $0.10 | |
    | API Requests | $0.01 per 1,000 | GetMetricStatistics, ListMetrics, or PutMetricData requests |
    | Logs ingested | $0.50 per GB | |
    | Logs archived | $0.03 per GB | |
    | Custom Events | $1.00 per million | |


How quickly, easily, and safely can the system expand to meet capacity needs?

  • Load balancing (AWS CloudFront)
  • DDOS (Distributed Denial of Service) attack detection and mitigation (at DNS level)
  • Traffic Throttling based on user’s plan
  • Traffic Throttling for capacity limitations
  • The “Actor” model of Microsoft Service Fabric
  • Caching

Microsoft Azure routes traffic to a region providing the least latency for each user:


  • Cache
  • International end-points

  • Cache memory per hour. Amazon:

    | Volume | per hr. |
    | --- | --- |
    | 0.5 TB | $0.028 |
    | 1.6 TB | $0.054 |
    | 6.1 TB | $0.245 |
    | 13.5 TB | $0.290 |
    | 28.4 TB | $0.560 |
    | 58.2 TB | $1.100 |
    | 118.0 TB | $2.200 |
    | 237.0 TB | $4.400 |

I18N (Internationalization)

  • UI Language
  • Data centers
  • Currencies


  • Partial deployment
  • Fault tolerance


How well supported is it?

This is part of the cost. Support costs money.


How quickly and deeply can people get up to speed on the technology?

How easy is it to learn/maintain?

This is a consideration of costs and risks.

  • Document generation


  • Amazon API Gateway can generate client SDKs in a number of programming languages, including JavaScript, iOS, and Android.

  • Mock server generation
  • Test script generation


How easy is it to switch among competing vendors? Is there vendor lock-in?

  • Switching from Azure to AWS or another PaaS is not possible because Azure API Management is a pure SaaS running on Azure
  • How to extract data?

Vendor prospects

What is the sentiment about the vendor?

  • History of product cancellations
  • Investment advisory financial ratings
  • Consumer ratings by JD Power
  • Glassdoor ratings by employees

API Tool Vendors

Vendors are in alphabetical order:


  • https://www.youtube.com/channel/UC3hr1MuhpS11dMxTdo1rHQw


  • http://www.ca.com/us/products/api-management/solutions/api-management-comparison.aspx


  • https://www.youtube.com/channel/UCJqekyyjX78qmzoOK_wZ2lw

Microsoft API Management

“Publish, manage, secure, and analyze your APIs in minutes” is the tag line at Microsoft’s API Management home page (Service Overview).

Microsoft’s service is based on its October 23, 2013 acquisition of APIphany (based in Wash. DC).

Documentation is published from markup text in this GitHub which directs people to the classic portal. NOTE: There is no Issues tab in their GitHub.

  • The roadmap is not public.

  • Issues with the API service, where each member of the public can allocate 25 voting points among proposals.

    The top request (May 2016) is Web Hooks in ASP.NET, a set of Nuget packages for web apps to send and receive WebHooks from external services using a common HTTP pattern. http://neelbhatt2015.blogspot.in/2015/12/webhooks-in-aspnet-visual-studio.html This won’t get the scale, performance, or analytics Azure Event Hubs provides, though.

  • The pricing page states there is no on-premises deployment option available at this time.

Create Publisher portal

  1. Get a Microsoft Azure account
  2. Create a Resource (Free trial)
  3. Specify Scale: Developer or Standard.

    Standard tier can go up to 4 instances to handle 800 million calls/month. QUESTION: No auto-scaling?

  4. Custom SSL cert
  5. Custom domain (developer.xyz.com)

Create service

  1. Select service:


  2. Click Create.
  3. Specify the prefix to .azure-api.net (such as itw1).
  4. Select subscription (Free Trial, etc.).
  5. Select Region.

  6. Specify Organization name.
  7. Specify Administrator Email.
  8. Click check icon.

  9. Use browser to visit the page, such as https://itw1.portal.azure-api.net

  10. Edit look and feel by clicking on the edit icon at the upper left.

Create Gateway

  1. Click Import API in publisher portal dashboard.
  2. Select From URL.
  3. Select Specification format: Swagger (no RAML).
  4. In Specification document URL field, paste http://calcapi.cloudapp.net/calcapi.json.
  5. Provide a Web API URL suffix, e.g. ‘calc’.
  6. Type ‘Starter’ in the products field to add your API to the ‘Starter’ product.



  7. Click Save.
  8. Click Operations tab.

    Notice the GET Add, Divide, Multiply, Subtract two integers.

Policy scope

  • Policy statements
  • Allow cross domain calls
  • Authenticate with Basic
  • Authenticate with client certificate
  • Check HTTP header
  • Control flow
  • Convert JSON to XML
  • Convert XML to JSON
  • CORS
  • Find and replace string in body
  • Forward request to backend service
  • Get from cache
  • Get value from cache
  • Limit call rate per key
  • Limit call rate per subscription
  • Log to EventHub
  • Mask URLs in content
  • Remove value from cache
  • Restrict caller IPs
  • Return response
  • Rewrite URL
  • Send one way request
  • Send request
  • Set backend service
  • Set body
  • Set context variable
  • Set HTTP header
  • Set query string parameter
  • Set request method
  • Set status code
  • Set usage quota per key
  • Set usage quota per subscription
  • Store to cache
  • Store value in cache
  • Validate JWT
  • Wait for…

Open the developer portal

  1. Click on APIs.
  2. Pick Calculator API from the list on the left.
  3. Click on Open Console for any API.
  4. In the console, enter values for the parameters and hit the HTTP button.

  5. Search

    NOTE: API Management is in category “Web + Mobile”.

“Take any API and publish it to developers and partners in minutes

  • Provide API documentation and an interactive console
  • Throttle, rate limit and quota your APIs
  • Monitor the health of your APIs and quickly identify errors
  • Bring modern formats like JSON and REST to existing APIs
  • Connect to on-premises systems and publish globally
  • Gain analytic insights on how your APIs are being used

http://azure.microsoft.com/marketplace/partners/microsoft/apimanagement/ marketplace

  • Service Overview
  • Getting Started
  • Documentation
  1. Click Create to open a new window.

When created, the Echo API is created as a sample.




Delegating User Authentication and Product Subscription to a 3rd Party




  • Hide response data based on product name.policy.xml
  • Pre-authorize requests using validate-jwt.policy.xml
  • Send context information to the backend service.policy.xml
  • Set cache duration using cache control header.policy.xml

Developer Portal Setup

  1. Add discussion board and ratings

Swagger import

A Swagger 2.0 doc can be imported, but the doc MUST contain Host, BasePath, Schemes properties. Otherwise, it won’t get imported: No message. It just hangs with “working..”.
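
Because the import fails silently, it is worth checking the document before submitting it. The following pre-import check is an added example, not part of the original page or of Microsoft's tooling; the function names and sample documents are constructed. It goes slightly beyond the three required properties by also validating their form per the Swagger 2.0 specification and by warning when a plaintext scheme is listed.

```python
import json

ALLOWED_SCHEMES = {"http", "https", "ws", "wss"}  # transfer protocols Swagger 2.0 allows


def precheck_swagger(doc: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings); any error means: do not start the import."""
    errors: list[str] = []
    warnings: list[str] = []

    if doc.get("swagger") != "2.0":
        errors.append('"swagger" must be the string "2.0"')

    host = doc.get("host")
    if not isinstance(host, str) or not host:
        errors.append('"host" is missing')
    elif "/" in host:
        errors.append('"host" must be name[:port] only, without scheme or path')

    base_path = doc.get("basePath")
    if not isinstance(base_path, str) or not base_path:
        errors.append('"basePath" is missing')
    elif not base_path.startswith("/"):
        errors.append('"basePath" must start with "/"')

    schemes = doc.get("schemes")
    if not isinstance(schemes, list) or not schemes:
        errors.append('"schemes" is missing or empty')
    else:
        unknown = [s for s in schemes
                   if not isinstance(s, str) or s not in ALLOWED_SCHEMES]
        if unknown:
            errors.append(f'"schemes" has unsupported values: {unknown}')
        plaintext = [s for s in schemes if s in ("http", "ws")]
        if plaintext:
            warnings.append(f"plaintext scheme listed, calls may travel without TLS: {plaintext}")
    return errors, warnings


def precheck_text(text: str) -> tuple[list[str], list[str]]:
    """Same check for a raw JSON document, e.g. one fetched from a spec URL."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], []
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"], []
    return precheck_swagger(doc)


# Constructed sample documents (not the Calculator API spec used on this page).
SAMPLE_OK = json.dumps({
    "swagger": "2.0", "info": {"title": "Sample", "version": "1.0"},
    "host": "api.example.com", "basePath": "/calc", "schemes": ["https"], "paths": {},
})
SAMPLE_BAD = json.dumps({
    "swagger": "2.0", "info": {"title": "Sample", "version": "1.0"},
    "basePath": "calc", "schemes": ["http"], "paths": {},
})

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, precheck_text(text))
```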


In the Summary graph, detail for a point in time can be obtained with mouse-over:

  • Response time (in ms)
  • Bandwidth usage KB
  • Successful? Popular === Volume of calls.
  • Errors === Number of calls blocked due to limits?

Notice the pre-defined filters for Today, yesterday, Last 7 Days, Last 30 Days, Last 90 Days

Activity chart provides reports that drill down on the specific activity by developer, product, API, and operation.

What about:

  • Specific translations performed
  • Specific policies violated
  • metrics by geography
  • Correlation of two metrics (response time vs bandwidth scattergram)

  • Issues over time


My recommendation for the sequence to view videos about API Management

  1. Introducing Azure API Management TechEd North America 2014 by Josh Twist (@joshtwist)

    • Business models
    • Engaging developers: Time to First Successful call success metric
    • Make legacy API (SOAP XML) and modern (REST JSON)
    • Understand their behavior with monitoring

  2. Introduction to API Management on Microsoft Azure at TechEd Europe 2014

  3. Microsoft Azure API Management Master Class: In Depth for Fun and Profit at TechEd North America 2014 by Anton Babadjanov | antonba@ | @antonbaa | https://www.linkedin.com/in/anton-babadjanov-44501b9 and Vladimir Vinogradsky | vlvinogr@

    This explores the end-to-end workflow of launching a “treasure hunt” API and play a game with it. We’ll also take a peek at what the future holds for this exciting new Azure service.

  4. Azure Api Management by Ajay Solanki

  5. API Management Overview (cartoon) 03-25-2015 Overview video of the Azure API Management service

  6. Adding Developer Portal functionality using Templates in Azure API Management by Matt Farmer

    uses Contoso API:

    Response: { "statusCode": 404, "message": "Resource not found" }

  7. Configure your API Management instance using Git 03-12-2016 by Anton Babadjanov | @antonbaa | https://www.linkedin.com/in/anton-babadjanov-44501b9 Access and modify the configuration of your API Management instance using Git. Configure Security > Configuration: This enables scenarios:

    • Managing multiple configuration versions
    • Syncing the configuration of multiple tenants
    • Utilizing the Git workflow for collaborative editing
    • Text-file based configuration for flexibility
  8. API or No API - On Cloud Feb 23, 2016 By: Lachezar Arabadzhiev, Jef King Take reads off data store. Have a worker rule read out From a SQL database every 30 secs to stick into blob storage with CDN fed to users.

  9. API Management in under 5 minutes 06-16-2014 Shows the classic portal to https://wellmark1.portal.azure-api.net/ This video shows how Wellmark Blue Cross & Blue Shield use Azure API Management to accelerate their partners in adopting the Wellmark API,

  10. Episode 177: More API Management Features with Vlad Vinogradsky 06-12-2015 42 min, 07 sec

    In this episode Chris Risner is joined by Vlad Vinogradsky, Principal Program Manager on the Azure API Management Team. Vlad joins us to talk about some of the latest features…

  11. Episode 176: Logic Apps with Stephen Siciliano 05-29-2015

    In this episode Chris Risner and Haishi Bai are joined by Stephen Siciliano, Program Manager on Azure App Service. Stephen joins us to demonstrate Logic Apps.

  12. Getting Started with Azure API Management REST API 12-01-2014 Azure API Management provides a REST API for performing operations on selected entities, such as APIs, users, groups, products, and subscriptions. The API can be used fo…

0. Integrate Azure API Management with Event Hubs Nov 09, 2015 at 2:01PM By: Miao Jiang This video demonstrates how to use the log-to-eventhub policy to build a custom dashboard with Azure Stream Analytics and PowerBI.

  1. Azure API Management Update BizTalk360

Social media:

  • @AzureAPIMgmt

  • Mailto: apimgmt@microsoft.com

  • https://social.msdn.microsoft.com/Forums/en-US/home?sort=relevancedesc&brandIgnore=True&searchTerm=api+management Microsoft forum topics


#integrate2016 conference

Jorge Arteiro

  • http://aka.ms/melgabdev4
  • jorgearterio@hotmail.com
  • @jorgearteiro
  • @Azuretar
  • Azuretar.com

Visual visualstudio

https://jetbloom.visualstudio.com/?account=first 90 day trial

App Fabric

Microsoft Service Fabric (in GA April 2016) has several free “party” clusters that last for less than 4 hours each.

In order to build and run Azure Service Fabric applications on your development machine, you need to install the runtime, SDK, and tools. You also need to enable execution of the Windows PowerShell 3.0 scripts included in the SDK.

To use Service Fabric PowerShell cmdlets on Windows 7, which includes Windows PowerShell 2.0 by default, download the Windows Management Framework 5.0 which includes PowerShell 3.0 as well as Desired State Configuration (DSC), Windows Remote Management (WinRM), Windows Management Instrumentation (WMI). See http://go.microsoft.com/fwlink/?LinkID=717903

The Party Cluster is created by code at https://github.com/Azure-Samples/service-fabric-dotnet-management-party-cluster

Not AzurePS

The local cluster manager:

“C:\Program Files\Microsoft SDKs\Service Fabric\Tools\ServiceFabricLocalClusterManager\ServiceFabricLocalClusterManager.exe”

Pin this to the taskbar.

Microsoft Service Fabric is about more than API management. It has features and patterns for application development, including:

  1. Stateful Reliable Services with Reliable Collections.
  2. Dependency injection and unit testing with Reliable Services.
  3. How to use Service Fabric configuration packages, both the built-in Settings.xml config and custom JSON configuration, with rolling updates without restarting services.
  4. How to encrypt sensitive data in Service Fabric configuration packages.
  5. Inter-service communication using the Service Fabric remoting stack.
  6. Diagnostics with Elastic Search through ETW event sources.
  7. How to write a stateless Web API front-end service.

https://azure.microsoft.com/en-us/documentation/services/service-fabric/ videos

https://azure.microsoft.com/en-us/documentation/samples/?service=service-fabric Sample apps

Service Fabric programming model that they focus on:

  • Reliable Actors,
  • Reliable Services,
  • custom application orchestration, and
  • Service Fabric management tasks.


  • PowerShell Deployment Toolkit (PDT) is a set of scripts and knowledge for automated deployment of System Center 2012 SP1/R2, including SQL and all prerequisites, and all automatable post-setup integration.

Matthew Snider [masnider@MSFT]

  • Human factors in decisions: Thinking, Fast and Slow by Daniel Kahneman

  • [You Are Not So Smart](http://youarenotsosma

More on API Microservices

This is one of a series: