Elastic Scaling of APIs in the Cloud

As an Enterprise Architect for Intel IT, I worked with IT Engineering and our Software and Services group on the elastic scaling of the APIs that power the Intel AppUp® center. Our goal was to scale our APIs to at least 10x our baseline capacity (measured in transactions per second) by moving them to our private cloud, and ultimately to be able to connect to a public cloud provider for additional availability and scalability. Here’s a quick set of practices we used to achieve our goal:

1. Virtualize everything.  This may seem obvious and is probably a no-op for new APIs, but in our case we were using a bare-metal installs at our gateway and database layers (the API servers themselves were already running as VMs). While our gateway hardware appliance had very good scalability, we knew we were ultimately targeting the public cloud and that our need for dynamic scaling could exceed our ability to add new physical servers.  Using a gateway that scales in pure software virtual machines without the need for special purpose-built hardware helped us achieve our goal here.
2. Instrument everything.  We needed to be able to correlate leading indicators like transactions per second to system load at each layer so we could begin to identify bottlenecks. We also needed to characterize our workload for testing – understanding a real-world sequence of API methods and mix/ordering of reads and writes. This allowed us to create a viable set of load tests.
3. Identify bottlenecks.  We used Apache jmeter to generate load and identify points where latency became an issue, correlating that against system loads to find out where we had reached saturation and needed to scale.
4. Define a scaling unit.  In our case, we were using dedicated DB instances rather than database-as-a-service, so we decided to scale all three layers together. We identified how many API servers would saturate the DB layer, and how many gateways we would need to manage the traffic. We then defined a collection of VMs that would provision all of these VMs together. We might have scaled each layer independently had our API been architected differently, or if we were building from scratch on database-as-a-service.
   

   Example collection for elastic scaling

5. Repeat. The above let us scale from 1x to about 5x or 6x without any problem. However, when we hit 6x scaling we discovered that a new bottleneck: the overhead of replicating commits across the database instances. We went back to the drawing board and redesigned the back end for eventual consistency so we could reduce database load.
6. Automate everything.  We use Nagios and Puppetto monitor and respond to health changes. A new scaling unit is provisioned when we hit predefined performance thresholds.
   

   Automation/Orchestration workflow

7. Don’t forget to test scaling down.  If you set a threshold for removing capacity, it’s important to make sure that your workflow allows for a graceful shutdown and doesn’t impact calls that are in progress.

The above approach got us to 10x our initial capacity in a single data center. Because of some of our architecture decisions (coarse-grained scaling units and eventual consistency) we were then able to add a GLB and scale out to multiple data centers – first to another internal private cloud and then to a public cloud provider.

Why are APIs so popular?

Kin Lane recently wrote a couple of blogs about why copyrighting an API is not common. I couldn’t agree more that copyrighting APIs is uncommon. First of all, the API definition is just an interface (It is the implementation detail that is important, and needs to be guarded), so it doesn’t make any sense to copyright an interface. (It is almost like copyrighting a pretty face ). Secondly, the whole idea of exposing an API is you are looking for others to finish the work you started by just providing the plumbing work. Why would anyone want to get involved with a copyrighted API and finish your work for you?

Kin Lane says, “API copyright would prevent the reuse and remix of common or successful API patterns within a space. We are at a point where aggregating common, popular APIs into single, standardized interfaces is emerging as the next evolution in web and mobile app development.”

http://apivoice.com/2012/12/08/api-copyright-would-restrict-api-aggregation/index.php (to read his complete blog).

We have gone from the services aggregation concepts to mashups, and now I am seeing the newer trend of API aggregation.

Keep in mind APIs are generally offered by vendors who want to expose a specific functionality or platform. If you need cross platform, cross provider, cross functionality options, you need to have API aggregations. Remember during the services days how much of a hard time we used to have in integrating and aggregating services from different vendors? I know some companies are making a good living by just building aggregated APIs.

One of the common usage patterns I see time and again is customers use the strongest points from vendors of their choice. This was not possible when you were building services. You ended up buying one vendor stack, and you were limited what was offered by them, unless you custom built the weak parts by yourself.

Now imagine the power of what you are getting now. You are cherry picking the best of breed platforms, best of possible functionalities from multiple vendors of your choice and liking.

I highly encourage you to check out the following solution brief that describes a composite API platform architecture where Intel® has packaged the market leading Mashery API sharing portal with Intel’s gateway security & integration technology to deliver Intel® Expressway API Manager.

 

 

Please contact me if you need more information. I’m more than happy to send you any additional information that you may need.

Andy Thurai — Chief Architect & Group CTO, Application Security and Identity Products, Intel

Andy Thurai is Chief Architect and Group CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Mobile, Big Data, Governance, Security, and Identity solutions for their major corporate customers. In his role, he is responsible for helping Intel/McAfee field sales, technical teams and customer executives. Prior to this role, he has held technology architecture leadership and executive positions with L-1 Identity Solutions, IBM (Datapower), BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 25+ years of IT experience.

He blogs regularly at www.thurai.net/securityblog on Security, SOA, Identity, Governance and Cloud topics. You can also find him on LinkedIn at http://www.linkedin.com/in/andythurai

 

 

Webinar: Applying Strong Authentication and Data Loss Prevention to Collaborative File Sharing (April 26)

Join us for what will be a very informative webinar on Applying Strong Authentication and Data Loss Prevention to Collaborative File Sharing

April 26th 2012 – Time: 10:00 AM PDT, 1:00 PM EDT

> Register Now

Employees love the convenience and utility of collaborative file sharing applications like Box. Sharing contracts, graphics/video files, or other corporate content using a cloud-based service empowers users to share information directly with external partners-outside traditional enterprise security controls.

While you want to encourage productivity, you also need a strategy that addresses how you’re going to control access to file sharing applications and inspect data before it leaves the enterprise.

In this webinar Intel, McAfee and Box join forces to discuss how your sensitive content can be protected throughout the collaboration life cycle—from access and upload to download and distribution.

You will learn:

• Overview of typical file sharing use cases and workflows
• Streamlining access for users
• Tying federated authentication to corporate ID stores
• Adding 2nd factor strong authentication for sensitive document security
• Blocking sensitive files from upload
• On-prem, 100% in the cloud, and hybrid SaaS access options

As a bonus, all attendees will be eligible to receive a free enterprise trial account from Box.

 

 

 

 

 

For additional information, please visit www.intel.com/go/identity

 

 

McAfee Adds Two New Solutions to Cloud Security Platform

We are excited to announce the latest additions to the McAfee Cloud Security Platform – McAfee Services Gateway and McAfee Cloud Identity Manager. Developed with Intel, these new products add breadth and depth to the McAfee Cloud Security Platform, extending McAfee security to Web Services and to SaaS access management.

McAfee Services Gateway provides a layer of security, control, and management for application-to-application traffic (e.g., SOA or REST). More than just middleware, an XML Gateway, or an XML firewall, Services Gateway delivers a unique set of features tailor-made to integrate, mediate, secure, and scale services in a dynamic application perimeter.

McAfee Cloud Identity Manager enables total control for the entire lifecycle of cloud-based applications. In addition to providing convenient Single Sign-on for users, it provides automated provisioning for SaaS applications, strong authentication based on policy, one-time password and two-factor authentication capabilities, as well as consolidated logging and audit trails for user SaaS access.

For more information on these products, check out www.mcafee.com/cloudsecurity.

CloudTweaks.com Discusses Expressway Cloud Access 360

Make sure to read the informative and insightful discussion about Intel Expressway Cloud Access 360 between Intel Director of Product Management for Application Security and Identity Products, Vikas Jain, and Anthony Park, from Cloudtweaks.com. Read the post and understand why Anthony calls Cloud Access 360 a “very impressive and elegant solution”.

Posting can be found here

Intel® Expressway Cloud Access 360 is a software product that enables federated access from the enterprise to the cloud and vice-versa. It bundles provisioning, federated single sign-on(SSO), strong authentication, and client aware access control – all into one packaged solution providing control, visibility and compliance to enterprises adopting cloud SaaS applications.

You can learn more about Expressway Cloud Access 360 and even download an evaluation of the software by visiting www.dynamicperimeter.com

Securing the Cloud with Intel(R) SOA Expressway

The Intel Cloud Builder program has launched a forum and discussion board today. I am not sure if you have seen it yet, but there is a great paper that outlines a number of cloud security use cases built around Intel(R) SOA Expressway. Grab the paper entitled “Intel® Cloud Builders Guide: Cloud Design and Deployment on Intel® Platforms.”

The paper shows how Expressway can be used as a control point for some interesting use use cases: (i) As a secure proxy for auditable virtual machine controls, (ii) single sign-on using an on-premise STS to map internal credentials to SAML assertions for a payroll application and (iii) secure credential federation for a hybrid cloud environment in a cloudburst scenario. The paper has a lot of detailed information on what some of these applications might actually look like once deployed on Expressway. You can request an evaluation copy of Intel(R) SOA Expressway at the dynamic perimeter microsite, located here.