How to use F5 Distributed Cloud for API Discovery

In today’s digital landscape, the efficiency and effectiveness of software development often rely on the seamless integration of various applications and services. This integration is made possible through Application Programming Interfaces, or APIs. APIs act as the bridge between different software systems, enabling them to communicate and share data, functionalities, and services with each other.

What is API Discovery?

API discovery refers to the process of finding, exploring, and understanding APIs that are available for use. This is crucial because APIs are diverse and abundant, ranging from public APIs offered by tech giants to specialized APIs developed by smaller organizations or startups. API discovery involves identifying APIs that meet specific requirements, understanding their functionalities, and determining their suitability for integration into new or existing applications.

Challenges in API Discovery

In recent months, I've had extensive conversations with organizations facing a common challenge: the lack of clarity around their APIs. Many companies struggle to pinpoint the location and functionalities of their APIs because different teams or departments develop APIs for specific purposes. These teams operate with distinct development processes, utilize separate source control platforms, and follow different release cycles. These disparities create a fragmented landscape, making it challenging to gain a comprehensive overview of all existing APIs within the organization.

API Discovery With F5 Distributed Cloud

F5 Distributed Cloud (XC) offers a comprehensive SaaS solution for security, networking, and application management across multicloud, on-premises, and edge environments. API Discovery stands out as a crucial capability. One effective architecture for API discovery involves deploying Distributed Cloud inline with the traffic flow. This approach not only provides visibility into the APIs within your environment but also simplifies the implementation of robust security controls around these APIs.

However, integrating Distributed Cloud inline may pose challenges depending on existing infrastructure and internal processes. Therefore, let's explore a streamlined approach that offers visibility into the APIs present in your environment.

API Discovery For Out-of-Band Traffic Flow

Although F5 is a major player in the proxy market, there are many proxy solutions available. The streamlined approach described here is flexible: it only requires that the proxy in use can mirror traffic to the Distributed Cloud load balancer. In this setup, the F5 XC load balancer acts as the receiver for the mirrored traffic and collects security and performance metrics from it. Importantly, the load balancer does not process or forward the traffic; it simply answers each mirrored request directly with an HTTP 200.

For proxies like BIG-IP, an iRule directs a copy of the traffic to Distributed Cloud. With NGINX, the ngx_http_mirror_module is used for the same purpose. Whichever proxy solution is chosen, gaining visibility into APIs through Distributed Cloud remains ridiculously easy.

The ideal flow would look like the following:

  • From the client, the traffic is sent (mirrored by the proxy) to the Distributed Cloud load balancer
  • API Discovery runs and processes the traffic
  • Distributed Cloud then responds with HTTP code 200
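To make the NGINX variant of this flow concrete, the following configuration is an added example (not from the article and not F5 or NGINX project code) that uses ngx_http_mirror_module to copy every API request to a Distributed Cloud load balancer while the real backend still serves the client; the hostnames, paths, certificate files and backend address are placeholders.

```nginx
# Added example: mirror API traffic to an F5 Distributed Cloud load balancer.
# All names and addresses below are placeholders.
events {}

http {
    # The backend that actually serves client traffic (placeholder address)
    upstream api_backend {
        server 10.0.0.10:8080;
    }

    server {
        listen 443 ssl;
        server_name api.example.com;

        ssl_certificate     /etc/nginx/certs/api.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/api.key;   # placeholder

        location /api/ {
            # Send a copy of each request to the internal mirror location.
            # The mirror's response (the 200 from Distributed Cloud) is ignored,
            # so the client only ever sees the real backend's response.
            mirror /mirror-to-xc;
            # Include request bodies (default is on) so API Discovery can
            # inspect JSON payloads, not just methods and paths.
            mirror_request_body on;

            proxy_pass http://api_backend;
        }

        # Only reachable through the mirror directive, never by clients.
        location = /mirror-to-xc {
            internal;
            # Replay the original method, URI and body to the XC load balancer.
            proxy_pass https://xc-api-discovery.example.com$request_uri;
            proxy_set_header Host xc-api-discovery.example.com;
            # Carry the original client address and host so XC's metrics
            # reflect the real caller rather than the proxy.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Original-Host $host;
            # Short timeouts keep a slow or unreachable mirror target from
            # holding resources on the primary request path.
            proxy_connect_timeout 2s;
            proxy_read_timeout 5s;
        }
    }
}
```

Because the mirror target only ever answers 200 and its response is discarded, the backend remains the sole source of truth for clients even if the Distributed Cloud load balancer is unreachable.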

Once Distributed Cloud has discovered the APIs, you get a visualization like the following:

You can also see this in list form, and you can determine whether sensitive data is being exposed in the API request:

Conclusion

It’s important to note that the approach discussed above is designed to simplify the process of API discovery within your environment, offering a quick and straightforward method. However, it’s crucial to recognize that this solution does not encompass a comprehensive approach to API security. One limitation is that it does not capture response data from the application. Additionally, because it only observes one side of the transaction, performance statistics are also not available.

It’s worth mentioning that the F5 Distributed Cloud platform can provide comprehensive data, including response details, when deployed inline; the limitations above are a direct result of not seeing the complete API transaction. Despite these limitations, this approach provides an easy way to begin visualizing and gaining insights into the APIs utilized within your environment.

Published Jul 10, 2024
Version 1.0