Secure API Manager has four components: Analytics, API Gateway, Database Service, and Lifecycle Manager. Each component performs a different function for Secure API Manager. For more information, see Understanding the Secure API Manager Components. In a test environment, you can deploy all components on one appliance. In a production environment, there are some restrictions and limitations. Use the following information to plan your deployment configuration.
Determining how to deploy the components depends on many different variables:
Network environment
Number of APIs stored in the API Gateway
Number of API calls
Number of people adding APIs and creating applications
Analytics usage
Location of Deployment
IMPORTANT: As a best practice, we recommend that you deploy each component on its own appliance in a production environment.
If you do not deploy each component on its own appliance, you must still adhere to the following requirements for deploying the different components.
Database Service: The Database Service component must run on its own appliance. Do not combine any other components with the Database Service component. The Database Service component keeps track of configuration information and user accounts. Running other components with the Database Service can cause corruption of the configuration files.
Lifecycle Manager and API Gateway on separate appliances: To ensure data integrity, you must deploy the Lifecycle Manager and the API Gateway on separate appliances. You must use the same NFS server but you must define and use separate mount points.
IMPORTANT: Once you have installed the Lifecycle Manager and API Gateway components on separate appliances, if you want to deploy additional Lifecycle Manager and API Gateway components in your environment at a later time, you must again deploy them on separate appliances. Attempting to use different configurations of the Lifecycle Manager and the API Gateway will result in database corruption on the NFS mount point.
The Analytics and Database Service components use a lot of disk space and processing power. Running the Analytics component on its own appliance greatly increases the performance of the overall system.
You can deploy all four components on one appliance but this configuration is only for testing purposes. Running all of the components on one appliance drastically reduces the performance of the entire Secure API Manager system. You cannot cluster a test system. You can run a test system on-premises or in Amazon Web Services (AWS).
IMPORTANT: Deploying all four components on one appliance is supported only for testing purposes. It is not supported in a production environment.
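The placement requirements above can be checked against a planned layout before any appliance is installed. The following Python sketch is an added example, not part of Secure API Manager; the plan format (appliance names and the `components`, `nfs_server`, and `nfs_mount` keys) and the sample plans are assumptions constructed for illustration.

```python
# Added example. The plan layout (appliance names, "components", "nfs_server",
# "nfs_mount") is a hypothetical format, not a Secure API Manager file.
COMPONENTS = {"Analytics", "API Gateway", "Database Service", "Lifecycle Manager"}

def check_plan(appliances, production=True):
    """Return the placement-rule violations found in a deployment plan."""
    problems = []
    mounts = {"Lifecycle Manager": set(), "API Gateway": set()}
    servers = set()
    for name, spec in appliances.items():
        comps = set(spec["components"])
        if comps - COMPONENTS:
            problems.append(f"{name}: unknown component(s) {sorted(comps - COMPONENTS)}")
        if comps >= COMPONENTS:
            # All four on one appliance is the test-only configuration.
            if production:
                problems.append(f"{name}: all four components on one appliance is test-only")
            continue
        if "Database Service" in comps and len(comps) > 1:
            problems.append(f"{name}: Database Service must run on its own appliance")
        if mounts.keys() <= comps:
            problems.append(f"{name}: Lifecycle Manager and API Gateway must be on separate appliances")
        for role in mounts.keys() & comps:
            servers.add(spec.get("nfs_server"))
            mounts[role].add(spec.get("nfs_mount"))
    if len(servers) > 1:
        problems.append("Lifecycle Manager and API Gateway must use the same NFS server")
    shared = mounts["Lifecycle Manager"] & mounts["API Gateway"]
    if shared:
        problems.append(f"Lifecycle Manager and API Gateway share mount point(s) {sorted(map(str, shared))}")
    return problems

# Constructed sample plans.
NFS = "nfs.example.internal"
GOOD_PLAN = {
    "db1": {"components": ["Database Service"]},
    "an1": {"components": ["Analytics"]},
    "lm1": {"components": ["Lifecycle Manager"], "nfs_server": NFS, "nfs_mount": "/export/lm"},
    "gw1": {"components": ["API Gateway"], "nfs_server": NFS, "nfs_mount": "/export/gw"},
}
BAD_PLAN = {
    "node1": {"components": ["Database Service", "Analytics"]},
    "lm1": {"components": ["Lifecycle Manager"], "nfs_server": NFS, "nfs_mount": "/export/shared"},
    "gw1": {"components": ["API Gateway"], "nfs_server": NFS, "nfs_mount": "/export/shared"},
}
ALL_IN_ONE = {"test1": {"components": sorted(COMPONENTS)}}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN), ("all-in-one", ALL_IN_ONE)):
        print(label, check_plan(plan))
```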
The following on-premises deployment scenario provides guidance on how to deploy the different components of Secure API Manager and where we recommend that you deploy those components. For enterprise environments, we recommend that you deploy each component on a separate appliance and that you cluster each component for load balancing and high availability. For more information, see Enabling High Availability and Load Balancing.
To cluster components, use an L4 switch. Clustering provides redundancy, high availability, and load balancing. We also recommend that you place the L4 switch for the API Gateway and Lifecycle Manager in the DMZ to allow external applications, services, and API developers access to Secure API Manager. You must ensure that the API Gateway component or the L4 switch for the API Gateway component can communicate with the Identity Provider in Access Manager. You must also ensure that API developers can communicate with the Lifecycle Manager.
WARNING: All components must have direct access to the primary database without going through an L4 switch, or database corruption can occur.
The following graphic depicts the recommended on-premises deployment scenario for enterprise environments. In this scenario, all of the components are deployed on separate appliances.
Figure 2-2 Enterprise Secure API Manager Deployment On-Premises
The appliances are clustered using an L4 switch for high availability and load balancing. The L4 switches for the API Gateway and the Lifecycle Manager are in the DMZ to allow external applications, services, and API developers access to Secure API Manager. The L4 switch for the API Gateway component can communicate with the Identity Provider in Access Manager, and API developers can also communicate with the Lifecycle Manager.
The following Amazon Web Services (AWS) deployment scenario provides guidance on how to deploy the different components of Secure API Manager and where we recommend that you deploy those components. For enterprise environments, we recommend that you deploy each component on a separate appliance and that you cluster each component for load balancing and high availability. For more information, see Enabling High Availability and Load Balancing.
To cluster components, use an L4 switch. Clustering provides redundancy, high availability, and load balancing. You must ensure that the API Gateway component or the L4 switch for the API Gateway component can communicate with the Identity Provider in Access Manager. You must also ensure that API developers can communicate with the Lifecycle Manager.
WARNING: All components must have direct access to the primary database without going through an L4 switch, or database corruption can occur.
The following graphic depicts the AWS deployment scenario for an enterprise environment. In this scenario, all of the components are deployed on separate appliances.
Figure 2-3 AWS Enterprise Deployment for Secure API Manager
Secure API Manager must have access to the Access Manager Identity Server in order to work properly. You must ensure that the API Gateway and the Identity Server can communicate with each other.