Basically, security is a big part of the API Gateway. We had a breach 12 months or so ago. So security's very, very important.
Also, the actual management of APIs is fundamental to us, as we're a heavy API user. So, obviously, a centralized management platform is important.
Improvements to My Organization:
We've got all sorts of threat protection in the API Gateway, from DDoS through to SQL injection and things like that. So, those are all part of the standard features we use within policies that we drive out the Gateway.
We've got a security policy that we know is consistent across the APIs we expose through it. Also, as it's a fragment, we can add to it and update it, and it impacts all policies that use it, and it helps with speed.
Room for Improvement:
Certainly we have cases open around the SQL injection capabilities and things like that, that need improvement. Cross-origin resource sharing policies need to be made a common assertion in the Gateway. That's not there at the moment.
Other improvements such as SQL injection are important too. You can't make it node-specific. It gets to the point where CA are having to try and perform an implementation for us. The same applies to script injection and XML injection assertions and cross-origin resource sharing.
I'd certainly say if the developer portal fully supported SOAP services, it would certainly push it much higher.
Use of Solution:
We have been using the solution for over a year now.
We've not had any problems with stability.
Well, it's been scaled at quite a high throughput. Apparently it's scaled for 11,000 transactions per second, but we're not doing that. It's the cluster struggling a little bit, but no, I'd say scalability is generally okay.
We have a few cases open. I'd say I'd give an average rating of around 7/10 for technical support. Some people have been very helpful and others not quite so.
We use Microsoft IIS in other areas to expose services against a load-balanced cluster. So we have these bulk security components within it. They've never been compromised but we thought we'd just go with an off-the-shelf security implementation that also comes with API management capabilities, as the Microsoft version doesn't really have that built-in.
The setup was complex, definitely complex. I don't think that's a problem with the product, per se. But any sort of high-availability, high-scalability sort of setup is complex in nature.
Cost and Licensing Advice:
I think there has been a lot of confusion with pricing and licensing, about the core. You know, licensing by cores and things like that, but I'm not involved in that.
Other Solutions Considered:
I don't remember all the evaluated options. We reviewed, it must have been six or seven, maybe more, API management vendors.
I would say that, although the Gateway is geared up for managing SOAP services, the developer portal isn't. It's a gap for us, which means the developer portal isn't quite as good as we thought it was going to be for managing SOAP services, which we have quite a lot of. They're not discoverable in the portal, as are RESTful services.
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.