MuleSoft's New API Platform: An Interview with Ross Mason
MuleSoft recently announced their Anypoint Platform supporting the development, deployment and integration of cloud and on-premise services. InfoQ caught up with MuleSoft CTO Ross Mason during his global Mule Summit tour to talk about the new platform. Ross founded the open-source Mule project.
InfoQ: MuleSoft has just announced a number of new products related to Service and API management: Service Registry (GA), APIKit (currently in beta) and API Manager (beta). Can you tell us a bit about each of these products?
RM: APIkit is a design toolkit for developers to implement consistent APIs that follow API best practices. APIkit is an open-source, declarative model designed to build REST API and a framework that enforces good API design practices - such as consistent URI schemes, versioning, security - helping you to code faster, test more efficiently, and document your API. APIkit promotes an API-first development approach. It separates the Interface definition from the implementation making it easy to quickly put together an API design and try it with a mock implementation, then gradually add the back-end code. This approach means that the API itself can be tested independently of the back-end code.
Interesting fact: we used APIkit to build the Anypoint Service Registry API. Because we had the API first we were doing functional demos months before we had a working UI.
Anypoint Service Registry is the first SOA governance platform designed for the New Enterprise. Built from the ground up to support hybrid environments, it governs any service or API including REST, SOAP and legacy artifacts, Now you can manage all of your service assets, whether they're internal or external, behind the firewall or on the cloud, on a single platform. Anypoint Service Registry makes it easy to catalogue and discover services, manage them throughout their lifecycle, analyze consumption metrics, and enforce policies, and contracts
Anypoint API Manager enables enterprise-class APIs to be deployed quickly and at scale. It can manage your cloud-based APIs, either running on CloudHub or locally in your private data center using the Anypoint API Gateway. To drive developer engagement and adoption of your APIs, you can create customized developer portals using APIhub, the world's largest API directory and publishing platform.
InfoQ: The Anypoint platform includes these new products as well as folding in existing products/services such as Mule ESB, Cloudhub and API Connectors. Does the Anypoint Platform branding represent a demarcation between on-premise and cloud or is there a continuum?
RM: The Anypoint platform enables end-to-end connectivity of legacy systems, packaged apps, SaaS applications and mobile/devices through APIs. It is a platform for connecting on-prem and cloud where the integration can run on-prem with Mule ESB or in the cloud on CloudHub or both for hybrid scenarios. The platform has been built for a continuum of integration scenarios spanning old and new. You can pick which parts you want to use. We have customers doing fully on-prem integration, hybrid integration and cloud-only integration. The key differentiator is that the Anypoint Platform allows developers to choose where they integrate their apps and enable hybrid integration architectures on a single platform.
InfoQ: In the past we saw UDDI-based Service Registries supporting only SOAP web services and the new generation of API managers mostly align with REST and JSON based services. Where does Service Registry fit between these extremes?
RM: UDDI was very SOAP centric but its biggest problem was that it was largely unusable for most people. We've taken a very different approach from other registry products with Anypoint Service Registry (ASR). ASR was designed from the ground up with a focus on usability and zero friction to users. ASR is run-time focused with the ability to attach meta-data and artefacts to live endpoints. The management of live endpoints means that behaviour can be added to endpoints at runtime. These behaviours are called policies and can control everything about an endpoint request such as throttling, security (authentication and authorisation), SLAs, translation and virtualisation. Another unique facet of ASR is that it is a cloud-based governance platform that enables enterprises to manage any type of service (not just web services), whether on-premise or in the cloud. All enterprises have a mix of old, new and bizarre, we respect that and built a solution that works in heterogeneous environments.
InfoQ: Service Registry is only available as a SaaS offering. How does this work with policy enforcement and service analytics for on-premise services? Can you tell us a bit about the Anypoint internals? Is it agent or proxy based?
RM: Anypoint Service registry is a hybrid architecture with the management and repository delivered as a secured multi-tenant cloud; each customer gets an isolated schema containing their metadata and policies. And the runtime lookup, policy and contract enforcement, collection of metrics and execution all occurs on-premise through an agent. The application of policies, tracking and processing is also done by agents in the Mule servers on-premise, or on CloudHub workers with communication with agents routed by a unique token. This hybrid agent approach enables great scale and performance over other approaches since calls are not routed through a central proxy. The agent also provides a caching layer to improve latency and provides a safe mechanism to work offline if connectivity for the cloud is lost.
InfoQ: And how does this work for service virtualisation?
RM: Instead of hardcoding endpoint URLs within applications, they can query the Registry at runtime to obtain the location based on metadata, this information can be cached and new policies can be pushed out when changes are made in Anypoint Service Registry. Caching and push notifications are used to unsure there is no unnecessary network chatter.
InfoQ: APIKit includes Swagger. If I use APIKit, what does Swagger give me out of the box?
InfoQ: API contracts for REST services have always been a hot ideological issue. Do you think that Swagger is the last word in this debate over other approaches such as WADL or not using contracts at all?
RM: We think Swagger is a good spec to get behind. Its headed in the right direction, has an active team and community and isn't run by a committee of vendors. We have adopted Swagger both for APIkit and the APIhub publishing platform. While all specs have their pros and cons, we felt Swagger has progressed well and provides enough value today not to go and re-invent it. The Mule team is engaged with the Swagger folks, working out some of the rough edges of the specification to cover some of the common requirements around API definition.
We looked at WADL and had been practicing the no-contract approach in the past, but you realise as the number of APIs explode that a more structured but low friction approach is really needed. With APIkit you design your API around RESTful conventions and under the covers we take care of versioning, URL formation, security, Swagger generation and more. We've taken a 'rails' approach to APIs.
InfoQ: API Manager is due for release later this year. What new capabilities will it add? Do API Manager and Service Registry complement each other, or do they address completely different requirements?
RM: There is a common set of similarities between Anypoint Service Registry and Anypoint API Manager, but API management is focused more on externalised APIs i.e. open APIs to the public, partner communities or just built with external consumption in mind. Externalized APIs provide a developer portal to allow users to discover, test and use the API. As such Anypoint API Manager has the integrated ability to create public or private developer portals using the APIhub publishing platform.
API Manager is built on top of Service Registry and supports the same capabilities for governance, virtualisation and policy enforcement. Increasingly, we see the enterprise wanting to create all APIs as though they are external APIs. This promotes good hygiene by forcing architects and developers to think through the APIs they build through the lens of the consumer. We believe APIkit and Anypoint API Manager provide a blueprint for where enterprise APIs are going.