Implementing API monitoring for an efficient infrastructure
Infrastructures rely heavily on APIs nowadays. Testing and monitoring them is important in order to maintain performance, avoid workflow disruption, and keep all the dependent services as secure as possible.
What is API monitoring?
API stands for Application Programming Interface and allows two or more computers to communicate with each other. It is usually created together with software to enable expert users or other developers, internal and external, to use and build on the services offered by that software.
It goes without saying that API monitoring is the cumulative effort and practice of monitoring the smooth functioning of such an interface. API monitoring tools are designed to analyze the performance of your APIs and the correctness of the data they return. The last part is crucial, as other components or software rely on APIs to respond correctly and return the expected data. Otherwise, they fail to work or have unexpected results.
APIs are like building blocks of larger software structures. They must perform adequately well to be usable by numerous users, and must return the right type and quantity of data to be reliable. API monitoring ensures both are true.
What is API testing?
While API monitoring is focused on APIs in production state, API testing comes earlier. It is a process that is ideally integrated into the development of each API and accompanies its further refinement. API testing is not so much about stability and reliability, but more about ensuring that the new code does not interfere with functionality or that it does not have a major impact on overall performance.
It is also used to avoid bugs that would sneak into production later, verifying step by step that all the previously working functions and endpoints (each of the nodes that can be interfaced with) of the API are still returning valid data. API endpoint testing checks every point that can be called upon in an API to ensure that none are broken or returning unexpected results.
Once the API is considered stable and complete, it goes into production, and is checked by API monitoring tools. The testing phase has ended and with it API testing becomes API monitoring.
How API monitoring works
The easiest way to perform API monitoring is to call each endpoint and check that it replies, returns the correct data, and performs acceptably. In a nutshell, this is API endpoint monitoring, which makes up the majority of API monitoring. There are more advanced solutions for endpoint monitoring, though, like writing synthetic tests that use custom-written robots to emulate how users poll an API. This is part of synthetic monitoring, which goes far beyond just monitoring APIs, but is often used for a more automated and customized approach.
Regardless of the possibilities offered by your API monitoring tool of choice, there are a few important areas that need to be checked when performing API monitoring.
Availability: If one or more of the API endpoints stop responding, this is the most important issue to take care of. Alerts that are triggered as soon as an endpoint stops responding are essential for API endpoint monitoring.
Performance: Even if all the endpoints return calls correctly, an API is of little use if its performance is not up to standard. HTTP return codes should be verified to be correct, and response times should be monitored to ensure that there is no degradation that may signal a growing problem. Performance differences between development and production environments should also be considered, as they may provide insights on bugs.
Data validation: An API is of no use if the endpoints return different data than expected or show random behaviors. They must match what users and services that depend on the API expect. Validating the returned data against a set of valid data is easily done with most API monitoring tools, and can quickly be performed with synthetic tests as well.
Those are the basics of API monitoring. Whether you are monitoring a REST API or any other type of API, these three aspects should not be overlooked in any approach to proper API monitoring.
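The three checks above (availability, performance, data validation) applied to a single endpoint, as an added example that is not part of the original article or of any monitoring product's code. The local SampleAPI server, its routes and the expected schema are constructed here so the check runs offline.

```python
import json, threading, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, build_opener

OPENER = build_opener(ProxyHandler({}))  # connect directly, ignore proxy env vars

class SampleAPI(BaseHTTPRequestHandler):
    ROUTES = {"/orders": (200, {"id": 7, "total": 19.9}),  # constructed routes: healthy
              "/users": (200, {"id": "7"}),                # wrong type, missing field
              "/health": (503, {"error": "db down"})}      # failing backend
    log_message = lambda self, *args: None  # silence per-request logging
    def do_GET(self):
        status, body = self.ROUTES.get(self.path, (404, {}))
        self.send_response(status)
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

def check_endpoint(url, schema, max_seconds=1.0, expect_status=200):
    """Return a list of findings; an empty list means the endpoint passed."""
    start = time.monotonic()
    try:
        with OPENER.open(url, timeout=max_seconds) as resp:
            status, raw = resp.status, resp.read()
    except HTTPError as err:   # the API answered, but with a 4xx/5xx code
        status, raw = err.code, err.read()
    except OSError as err:     # refused, timed out, DNS failure: availability
        return [f"unavailable: {err}"]
    findings = []
    if status != expect_status:
        findings.append(f"status {status}, expected {expect_status}")
    if time.monotonic() - start > max_seconds:
        findings.append("response slower than threshold")
    try:
        data = json.loads(raw)
    except ValueError:
        return findings + ["body is not JSON"]
    for field, ftype in schema.items():   # data validation against expectations
        if not isinstance(data, dict) or not isinstance(data.get(field), ftype):
            findings.append(f"field {field!r} missing or not {ftype.__name__}")
    return findings

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), SampleAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    schema = {"id": int, "total": float}
    results = {p: check_endpoint(base + p, schema) for p in SampleAPI.ROUTES}
    server.shutdown(); server.server_close()
    results["stopped"] = check_endpoint(base + "/orders", schema)
    return results
```

Calling run_demo() returns one findings list per route plus a "stopped" entry for the same endpoint after the server has been shut down, which is the case an availability alert should fire on.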
Benefits of API monitoring
API monitoring and its most common “child”, REST API monitoring, can help you not only with your own APIs, but also with integrations. API monitoring tools can give you insight into the APIs of third-party providers and partners, such as the cloud services you use or a payment system for your e-commerce website. This not only helps to identify problems that are not your responsibility, but also to hold your partners accountable.
Similarly, if you are using an external API and rely on it to provide you with a specific set of data, API endpoint monitoring can identify changes in features immediately. If an endpoint of the API changes, replies to calls differently or is completely renamed, you will be informed and can act accordingly to avoid service disruptions. Multi-stage user journeys are often based on several APIs and chain one request after the other. If any of these APIs introduces changes or experiences a temporary disruption, business-critical workflows may be interrupted. Monitoring every API endpoint is the key to avoiding minor or major disruptions.
API security is an important topic as well. Malicious actors often take advantage of vulnerabilities and tamper with API endpoints, or listen to your calls to the API. With API monitoring, you can ensure that authentication is working and that the security of the APIs you are connecting to is not compromised by watching for abnormal behavior. If abnormal behavior occurs, there may already be a security breach, and you should be very careful about what data you transfer with the API.
Lastly, monitoring REST APIs is of particular importance for developers who need to create services that depend on others while ensuring that the API is efficient and fully functional so that these services continue to work. If you have developed such an API, you must ensure that there are no problems with it in order to preserve your reputation as an API provider.
Key API metrics to keep an eye on
Regardless of whether you are monitoring a REST API or another type of API, there are a few shared key metrics. We briefly touched on the subject earlier, but now we want to go into more detail.
Availability and uptime should be your first concern. An API must work, and monitoring its constant availability is the first key metric to check. At the same time, by monitoring the error rate of individual endpoints, you can determine how often an API fails to deliver the desired results due to authentication, network or code errors. This may indicate a problem with the API or with the services that the API accesses and must be investigated further.
Performance-related metrics are also crucial and need to be reviewed regularly to ensure the API is working appropriately. These are at least the CPU and memory usage of the servers receiving the API calls, and the response latency of the API as a whole. Large spikes of usage or latency should be checked as soon as possible to avoid growing problems.
It is also important to monitor the overall API consumption. It consists of the total number of requests per minute or second that the API handles. This is important for capacity as it lets you know if the API has enough resources to serve all calls or if there is a cyberattack underway that is, for example, causing a spike in requests.
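The key metrics described above (per-endpoint error rate split by cause, latency, and requests per minute with a spike flag) computed from access-log lines, as an added example that is not taken from the article or from any product. The log format, the sample lines and the spike rule (a minute exceeding three times the median of earlier minutes) are assumptions made for this illustration.

```python
from collections import Counter, defaultdict
from statistics import median

def build_sample_log():
    """Constructed access log: '<ISO time> <path> <status> <seconds>'."""
    lines = [f"2024-05-01T10:0{m}:{s:02d}Z /orders 200 0.040"
             for m in range(4) for s in range(0, 60, 15)]      # normal traffic
    lines.append("2024-05-01T10:02:30Z /orders 500 1.900")     # one server error
    lines += [f"2024-05-01T10:04:{s:02d}Z /login 401 0.010"
              for s in range(60)]                              # burst of rejected logins
    lines.append("truncated line")                             # malformed, skipped
    return lines

def error_class(status):
    """Classify an HTTP status as an auth, server or client error, or None."""
    if status in (401, 403):
        return "auth"
    if status >= 500:
        return "server"
    return "client" if status >= 400 else None

def summarize(lines, spike_factor=3.0, min_history=3):
    per_minute, totals = Counter(), Counter()
    errors, slowest = defaultdict(Counter), defaultdict(float)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                                # ignore malformed entries
        stamp, path, status, seconds = parts
        per_minute[stamp[:16]] += 1                 # bucket by YYYY-MM-DDTHH:MM
        totals[path] += 1
        slowest[path] = max(slowest[path], float(seconds))
        kind = error_class(int(status))
        if kind:
            errors[path][kind] += 1
    spikes, history = [], []
    for minute in sorted(per_minute):               # compare with earlier minutes
        count = per_minute[minute]
        if len(history) >= min_history and count > spike_factor * median(history):
            spikes.append((minute, count))
        history.append(count)
    rate = {p: sum(errors.get(p, {}).values()) / totals[p] for p in totals}
    return {"spikes": spikes, "error_rate": rate, "slowest": dict(slowest),
            "errors": {p: dict(c) for p, c in errors.items()}}
```

On the constructed log, summarize(build_sample_log()) flags the 10:04 minute, where every request is a 401 on /login. A request spike made up entirely of authentication failures is worth routing to a security alert rather than a capacity one.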
Challenges of API monitoring
Monitoring APIs can become quite complex, posing an increasing challenge for IT administrators. Firstly, there are multiple types of APIs. REST API monitoring may be the most popular, but it is not the only type you need to consider. GraphQL is a newer addition that allows for more granular control of data requests, which introduces some additional issues when monitoring. The architecture of APIs can be monolithic or based on microservices or serverless computing, each of which poses a number of challenges for IT administrators. A monolithic API can become a bottleneck for the infrastructure if the performance is not closely monitored. However, it is also easier to monitor than hundreds of microservices, which may be more agile and scalable, but are also more complex.
Sometimes APIs are created so that they do not disclose some of their information, especially to protect proprietary data. Part of the infrastructure may not be available as an API at all or may not provide a complete picture of its performance. With API monitoring, you then have to consider how much you can check from the outside if the API you are monitoring is a third-party API.
Less common, but still possible, are monitoring solutions that take up too many resources or are not properly tailored to the requirements of the software. This can slow down the monitoring servers or overload the network that is also used by your API infrastructure.
API monitoring can detect a drop in performance that is not due to the APIs themselves, but merely affects them. It strongly depends on how your monitoring infrastructure is set up.
Siloed data is a more frequent challenge of API monitoring. It happens when different types of data are used from different parts of the system. If an API is trying to connect devices using a different format or type of data, errors may happen and trick the IT administrators into thinking that the API itself has bugs. These errors should be avoided or corrected before they reach the API monitoring phase, ideally in the API testing phase.
API monitoring and synthetic monitoring
API monitoring can be executed with a variety of tools, although it is mostly reactive monitoring: the endpoints of an API are repeatedly checked for availability, errors, and correctness. A more active method of monitoring API endpoints is to use synthetic tests that utilize the power of synthetic monitoring. With a capable solution like Checkmk Synthetic Monitoring, you can simulate requests and actions from around the globe to your API. Actual requests and operations normally made to an API by end users or developers can be simulated with tests performed by the API monitoring of your choice.
Synthetic monitoring helps in all phases of API development: both during API testing and later during API monitoring. The ability to develop your own tests, tailored to the intended use of the API, is invaluable for discovering bugs and improving the experience you provide with your API. You may also simply want to have more control over how you monitor a third-party provider on which your infrastructure depends.
Checkmk Synthetic Monitoring incorporates the flexibility of the Robot Foundation's testing framework, known in the open source community for writing synthetic tests, to enable efficient synthetic monitoring capabilities for API monitoring and more.
FAQ
SOAP (Simple Object Access Protocol) is a specification for a messaging protocol. It is used to exchange structured information across computers and networks. It is neither an API nor a guide to setting one up. REST (Representational State Transfer), on the other hand, is an architectural style for the design and development of software structures, including APIs. A REST API is an API built under the principles of REST. SOAP and REST are therefore completely different concepts that pursue completely different goals.
Both GraphQL and REST APIs are used to build web services, but with different approaches and characteristics. GraphQL is a complete language to query an API for data. Unlike with REST-based APIs, where endpoints are polled for data, with a GraphQL API a query is created to ask for multiple pieces of information, regardless of the endpoint. GraphQL uses a single endpoint but multiple, often rather complex queries to access the API. REST APIs, on the other hand, are endpoint-based and simpler to query, but have numerous available endpoints.