There has been some confusion about the architecture of AMPLIFY Central. We’ll try to shed some more light on AMPLIFY Central and answer some common questions. Is Central just a control plane (or a “control tower”) for customer APIs?
AMPLIFY Central IS a control plane, but it is not JUST that. For a quick refresher, take a look at AMPLIFY Central – Calling All Air Traffic Controllers.
Does Central also manage customer On-Prem API Gateways (and their APIs)?
Yes. Central is evolving beyond a control plane into a consolidating management plane where a customer can also connect and organize their API Gateways or API service collections together.
It is becoming more than just a control plane when you consider that it allows a customer to publish and organize APIs from a wide collection of traditional API Gateways, service mesh environments, and other API sources.
The following picture shows the API data plane integrations we are bringing to AMPLIFY Central for cloud-connected, service mesh support, and On-Prem gateway needs.
Does Central also have its own built-in API gateway?
Yes. The API Gateway is included in the list of API data planes above as API SaaS Gateway. We just updated it to improve its availability in AMPLIFY.
AMPLIFY Central has a built-in, SaaS-hosted, always-available, multi-tenant API Gateway. It has been part of API Central since day one (and continues now that we call it AMPLIFY Central).
We talk a lot about Central being a control plane, but it also includes the SaaS gateway as an always-on API data plane. This SaaS gateway is automatically used when you publish a connector from Application Integration or import an API into Central’s API Proxy Registry.
Let’s Explore the SaaS Gateway a bit more
To make this more visual, any API that is imported and visible here in the API Proxies list is potentially available to deploy to the Central SaaS Gateway to secure and monitor it.
And that operation to “deploy” an API proxy to the Central API Gateway is on the API Proxies Deployments tab for each proxy.
Any API that is deployed to the Axway Cloud Test or Prod “Runtime” is being hosted and “proxied” (i.e., secured and routed) by Central’s always-connected API Gateway.
Note: This will soon be updated to say Axway SaaS Gateway to match the updated AMPLIFY terminology we are moving to.
If your AMPLIFY account has the Central Admin role assigned, you also have access to the Central Topology menu where you can connect other API data planes to Central and you can see the proxied APIs active on the Central API Gateway here on the Axway Cloud environment.
Clicking into the Axway Cloud environment gives you a view of total APIs in the Proxy Registry and which proxies are active on each of the SaaS gateway’s virtual endpoints (the “Runtimes” we referred to above).
Some background and history
AMPLIFY Central was built from day one to include an API Gateway. Its very first use cases were around the import and securing of customer public APIs and providing monitoring of those authorized API transactions.
The integrated SaaS Gateway was used to do that: proxy, secure, authorize, and route.
In 2019, the next part of Central’s evolution was the introduction of the Mesh Governance feature that allows a customer to attach their Kubernetes based private (or On-Prem) environment to Central in a hybrid manner.
This allowed Central to manage APIs via the Central Proxy Registry for both the SaaS gateway and service mesh managed ingress gateway similarly exposing microservice APIs.
This enables any API Proxy to be governed and monitored and to also be optionally published to the Unified Catalog when the customer has additional consumers to share them with.
In 2020, we continued Central’s journey to becoming a multi-gateway control plane facilitating the connection, organization, and monitoring of other customer APIs from their cloud or On-Prem API Gateways.
- From API Manager v7…
- From AWS API Gateway…
- Unified Catalog just got more awesome!
So, AMPLIFY Central has evolved from just managing its own SaaS gateway to now where it is possible for Central to manage a wide range of cloud and On-Prem API sources that can be connected to it several different ways!
Back to the Central SaaS Gateway!
What security and policy options does the Central SaaS Gateway have?
API Proxy policy options are defined on the API Proxy Policies tab and any change generates a new proxy revision that must be re-deployed to apply that change to the SaaS gateway.
The default security mode for any API Proxy is Pass Through.
Client (inbound) security options include API Key, JWT Token, OAuth Token (with customer supplied IDP).
An optional Rate Limiting policy can be added to the Proxy for API traffic control.
Note that this policy is on the proxy, so it is effectively on the client-side and not directly on the proxy backend. This means that if you import the proxy definition more than one time, each of those proxies would have their separate policy limit on their client traffic and the combined amount would be allowed through to the proxy backend.
Routed (outbound) security options include: HTTP Basic Auth
Here is a combined view of the various Security and Policy options that can be applied to an API Proxy on the SaaS Gateway.
Does AMPLIFY Central include an API Gateway also?
Yes, it does! The Central SaaS Gateway.
How do I use the Central SaaS Gateway?
- Register your account email on the Axway Platform to join. After your email is validated, Select the Application Integration or Mesh Governance offerings, then import, secure, and monitor your favorite public APIs.
Where can I get more details to use the Central SaaS Gateway?
Check out the documentation for the general Central related use cases and features in the Axway doc portal.
And here is the AMPLIFY CLI topic with details of how to manage Central proxies and use the SaaS gateway: AMPLIFY CLI for Central proxy management.
Is a Runtime Group in Central a gateway or a full data plane?
Think of it as a virtualized endpoint that Central’s SaaS gateway provides to allow you to manage the promotion of an API from Test to Production which each potentially having different security or policy settings in effect.
Each Central runtime group can host all of the API Proxies deployed to it in a secure and isolated manner that segregates them from other API Proxies on other runtime groups that belong to other AMPLIFY organizations.
This same model is used by Mesh Governance to expose the mesh ingress gateway in the Central Proxy model as another runtime group that proxies (API discovered from that service mesh environment) can be deployed to; enabling the client ingress on the mesh environment to call into the managed microservices.
Note: Take a look again at the image above for a hint of a connected service mesh environment New Demo2 with a runtime group mbnewdemo.
Will the Central SaaS Gateway replace the API Manager/Gateway v7 Edge Gateway?
The API Manager/Gateway remains the primary “edge” API Gateway for customers to use in their On-Prem environments. The Central SaaS gateway is not a replacement or an upgrade.
There is not an upgrade case to move those locally secured APIs to the Central SaaS gateway. But there is a case for connecting those On-Prem gateways themselves to AMPLIFY Central and using it to help organize their APIs and manage which ones are published to the Unified Catalog for consumer search, download, and subscription.
See the link above in the “Central 2020” details for an example.
Can I sell the Central SaaS Gateway against other vendors?
We position it to complement AMPLIFY and to provide an API gateway when the customer does not already have a cloud gateway with basic security.
It is an available option for customers to use in AMPLIFY to import the public APIs that they may not already be securing or able to monitor otherwise.
The Central SaaS gateway will continue to be supported Central feature, but it will not be significantly updated until new customer use cases are identified. Let Product Management know when you have customer needs.
What is an environment and what is a gateway then?
The new Central Topology model is still evolving to provide support for lightly “connected” API sources… typically one-way synchronization to Central or the Unified Catalog via Agent, CLI, or API… to fully “managed” API servers — gateways — that have full agent synchronization in both directions.
And here is the AMPLIFY CLI topic with details of how Central manages hybrid environments and their API services: AMPLIFY CLI for Central topology.
Do the Central Proxy security/policy options apply to all connected gateways I see in the Topology view?
No, they only apply to the Central SaaS gateway today. They are discussed above.
The current Mesh Governance version does not honor them when setting on the Proxy Policies tab.
Mesh Governance policy is assigned more directly to the Service Mesh environment found in the Central Topology view.
But we are working on a new Mesh Governance update that will better use the service mesh native policies to control traffic flow and expose the native auth abilities of the service mesh.
The other “connected” gateway types in the Topology view — On-Prem/Cloud API Gateways connected via agents — will soon have their governance model possible to control via API/CLI and also eventually exposed to the Central Topology view.
A few links to some of our “alpha” demos of these connected gateway options are found in the “Central 2020” details above.
So, what does Central and the SaaS Gateway look like when we put it all back together?
One view is the AMPLIFY view of Central managing various customer connected API data planes including the built-in SaaS gateway. Those API sources can be agent connected API data planes or they can be CLI/API synchronized API repositories.
Another AMPLIFY view is of Central and the Unified Catalog together in the middle of various API data planes (including the Central SaaS Gateway), connected API sources, and integrations that a customer may have. The Central SaaS Gateway is one option to help secure and monitor traffic for public APIs or integrations that are not otherwise governed.
What is the future of AMPLIFY and AMPLIFY Central?
AMPLIFY continues to expand to support more solution sets and AMPLIFY Central is evolving from a multi-cloud hybrid control plane into management for more diverse customer On-Prem and cloud API sources.
Read more about setting up an API Gateway with AMPLIFY Central.