Heroku is one of the most popular platform-as-a-service (PaaS) systems used by many developers to deploy, manage, and scale their applications. Recently, Heroku and WSO2 worked together to add API gateway and management functionality to the platform. In this blog post we will look into what it is and how it works.

What Is API Management?

In today’s interconnected world, it is very rare that an app or a service exists by itself and is not part of a wider ecosystem of other applications. Services access other services, are part of wider ecosystems, serve as backends for web and mobile applications.

When this happen, the services are exposed as APIs (application programmable interfaces) and the API management layer that enables that typically includes:

• API publishing tools: ability to design, prototype, import, and test APIs, work on new versions of APIs and manage their lifecycle,
• Security and policies: define who can access the APIs, manage their OAuth keys, set roles and scopes, as well as throttling and rate-limiting tiers,
• Orchestration and on-the-fly transformation: your external API representation can be decoupled from your backend interfaces, and the gateway can transform the incoming calls and data formats into what your backend needs, as well as the other way around,
• Developer Portal: the API store website for your ecosystem developers to locate the APIs, try them, read the documentation, subscribe, manage their OAuth keys and so on,
• Monetization: ability to sell APIs and charged based on their usage,
• Analytics: reports and alerts to give you visibility into how your APIs are used and notifications when something is not right.

API Management Add-On in Heroku

API Management add-on is now part of the Heroku Elements marketplace and provides the fully functional API management wrapper around your Heroku services with all the features we mentioned earlier.

Today, we will discuss the scenario in which the gateway stays outside of the Heroku deployment working as an external layer securing the access and enforcing the policies:

Let’s explain how each of the components work:

• Backend services in Heroku: no big changes there, you run them just like you did before. What you would want to do is to protect the backend from direct access from the internet so API gateway can send traffic to the backend but no one can bypass it. You would typically do this with a combination of basic (or digest, or mutual SSL) authentication, and (if you have Heroku Private Spaces) VPC peering and IP restrictions.
• API Gateway: this can be run as a dyno or can stay external inside WSO2 API Cloud. You configure the gateway to get secure access to the backend, expose the APIs, set up the policies and transformations to be applied. Also, even when the gateway stays in API Cloud, you would typically want to pick the same AWS datacenter that your Heroku backend is using – this will minimize the network overhead and improve performance.
• User interfaces: these stay in API Cloud and require no deployment. Once you provision the add-on, you get single sign-on into the web UI for API management and analytics. You also get the Developer Portal that you brand and customize, and that becomes the web site that your subscribers use.

Getting Started

To enable the add-on for your Heroku application simply run the following Heroku command line:

heroku addons:create wso2apicloud

To open the API management configuration UI in your browser, run:

heroku addons:open wso2apicloud

You start at the free usage and can then upgrade to the tier that fits you best.

See Heroku API Management add-on documentation for detailed tutorial.