Application programming interfaces (APIs) are key to agile integration and delivering business value in a digital world. APIs support innovation, enable cross-enterprise agility, and simplify the creation of new products and revenue streams.
The Red Hat OpenShift API Management service makes it easy to manage your APIs. Share, secure, distribute, and control your APIs on an infrastructure platform built for performance, customer control, and future growth.
Available as an add-on to OpenShift Dedicated, Red Hat OpenShift API Management is a fully Red Hat managed API traffic control and API program management solution that includes analytics, access control, developer workflows, and more. It is based on the Red Hat 3scale API Management platform.
The API management service also includes an implementation of the Red Hat Single Sign-on to secure and protect your APIs. This service is intended solely for use within API Management (e.g., restricting access to your APIs and the 3scale Developer Portal) and not as a company-wide SSO solution.
Advanced API Management Service Configurations
Customer OpenShift Dedicated IDP
Because many of the development and notification procedures of the API management service are based on email correspondence, it is important that your identity provider (IDP) contains a valid email address for each enabled developer.
With your subscription, in addition to the primary tenant that is preconfigured, you can request up to 3 additional tenants. To request these tenants, please file a ticket with Red Hat Support.
More information about multi-tenancy can be found in the 3scale on-premise documentation: Multi tenancy in Red Hat 3scale API Management.
NOTE: The configuration of multiple tenants does not affect the total number of messages available through your subscription.
This feature has been supplanted by the products and backends feature in 3scale. More information on this feature can be found in the Getting Started: Product and Backends documentation.
Staging and Production Managed APIcast
Included in the OpenShift API Management service and managed by Red Hat are two managed APIcast instances: Staging and Production. These are preconfigured by Red Hat and are ready for your consumption right away. Both of these are installed in a single cluster and are intended for code promotion in 3Scale.
Self Managed APIcast & Custom Policies
In the event you need to manage your custom APIs (e.g., in a different region or data center from your Red Hat OpenShift API Management service deployment), your subscription includes the ability to install and self-manage localized APIcast instances.
Note that in order to use custom policies, you must install them in self-managed APIcast instances.
Commercially reasonable support is included with your subscription and can be accessed by filing a ticket with Red Hat Support. It is the customer's responsibility to monitor and maintain any deployed self-managed APIcast instances.
More information can be found in the APIcast self-managed Red Hat 3scale API Management documentation.
At this time we do not support Billing Settings. This restriction is currently in place as we can not support storing credit card information until we have completed PCI compliance and certification.
3scale Invite Feature
All users can access the 3scale API Management Admin Portal through the Red Hat OpenShift API Management service. To add users to the 3scale API Management Admin Portal you must add users by configuring the identity provider for your OpenShift Dedicated cluster. For more information, see Configuring identity providers. Although the 3scale Admin Portal appears to have the capability to invite new users to access the Admin Portal, this feature is not currently supported in OpenShift API Management.
Red Hat OpenShift API Management service is available only on the AWS versions of OpenShift Dedicated. For more information, see the OpenShift Dedicated Service Definition documentation.
OpenShift Dedicated can be configured to be private, public, or public/private. Red Hat OpenShift API Management is available in all of those configurations; however, the visibility of the clusters determines which APIs can be managed. It is critical to test your configuration before releasing to production to validate that the routes are available and working as expected.
Environment Isolation for Development, Testing/Staging, and Production
Red Hat recommends separating different environments into distinct OpenShift Dedicated clusters with automated build and deploy pipelines that are used to migrate development or testing clusters to staging and production clusters.
This separation ensures that software in development does not impact your production workloads. In addition, you will have the ability to test newer versions of both OpenShift and the API Management service on pre-production clusters.
Security and Compliance
As a Red Hat managed service, the included components and services are installed in protected namespaces (
redhat-managed-api prefix). These namespaces are monitored and managed by our certified Red Hat SRE teams. Default customer access to these namespaces is restricted; users of the
dedicated-admins group are given read access for monitoring. Note that if the customer has requested the OpenShift Dedicated
cluster-admin access, the customer does have the ability to modify settings in these namespaces. If that happens, then there is no longer a guarantee of service availability until the namespaces have been restored to the base Red Hat configuration.
The Red Hat managed services inherit the security and compliance protocols from the OpenShift Dedicated environment. As such, ISO 27001 and PCI certifications are in process, with future work planned for FedRAMP.
Logging & Metrics
If you enable the optional OpenShift Dedicated logging stack, the Red Hat OpenShift API Management service logs will be available in the cluster logging stack. Retention and visibility are maintained in the OpenShift Dedicated logging stack. For more information, please refer to the OpenShift Dedicated Service Definition.
Red Hat OpenShift API Management specific metrics are retained for a maximum of 45 days or up to 50GB of storage - whichever is reached first. At this time, there is no way to extend this time period or storage limit.
When you install and configure the Red Hat OpenShift API Management service it is automatically distributed to your OpenShift Dedicated compute nodes. Currently, there is no way to control to which nodes the service is distributed.
If you have purchased a Multi-AZ OpenShift Dedicated cluster instance, the managed service will automatically be spread across multiple availability zones to minimize service disruptions. For more information on Multi-AZ please refer to the Availability section.
Table 1: AWS resource requirements for Single-AZ
|18 Reserved||26GB Reserved||50GB Reserved|
Table 2: AWS resource requirements for Multi-AZ (presumes 3 zones) - total
|18 Reserved||26GB Reserved||50GB Reserved per AZ|
|27 Recommended*||39GB Recommended*||150GB|
* The additional vCPU and memory for 3 availability zones are to ensure total throughput in the event of a zone loss. The remaining two zones need enough resources to fulfill the demand for the API service.
NOTE: If you install the API Management service on a cluster, it is configured to take resource priority over other customer workloads. Specifically, other pods will be a lower priority and can be stopped to free space for the API Management service according to the table above. To avoid this, please ensure that you have allocated enough compute resources to your OpenShift Dedicated cluster.
If you are a Customer Cloud Subscription (CCS) user, it is important to note that Red Hat leverages AWS Multi-AZ services for Redis and Postgres, including the associated backups. These are required and consume resources from your AWS Account as follows:
- Red Hat creates a new VPC and peers it to the cluster default VPC. This VPC contains Red Hat's AWS service instances. The CIDR range for this VPC can be specified at installation.
- 3 cache.t3.micro instance (2 AZs Enabled)
- 3 db.t3.small instances for Postgres (2 AZs Enabled)
- 20GB of AWS Storage by default auto-scaling to 100 GB (3 RDS 20GB each across 2 AZ = 120GB)
- S3 buckets for metrics/backups - Size dependent on consumption
For CCS consumers, Red Hat reserves the right to increase the resources required to meet the SLAs of our service. It is expected that the customer will be notified of the increase.
Scalability and Service Levels
There are a number of subscriptions with associated message quotas available to meet your needs. At this time, you can deploy a single Red Hat OpenShift API Management service on each cluster and must choose a single subscription accordingly. You cannot add multiple subscriptions to increase the quota on an individual cluster.
While the subscription levels are purchased based on a daily total request rate, each subscription is monitored and the quota is based on the number of calls per minute. Please refer to the following table for the breakdown:
Table 3: Subscription levels and associated quotas
|Subscription level||Maximum throughput|
|1M API calls per day||695 API calls per minute|
|5M API calls per day||3473 API calls per minute|
|10M API calls per day||6945 API calls per minute|
|20M API calls per day||13889 API calls per minute|
|50M** API calls per day||34723 API calls per minute|
** At the highest levels of API call consumption, the Red Hat OpenShift API Management user may encounter 503 errors. This is a known issue and is expected to be resolved in an upcoming release.
Red Hat has specified the compute resources based on an average payload size of 1kB. Your APIs can have different payload sizes which will impact your overall performance and throughput. You are encouraged to run performance tests to validate actual throughput based upon your specific APIs and custom API payloads.
You will be notified via email as you approach the maximum throughput for your subscription, as defined in Table 3: Subscription levels and associated quotas.
It is important to note that API calls routed through self-managed APIcast instances also count towards the total quota.
The benchmark is based on the following:
- Lightweight customer-like application (no heavy computation)
- 10% of requests are for authentication
- 45% of requests are GETs against 3scale APIcast
- 45% of requests are POSTs against 3scale APIcast
- POST requests payload up to 1MB
- Use of production APIcast server
NOTE: Red Hat does not support an equivalent load on the staging APIcast. Performance testing should use the production APIcast.
Updates and Upgrades
Upgrades of the Managed API product will be scheduled with the customer and rolled out by our SRE team.
Non-customer impacting upgrades and Critical CVEs to our management platform will be automatically rolled out to clusters by our SRE team.
Red Hat maintains a 99.95% availability for its managed services, including the underlying OpenShift Dedicated managed environment. For more information, refer to Appendix 4 (Online Subscription Services) of the Red Hat Enterprise Agreements.
Multi-AZ High Availability (HA) deployments are supported if the underlying OSD cluster is configured to be Multi-AZ. In order to support a Multi-AZ HA deployment, the Red Hat OpenShift API Management service is deployed with multiple replicas of the pods that make up the service. These pods are given a set of pod anti-affinity rules that influence the Kubernetes scheduler and should avoid scheduling them on nodes within the same AZ. Additionally, Red Hat has raised the priority of these pods using pod priority, to ensure the Kubernetes scheduler takes the managed service scheduling needs into consideration ahead of other non-infrastructure pods on the cluster.
Backups and Disaster Recovery
In addition to the daily backups that occur in the OpenShift Dedicated environment, additional snapshots are taken of the managed API service, including its data and configurations. In the event of a catastrophic failure, Red Hat SREs will use a commercially reasonable approach to first recover your OpenShift Dedicated environment, and then your Managed API service.
You can remove Red Hat OpenShift API Management from your OSD cluster via the standard add-on deletion flows. Once this operation is invoked, this action is non-reversible and cannot be undone. Deletion includes the automatic removal of all Red Hat OpenShift API Management add-on data and backups.
As a premium offering by Red Hat, you have full access to the Red Hat Customer Portal with 24x7 production and developer level support. To achieve the best resolutions, file a ticket whenever you have a question or issue. When opening a support case for the Red Hat OpenShift API Management Service, select the product named “Red Hat OpenShift API Management Service”.
Refer to the Support Matrix for more information.