Debora Elkin has over 20 years of experience working in the IT industry in a variety of technical pre-sales and consulting roles encompassing almost all aspects of systems architecture, design and development. She has participated in, as well as led, several large projects in the finance, telecommunications and government industries, where she architected, designed and implemented innovative solutions. She is recognised as an expert in Middleware, with in-depth technical knowledge of API Management, SOA, Business Process Management, Cloud Technologies, Integration, Application Servers, J2EE, In-Memory Data Grids, SOA Monitoring and Management Tools.
I am a strong technologist with an eye toward enabling strategic change. I enjoy helping to define business solutions and optimize the technology stack to meet business needs. I enjoy new challenges and have a natural curiosity to learn new things. I appreciate working with a wide range of individuals from business leaders to system engineers and developers to create and inspire a shared vision. Working toward any shared vision generally involves problems along the way, either with the vision or with current solutions and processes. I love troubleshooting an issue as much as anyone.
About the talk
Enterprises are increasingly adopting microservices, APIs, hybrid, and multi-cloud strategies to modernize existing applications, build new ones, and run them anywhere. Anthos is an open application modernization platform that enables you to modernize applications and enable new levels of IT agility, scale, and innovation.
This session covers how to use Apigee API management for workloads built on Anthos. Watch a demo on how to build and deploy services on Anthos GKE, manage them with Anthos Service Mesh, and securely expose them as APIs with full life cycle API management. Learn from demonstrations how to secure these APIs with OAuth and end-to-end TLS, and cover the latest trends in security, including bot detection, anomaly reporting, etc.
Speakers: Debora Elkin, Greg Kuelgen
Google Cloud Next ’20: OnAir → https://goo.gle/next2020
product: Anthos, Kubernetes Engine; fullname: Debora Elkin, Greg Kuelgen;
event: Google Cloud Next 2020;
Hello, my name is Greg Kuelgen, architect with the Apigee team at Google Cloud. Very excited to be here today with my friend calling later on. Amazing demo of some of this functionality that we talked about today. Let's get into it. read this agenda slide but there's a key takeaway in Apigee as a means for deploying, secure API, What's set this up just a little bit? A company's Innovation day. Jelly Bean jelly bean counting contest just by posting a photo
ID, this app is amazing and we need to make it available to all our employees. If I knew she was a wizard on or off steam, Maria said I've just the thing for the new technology called gke for Developers. Traffic to me. So we want to head to play my app to read. He's pretty basic. But outside of following the app, Usage through the roof. I use this as an opportunity to recruit some team members. We were getting lots of requests to the back lot since you saw a proliferation of services we quickly realized that we needed a way to help us manage and secure all of these Services,
back to Maria. Rihanna ever again there's a reason I keep going her. In this case, we can use a service to help us understand. Traffic. The great news is already available as part of a service mesh to get through without worrying about managing all of the TLS Access Control. Which is a little helper. All the sudden the Enterprise access to the services we were building is but we didn't want to take a bunch of I'm sure no one is surprised to learn another solution this time and the
documentation discoverable. Don't need to talk to anyone on my team. More success. At this point Teresa one of the execs took notice, he said we needed to add a few more API capabilities such as threat protection rate-limiting in oid. See, we also need to ensure that we can handle the load in TCP to ensure that we could scale. That's all great. But as I stated developer, that wants to deliver business value. Debora might be able to make it very easy to expose. It is standard practice when working with services to use CI/CD pipeline to
automatically build, but also makes it easy to ensure best practices of Fallout when you code is checked into a repository management cloudsource Rico Citrus cocktail tree that's in new built. This will generate a new container image. Check it in the cloud container Ridge Street. we can use a similar approach for making it very easy to build an API service when the service did the generation of a new API proxy and deployed to check the new generate an API that incorporates the best practices adopted by the company,
providing a secure The demo, we are going to see these from the point of view of a service developer well-versed in software development. That's so sweet or secret is used for cold sores control. Also use a local editor on their workstation to work on the source, code check to their local repository and push the changes to the remote report. Top 10, the registry is used to store all the container images that are generated during the development process. The services are deployed to
An Answer space and cluster. In this case it is a development plaster City hybrid run time has been deployed I'm looking cloudsource. Repository is generated automatically from Project is created which best practices in software development. It's cities in action editor, that would make changes to the code. And what's the ready? We committed to the local Repository. They would then push those changes to the remote Repository. When the change switch, the remote with Portia Tree
in you, build easy started. This is managed by Cloud Build. Let's look at what happens to Windsor built. The first step builds the new container image. Pushes it to Container Registry. After. It is deployed to the Anthos cluster. Tell assistant very fast at all the artifacts have been deployed and that they are successfully working. Let's go back to Cloud Source Repositories, and have a look in more detail as to the structure of the Repository. We can see that there is an
API folder station with me. Five steps necessary to expose the service API, we need to provide a couple of API configuration data and also talked to Repository All the developer needs to know, in order to expose the service as an API. The developer decides to go ahead and do this. So once again, we switched to the local editor and see face, but this is worthy and we also need to provide the back and it would be connected to Once again. Which is two changes
to the remote Repository. Create a new tag. And finally pushed changes including the neuter to the remote Repository. once again, the street by Cloud Build First Step generate generates only Associated, be safe. Phenix. Statista tapi has been successfully deployed, its a couple of request with an API key. The next few steps code generated for the API back into the source code repository, it is worth mentioning that the old best practices that a centralized API team Demas. Necessary for instance
etcetera, decentralized API team will be in charge of managing the temperature used and we continually update them with best practices. Let's now take a look under the hood and explore titis for that. We will switch to the Apigee user interface When will you get the API proxies that have been fun? We can see. Now, we have anyone related to our hello service. When we look into the details of the proxy, we can see that it is connected. To our hello service, which is available on the hello endpoint in the Anthos cluster. It's a look at the
policies implemented by this proxy. Remember that first one doesn't exist. What makes East it'll just make sure to remember it so that I can get it back in the response, it'll apply some threat protection policies to ensure that an API key is provided on the schools. And finally, we don't apply JSON threat protection policies on the payload of the API. It takes a successful World Service. Want to be back. It will inject a correlation of the one that was sent
in the request. Let's Mouse edipi notch. Expected, we get the 401 unauthorized response because there was no API key included in the request. I was sick of test button, including API key Either. it's just about, That's expected with Kevin because it dipi has detected a threat in one of the head. I mix test its request. It is a requested that includes an API key. Ice expected. We get a successful response and by the way, this is the new version of the service. That was deployed at the beginning of the demo.
You don't think Chris has a correlation ID that was automatically generated because I will request it include one. I will next test. Include a correlation ID in the request. When we executed, we can see that the response that include that correlation ID plate back. Let's now send a few more requests. If we send them a quick succession, we will at some point. She tagged order limit and that's when the API we returned and ever. Mitzi. You handled all of this request. The first one. It's the one that's
in this case. I stopped any further processing. The next few requests are the ones that were successful. We can see that all of the policies were successfully executed and it was forwarded to the client Can you request? It's the one that failed because we had exceeded our quarterly meeting. And again, any further processing was stopped, This demo, we have seen more than software development practices that are commonly adopted by the developer Community
leverage. These practices to iskra solve, the problem of exposing these services to consumers in a secure way to study corporate-owned practices. I hope you have enjoyed your day. Thank you for watching it. I have a question. When did General see customers set something like this up? Different customers with larger Enterprises and mature. Programs are the ones who set this up in order to be a creation is not concentrated in a small team of experts. Okay, got it,
but we all know the security requirements are going to fall sometimes. Madison Security across these distributed areas. That's when we generally see a centralized team that is responsible, not just for the creation of this automated templates, but also of the shared flows that they use with the shared flow, you can, he still needs to update some of these security measures air flow, only Pious, making use of this shared flow will automatically applied the latest and
greatest security measures. Yeah. Okay, that's a good plan. I think it's time to wrap up today together to secure APIs using best practices that appear that by Nature Center or similar team developer. Concentrate on delivering. I want to thank you for watching this conversation Debora and I have some expert one-on-one sessions over the next couple of weeks for this session.