Checklist: What to Check for When API Monitoring

The editors at Solutions Review take you through an API Monitoring checklist to ensure you’re getting the most out of your API performance.

API Monitoring Guide

APIs (application performance interface) make modern digital services run, allowing companies to automate the process of querying data sets from disparate sources and transforming the results into practical information or action. Whether programmatically pulling data into your workflows, exposing your data to others, or both, APIs are thoroughly baked into modern applications. So much so that when problems with APIs crop up, they can have devastating consequences— disrupting user experiences, supply chains, and even the basic functioning of the business itself.

To capture the complete picture of API performance, you’ll want to test each element individually, as well as end-to-end workflows in aggregate. By checking the health of long, complex query processes across the full transactional flow, you can see how real users and applications experience your APIs. And by pulling metrics from all the disparate components involved, you can quickly zero in on the source of problems when something goes wrong. To understand API performance thoroughly, make sure you cover the following core areas.

API Monitoring Checklist

Infrastructure

Ops teams already capture granular details about the performance of infrastructure elements. By synthetically replicating API calls and measuring how they affect infrastructure, you can capture an accurate baseline of how different user journeys translate to actual costs per transaction.

Verify infrastructure health. Check the health of every element in the data path, including servers, databases, firewalls, and load-balancers. Capture typical infrastructure metrics (CPU, memory, disk, network) to baseline performance and ensure you have the necessary capacity. Verify the health of cloud and software-as-a-service (SaaS) elements. Track metrics like input/ output operations per second (IOPS), transactions per second (TPS), and SaaS licenses. Perform network route path tests for transitory networks: Make sure you’re capturing metrics from the many transitory network elements that affect API performance that you don’t own. That can include transport provider infrastructure (routers, firewalls, load-balancers), caches, content delivery systems (CDNs), and edge distribution devices. Test things like link Internet Control Message Protocol (ICMP), traceroutes, and lookups of Border Gateway Protocol (BGP) statistics on the edge. If you don’t understand how all those pieces interrelate, you can’t get an accurate picture of your API infrastructure health.

Front-End

On the front-end, validate DNS health. DNS is the first step in any user journey. If it can’t resolve a hostname, the workflow and everything depending on it break down. Yet most API monitoring checks still don’t include DNS. Make sure to continually verify that DNS is returning the correct responses and hasn’t been hijacked. Monitoring should include DNS Security (DNSSec) and GSLB functions and the entire tree of DNS entries that may need to be publicly accessible. Validate that SSL/TLS certificate and host information is correct/valid. To protect your business, make sure your API or the API you’re connecting to isn’t being spoofed. Validate API front-end accessibility with login-checks. They sound simple, but login checks, especially involving multi-factor authentication (MFA) or credentials accessed via a shared secret directory, are extremely difficult for conventional monitoring tools. Additionally, make sure those credentials pass through if your front-end includes MFA checks that don’t go through the API. You can’t validate that with a simple front-end check; you need to examine the application set to verify that this handoff occurs. Perform basic object queries for highly accessed objects. Thoroughly monitor the performance of the front-end itself, which typically handles cached objects. Check for response time metrics such as time to last byte, which can baseline API health.

Middle-Tier and Database

Most businesses still don’t do advanced testing of middle-tier and database components or synthetically test performance accessing different levels of archival information in storage. This means they don’t know whether any API-dependent data service meets its SLA. This becomes a bigger problem as businesses use APIs for storage optimization—such as automatically moving colder data to Glacier cloud storage to reduce costs. If users can’t restore data sets within SLA parameters, your optimization project can end up costing more than if you’d never bothered at all. When using API-driven automation for optimization efforts like these, you must continually validate their functionality to ensure they’re not breaking things.

Craft API logic to access multiple back-end systems, and check for interactions between different API elements such as multiple databases or multiple API data feeds. Craft API logic to test data resiliency of tiered storage systems. Make sure you know how long it takes to access archived data versus cached data. Craft queries to test third-party data sources. Make sure you’re simulating queries to every external dataset your system relies on.

Full User Journey Test

Understanding the end-to-end user journey is as essential as monitoring the component pieces of your API workflow, and often far more complex. Application teams need to participate in developing these tests, as they have a much clearer understanding of what the user journey entails. By ensuring cross-team collaboration in developing user journey tests, Ops teams will quickly connect the dots when something goes wrong.

Test the whole transaction. Simulate the end-to-end transaction with all APIs and other application elements, including dynamic information such as inventory data. Undo the whole transaction: Testing systems must first do no harm. You should be able to undo an end-to-end synthetic transaction as easily as generating it not to disrupt the business. Test your most important user journeys: Replicate the known user journeys of critical customers to verify that their use cases function correctly. That can include transport provider infrastructure (routers, firewalls, load-balancers), caches, content delivery systems (CDNs), and edge distribution devices. Test things like link Internet Control Message Protocol (ICMP), traceroutes, and lookups of Border Gateway Protocol (BGP) statistics on the edge. If you don’t understand how all those pieces interrelate, you can’t get an accurate picture of your API infrastructure health.

Conclusion

A web of APIs is at the core of many of today’s applications. Actively monitoring them for speed, load capacity, and reliability is critical to get a complete view of your users business journeys through your applications. As more critical business processes depend on APIs, it’s becoming more important to verify that they’re continually working as they should.

Read the full API Monitoring Guide from Apica for free.