Layer7 API Management Reviews

We have a full, classic, API gateway currently. We want to leverage it to use the microservices, with the help of micro API gateway, to support our business or e-commerce platform, the API traffic. That's our main our goal, to move further toward a microservice with a Docker container.

We implemented it in a non-prod and it is good. But we want to move into production going forward. Performance-wise it’s good, and we are not seeing any issues.

The benefit is maintaining the security of the APIs and securing the transfer volume of the enterprise for any business transactions.

The main feature is the security, and then the performance of the APIs is good. The monitoring part is also helpful.

We are looking for improvements related to integration. We want to see them add integration tools to the CA bundle. That would be helpful.

Stability-wise it's good. We are not really seeing any issues. We have had CA products for almost four years, and until now we haven't see any outage or any impact of the gateway.

Scalability is good. With the new/future version of the gateway, we can easily scale up or scale down the gateway instance in the Docker container.

Technical support, the CS support, is good. They respond promptly. They give guidance and they give recommendations to improve the platform performance.

We were previously using a different API gateway. We had some issues with those servers. We did some evaluation in the market. I evaluated server software and IBM DataPower and Intel products. Finally, based on all the features, like security, we decided that the CA product is the best suited to the needs of Motorola's business.

I was involved in the initial setup. We brought in CA Professional Services to help start the infrastructure in our installation.

It was not complex, documentation-wise it is good. CA maintains the documentation very nicely, so based in the documentation we were able to set up the environment. It is all straightforward.

The main thing we look at when selecting a vendor is what partners are using them and how successful they are in that business with the product. Then we'll look at industry ratings. Based on that we will consider if we need to go with that product or not.

I rate it a nine out of 10 because the product is not only one product, API Gateway. If I want to monitor the gateways, I need to go with other CA products. It's not like a package, it is multiple products. So if it was a complete bundle, then I would rate it better.

I would recommend going with it.

Security. We have a lot of APIs, a lot of web services inside Motorola, and we wanted to have a solution which can secure all our APIs.

So far it has been doing well. But we are looking towards microservices technology. And we heard here, at this CA World conference, that they are coming up with a microservices API gateway. That is something that we would be interested in looking into. 

But as far as far as the classic API gateway goes, I think it is definitely doing well. We were bought by Lenovo, and eventually Lenovo, which did not have this solution, has also been convinced to use it. So overall, as one company, both Lenovo and Mortola will be using this product.

It can be scaled, especially the current version. It can be scaled as we need. And it can be used in different regions. We have different data centers in the U.S. and Beijing. We use it on-premise, on-cloud, and it can be hosted and used at any place and scaled across the regions. That's the primary benefit we have seen; other than providing security and the performance.

What we had before, Forum, obviously was not reaching our performance requirements. This really helped us, because every API that we get from external or from internal goes through this layer first, and it should not be a bottleneck. That was the problem we had before. Now it's no longer a bottleneck. It's more like a throughput, this process is less than 10 milliseconds for any particular API. 

So the number of transactions that we are able to process per second and the number of instances that we can use are benefits. 

Even before microservices API gateway came into the picture, two years back, CA really worked with us and helped us to get hourly pricing, so that we could spin up, spin down instances as we need, like during Thanksgiving or Christmas. So the product, by itself, is great, and the flexibility that CA has given us out of this product is really great.

From the security point of view it provides lot of features, as well as performance. I think it's 4000 transactions per seconds, per node, is what the performance is. So those two are major features that we have been looking for. It does both in a great way.

Microservices gateway is one thing in which we thought would be really good. It has come up, we just have to see how it's going to play out. Obviously, it's not going to replace the classic gateway, although we want to see that something in the microservices gateway that can actually replace classic gateway. That would be really nice. Right now, I don't think it's completely replaceable. It's just a part of it, but eventually they're saying that it will replace. So one day, where we can have a microservices gateway and we will not need the classic gateway at all, that is what we want to see.

We have never had any issues, to be frank. From the time that we had it installed we have never had any issues, whether in the non-prod or in production. So I would give it top rating from the stability point of view.

As mentioned, that's one of the great features, the scalability. We were able to scale up in incidences as needed, and scale down. So again, completely flexible. Top-rate, from the scalability point of view.

We use technical support only when we do the upgrades. My team, we always try to be at the latest and greatest version. Whenever they release, the next week we are already there, both in test and production. So when there's a new release, obviously there are some important technical features of which we are not aware. To learn about them we use the technical team. 

But other than that, from our point of view, as I mentioned, it has been pretty straightforward and pretty stable. We don't have a need to reach out to them, except when there are new features and we are migrating.

They're good. They have been really helping us. As I mentioned, CA as a whole has been a great partner for us and has been helping as we need. Whenever we need their support, they are there. Whenever we need information, they are there.

We were using Forum before, but we wanted a much more flexible solution that scales and has better performance. That's why we chose CA's API Gateway, to resolve our security, and provide the best performance for all the APIs that we have.

It wasn't really all that complex. What we had before was really pretty complex. When compared to that, what we have with CA is not.

We evaluated Forum, obviously. Layer 7 is one we looked into. Axway. IBM, because we use it a lot for e-commerce, so that is an API gateway we have been looking into.

Among most important criteria when selecting a vendor, the first thing is pricing. After that features, obviously, and then the performance and stability.

We would definitely recommend implementing Layer 7. The only reason you might not implement it is if you are looking at open source, but open source comes with its own issues and cons. But if the cost is not an issue, Layer 7 is the top and I would definitely recommend it to anybody.

The primary use case is we are using the API Management Suite. It has the Gateway and Portal, and we are using the Gateway to front all the APIs in FedEx.

The Gateway is performing very well. The Portal is not.

We can get more visibility into our data.

The benefit of the Gateway is that it provides security, authorization authentication, and analytics. These are the main benefits which we are using it for. 

The most valuable, for the Gateway, is it can front our APIs very easily, and it can integrate with FedEx easily, so those are good. 

For the Portal, we are able to manage with APIs and documentation. However, there are a lot of improvements, which could be done on the Portal side.

For additional features, I would like to see how it can be deployed into the cloud platform out-of-the-box and not having to do a lot of the initial setup. If it can be done out-of-the-box, that will make customer's life very easy.

Their upgrade solutions are not straightforward. Therefore, we are running the older version. We wanted to go to the latest and greatest. However, it is really complex going from where we are to the next one. 

It is fairly stable for the Gateway side. However, not for the Portal side.

We have seen that it can scale both vertically and horizontally. 

We have used technical support quite often, and they are really good. We have opened multiple tickets, and they are very responsive, especially for the Severity 1 tickets. 

The initial setup was very complex.

CA Service was helping me with the implementation. 

Initially we were looking into different options. We looked into Apigee, Axway, and CA. We did the whole evaluation, and CA come out to be the winner, because CA is the market industry leader.

From CA's new technologies, it looks like CA is moving in the right direction.

Look to your performance matrix and your benchmarks. What are you interested in? If you are looking for support, this is definitely the best solution. 

Most important criteria when selecting a vendor: Performance is one of the major ones. Security is another. 

We have the API Gateway deployed in production. The primary use case is for the API Gateway to provide API access, and authentication, and authorization for the APIs we expose through our product. 

I am also looking forward to having the API developer portal deploy as well so we get a bit more insights into the analytics part, and also some of the API lifecycle management associated with it.

I love the API Gateway, especially the architecture, in terms of the composability of the policies. We approach it from a very software-engineering approach.We build on the policies, like legal blocks, and we deploy them throughout different environments. It's been working out great for us.

It definitely helps a lot with the DevOps and the support. Reliability is one thing, and having visibility into who is using which APIs. 

Some of the performance matrix that API Gateway gives off - we monitor them via SNMP traps - and then we tie them into our monitoring system. You can actually monitor some of the latencies and some of the performance aspects of both API Gateways, as well back end services. So having that line of sight surely helps in terms DevOps.

The most valuable feature, as I mentioned, is the composability, because we use a lot of functionalities. 

Also, right now we're looking into the Dockerized version of API Gateway because that would allow us to flow nicely into our Microservice Architecture.

The more automation the better. I think CA is stepping in the right direction. I went through the micro API Gateway presentations here at the CA World conference, on how you can automate more of the policy deployment via the JSON format, so you don't even having to touch the Policy Manager. Because every time you touch something in the Policy Manager you think, "Well, that's a GUI, humans need to go in and do something with it." So if we can automate everything with the APIs, that helps a lot in the DevOps lifecycle, where we want to automate everything.

I've always been a fan of API Gateway. In the past we've used various API Gateways, some of them are open source. It's definitely very reliable and robust. The three years that we have them in production, not a single instance of downtime due to the API Gateway. We have issues, but it's mostly because of API backend issues or low balance issues and such, but API Gateway has been pretty reliable for us.

The scalability has been good. Now we have exposed the APIs, we have a four-node cluster of API Gateways in production. It's been scaling out well for us. I haven't had any issue yet.

I have ended up using technical support several times. I think it's fantastic. I've been working with a particular technical person in CA and he's been really, really helpful. He's been very busy, but the support that he gives me is above and beyond the call of duty.

Even going through the 24/7 support I usually get the answer back within 24 hours.

It was three years back, and at that time there wasn't a lot of automation going on with the API Gateway. It was a lot manuals, so we're using the OVA version of the API Gateway. As time went on, with the API Gateway you can pretty much auto-provision things. But two years back at least, I wasn't aware of that, so there was some manual steps. But even manual it was still quite painless to get it done.

We did do some evaluations against other products. Just to name a few, we looked at Mulesoft, WS02. We went with CA because the solution is simple to implement, it fits our use case well, and in terms of price point it also chimes well with our VPs.

I like that CA is continuing to improve the product, looking for new solutions using the API Gateway. That's something that we're familiar with. And that they're trying to make it work for different types of architectures. As I mentioned, we are moving toward Microservice Architecture and having the Docker form and the micro API Gateway to help with those kind of architectures is really helpful.

I'm an engineer, so from my perspective things have to be simple. If things get way too complicated then maybe you don't have the right solution, or you're not using the right solution to solve the right problem. In that case you may want to look for a different solution.

When selecting a vendor, as an engineer the solution that's offered by the vendor needs to be simple enough to solve my problem in an efficient way. Of course, I don't worry too much about cost because I'm not paying for it, but certainly cost does play a part in terms of licensing scheme.

The solution you choose depends a lot on the use case, so without really understanding a colleague's use case it would be hard for me to recommend anything at all. Definitely, if they want functionality like API management, I would recommend looking at CA to see it fits their use case or not.

Our primary use case is for API management. We use it as a security gateway in our DMZ and ESB and our trusted zone.

It works great. We haven't had any problems, it just runs.

Day to day functionality. It just works and it's easy to use, that's the best part of it.

Most valuable features are 

• the ease of use
• a very nice UI
• you can navigate through the screens
• a very good search feature.

I would like to see it work better with one of our back-end databases, DB2 UDB. Other than that, I really don't have any complaints so far. It's doing everything we need it do.

Stability is great. We run a high resilient load balance configuration. We haven't had any problems with it.

It scales.

We have not used technical support yet. We have not run into any problems yet.

We had API gateways before, we just divested from IBM and went with CA.

We bought 16 gateways earlier this year and we're setting them up right now. It's good. Straightforward.

When choosing a company to work with and buy from, they need to be industry-rated, they need to be one of the upper-right companies for strength, vision, and performance.

If I were advising a colleague at another company who's searching for a similar product I would tell them to talk to CA.

To protect the web services, security, authentication; protect against any kind of attacks from external sites.

We have been using API Gateway for four years and we have huge class actions, like 600 parts per second, and we have not seen any issues as of now. It's stable.

Security.

We get a lot of class actions, payloads, which have real security requirements, like personal identification information. So we need to protect all of this information, make sure it is secure. 

Also, we can handle the huge class actions we get from different clients.

It really benefits us a lot because, since we are maintaining financial information, personal identification information, we need to protect the customers' data as well as the clients' information. We can encrypt the payloads and decrypt the payloads and do SSL authentication. We can also store the files in the Amazon bucket with the encryption file.

We're integrating the cloud. I would like some more integration of cloud capabilities.

Regarding stability, we have not seen any issues as of now. It's a more stable product.

Scalability is very good.

We haven't had any issues. It's more stable. We didn't even have to touch anything.

It's a more stable product and we have very good support from technical point of view, but not from a professional point of view. We have some issues with Profession Services. But technical are always good, they support us as quickly as they. They give us solutions for customers, which is really helpful.

We were using an IBM product. We switched because we had some constraints, technical issues, support issues, and some other issues like use cases.

I developed the PoC and then moved it to production.

The setup is not complex, and we got very good support from CA technical support and Professional Services. I felt the technical support was really good compared to the Professional Services.

We did evaluate other vendors but we finally chose API Gateway.

In general when we are picking vendors, the most important criterion is support. When they can really help us we feel more confident.

I give it a 10 out of 10 compared to other products. I would definitely recommend CA API Gateway.

We use the API Gateway as a front door to access our APIs that we host internally, to enable us to get involved in the digitalization.

It has performed very well, actually. It's given us new capabilities that we never had before and gives us more confidence in increasing the number of APIs that we actually have.

I think the flexibility. It's very configurable. Each policy is very customizable, where we can accommodate different capabilities that our trading partners actually have. Even though from a textbook standpoint, there's always a certain ideal pattern that you want to apply, that's rarely the case with our trading partners. That flexibility is very important.

And the main point of the Gateway is the security aspect of it. It's very good from that standpoint. It has met all of our expectations. We're very happy with that.

It gave us new capabilities that we really didn't have before. We didn't have a good way of exposing APIs to the internet in a reliable, secure way. It gave us that ability. 

It also gives us a focal point where it's allowing us to consolidate our portfolio. Where before - Cargill is a very large company - from one business unit to the next, they didn't necessarily know what we actually have. This product enables us to consolidate that, so there's one place to look.

The tool itself, I think, could be better. Along with the flexibility it does have, I wish it had a little more modern user interface. For troubleshooting, debugging, that kind of thing, it could definitely be better. I would like to see improvements in the user interface, for sure for Policy Manager. That's the developer's tool. 

Debugging seems a little bit archaic by modern standards. I would like to see that improved. 

I would like to see better documentation for the development language itself. I think they took a step backwards, actually, when they published all their documentation online. Accessibility is better because it's on the web. But the content seems to me to have taken a step backwards. Not enough details, more difficult to find specifics. And you would almost think that would be the opposite, but the feedback I've gotten from our developers, and my own experience, is that it's not the case.

But in terms of the structure of how the language works, it's pretty good. It gives you a lot of flexibility and allows you to accomplish a lot quickly.

So, in general, improvements in the UI, usability. Like I said, it seems dated in terms of how it works, by modern standards. I think they could go a long way to refurbishing the whole UI.

It's been very good. 

We have had some issues. Technically it's like a database replication issue, where our operations people tell me that the audit logs have been quite large, and that has caused some replication issues between the two nodes in our cluster. 

But outside of that, it's been very good.

We're relatively new to this so I don't think we're taxing the capacity of our gateway at all. In the business that we're in, I don't think that we're going to get to huge volumes anyways. Our goal is to leverage it more. So far, that hasn't been an issue at all.

The biggest thing for us would be that currently it is deployed in one region. We're a global company, so that technically is a little bit of a constraint for us. We haven't been able to deploy more gateways in other regions mainly due to cost of licensing.

Overall it's been very good. 

There are two perspectives. We've used our technical sales contacts. They have been very responsive and very good. We're lucky that we have a couple of them local in our city. They've actually come on-premise to help us. That's been very helpful, very good. Professional services has been really good too. I've spent a lot of time with them. Again, their expertise has been very valuable. 

From a ticket support point of view, where we submit a ticket, I would say that's been a little bit less helpful, in terms of responsiveness, and conveying the actual issue to the person. Once you get them on the phone, and have a one on one working session - which they have been willing to do - that's been very good. But through the ticketing system and the support website, it could be better.

It was a gap in our company. We knew we had APIs that we wanted to leverage and work with our trading partners, for them to access it. But working with our security team, we knew that we didn't have a good way of exposing them securely. That was a roadblock for our business. We couldn't make them accessible because of polices. API Gateway filled that gap and enabled us to use best practices to expose our APIs.

I have been involved more from the development standpoint. We're set up in two groups, an operational side which sets up the infrastructure, does actual server software; I haven't been involved too much from that standpoint. It's more in the development side, to get initial templates together and patterns that we're going to apply. And just coming up with some standards for our developers to use.

I would say it's complex. But I think part of it is just the nature of what this stuff is, when you're dealing with security and the variety of approaches that there can be. That makes it complex. For us, it was relatively new, so there were a lot of challenges there to just learn all the different aspects of it. 

We did consider other vendors. I wasn't part of the original selection, but it came down to two different vendors, CA being one of them - at the time it was Layer 7. Then we did a proof of concept, so I was involved in that. 

In the end, it was really no contest. I tell our other people about this: That it was a week long proof of concept and the other vendor, it couldn't complete one use case. In one week, they had three people that they brought on-premise to work on our use cases for the proof of concept, and they couldn't complete any of them. Layer 7, they completed all of the use cases in one afternoon. It was pretty convincing.

What's important to us when selecting a vendor, besides the product, the vendor needs to be of significant size to be able to continue to evolve the product. It needs to be able to provide enterprise-level support. We're a large company, so we expect the vendor to provide that backing of their product and SLAs. When we choose a product we don't want it to be a product that comes and goes. We want there to be a clear vision of where it's going, that's important to us. CA was able to demonstrate that to us.

It's very good in terms of what we wanted out of the product, initially. But now that we've explored and had the product for a while, we expect more. I think it definitely has room for improvement. Some of those things we're seeing here today, or in this week, at the CA World conference, give me some hope that that improvement is going to happen.

I would advise taking a look at what's available. Clearly, we've had good success with CA API Gateway, but this is a very quickly evolving space. I would encourage them to look at what's out there, what's available. They should prioritize what's important to them, what they're looking for out of the product. Then do a proof of concept to make sure that they feel comfortable, that the product is what they need. Also work with the technical support staff, to make sure that they're comfortable working with them too.

The primary use case would be services for APIs that we are going to expose either internally, within the enterprise, or at the outside edge of the enterprise.

Most valuable might be the security assertions, the policy assertions that are able to be bound somehow to the APIs.

We are a company with a rather complex process when it comes to integration of applications. Our expectation - we are only about to get this product into  a productive state so we are not using it productively at the moment - so the expectation is that it will simplify the on-boarding of either internal or external developers when they are using our APIs.

The solution is divided into their Gateway and to their Developer Portal components. For the Gateway component, our expectation was that it is provided as a Docker image, but it turned out that it was not supported in production up to the version that we are currently using. But the next version is obviously provided as a complete containerized version for production, which is quite good.

On the other hand, the Portal provides some questions so to speak, at the moment, because as we decided on the product last year, at the end of 2016, and it turned out that CA completely rewrote the Portal solution and the current version of it is not at the level of the functionality of the previous 3.5 version. That's quite a problem for us because we expected some functions in the Portal which are currently not available. Unfortunately, the new version is also not being introduced here at CA World, so I'm somewhat doubtful as to whether it will be provided this year. So it will probably be available only next year.

We are not in the production state at the moment so I cannot say anything about its stability.

We have quite good support by the guys from sales support so far but, as I said, as we are not in production yet, we cannot evaluate the normal support services.

It's a completely new solution for us as we were not dealing with REST-based APIs up to that point, and internally we are used to using SOAP Vitsa-based web services instead, as the major application technology. Now it's more and more moving to the REST-based approach with some kind of mircrosource architecture concepts that are being introduced, so we need to look for another solution or some kind of add-on to a existing integration infrastructure.

I was not directly involved but I was on the side getting feedback from the guys who were doing the real set up. It was a mixture out of straightforward implementation or installation and rather complex stuff. We're dealing with a specific installation image that was due to the fact that we were using specific combination of hardware, software and operating system.

Without naming them, they are the top contenders in the well-known ratings, so the ones that you find there were used as a basis for evaluation and, from then on, we did some deep-dives into the functional capabilities of these products and then decided on a shortlist. Those vendors were then were evaluated by our procurement concerning the financial aspect of the old stuff.

When considering the most important criteria when selecting a vendor, of course there are all kinds of functional criteria according to the product that we are evaluating. On the other hand, it's important, of course, that the vendor is stable. And because we are a large company, it is for us important that the vendor also provide some kind of stability due to its size and its footprint internationally.

Brand name isn't a big consideration for us. On the other hand, you have different analysts' reports that are quite important for us, as we don't have time and budget, from an architecture point of view, to evaluate all existing solutions in detail. So we have to have a starting point, which of course is the analysts' ratings and then, with some products, we usually do some kind of PoC and workshops to find out if they match our requirements.

I would actually divide my rating into two parts. The CA Gateway solution I would rate at nine out of 10, based on its mature capabilities in all the areas that are relevant for us. On the Portal, I would give only four out of 10 because I actually I don't quite understand the CA market strategy in that area, and the fact that the current version doesn't provide the same capabilities that they used to have with 3.5. There are some major capabilities that we miss there and which have not been introduced in the current 4.x version schemes; we're waiting for that to happen.

I would advise you plan a thorough PoC with the top two or three contenders on the list to find out about not only the functional criteria on the paper, but also how the product works and looks and feels in real life.