11436 SSO

API Best Practices: Platform Deployment Models

Where should you deploy your API management platform?
Oct 04, 2016

In a previous post, we discussed best practices around deploying microservices. Here we’ll cover how to decide on the right deployment model for your API platform.

So you’ve decided to purchase API management. Now you need to decide where you deploy your API management solution: in the public cloud or in your own private cloud? Or is there a hybrid approach that’s appropriate? When evaluating deployment alternatives, there are several considerations: time to success, total cost of ownership, security, performance, and scalability, and reliability.

Time to success

Deploying API management in a private cloud requires time to acquire, provision, and deploy hardware, configure software, and train employees to manage the software. Typically, the cloud deployment option is the fastest one to launch your API program. TrustPilot, for example, went from purchase to live production in four hours.

With readily accessible infrastructure and the right people, however, a private cloud is still a viable alternative, as it grants more control over an organization’s infrastructure.

Total cost of ownership

Typically, private cloud deployments tend to have lower software license costs compared to cloud subscription fees of API management. To do an apples-to-apples comparison, organizations typically look at the total cost of ownership of each option over three years.

Once you factor in infrastructure and people costs to deploy, manage, monitor, and support the API management infrastructure around the clock, the cloud option typically carries a lower total cost of ownership than the private cloud option. API management vendors can distribute infrastructure and operational costs across a large set of customers—and pass the savings on to customers.


In most use cases, performance doesn’t differ much between private or public cloud options. There can be an exception, however. In internal use cases, where the target backends and API users are both in the private cloud, public cloud deployment can sometimes add additional round-trip latency to the API call. In this instance, one can pursue either the private cloud or a hybrid cloud solution.

In the hybrid approach, federated gateways are co-located with the application environment, while the rest of API management is in the public cloud.



Security and compliance

Depending on an organization’s specific security and compliance requirements, private cloud deployment might be the only option. API management vendors like Apigee have put in place many security processes and have employed third parties to enhance security of their public cloud offerings. In some organizations, certain workloads like payment transactions cannot be on the public network. In these cases, organizations pursue a hybrid API management deployment, where some workloads remain on-premises while the rest of the workloads are in the public cloud.

For example, Apigee Services are third-party audited, compliant, and certified for PCI DSS, HIPAA, SOC1, and SOC2. Apigee uses multiple frameworks to define and manage security controls, including Cloud Security Alliance (CSA) and ISO. And vendors can provide a detailed security checklists to help guide organizations to make the right decisions.

Scale and reliability

An organization’s peak API traffic volume and uptime requirements can also help determine the right deployment option, as the public cloud option might or might not be available from your API management vendor. For example, Apigee in the public cloud processes over 300 billion API calls per year and hit a peak traffic of over 50,000 requests per second over Thanksgiving weekend 2015. Apigee also delivered 99.99% availability to its customers over the past year. 

Once you've figured out your requirements around the five considerations we've discussed here, the choice of deployment model that's right for your organization should be clear.

Creating World-Class Developer Experiences