📰InfoQ Architecture·February 27, 2026

Secure API Connectivity with Architecture as Code

This presentation explores managing the increasing complexity of secure API connectivity by moving beyond traditional API management tools. It introduces the Common Architecture Language Model (CALM) and emphasizes shifting security left through architectural patterns to enable faster, more secure deployments and bridge the developer-security gap.

API Design Security DevOps & SRE

Read original on InfoQ Architecture

The Evolving Complexity of API Connectivity

Initially, API creation seems simple, but adding authentication, authorization, and cross-trust boundary requirements quickly complicates matters. Traditional API management tools, while useful, introduce operational complexity and can hinder portability. As systems scale, automated deployments become crucial, requiring coordination between API services and management layers to ensure zero downtime and consistency. Furthermore, integrating gateways for security, service discovery, and routing to microservices adds another layer of complexity, moving beyond the capabilities of a single API management solution.

Key Non-Functional Requirements for Robust APIs

Security: Must be considered from the outset, not as an afterthought.
Performance: Defining and communicating clear SLAs is critical for user expectations.
Availability: Designing for resilience against infrastructure failures.
Observability: Essential for quick issue diagnosis in production.
Audit Logs & Compliance: Crucial for regulatory adherence and system accountability.
Cost: Careful management to avoid unexpected expenses as services scale.

ℹ️

Developer and Security Gaps

The article highlights two significant gaps: the developer-infrastructure gap (too much YAML, lack of support for developers with complex tooling) and the developer-security gap (unfamiliarity with security concepts, lack of appropriate training, and security acting as a gate rather than a guide). Bridging these gaps is central to achieving secure and efficient API development.

Secure Design Approaches and Architecture as Code

To address the challenges, the presentation advocates for embedding secure design approaches into system modeling from the beginning. This involves leveraging tools like C4 architecture models to visualize systems and integrating threat modeling early in the design phase. By shifting security left, developers can proactively answer security questions and build robust systems rather than facing 'no' from security teams late in the development cycle. The Common Architecture Language Model (CALM) is introduced as a framework to facilitate this proactive, 'architecture as code' approach, transforming lengthy review cycles into rapid, automated deployments.

yaml

# Example of potential 'Architecture as Code' for API policy
apiVersion: api.example.com/v1
kind: APIPolicy
metadata:
  name: secure-conference-api
spec:
  apiName: conference-attendees-service
  security:
    authentication:
      method: OAuth2
      scopes: [read:attendee, write:attendee]
    authorization:
      roleBased: true
      roles: [admin, registered_user]
  rateLimiting:
    enabled: true
    requestsPerSecond: 100
  observability:
    loggingLevel: INFO
    metricsEnabled: true

API GatewayAPI ManagementSecurityArchitecture as CodeThreat ModelingNon-Functional RequirementsDistributed SystemsDevOps

Comments

Loading comments...

Architecture Design

Design this yourself

Design a secure, scalable API connectivity platform for a large enterprise, emphasizing an "architecture as code" approach. Include mechanisms for automated policy enforcement, centralized authentication/authorization, seamless integration with microservices via gateways, and robust observability. Incorporate early threat modeling into the design workflow.

Focus: secure API connectivity platform with architecture as code

Other design angles

· Design a multi-tenant API gateway solution that supports secure API connectivity for diverse client applications.· Propose an architecture for a developer portal that facilitates secure API consumption by integrating with an architecture-as-code platform.· Focus on the security components of an API platform, detailing how to implement authentication, authorization, and threat modeling as code.