Network APIs are like the unspoken language of modern networks. Not all systems may natively speak the same language, but through some careful planning and collaboration between each platform, a common set of instructions, inputs, and outputs can be agreed upon to remove the complexity and uncertainty of one system telling another one what to do.

Think about systems and workflows that are universal, like the ones that manage commercial aviation. Whether you fly United, Air France, or Emirates, all of these airlines need to be able to communicate with each other for a number of different purposes, from layovers and baggage transfers to security.

But under the hood, each airline’s systems are architected slightly differently, with different software, databases, and other key pieces of infrastructure. How can we get these systems to talk to each other? The answer, for us, is network APIs.

What’s an API?

API stands for application programming interface. (For a nitty gritty technical explanation, try this API for Beginners video). But really, all you need to know for now is that an API is a clearly defined set of instructions that defines how one system can interact with another.

There are different styles of APIs that have gained and lost prominence over the last few decades. For the purposes of our discussion, we’ll talk about Representative State Transfer (REST-ful) APIs, which have emerged as this decade’s most popular web service API. There are many other more developer-centric APIs, like library or class-based APIs, that we’ll keep out of scope.

Modern APIs expose what are called endpoints, or paths that represent an object or collection of objects, say, the hostname of your main firewall.

Each endpoint typically allows for (at least one of) a set of CRUD actions. CRUD stands for create, read, update, and delete. In our hostname example, using an API, you could invoke an action to create a new hostname, read the existing hostname, update the existing hostname, or delete the existing hostname.

Why are APIs such a big deal?

Until now, the network’s been stuck in the Stone Age. APIs have deeply penetrated the endpoint space of servers and workstations. Take a Windows application developer. In each area where an application needs to plug or hook into Windows, the developer can use an appropriate set of API endpoints.

But to date, APIs have been few and far between on the network.

Recall some of the legacy methods we’ve been using over the years to communicate with network devices:

  • CLI
  • Web GUIs
  • SNMP
  • Vendor-specific apps
nettwork API MSP stone age woolly mammoth
Photo: Wikimedia Commons

Think about just how fragile and frustrating these communication methods can be to use. Syntax can change from version to version of firmware. With different hardware configurations, you need to reference different components differently. Modern web-based technologies like JavaScript prevent easy scraping of data. SNMP implementations require in-depth knowledge of how to navigate the maze of MIBs and OIDs—not to mention there’s a large amount of incomplete and incorrect data that surfaces through SNMP.

Performing a “simple” task like adding a rule on a firewall has traditionally been cumbersome. But with a clearly defined set of API endpoints, I could update a set of firewall rules without having to navigate through a CLI configuration hierarchy and issue a series of commands.

Here’s an example of a cURL request I could make to the Meraki Dashboard API:

curl -L -H 'X-Cisco-Meraki-API-Key: ' -X PUT -H 
'Content-Type: application/json' --data-binary 
'{"rules":[{"comment":"A note about the rule", 
"policy":"deny", "protocol":"tcp", "destPort":"80,443", "destCidr":",", "srcPort":"any", 
"syslogEnabled":true}],"syslogDefaultRule":true}' '[organizationId]/vpnFirewallRules'

Within this relatively small request, we’re specifying the following:

  • Comment
  • Description of the rule (optional)
  • Policy
  • Allow or deny traffic specified by this rule
  • Protocol
  • Type of protocol (must be tcp, udp, icmp or any)
  • srcPort
  • Comma-separated list of source port(s)
  • srcCidr
  • Comma-separated list of source IP address(es)
  • destPort
  • Comma-separated list of destination port(s)
  • destCidr
  • Comma-separated list of destination IP address(es)
  • syslogEnabled
  • Log this rule to syslog

All done within a single command. How would this look on the CLI?

We’d have to craft something like this (for a Juniper SRX):

set interfaces fe-0/0/0 unit 0 family inet filter input blocked.IP
set interfaces fe-0/0/0 unit 0 family inet filter output blocked.IP

set policy-options prefix-list block.outbound
set policy-options prefix-list block.outbound
set policy-options prefix-list unblock.outbound

set security log mode stream
set security log source-address
set security log stream Server format syslog
set security log stream Server host
set security log stream Server host port 123

set firewall family inet filter blocked.IP term 1 from prefix-list block.outbound
set firewall family inet filter blocked.IP term 1 from prefix-list unblock.outbound except
set firewall family inet filter blocked.IP term 1 then syslog
set firewall family inet filter blocked.IP term 1 then discard
set firewall family inet filter blocked.IP term 2 then accept

See how much more concise the API query is?

network API MSP sunrise new age
Photo: Pexels

How will APIs affect the SMB space?

We all know the network layer is fundamental as a base for applications and services to ride on.

For the longest time, we’ve seen servers, workstations, and even newer device types like smartphones give developers increasingly sophisticated and data-driven ways to interface with their operating systems.

But network gear like your routers, switches, and firewalls have been relegated to using archaic methods like the command line interface (CLI), a web GUI that requires some annoying plugin like Java or Flash to show all content correctly, or a native application like Cisco ASDM to perform relevant configuration.

More recently, though, network vendors have begun exposing APIs, either as a supplement or exclusive replacement to the CLI. (GUIs are here to stay.)

MSPs and SMBs with a cloud management component to their offering, like Meraki and Datto/OpenMesh, have developer APIs. We’ve also seen some on-premise products from the likes of Barracuda and Sophos that allow interaction with devices using an API.

These network APIs make possible some powerful automated workflows, such as bulk resetting passwords, initiating firmware upgrades, and provisioning VLANs for a new application (like voice or video) throughout the network stack in a matter of seconds instead of minutes or hours. As a result, APIs free up your team to devote their time and expertise to higher-level projects.

What does this mean for MSPs?

When replacing or augmenting areas of your tool stack, look for products and vendors that have opened up their platform with APIs. This will give you the flexibility of integrating other products into your stack, and potentially developing automation to eliminate repetitive tasks that are better left to a machine.

The more information you can extract, transform, and load from one system into another, the more you open up possibilities for automation and more seamless workflows. Open APIs promote interoperability from one vendor toolset to another, allowing tight integrations.

The end goal here is automation nirvana, with historically strenuous and humanly unscalable tasks being automated, allowing you to focus on value-add projects instead of poring over spreadsheets and attempting manual reconciliation.

What’s Auvik’s API strategy?

At Auvik, we’re huge advocates for the potential breadth and depth of data injection and extraction that APIs allow. We’re working on a number of APIs that will allow our partners and third-party vendors to tightly integrate with Auvik.

UPDATE 2021: Here’s a full list of the Auvik APIs currently available.

Leave a Reply

Your email address will not be published. Required fields are marked *