Managed service instance on AWS

API Connect for GraphQL runs your GraphQL as a managed service on Amazon Web Services.

API Connect for GraphQL as a Service provides the capabilities described in Table 1.

Table 1. API Connect for GraphQL as a Service capabilities
  • AutoScaling: API Connect for GraphQL automatically distributes your workload across our Kubernetes cluster and scales to meet your traffic throughput.
  • Low latency: We typically see 6-12 ms latency in our optimized, in-memory (for both data and runtime state) GraphQL engine. Latencies to our system and to your backend data sources will vary. You can test and measure latencies for yourself using the free performance tool.
  • Security and data protection: See Data protection.
  • A stable IP address to create an allowlist at your firewall: See Creating an allowlist of IP addresses.
  • Global points of presence (PoP): Amazon Web Services provides a globally distributed point-of-presence (PoP) footprint. In practice, regardless of where your traffic originates, it enters the AWS network at the nearest PoP and is then routed to our servers.
  • Hermetic builds: IBM can recreate each released version of our cloud service exactly (including the compiler, other build tools used, and libraries). This enables us to diagnose, validate and trace any problems in our codebase with precision, and to address issues quickly when they occur.
  • Fully automated deployments and frequent releases: We release small updates frequently to provide reliable testing and to avoid complex side effects from multiple interacting and conflicting updates.

Data protection in API Connect for GraphQL

IBM takes the protection of your data seriously.

  • All account information is encrypted before it is stored in AWS RDS.
  • Your secrets are safe by design. Deployment artifacts (secrets and configuration), once provided to API Connect for GraphQL as a Service, can never be downloaded from API Connect for GraphQL as a Service. Information only flows one way — from the developer's machines to our cloud. The only operation supported is deletion using a valid admin key.
  • Schema and configuration can only be created or updated using admin API Keys.
  • Each GraphQL API that you create can be called using an Admin Key, an API Key, a valid JWT, or with no credentials (public). You specify which applies in a configuration setting.
  • Our data retention policies are GDPR compliant.

Protecting your data sources

API Connect for GraphQL accesses your backend data sources using SQL queries, REST API calls, or GraphQL API calls.

  • Databases:
    • SQL calls are always prepared statically, to prevent SQL injection attacks.
    • API Connect for GraphQL accesses your databases with the least privilege needed to get the data or perform the mutation you have requested.
  • REST API and GraphQL backends:
    • API Connect for GraphQL uses the correct authentication as required by the target data source, and protects your secrets and keys.
    • So that the backend can perform its own checks, API Connect for GraphQL also passes through the headers the backend needs (such as your JWT tokens or API Keys).
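The first point under Databases above (statically prepared SQL) is the property that matters for injection. The following added example, which is not API Connect for GraphQL code, shows why: a query built by string concatenation lets a value change the SQL text, while a prepared statement with a bound parameter only ever treats the value as data. It uses an in-memory SQLite table with constructed sample rows.

```python
# Added illustration (not product code): concatenated SQL vs. a statically
# prepared, parameterized statement, against a constructed in-memory table.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, plan TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "pro"), (2, "bob@example.com", "free")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the caller's value is spliced into the SQL text, so any
    quote character in it alters the statement the database parses."""
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the SQL text is fixed at build time; the value is bound as a
    parameter and compared as data, never parsed as part of the query."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def quote_safe(conn: sqlite3.Connection, email: str) -> bool:
    """True if the prepared lookup handles an input containing a quote
    without a syntax error (the concatenated form raises OperationalError)."""
    try:
        lookup_prepared(conn, email)
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    # A legitimate address with an apostrophe breaks the concatenated query
    # but is handled correctly by the prepared one.
    print(quote_safe(db, "o'brien@example.com"))  # True
    try:
        lookup_concatenated(db, "o'brien@example.com")
    except sqlite3.OperationalError as err:
        print("concatenated query failed:", err)
```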