Any interaction between a datacenter component (or any component) can be thought of as an API — a web server talking to a database server, a REST API talking to an API a client is using, or even a DNS protocol talking to the authoritative DNS server youre hosting. From a security angle, pretty much any attack must happen over APIs. Once APIs are defined, the threat surface is easier to define and protect. At one extreme, you can choose just to protect the Internet-facing APIs. At the other, choose to isolate all components and protect all APIs.”]
Source: https://www.darkreading.com/attacks-breaches/api-first-3-steps-for-building-secure-cloud-apps