API gateway of Yonyou Cloud Open platform

With the rapid development of the Internet, it has stepped into the era of mobile Internet and Internet of Things. The internal systems of enterprises, the sharing between enterprises and customers, the upstream and downstream of enterprise supply chain, and even the socialized public data have put forward new requirements for system architecture.

With the strong rise of micro-service framework, more enterprises quickly complete the API-ization inside the enterprise. However, under the strong demand of enterprise supply chain and socialized open data and ability, security, isolation and sharing have become rigid demands, so API gateway has become a necessary product for enterprise opening.

Many Internet platforms have built API gateways of their own platforms based on the design idea of gateway, such as JINGdong, Ctrip and Vipshop in China, and Netflix and Amazon in foreign countries.

There are several aspects to consider when using existing or homegrown API gateways.

1. Safety and protection

Large enterprises regard network security as the top priority of informatization. As the external export of enterprise data and services, the API gateway must carry basic security protection functions, preventing injection, replay, tampering, DDOS attacks of a certain scale, and filtering illegitimate traffic by user-defined rules.

2. Performance and stability

API gateways will be the core of enterprise applications, where performance and availability are the most fundamental requirements.

(1) In terms of performance, it is better to make the time consumption increased by the gateway as short as possible. Personally, IT is less than 10ms. The system needs to use non-blocking IO, such as Epoll and NIO. The interaction between the gateway and various dependencies also needs to be non-blocking to ensure high performance for the overall system.

(2) The gateway must support cluster deployment and high availability, be able to scale, support high concurrency and large traffic, at the same time, any node down will not affect the overall availability.

(3) As many gateways as possible should support the same management platform and the same monitoring center. For example, an enterprise OpenAPI gateway and different microservice gateways for multiple systems clusters of internal applications can be monitored in the same monitoring center.

3. Scalability and maintainability

Enterprise needs are diverse and constantly changing. As the core component of the base platform, it should provide secondary development capability, facilitate expansion and flow through with other base platforms

4. Demand matching degree

It is necessary to evaluate whether each API gateway can meet the requirements. For example, if the OpenAPI platform needs to use API gateway, it is necessary to consider whether the product can meet the requirements based on OpenAPI core requirements such as partner application access, partner portal integration and access quota. If it is a microservice gateway, it is necessary to consider whether the product is strong enough from the aspects of microservice operation, maintenance, monitoring and management.

1. Enterprise security isolation

When the internal system integrates with the public cloud or external system, it needs a clear boundary to ensure the unified control and management of its own enterprise’s service data security and permissions. When the API gateway opens data and provides capabilities to the outside world, it needs to provide various security authentication standards.

2. Unified management and global entry

Under the micro-service architecture, services are fragmented, which reduces the degree of coupling and increases the difficulty of unified management of services.

The API gateway needs to analyze and manage the global open traffic entry because it lacks global view management and monitoring capabilities.

3. Cross-platform, cross-language, easy integration, convenient extension

Yonyou cloud platform is a micro-service governance platform developed based on JAVA language, which is very convenient to call in JAVA language. However, SideCar needs to be developed when calling micro-services in PHP, C series and other languages, which causes the complexity of integration. API gateway provides standard restful interface, which provides great convenience for product integration.

At present, the open source API Gateway is mainly based on Nginx, ZUUL, Spring Cloud Gateway, Linkerd and other open source projects, but each has its own characteristics:

Linkerd is also a very promising project. It is the only production-level Service Mesh on the market, based on Scala. However, it has few materials, high learning costs, difficult secondary development and function extension, and the overall development ecosystem has not been established.

Spring Cloud Gateway is an embedded Zuul proxy created by Spring Cloud, so both are essentially Netflix Zuul, Zuul performance is good, Zuul 2.0 itself uses Netty NIO, increased complexity. Zuul1.0 and the Spring framework are also native integrated, based on the JAVA development language, and can be combined with Eureka, Ribbon, Hystrix and other accessories: Zuul 1.0 has been open source for more than six years. It’s easy to use, and it’s been proven in the field. Zuul 2.0 still has some work to do in very large connected applications, but overall, Zuul is a good technology choice in a strong Java ecosystem.

Nginx ecosystem of Nginx+Lua+ C, mainly on behalf of the products have kong and other open source products. Since Kong opened source on Github in 2015, there have been more than 16,900 stars. Its core value lies in stability, high performance and easy expansion. Tengine based on Nginx + C is still widely used in Alibaba Group and still in its prime. Jingdong is using nGINx + Lua this technical framework to confirm the best practice of hundreds of millions of traffic. Although the development efficiency is low, the gateway logic is simple and stable enough that this combination of technologies is particularly appropriate for such a business scenario. The core part of YONyou cloud API gateway is developed based on this framework.

The API Gateway provides full lifecycle management of the API. Assist users to open data, business logic or functions safely and reliably in a simple, fast, low-cost and low-risk manner, so as to realize their own system integration and business connections with partners. At present, it has been successfully applied to Yonyou cloud open platform, APILink.

Product features:

1. Security protection

Supports basic functions such as security authentication, custom traffic filtering, blacklist and whitelist, service degradation, traffic limiting, and circuit breaker.

2.API lifecycle management

Provides life-cycle management for API creation, maintenance, publishing, running, and offline operations. Overrides API definitions, tests, and releases to deploy the API. It also provides easy daily management, version management, support for prior version upgrades, and fast rollback. Save the workload and manpower caused by API management.

3. Request management and link tracing

After the request passes through the API gateway, the parameter type and parameter value can be verified according to your configuration, reducing the resource consumption and processing cost of the backend for illegal and invalid requests. At the same time, you can define parameter mapping rules in the API gateway. The gateway can use the mapping rules to translate back-end services into any form to meet the different requirements of different users, thus avoiding repetitive development of functions. The link tracing mechanism of request process facilitates problem locating.

4. Monitor alarms and perform statistical analysis

Provides real-time and visual API monitoring, including call volume, call mode, response time, and error rate, enabling you to clearly understand DETAILED API information and analyze user behaviors. Convenient operation and maintenance management for users, in order to facilitate the later iteration and maintenance of API, improve efficiency. Supports user-defined alarm rules to alarm abnormal situations and shorten the troubleshooting time.