So what’s the problem with the client interacting directly with the back-end service?

1. The client needs to know the address of each service

2. Each back-end service needs to implement authentication, traffic limiting, logging, monitoring, caching and other functions. Reinventing the wheel in every service greatly reduces development efficiency, and this common logic can be completely separated out.

3. If some of the back-end services change from previous HTTP/HTTPS calls to RPC calls, or if some of the parameters change, the client will need to make major adjustments.

API gateways were later introduced to solve these problems.

Once introduced, the API gateway takes over all incoming traffic, just like Nginx, and routes each request to the corresponding back-end service. The client no longer needs to care about back-end service addresses; it only invokes the gateway. In addition, the gateway adds functions on top of the traffic, including authentication, traffic limiting, log monitoring, alerting, access control, and protocol conversion, so that each back-end service only needs to concern itself with its own service logic.

We can take a brief look at some of the capabilities of the API gateway.

API registration

To expose a back-end service, the API gateway requires the back-end service (the API provider) to register API information with the gateway and to configure the back-end address for each API. The problem is that the APIs are then independent of each other, and there is no way to organize and manage the APIs that serve the same function together. To fit real-world service scenarios, API gateways use API groups: a set of APIs is managed as one group and configured with the same backend, so that users (API providers) manage not only individual APIs but also API groups.

The following figure shows the API gateway of Jingdong Cloud.

Identity authentication

Almost every back-end component depends on user information, so the caller must be identified. The API gateway therefore takes over authentication: it identifies the caller and passes the caller information on to the back-end service. There are many common authentication methods; they differ in how the identity information is carried and how it is protected (encrypted or signed), and security and performance are the main considerations when choosing between them. Here are some common ways to authenticate:

1. HTTP Basic Authentication

The user name and password are Base64-encoded and sent to the gateway in the Authorization header. The gateway verifies the user name and password.

Benefits: easy to call.

Drawbacks: not secure enough. The password travels with every request (Base64 is an encoding, not encryption), so HTTPS is generally required for transmission to prevent password leakage. The gateway also needs to invoke the remote user center service to look up the user and verify the user name and password.

2. HMAC authentication

The client computes an HMAC over the request information (including the user name, but not the password) using the password as the key, producing a hash value (the signature), and sends it to the gateway together with the request. The gateway looks up the password by user name, computes the HMAC over the request information it received, and compares the resulting signature with the one sent by the client. If the two match, the request information is intact and the authentication succeeds.

Benefits: more secure. The client never transmits the password to the gateway, and the signature prevents the request information from being tampered with.

Disadvantages: the gateway needs to invoke the remote user center service to look up the user's password, and the client has to generate a signature before every invocation, which makes calling less convenient.

Many signature-based authentication schemes build on HMAC authentication; for example, the AK/SK (access key/secret key) signature algorithms used by the API gateways of AWS, Jingdong Cloud and Ali Cloud are refinements of HMAC authentication.
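The HMAC exchange described above, as an added example that is not part of the original post or of any vendor's SDK. Both sides build the same canonical description of the request (method, path, user name, timestamp, body hash), the client signs it with the password, and the gateway recomputes the signature from a constructed stand-in for the user center. The field layout, the `USER_CENTER` store and the 300-second freshness window are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed stand-in for the remote user center: access key (user name) -> shared
# secret (password). Hypothetical values for this example only.
USER_CENTER = {"demo-user": "constructed-secret-1"}

# Requests signed more than this many seconds ago are refused, so a captured
# request and signature cannot be replayed indefinitely (assumed window; the
# text above does not specify one).
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, user, timestamp, body):
    """Deterministic byte string describing the request. Client and gateway must
    build it identically; the body is hashed so large payloads stay cheap."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, user, str(timestamp), body_hash]).encode()


def client_sign(secret, method, path, user, timestamp, body):
    """Client side: HMAC-SHA256 over the canonical string, keyed with the password.
    Only the hex signature, the user name and the timestamp travel to the gateway."""
    msg = canonical_string(method, path, user, timestamp, body)
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def gateway_verify(method, path, user, timestamp, body, signature, now=None):
    """Gateway side: fetch the secret for the user, recompute the signature over
    the request as received, and compare in constant time."""
    now = int(time.time()) if now is None else now
    secret = USER_CENTER.get(user)
    if secret is None:
        return False  # an unknown user is reported exactly like a bad signature
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated request
    expected = client_sign(secret, method, path, user, timestamp, body)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    ts = int(time.time())
    sig = client_sign("constructed-secret-1", "GET", "/v1/orders", "demo-user", ts, b"")
    print("valid request:", gateway_verify("GET", "/v1/orders", "demo-user", ts, b"", sig))
    print("tampered path:", gateway_verify("GET", "/v1/admin", "demo-user", ts, b"", sig))
```

Two details matter on the gateway side: the comparison uses `hmac.compare_digest` rather than `==`, so timing does not leak how many leading characters of a guessed signature were right, and the timestamp is part of the signed string, so the freshness check cannot be bypassed by editing the header.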

3. JWT authentication

JSON Web Token (JWT) is another common authentication and signature scheme. The client logs in to the user center server with its user name and password and obtains a token (which does not contain the password), which it stores on the client side. When the client calls the gateway with the token, the gateway parses the token, verifies it with the public key, and obtains the user information from it.

Benefits: high security, easy to call, and the gateway does not need to access the user center service.

Disadvantages: asymmetric cryptography (signature verification with the public key) consumes more computing resources.

Access control (authorization)

In many cases we don't want every user to have access to our interface, or we only want some users to have access to part of the content. The gateway controls user calls at the API or API group level, restricting which users may access certain groups or APIs. The most common access control component is the ACL. For more advanced access control, refer to the access control components of the major cloud vendors, such as IAM of AWS and RAM of Ali Cloud.

1. Access Control List (ACL)

An ACL binds a whitelist or blacklist of users to a specific API group or API. When a request passes through the gateway, the gateway checks whether the caller is on the whitelist or blacklist to decide whether to allow or deny the request.

2. IAM

Identity and Access Management (IAM) provides finer-grained permission control for sub-users. IAM defines permissions through a set of policies, each combining an interface name, a resource (parameter), and a permission type, so that permissions are controlled at the resource (parameter) level.

Traffic limiting

For systems with frequent traffic surges, such as the 618 and Double 11 promotions or major news events on Weibo, it is difficult to assess the traffic in time and prepare a response plan, and the end result can be that the entire service becomes unavailable. Traffic limiting is therefore necessary: when a surge exceeds the limiting threshold, limiting and degradation policies protect the core services. When selecting a traffic limiting solution, you need to choose the limiting algorithm and decide between single-machine limiting and distributed limiting.

1. Traffic limiting algorithms

The simple counter, the token bucket and the leaky bucket are the common traffic limiting algorithms. The simple counter counts the requests within a fixed period and rejects requests once the count exceeds the limit; this crude method cannot deal with sudden bursts. The token bucket adds tokens to a bucket at a fixed rate and rejects a request when no token is available, and the size of the bucket determines how large a burst is allowed. The leaky bucket works the other way round: it releases requests at a fixed rate and thereby smooths the traffic. So when we do not care about bursts at all, we can choose the simple counter; when we cannot tolerate any burst, we choose the leaky bucket; and when we allow a certain degree of burst, we choose the token bucket.
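The three algorithms side by side, as an added example written for this page (not code from the original post). Each limiter is driven by explicit arrival timestamps rather than the wall clock so that the difference in burst handling is visible: the counter resets at window boundaries, the token bucket admits a burst up to its capacity and then recovers at the refill rate, and the leaky bucket admits a burst into its queue but forwards the requests at the fixed drain rate. Rates, capacities and arrival times are constructed.

```python
class FixedWindowCounter:
    """Simple counting: at most `limit` requests per `window` seconds. The count
    resets at the window boundary, so up to 2*limit can pass within one second
    that straddles a boundary; it makes no attempt to shape bursts."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.window_start, self.count = None, 0

    def allow(self, now):
        if self.window_start is None or now - self.window_start >= self.window:
            self.window_start, self.count = now, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


class TokenBucket:
    """Tokens are added at `rate` per second up to `capacity`; each request spends
    one. A full bucket lets a burst of `capacity` requests through at once."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LeakyBucket:
    """Requests queue in a bucket holding at most `capacity` of them and leave at a
    fixed `rate` per second, so the output is smoothed whatever the input does.
    admit() returns the time the request is forwarded, or None if the bucket is full."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.busy_until = None  # when the last admitted request leaves the bucket

    def admit(self, now):
        if self.busy_until is None or self.busy_until <= now:
            queued, departs_at = 0.0, now
        else:
            queued = (self.busy_until - now) * self.rate  # requests still inside
            departs_at = self.busy_until
        if queued >= self.capacity:
            return None
        self.busy_until = departs_at + 1.0 / self.rate
        return departs_at


def run(limiter, arrivals):
    """Apply a limiter to a list of arrival timestamps (seconds) and return its verdicts."""
    decide = limiter.admit if isinstance(limiter, LeakyBucket) else limiter.allow
    return [decide(t) for t in arrivals]


if __name__ == "__main__":
    burst = [0, 0, 0, 0]  # four requests arriving at the same instant
    print("token bucket:", run(TokenBucket(rate=1, capacity=3), burst + [2.0, 2.0, 2.0]))
    print("leaky bucket:", run(LeakyBucket(rate=2, capacity=3), burst + [1.0]))
    print("fixed window:", run(FixedWindowCounter(limit=3, window=1), [0, 0.1, 0.2, 0.3, 1.0]))
```

For the same four-request burst the token bucket answers yes/yes/yes/no immediately, while the leaky bucket answers with departure times 0, 0.5 and 1.0 seconds and drops the fourth; that is the "allow some burst" versus "smooth the traffic" choice the paragraph describes.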

2. Single-machine traffic limiting

With single-machine traffic limiting, the call count is stored locally. There is no frequent interaction with remote nodes, so performance is high.

3. Distributed traffic limiting

With distributed traffic limiting, the call count is stored on a remote node such as Redis. Every check requires a round trip to the remote node, so performance is lower. Why use it, then? In some scenarios (especially an API gateway), the traffic limiting value is configured by users, so the limit has to be enforced accurately across all gateway nodes. A compromise is to keep a small number of calls locally and synchronize them to the remote node in batches. This reduces the number of calls to the remote node dramatically, with some loss of accuracy that stays within an acceptable range.
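The compromise described above, as an added example that is not part of the original post. Each gateway node claims a batch of permits from a shared counter with one atomic increment (modelled here by a constructed in-memory `RemoteCounter` standing in for a Redis INCRBY) and serves requests from local memory until the batch is used up, so the number of remote round trips drops by a factor of the batch size; the permits a node claimed but never used are the accuracy cost. The limit, batch size and window key are constructed values.

```python
class RemoteCounter:
    """Constructed in-memory stand-in for a shared Redis counter. incrby() mirrors
    the atomic INCRBY command and also counts how often it was called."""

    def __init__(self):
        self.counts = {}
        self.round_trips = 0

    def incrby(self, key, amount):
        self.round_trips += 1
        self.counts[key] = self.counts.get(key, 0) + amount
        return self.counts[key]


class BatchedLimiter:
    """One gateway node's view of a shared limit. Instead of contacting the remote
    counter on every request it claims `batch` permits at a time and serves them
    locally; only when the local permits run out does it go remote again."""

    def __init__(self, remote, limit, batch):
        self.remote, self.limit, self.batch = remote, limit, batch
        self.window, self.local_permits, self.exhausted = None, 0, False

    def allow(self, window_key):
        if window_key != self.window:  # a new time window: forget local state
            self.window, self.local_permits, self.exhausted = window_key, 0, False
        if self.exhausted:
            return False  # remote already reported this window as full: no more trips
        if self.local_permits == 0:
            total_claimed = self.remote.incrby(window_key, self.batch)
            # Permits claimed beyond the shared limit are not usable.
            overshoot = max(0, total_claimed - self.limit)
            self.local_permits = max(0, self.batch - overshoot)
            if self.local_permits == 0:
                self.exhausted = True
                return False
        self.local_permits -= 1
        return True


if __name__ == "__main__":
    remote = RemoteCounter()
    node_a = BatchedLimiter(remote, limit=10, batch=4)
    node_b = BatchedLimiter(remote, limit=10, batch=4)
    print("node A:", [node_a.allow("window-1") for _ in range(6)])
    print("node B:", [node_b.allow("window-1") for _ in range(6)])
    print("remote round trips:", remote.round_trips, "for 12 requests")
    print("permits claimed by A but unused:", node_a.local_permits)
```

With a shared limit of 10 and a batch of 4, twelve requests across two nodes cost four round trips instead of twelve, and eight requests are admitted rather than ten because node A still holds two unused permits: the limit is never exceeded, but it may be under-used by up to `batch - 1` per node.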

Security

Security is an indispensable function of the API gateway. Authentication, access authorization, traffic limiting and the other functions above guarantee the security and stability of back-end services to a certain extent, but they are far from enough. The gateway's security defenses also include IP address restrictions and a WAF.

1. IP restrictions

IP address whitelists and blacklists allow or deny access to back-end services from particular IP addresses or address ranges.
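The ACL check from the access control section and the IP restriction just described, combined in one evaluation as an added example that is not part of the original post or of any vendor's gateway. Each API group and each API can carry user and IP whitelists and blacklists; the gateway evaluates the group's lists and then the API's own, with any blacklist hit denying before whitelists are consulted. The `Acl` model, scope names and the sample configuration are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Acl:
    """Lists bound to one API group or one API. Empty lists impose no restriction.
    Constructed model for this example, not any vendor's schema."""
    user_whitelist: set = field(default_factory=set)
    user_blacklist: set = field(default_factory=set)
    ip_whitelist: list = field(default_factory=list)   # ip_network objects
    ip_blacklist: list = field(default_factory=list)


def networks(cidrs):
    """Parse CIDR strings (or single addresses) into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ip_matches(addr, nets):
    return any(addr in net for net in nets)


def evaluate(chain, user, client_ip):
    """chain: [(scope_name, Acl), ...] with the API group's ACL first and the API's
    own ACL second. Blacklists at every level are checked before any whitelist, so a
    deny always wins; a whitelist, where one is configured, must then contain the caller."""
    addr = ipaddress.ip_address(client_ip)
    for scope, acl in chain:
        if user in acl.user_blacklist:
            return False, f"user blacklisted at {scope}"
        if ip_matches(addr, acl.ip_blacklist):
            return False, f"ip blacklisted at {scope}"
    for scope, acl in chain:
        if acl.user_whitelist and user not in acl.user_whitelist:
            return False, f"user not whitelisted at {scope}"
        if acl.ip_whitelist and not ip_matches(addr, acl.ip_whitelist):
            return False, f"ip not whitelisted at {scope}"
    return True, "allowed"


# Constructed configuration: the "orders" group is reachable only from the
# 10.0.0.0/8 range and never by user "banned"; the refund API is further limited
# to the "finance" user.
ORDERS_GROUP = Acl(user_blacklist={"banned"}, ip_whitelist=networks(["10.0.0.0/8"]))
REFUND_API = Acl(user_whitelist={"finance"})


def check_refund(user, client_ip):
    chain = [("group:orders", ORDERS_GROUP), ("api:orders/refund", REFUND_API)]
    return evaluate(chain, user, client_ip)


def check_list(user, client_ip):
    chain = [("group:orders", ORDERS_GROUP), ("api:orders/list", Acl())]
    return evaluate(chain, user, client_ip)


if __name__ == "__main__":
    for user, ip in [("finance", "10.1.2.3"), ("alice", "10.1.2.3"),
                     ("alice", "203.0.113.5"), ("banned", "10.1.2.3")]:
        print(f"refund {user}@{ip}:", check_refund(user, ip))
```

Returning the scope in the reason string is deliberate: when a call is denied, the gateway's access log can say which list at which level rejected it, which is what an API provider needs when debugging a misconfigured ACL.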

2. WAF

A web application firewall (WAF), that is, an application-level intrusion prevention system, checks the validity of requests at a finer granularity through security policies, so as to guarantee the application-level security of back-end services.

Logging

Because the API gateway takes over all inbound traffic, it holds rich call logs, and a lot can be done for back-end services by leveraging them. API gateway logs usually include access logs, error logs and audit logs. Access logs record the complete call chain, total request time, time spent in the gateway, request method, request body size, response body size, response status code, user ID, API group ID, API ID, and whether the request was forwarded to the backend. Audit logs are more complete: in addition to everything in the access logs, they record request parameters, response parameters, user information and other specifics. Here is a brief list of what API gateway logging can do:

1. Simple log queries.

2. Output the logs of a specified API group to a specified file, an HTTP/HTTPS back end, a TCP back end, a UDP back end, Kafka or another destination for further processing by the API provider.

3. Output the logs of specified API groups to services such as DataDog, Prometheus and Zipkin for log statistics, analysis and monitoring.

4. Feed the billing function, which charges according to the number of calls and the inbound and outbound traffic.

Monitoring

The monitoring platform of the API gateway monitors APIs and API groups and raises alerts in a unified manner. The API provider configures alert rules on the platform and views real-time monitoring data there, including QPS, success/failure count distribution, response status distribution, response time distribution, per-user call count distribution, and traffic distribution. As described in the logging section, if the API provider needs additional custom monitoring, it can feed the logs into Prometheus for further processing.
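Both the logging list and the monitoring data above are derived from the gateway's access log, so here is one added example (not code from the original post or from any gateway product) that parses a constructed JSON access log carrying the fields listed in the logging section and computes the monitoring figures and billing inputs the two sections mention: peak QPS, status and success/failure distribution, response time percentiles, per-user calls and traffic, plus a pair of constructed alert rules. The field names, the sample records and the alert thresholds are all assumptions made for this example.

```python
import json
import math
from collections import Counter

# Constructed sample access log: one JSON record per line. Field names are
# assumptions modelled on the fields listed above; "to_backend" is false when the
# gateway itself answered (here an authentication failure and a traffic-limit reject).
SAMPLE_LOG = """
{"ts": 1700000000.10, "api_group": "orders", "api": "list",   "user": "u1", "method": "GET",  "status": 200, "total_ms": 42,  "gateway_ms": 3, "req_bytes": 120, "resp_bytes": 2048, "to_backend": true}
{"ts": 1700000000.35, "api_group": "orders", "api": "create", "user": "u2", "method": "POST", "status": 201, "total_ms": 88,  "gateway_ms": 4, "req_bytes": 900, "resp_bytes": 310,  "to_backend": true}
{"ts": 1700000000.80, "api_group": "orders", "api": "list",   "user": "u1", "method": "GET",  "status": 200, "total_ms": 40,  "gateway_ms": 2, "req_bytes": 120, "resp_bytes": 2048, "to_backend": true}
{"ts": 1700000001.05, "api_group": "orders", "api": "list",   "user": "u3", "method": "GET",  "status": 401, "total_ms": 1,   "gateway_ms": 1, "req_bytes": 100, "resp_bytes": 64,   "to_backend": false}
{"ts": 1700000001.40, "api_group": "orders", "api": "list",   "user": "u2", "method": "GET",  "status": 500, "total_ms": 250, "gateway_ms": 3, "req_bytes": 110, "resp_bytes": 80,   "to_backend": true}
{"ts": 1700000001.70, "api_group": "orders", "api": "list",   "user": "u1", "method": "GET",  "status": 429, "total_ms": 1,   "gateway_ms": 1, "req_bytes": 120, "resp_bytes": 48,   "to_backend": false}
{"ts": 1700000002.20, "api_group": "orders", "api": "create", "user": "u2", "method": "POST", "status": 200, "total_ms": 95,  "gateway_ms": 5, "req_bytes": 850, "resp_bytes": 300,  "to_backend": true}
{"ts": 1700000002.90, "api_group": "orders", "api": "list",   "user": "u1", "method": "GET",  "status": 200, "total_ms": 38,  "gateway_ms": 2, "req_bytes": 120, "resp_bytes": 2048, "to_backend": true}
"""


def parse_access_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def percentile(values, p):
    """Nearest-rank percentile (p in 0..1) over a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def summarize(records):
    """The monitoring figures listed above, computed over one batch of records."""
    per_second = Counter(int(r["ts"]) for r in records)
    success = sum(1 for r in records if r["status"] < 400)
    times = [r["total_ms"] for r in records]
    return {
        "requests": len(records),
        "peak_qps": max(per_second.values()),
        "status": dict(Counter(r["status"] for r in records)),
        "success": success,
        "failure": len(records) - success,
        "p50_ms": percentile(times, 0.50),
        "p99_ms": percentile(times, 0.99),
        "calls_per_user": dict(Counter(r["user"] for r in records)),
        "bytes_in": sum(r["req_bytes"] for r in records),
        "bytes_out": sum(r["resp_bytes"] for r in records),
        "rejected_at_gateway": sum(1 for r in records if not r["to_backend"]),
    }


def usage_per_user(records):
    """Per-user call count and traffic: the two quantities billing is based on."""
    usage = {}
    for r in records:
        u = usage.setdefault(r["user"], {"calls": 0, "bytes_in": 0, "bytes_out": 0})
        u["calls"] += 1
        u["bytes_in"] += r["req_bytes"]
        u["bytes_out"] += r["resp_bytes"]
    return usage


def evaluate_alerts(summary, max_failure_ratio=0.2, max_p99_ms=200):
    """Constructed alert rules of the kind an API provider configures on the
    monitoring platform; returns the names of the rules that fired."""
    fired = []
    if summary["failure"] / summary["requests"] > max_failure_ratio:
        fired.append("failure_ratio")
    if summary["p99_ms"] > max_p99_ms:
        fired.append("p99_latency")
    return fired


if __name__ == "__main__":
    records = parse_access_log(SAMPLE_LOG)
    summary = summarize(records)
    print(json.dumps(summary, indent=2))
    print("usage:", usage_per_user(records))
    print("alerts:", evaluate_alerts(summary))
```

The `rejected_at_gateway` figure is worth keeping separate from the failure count: a 401 or 429 answered by the gateway never reached the backend, so it says something about callers and limits rather than about the health of the service behind the gateway.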

API market

An API market is an effective way to commercialize APIs. The API gateway publishes an API to the API market for other users to purchase and use, calculates the fees according to the number of calls or the traffic, and in the end helps the API provider earn revenue.

Of course, the API gateway does much more than that, including parameter validation, parameter transformation, protocol transformation, limits on request and response body size, cross-origin access restrictions, mock services, Serverless, back-end routing, service discovery, caching, fault tolerance and degradation, canary releases, blue-green deployment, and more. In short, the API gateway not only provides a better experience and stronger guarantees for back-end services, but also greatly shortens the cycle for bringing an API online, simplifies the operation and maintenance of APIs, and ultimately enables the commercialization of APIs, which is of great value and far-reaching significance.
