
How to construct a suitable Enterprise API Gateway

2025-04-01 update, from SLTechnology News & Howtos (shulou), Internet Technology


Shulou(Shulou.com)05/31 Report--

In this issue, the editor explains how to build a suitable enterprise API gateway. The article is rich in content and analyzes the topic from a professional point of view; I hope you get something out of it.

An API Gateway (API GW), as its name implies, is an API-oriented, serial, centralized management and control service that sits on the system boundary. The boundary here is the boundary of the enterprise IT system, and the gateway's main role is to isolate external access from the internal system. Before the concept of micro-services became popular, API gateways already existed in practice, for example the front-end processor systems common in banking and securities, which likewise solved the problems of access authentication, message conversion, access statistics and so on.

The popularity of the API gateway stems from the rise in recent years of demand for interconnection between mobile applications and enterprises. This interconnection expands the objects supported by back-end services from a single Web application to a variety of usage scenarios, and each scenario places different requirements on the back-end service. This not only increases the responsibilities of the back-end service but also increases its complexity. With the introduction of the micro-service architecture concept, the API gateway has become a standard component of micro-service architecture.

One: several usage scenarios of gateways

1. Facing Web App

This scenario is front-end/back-end separation in physical form. Here the Web App is no longer a full-featured Web App, but a scenario-specific App customized for a particular scene.

2. Facing Mobile App

In this scenario the mobile App is the consumer of the back-end Service, and the API GW also needs to take on part of the MDM role (mobile device management here, not master data management).

3. Facing Partner OpenAPI

In this scenario, to open up business capabilities and build an ecosystem with external partners, the API GW needs to add a series of security control functions such as quotas, flow control, tokens and so on.

4. Facing Partner ExternalAPI

This scenario is rarely mentioned in the industry; most of the time systems are built to meet the enterprise's own business needs and map onto its own business. As the Internet gradually reshapes traditional enterprises, many systems rely on the capabilities of external partners in order to import traffic or content. Typical examples are "login with a partner account" and "pay through a third-party payment platform". Here the API GW needs to provide unified authentication, authorization (in a multi-tenant form) and access control for calls from the enterprise's internal Services to external APIs.

The API gateway under the micro-service architecture discussed here generally refers to the first three scenarios, that is, it mainly exposes the enterprise's internal API capabilities to other applications or partners. As a baffle between client and server, the gateway layer plays three main roles:

The first function is isolation: as the boundary of the enterprise system, it isolates the external network from the internal network.

The second function is decoupling: it lets each party in the micro-service system adjust independently, freely, efficiently and flexibly without worrying about the impact on the others.

The third function is scaffolding: through an extension mechanism it provides a place where a series of processing steps can be applied to requests.

Two: the benefits of the gateway

The main benefits are as follows:

(1) the gateway layer isolates the outside from the inside, which protects the security of back-end services.

(2) external access control moves from the network level to the operations level, reducing the process and error cost of changes.

(3) coupling between client and service is reduced, and services can evolve independently; the mapping is done in the gateway layer.

(4) through aggregation at the gateway layer, the frequency of external access is reduced and access efficiency is improved.

(5) back-end service development cost is saved and launch risk is reduced.

(6) a simple scheme is provided for service circuit breaking, grayscale release and online testing.

(7) it is easy to extend.

Three: factors to be considered in an API gateway

1. Security issues

When exposing services for external use, an enterprise must first ensure the security of service use and prevent malicious external access from affecting the company's business, especially for services involving transactions; security must be considered comprehensively. To ensure security we need to consider the establishment of the communication link, encryption of communication data, data integrity, non-repudiation and so on.

2. Performance issues

As the entrance to the enterprise's APIs, all requests are forwarded through the API gateway. The pressure on the gateway is therefore huge; some websites reach tens of millions of visits per minute. Especially in Internet enterprises, a large number of mobile terminals interact with back-end services all the time. If high gateway performance cannot be guaranteed, the enterprise has to invest heavily in equipment and cost at the gateway layer. In one Internet company, gateway performance problems meant the number of gateway machines had to keep pace with the number of back-end servers, a situation that is obviously unacceptable for enterprise services.

3. High availability issues

As a logical single point, a failure of the API gateway makes the enterprise's services unavailable, which can be fatal for the enterprise. Even a short period of unavailability brings direct economic losses. Therefore, how to keep the API gateway running stably 24 hours a day, automatic scaling of the gateway and hot update of APIs are all issues an enterprise gateway must consider.

4. Scalability problem

As mentioned earlier, the enterprise gateway provides scaffolding for non-functional concerns such as logging, security, load balancing policy, authentication and so on. These plug-ins are continuously strengthened and adjusted as the enterprise's business scale changes. The gateway layer therefore needs a mechanism that allows these adjustments to be made flexibly without frequent changes to the gateway layer itself, so that its stability is preserved.

5. Efficient operation and maintenance of APIs

APIs need the cooperation of the gateway layer during launch and publication. For example, the gateway layer needs to know the API's release address, its interface form and message format, and it wraps the back-end API. After an API is adjusted, corresponding changes must be made. Therefore, when designing the API gateway we need to clearly define the division of responsibilities and the cooperation mode between the gateway layer and the service layer, so that API management and release are more efficient.

6. API lifecycle management

The whole life cycle of API services includes service development, testing, online release, application for and activation of service use, service classification and level management, service usage monitoring, billing and so on.

An enterprise may expose hundreds of APIs, and every day APIs are released, upgraded, modified and removed. For different services, different visitors need different access policies. Some commercial API companies also charge for API use. Therefore, alongside the API gateway we need a complete self-service system through which service providers, managers and users can release, use and operate services.

Four: API gateway schemes commonly used in the industry

1: Nginx + Lua

Basic functions:

(1) static web resource server, which can cache open file descriptors

(2) reverse proxy supporting http/imap/pop3/smtp; supporting caching and load balancing

(3) FastCGI (fpm) support

(4) modular, non-DSO mechanism; supports filters such as gzip compression, SSI and image resizing

(5) SSL support

Extended functions of Nginx:

(1) name-based and IP-based virtual hosts

(2) support for the keepalive connection-retention mechanism

(3) support for smooth upgrade

(4) custom access logs, with a log cache to improve log-writing performance

(5) URL rewrite support

(6) path aliases are supported (specified by root or alias)

(7) access control based on IP and users

(8) support transmission rate limit and concurrency limit

In terms of performance and high availability:

Nginx has extremely high performance. Its event-driven design, fully asynchronous network I/O handling, very few inter-process switches and many other optimizations make Nginx naturally good at handling Internet requests under high concurrency. The stability of Nginx has been verified on major websites. The commonly used official modules are very stable, and each worker process is relatively independent: when a worker process fails, the master process can quickly "pull up" a new worker subprocess to keep serving. Hot deployment is supported, so configuration files, log files and the server program version can be updated without downtime.

Scalability:

Nginx is designed to be very extensible: it is composed entirely of many modules of different functions, levels and types with very low coupling. Therefore, when fixing a bug or upgrading a module, you can focus on that module alone without regard to the others.

For ease of use:

Nginx is released under the permissive BSD license, which allows users to use or modify the Nginx source code directly in their own projects, and a large number of plug-ins are available. However, Nginx modules must be developed in C and must follow a complex set of rules. Although integration with scripting languages such as Perl and Lua is available through third-party modules, the demands on users are still high.

2: Spring Cloud Zuul

Basic functions

Authentication and security: identify the authentication requirements for each type of resource and reject requests that do not meet them.

Auditing and monitoring: track meaningful data and statistics at the edge, giving an accurate picture of production status.

Dynamic routing: dynamically route requests to different back-end clusters as needed.

Stress testing: gradually increase load to the cluster to measure its performance level.

Load shedding: allocate capacity for each load type and discard requests that exceed the limit.

Static response handling: build some responses directly at the edge so they do not flow into the internal cluster.

Netflix also uses Zuul's features for precise routing and stress testing of canary versions.

Although the features provided are relatively rich, the implementations are relatively weak, so it is difficult to meet demanding scenarios.

Performance and high availability

Zuul handles each request on one thread. Typically, to improve performance, all requests are placed in a processing queue and idle threads from the thread pool pick them up. At the end of 2016 Netflix upgraded its gateway service Zuul; the new Zuul 2 changed HTTP request processing from synchronous to asynchronous to improve throughput. Outside Netflix, Zuul is rarely used in enterprises at present, and its performance and stability need further observation.

Scalability

As can be seen from Zuul's architecture diagram, Zuul is more like a filter framework: its own routing, logging, reverse proxy, DDoS prevention and other functions are all implemented as filters. Four extension points, PRE, ROUTING, POST and ERROR, make it easy to add custom filters.

Ease of use

Zuul is easy to build, use and configure. Its open source community is active and updates constantly, but releases are not very stable and there are still pitfalls in use. For example, redirection and exception handling are not handled well, so you need to rewrite some filters yourself.

3: Mashape Kong

One of the most attractive things about Kong is that it provides a large number of plug-ins to extend applications, and various enhanced functions can be provided for services by setting different plug-ins. Kong default plug-ins include:

Identity authentication: Kong provides Basic Authentication, Key authentication, OAuth 2.0 authentication, HMAC authentication, JWT and LDAP authentication implementations.

Security: ACL (access control), CORS (cross-origin resource sharing), dynamic SSL, IP restrictions, crawler detection.

Flow control: request rate limiting (based on request count), upstream response rate limiting (based on upstream response count), request size limiting. Rate limiting supports local, Redis and cluster modes.

Analysis and monitoring: Galileo (records request and response data for API analysis), Datadog (records API metrics such as request count, request size, response status and latency, and visualizes them), Runscope (records request and response data for API performance testing and monitoring).

Transformation: request transformation, response transformation.

Kong itself is based on Nginx, so performance and stability are not a concern. As commercial software, Kong has done a lot of extension work on Nginx, and there are many paid commercial plug-ins. Kong has a paid enterprise version that includes technical support, training and API analytics plug-ins.

From the comparison of the above three options, we can see that Spring Cloud Zuul is very suitable for early-stage teams to quickly build a "basically available" API gateway. Nginx is suitable for enterprises to develop their own API gateways with a strong R & D team. Kong is suitable for companies that do not have their own R & D team, but need to have enterprise-class API gateway capabilities.

Five: how to design a good enterprise API gateway product

1: functional requirements

1) API lifecycle management:

Covers the whole lifecycle of API definition, testing and release; convenient daily management, version management, support for hot upgrade and fast rollback.

2) development and usage support:

Provide page debugging tools to automatically generate API documents and SDK, greatly reducing labor costs.

3) security protection:

When an API request arrives at the gateway, it must pass strict identity authentication and permission checks before it can reach the back-end service. Support for algorithm-based request signing and SSL encryption.
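The following is an added example, not code from the article or from any gateway product it mentions, of how a gateway can verify an algorithm-based request signature before forwarding. The header names, the canonicalization rules, the APP_SECRETS store and the replay window are assumptions made for this illustration.

```python
# Added example (not from the article): gateway-side verification of a
# signed API request. Header names, canonical form, APP_SECRETS and the
# replay window are assumptions for this illustration.
import hashlib
import hmac
import time

# Constructed sample credential store: app key -> shared secret.
# A real gateway loads these from a secrets service, never from source.
APP_SECRETS = {
    "app-demo": b"demo-secret-do-not-reuse",
}

# A signed request whose timestamp is older than this is rejected (replay window).
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, query, timestamp, body):
    """Build the string both client and gateway sign.

    Everything that affects the back-end action is covered: method, path,
    sorted query parameters, timestamp and a digest of the body.
    """
    sorted_query = "&".join(f"{k}={query[k]}" for k in sorted(query))
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, sorted_query, str(timestamp), body_digest])


def sign(app_key, method, path, query, timestamp, body):
    """Client-side signing, shown so the example is self-contained."""
    secret = APP_SECRETS[app_key]
    msg = canonical_string(method, path, query, timestamp, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_signature(headers, method, path, query, body, now=None):
    """Gateway-side check. Returns (ok, reason) so the caller can log the reason."""
    now = time.time() if now is None else now
    app_key = headers.get("X-App-Key")
    secret = APP_SECRETS.get(app_key)
    if secret is None:
        return False, "unknown app key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    msg = canonical_string(method, path, query, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    ts = int(time.time())
    q = {"b": "2", "a": "1"}
    sig = sign("app-demo", "POST", "/v1/orders", q, ts, b'{"sku":"x"}')
    hdrs = {"X-App-Key": "app-demo", "X-Timestamp": str(ts), "X-Signature": sig}
    print(verify_signature(hdrs, "POST", "/v1/orders", q, b'{"sku":"x"}'))
```

The timestamp check bounds replays to a short window; a gateway that must reject replays entirely within that window would additionally record a per-request nonce in a shared store.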

4) flow control:

The number of times an API may be called per unit of time can be controlled, protecting the enterprise's back-end services and enabling business and user tiering. API-level traffic control is supported: different limits can be configured according to the importance of each API to keep important business running stably. User-, application- and exception-level traffic control is supported: different limits can be configured according to the importance of each user, protecting the interests of large customers. Flow control granularity: minutes, hours, days.
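The following is an added example, not code from the article, of a multi-rule flow controller that applies per-API and per-user limits at minute, hour and day granularity. The rule format, the FlowController class and the in-memory counter store are assumptions; a real gateway keeps the counters in Redis or another shared store so every gateway node sees the same totals.

```python
# Added example (not from the article): fixed-window flow control with
# per-API and per-user rules. FlowController, its rule format and the
# in-memory counters are assumptions for this illustration.
from collections import defaultdict

WINDOW_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}


class FlowController:
    """Fixed-window counters keyed by (rule, subject, window number).

    In production the counters live in a shared store (e.g. Redis) so that
    all gateway instances enforce the same limit.
    """

    def __init__(self, rules):
        # rules: list of (scope, granularity, limit); scope is "api" or "user".
        self.rules = rules
        self.counters = defaultdict(int)

    def check(self, api, user, now):
        """Return (allowed, reason).

        Counters are consumed only when every rule passes, so a request that
        is rejected by one rule does not use up quota under another.
        """
        keys = []
        for idx, (scope, gran, limit) in enumerate(self.rules):
            subject = api if scope == "api" else user
            window = int(now // WINDOW_SECONDS[gran])
            key = (idx, subject, window)
            if self.counters[key] >= limit:
                return False, f"{scope} {subject} exceeded {limit}/{gran}"
            keys.append(key)
        for key in keys:
            self.counters[key] += 1
        return True, "ok"


if __name__ == "__main__":
    # Constructed rules: 3 calls per minute per API, 5 per day per user.
    fc = FlowController([("api", "minute", 3), ("user", "day", 5)])
    for i in range(5):
        print(i, fc.check("/orders", "alice", 1_000_000 + i))
```

Old windows are never read again, so a periodic sweep (or a TTL on the store keys) keeps the counter table bounded.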

5) request management:

Parameter types and values (range, enumeration, regular expression, JSON Schema) can be checked against configuration, reducing the back-end resource consumption and processing cost of illegal and invalid requests. Parameter mapping rules can be defined in the API gateway; through these rules the gateway translates the back-end service into whatever form different users need, avoiding repeated development of the same function.
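The following is an added example, not code from the article, of configuration-driven parameter validation at the gateway covering the type, range, enumeration and regular-expression checks listed above. The rule format, the validate_params function and the sample API rule set are assumptions constructed for this illustration.

```python
# Added example (not from the article): configuration-driven parameter
# validation. Rule format, validate_params and ORDER_QUERY_RULES are
# assumptions constructed for this illustration.
import re

# Constructed sample rule set for one front-end API's query parameters.
ORDER_QUERY_RULES = {
    "page":   {"type": int, "min": 1, "max": 1000, "required": False, "default": 1},
    "status": {"type": str, "enum": ["open", "paid", "shipped"], "required": True},
    "sku":    {"type": str, "regex": r"^[A-Z0-9-]{3,20}$", "required": True},
}

_TYPE_PARSERS = {int: int, float: float, str: str}


def validate_params(rules, raw):
    """Check raw query parameters (all strings) against the rules.

    Returns (cleaned, errors). Unknown parameters are rejected so the back-end
    never receives fields the API contract does not declare.
    """
    cleaned, errors = {}, []
    for name in raw:
        if name not in rules:
            errors.append(f"{name}: unexpected parameter")
    for name, rule in rules.items():
        if name not in raw:
            if rule.get("required"):
                errors.append(f"{name}: missing")
            elif "default" in rule:
                cleaned[name] = rule["default"]
            continue
        try:
            value = _TYPE_PARSERS[rule["type"]](raw[name])
        except (ValueError, TypeError):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        before = len(errors)
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"{name}: not one of {rule['enum']}")
        if "regex" in rule and not re.fullmatch(rule["regex"], value):
            errors.append(f"{name}: does not match pattern")
        if len(errors) == before:
            cleaned[name] = value
    return cleaned, errors


if __name__ == "__main__":
    print(validate_params(ORDER_QUERY_RULES, {"status": "paid", "sku": "AB-123"}))
    print(validate_params(ORDER_QUERY_RULES, {"page": "0", "status": "lost", "sku": "ab", "x": "1"}))
```

Only the cleaned dictionary is forwarded, so the back-end receives typed values that have already passed the contract rather than the raw strings.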

6) monitoring and alarm:

Provide real-time and visual API monitoring, including: call amount, call mode, response time, error rate, so that you can clearly understand the running status of API and the behavior of users.

Support custom alarm rules to alarm for abnormal situations and reduce fault handling time.

Provide subscribed data analysis reports and intelligent analysis.

2: high performance design

The traditional thread-based concurrency model allocates a thread or process to each request. This model is easy to program: the code that handles a complete request can be written as a single code path. Its disadvantage is that as the number of threads (processes) grows, frequent operating-system switching between them greatly reduces system performance.

3: high availability design

1) stateless design principle

The gateway layer must be designed stateless so that it is highly available, easy to scale and fast to start. Session objects are usually used to hold the user's state data, but a stateless gateway cannot be responsible for maintaining sessions. So who maintains the session-related information? We use the cookie + session server approach.

A) After the user logs in on the login page, the server generates login session information, saves it, sets an expiration time, and sets it in the user's cookie.

B) The user carries this cookie in every subsequent request; the server verifies the cookie, treats the user as legitimate, and performs the requested operation.
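The following is an added example, not code from the article, of steps A) and B) with the gateway holding no state of its own: the session lives in a separate store, the cookie carries only a random identifier, and expiry is enforced on lookup. SessionStore stands in for a shared session server (for example a Redis-backed service); its interface, the cookie name and the constructed credential check are assumptions for this illustration.

```python
# Added example (not from the article): cookie + session-server pattern with
# a stateless gateway. SessionStore, the cookie name "session" and the
# constructed credential check are assumptions for this illustration.
import secrets
import time

SESSION_TTL = 1800  # seconds


class SessionStore:
    """Shared session server; every gateway node talks to the same store."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        # 256-bit random token: unguessable and carries no user data itself.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid, now):
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] <= now:
            self._sessions.pop(sid, None)  # drop expired entries eagerly
            return None
        return entry["user"]

    def revoke(self, sid):
        self._sessions.pop(sid, None)


def login(store, credentials, now):
    """Step A: the login service creates a session and returns a Set-Cookie value."""
    # Constructed check; a real service verifies a password hash or an SSO assertion.
    if credentials != ("alice", "correct-horse"):
        return None
    sid = store.create("alice", now)
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL}"


def gateway_authenticate(store, cookie_header, now):
    """Step B: the stateless gateway only parses the cookie and asks the store."""
    cookies = dict(part.strip().split("=", 1)
                   for part in cookie_header.split(";") if "=" in part)
    sid = cookies.get("session")
    if not sid:
        return None
    return store.lookup(sid, now)


if __name__ == "__main__":
    store = SessionStore()
    now = time.time()
    set_cookie = login(store, ("alice", "correct-horse"), now)
    sid = set_cookie.split(";")[0].split("=", 1)[1]
    print(gateway_authenticate(store, f"session={sid}", now + 5))
```

Because the gateway keeps nothing locally, any instance can validate any cookie and instances can be added or replaced without losing logged-in users.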

2) graceful offline principle

When a gateway instance needs to be removed, do not end the gateway process directly: close the listening socket first, keep serving the clients that are currently connected, and shut the process down only after all client requests have completed.

3) Slow start characteristics

When the gateway notices a newly registered service, bear in mind that some services do a lot of initialization right after start-up, so their response to requests is relatively slow at first. Sending the service too much load from the outset may overwhelm it instantly. To avoid this, the gateway layer should support a Slow Start feature: load is increased gradually over a period of time up to a preset value.
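The following is an added example, not code from the article, of the Slow Start feature: a newly registered instance's weight ramps linearly from a small floor to its configured value, and a weighted picker distributes traffic accordingly. The linear ramp rule, RAMP_SECONDS and the constructed instance records are assumptions for this illustration.

```python
# Added example (not from the article): slow-start weighting for a newly
# registered instance. The linear ramp, RAMP_SECONDS and the instance
# records are assumptions for this illustration.
RAMP_SECONDS = 120


def effective_weight(instance, now):
    """Linear ramp from a floor of 1 up to the configured weight."""
    age = now - instance["registered_at"]
    if age >= RAMP_SECONDS:
        return instance["weight"]
    # keep at least 1 so the instance receives some traffic and its health is observed
    return max(1, int(instance["weight"] * age / RAMP_SECONDS))


def pick(instances, now, counter):
    """Deterministic weighted round-robin over the effective weights."""
    ring = []
    for inst in instances:
        ring.extend([inst["name"]] * effective_weight(inst, now))
    return ring[counter % len(ring)]


def traffic_share(instances, now, samples=1000):
    """Fraction of `samples` consecutive picks that land on each instance."""
    counts = {inst["name"]: 0 for inst in instances}
    for i in range(samples):
        counts[pick(instances, now, i)] += 1
    return {name: c / samples for name, c in counts.items()}


if __name__ == "__main__":
    # Constructed pool: one warm instance and one registered just now.
    pool = [{"name": "old", "weight": 100, "registered_at": 0},
            {"name": "new", "weight": 100, "registered_at": 1000}]
    for t in (1000, 1012, 1060, 1120):
        print(t, traffic_share(pool, t))
```

A production gateway would rebuild the ring only when weights change rather than on every pick, but the ramp rule is the same.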

4) extensible design

The gateway's processing of a request can be divided into three stages: accepting the request, routing and forwarding it, and receiving the data returned by the service and returning it to the requester. Adding the failure path, this gives four places where extension points can be added:

(1) after receiving the request

(2) before locating a service and preparing to forward it

(3) after receiving the returned data from the service and before returning it to the client

(4) when the service invocation fails

Interceptors fall into two categories: those belonging to the gateway platform, such as security checks and logging, and those developed for the gateway layer's business logic, such as format conversion. Generally the gateway first executes the platform's built-in interceptors and then the ones written for business logic. The gateway also needs a mechanism to adjust the execution order of interceptors easily; the simplest is to give each interceptor a priority and call them in priority order.

The data the gateway layer receives and processes is a Request object: after receiving a request, the gateway wraps it as a Request object. To let subsequent filters access this object, consider saving the Request object in a thread-local variable.

Some interceptors, such as debug logging, are usually turned off and only enabled when a problem arises. To keep the gateway highly available, the gateway layer must be able to enable or disable interceptors online; generally the gateway provides a RESTful interface to turn an interceptor off or on.
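The following is an added example, not code from the article, of an interceptor registry with the four extension points listed above, priority ordering, and an online enable/disable switch of the kind the RESTful interface mentioned above would call. The Gateway and Interceptor classes, the Reject exception and the constructed sample interceptors are assumptions for this illustration; the per-request ctx dictionary stands in for the Request object the text describes.

```python
# Added example (not from the article): interceptor chain with four phases,
# priority ordering and online enable/disable. Class names, Reject and the
# sample interceptors are assumptions for this illustration.
from dataclasses import dataclass

PHASES = ("after_receive", "before_route", "before_respond", "on_failure")


class Reject(Exception):
    """Raised by an interceptor to stop the request with a client-facing status."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


@dataclass
class Interceptor:
    name: str
    phase: str
    priority: int        # lower runs first; platform interceptors use low numbers
    handler: object      # callable(ctx) -> None; may raise Reject to abort
    enabled: bool = True


class Gateway:
    def __init__(self):
        self.interceptors = []
        self.trace = []  # records which interceptors ran, for the demonstration

    def register(self, interceptor):
        assert interceptor.phase in PHASES
        self.interceptors.append(interceptor)

    def set_enabled(self, name, enabled):
        """What an admin endpoint such as PUT /admin/interceptors/<name> would call."""
        for i in self.interceptors:
            if i.name == name:
                i.enabled = enabled
                return True
        return False

    def _run_phase(self, phase, ctx):
        chain = sorted((i for i in self.interceptors if i.phase == phase and i.enabled),
                       key=lambda i: i.priority)
        for i in chain:
            self.trace.append(f"{phase}:{i.name}")
            i.handler(ctx)

    def handle(self, request, backend):
        # ctx is the per-request object later interceptors read; a threaded
        # gateway would keep it in a thread-local, here it is passed explicitly.
        ctx = {"request": request, "response": None, "error": None}
        try:
            self._run_phase("after_receive", ctx)
            self._run_phase("before_route", ctx)
            ctx["response"] = backend(ctx["request"])
            self._run_phase("before_respond", ctx)
        except Reject as rej:
            ctx["response"] = {"status": rej.status, "body": str(rej)}
        except Exception as exc:
            ctx["error"] = str(exc)
            self._run_phase("on_failure", ctx)
            ctx["response"] = {"status": 502, "body": "upstream failure"}
        return ctx["response"]


# Constructed sample interceptors.
def auth_check(ctx):
    if ctx["request"].get("token") != "valid-token":  # constructed check
        raise Reject(401, "unauthorized")


def access_log(ctx):
    ctx.setdefault("log", []).append(ctx["request"]["path"])


def debug_log(ctx):
    ctx.setdefault("log", []).append("debug:" + repr(ctx["request"]))


def add_header(ctx):
    ctx["response"]["headers"] = {"X-Gateway": "demo"}


def failure_log(ctx):
    ctx.setdefault("log", []).append("failed:" + ctx["error"])


def build_gateway():
    gw = Gateway()
    gw.register(Interceptor("auth", "after_receive", 10, auth_check))
    gw.register(Interceptor("access-log", "after_receive", 20, access_log))
    gw.register(Interceptor("debug-log", "before_route", 50, debug_log, enabled=False))
    gw.register(Interceptor("resp-header", "before_respond", 100, add_header))
    gw.register(Interceptor("failure-log", "on_failure", 10, failure_log))
    return gw
```

The debug interceptor is registered disabled and switched on through set_enabled without restarting the gateway, which is the online toggle the text calls for.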

5) API management and dynamic release design

Service management is divided into front-end service management and back-end service management. A front-end service is the service API the gateway layer exposes to clients, while a back-end service is the business service API provided by the service layer. When a service is exposed to clients, in addition to the code provided by the gateway layer and the service layer, the mapping between the front-end service and the back-end service must also be configured.

There are many ways for a gateway-layer API to call a service-layer API. For example, client code can be generated from the service contract of the service-layer API and released to the gateway layer. The disadvantage of this approach is that the gateway-layer code depends on the service-layer code, and when the service layer frequently modifies its interfaces the gateway-layer code becomes hard to maintain.

The gateway layer's dependence on the service layer can be decoupled by configuring a mapping between front-end and back-end services. When the service-layer API changes (service name, parameter names and so on), only the mapping needs to be adjusted and no gateway-layer code changes. The gateway layer automatically assembles the data format required by the service-layer API according to the mapping. In this way, the gateway-layer team and the service-layer team can each develop their own services without interfering with each other.
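The following is an added example, not code from the article, of a configuration-driven mapping from a front-end (gateway) API to a back-end service API, so that a parameter rename on the service side is absorbed by editing the mapping rather than gateway code, and the table can be replaced at runtime. The mapping format, the ServiceMapper class and the constructed order-service entry are assumptions for this illustration.

```python
# Added example (not from the article): front-end to back-end service
# mapping driven by configuration. The mapping format, ServiceMapper and
# the order-service entry are assumptions constructed for this illustration.
import copy

# Constructed mapping table; a real gateway loads this from the API
# management console or config center and swaps it atomically on change.
MAPPINGS_V1 = {
    ("GET", "/v1/orders/{id}"): {
        "backend": "order-service",
        "method": "POST",                 # the back-end happens to use POST for lookups
        "path": "/internal/order/query",
        "params": {"id": "orderId", "verbose": "includeItems"},  # front name -> back name
        "defaults": {"channel": "gateway"},
    },
}


def match(mappings, method, path):
    """Find the mapping whose path template matches; returns (mapping, path variables)."""
    parts = path.strip("/").split("/")
    for (m, template), mapping in mappings.items():
        tparts = template.strip("/").split("/")
        if m != method or len(tparts) != len(parts):
            continue
        variables = {}
        for t, p in zip(tparts, parts):
            if t.startswith("{") and t.endswith("}"):
                variables[t[1:-1]] = p
            elif t != p:
                break
        else:
            return mapping, variables
    return None, {}


class ServiceMapper:
    def __init__(self, mappings):
        self._mappings = copy.deepcopy(mappings)

    def reload(self, mappings):
        """Hot update: replace the whole table; requests in flight keep the old one."""
        self._mappings = copy.deepcopy(mappings)

    def translate(self, method, path, query):
        """Turn a front-end request into the back-end call described by the mapping."""
        mapping, path_vars = match(self._mappings, method, path)
        if mapping is None:
            return None
        front = {**path_vars, **query}
        body = dict(mapping.get("defaults", {}))
        for front_name, back_name in mapping["params"].items():
            if front_name in front:
                body[back_name] = front[front_name]
        return {"service": mapping["backend"], "method": mapping["method"],
                "path": mapping["path"], "body": body}


if __name__ == "__main__":
    mapper = ServiceMapper(MAPPINGS_V1)
    print(mapper.translate("GET", "/v1/orders/42", {"verbose": "1"}))
```

Only parameters named in the mapping are copied into the back-end body, so an unmapped query field from the client never reaches the service layer.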

The above is what the editor has to share about how to build a suitable enterprise API gateway. If you have similar doubts, you may refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.
