Talk about Enterprise API gateways

Source: Internet
Author: User
Tags fsm

Http://architect.dataguru.cn/article-11431-1.html

An API Gateway (API GW), as the name implies, is an API-oriented, serially placed, centralized, strongly controlled service that sits on the system boundary; here the boundary is that of the enterprise IT system, and the gateway's main job is to isolate external access from the internal systems. Gateway-like entities existed before the microservices concept became popular, for example the front-end systems common in banking and securities, which likewise solved access authentication, message conversion, access statistics and similar problems. The current popularity of API gateways stems from the rise in recent years of interconnection needs between mobile applications and enterprises. The objects that back-end services must serve have expanded from a single web application to mobile apps, enterprise interconnects and a variety of other usage scenarios, and each scenario places its own requirements on the back-end services. This raises the responsiveness demanded of the back end and also increases its complexity. With the arrival of the microservices architecture, the API Gateway has become a standard component of that architecture.

Several usage scenarios of a gateway

Wang Yanxie's article "Talking about the background, architecture, and floor plan of API gateways" mentions several usage scenarios for gateways:

Gateway for Web apps. In this scenario the physical form resembles front-end/back-end separation, but the web app is not a full-featured one: it is customized for a particular scene, a scene-specific app.

Gateway for Mobile apps. Here the mobile app is the consumer of the back-end services, and the API GW also has to take on part of the MDM (mobile device management, not master data management) functions.

Gateway for Partner OpenAPI. This scenario mainly serves the opening up of the business form and the building of an ecosystem with the enterprise's external partners; the API GW then needs a series of security control functions such as quotas, flow control and tokens.

Gateway for Partner ExternalAPI. This scenario mainly serves the enterprise's own business needs by mapping external capabilities onto the enterprise's own business. Typical examples are "log in with a partner account" and "pay through a third-party payment platform". Here the API GW sits on the boundary and calls the external APIs on behalf of the enterprise's internal services in a unified way, with unified authentication, authorization and access control.

Gateway for IoT SmartDevice. This scenario occurs mainly in traditional enterprises, especially industrial ones, where sensors and physical equipment are converted from industrial control protocols to IP, so that part of the physical link becomes a public network link. The API GW then has to support bidirectional data flow between inside and outside; the devices generally communicate through a centralized "customer-side" gateway that talks to the enterprise's access gateway.

The API gateway in a microservices architecture usually refers to the first two scenarios, that is, exposing the enterprise's internal API capabilities for use by other applications or partners.
The function and value of the gateway

As a layer that sits between the client and the service side, the gateway layer plays three kinds of role. The first is isolation: as the enterprise system boundary, it isolates the external network from the internal network. The second is decoupling: through decoupling, each party in the microservices system can adjust independently, freely, efficiently and flexibly without worrying about the impact on the others. The third is scaffolding: it provides a place where, through an extension mechanism, a series of processing steps can conveniently be applied to requests.

Isolation. To protect the security of internal systems, the intranet and the extranet are isolated; the enterprise's service applications run in the internal environment, and for security reasons direct external access is generally not allowed. The API gateway is deployed outside the firewall to act as a barrier, and the internal systems accept only requests forwarded by the API Gateway. The gateway does a preliminary filtering of access through whitelists or validation rules. Compared with a firewall, this software implementation of filtering rules is more dynamic and flexible.

Decoupling. In a microservices architecture the whole environment includes service providers, service consumers, service operators, security managers and so on, and each role has different responsibilities and demands. For example, service consumers keep raising new service requirements in order to respond quickly to business changes, while service providers, as the side where business services settle, want to maintain the generality and stability of the services and find it hard to respond to rapid change. With an API gateway layer we can decouple the interdependence of the parties and let each focus on its own goals.

1. Decoupling function and non-function.
Besides implementing business logic, an enterprise faces many non-functional requirements when it provides services for external access: for example, guarding against hacker attacks, handling sudden traffic, confirming the user's permissions, monitoring access and so on. This non-functional logic cannot be mixed into the development of the business logic; it needs professional staff, or even a professional team, to handle it.

2. Decoupling client and service provider. Clients and service providers belong to different teams, and the nature of their work differs. The service provider's primary responsibility is to abstract the business and provide reusable business functions; they need to think deeply about the business model and let it settle, and cannot easily let external requirements disrupt the stability of that model. Yet rapid business change also requires the enterprise to provide interfaces quickly to meet the clients' needs. This calls for a middle tier that encapsulates the service layer's interfaces so that the clients' needs can be answered in time. Through this decoupling, the service layer can expose services with a unified interface, protocol and message format regardless of the many forms the clients take.

3. Does the gateway layer need to implement service orchestration? Some articles about API gateways mention service orchestration capabilities in the gateway layer. From the decoupling point of view, service orchestration does not belong in the gateway layer. Orchestrating services is in fact providing a business capability; if it is placed in the gateway layer, part of the business capability lives in the gateway, so that both the service layer and the gateway layer hold business capabilities. That blurs team responsibilities and works against the settling of business capabilities in one place.
Scaffolding. Besides routing and forwarding requests, the gateway layer's plug-ins are responsible for security, authentication, rate limiting, monitoring and so on. The way these functions are implemented is often adjusted as the business changes. Permission control, for example, may at first need only a simple user + password method, but once the user base is large a high-performance third-party solution may be used; likewise, different monitoring scenarios need different log files. These capabilities therefore cannot be hard-wired into the gateway platform at the outset; they should be configurable and easy to modify and replace. This requires the gateway layer to provide a mechanism that supports such dynamic extension well.

Benefits. The value of the gateway can be summarized as follows: the gateway layer isolates outside from inside, ensuring the security of back-end services; external access control moves from the network level to the operational dimension, shortening the change process and reducing the cost of errors; coupling between client and service is reduced and services can be developed independently, with the mapping done in the gateway layer; aggregation in the gateway layer reduces the number of external accesses and improves access efficiency; back-end development cost is saved and go-live risk reduced; simple solutions for service circuit-breaking (fusing), grayscale releases and online testing are provided; and the gateway is easy to extend.

What an enterprise API gateway needs

The position of the enterprise API gateway in a microservices architecture. The API Gateway is the entry point for external services, the front door of the enterprise's services. On the one hand it must have enough capacity to handle a large volume of external visits; on the other hand it must also provide a degree of security protection for the internal services.
In addition, the enterprise provides a variety of API services, and the API gateway must make it easy to manage the full life cycle of these APIs: release, adjustment, retirement (shelving), billing, monitoring and so on.

Which elements an API gateway needs to consider in an enterprise environment

1. Security. When exposing services for external use, the first thing is to ensure that the services are used securely and to prevent malicious external access from affecting the business; services involved in transactions in particular need security considered comprehensively. To ensure security we need to consider the establishment of the communication link, encryption of the communication data, data integrity, non-repudiation and so on.

2. Performance. Since all requests to the enterprise's APIs are forwarded through the API gateway, the access pressure on the gateway is obviously huge; some websites even reach tens of millions of visits per minute. In Internet enterprises especially, a large number of mobile terminals interact with the back-end services at every moment, and if the gateway is not high-performance the enterprise has to invest heavily in equipment and cost at the gateway layer. In one Internet company it has happened that, because of gateway performance problems, the number of gateway machines had to grow in step with the number of back-end servers. Such a situation clearly cannot be tolerated by enterprise services.

3. High availability. The API Gateway is a logical single point; once it has a problem the enterprise's services become unavailable, which can be fatal for the enterprise. Even a short unavailability brings direct economic loss. So how to ensure the gateway runs stably, how to scale it automatically, how to hot-update APIs and so on are all things an enterprise-class gateway must consider.

4.
Extensibility. As said earlier, the enterprise gateway provides scaffolding for non-functional concerns such as logging, security, load-balancing policies and authentication. These plug-ins keep being strengthened and adjusted as the business grows and changes. This requires the gateway layer to provide a mechanism that makes such adjustments flexible without frequent changes to the gateway layer itself, so that the gateway layer stays stable.

5. Efficient API operation. Bringing an API online and releasing it involves the cooperation of the gateway layer: the gateway needs to know the API's published address, interface form and message format, and it also needs to encapsulate the back-end API. When the API is adjusted, the gateway needs corresponding changes. The API gateway design therefore needs to make clear how responsibility is divided between the gateway layer and the service layer, and how they collaborate, so that API management and release are more efficient.

6. Full life-cycle management of APIs. The life cycle of an API service covers development, testing, online release, applying for and activating use of the service, classification and grading, usage monitoring, billing and other management. An enterprise may expose hundreds or thousands of APIs and routinely publishes, upgrades, retrofits and retires them. Different services and different visitors need different access policies, and some commercial API companies also charge for API use. The API gateway therefore needs a complete self-service system through which service providers, managers and users can release, use and operate the services.

Common API gateway solutions in the industry

There are many API gateway solutions in the industry, both commercial and open source.
Examples include Tyk, Kong, API Umbrella, Apiaxle, Netflix Zuul, WSO2 API Manager, Clydeio and more. Three common API gateway options are described below.

Nginx + Lua

Nginx is a high-performance HTTP and reverse proxy server developed by Igor Sysoev for rambler.ru, the second most visited site in Russia. In 2012 Nginx won the annual Cloud Computing Development award and grew into the world's second largest web server. More than 25% of the top 1000 highest-traffic sites in the world use Nginx to handle massive numbers of Internet requests.

Nginx's high performance comes from its event-driven design, fully asynchronous network I/O, minimal inter-process switching and many other optimizations, which make it inherently good at handling the high-concurrency pressure of Internet requests. Its stability has also been proven on major websites: the commonly used modules are very stable, each worker process is relatively independent, and when one worker process fails the master process can quickly "pull up" a new worker sub-process to continue serving. Hot deployment is supported, so configuration files, log files and the server program version can be updated without downtime. Nginx's design is highly extensible: it is composed entirely of many loosely coupled modules of different functions, levels and types, so when fixing a bug or upgrading a module you can focus on that module without worrying about the others.

Nginx uses the very permissive BSD license, which lets users use or modify the Nginx source code directly in their own projects, and a large number of plug-ins are available. However, Nginx modules must be developed in C and must conform to a complex set of rules. Although third-party modules let Nginx integrate with scripting languages such as Perl and Lua, the demands on the user are still very high.
Nginx can be called an industrial-grade API gateway, and many domestic Internet companies such as Ali and Sina have applied it very successfully.

Spring Cloud Zuul

Zuul is an API gateway component open-sourced by Netflix. It provides a framework for edge services such as authentication and authorization, rate limiting, dynamic routing, monitoring, resiliency, security, load balancing, assistance with single-point stress testing and static responses.

Basic features of Zuul:

Authentication and security: identify the authentication requirements of each resource and reject requests that do not meet them.
Review and monitoring: track meaningful data and statistics at the edge to give an accurate picture of the production state.
Dynamic routing: dynamically route requests to different back-end clusters as needed.
Stress testing: gradually increase the load sent to a cluster to measure its performance level.
Load distribution: allocate the corresponding capacity for each type of load and discard requests that exceed the configured value.
Static response handling: build some responses directly at the edge so they never flow into the internal cluster.

Netflix also uses Zuul for precise routing and stress testing of canary versions. Although the features offered are plentiful, they are weak and find it hard to meet demanding scenarios. Zuul handles each request with one thread; typically, to improve performance, all requests are placed in a processing queue and an idle thread is taken from the thread pool to process each one. At the end of 2016 Netflix upgraded its gateway service, and the new Zuul 2 changed the handling of HTTP requests from synchronous to asynchronous to improve processing performance.
Apart from Netflix, Zuul is still used relatively little in enterprises, and its performance and stability have yet to be observed further.

As the Zuul architecture diagram shows, Zuul is more like a filter framework: its routing, logging, reverse proxy, DDoS prevention and other functions are all implemented as filters. Four extension points are provided, PRE, ROUTING, POST and ERROR, and custom filters can easily be added. Zuul is easy to build, use and configure. Its open source community is fairly active and it is updated continuously, but the versions are not very stable, and there are pitfalls in using it: for example, the redirection problem and the exception handling problem have not been solved well, and some filters need to be rewritten.

Taken as a whole this option is not the best choice. But if your team has limited control over the overall technical infrastructure, and the team is small with no dedicated gateway developer, Zuul is the best way to get started quickly.

Mashape Kong

Kong is API management software from Mashape. It is built on Nginx + Lua but offers simpler configuration than Nginx, uses Apache Cassandra or PostgreSQL for storage, and provides some excellent plug-ins such as authentication, logging and call frequency limiting. A very attractive aspect of Kong is its large number of plug-ins for extending the application; by configuring different plug-ins, various enhancements are added to a service. Kong's default plug-ins include:

Identity authentication: Basic authentication, Key authentication, OAuth 2.0, HMAC authentication, JWT and LDAP authentication.
Security: ACLs (access control), CORS (cross-origin resource sharing), dynamic SSL, IP restriction and crawler (bot) detection.
Flow control: request rate limiting (based on request count), upstream response rate limiting (based on upstream response count) and request size limiting; rate limiting supports local, Redis and cluster modes.
Analytics and monitoring: Galileo (records request and response data for API analysis), Datadog (records API metrics such as request count, request size, response status and latency, and visualizes them), Runscope (records request and response data for API performance testing and monitoring).
Transformation: request transformation and response transformation.

Kong itself is based on Nginx, so performance and stability are not a problem. As commercial software, Kong has done a lot of work on top of Nginx and has many paid commercial plug-ins. Kong also has a paid Enterprise Edition that includes technical support, training services and API analytics plug-ins.

Comparing the three options above: Spring Cloud Zuul is ideal for an early-stage team that wants to build a "basically usable" API gateway quickly; Nginx suits a strong R&D team that builds the enterprise's own API gateway; Kong suits companies that do not have their own R&D team but need enterprise-class API gateway capabilities.

How to design a good enterprise API gateway

Product functional considerations

API life-cycle management: covers the definition, testing and release life cycle of an API, with convenient day-to-day management, versioning, hot upgrades and fast rollback.

Development and usage support: provides page-based debugging tools and automatic generation of API documentation and SDKs, greatly reducing labor cost.

Security: an API request arriving at the gateway must pass strict authentication and authorization before it reaches the back-end service; algorithm-based signatures and SSL encryption are supported.
Flow control: controls the number of times an API may be invoked per unit of time, protecting the enterprise's back-end services and enabling grading of businesses and of users. API-level flow control lets you configure different limits according to the importance of each API, so that important businesses keep running stably; user-, application- and exception-level flow control lets you configure different limits according to the importance of each user, protecting the interests of large users. Flow control granularity: minutes, hours, days.

Request management: validates parameter types and values (ranges, enumerations, regular expressions, JSON schemas) according to configuration, reducing the back end's resource consumption and processing cost for illegal or invalid requests. Parameter mapping rules can be defined in the API gateway, and the gateway translates back-end services into any form through these rules to meet the different needs of different users, avoiding repeated development of the same functionality.

Monitoring and alarms: provides real-time, visual API monitoring, including call volume, invocation pattern, response time and error rate, so you can clearly see the health of each API and the users' behavior. Custom alarm rules raise alarms on abnormal situations and shorten fault handling time. Data analysis reports and subscribable intelligent analytics are provided.

API trading: provides an API marketplace, metering and billing, quota control, and operation and sales functions.

High-performance design of the gateway

The traditional thread-based concurrency model assigns a thread or process to each request. This model is simple to program: the code that processes a complete request can be written as one code path.
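As an added illustration of the flow-control function described above (example code written for this page, not Primeton's product or the article's own code), the following Python keeps fixed-window counters at minute, hour and day granularity with one limit table per API and one per user tier, and only commits a request's counters when both scopes allow it. The API names, tier tables and traffic are constructed assumptions:

```python
"""Flow control for a gateway: fixed-window counters at minute/hour/day
granularity, with one limit table per API (protects the back end) and one
per user tier (protects large customers). Added example illustrating the
article's flow-control section; not Primeton's code. The tier tables and the
traffic below are constructed."""
import time
from collections import defaultdict

WINDOW_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}

# Constructed policies: a tight limit on an important transactional API,
# a loose one on a bulk read API.
API_LIMITS = {
    "pay/transfer": {"minute": 5, "hour": 100},
    "catalog/list": {"minute": 100, "day": 20000},
}
# Constructed user tiers: a large (gold) customer gets more than a small one.
USER_LIMITS = {
    "gold": {"minute": 50, "day": 50000},
    "silver": {"minute": 10, "day": 5000},
}


class FlowController:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so windows can be tested deterministically
        # counters[(scope, granularity)] = (window_start, count)
        self.counters = defaultdict(lambda: (0, 0))

    def _plan(self, scope, limits, now):
        """Check every configured window of one scope without touching the
        counters. Returns the increments to apply, or None plus a reason."""
        increments = []
        for gran, limit in limits.items():
            size = WINDOW_SECONDS[gran]
            window_start = int(now // size) * size
            start, count = self.counters[(scope, gran)]
            if start != window_start:
                count = 0  # the window rolled over, so the old count is gone
            if count >= limit:
                return None, f"{scope} {gran} limit {limit} exceeded"
            increments.append(((scope, gran), window_start, count + 1))
        return increments, ""

    def check(self, api, user, tier):
        """Returns (allowed, reason). Counters are updated only when both the
        API scope and the user scope allow the request, so a rejected call
        does not consume any quota."""
        now = self.clock()
        api_plan, reason = self._plan(f"api:{api}", API_LIMITS.get(api, {}), now)
        if api_plan is None:
            return False, reason
        user_plan, reason = self._plan(f"user:{user}", USER_LIMITS.get(tier, {}), now)
        if user_plan is None:
            return False, reason
        for key, start, count in api_plan + user_plan:
            self.counters[key] = (start, count)
        return True, ""


def simulate_transfer_burst():
    """Six transfers inside one minute, then one more after the minute rolls
    over: five allowed, the sixth rejected, the seventh allowed again."""
    clock = [1_000_000.0]
    fc = FlowController(clock=lambda: clock[0])
    outcome = [fc.check("pay/transfer", "alice", "gold")[0] for _ in range(6)]
    clock[0] += 60
    outcome.append(fc.check("pay/transfer", "alice", "gold")[0])
    return outcome


if __name__ == "__main__":
    print(simulate_transfer_burst())
```

In a real deployment the counters would live in a shared store (local, Redis or cluster mode, as the Kong description above lists) rather than in one process, since a stateless gateway layer with several nodes cannot enforce a global limit from per-node memory.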
The disadvantage of this model is that as the number of threads (or processes) grows, the operating system's frequent switching between them drastically degrades system performance.

Another, more efficient concurrency model is the event-driven concurrency model. In this model each request is represented in the system as a finite state machine (FSM), and each state of the FSM represents one step in the request's sequence of operations. The server uses a small set of threads or processes (typically one per CPU) that loop over a queue and handle the various events.

This model requires the work done in each state to be short and non-blocking, so the event-driven model generally uses non-blocking I/O interfaces (NIO). To increase system throughput, Primeton's product uses the SEDA architecture, which is built on the event-based concurrency model. The core idea of SEDA is to divide the processing of a request into stages, each handled by a different handler; stages with different resource consumption are served by different numbers of threads, and the handlers communicate with each other asynchronously.
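To make the staged model concrete, here is an added example (not Primeton's code; the stage names, worker counts and constructed requests are assumptions) that builds a three-stage pipeline with asyncio: each stage has its own queue and its own number of worker tasks, stages hand requests on asynchronously, and no handler blocks the event loop:

```python
"""Staged event-driven request handling in the SEDA style the article
describes: each stage has its own queue and its own number of worker tasks,
stages hand requests on asynchronously, and no handler blocks the event
loop. Added example for illustration only, not Primeton's code; the stage
names, worker counts and the constructed requests are assumptions."""
import asyncio

DRAIN = None  # sentinel: a worker that receives it exits


async def parse_stage(raw):
    # Cheap CPU-bound work: decode a constructed "METHOD PATH USER" line.
    method, path, user = raw.split(" ")
    return {"method": method, "path": path, "user": user}


async def auth_stage(req):
    await asyncio.sleep(0.001)  # stands in for a non-blocking identity lookup
    req["authenticated"] = req["user"] != "anonymous"
    return req


async def route_stage(req):
    if not req["authenticated"]:
        req["status"] = 401  # rejected at the edge, never forwarded
        return req
    await asyncio.sleep(0.001)  # stands in for a non-blocking upstream call
    req["status"] = 200
    return req


# (handler, number of worker tasks): the slower, I/O-heavy stages get more.
STAGES = [(parse_stage, 1), (auth_stage, 4), (route_stage, 8)]


async def run_stage(handler, workers, inbox, outbox, next_workers):
    async def worker():
        while True:
            item = await inbox.get()
            if item is DRAIN:
                return
            await outbox.put(await handler(item))

    await asyncio.gather(*(worker() for _ in range(workers)))
    for _ in range(next_workers):  # all workers finished: release the next stage
        await outbox.put(DRAIN)


async def run_pipeline(raw_requests):
    queues = [asyncio.Queue() for _ in range(len(STAGES) + 1)]
    tasks = []
    for i, (handler, workers) in enumerate(STAGES):
        next_workers = STAGES[i + 1][1] if i + 1 < len(STAGES) else 1
        tasks.append(asyncio.create_task(
            run_stage(handler, workers, queues[i], queues[i + 1], next_workers)))
    for raw in raw_requests:
        await queues[0].put(raw)
    for _ in range(STAGES[0][1]):
        await queues[0].put(DRAIN)
    await asyncio.gather(*tasks)
    results = []
    while not queues[-1].empty():
        item = queues[-1].get_nowait()
        if item is not DRAIN:
            results.append(item)
    return results


def handle(raw_requests):
    """Synchronous entry point; completion order across workers is not fixed."""
    return asyncio.run(run_pipeline(raw_requests))


if __name__ == "__main__":
    for r in handle(["GET /catalog/list alice", "POST /pay/transfer anonymous"]):
        print(r)
```

The point of the per-stage worker count is visible in STAGES: the parse stage is pure CPU and gets one worker, while the stages that wait on I/O get more, which is the resource-based sizing the article attributes to SEDA.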

High-availability design of the gateway

The usual way to ensure high availability is to remove the impact of any single point of failure on the system as a whole. In its product design Primeton considers the following elements to ensure high availability:

1. Stateless design. To be highly available, easy to scale and fast to start, the gateway layer must be designed to be stateless. User state is usually encapsulated in a session object; a stateless gateway layer means the gateway cannot be responsible for maintaining sessions. Who then maintains the session-related information? We use the cookie + session-server approach:

a) After login completes, the server generates login session information, saves it, sets an expiration time and writes it to the user's cookie.
b) The user carries this cookie in every subsequent request; the server verifies the cookie and, treating the user as legitimate, performs the requested operation.

2. Graceful offlining. When the gateway finds that a node is unavailable (for example, its response time exceeds a threshold), it does not disconnect the node directly but marks it unavailable (no further requests are sent to it) and leaves a period of time for earlier requests to receive their responses.

3. Slow start. When the gateway supervisor learns that a new service has registered, it must consider that some services do a lot of initialization when they start, during which they respond to requests slowly. Putting too much pressure on the service at the outset can overwhelm it in a moment. To avoid this, the gateway layer should support a slow-start feature: the load is increased gradually over time up to the preset value.

Extensibility design of the gateway

The following points need to be considered for gateway extensibility: where interception is processed; the processing order of interceptors; how data is passed between interceptors; and support for shutting down or launching an interceptor online.

Where to intercept. The gateway handles a request in three phases: accepting the request, routing and forwarding it, and accepting the service's returned data and returning it to the requester, plus error handling. Extension points can be added at these four places:
after the request is received; after the service has been located and the request is about to be forwarded; after the return data has been received from the service and before it is returned to the client; and when the service call fails.

Processing order of interceptors. Interceptors fall into two classes: those belonging to the gateway platform, such as security checks, and those developed as logic for the gateway layer, such as format conversion. In general the gateway first executes the interceptors that come with the platform and then those written for business logic. The gateway also needs a mechanism that makes it easy to adjust the execution order; the simplest approach is to give each interceptor a priority and call the interceptors in priority order.

Passing data between interceptors. What the gateway layer receives and processes is the request; after receiving a request the gateway layer encapsulates it as a request object, and so that subsequent filters can obtain this object, consider saving the request object in a thread-local variable.

Shutting down or enabling an interceptor online. Some interceptors, such as debug log interceptors, are normally turned off and need to be turned on only when there is a problem. To keep the gateway highly available, the gateway layer must be able to enable or disable an interceptor online. In general the gateway provides a RESTful interface to shut down or enable an interceptor, with a command like:

PUT /apigateway/v1/filters/{filterName}?enable={value}

API management and dynamic release design

Service management is divided into front-end service management and back-end service management. A front-end service is the service API that the gateway layer exposes to the client; a back-end service is the business service API provided by the service tier.
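The following added example (not Primeton's or Zuul's code; the filter names, the handling of the management path and the constructed requests are assumptions) puts the four extensibility points above together in Python: the four extension points, platform filters ordered before business filters with priority inside each class, one request context object shared along the chain, and a management command that switches a filter on or off without a restart:

```python
"""Interceptor chain for a gateway: four extension points, platform filters
before business filters with priority ordering inside each class, one request
context object shared along the chain, and online enable/disable of a filter
through the management command the article mentions. Added example, not
Primeton's or Zuul's code; filter names, the management path handling and the
constructed requests are assumptions."""
import re
from dataclasses import dataclass, field

PHASES = ("PRE", "ROUTE", "POST", "ERROR")

@dataclass
class RequestContext:
    # The article keeps this in a thread-local; it is passed explicitly here
    # so that every interceptor demonstrably works on the same object.
    path: str
    headers: dict
    attrs: dict = field(default_factory=dict)  # data shared between filters
    upstream: str = ""
    response: dict = field(default_factory=dict)
    error: str = ""

@dataclass
class Interceptor:
    name: str
    phase: str
    priority: int   # lower runs first within its class
    platform: bool  # platform filters always run before business filters
    handler: object
    enabled: bool = True

class FilterChain:
    def __init__(self):
        self.filters = []

    def register(self, f):
        if f.phase not in PHASES:
            raise ValueError(f"unknown phase {f.phase}")
        self.filters.append(f)

    def ordered(self, phase):
        """Enabled filters of one phase: platform class first, then priority."""
        return sorted((f for f in self.filters if f.phase == phase and f.enabled),
                      key=lambda f: (not f.platform, f.priority))

    def run_phase(self, phase, ctx):
        for f in self.ordered(phase):
            f.handler(ctx)
            if ctx.error:  # a filter rejected the request: stop this phase
                return False
        return True

    def handle(self, ctx, forward):
        """forward(ctx) stands in for the call to the back-end service."""
        try:
            if self.run_phase("PRE", ctx) and self.run_phase("ROUTE", ctx):
                ctx.response = forward(ctx)
                self.run_phase("POST", ctx)
        except Exception as exc:  # upstream or filter failure
            ctx.error = str(exc)
        if ctx.error:
            self.run_phase("ERROR", ctx)
        return ctx.response

ADMIN_RE = re.compile(r"^/apigateway/v1/filters/([\w-]+)\?enable=(true|false)$")

def admin_command(chain, method, path):
    """PUT /apigateway/v1/filters/<name>?enable=<true|false> toggles one filter
    without a restart. The endpoint must itself sit behind operator auth."""
    m = ADMIN_RE.match(path)
    if method != "PUT" or not m:
        return 400
    name, value = m.groups()
    for f in chain.filters:
        if f.name == name:
            f.enabled = value == "true"
            return 200
    return 404

# Constructed filters for the demonstration.
def auth_filter(ctx):
    if ctx.headers.get("X-Api-Key") != "constructed-key":
        ctx.error = "401 missing or invalid API key"

def debug_log_filter(ctx):
    ctx.attrs.setdefault("log", []).append(f"PRE {ctx.path}")

def route_filter(ctx):
    ctx.upstream = ("http://orders.internal" if ctx.path.startswith("/orders")
                    else "http://catalog.internal")

def error_filter(ctx):
    code = ctx.error.split()[0]
    ctx.response = {"status": int(code) if code.isdigit() else 502, "body": ctx.error}

def build_chain():
    chain = FilterChain()
    chain.register(Interceptor("auth", "PRE", 10, True, auth_filter))
    # business-class filter with the lowest priority number, normally off
    chain.register(Interceptor("debug-log", "PRE", 1, False, debug_log_filter, enabled=False))
    chain.register(Interceptor("route", "ROUTE", 10, True, route_filter))
    chain.register(Interceptor("error", "ERROR", 10, True, error_filter))
    return chain

def fake_backend(ctx):
    return {"status": 200, "body": f"served by {ctx.upstream}"}
```

Note that the debug-log filter has priority 1 but still runs after the platform auth filter, because class ordering takes precedence over priority; and because a rejecting filter stops its phase, an unauthenticated request never reaches ROUTE.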
To expose a service to the client, in addition to the code that provides the service in the gateway layer and the service layer, the mapping between the front-end service and the back-end service must also be configured.

Describing the API. To manage an API, the first step is to describe it. Common interface description languages include YAML, JSON, XML, PB and so on, each with its pros and cons. The API contract description chosen by Primeton refers to the Swagger specification and is written in YAML. Of course, Swagger describes RESTful interfaces, and we can customize our own description properties for the needs of our own interface definitions. For example, when describing microservices Primeton extends the description with properties such as X-primeton-service and X-primeton-operation. For example:

With the API interface contract, besides describing the service interface you can also: generate the service API documentation automatically from the contract; generate the client calling code automatically from the contract; and generate the test framework code for the service interface from the contract.

Front-end service mapping. The gateway-layer API can call the service-tier API in a number of ways. For example, client code that follows the service-layer API can be generated from the service contract and published to the gateway layer for use. The disadvantage is that the gateway-layer code then depends on the service-layer code, and when the service layer frequently modifies and adjusts its interfaces the gateway-layer code becomes hard to maintain. The gateway layer's dependence on the service layer can be removed by configuring front-end service mappings. When the service-layer API changes (service name, parameter names and so on), only the mapping needs adjusting and the gateway-layer code does not; the gateway layer automatically assembles the data format the service-layer API requires according to the mapping. In this way the gateway-layer team and the service-layer team can develop their services independently of each other. The mapping settings include the mapping of the service URL and of the parameters, and with the service contract description provided earlier this mapping can be configured visually. Once the front-end and back-end APIs have been published and the mapping configured, the service can be exposed for external use. During listing, access permissions, traffic control and other information also need to be set; since every enterprise's business requirements differ, this is not described further.
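As an added example covering both the request-management function described earlier (parameter validation by type, range, enumeration and regular expression) and the front-end service mapping just described, the Python below validates a front-end call against a constructed contract and then assembles the back-end request from a mapping table, so that a rename in the service layer is handled by editing the mapping rather than gateway code. The contract layout, the mapping keys and the sample API are assumptions and not Primeton's format:

```python
"""Configuration-driven request validation and front-end-to-back-end service
mapping: the gateway checks types, ranges, enumerations and regular
expressions from the front-end contract, then renames and completes the
parameters for the service-layer API from a mapping table. Added example for
the "request management" and "front-end service mapping" sections; the
contract layout, mapping keys and sample API are constructed."""
import re

# Constructed front-end contract for one exposed API.
FRONTEND_API = {
    "path": "/v1/orders/{orderId}/items",
    "params": {
        "orderId": {"in": "path", "type": "str", "pattern": r"[0-9]{6,12}"},
        "currency": {"in": "query", "type": "str", "enum": ["CNY", "USD"]},
        "limit": {"in": "query", "type": "int", "min": 1, "max": 200, "default": 20},
    },
}

# Constructed mapping: front-end names on the left, back-end names on the right.
MAPPING = {
    "upstream": "http://order-service.internal/api/order/items",
    "params": {"orderId": "order_no", "currency": "ccy", "limit": "page_size"},
    "fixed": {"channel": "gateway"},  # injected by the gateway, never client-supplied
}


class ValidationError(Exception):
    pass


def _check(name, rule, raw):
    """Coerce one raw string parameter and apply the rule's constraints."""
    if rule["type"] == "int":
        if not re.fullmatch(r"-?\d+", raw):
            raise ValidationError(f"{name}: not an integer")
        value = int(raw)
        if "min" in rule and value < rule["min"]:
            raise ValidationError(f"{name}: below {rule['min']}")
        if "max" in rule and value > rule["max"]:
            raise ValidationError(f"{name}: above {rule['max']}")
        return value
    if "pattern" in rule and not re.fullmatch(rule["pattern"], raw):
        raise ValidationError(f"{name}: does not match pattern")
    if "enum" in rule and raw not in rule["enum"]:
        raise ValidationError(f"{name}: not one of {rule['enum']}")
    return raw


def validate(api, path_params, query):
    """Validated front-end parameters, or ValidationError before anything
    reaches the back end. Parameters not in the contract are dropped."""
    out = {}
    for name, rule in api["params"].items():
        source = path_params if rule["in"] == "path" else query
        if name in source:
            out[name] = _check(name, rule, source[name])
        elif "default" in rule:
            out[name] = rule["default"]
        else:
            raise ValidationError(f"{name}: required")
    return out


def match_path(template, path):
    """Turn '/v1/orders/{orderId}/items' into a regex and extract path params.
    Assumes the template holds no regex metacharacters other than the braces."""
    regex = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
    m = re.fullmatch(regex, path)
    return m.groupdict() if m else None


def translate(api, mapping, path, query):
    """Build the back-end request for a front-end call, or raise."""
    path_params = match_path(api["path"], path)
    if path_params is None:
        raise ValidationError("path: no such API")
    front = validate(api, path_params, query)
    back = {mapping["params"][k]: v for k, v in front.items()}
    back.update(mapping["fixed"])
    return {"url": mapping["upstream"], "params": back}


def gateway_translate(path, query):
    """Entry point: (True, back-end request) or (False, rejection reason)."""
    try:
        return True, translate(FRONTEND_API, MAPPING, path, query)
    except ValidationError as exc:
        return False, str(exc)
```

Two details matter for the back end's protection: query parameters that are not in the contract are silently dropped instead of forwarded, and values the gateway injects itself (the "fixed" entries) are written after the client's parameters, so a client cannot override them.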
Summary

As the door through which enterprise capabilities are opened up, the API Gateway needs, beyond basic functions such as request forwarding, protocol conversion and routing, and beyond high performance and stability, good extensibility so that its capabilities can be enhanced easily. When implementing a gateway, the interaction between the gateway layer and the service layer should be planned so that the two are decoupled and each team can work independently. In API management, supporting functions for the full API life cycle, such as release, configuration, authentication, flow control and monitoring, must be provided. Only then can the API gateway really play its role in the enterprise.
