API Gateway
Contents:
-----------
API Gateway patterns
Architecture of API Gateway
Key features of API Gateway
Netflix API Gateway
Creating an Api using WSO2
Microservices architecture allows you to build an application as a collection of services that are loosely coupled which implement business capabilities.
Continuous delivery/deployment of large complex application is possible using microservice.
This is more advantageous than a monolithic application that is built with database client and server application as a single unit.
Microservice can handle single service failure well compared to a monolithic application where the whole application goes down.
Application Programming Interface is a business capability delivered over the internet or external consumers
A web API is a software interface presented over the HTTP protocol that helps in facilitating the development of mobile, web and cloud applications.
In simple terms you can imagine API as a messenger that takes your request and tells the system what you want to do and returns the response back to you.
It is available with standard web protocol with a well-defined interface and is accessibl by third parties.
API Gateway - The Moderator
-------------------------------
An API gateway is considered as a single interface that takes care of various requests to internal srvers.
It offers security, governance, integration and acceleration for API.
It is a complete platform to manage deliver and secure web APIs.
An API call will be received by the gateway and will route it to the appropriate microservice.
API Proxy vs API Gateway
-------------------------
An API proxy will simply add transport security and monitoring capabilities to an existing API.
It does not add anything new, just re-exposes the existing API with some additional capabilities.
A gateway has more functionality on top of API proxy, including content mediation and transformation, rate-limiting, caching etc.
Even though API proxy is lightweight and offers the same functionality as Gateway, a well-built gateway will offer lightweight proxy with more capabilities.
API Gateway vs API Manager
-------------------------------
An API Gateway helps in managing the endpoints.
An API Manager can include an API Gateway as part of its features but will include other things like OAuth, caching, rol checking tc
You might get confused with both as some API Gateways try to act as API Managers these days.
An API Gateway is just one tool amongst many in an API Managers package.
Consider an example
--------------------
Let us meet John, who is planning a road trip. For his road trip, John needs a car with services like Insurance, Speed throttler, and Navigator. He can purchase all that separately, but he is looking for a simple solution.
Now let us relate this with our Microservice. An application needs a lot of information to run. Each information is taken care of by a separate microservice.
Now the question is how a client would fetch the information from all the services.
A client device can be a desktop or a mobile device. In theory, a client can send a request to all the services individually. Let us see the drawbacks in such a design.
Just think what happens if there is no Gateway?
An application might use 'n' number of services, and a single client making that many calls is quite difficult.
Each service might use a different protocol which might not be web-friendly.
Ideally, an application should use HTTP and WebSocket protocols.
It is hard to merge or split a service in this design.
How to overcome these issues? Yes, you guessed it right. Use an API Gateway.
Using API Gateway
---------------------
An API Gateway is a server that is the single entry point into the system for all clients.
It can either route the request to one or many services based on the request.
It is capable of exposing a client to different APIs based on the devices.
It also helps in implementing security.
Variation: Backend for Frontend
-------------------------------
In practice, our mobile devices will make fewer calls and will display different (and probably less) data than a desktop device.
The general-purpose API backend does a lot of work, and hence a separate team will be required to maintain that.
To overcome all these, the before mentioned pattern can be modified to have a separate gateway for each type of client device.
Each gateway has access to all the microservices.
Benefits of API Gateway:
------------------------
Gateway is like the tip of the ice berg that encapsulates the internal structure of the application.
Insulates the client from location determination of service instances.
Provides specific API to each client reducing the number of round-trips between the client and application.
Simplifies the client by moving the logic for calling multiple services from the client to API gateway
Restraints of API Gateway
--------------------------------
Developers need to update the gateway to expose the microservice endpoint which might result in a risk of developemnt bottleneck.
Need to develop deploy and maintain an additional highly available component.
Du to the additional network hop through the API gateway there is an increased response time.
Client-side Discovery
-------------------------------
Service discovery solves the problems on how microservices talk to each other, i.e. perform API calls.
In a monolithic application, services are invoked by procedure or function calls.
But in Microservice architecture the service location changes dynamically.
To overcome this, you can make use of client-side discovery pattern.
It makes use of a service registry, which act as an index of all the service and its location.
To invoke a service, a client or Gateway will query the service registry, and find the required service.
Server-side Discovery
---------------------
For the same scenario in the last card, an alternate solution is a server-side discovery.
Here instead of querying the service registry, clients make the request to a router (load balancer/gateway).
This, in turn, queries the service registry and invokes the appropriate service.
Even though this requires an extra component, the client code is simple which only involves making a request to the router.
Role on Gateways in Service Discovery
---------------------------------------
The service discovery consists of a key-value store (Service Registry) and APIs to read and write to this store.
Service start-up and shut-down script should include code that registers and unregisters itself, when it starts and shutdown respectively.
The registry will check for service's heartbeat periodically to ensure that it is functional.
Role on Gateways in Service Discovery...
-------------------------------------------
Consider two services A and B. Service A needs to call Service B. But A has no idea where B is located. Now introduce a Gateway in this scenario.
Both A and B will register their IP address and port in Gateway service Registry. Now all the application connected to the Gateway can access both A and B.
Without gateways, client devices and services cannot decide where to look for the other service.
A gateway which has client or server side discovery implemented will help in deciding the service location, i.e. their IP address, port, and even their version.
Circuit Breaker
---------------------
One microservice might depend on another service.
If the called service is down, this might result in high latency and makes the application unusable and exhaust the available resource.
When the number of failures crosses a threshold, the circuit breaker will trip and cause a timeout.
After the timeout, only a limited request is passed to the service, and if it succeeds normal operation is reverted, else timeout continues.
Need for Circuit Breakers in Gateway...
-------------------------------------
Now introduce a Gateway with circuit breaker implemented.
It has a threshold time for which a service can be down, after which the gateway itself will return an error message stating that service is down.
This will avoid the request queueing since there is no timeout waiting.
In the background, gateway tries to ping the service, when it is up, the normal operation resumes.
API Gateway - Components
------------------------------
API Publishing & Management:
monitor --> Design --> publish --> manage --> monitor
Developer portal:
Discover --> Explore --> Test-->subscribe -->monitor
publishers <---> Store
Runtime: --> API Gateway -->Existing services
overview of the whole architecture and see how it works.
--------------------------------------------------
A Typical Gateway consists of a Publisher and store.
Apart from this, it has a key management, traffic management, and analytics component.
Creating an API starts with the publisher, where it will be designed, and it will be published to the store for the consumer to explore and subscribe.
Once subscribed, the clients can invoke the API using the API key generated by Key managements component.
The gateway receives the call and verifies the token with the key management and allows the API to hit the service.
The traffic management component helps in applying rate limiting features.
API Publisher
----------------
An API Publisher is a Web application with a structured GUI.
It is designed for API publishers (Developers) and managers.
This involves API Development and API management.
The lifecycle activities of a common API developer/manager are
i) Develop
ii) Publish
iii) Manage
iv) Monitor
Develop and Publish
---------------------
Develop
------------
This includes
Creating an API or making changes to an existing one
Deploying the API to a server
Publish
----------
This involves
Registering the API
Associate corresponding Service level agreement and security policy
Rate limiting/throttling
Manage and Monitor
----------------------------
Manage
-------------------
This includes managing the
Lifecycle
Versions
Access policies
Keys
Monitor
---------------
This involves Monitoring
the API behavior
the consumer usage
the consumer requirements
API Store
---------
The API Store is considered as a Web application where the publisher will host the API.
The consumers can register and subscribe to the APIs here.
Before your application can access an API, it should be registered in the store.
An application can subscribe to any number of APIs.
The lifecycle activities of an API consumer is:
i) Find
ii) Explore
iii) Subscribe
iv) Evaluate
Life Cycle Activities of an API Consumer
-------------------------------------
Find: Searching the store for the required API
Explore: Trying out the API online
Subscribe: Subscribing to the Application
Evaluate: Providing rating and comments
Key Management
This governs access and token related operations.
The gateway connects with the key management to validate API subscription, OAuth tokens and API invoking.
The communication between the gateway and key management happens through a web service call or a thrift call.
Thrift is a communication protocol faster than HTTP and SOAP.
Caching
While subscribing to an application, a token will be created by Key management.
Then while invoking API gateway will validate the token using Key Management.
You can avoid gateway making calls to key management frequently by using caching.
The information such as token, API name and version are cached and stored in either the API Gateway or the key manager server.
It improves the latency of the requests to your API.
Traffic Management:
------------------------
This helps in regulating the API traffic.
It secures the organization from attacks like DoS.
Enforces rate limiting policies.
Makes the Applications and APIs available to the consumers at different service levels.
领英推荐
Gateway manages traffic with the help of Throttling and role specific Rate limiting policies.
Analytics
-------------
This helps in monitoring the API and Application.
This includes functionalities like
Statistical graphs
Alerting mechanism on pre-determined events
Log analyzer
Alerts on unusual activities
Till now you have a brief overview of API gateway and its components.
HTTP Routing
---------------
The gateways and the microservices will register themselves in a registry when they are launched.
All the HTTP request from the client will be routed to the microservices through the gateway.
All request will be proxied, using their application name.
The gateway is capable of routing the service to one or more servers querying for the required service.
For example, when microservices 'price' is registered, it is available on the gateway through /price URL. Any clients making a request to this service will be routed to this service using this URL.
API Endpoint
-------------
Endpoint is an URL that communicates with the API.
It can be a collection of Object.
If you want your HTTP client to interact with the data resource, point it to the required endpoint.
Simply, it is an URL using which a client will access a service.
A single service can have multiple endpoints.
API Resources
---------------
A resource can be defined as an object with a type, relationships to other resources, associated data, and a collection of methods that run on it.
One or more resources combine and form an API, and each will handle a request.
A resource has a set of HTTP methods that operate on it, i.e., GET, PUT, etc.
You can locate the resource using the endpoint.
HTTP Method with description:
-------------------------------
Head: To send header part data.
Trace: To resend th receive request.
Put: Help us to put file into server.
Delete: Remove file from server.
Options: It determines which of the HTTP method server support and return appropriate error
Post: It is used to post data into server
Get: It used to get data from server.
C - CREATE - Post
R - READ - GET
U - UPDATE - PUT
D - DELETE - DELETE
Rate-limiting/Throttling
---------------------------
Rate Limiting is the process of limiting the number of API request.
You know that the gateway proxies the request from a client to your backend services.
There is a limit for your backend system to handle the request.
Gateway implements Rate Limiting policies to control the limit.
Developers can use Rate limiting as a spigot that can be adjusted based on requirement.
Need for Rate Limiting
-------------------------
In Physical Context, Rate limiting should be implemented keeping in mind the Physical limitation of the system such as some concurrent connection, data transfer, bandwidth, etc.
In safety context, it should be implemented to avoid overflowing of the request which might result in service failure.
In a business context, a developer can monetize their APIs by applying rate limiting. You might want to pay if you need to make more requests.
Types of Rate Limiting
----------------------
There are three main types of rate limiting.
User Specific Limiting: Based on the user's API key, the limit is applied above where all requests are denied.
Server Rate Limiting: Some server such as login server might have heavy traffic, while other might not have such high usage. The rate applied based on a server is a good way of using an available resource.
Regional Rate Limit: Applying rate for a particular limit based on region. The calls from a particular region during mid-night would be far less that a regular call limit. This type of limiting can alert the system in case of unwanted activities.
Throttling policies
------------------------
Some Advanced throttling policies are
By IP address
You can make some IPs to consume more of your API resource using IP throttling.
HTTP request header
You can apply limits based on the HTTP request header. If you want to set a different throttling limit for JSON, you can create a policy that checks the header for application/JSON and applies speed limit.
Versioning
-------------
It is the process of keeping track of changes that an API undergoes.
The change can be a change in URL, change in the request or response payload.
Example: https://hostname/v1/student/class
Here v1 is the version. Next version would be v2 and so on. Usually, version is included in URL.
To understand versioning better, you need to get familiar with API lifecycle.
Life Cycle Management
APIs have separate lifecycle apart from the back-end service that they depend on. The Publisher manages the lifecycle
The following stages are available in an API lifecycle:
CREATED: In the store, API metadata is added, but it is not deployed in the API gateway and hence, is not visible to in the API Store.
PROTOTYPED: Deployed and published in the API Store as a prototype. API can be invoked without subscription by the user.
PUBLISHED: Visible in the API Store and ready for subscription.
DEPRECATED: New subscriptions are disabled. But the API is still deployed in the Gateway and is available at runtime to existing subscribers. Existing subscribers can use it until the API is retired.
RETIRED: Unpublished from the API gateway and removed from the store.
BLOCKED: Access is temporarily blocked. Not shown in the API Store afterward.
Need for Versioning
A new API version is created when you change published API's behavior, authentication mechanism, resources, throttling tiers, target audiences, etc.
Modifying a published API that has subscribers, it is not recommended.
The new version of API can be deployed as a prototype for testing without a subscription.
After testing, the prototyped API can be published, and the older versions get deprecated.
Need for Versioning
--------------------------------------------------
A new API version is created when you change published API's behavior, authentication mechanism, resources, throttling tiers, target audiences, etc.
Modifying a published API that has subscribers, it is not recommended.
The new version of API can be deployed as a prototype for testing without a subscription.
After testing, the prototyped API can be published, and the older versions get deprecated.
Types of Versioning
-------------------------
Media type/accept header versioning
Here you specify the version in the HTTP accept media type header.
Example: Accept: Application/vnd.api.article+xml; version=1.0
Custom header versioning
Here you create a custome header for specifying the verison
Example: X-API-Version: 2
URI versioning
The version is specified in the API Endpoint
Example: api.example.com/v1/resource
Domain Versioning
This is a different kind of URI version.
Example: apiv1.example.com/resource
Parameter Versioning
You can specify the version in paramete of the request
Example: GET /something/?version=0.1
API Documentation
API's functionality can be understood by using API Documentation.
It helps API publishers to sustain competition and market their APIs better.
You can add various types of documentation from diverse sources, using API Publisher.
Unique URLs are given to documents created in API Publisher.
API Documentation Types:
The API Publisher supports the following files:
In-line: Hosts documentation in the API Publisher and can be edited directly from the UI.
URL: Links to reference files.
File: Can upload the documentation directly to the server.
Interactive API Documentation - Swagger
-------------------------------------
Swagger is a framework implementation for producing, describing, visualizing and consuming RESTful web services.
To enable client and documentation systems to update at the same speed as the server is the aim of Swagger.
One of the modules of swagger is Swagger UI.
In Swagger, APIs are described in simple static JSON representation which can be loaded through Swagger UI, which in turn provides an interactive documentation.
Swagger UI is a collection of dependency-free Javascript, HTML, and CSS assets that dynamically generate documentation from a Swagger-compliant API.
API manager loads Swagger UI for every API, with Swagger integration, and helps in producing auto-generated documentation.
The API parameters and documentation can be customized by API creator or API publisher.
Swagger UI
--------------
Swagger UI is a collection of dependency-free Javascript, HTML, and CSS assets that dynamically generate documentation from a Swagger-compliant API.
API manager loads Swagger UI for every API, with Swagger integration, and helps in producing auto-generated documentation.
The API parameters and documentation can be customized by API creator or API publisher.
Need for Security
------------------
Consider an API without any security. It will be vulnerable to attacks and consumers will not use subscribe to those APIs. Anybody can access the API easily, which is not preferred.
There are various methods to authenticate and authorize the APIs.
These methods can be used alone or in combination for a better experience.
API keys, Application ID, password, JWT, and OAuth are some of the methods to secure your APIs.
Gateway helps in implementing this security, making APIs secure.
Security- JSON Web Token (JWT)
------------------------------
JSON Web Token (JWT) is a method for securing applications in a microservices architecture.
Access Tokens are generated by the gateway and sent to the -
corresponding microservices
Gateway and microservice share a common secret key. Hence they will be able to validate the token and authenticate users using that token.
Those tokens have both authorization and authentication information.
Security - OAuth
-------------------------------
Open Authorization (OAuth) is considered as an open standard for token-based authentication and authorization on the Internet.
OAuth2 to provide simple key management.
They are a logical collection of APIs, which generates tokens to authenticate an application.
A single token can be used to access all APIs associated with an application.
Also, a single API can be subscribed multiple times with many SLA levels.
What is Access Control?
Access Control helps in deciding who gets access and control different levels of access for different types of users.
Access control is one method to ensure that the API call is valid.
If needed, you can also classify various types of users and offer a variety of business services.
Access Gateways let you deny the access to specific endpoints, methods, and services and you can easily apply access policy for groups of users.
Users and Roles
---------------
Admin: The API management provider who manages and hosts the API Gateway. Admin creates and assigns user roles, manages databases, security, etc.
Creator: A person who understands the technical aspects of the API and uses the API publisher to move APIs into the API store. The creator can add an API to store but cannot manage its lifecycle.
Publisher: Manages a set of APIs and controls the API lifecycle, monetization and subscriptions aspects. The publisher also has access to all API statistics.
Subscriber: Uses the API store to discover APIs, read forums and documentations, rate APIs, subscribe APIs, obtain access tokens and invoke the APIs.
Role Based Access Control
All registered microservices are accessible through the gateway.
You can exclude a specific API from the gateway, using a particular access control policy filter.
For each API, you can define which user Roles will be able to discover and subscribe API via the API Store
This can be done using the API Visibility setting.
Only authorized users should access APIs without any interruption.
OAuth 2.0 scope is one method of controlling access to users.
You can also use XML-based XACML (eXtensible Access Control Markup Language), an access control policy language for validating the request.
Netflix API Gateway
Now let us see about Netflix API gateway, which has all these key features incorporated.
Netflix is one of the major adopters of microservices.
They created an open-source proxy server Zuul.
Zuul proxies requests to multiple microservices.
It is the front door for all services supporting 1000 plus devices and handling 50000 additional requests per second at peak.
It is built to enable dynamic routing, resiliency, monitoring, and security.
Fact - Zuul
The name Zuul comes from the movie Ghostbusters where Zuul appears as the Gatekeeper of Gozer.
More on Zuul
Zuul is a collection of filters written in Groovy that is capable of performing a particular action during the routing of HTTP requests and responses.
It provides a framework to read, compile, and run these filters dynamically.
Zuul can rapidly change its behavior and react to the situations.
It can be used with other Netflix OSS such as Hystrix, Ribbon, Turbine and use it to manage filters, load balancing, routing and routing rules across your system.
Spring Cloud offers an embedded Zuul proxy that helps in creating UI application that makes proxy calls to one or more microservices easily.
Introduction to API Manager
-------------------------------
So far, you got a basic idea about API gateway and its features, now it's time to use an API manager to create and invoke an API.
WSO2 API Manager is a API management application that allows you to create, publish and manage APIs.
It supports API application development, lifecycle management, rate limiting, analytics and access control in one system.
Course Summary - API Gateways
In this course, you have learned,
API Gateway
Brief idea of API gateway architecture
Rate limiting using API Gateway
Security using API Gateway
Documentation using Swagger UI
And various key features of API Gateway