When architecting microservice solutions, you'll often find yourself struggling with cross-cutting concerns. Think security, rate limiting, access control, monitoring, location-aware routing… Things can quickly become a nightmare.
The API Gateway pattern can help you solve such problems in an elegant and uniform way. Using Kong, an open source product, you can get started today. In this session we'll look at the why and how of this approach.
4. “API management is the process of creating and publishing web APIs, enforcing their usage policies, controlling access, nurturing the subscriber community, collecting and analyzing usage statistics, and reporting on performance.”
(source: Wikipedia)
6. R D 1R D 1
[Diagram: Frontend calls the Beer API (/api/beers/{id}, /api/brewery/{id}/beers; "Needs an API key!") and the Brewery API (/api/brewery/, /api/brewery/{id}; "Needs an API key!")]
1. Build a few μ-services
2. Deploy them using Docker Compose
3. Observations:
   1. Each μ-service has a different address
   2. Logic (e.g. security) is duplicated in each μ-service
9. “Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale.”
(source: Amazon API Gateway)
10. “Use Azure API Management as a turnkey solution for publishing APIs to external and internal customers. Quickly create consistent and modern API gateways for existing back-end services hosted anywhere, secure and protect them from abuse and overuse, and get insights into usage and health.”
(source: Azure API Management)
13. C API GC API G
Authentication
Authorisation (limited)
Rate limiting
Logging
Metering
Metrics
Compression
IP black- / whitelisting
Caching
...
Aggregations and transformations → backend-for-frontend (BFF)
14. R D 2R D 2
[Diagram: Frontend → Kong → Beer API (/api/beers/{id}, /api/brewery/{id}/beers; "Needs an API key!") and Brewery API (/api/brewery/, /api/brewery/{id}; "Needs an API key!")]
15. R D 2R D 2
Configuring Kong:
1. Define a service that points to an upstream.
2. Define a route for that service.
3. Define an upstream with (1..n) targets.
Beer API:
  SERVICE
    url: http://beer-api.upstream/
    name: beer-api.service
  ROUTE
    paths: [ /api/beer/*, /api/brewery/*/beers ]
    methods: [ GET ]
  UPSTREAM
    name: beer-api.upstream
  TARGET
    target: beer-api:9080
Brewery API:
  SERVICE
    url: http://brewery-api.upstream/
    name: brewery-api.service
  ROUTE
    paths: [ /api/brewery* ]
    methods: [ GET ]
  UPSTREAM
    name: brewery-api.upstream
  TARGET
    target: brewery-api-1:9080
    weight: 10
  TARGET
    target: brewery-api-2:9080
    weight: 20
16. KK
Based on Nginx
Stores configuration in a database (optional since 1.1)
Two interfaces: public and private
17. DD
Kong can be deployed in various modes
Standalone
Clustered
As Kubernetes Ingress Controller
On premise, in the cloud — you choose
21. UU
In general:
curl http://kong:8001/services/<service-name>/plugins \
  --data "name=<plugin-name>" \
  --data "config.param=value"
Example (rate limiting):
curl http://kong:8001/services/beer-api.service/plugins \
  --data "name=rate-limiting" \
  --data "config.second=6"
22. M M PM M P
https://pxhere.com/en/photo/1039147
23. AA
Authentication: maps credentials in request to a consumer.
Consumers can have multiple credentials
Upstream API receives custom HTTP headers:
X-Consumer-Username and X-Consumer-ID
24. R D 3R D 3
[Diagram: Frontend → Kong → Beer API and Brewery API. Labels: "Needs an API key!"; "Authenticate consumer using API key"; "Assign groups to consumers"; "Consumer & groups provided by Kong" (on both APIs)]
1. Create consumer
2. Assign key to consumer
3. Assign group to consumer
4. Secure upstream API with key-auth and ACL plugin
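The four steps above expressed as Kong Admin API calls, as an added example that is not part of the original slides. The consumer name `frontend-app` and the group `beer-readers` are assumptions, the parameter names are those of Kong 1.x, and the script only prints the requests unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the talk): the four steps above as Kong Admin API calls.
# Assumed names: consumer "frontend-app", group "beer-readers"; the service name
# and the Admin API address kong:8001 are the ones used on the slides.
set -eu

KONG_ADMIN="${KONG_ADMIN:-http://kong:8001}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the requests only, 0 = send them to Kong

# POST form fields ("key=value" arguments) to an Admin API path.
kong_post() {
  api_path="$1"; shift
  if [ "$DRY_RUN" = "1" ]; then
    line="POST $api_path"
    [ "$#" -eq 0 ] || line="$line $*"
    echo "$line"
    return 0
  fi
  for field in "$@"; do          # turn each field into a --data-urlencode pair
    set -- "$@" --data-urlencode "$field"
    shift
  done
  [ "$#" -gt 0 ] || set -- --data ""   # empty body for POSTs without fields
  curl --fail --silent --show-error -X POST "$KONG_ADMIN$api_path" "$@"
}

secure_service() {
  service="$1"; consumer="$2"; group="$3"
  # 1. Create the consumer.
  kong_post "/consumers" "username=$consumer"
  # 2. Assign a key; with no "key" field Kong generates one and returns it.
  kong_post "/consumers/$consumer/key-auth"
  # 3. Put the consumer in a group.
  kong_post "/consumers/$consumer/acls" "group=$group"
  # 4. Require a key on the service, strip it before proxying upstream,
  #    and admit only the group. config.whitelist is the Kong 1.x name;
  #    later releases call it config.allow.
  kong_post "/services/$service/plugins" "name=key-auth" "config.hide_credentials=true"
  kong_post "/services/$service/plugins" "name=acl" "config.whitelist=$group"
}

secure_service "beer-api.service" "frontend-app" "beer-readers"
```

Once applied, a request through Kong without a key should be rejected with 401, and one with a valid key whose consumer is outside the group with 403.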
25. CC
You can write your own plugins!
Relevant documentation:
Plugin Development Guide
Plugin Development Kit
26. SS
├── README.md               # Documentation right?! ;-)
└── my-plugin               # Name of the plugin
    ├── api.lua             # Administration interface for the plugin (REST)
    ├── daos.lua            # DAOs for custom entities inside the plugin
    ├── handler.lua         # Plugin logic, executed upon request
    ├── migrations          # Database migrations
    │   ├── cassandra.lua   # for Cassandra
    │   └── postgres.lua    # for PostgreSQL
    └── schema.lua          # Schema for plugin config
27. II HANDLERHANDLER
local BasePlugin = require "kong.plugins.base_plugin"
local MyPluginHandler = BasePlugin:extend()
-- Within a phase, plugins with a higher PRIORITY run first
MyPluginHandler.PRIORITY = 1003
MyPluginHandler.VERSION = "0.2.0"
-- Constructor: registers the plugin under its name
function MyPluginHandler:new()
  MyPluginHandler.super.new(self, "my-plugin")
end
-- access phase: runs for every request before it is proxied upstream
function MyPluginHandler:access(conf)
  MyPluginHandler.super.access(self)
  kong.log.info("Hello from My Plugin!")
end
return MyPluginHandler
28. RR
Plugins can be invoked at various moments:
Kong startup
Serving SSL-certificate
Request rewriting
  API or consumer unknown!
Before hitting upstream
After receiving all response headers from upstream
For each part of the response body
  Could be multiple chunks!
After sending the last byte to the client
30. CC
[Diagram: Client → (request with TLS client cert) → Load Balancer (TLS offloading) → (request without TLS client cert) → Intrusion Prevention System → (request without TLS client cert) → Kong]
31. K -K -
Read the custom headers from the request
Look up cert by subject
Verify other fields
Add consumer to request and send it upstream
33. TT
Cost (e.g. licences)
Developer experience
Documentation
Flexibility / expandability
Maintainability
Support
Functional and non-functional fit out of the box
Future proof (hard to tell, though!)
Replaceability / (vendor) lock-in
34. WW KK
Kong (OS) seemed like a good choice:
great feature set out of the box
could buy support, if we wanted
active community
frequent releases
good documentation
35. EE
Changing the configuration is easy and quick
Configuration using APIs
Imperative configuration isn't easy
Declarative configuration (kongverge, kongfig or db-less mode)
Upgrading 0.13 → 0.14.1 was pretty easy
Upgrading 0.14.1 → 1.1 was a bit harder, but not too much
Lack of GUI might disappoint business stakeholders
konga or kongdash can help
36. @mthmulders #MMwK
QQ
Sample code: http://bit.ly/enterprise-beers
Please help conference organisers: don't forget to rate this talk!

POST /api/1.0/questions
User-Agent: audience/1.0
Accept: application/vnd.infosupport.answer
Content-Type: application/vnd.infosupport.question

"So, how would you "

HTTP/1.1 200 OK
Content-Type: application/vnd.infosupport.answer
Date: Wed, Nov 21 2018 20:00:00 GMT+1
Server: Maarten/1.0
Via: kong/1.0.0

"Well, it depends on "