91APP API Gateway 導入之旅 (91APP's API Gateway Adoption Journey)
- 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Rick Hwang
Sr. Manager, 91APP
June 28, 2018
91APP's API Economics and the API Gateway Adoption Journey
- 2. Agenda
● 91APP introduction
● What problems did we run into?
● What we expect from new technology
● Considerations for adopting API Gateway
● A precursor architecture for microservices
● API economics
- 9. Rick Hwang
● Sr. Manager @ 91APP
● Cloud / AWS
● DevOps / SRE
● Distributed Systems
● Business management
● Music: guitar, keyboard, arranging
● Philosophy, science fiction, Jin Yong (金庸) novels
https://www.gtcafe.com
- 10. Before we start
What problems did we run into?
What do we expect?
- 11. Problem 1: Legacy API
- 12. Legacy API
● The authentication mechanism is overly complex
● Resources and methods are poorly designed and out of step with current practice
● Payload data structures are complex
- 13. Problem 2: Defenses are not robust enough
- 14. Defenses are not robust enough
● Abnormal (attack) traffic is absorbed by throwing resources at it (adding machines)
○ Moving to ALB + WAF can solve this
● API control mechanisms are inadequate
○ Each customer has its own KeySet, but permissions cannot be managed per customer
● No way to limit traffic (no rate limit)
- 15. Problem 3: External integration
- 16. [Diagram: customers integrate with our API using a KeySet, and the customers' partners connect through it as well]
- 17. External integration problems
● Customers use our API
○ The customers' partners use our API too, and we don't know it!
○ Permission control problems
● Some customers don't consume JSON, they consume XML
● Or the customer sends us XML while we consume JSON
- 18. Expectations
- 19. Expectation 1: Service-oriented architecture
- 20. Learn from AWS
- 21. [Diagram: the URL https://api.91app.com/order/v2/SaleOrder as a single entry point in front of the backends: api.91app.com = Brand, /order = Service Name, /v2 = Version, /SaleOrder = the APIs]
- 22. Expectation 2: Serverless architecture
- 23. Serverless architecture
● Serverless Framework
● CloudFront / WAF
● API Gateway: Private and Regional
● Lambda
● DynamoDB / DAX
● CloudWatch
- 24. Expectation 3: Operations automation
- 25. Operations automation
● Real-time API usage statistics
● API key management
● API authorization mechanism
● Monitoring metrics
● Logging
- 26. Summarizing the problems and expectations
- 27. Problems and expectations
1. Better authentication and authorization mechanisms
2. Request and response data structure transformation
3. Better monitoring and API usage statistics
4. Rate limiting and a firewall
5. Standardized (RESTful) API interface
6. Simplify the existing authentication mechanism
7. Simplify the request payload
8. Adjust the response data model
9. Change the backend as little as possible
10. Serverless architecture
- 28. [Diagram: the requirements grouped under security, architecture and operations; interface facelift; and development process, with the motto "the enemy moves, we don't", i.e. the backend stays put]
Control: rate limiting, firewall
API key management
Authentication mechanism
Real-time monitoring
Change the backend as little as possible
Old and new versions running side by side
Simplify the payload
Handle the response data structure
Standardize the API interface
API documentation
External Developer Portal
Standardized internal documentation publishing process
- 29. So we started adopting API Gateway
- 30. Things to consider when adopting API Gateway
- 31. Consideration 1: Visibility of the architecture (endpoint types)
● Public
○ Edge: with CDN, global
○ Regional: without CDN
● Private
○ Regional: without CDN
Open to business users / open for internal service integration / internal service-to-service calls
Note: when using a Custom Domain Name, don't use the Edge type
- 32. Consideration 2: Integration with the existing architecture
● Existing services stay untouched
● Integrate with the services in the existing VPC via PrivateLink
○ Network Load Balancer
- 33. Consideration 3: Minimal changes for customers
● Existing customers move to the new endpoint and the new authentication mechanism
● All other business logic stays the same
- 34. Consideration 4: URL planning
[Diagram: https://api.91app.com/ec/v2/Sale/Order as a single entry point: api.91app.com = Brand, /ec = Service Name, /v2 = Version, /Sale/Order = REST APIs]
- 35. Consideration 4: Authentication mechanism
● Authentication: at the backend or at the gateway
● Authorization: at the backend or at the gateway
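Doing both at the gateway means a Lambda authorizer (the Custom Authorizer in the architecture diagrams further on) that validates the caller's credential and returns an IAM policy scoped to what that caller may invoke. The following is an added example, not 91APP's authorizer: the token format (`Bearer <key-id>.<secret>`), the key records, the service names and the ARN values are all assumptions made for the illustration.

```python
"""Lambda REQUEST authorizer doing authentication and per-customer
authorization at the gateway.  Added illustration, not 91APP's code: the
token format, the key records and the service names are assumptions."""
from __future__ import annotations

import hashlib
import hmac
from typing import Any, Optional

# Constructed sample key store, keyed by key id.  Stands in for the DynamoDB
# table behind the Custom Authorizer; secrets are kept only as SHA-256
# digests (fine for long random secrets; human passwords would need a slow
# KDF) so a table dump does not leak usable credentials.
KEY_STORE: dict[str, dict[str, Any]] = {
    "cust-a-key1": {
        "secret_sha256": hashlib.sha256(b"cust-a-secret-1").hexdigest(),
        "customer": "customer-a",
        # Value of the API Gateway API key tied to this customer's usage plan
        "api_key": "ExampleApiKeyValueForCustomerA",
        "services": ["order", "category"],  # service names this key may call
        "enabled": True,
    },
    "partner-x-key1": {
        "secret_sha256": hashlib.sha256(b"partner-x-secret-1").hexdigest(),
        "customer": "partner-x",
        "api_key": "ExampleApiKeyValueForPartnerX",
        "services": ["order"],
        "enabled": True,
    },
}


def parse_token(header: str) -> Optional[tuple[str, str]]:
    """Assumed scheme: 'Bearer <key-id>.<secret>'."""
    if not header.startswith("Bearer "):
        return None
    key_id, sep, secret = header[len("Bearer "):].partition(".")
    return (key_id, secret) if sep and key_id and secret else None


def authenticate(key_id: str, secret: str) -> Optional[dict[str, Any]]:
    """Return the key record if the secret matches, else None.  The digest
    comparison is constant-time so response timing does not reveal how
    many leading characters of a guess were right."""
    rec = KEY_STORE.get(key_id)
    if rec is None or not rec["enabled"]:
        return None
    digest = hashlib.sha256(secret.encode()).hexdigest()
    return rec if hmac.compare_digest(digest, rec["secret_sha256"]) else None


def build_policy(method_arn: str, principal: str, services: list[str],
                 api_key: Optional[str] = None) -> dict[str, Any]:
    """IAM policy scoped to the caller's services.  methodArn looks like
    arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<path>.
    API Gateway caches the returned policy per token for the authorizer
    TTL, so it must list every route the caller may use, not only the
    route of the current request."""
    api_arn, _, rest = method_arn.partition("/")
    stage = rest.split("/", 1)[0]
    base = f"{api_arn}/{stage}"
    if services:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow",
                     "Resource": [f"{base}/*/{svc}/*" for svc in services]}
    else:
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny",
                     "Resource": f"{base}/*"}
    policy = {"principalId": principal,
              "policyDocument": {"Version": "2012-10-17",
                                 "Statement": [statement]}}
    if api_key:
        # With the API's key source set to AUTHORIZER, this value selects the
        # usage plan (rate limit, quota) that API Gateway applies.
        policy["usageIdentifierKey"] = api_key
    return policy


def lambda_handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    parsed = parse_token(headers.get("authorization", ""))
    rec = authenticate(*parsed) if parsed else None
    if rec is None:
        # An explicit Deny yields HTTP 403 (and is cached like an Allow);
        # raising Exception("Unauthorized") would yield 401 instead.
        return build_policy(event["methodArn"], "anonymous", [])
    return build_policy(event["methodArn"], rec["customer"], rec["services"],
                        rec["api_key"])
```

The policy deliberately grants `/*/<service>/*` per service rather than echoing back the single `methodArn`: because API Gateway caches the decision under the token, a policy that only allows the first route seen would make every other route the same customer is entitled to fail until the cache expires.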
- 36. Consideration 5: Development process
● Serverless architecture
● Swagger integration and management for the APIs
● Test environment planning
● Documentation
● Deployment process
- 37. Consideration 6: Monitoring and maintenance
● API usage statistics
● API key management
● Log collection and processing
- 38. A precursor architecture for microservices
- 39. Considerations for the precursor architecture
● Security built in: CDN + WAF
● Availability and reliability
● Environment setup
● Deployment process
- 40. A closer look
- 41. [Diagram: request path for a customer or third party calling https://api.abc.com: DNS → CloudFront distribution (SSL certificate, WAF) → API Gateway stages (the /order API stage with POST /v2/Sales/Order and POST /v2/Sales/Orders) → Custom Authorizer backed by DynamoDB → handler (1. EncryptData, 2. InvokeAPI, 3. Restructure data formation) → Network Load Balancer → Application Load Balancer → backend Service A]
- 42. A slightly wider view
- 43. [Diagram: end users reach Services A, B, C ... through CDN → WAF → API Gateway over HTTPS; customers (Prod) and customers (Dev) call separate API Gateways over HTTPS/TLS with an x-api-key. The gateway layer provides 1. Rate Limit, 2. Access Control, 3. Monitoring, 4. Usage Plan. API endpoint layout: /ServiceName/Version/RestAPI]
- 44. The full picture
- 45. [Diagram: Route 53 → CloudFront + AWS WAF; desktop and mobile clients fetch js, css and img from S3, and API traffic goes through an ALB in a public subnet to Services A, B, C and D (each exposing REST APIs under /category, /order, /auth and /theme) in a private subnet; common services include a Message Broker and Service Discovery; access levels are marked Public, Protected and Private with Access Control between them]
- 46. The core microservices of a microservice architecture
● API Gateway / Service Mesh
● Service Discovery
● Message Broker
- 47. API economics: business thinking for technology
- 48. https://www.emome.net/4g/4g_promo (a mobile carrier's 4G plan page, used as the analogy for API plans)
- 49. API economics: Usage Plan (mock tiers, modeled on mobile data plans)
Tier           | Monthly fee | Calls per month | Rate limit | x-api-keys | Pitch
91APP Diamond  | 1499        | unlimited       | unlimited  | 100        | many perks, unlimited all-you-can-eat
91APP VIP      | 1999        | 50 million      | 5000 rps   | 50         | many perks, a curated plan to use to your heart's content
91APP Economy  | 699         | 10 million      | 1000 rps   | 10         | many choices, economical and practical
+ MORE +
- 50. [Diagram: a Usage Plan is attached to 0..n API Keys and to 0..n API Stages]
Usage Plan A
● Rate Limit: 5000
● Throttling: 500
● Quota: 50,000 / day
API Keys: Key 1, Key 2, Key 3, Key 4, ... Key n
API Stages: API Stage A, API Stage B
Mobile-plan analogy: the usage plan is the "499 plan", an API key is the SIM card, and the API stage is the base station
- 51. How do you sell an API?
● Charge by API usage
● Grant API volume according to membership tier
● During development, restrict keys according to their purpose
- 52. Applying Usage Plans
● Test keys for customers
○ Rate limit: lowered
○ Quota: capped
○ Disabled or rotated on a schedule
● Production keys for customers
○ Issue two: the redundancy idea behind IAM access keys (rotate one while the other stays valid)
○ Rate limit: according to the business tier
○ Quota: unlimited
○ Disabled or rotated on a schedule
- 53. Developer Portal
● Where does the documentation developers read all the time come from?
● What should this site provide?
● How does the development process put the documentation into the code?
● What is the business value of this site?
- 54. Recap
● What problems did we run into?
● What we expect from new technology
● Considerations for adopting API Gateway
● A precursor architecture for microservices
● API economics
- 55. Closing remarks ...
We are still in progress ...
- 56. API Gateway is a very technical thing.
Adoption only goes smoothly when it is backed by business value!
- 57. Next ... DevLounge
- 59. Q and A
Rick Hwang
Sr. Manager, 91APP
June 28, 2018
API Gateway Adoption Journey
- 60. Questions
● Custom Domain Names already come with CloudFront, so why set up our own?
● The backend returns JSON but the customer receives XML: how does that work?
● How do you debug API Gateway problems?
● Can API Gateway integrate with other AWS services, such as DynamoDB, without Lambda?
● What should you watch out for with rate limits?
- 61. Q1: Custom Domain Names already come with CloudFront, so why set up our own?
- 62. Endpoints for Edge, Regional, Private
- 63. Edge API Gateway
An edge-optimized endpoint already sits behind a CloudFront distribution that API Gateway manages: the hostname resolves to CloudFront addresses, and the reverse lookup names a cloudfront.net edge node (tpe50, a Taipei point of presence).
~$ nslookup 7fal10lwzj.execute-api.us-west-2.amazonaws.com 8.8.8.8
Non-authoritative answer:
Name: 7fal10lwzj.execute-api.us-west-2.amazonaws.com
Address: 52.84.205.154
Name: 7fal10lwzj.execute-api.us-west-2.amazonaws.com
Address: 52.84.205.177
Name: 7fal10lwzj.execute-api.us-west-2.amazonaws.com
Address: 52.84.205.168
Name: 7fal10lwzj.execute-api.us-west-2.amazonaws.com
Address: 52.84.205.155
~$ nslookup 52.84.205.154 8.8.8.8
Non-authoritative answer:
154.205.84.52.in-addr.arpa name = server-52-84-205-154.tpe50.r.cloudfront.net.
Authoritative answers can be found from:
- 64. Regional API Gateway
A regional endpoint resolves to EC2 addresses inside us-west-2 with no CloudFront in front of it. This is the type to pair with a custom domain name when you run your own CloudFront distribution and WAF in front of the API, as in the architecture above; putting your own distribution in front of an edge-optimized endpoint would stack two CloudFront layers.
~$ nslookup 2dev1cgrqj.execute-api.us-west-2.amazonaws.com 8.8.8.8
Non-authoritative answer:
Name: 2dev1cgrqj.execute-api.us-west-2.amazonaws.com
Address: 34.218.11.31
Name: 2dev1cgrqj.execute-api.us-west-2.amazonaws.com
Address: 52.10.38.34
Name: 2dev1cgrqj.execute-api.us-west-2.amazonaws.com
Address: 52.88.144.89
~$ nslookup 34.218.11.31 8.8.8.8
Non-authoritative answer:
31.11.218.34.in-addr.arpa name = ec2-34-218-11-31.us-west-2.compute.amazonaws.com.
Authoritative answers can be found from:
- 65. Private API Gateway
A private endpoint has no public DNS record at all (NXDOMAIN from 8.8.8.8). It resolves only from inside the VPC, through the VPC resolver at 172.31.0.2, where the private DNS of the execute-api interface endpoint maps it to private addresses, so the API is reachable only through that VPC endpoint.
~$ nslookup wertv1jfp2.execute-api.us-west-2.amazonaws.com 8.8.8.8
** server can't find wertv1jfp2.execute-api.us-west-2.amazonaws.com: NXDOMAIN
~$ nslookup wertv1jfp2.execute-api.us-west-2.amazonaws.com
Server: 172.31.0.2
Address: 172.31.0.2#53
Non-authoritative answer:
wertv1jfp2.execute-api.us-west-2.amazonaws.com canonical name = execute-api.us-west-2.amazonaws.com.
Name: execute-api.us-west-2.amazonaws.com
Address: 172.31.5.61
Name: execute-api.us-west-2.amazonaws.com
Address: 172.31.10.251
- 66. [Diagram repeated from slide 43: end users → CDN → WAF → API Gateway → Services A, B, C ...; customers (Prod) and customers (Dev) call separate API Gateways over HTTPS/TLS with an x-api-key]
- 67. Q2: The backend returns JSON but the customer receives XML. How does that work?
- 68. Data transformation
[Diagram: Client ⇄ API Gateway ⇄ Backend; the client speaks XML, the backend speaks JSON, and API Gateway transforms the payload in both directions]
- 69. Apache Velocity Template Language (VTL)
The transformation is done by mapping templates on the integration request and the integration response, which are written in VTL.
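The following is an added illustration in Python, not the deck's mapping templates: the same two transformations written out (backend JSON to client XML on the response, client XML to an object for the JSON backend on the request), plus the one step a hand-written VTL template must not skip. `$util` in a mapping template offers `escapeJavaScript`, `urlEncode` and `base64Encode`, but no XML escape, so a backend value containing markup becomes XML structure unless the template escapes it itself. The SaleOrder document, its field names and the `<Items>`/`<Item>` naming convention are constructed for the example.

```python
"""JSON <-> XML transformation as API Gateway does it between a JSON backend
and an XML-speaking client.  Added illustration, not 91APP's mapping
templates: the field names and the SaleOrder document are constructed."""
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed backend JSON response for the assumed /order/v2/SaleOrder call.
BACKEND_JSON = json.dumps({
    "SaleOrderId": "SO-20180628-0001",
    "Status": "Paid",
    "Customer": {"Name": "Wang <Ming>", "Email": "ming@example.com"},
    "Items": [{"Sku": "A-001", "Qty": 2}, {"Sku": "B-002", "Qty": 1}],
})


def to_element(tag: str, value) -> ET.Element:
    """Map a JSON value onto an element tree; ElementTree escapes text."""
    el = ET.Element(tag)
    if isinstance(value, dict):
        for key, val in value.items():
            el.append(to_element(key, val))
    elif isinstance(value, list):
        # Naming convention assumed here: <Items> holds repeated <Item>.
        item_tag = tag[:-1] if tag.endswith("s") else "Item"
        for val in value:
            el.append(to_element(item_tag, val))
    else:
        el.text = "" if value is None else str(value)
    return el


def json_to_xml(body: str, root: str = "SaleOrder") -> str:
    """Integration-response direction: backend JSON -> client XML."""
    return ET.tostring(to_element(root, json.loads(body)), encoding="unicode")


def element_to_obj(el: ET.Element):
    """Leaf -> text; element with children -> dict; repeated tag -> list."""
    if len(el) == 0:
        return el.text or ""
    obj: dict = {}
    for child in el:
        val = element_to_obj(child)
        if child.tag in obj:
            if not isinstance(obj[child.tag], list):
                obj[child.tag] = [obj[child.tag]]
            obj[child.tag].append(val)
        else:
            obj[child.tag] = val
    return obj


def xml_to_obj(body: str) -> dict:
    """Integration-request direction: client XML -> dict for a JSON backend.
    ET.fromstring does not fetch external entities (Python 3.7.1+), but for
    untrusted XML prefer defusedxml, which also caps entity expansion."""
    root = ET.fromstring(body)
    return {root.tag: element_to_obj(root)}


def naive_template(data: dict) -> str:
    """A template that interpolates a field without escaping, which is what
    a VTL template does when it writes $input.path('$.Status') straight
    into XML: a value containing markup turns into structure."""
    return f"<SaleOrder><Status>{data['Status']}</Status></SaleOrder>"


def escaped_template(data: dict) -> str:
    """Same template with the escaping step a hand-written one must do."""
    return f"<SaleOrder><Status>{escape(data['Status'])}</Status></SaleOrder>"


def child_tags(xml_text: str) -> list:
    """Tags directly under the root; shows whether markup leaked in."""
    return [child.tag for child in ET.fromstring(xml_text)]
```

Note that the round trip loses JSON types: `Qty` comes back as the string `"2"`, which is why a template that feeds an XML client's request into a typed JSON backend has to cast or validate fields rather than pass them through.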
- 70. Q3: How do you debug API Gateway problems?
- 71. API Gateway log categories
● CloudWatch Logs
● API logging for a stage (execution logs)
● Custom access logging (per stage)
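Access logs are also where the per-key usage statistics asked for earlier come from. The following is an added illustration, not 91APP's tooling: a JSON access-log format to set on the stage (each `$context` variable is real API Gateway syntax; the selection is this example's), constructed sample lines as CloudWatch Logs would hold them, and an aggregation that turns them into a per-key view of requests, throttled calls, forbidden calls and which services a key touched. A key collecting 403s across services it was never entitled to is exactly the "customer's partner is calling us and we don't know" case from the problem statement. Key ids, addresses and paths are made up.

```python
"""Per-API-key usage and abuse statistics from API Gateway access logs.
Added illustration, not 91APP's tooling: the log lines below are
constructed to look like output of the JSON access-log format shown."""
import json
from collections import defaultdict

# Access-log format to set on the stage.  Every $context variable here is
# real API Gateway syntax; which ones to log is this example's choice.
ACCESS_LOG_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "ip": "$context.identity.sourceIp",
    "apiKeyId": "$context.identity.apiKeyId",
    "requestTime": "$context.requestTime",
    "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath",
    "status": "$context.status",
    "responseLatency": "$context.responseLatency",
    "error": "$context.error.message",
})

# Constructed sample log lines, one JSON object per line as CloudWatch Logs
# would store them.  Key ids, IPs and paths are made up; "-" is an unset field.
SAMPLE_LOG = """\
{"requestId":"r-0001","ip":"203.0.113.10","apiKeyId":"key-cust-a","requestTime":"28/Jun/2018:10:00:01 +0000","httpMethod":"POST","resourcePath":"/order/v2/SaleOrder","status":"200","responseLatency":"120","error":"-"}
{"requestId":"r-0002","ip":"203.0.113.10","apiKeyId":"key-cust-a","requestTime":"28/Jun/2018:10:00:01 +0000","httpMethod":"POST","resourcePath":"/order/v2/SaleOrder","status":"200","responseLatency":"95","error":"-"}
{"requestId":"r-0003","ip":"203.0.113.10","apiKeyId":"key-cust-a","requestTime":"28/Jun/2018:10:00:02 +0000","httpMethod":"GET","resourcePath":"/category/v2/Categories","status":"200","responseLatency":"40","error":"-"}
{"requestId":"r-0004","ip":"198.51.100.7","apiKeyId":"key-partner-x","requestTime":"28/Jun/2018:10:00:02 +0000","httpMethod":"POST","resourcePath":"/order/v2/SaleOrder","status":"200","responseLatency":"130","error":"-"}
{"requestId":"r-0005","ip":"198.51.100.7","apiKeyId":"key-partner-x","requestTime":"28/Jun/2018:10:00:03 +0000","httpMethod":"GET","resourcePath":"/category/v2/Categories","status":"403","responseLatency":"5","error":"User is not authorized to access this resource"}
{"requestId":"r-0006","ip":"198.51.100.7","apiKeyId":"key-partner-x","requestTime":"28/Jun/2018:10:00:03 +0000","httpMethod":"GET","resourcePath":"/auth/v2/Token","status":"403","responseLatency":"4","error":"User is not authorized to access this resource"}
{"requestId":"r-0007","ip":"198.51.100.7","apiKeyId":"key-partner-x","requestTime":"28/Jun/2018:10:00:04 +0000","httpMethod":"GET","resourcePath":"/theme/v2/Theme","status":"403","responseLatency":"5","error":"User is not authorized to access this resource"}
{"requestId":"r-0008","ip":"203.0.113.10","apiKeyId":"key-cust-a","requestTime":"28/Jun/2018:10:00:05 +0000","httpMethod":"POST","resourcePath":"/order/v2/SaleOrder","status":"429","responseLatency":"1","error":"Too Many Requests"}
{"requestId":"r-0009","ip":"192.0.2.33","apiKeyId":"-","requestTime":"28/Jun/2018:10:00:06 +0000","httpMethod":"GET","resourcePath":"/order/v2/SaleOrder","status":"403","responseLatency":"2","error":"Forbidden"}
{"requestId":"r-0010","ip":"203.0.113.10","apiKeyId":"key-cust-a","requestTime":"28/Jun/2018:10:00:07 +0000","httpMethod":"POST","resourcePath":"/order/v2/SaleOrder","status":"502","responseLatency":"3010","error":"-"}
"""


def parse_log(text: str) -> list:
    """One dict per line; status and latency become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["status"] = int(rec["status"])
        rec["responseLatency"] = int(rec["responseLatency"])
        records.append(rec)
    return records


def _empty_stats() -> dict:
    base = {"requests": 0, "throttled": 0, "forbidden": 0,
            "max_latency_ms": 0, "services": set()}
    base.update({f"{c}xx": 0 for c in range(1, 6)})
    return base


def usage_by_key(records: list) -> dict:
    """Aggregate per API key id ("-" collects calls without a valid key)."""
    stats = defaultdict(_empty_stats)
    for r in records:
        s = stats[r["apiKeyId"]]
        s["requests"] += 1
        s[f"{r['status'] // 100}xx"] += 1
        if r["status"] == 429:          # throttled or over quota
            s["throttled"] += 1
        if r["status"] == 403:          # no key, bad key, or authorizer Deny
            s["forbidden"] += 1
        s["max_latency_ms"] = max(s["max_latency_ms"], r["responseLatency"])
        # First path segment is the service name in the /Service/Version/API layout
        s["services"].add(r["resourcePath"].split("/")[1])
    return dict(stats)


def suspicious_keys(stats: dict, forbidden_threshold: int = 3) -> list:
    """Keys that keep hitting 403: probing outside their entitlement."""
    return sorted(k for k, s in stats.items()
                  if s["forbidden"] >= forbidden_threshold)
```

Execution logs (the second category above) are for debugging a single request, since they contain request and response bodies and can hold customer data; access logs in a format like the one above are the ones to keep and aggregate for usage statistics.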
- 74. Q4: Can API Gateway integrate with other AWS services, such as DynamoDB, without Lambda?
- 78. Q5: What should you watch out for with rate limits?
- 79. Rate limits
● The total for a Region is fixed: an account-level limit shared by every API in that region
● It is a maximum per unit of time
● It can be set down to the level of an individual API (method)
● The rate limit can be adjusted, but the burst limit is fixed at a maximum of 5000
● A usage plan's throttle settings cannot exceed the account-level limits, and a client that trips either one receives HTTP 429
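The following token-bucket model of these limits is an added illustration, not AWS's implementation (which is distributed and best-effort, so real counts will not be this exact): an account-level bucket per Region with the default 10,000 rps and burst 5,000, a per-key bucket taken from the usage plan (the deck's Usage Plan A: rate 5000, burst 500, quota 50,000/day), and a per-key quota. It shows what a spike above the plan's burst gets back, how refill works, that keys on generous plans still share the account bucket, and that a plan cannot be configured above the account limits. Which check runs first and the rule that only admitted requests count against the quota are modelling assumptions.

```python
"""Model of API Gateway throttling: an account-level bucket per Region, a
per-key bucket from the usage plan, and a per-key quota.  Added
illustration, not AWS's implementation."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TokenBucket:
    """rate = sustained requests/second (refill), burst = bucket capacity."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class UsagePlan:
    rate: float
    burst: int
    quota: Optional[int] = None   # requests per quota period; None = unlimited


def validate_plan(rate: float, burst: int, account_rate: float = 10000,
                  account_burst: int = 5000) -> list:
    """Per-key throttle settings cannot exceed the account-level limits."""
    problems = []
    if rate > account_rate:
        problems.append(f"rate {rate} exceeds account rate {account_rate}")
    if burst > account_burst:
        problems.append(f"burst {burst} exceeds account burst {account_burst}")
    return problems


class Gateway:
    def __init__(self, account_rate: float = 10000, account_burst: int = 5000):
        self.account_rate, self.account_burst = account_rate, account_burst
        self.account = TokenBucket(account_rate, account_burst)   # shared by all keys
        self.plans: dict = {}
        self.key_plan: dict = {}
        self.key_bucket: dict = {}
        self.used: dict = {}          # quota consumed per key (reset per period)

    def add_plan(self, name: str, rate: float, burst: int,
                 quota: Optional[int] = None) -> None:
        problems = validate_plan(rate, burst, self.account_rate, self.account_burst)
        if problems:
            raise ValueError("; ".join(problems))
        self.plans[name] = UsagePlan(rate, burst, quota)

    def add_key(self, key_id: str, plan_name: str) -> None:
        plan = self.plans[plan_name]
        self.key_plan[key_id] = plan
        self.key_bucket[key_id] = TokenBucket(plan.rate, plan.burst)
        self.used[key_id] = 0

    def request(self, key_id: str, now: float) -> str:
        """Status the caller would see for one request at time `now`."""
        plan = self.key_plan.get(key_id)
        if plan is None:
            return "403 Forbidden"            # unknown or missing API key
        if plan.quota is not None and self.used[key_id] >= plan.quota:
            return "429 Limit Exceeded"       # quota for the period used up
        if not self.key_bucket[key_id].allow(now):
            return "429 Too Many Requests"    # per-key throttle from the plan
        if not self.account.allow(now):
            return "429 Too Many Requests"    # account-level throttle
        self.used[key_id] += 1
        return "200 OK"


def burst_of(gw: Gateway, key_id: str, n: int, now: float) -> Counter:
    """Fire n requests at the same instant and count the outcomes."""
    return Counter(gw.request(key_id, now) for _ in range(n))
```

The practical consequence for the deck's tiers: a customer sold "5000 rps" still cannot fire 5000 requests in the same instant through Usage Plan A, because the burst of 500 caps what arrives at once, and two Diamond customers cannot both burst 5000 in the same instant on one account, because the account bucket is shared.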
- 80. Thanks