A brief analysis of the importance of service gateways to enterprise core application architecture


This article is reprinted from the WeChat public account "New Titanium Cloud Service", written by Yang Liangchun. Please contact the New Titanium Cloud Service public account to reprint this article.

Whether you are an architect in an enterprise, cloud vendor, or service provider, when you are sorting out business scenarios, planning, and deploying application architecture, the success or failure of service gateway design and implementation is the most direct reflection of the value delivered by your system.

What is the role of a service gateway?

In short, routing, forwarding and filtering.

· Routing and forwarding: receive all external requests and forward them to the backend;

· Filtering: perform cross-cutting functions such as permission verification, rate limiting, and monitoring.

Where is the service gateway function reflected?

In recent years, with the increasing popularity of microservices and lightweight applications, API gateways have come to play a pivotal role: they not only serve as the single entry point through which enterprise application services are exposed to the outside world but, more importantly, they also extract the functions that many applications have in common.

Currently, the functions implemented by the API gateway include request distribution, conditional routing, API management, rate limiting and isolation, circuit breaking and degradation, security policies, monitoring and alerting, and call chain tracing.

1. Request Distribution

When the API gateway performs service discovery, it builds a separate namespace object for each URL prefix and its microservice application. To match a request, the gateway only needs to select the namespace for the request's URL prefix, which identifies the corresponding microservice application. The subsequent steps are handled by the existing microservice framework SDK: routing and load balancing, until the entire call is completed.

2. Conditional Routing & Grayscale Release

Conditional routing still reuses the existing microservice framework to avoid reinventing the wheel. When the gateway initializes service discovery, it creates an Invoker proxy object for each application. Within each Invoker, a separate Space is created for each group. When a request arrives, it is matched against these Spaces according to the rules to determine whether to route it to a specific group.

3. API Management

While most applications are still connected directly to the gateway instead of being aggregated behind a BFF, each interface has to be managed individually, to distinguish which interfaces are for calls between microservices and which are exposed to front-end/client calls.

4. Rate Limiting and Isolation / Circuit Breaking and Degradation

As the only entrance for north-south traffic, the API gateway requires overall governance.

Rate limiting and isolation mainly control inbound traffic on the server side. Rate limiting mainly controls QPS, and isolation mainly controls the number of concurrent requests. Through the relevant SDK (based on Prometheus), metrics data is exposed to the monitoring platform so that we can observe the flow-control status at any time.
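The following added example (not code from the original article) shows the two controls as separate gates: a token bucket that caps QPS and a semaphore that caps in-flight requests, each with its own rejection counter of the kind a metrics SDK would expose. The class name InboundGuard, the status codes 429/503 and the injected clock are assumptions made for illustration; it needs only the JDK.

```java
import java.util.concurrent.Semaphore;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.LongSupplier;

public class InboundGuard {                   // hypothetical name, not a framework class
    private final double qps, burst;          // rate limiting: sustained rate and bucket size
    private final Semaphore slots;            // isolation: cap on in-flight requests
    private final LongSupplier nanoClock;     // injected so the demo below is deterministic
    private double tokens;
    private long lastRefill;
    // Counters that a metrics SDK would expose to the monitoring platform.
    final AtomicLong rateRejected = new AtomicLong(), isolationRejected = new AtomicLong();

    InboundGuard(double qps, int burst, int maxConcurrent, LongSupplier nanoClock) {
        this.qps = qps; this.burst = burst; this.tokens = burst;
        this.slots = new Semaphore(maxConcurrent);
        this.nanoClock = nanoClock;
        this.lastRefill = nanoClock.getAsLong();
    }

    // Refill in proportion to elapsed time, then try to spend one token.
    private synchronized boolean takeToken() {
        long now = nanoClock.getAsLong();
        tokens = Math.min(burst, tokens + (now - lastRefill) / 1e9 * qps);
        lastRefill = now;
        if (tokens < 1.0) return false;
        tokens -= 1.0;
        return true;
    }

    /** Status the gateway would answer with: 200, 429 (QPS exceeded) or 503 (no free slot). */
    int handle(Runnable backendCall) {
        if (!takeToken()) { rateRejected.incrementAndGet(); return 429; }
        // A request rejected here has already spent a token; that is a design choice.
        if (!slots.tryAcquire()) { isolationRejected.incrementAndGet(); return 503; }
        try { backendCall.run(); return 200; }
        finally { slots.release(); }          // free the slot even if the backend call throws
    }

    public static void main(String[] args) {
        long[] now = {0};                     // constructed fake clock, in nanoseconds
        InboundGuard g = new InboundGuard(2, 3, 1, () -> now[0]);
        int[] nested = new int[1];
        // The outer call holds the only slot while the nested call arrives.
        int outer = g.handle(() -> nested[0] = g.handle(() -> {}));
        int third = g.handle(() -> {});       // spends the last token
        int fourth = g.handle(() -> {});      // arrives with the bucket empty
        now[0] = 1_000_000_000L;              // one second later the bucket has refilled
        int fifth = g.handle(() -> {});
        System.out.printf("outer=%d nested=%d third=%d fourth=%d fifth=%d rate=%d isolation=%d%n",
            outer, nested[0], third, fourth, fifth, g.rateRejected.get(), g.isolationRejected.get());
    }
}
```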

5. Security Strategy

For abnormal traffic such as malicious crawlers, users can manually configure rules on the gateway management and control platform; the rules are pushed to the gateway's Security Control through the configuration center and hot-updated. When a request comes in, the gateway checks it against the rules. Blocked traffic is also exposed as metrics data to the monitoring platform, so that we can view it at any time.

At the same time, the gateway logs are collected in real time by the big data analysis platform. If an IP or user is found to be abnormal, security policy rules are automatically configured on the gateway management platform, and an alarm is triggered to notify the business owner. Currently, rules can match on client IP, user ID, and other HTTP headers/attributes.

6. Monitoring and Alerting
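As an added example (not code from the original article), here is one way the hot-updated rule check could look: the whole rule list is swapped atomically on each push, requests are matched on client IP, user ID or an HTTP header, and blocked requests increment a counter for the monitoring platform. The names SecurityControl, Rule, Request and hotUpdate, the "header:<name>" field syntax and the sample values are assumptions; it needs Java 17 or later and only the JDK.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;

public class SecurityControl {                // hypothetical class, not a Zuul API
    /** One block rule: field is "ip", "userId" or "header:<name>"; value is matched exactly. */
    record Rule(String id, String field, String value) {}

    /** Constructed request view. clientIp should come from the connection or a trusted
     *  proxy, not from a client-supplied header; header names are stored in lower case. */
    record Request(String clientIp, String userId, Map<String, String> headers) {}

    // The rule list is replaced in one atomic step, so a request sees either the old
    // set or the new set, never a half-applied update, and no restart is needed.
    private final AtomicReference<List<Rule>> rules = new AtomicReference<>(List.of());
    final AtomicLong blocked = new AtomicLong();   // metric for the monitoring platform

    /** Called by a (hypothetical) configuration-center listener on each push. */
    void hotUpdate(List<Rule> pushed) {
        for (Rule r : pushed) {               // a malformed push is rejected as a whole
            boolean knownField = r.field().equals("ip") || r.field().equals("userId")
                    || r.field().startsWith("header:");
            if (!knownField || r.value() == null || r.value().isBlank())
                throw new IllegalArgumentException("bad rule " + r.id());
        }
        rules.set(List.copyOf(pushed));
    }

    /** Returns the id of the first matching rule, or null if the request may pass. */
    String check(Request req) {
        for (Rule r : rules.get()) {
            String actual = switch (r.field()) {
                case "ip" -> req.clientIp();
                case "userId" -> req.userId();
                default -> req.headers().get(r.field().substring("header:".length()).toLowerCase());
            };
            if (r.value().equals(actual)) { blocked.incrementAndGet(); return r.id(); }
        }
        return null;
    }

    public static void main(String[] args) {
        SecurityControl sc = new SecurityControl();
        // Constructed sample request (documentation IP range, made-up user agent).
        Request crawler = new Request("203.0.113.7", "u-42", Map.of("user-agent", "sample-crawler/1.0"));
        System.out.println("before push: " + sc.check(crawler));
        sc.hotUpdate(List.of(new Rule("r1", "ip", "203.0.113.7"),
                             new Rule("r2", "header:User-Agent", "sample-crawler/1.0")));
        System.out.println("after push:  " + sc.check(crawler) + ", blocked=" + sc.blocked.get());
    }
}
```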

The API gateway has comprehensive monitoring and alerting, call chain tracing, log query and other functions. Monitoring here mainly refers to querying metrics, the call chain mainly refers to querying tracing data, and logs refer to logging. These three are the typical signals in the monitoring field.

In addition, it also supports host-level alarms. Through the embedded metrics SDK, metrics are exposed on an endpoint for the monitoring center to pull. The tracing SDK is responsible for printing tracing logs. Both tracing logs and business logs are fed into the monitoring center for processing through the log collector. On the monitoring platform, users can query call chain, monitoring, and log information. Host anomalies or business anomalies in the API gateway are also reported to the owner.

Technology Selection

If you are interested in building a lightweight service gateway, the following technology selection recommendations are available:

· Development language: Java + Groovy. The advantage of Groovy is that the gateway service can dynamically add filters without restarting;

· Microservice basic framework: Spring Boot;

· Gateway infrastructure: Netflix Zuul;

· Service registration center: Consul;

· Permission verification: JWT;

· API monitoring: Prometheus + Grafana;

· API unified log collection: Logback + ELK;

· Stress testing: JMeter.
