- What's New
- Function Overview
- Product Bulletin
- Service Overview
- Getting Started
-
User Guide
- Overview
- Gateway Management
- API Group Management
- API Management
- Request Throttling
- Access Control
- Environment Management
- Signature Key Management
- VPC Channel Management
- Custom Authorizers
- Plug-ins
- Monitoring
- App Management
- Log Analysis
- SDKs
- Calling Published APIs
- Permissions Management
- Key Operations Recorded by CTS
-
Developer Guide
- Overview
- Authentication Mode Selection
- Calling APIs Through App Authentication
- Calling APIs Through IAM Authentication
- Creating a Function for Frontend Custom Authentication
- Creating a Function for Backend Custom Authentication
- Creating Signatures for Backend Requests
-
Importing and Exporting APIs
- Restrictions and Compatibility
- Extended Definition
- API Import Precautions
- Examples of Importing APIs
- API Export Precautions
-
API Reference
- Before You Start
- Calling APIs
-
Dedicated Gateway APIs (V2)
- API Group Management
- Environment Management
- Environment Variable Management
- Request Throttling Policy Management
-
API Management
- Registering an API
- Modifying an API
- Deleting an API
- Publishing an API or Taking an API Offline
- Querying API Details
- Querying APIs
- Debugging an API
- Publishing APIs or Taking APIs Offline
- Querying Historical Versions of an API
- Switching the Version of an API
- Querying the Runtime Definition of an API
- Querying API Version Details
- Taking an API Version Offline
- Signature Key Management
- Binding/Unbinding Signature Keys
- Binding/Unbinding Request Throttling Policies
- Excluded Request Throttling Configuration
- App Authorization Management
- Resource Query
- App Management
- Domain Name Management
- Access Control Policy Management
- Binding/Unbinding Access Control Policies
- Custom Authorizer Management
- API Import and Export
- VPC Channel Management
- Monitoring Information Query
- Group Response Management
- Tag Management
- Gateway Feature Management
- Configuration Management
-
Gateway Management
- Creating a Dedicated Gateway
- Querying Dedicated Gateway Details
- Updating a Dedicated Gateway
- Querying the Creation Progress of a Dedicated Gateway
- Updating or Binding an EIP to a Dedicated Gateway
- Unbinding the EIP of a Dedicated Gateway
- Enabling Public Access for a Dedicated Gateway
- Updating the Outbound Access Bandwidth of a Dedicated Gateway
- Disabling Public Access for a Dedicated Gateway
- Querying AZs
- Querying Dedicated Gateways
- Deleting a Dedicated Gateway
- Permissions Policies and Supported Actions
- Appendix
- Change History
- SDK Reference
- Best Practices
-
FAQs
- Common FAQs
-
API Creation
- Why Can't I Create APIs?
- How Do I Define Response Codes for an API?
- How Do I Specify the Host Port for a VPC Channel (or Load Balance Channel)?
- How Do I Set the Backend Address If I Will Not Use a VPC Channel (or Load Balance Channel)?
- How Can I Configure the Backend Service Address?
- Can I Specify a Private Network Load Balancer Address for the Backend Service?
- Can I Specify the Backend Address as a Subnet IP Address?
- Does APIG Support Multiple Backend Endpoints?
- What Should I Do After Applying for an Independent Domain Name?
- Can I Bind Private Domain Names for API Access?
- Why Does an API Failed to Be Called Across Domains?
-
API Calling
- What Are the Possible Causes for an API Calling Failure?
- What Should I Do If an Error Code Is Returned During API Calling?
- Why Am I Seeing the Error Message "414 Request-URI Too Large" When I Call an API?
- What Should I Do If "The API does not exist or has not been published in the environment." Is Displayed?
- Why Am I Seeing the Message "No backend available"?
- What Are the Possible Causes If the Message "Backend unavailable" or "Backend timeout" Is Displayed?
- Why Am I Seeing the Message "Backend domain name resolution failed" When a Backend Service Is Called?
- Why Doesn't Modification of the backend_timeout Parameter Take Effect?
- How Do I Switch the Environment for API Calling?
- What Is the Maximum Size of an API Request Package?
- How Do I Perform App Authentication in iOS System?
- Why Can't I Create a Header Parameter Named x-auth-token for an API Called Through IAM Authentication?
- App FAQs
- Can Mobile Apps Call APIs?
- Can Applications Deployed in a VPC Call APIs?
- How Do I Implement WebSocket Data Transmission?
- Does APIG Support Persistent Connections?
- How Will the Requests for an API with Multiple Backend Policies Be Matched and Executed?
- Is There a Limit on the Size of the Response to an API Request?
- How Can I Access Backend Services over Public Networks Through APIG?
-
API Authentication
- Does APIG Support HTTPS Two-Way Authentication?
- How Do I Call an API That Does Not Require Authentication?
- Which TLS Versions Does APIG Support?
- Does APIG Support Custom Authentication?
- Will the Request Body Be Signed for Security Authentication?
- Common Errors Related to IAM Authentication Information
- API Control Policies
- API Publishing
- API Import and Export
- API Security
-
Other FAQs
- What Are the Relationships Between an API, Environment, and App?
- How Can I Use APIG?
- What SDK Languages Does APIG Support?
- Can I Upload Files Using the POST Method?
- What Are the Error Messages Returned by APIG Like?
- How Do I Use APIG to Open Up Services Deployed on Huawei Cloud?
- Can APIG Be Deployed in a Local Data Center?
- Videos
Interconnecting with WAF
To protect API Gateway and your backend servers from malicious attacks, deploy Web Application Firewall (WAF) between API Gateway and the external network.
(Recommended) Solution 1: Register API Group Debugging Domain Name on WAF and Use the Domain Name to Access the Backend Service
API groups provide services using domain names for high scalability.
- Create an API group in a gateway, record the domain name, and create an API in the group.
Figure 2 Creating an API group and recording the subdomain name
Figure 3 Creating an API
- Go to the WAF console, and add a domain name by configuring Server Address as the API group domain name and adding a certificate. For details, see section "Connection Process (Cloud Mode)" in the Web Application Firewall User Guide.
NOTE:
You can use a public network client to access WAF with its domain name. WAF then uses the same domain name to forward your requests to API Gateway. There is no limit on the number of requests that API Gateway can receive for the domain name.
- On the gateway details page, bind the domain name to the API group.
- Enable real_ip_from_xff and set the parameter value to 1.
NOTE:
When a user accesses WAF using a public network client, WAF records the actual IP address of the user in the HTTP header X-Forwarded-For. API Gateway resolves the actual IP address of the user based on the header.
Solution 2: Forward Requests Through the DEFAULT Group and Use Gateway Inbound Access Address to Access the Backend Service from WAF
- View the inbound access addresses of your gateway. There is no limit on the number of times the API gateway can be accessed using an IP address.
- VPC Ingress Address: VPC access address
- EIP: public network access address
- Create an API in the DEFAULT group.
- Go to the WAF console, add a domain name by configuring Server Address as an inbound access address of your API gateway and adding a certificate, and then copy the WAF back-to-source IP addresses. For details, see .
NOTE:
- If WAF and your gateway are in the same VPC, set Server Address to the VPC access address.
- If your gateway is bound with an EIP, set Server Address to the EIP.
- On the gateway details page, bind the domain name to the DEFAULT group.
- Enable real_ip_from_xff and set the parameter value to 1.
NOTE:
When a user accesses WAF using a public network client, WAF records the actual IP address of the user in the HTTP header X-Forwarded-For. API Gateway resolves the actual IP address of the user based on the header.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.