Help Center/ API Gateway/ User Guide/ Gateway Management/ Creating a Dedicated Gateway
Updated on 2022-09-26 GMT+08:00

Creating a Dedicated Gateway

This section describes how to create a dedicated gateway. You can create APIs and use them to provide services only after a dedicated gateway is created.

Information on Creating a Dedicated Gateway

There are some limitations on creating a dedicated gateway. If you cannot create a dedicated gateway or a gateway fails to be created, check the following items:

  • Gateway quota

    By default, your account can be used to create five dedicated gateways in a project. To create more dedicated gateways, submit a service ticket to increase the quota.

  • Permissions

    You must be assigned both the APIG Administrator and VPC Administrator roles so that you can create dedicated gateways.

  • Number of available private IP addresses in the subnet

    The basic, professional, enterprise, and platinum editions of API Gateway require 3, 5, 6, and 7 private IP addresses in a subnet, respectively. Ensure that the subnet you choose has sufficient private IP addresses on the Virtual Private Cloud (VPC) console.

Network Environment

  • VPC

    VPC Dedicated gateways are deployed in VPCs. Cloud resources, such as Elastic Cloud Servers (ECSs), in the same VPC can call APIs using the private IP address of the dedicated gateway deployed in the VPC.

    You are advised to deploy your dedicated gateways in the same VPC as your other services to facilitate network configuration and secure network access.

    VPCs of dedicated gateways cannot be modified.

  • EIP

    To allow public inbound access to the APIs deployed in a dedicated gateway, create an Elastic IP (EIP) and bind it to the dedicated gateway.

    For APIs whose backend services are deployed on a public network, API Gateway automatically generates an IP address for public outbound access and you do not need to create an EIP.

  • Security group

    Similar to a firewall, a security group controls access to a gateway through a specific port and transmission of communication data from the gateway to a specific destination address. For security purposes, create inbound rules for the security group to allow access only on specific ports.

    The security group bound to a dedicated gateway must meet the following requirements:

    • Inbound access: To allow the APIs in the dedicated gateway to be accessed over public networks or from other security groups, add inbound rules for the security group to allow access on ports 80 (HTTP) and 443 (HTTPS).
    • Outbound access: If the backend service of an API is deployed on a public network or in another security group, add outbound rules for the security group to allow access to the backend service address through the API calling port.
    • If the frontend and backend services of an API are bound with the same security group and VPC as the dedicated gateway, no inbound or outbound rules are needed to allow access through the preceding ports.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and choose API Gateway.
  3. In the navigation pane, choose Dedicated Gateways.
  4. Click Create Dedicated Gateway. The following table describes the parameters.

    Table 1 Parameters for creating a dedicated gateway

    Parameter

    Description

    Region

    A geographic area where the gateway will be deployed. Deploy the gateway in the same region as your other services to allow all services to communicate with each other through subnets within a VPC. This reduces public bandwidth costs and network latency.

    AZ

    A physical region where resources use independent power supplies and networks. Availability zones (AZs) are physically isolated but interconnected through an internal network.

    To enhance gateway availability, deploy the gateway in multiple AZs.

    Gateway Name

    Gateway name.

    Edition

    The basic, professional, enterprise, and platinum editions are available. The number of concurrent requests allowed varies depending on the gateway edition. For more information, see Specifications.

    Scheduled Maintenance

    Time period when the gateway can be maintained. The technical support personnel will contact you before maintenance.

    Select a time period with low service demands.

    Public Inbound Access

    Determine whether to allow the APIs created in the dedicated gateway to be called by external services using an EIP. To enable this function, assign an EIP to the dedicated gateway.

    APIs in the dedicated gateway can be called using independent domain names or subdomain names. There is a limitation on the number of times that APIs in an API group can be called per day using the subdomain name. To overcome the limitation, bind independent domain names to the API group and ensure that the independent domain names have already been CNAMEd to the EIP of the dedicated gateway to which the API group belongs.

    For example, you have an HTTPS API (path: /apidemo) with public access enabled. The API can be called using "https://{domain}/apidemo", where domain indicates an independent domain name bound to the API group to which the API belongs. The independent domain name must have already been CNAMEd to the EIP of the dedicated gateway. The default port is 443.

    Public Outbound Access

    Determine whether to allow backend services of the APIs created in the dedicated gateway to be deployed on public networks. If you enable this option, set a bandwidth that meets your service requirements. The bandwidth ranges from 1 to 2000 Mbit/s and will be billed by hour based on the pricing of the EIP service.

    Network

    Select a VPC and subnet for the dedicated gateway.

    Cloud resources (such as ECSs) within the same VPC can call APIs using the private IP address of the dedicated gateway.

    Deploy the dedicated gateway in the same VPC as your other services to facilitate network configuration and secure network access.

    Security Group

    Select a security group to control inbound and outbound access.

    If the backend service of an API is deployed on an external network, configure security group rules to allow access to the backend service address through the API calling port.

    NOTE:

    If public inbound access is enabled, add inbound rules for the security group to allow access on ports 80 (HTTP) and 443 (HTTPS).

    Description

    Description of the gateway.

  5. Click Next.
  6. If the gateway configurations are correct, and submit the request. The creation progress is displayed on the interface.

Follow-Up Operations

After the gateway is created, you can create and manage APIs on the console of the gateway. The Gateway Information page shows the gateway details, network configurations, API resources, and metrics.

You can modify the gateway name, description, scheduled maintenance time window, security group, and EIP.