Notes and Constraints

Gateway

**Table 1** Gateway notes and constraints
Item	Restrictions
Permissions	You must be assigned both the APIG Administrator and VPC Administrator roles so that you can create gateways. Alternatively, you must be attached the APIG FullAccess policy. For details about how to use custom policies, see APIG Custom Policies.
Network	If you use 192.x.x.x or 10.x.x.x, APIG uses 172.31.32.0/19 as the internal subnet. If you use 172.x.x.x, APIG uses 192.168.32.0/19 as the internal subnet.
Number of available private IP addresses in the subnet	The basic, professional, enterprise, and platinum editions of APIG require 3, 5, 6, and 7 private IP addresses. A platinum X requires 4 more private IP addresses than the previous edition. For example, platinum 2 requires 11 private addresses, and platinum 4 requires 19 private addresses. Check that the subnet you choose has sufficient private IP addresses on the VPC console.
Load	VPCs (workloads) where gateways have been deployed cannot be changed. The LVS and ELB load balancing modes are available. Currently, the LVS mode is supported only in LA-Mexico City1 and CN North-Beijing1. The ELB mode is supported in other regions.
Specifications	During the specification change, the persistent connection is intermittently disconnected and needs to be re-established. You are advised to change the specification during off-peak hours. Specifications can be upgraded but cannot be downgraded. Changing the gateway edition will also change the private network access IP addresses. Modify your firewall or whitelist configuration if necessary for service continuity. Do not perform any other operations on the gateway. After the change is complete, adjust the firewall or whitelist configuration based on service requirements. During the specification modification, the metric may fluctuate slightly.
Security group	Security groups do not take effect after gateways are purchased in regions except LA-Mexico City1 and CN North-Beijing1. To disable access from specific IP addresses, see Configuring API Access Control.

API

**Table 2** API notes and constraints
Item	Restrictions
API group	Each API can belong to only one group.
SSL Certificate	Only SSL certificates in PEM format are supported. SSL certificates support only the RSA and ECDSA encryption algorithms.
Domain name	By default, the debugging domain name of an API group can only be resolved to a server in the same VPC as the gateway. If you want to resolve the domain name to a public network, bind an EIP to the gateway. The debugging domain name cannot be used for production services and can be used only for application debugging. Groups under the same gateway cannot be bound with a same independent domain name. If a domain name is already bound to a port, it cannot be bound to the same port again. If different ports are used for the same domain name, all ports take effect no matter whether any of them are bound to, modified, or unbound from the SSL certificate or whether client authentication is enabled or disabled. If you access backend services through a load balance channel, the port bound to the independent domain name must be the same as the access port of the backend server in the load balance channel. After an independent domain name is bound to a port, if you use an IP address to access an API in a custom group, you need to add the header parameter host to the request. The host value should include the port number for access, unless you are using the default ports 80 or 443, in which case the host value is not necessary. Accessing APIs by IP address is not advised, it requires IP certificates for SSL. Otherwise, the connection may be insecure. HTTP-to-HTTPS redirection is only suitable for GET and HEAD requests. Redirecting other requests may cause data loss due to browser restrictions. Redirection takes effect only when the API request protocol is HTTPS or HTTP&HTTPS and an SSL certificate has been bound to the independent domain name.
API policies	An API can be bound with only one policy of the same type (request throttling, proxy cache, or third-party authorizer) for a given environment, but each policy can be bound to multiple APIs. Policies are independent of APIs. A policy takes effect for an API only after they are bound to each other. When binding a policy to an API, you must specify an environment where the API has been published. The policy takes effect for the API only in the specified environment. After you bind a policy to an API, unbind the policy from the API, or update the policy, you do not need to publish the API again. Taking an API offline does not affect the policies bound to it. The policies are still bound to the API if the API is published again. Policies that have been bound to APIs cannot be deleted.
Credential	A credential can be bound to a maximum of 1,000 APIs. You can create a maximum of five AppCodes for each credential.

Quota Limits

To change the default restrictions, increase the quota. For details about parameter configuration of a dedicated gateway, see Modifying Configuration Parameters.

It takes 5 to 10 seconds for a new or modified APIG resource to take effect.
The maximum quota may be slightly exceeded in case of high concurrency, but resource usage will not be affected.

**Table 3** Dedicated API gateway quotas
Item	Default Restriction	Modifiable
Gateways	5	√
API groups	1500	√
APIs	Number of APIs for each gateway edition: Basic: 250 Professional: 800 Enterprise: 2000 Platinum: 8000	√
APIs	1000 for each group	√
Backend policies	5	√
Credentials	50. The credential quota includes the apps you have created.	√
Request throttling policies	You can create a maximum of 300 request throttling policies for each gateway. The call limit for a single user cannot exceed that for the target API. The call limit for a single app (credential) cannot exceed that for a single user. The call limit for a single IP address cannot exceed that for the target API.	√
Environments	10	√
Signature keys	200	√
Access control policies	100	√
VPC channels (load balance channels)	200	√
Variables	You can create a maximum of 50 variables for an API group in each environment.	√
Independent domain names	A maximum of five independent domain names can be bound to an API group.	√
ECSs	A maximum of 10 ECSs can be added to a VPC channel.	√
Parameters	A maximum of 50 parameters can be created for an API.	√
API publication records	A maximum of 10 publication records of an API can be retained for each environment.	√
API access rate	Up to 6000 times per second	√
Excluded applications (Credentials)	A maximum of 30 excluded apps can be added to a request throttling policy.	√
Excluded tenants	A maximum of 30 excluded tenants can be added to a request throttling policy.	√
Access to a subdomain name (debugging domain name)	A subdomain name can be accessed up to 1000 times a day.	x
Maximum size of an API request package	12 MB	√
TLS protocol	TLS 1.1 and TLS 1.2 are supported. TLS 1.2 is recommended.	√
Custom authorizers	50	√
Plug-ins	500	√
HTTP protocol	When the HTTP protocol is used, the maximum size of URL+Header is 32 KB.	x
Number of orchestration rules	5 parameter orchestration rules for each API	√

**Table 4** Quotas of shared API gateway on the old console
Item	Default Restriction	Modifiable
API groups	50	√
APIs	200	√
Backend policies	5	√
Apps	50. The app quota includes created apps and apps generated when APIs are purchased from KooGallery.	√
Request throttling policies	You can create a maximum of 30 request throttling policies. The call limit for a single user cannot exceed that for the target API. The call limit for a single app cannot exceed that for a single user. The call limit for a single IP address cannot exceed that for the target API.	√
Environments	10	√
Signature keys	30	√
Access control policies	100	√
VPC channels	30	√
Variables	You can create a maximum of 50 variables for an API group in each environment.	√
Independent domain names	A maximum of five independent domain names can be bound to an API group.	√
ECSs	A maximum of 200 ECSs can be added to a VPC channel.	√
Parameters	A maximum of 50 parameters can be created for an API.	√
API publication records	A maximum of 10 publication records of an API can be retained for each environment.	√
API access rate	Up to 200 times per second	√
Excluded apps	A maximum of 30 excluded apps can be added to a request throttling policy.	√
Excluded tenants	A maximum of 30 excluded tenants can be added to a request throttling policy.	√
Access to a subdomain name	A subdomain name can be accessed up to 1000 times a day.	x
Maximum size of an API request package	12 MB	x
Custom authorizers	20	√

Previous topic: Certificates

Next topic: Permissions Management

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot