Updated on 2024-11-27 GMT+08:00

Overview

This document summarizes practices for common application scenarios of API Gateway (APIG). Each practice includes a detailed solution description and operation guidance, helping you easily build your services based on APIG.

Table 1 APIG best practices

| Practice | Description |
| --- | --- |
| Selectively Exposing CCE Workloads with a Dedicated Gateway | You can use APIG to selectively expose your workloads and microservices in Cloud Container Engine (CCE). |
| Selectively Exposing Service Capabilities of a Data Center Using a Dedicated Gateway | You can use APIG to set up a connection between your on-premises data center and the gateway (or the VPC bound to the gateway). |
| Developing a Custom Authorizer with FunctionGraph | Custom authentication is implemented using the FunctionGraph service. You can create a FunctionGraph function so that APIG can invoke it to authenticate requests for your API. |
| Exposing Backend Services Across VPCs Using a Dedicated Gateway | If the VPC of your backend server is different from that of your gateway, you can expose your backend service through cross-VPC interconnection. |
| Using WAF to Protect APIG | To protect APIG and your backend servers from malicious attacks, deploy Web Application Firewall (WAF) between APIG and the external network. |
| Using Request Throttling 2.0 for Fine-grained Request Throttling | As users and their demands become more diversified, the traditional policies cannot meet the requirements for more refined rate limiting. To resolve this issue, APIG has launched request throttling 2.0, which is a type of plug-in policy. The 2.0 policies enable you to configure more refined throttling, for example, to throttle requests based on a certain request parameter or tenant. |
| Configuring Two-factor Authentication (App + Custom) | APIG allows you to configure a custom authorizer for two-factor authentication. |
| HTTP-to-HTTPS Auto Redirection with a Dedicated Gateway | HTTP APIs are insecure in transmission and authentication. You can upgrade them for access over HTTPS while ensuring HTTP compatibility. |
| Routing gRPC Service Requests Using a Dedicated Gateway | When you use a gRPC service, you can create an API in APIG to route requests for the service. |
| Configuring One-Way or Two-Way Authentication Between the Dedicated Gateway and Client | If the API frontend supports HTTPS, you need to add an SSL certificate for the independent domain name bound to the API group. An SSL certificate is used for data encryption and identity authentication. If an SSL certificate contains a CA certificate, client authentication (two-way authentication) is enabled by default. Otherwise, one-way authentication is used. |
| Calling Different Backend Services Using a Dedicated Gateway | APIG allows you to define multiple backend policies and forward API requests to different backends based on these policies. For example, to distinguish special calls from regular calls, you can define a policy backend that uses frontend custom authentication parameters. |
| Forwarding WebSocket Service Requests Using a Dedicated Gateway | You can create WebSocket APIs in the same way as you create HTTP APIs. WebSocket is a protocol for full-duplex communication over a single TCP connection. |