Gateways and API Gateways

Definition of a gateway

A gateway, also known as a protocol converter, is, as the name suggests, the "gate" through which one network connects to another. Gateways interconnect networks at the transport layer and above; they are the most complex of the internetworking devices and are used only to interconnect two networks whose higher-layer protocols differ.

1. Gateway structure

A gateway is structured much like a router; the difference lies in the layer at which they interconnect. Gateways can be used for WAN interconnection as well as for LAN interconnection.

2. Gateway function

A gateway is a computer system or device that performs conversion tasks. Between systems that use different communication protocols, data formats or languages, or even entirely different architectures, the gateway acts as a translator.

Whereas a bridge simply passes information along, a gateway repackages the information it receives to meet the needs of the destination system. A gateway can also provide filtering and security functions. Most gateways operate at the top of the OSI seven-layer model, the application layer.

3. Classification of gateways

In OSI terms there are two kinds of gateway: connection-oriented and connectionless. When two subnets are far apart, a gateway is often split into two halves joined by an intermediate link; these are called half-gateways.

Other classification criteria yield other types of gateway. The gateway of the TCP/IP protocol suite is the most common, and the "gateway" discussed here refers to the gateway in TCP/IP.

The essence of a gateway

A gateway is essentially the IP address on a network that leads to other networks.

For example, take networks A and B. Network A uses the IP address range 192.168.1.1 ~ 192.168.1.254 with subnet mask 255.255.255.0; network B uses 192.168.2.1 ~ 192.168.2.254 with subnet mask 255.255.255.0.

Without a router the two networks cannot communicate over TCP/IP, even if they are connected to the same switch (or hub): based on the subnet mask (255.255.255.0), TCP/IP determines that hosts on the two networks are on different networks.

For the two networks to communicate, traffic must go through a gateway.

If a host on network A finds that a packet's destination host is not on the local network, it hands the packet to its own gateway. The gateway of network A forwards it to the gateway of network B, and network B's gateway forwards it to the destination host on network B. Packets from network B to network A are forwarded the same way.

The default gateway is the gateway a host sends a packet to when it has no other usable gateway for it; that gateway then handles the packet. The "gateway" configured on hosts today generally means the default gateway. So once the gateway IP address is set, TCP/IP can communicate across different networks.
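The forwarding decision described above, in which the subnet mask alone decides whether a destination is local, is worth seeing in code. The following Python is an added example, not part of the original article, using the two networks from the text; the host address 192.168.1.10 and the gateway addresses 192.168.1.1 / 192.168.2.1 are assumed for illustration, as is the assumption that network A's gateway has a route to network B's gateway.

```python
import ipaddress
from typing import List, Optional


def next_hop(src_ip: str, netmask: str, default_gateway: Optional[str], dst_ip: str) -> str:
    """Decide where a host sends a packet destined for dst_ip.

    Returns "direct" when the destination is on the host's own subnet, the
    default gateway's address when it is not, and "unreachable" when no
    gateway is configured.  Only the subnet mask is consulted, which is
    exactly how TCP/IP concludes that 192.168.1.x and 192.168.2.x (both
    masked with 255.255.255.0) are different networks.
    """
    local_net = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(dst_ip) in local_net:
        return "direct"
    if default_gateway is None:
        return "unreachable"
    return default_gateway


def packet_path(src_ip: str, src_mask: str, src_gateway: Optional[str],
                dst_ip: str, dst_gateway: str) -> List[str]:
    """Hop-by-hop path: A-host -> A-gateway -> B-gateway -> B-host.

    Assumption for the example: the source network's gateway knows the route
    to the destination network's gateway, which then delivers locally.
    """
    hops = [src_ip]
    hop = next_hop(src_ip, src_mask, src_gateway, dst_ip)
    if hop == "unreachable":
        return hops + ["unreachable"]
    if hop == "direct":
        return hops + [dst_ip]
    return hops + [hop, dst_gateway, dst_ip]


if __name__ == "__main__":
    # Constructed hosts on the two example networks (A = 192.168.1.0/24, B = 192.168.2.0/24).
    print(next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", "192.168.1.20"))
    print(packet_path("192.168.1.10", "255.255.255.0", "192.168.1.1", "192.168.2.20", "192.168.2.1"))
```

Note that changing only the mask to 255.255.0.0 makes the same two addresses "direct" neighbours: the mask, not the addresses, decides whether a gateway is involved.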

What is an API Gateway?


In daily work we hear the word "gateway" in many contexts. Here it refers specifically to the API Gateway: literally, the unified entry point for all API calls, where the gateway layer is responsible for access and for returning output.

When do we need an API gateway? The following traces the evolution from a monolithic application to microservices. Recall the monolith era: the business was simple and the team small, so we often put several functions into a single application that was deployed and tested as one unit, as shown below:


 
[Figure: 1.png]

As the business grew rapidly and the organization expanded, all functions still ran in a single Tomcat, so updating any one function module meant updating the whole program. One change affects everything, and the system becomes hard to maintain.
When the monolith can no longer keep up with growing demand, microservices appear. Following the microservice idea, the monolith is split: functions that used to live together in one application (such as products and orders) are separated so that each functional module is released, operated and maintained on its own. This resolves the drawbacks of the monolith, as shown below:


 
[Figure: 2.png]

At this point there is still no API Gateway. The iOS, Android and PC clients that call the services now need several URL addresses: orders, products, users. After the microservice split a unified entry point is needed, and that is where the API Gateway comes in. It solves the problems of service invocation and unified access under microservices, as shown below:


 
[Figure: 3.png]

With an API Gateway in place, each service provider team can focus on its own business logic, while the API Gateway team concentrates on security, traffic, routing and similar concerns.
Looking at the diagram above, you may think of something similar to a gateway: a proxy. The difference is that a proxy simply passes data through transparently and does not change the protocol, whereas a gateway, besides passing data through, is also designed to convert protocols. In the figure above the request from the user to the gateway is HTTP, but by the time the gateway passes it on downstream it may have been converted into the company's internal RPC (an in-house RPC framework such as JSF, or Dubbo, for example).

Basic functions of an API Gateway


The basic functions of an API Gateway are unified access, protocol adaptation, traffic management and fault tolerance, and security; these four form the core of the gateway. The gateway's primary job is unified access; it then converts the request's interface protocol to the internal protocol, protects its own overall stability during the call with fault-tolerance measures such as rate limiting, degradation and circuit breaking, and also applies basic security measures such as anti-abuse controls and black/white lists (for example an IP whitelist), as shown below:


 
[Figure: 4.png]

API Gateway architecture example


Beyond the four basic functions, a well-running gateway also needs a registry (for example, API definitions published as dynamic configuration and read from ZooKeeper). For performance, all heterogeneous data is cached (for example in Redis), and a local cache can be combined with it to improve the gateway further. To raise throughput, NIO plus Servlet 3 asynchronous processing can be used; the asynchronous nature of Servlet 3 also separates the service thread from the request thread, which is the basis for isolating work in dedicated thread pools later. Access logs can go to HBase. If the gateway is to be used as an open gateway, an OAuth 2.0 authorization center is needed. Nginx + Lua can also be added to perform basic parameter checks on requests, so that simple cases are handled more cheaply at the access layer. An example of the overall gateway architecture is shown below:


 
[Figure: 5.png]

Summary


This article traced the evolution from a monolithic system to a microservice system, introduced the concept of the API Gateway, then described the basic functions of an API Gateway and showed a production gateway architecture diagram. Through this article you can gain a basic understanding of what an API Gateway is.



Author: RelaxHeart
Link: https://www.jianshu.com/p/7baab672b822

Suppose you are building an e-commerce website. It will involve many back-end microservices, such as membership, products and recommendations.


This raises a question: how do the app and the browser reach the back-end services? If the business is simple, each service can be given its own domain name (https://service.api.company.com), but this approach has several problems:

  • Every service needs its own authentication, rate limiting, permission checks and so on. If each service builds these on its own and reinvents the wheel, it is tedious work; better to pull this logic out and do it in one place.
  • Early on, while traffic is simple, this works, but as the business grows complex (at Taobao or Amazon, opening one page may involve hundreds of microservices working together), giving each microservice its own domain name makes the client code hard to maintain, with hundreds of domain names to deal with, and also creates a connection-count bottleneck: imagine opening an app and finding that it makes hundreds of remote calls; performance will be very poor.
  • Every time a new service goes live, operations has to get involved to apply for the domain name, configure Nginx and so on, and again when servers are added or removed. Domain names are also unfriendly to environment isolation; the caller has to pick the right domain name for each environment itself.
  • Back-end microservices may be written in different languages and use different protocols (HTTP, Dubbo, gRPC, etc.), and the client cannot be expected to handle all of them. That would be a real challenge and would make the project complex and hard to maintain.
  • If a microservice later needs to be restructured, the clients have to change along with it. For example, as the business grows the product service may need to be split into several microservices, so the externally provided services split too, and the client must be changed at the same time. Very tedious.

API Gateway


A better approach is an API Gateway: a gateway that takes over all inbound traffic, in a role similar to Nginx, forwarding every request to the back-end servers. But the gateway does not just forward; it also extends the traffic with authentication, rate limiting, authorization, circuit breaking, protocol conversion, unified error codes, caching, logging, monitoring, alerting and so on. The common logic is pulled out into the gateway, and the business side can focus on business logic and iterate faster.
By introducing an API Gateway, the client only has to interact with the gateway and no longer needs to know each business side's interfaces. Introducing one more component, however, adds a potential point of failure, so building a high-performance, stable gateway involves many considerations.
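As an added example, not the article's own code, here is a minimal filter-chain pipeline in Python showing three of the functions listed above: unified access (routing), security (an IP allowlist and API-key authentication) and a unified error envelope. The allowlisted networks, API keys and route table are constructed for illustration, and the back-end services are simulated with callables.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    path: str
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)
    attrs: Dict[str, str] = field(default_factory=dict)  # filled in by filters (caller app, target)


@dataclass
class Response:
    status: int
    body: Dict[str, object]


# Constructed policy for the example: which client networks may call in,
# which API keys belong to which client application, and the route table.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
API_KEYS = {"k-demo-123": "mobile-app"}
ROUTES = {"/api/orders": "order-service", "/api/items": "item-service"}


def error(code: str, status: int) -> Response:
    """Unified error envelope: clients never see a backend's native error format."""
    return Response(status, {"code": code, "data": None})


# A pre-filter returns None to continue the chain, or a Response to stop it early.
PreFilter = Callable[[Request], Optional[Response]]


def ip_allowlist(req: Request) -> Optional[Response]:
    """Security: reject traffic from outside the allowlisted networks before doing anything else."""
    ip = ipaddress.ip_address(req.client_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        return error("FORBIDDEN_IP", 403)
    return None


def authenticate(req: Request) -> Optional[Response]:
    """Unified authentication so each backend does not have to reimplement it."""
    app = API_KEYS.get(req.headers.get("X-Api-Key", ""))
    if app is None:
        return error("UNAUTHENTICATED", 401)
    req.attrs["app"] = app
    return None


def route(req: Request) -> Optional[Response]:
    """Unified access: map the public path to the internal service name."""
    target = ROUTES.get(req.path)
    if target is None:
        return error("NO_ROUTE", 404)
    req.attrs["target"] = target
    return None


# Order matters: the cheap network check runs first, then identity, then routing,
# so an attacker outside the allowlist learns nothing about key validity.
PRE_FILTERS: List[PreFilter] = [ip_allowlist, authenticate, route]

Backend = Callable[[Request], Response]


def handle(req: Request, backends: Dict[str, Backend]) -> Response:
    """Run the pre-filter chain, then forward to the selected backend."""
    for pre in PRE_FILTERS:
        resp = pre(req)
        if resp is not None:
            return resp
    return backends[req.attrs["target"]](req)


def demo_backends() -> Dict[str, Backend]:
    """Simulated internal services (constructed for the example)."""
    return {
        "order-service": lambda r: Response(200, {"code": "OK", "data": {"orders": [], "caller": r.attrs["app"]}}),
        "item-service": lambda r: Response(200, {"code": "OK", "data": {"items": []}}),
    }
```

Adding a new cross-cutting concern (rate limiting, logging, circuit breaking) means adding one more filter to the list; the business services behind the gateway are untouched.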

API registration

How does a business service get onto the gateway? There are generally several ways.

  • Scanning. The service side uses a scanning component, for example Spring MVC annotations combined with Swagger annotations, to implement parameter validation, document generation and SDK generation; after scanning, the services to be exposed are reported to the gateway.

  • Manual entry. For example, entering the interface path, request parameters, response parameters, invocation method and so on. This is rather tedious; with many parameters, entering them all up front is very time-consuming.

  • Configuration file import. For example via Swagger / OpenAPI, as Alibaba Cloud's API Gateway does.

Protocol conversion

Internal APIs may be implemented over various protocols, such as HTTP, Dubbo and gRPC. Many of these are unfriendly to external users, or simply cannot be exposed outside at all (Dubbo services, for example), so the gateway layer must perform protocol conversion: the user's HTTP request is converted at the gateway into the corresponding underlying protocol, for example HTTP -> Dubbo. Many details need attention here, parameter types in particular: if a type is wrong the conversion fails, and if the logs are not detailed enough the problem is hard to locate.
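As an added example, not from the article, the following Python code shows the HTTP-to-RPC mapping the paragraph describes, with typed parameter conversion and error messages that name the service, method, parameter and raw value, so that a type mismatch can be located from the log alone. The route table, service names and the stub RPC services are constructed for illustration; a real gateway would dispatch to Dubbo or gRPC clients at the last step.

```python
from typing import Any, Callable, Dict, List, Tuple


class ConversionError(Exception):
    """Raised at the gateway when an HTTP request cannot be mapped onto the RPC signature."""


# Constructed route table: (HTTP method, path) -> (RPC service, RPC method, ordered typed parameters).
RPC_ROUTES: Dict[Tuple[str, str], Tuple[str, str, List[Tuple[str, type]]]] = {
    ("GET", "/api/item"): ("ItemService", "getItem", [("itemId", int)]),
    ("GET", "/api/item/search"): ("ItemService", "search",
                                  [("keyword", str), ("limit", int), ("inStock", bool)]),
}


def _parse_bool(raw: str) -> bool:
    """Accept only explicit true/false; '1', 'yes' and the like are rejected rather than guessed."""
    return {"true": True, "false": False}[raw.lower()]


_PARSERS: Dict[type, Callable[[str], Any]] = {int: int, str: str, bool: _parse_bool}


def http_to_rpc(method: str, path: str, query: Dict[str, str]) -> Tuple[str, str, List[Any]]:
    """Convert HTTP query parameters (always strings) into a typed RPC argument list."""
    try:
        service, rpc_method, signature = RPC_ROUTES[(method, path)]
    except KeyError:
        raise ConversionError(f"no RPC mapping for {method} {path}")
    args: List[Any] = []
    for name, typ in signature:
        if name not in query:
            raise ConversionError(
                f"{service}.{rpc_method}: missing parameter '{name}' (expected {typ.__name__})")
        raw = query[name]
        try:
            args.append(_PARSERS[typ](raw))
        except (ValueError, KeyError):
            # Name everything needed to locate the mismatch from the log line alone.
            raise ConversionError(
                f"{service}.{rpc_method}: parameter '{name}'={raw!r} is not a valid {typ.__name__}")
    return service, rpc_method, args


def invoke(method: str, path: str, query: Dict[str, str],
           stubs: Dict[str, Callable[..., Any]]) -> Any:
    """Gateway-side dispatch: convert the request, then call the internal stub 'Service.method'."""
    service, rpc_method, args = http_to_rpc(method, path, query)
    return stubs[f"{service}.{rpc_method}"](*args)


def demo_stubs() -> Dict[str, Callable[..., Any]]:
    """Stand-ins for the internal RPC services (constructed for the example)."""
    return {
        "ItemService.getItem": lambda item_id: {"id": item_id, "name": f"item-{item_id}"},
        "ItemService.search": lambda keyword, limit, in_stock: {
            "keyword": keyword, "limit": limit, "inStock": in_stock},
    }
```

Because every value crossing the boundary is parsed against a declared type, an untyped string from the client never reaches the internal service; the gateway either produces a correctly typed argument or a descriptive ConversionError that can be logged and returned as a unified error code.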

Service discovery

As the traffic entry point, the gateway forwards requests, but first it needs to know whom to forward to, i.e. how to address the service. There are several ways:

  • Hard-coded addresses in code or configuration files. Crude, but usable, for example when services still run on physical machines whose IPs rarely change; scaling in or out and taking applications offline becomes troublesome, and the gateway has to implement its own health-check mechanism.
  • Domain names. Also a reasonable option, applicable to all languages, but for internal services going through a domain name is inefficient, and environment isolation is unfriendly: the staging and production environments usually share the same database, so the gateway may read the same domain name and a staging call from the gateway ends up at the production service.
  • Registry. A registry avoids the problems above. Even in a container environment where node IPs change frequently, the registry maintains the node list and this is transparent to the gateway. Normal application offlining, as well as abnormal crashes, is detected by the registry's health-check mechanism and fed back to the gateway in real time. A registry also adds no performance overhead: with domain names, the extra DNS resolution and Nginx forwarding add hops and cost performance, whereas with a registry the gateway talks point to point to the business side with no extra loss.

Service invocation

Since the gateway talks to many different protocols, it may need to implement several invocation paths, such as HTTP and Dubbo. For performance these should all be asynchronous, and both HTTP and Dubbo support asynchronous calls; for example, Apache provides an NIO-based asynchronous HTTP client.
Because the gateway involves many asynchronous calls (interceptors, HTTP client, Dubbo, Redis, etc.), the style of asynchronous code matters: callback- or future-based code nests deeply and becomes unreadable. Zuul and Spring Cloud Gateway offer a reference here: restructure the flow in reactive style.

Graceful offline

Graceful offlining is a concern for the gateway because it involves many underlying protocols, such as HTTP and Dubbo, and HTTP can be further subdivided, e.g. by domain name or by registry. Some of these support graceful offlining themselves; Nginx, for example, supports a health-check mechanism, and if it detects that a node has gone down it removes that node. For normal application offlining, this must be combined with the deployment system: first take the node offline logically, have the subsequent Nginx health-check requests return failure directly (e.g. return 500), wait for a period of time (determined by the Nginx configuration), and only then actually take the application offline. Registries generally only support manual offlining, so in the logical-offline phase you call the registry's interface to take the node offline; some registries do not support proactive offlining, and the configuration must be combined with caching so the application's offlining is delayed. Dubbo and other protocols work on similar principles.
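As an added example, not from the article, this Python registry shows both the registry-based service discovery from the previous section (heartbeat-based health checks, crashed nodes dropping out automatically, point-to-point node selection by the gateway) and the two-step graceful offlining just described: a node is first marked draining so it receives no new traffic, and only later deregistered. Service names, addresses and the heartbeat TTL are constructed; a real gateway would get the same information from ZooKeeper, Nacos or a similar registry.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Node:
    address: str
    last_heartbeat: float
    draining: bool = False  # logically offline: gets no new traffic but is not yet removed


class Registry:
    """In-memory registry standing in for ZooKeeper/Nacos.  Time is passed in
    explicitly (seconds) so the behaviour is deterministic."""

    def __init__(self, heartbeat_ttl: float) -> None:
        self.ttl = heartbeat_ttl
        self.services: Dict[str, Dict[str, Node]] = {}
        self._rr: Dict[str, int] = {}  # round-robin cursor per service

    def register(self, service: str, address: str, now: float) -> None:
        self.services.setdefault(service, {})[address] = Node(address, now)

    def heartbeat(self, service: str, address: str, now: float) -> None:
        node = self.services.get(service, {}).get(address)
        if node is not None:
            node.last_heartbeat = now

    def drain(self, service: str, address: str) -> None:
        """Graceful offline, step 1: stop handing the node new requests."""
        node = self.services.get(service, {}).get(address)
        if node is not None:
            node.draining = True

    def deregister(self, service: str, address: str) -> None:
        """Graceful offline, step 2: remove the node once in-flight requests have finished."""
        self.services.get(service, {}).pop(address, None)

    def healthy(self, service: str, now: float) -> List[str]:
        """Nodes that heartbeated within the TTL and are not draining.

        A crashed node simply stops heartbeating and drops out on its own;
        no manual action or gateway-side probe is needed."""
        return sorted(
            addr for addr, node in self.services.get(service, {}).items()
            if not node.draining and now - node.last_heartbeat <= self.ttl
        )

    def pick(self, service: str, now: float) -> Optional[str]:
        """What the gateway calls before forwarding: round-robin over healthy nodes."""
        nodes = self.healthy(service, now)
        if not nodes:
            return None
        cursor = self._rr.get(service, 0)
        self._rr[service] = cursor + 1
        return nodes[cursor % len(nodes)]
```

The deployment system drives the sequence drain, wait (long enough for the gateway's node list to refresh and in-flight requests to finish), deregister, stop the process; skipping the wait is what produces the burst of errors the paragraph warns about.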

Performance

As the entry point for all traffic, the gateway's performance is paramount. Most early gateways were built on the synchronous blocking model, such as Zuul 1.x. The problem with this model is well known: each request/connection occupies one thread, and threads are a heavy resource in the JVM (Tomcat defaults to 200 threads). If the gateway does no isolation, then network delays, full GC, slow third-party services or slow upstream services can easily exhaust the thread pool, so new requests are rejected while the existing threads are in fact blocked on I/O and system resources are under-used. It is also vulnerable to network latency, disk I/O and so on. Timeouts must be set carefully; if they are set badly and service isolation is imperfect, one slow interface can easily bring down the whole gateway.

The asynchronous model is completely different. Usually one thread per CPU core handles all requests and responses. A request's life cycle is no longer pinned to one thread; its stages are handed to different thread pools, so system resources are used more fully. Because a thread is no longer tied to one connection, the resources a connection occupies are much lower: just a file descriptor plus a few listeners, whereas in the blocking model each connection monopolizes a thread, a very important resource. Slow upstreams and slow services are also greatly mitigated: in the blocking model a slow request monopolizes a thread, but after going asynchronous a single connection occupies so few resources that the system can handle a large number of requests.
Good asynchronous gateway choices on the JVM are Zuul 2, Spring Cloud Gateway and the like; you can also build your own on Netty, Spring Boot 2.x WebFlux, Vert.x or Servlet 3.1 asynchronous support.

Cache

For some idempotent GET requests, a cache layer can be added at the gateway according to the Cache-Control header the service side specifies, backed by a secondary cache such as Redis. Repeated requests can then be answered directly at the gateway without hitting the business service, reducing pressure on the service side. If the service nodes go down, the gateway can also return its own cached response.
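As an added example, not the article's code, the following Python cache honours the service's Cache-Control max-age for idempotent GETs, refuses to store responses marked no-store or private, and serves a stale entry when the upstream is down, which is the fallback the paragraph mentions. The fetch callables and headers are constructed; the in-memory dict stands in for Redis and time is passed in explicitly.

```python
import re
from typing import Callable, Dict, Optional, Tuple

Headers = Dict[str, str]
Fetch = Callable[[], Tuple[Headers, bytes]]  # calls the upstream; returns (response headers, body)


class UpstreamDown(Exception):
    """Raised by the fetch callable when the service nodes are unreachable."""


class GatewayCache:
    """Response cache for idempotent GETs, driven by the Cache-Control header the service sets."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[float, bytes]] = {}  # url -> (expires_at, body)

    @staticmethod
    def _max_age(headers: Headers) -> Optional[int]:
        """Honour the service's directive: no-store/private are never cached at a shared
        gateway, max-age gives the TTL, anything else is not cached at all."""
        cc = headers.get("Cache-Control", "")
        if "no-store" in cc or "private" in cc:
            return None
        m = re.search(r"max-age=(\d+)", cc)
        return int(m.group(1)) if m else None

    def get(self, method: str, url: str, fetch: Fetch, now: float) -> Tuple[bytes, str]:
        """Return (body, source) where source is one of hit / miss / stale / bypass."""
        if method != "GET":
            return fetch()[1], "bypass"  # non-idempotent methods always go to the service
        entry = self._store.get(url)
        if entry is not None and now < entry[0]:
            return entry[1], "hit"
        try:
            headers, body = fetch()
        except UpstreamDown:
            if entry is not None:
                return entry[1], "stale"  # service down: serve the expired copy instead of an error
            raise
        ttl = self._max_age(headers)
        if ttl:
            self._store[url] = (now + ttl, body)
        return body, "miss"
```

The cache key here is the URL only, which is correct solely for responses that do not depend on who is asking; anything personalised must either be marked private by the service (and is then not cached) or be keyed by the caller's identity as well, otherwise one user can be served another user's data.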

Rate limiting

Rate limiting is a necessary component for every business. Without it, a sudden surge in requests can easily bring a business service down. During big promotions such as Double 11 and Double 12, request volume on an interface is usually several times normal; if capacity was not assessed properly and no rate limiting is in place, the whole service can easily become unavailable. Limiting policies therefore have to be set according to the processing capacity of the business side's interfaces. Everyone has probably seen the degraded pages Taobao or Baidu show when grabbing a red envelope.
So rate limiting policy must be done well at the access layer. Non-core interfaces can be degraded outright to protect the availability of core services; for core interfaces, obtain the interface capacity through load testing and set the corresponding limiting policy. Rate limiting comes in two categories:

  • Standalone. High performance, no remote calls, only local counting, with minimal impact on interface RT. But consider what the limit applies to: a single gateway node, or the whole gateway cluster? If the whole cluster, the limit has to be adjusted whenever the gateway scales in or out.
  • Distributed. The current call count for each interface is kept in a distributed store such as Redis or Sentinel. This involves remote calls, so there is some performance cost, and the store going down has to be planned for: if Redis fails, the gateway needs a degradation plan, either falling back to local limiting or switching the limiter off.
    There are also different algorithms: simple counting, token bucket and so on. In most scenarios simple counting is good enough, but if bursty traffic has to be supported, token bucket and similar schemes can be used. Consider too which dimension to limit on, such as IP, interface, user, or specific parameter values in the request; an expression-based rule is flexible here.
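The following Python code is an added example, not from the article, showing both categories: a standalone token bucket keyed by a chosen dimension (IP, interface, user, or a combination), and a distributed fixed-window counter in a shared store that degrades to the local limiter when the store is unreachable, rather than failing open. The in-memory FakeStore stands in for Redis, and the limits are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class _Bucket:
    tokens: float
    last: float


class LocalLimiter:
    """Standalone (per gateway node) token bucket, keyed by any limiting dimension.
    capacity is the permitted burst; refill_per_sec is the sustained rate."""

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.rate = refill_per_sec
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, key: str, now: float) -> bool:
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = _Bucket(tokens=float(self.capacity), last=now)
        # Refill proportionally to elapsed time, never above capacity.
        b.tokens = min(float(self.capacity), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


class StoreDown(Exception):
    """The shared counter store (Redis in production) is unreachable."""


class FakeStore:
    """In-memory stand-in for Redis INCR; set .down = True to simulate an outage."""

    def __init__(self) -> None:
        self.counts: Dict[str, int] = {}
        self.down = False

    def incr(self, key: str) -> int:
        if self.down:
            raise StoreDown(key)
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key]


class DistributedLimiter:
    """Cluster-wide fixed-window counter.  When the store is down it degrades to the
    local limiter instead of failing open (no limit at all) or closed (rejecting everything)."""

    def __init__(self, store: FakeStore, limit_per_window: int, window_sec: int,
                 fallback: LocalLimiter) -> None:
        self.store = store
        self.limit = limit_per_window
        self.window = window_sec
        self.fallback = fallback

    def allow(self, key: str, now: float) -> bool:
        window_key = f"{key}:{int(now // self.window)}"
        try:
            n = self.store.incr(window_key)
        except StoreDown:
            return self.fallback.allow(key, now)
        return n <= self.limit


def limit_key(dimension: str, client_ip: str, api: str, user: Optional[str] = None) -> str:
    """Build the counter key for a dimension such as 'ip', 'api', 'user' or 'api+user'."""
    values = {"ip": client_ip, "api": api, "user": user or "anonymous"}
    return ":".join(f"{d}={values[d]}" for d in dimension.split("+"))
```

With a real Redis the increment and the key's expiry must be set atomically (a Lua script or a pipeline with INCR and EXPIRE); the fallback limiter's capacity should be the cluster limit divided by the number of gateway nodes, which is the scaling caveat the standalone bullet raises.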

Stability

Stability is a very important part of the gateway. Monitoring and alerting must be complete before anything else: per-interface call volume, response time, exceptions, error codes and success rate with alerts on them, plus thread-pool metrics such as active threads and queue backlog, and system-level metrics such as CPU, memory and full GC.
Since the gateway is the entry point for all services, its stability requirements are higher than other services'. Ideally it runs steadily with as few restarts as possible, but new features or extra logging to troubleshoot a problem inevitably require redeployment. Zuul's approach is a useful reference: all core functionality is implemented as interceptors, the interceptor code is written in Groovy, stored in a database, and supports dynamic loading, compilation and execution. A problem can thus be located and resolved immediately, and a new gateway feature just means adding a new interceptor and loading it dynamically, with no redeployment.

Circuit breaking and degradation

The circuit-breaking mechanism is very important. If one service goes down or its interface times out badly, that single interface can drag the whole gateway down, so circuit breaking and degradation must be added: when a specified error occurs, the gateway directly returns a degraded response for that interface. This can be built on Hystrix or Resilience4j.
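As an added example, not from the article and not Hystrix or Resilience4j code, here is the closed / open / half-open state machine that those libraries implement, in Python, returning a fallback response while the circuit is open so the gateway fails fast instead of waiting on a dead upstream. The thresholds and the simulated upstream are constructed; time is passed in explicitly so the behaviour is deterministic.

```python
from typing import Any, Callable


class CircuitBreaker:
    """closed: calls pass, consecutive failures are counted.
    open: calls return the fallback immediately for open_for seconds (fail fast).
    half-open: one trial call is let through; success closes, failure re-opens."""

    def __init__(self, failure_threshold: int, open_for: float) -> None:
        self.failure_threshold = failure_threshold
        self.open_for = open_for
        self.state = "closed"
        self.failures = 0
        self.opened_at = 0.0

    def call(self, fn: Callable[[], Any], fallback: Callable[[], Any], now: float) -> Any:
        if self.state == "open":
            if now - self.opened_at < self.open_for:
                return fallback()  # upstream is not even contacted while open
            self.state = "half-open"
        try:
            result = fn()  # a TimeoutError from the HTTP/RPC client counts as a failure too
        except Exception:
            self._on_failure(now)
            return fallback()
        self.failures = 0
        self.state = "closed"
        return result

    def _on_failure(self, now: float) -> None:
        self.failures += 1
        if self.state == "half-open" or self.failures >= self.failure_threshold:
            self.state = "open"
            self.opened_at = now


def degraded() -> dict:
    """Constructed degraded response in the gateway's unified envelope."""
    return {"code": "DEGRADED", "data": None}
```

One breaker per upstream interface, not one for the whole gateway: the point is that the slow or failing interface is cut off while every other route keeps working.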

Logging

Since all requests pass through the gateway, logging needs to be fairly complete: interface latency, request method, client IP, request parameters and response parameters (note: these must be desensitized), and so on. Also, since many microservices may be involved, a unified traceId should be provided to correlate all of the logs; this traceId can be placed in the response header to aid troubleshooting.
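As an added example, not from the article, the following Python code builds the access-log record the paragraph describes: it masks sensitive fields before logging, reuses or mints a traceId, and returns it in a response header. The list of sensitive field names, the header name X-Trace-Id and the sample request are constructed. The format check on an incoming traceId is there so that a client cannot inject arbitrary text into the logs or hide its requests under a forged ID.

```python
import json
import re
import uuid
from typing import Any, Dict

# Constructed list of field names whose values must never reach the logs in clear.
SENSITIVE_KEYS = {"password", "token", "idCard", "cardNo", "phone"}
TRACE_HEADER = "X-Trace-Id"
_TRACE_ID = re.compile(r"[0-9a-f]{32}")


def mask(value: Any) -> str:
    """Keep only the first and last two characters so a value can still be matched in support cases."""
    s = str(value)
    if len(s) <= 4:
        return "*" * len(s)
    return s[:2] + "*" * (len(s) - 4) + s[-2:]


def redact(obj: Any) -> Any:
    """Recursively mask sensitive fields in request or response parameters."""
    if isinstance(obj, dict):
        return {k: (mask(v) if k in SENSITIVE_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def ensure_trace_id(headers: Dict[str, str]) -> str:
    """Reuse a well-formed incoming trace id (e.g. from an upstream gateway), otherwise mint one.
    Rejecting anything that is not 32 hex characters keeps client-controlled text out of the logs."""
    tid = headers.get(TRACE_HEADER, "")
    if not _TRACE_ID.fullmatch(tid):
        tid = uuid.uuid4().hex
    return tid


def access_log_record(trace_id: str, method: str, path: str, client_ip: str,
                      params: Dict[str, Any], response: Dict[str, Any], elapsed_ms: int) -> Dict[str, Any]:
    """The fields the paragraph lists, with parameters desensitized before they are stored."""
    return {
        "traceId": trace_id, "method": method, "path": path, "clientIp": client_ip,
        "params": redact(params), "response": redact(response), "elapsedMs": elapsed_ms,
    }


def access_log_line(*args: Any) -> str:
    """One JSON line per request, suitable for shipping to HBase or an ELK stack."""
    return json.dumps(access_log_record(*args), sort_keys=True)


def response_headers(trace_id: str) -> Dict[str, str]:
    """The same trace id is echoed to the caller so a support ticket can quote it."""
    return {TRACE_HEADER: trace_id}
```

Masking by key name only catches fields the gateway knows about; free-text or base64-encoded bodies need a content-based scan, or should not be logged in full at all.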

Isolation

For example, isolate thread pools, HTTP connection pools, Redis connections and so on at the application level. Beyond that, by business scenario, core services can be given a dedicated gateway cluster of their own, isolated from non-core business.

Gateway control platform

This is a very important link in the whole process and needs a good user experience. For example, onboarding to the gateway should be as simple and intelligent as possible: for a Dubbo interface, we can fetch the source from the Git repository, parse the corresponding classes and methods, and fill in the form automatically, reducing the user's work as far as possible. Interfaces typically move from test -> staging -> production, and filling in the form again each time is tedious, so this should be automated. And if the gateway is deployed in multiple availability zones or even different countries, interface data needs to be synchronized, otherwise every user has to repeat the setup in each console, which is very annoying.
My personal recommendation is to refer directly to the gateway services offered by Alibaba Cloud, AWS and others, which are very comprehensive.

Other

Other points to consider include interface mocking, document generation, SDK code generation, unified error codes, service governance and so on; they are not elaborated here.

Summary

Today's gateways are still centralized: every request has to pass through the gateway, so during a big promotion or a sudden traffic surge the gateway can become the performance bottleneck. When a gateway fronts a large number of interfaces, traffic assessment is not easy: before each big promotion we have to load-test the interfaces together with the business side, estimate approximate capacity and scale the gateway out. Since the gateway is the entry point for all traffic and handles every request, assessing its capacity accurately is complicated. The increasingly popular Service Mesh offers a decentralized alternative: the gateway logic sinks into a sidecar deployed on the same node as the application, which takes over the application's inbound and outbound traffic. During a big promotion only the relevant business needs load testing and targeted scaling. Upgrades are also smoother: with a centralized gateway, even with a canary release, all business traffic in theory flows through the new gateway version, so a problem affects every business, whereas in the decentralized approach you can upgrade non-core business first, observe for a while, and roll out fully once there is no problem. Service Mesh is also friendlier to multi-language support.


Source: www.cnblogs.com/bolang100/p/12510673.html