Talk Transcript | Building NGINX into a Powerful API Gateway (Part 1)

Original author: Yi Jiuping

Original link: Talk Transcript | Building NGINX into a Powerful API Gateway (Part 1)

The only official Chinese community of NGINX, all at nginx.org.cn

Hello everyone, I am very happy to join this NGINX deep-dive session. I will be talking about how to build NGINX into an API gateway. Today's talk has two parts: the first sorts out what an API gateway is, and the second focuses on why NGINX is well suited to being an API gateway.

1. What is an API gateway?

The picture above is from a survey report released by Gartner in 2022, which shows how API usage across enterprises changed from 2019 to 2022. Enterprise use of APIs has changed a great deal: whether the APIs are self-developed, public cloud APIs, or partner APIs, the number of enterprises using them has increased greatly. What surprised us most is that many companies expect to provide APIs they have developed themselves in the future, which shows that API development is becoming more and more important in the economic environment.

In other words, enterprise development is now inseparable from APIs. APIs are becoming more and more important because of the digital transformation of enterprises. It is precisely because of digital transformation that application architecture keeps changing, from monolithic architecture to microservice architecture and from microservice architecture to serverless architecture, with various public cloud platforms such as SaaS and PaaS emerging along the way.

As digital transformation continues to advance, the role and form of APIs keep changing as the technology evolves. In the early days, the main function of an API was to access information. In the microservice architecture, the function of APIs was more to accelerate innovation, make business iteration faster, and better match the pace of business development.

Now, APIs have been given a more important role - improving user experience, especially in the process of digital transformation. When more and more life trajectories are put online, user experience becomes very important, which also leads to the emergence of APIs. APIs are everywhere, whether it is public cloud, private cloud, or edge cloud, and APIs may exist in different environments, which also makes API management more difficult.

Whatever form a service takes, whether it is a microservice developed in any language or a monolithic application service, it may expose an API to the outside world, and an API gateway may sit in front of it to act as the API entry point. A client request travels over the Internet, passes through the API gateway, and is then forwarded to the business server that actually implements the API.

So what role does the API gateway play in this process? Its core responsibility is to serve as a unified entry point for APIs. With an API gateway, we can move the capabilities common to a given business domain into the gateway. The specific functional responsibilities of the API gateway are as follows:

  • Authentication: Verify that client access is allowed

  • Access authorization: Verify which resources the client can access

  • Traffic encryption and decryption: TLS offload, mTLS

  • Traffic control: Control the traffic passing through the gateway through rate limiting, bandwidth limiting, request validation, content rewriting, etc.

  • Traffic scheduling: Route requests to backend services based on matching request and client conditions, or by proportional (weighted) routing

  • Logging: Create logs to monitor and view API traffic

  • Metrics monitoring: Collect fine-grained metrics on API traffic to observe its running state in real time

To sum up, the core functions of API gateway mainly include the following aspects:

  • Authentication for API calls: Use Basic Auth, OAuth 2.0/OIDC, JSON Web Tokens (JWT), or your own authentication method for authentication;

  • Control resource access permissions: Use JWT, API Keys or other authorization methods to manage access permissions;

  • Route and manage API traffic: Support traffic routing and control policies such as content rewriting, rate limiting, and Layer 7 forwarding;

  • Secure backend services: encrypt traffic using TLS, manage CORS policies, allow specific request methods, or deploy WAAP;

  • Obtain the observability of API traffic: customize the log format and export monitoring indicators to Prometheus, Grafana, Splunk, Datadog, etc.;

  • Support common protocols: API gateway supports common protocols such as HTTP/2, gRPC, WebSocket, etc.

Beyond the core functional requirements, the API gateway also needs to meet non-core requirements, such as:

  • Flexible configuration: The gateway configuration is flexible and can quickly support key business scenarios;

  • Platform agnostic: deploy anywhere - in the cloud, on-premises or at the edge;

  • DevOps friendly: easily integrated into existing CI/CD pipelines;

  • Traffic Visibility: Access and export metrics and logs to observe and monitor API traffic.

Everyone has their own understanding of the API gateway. Depending on how applications are actually deployed, the API gateway is called a traffic gateway in some scenarios and a microservice gateway or business gateway in others. Today's talk approaches the question mainly from the perspective of application scenarios.

At present, most applications of API gateway may focus on the following categories: single application, microservice, microservice BFF, K8s cluster, K8s cluster KIC.

When choosing, in addition to the form of the application architecture, you also need to consider what kind of backend applications the API gateway (or so-called traffic gateway) has to proxy, and whether it needs to schedule traffic across business systems or across K8s clusters; the choice differs in each case. You also need to consider which team maintains the API gateway: the operations team or the application team?

API gateways carry different responsibilities at different levels. For example, traffic gateways are more responsible for global stability and traffic scheduling, while business gateways or microservice gateways focus on whether a particular business can better deliver its services externally. Of course, the two roles can also be combined. Today's talk is therefore about the functions an API gateway needs to implement; the specific deployment has to be decided based on the actual business.

2. Why NGINX is more suitable for API gateway

Let’s look at a set of data first. So far, NGINX has 400 million online deployment instances, ranking first among Web servers. According to the NGINX community survey, 97% of users deploy the NGINX open source version, but what everyone has overlooked is that 30% of users deploy NGINX as an API gateway.

NGINX is available as a free open source version and as a commercial closed source version, so from a functional perspective it offers control plane and management plane capabilities in addition to data plane capabilities. NGINX has many official modules and configuration directives, as well as many third-party open source modules. These directives apply in different contexts: they may be placed in the `http` context, inside a `server` block, or inside a `location` block.

With so many directives and contexts, combining them produces many usage scenarios. These mainly include the following: software load balancing, reverse proxy, API gateway, web server, caching, security, etc.
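As an added illustration (not configuration from the original talk), the following sketch combines open source NGINX directives across the `http`, `server` and `location` contexts to cover several of the gateway responsibilities listed earlier. The hostname, file paths, upstream addresses, the `apikey` header name and the key value are all assumed placeholders.

```nginx
# Added example: every hostname, path, address and key below is a constructed placeholder.
events {}

http {
    # Logging: JSON access log with the fields needed to audit API traffic.
    log_format api_json escape=json
        '{"time":"$time_iso8601","client":"$remote_addr",'
        '"request":"$request","status":"$status",'
        '"upstream":"$upstream_addr","rt":"$request_time"}';

    # Traffic control: 10 requests per second per client address.
    limit_req_zone $binary_remote_addr zone=per_client:10m rate=10r/s;

    # Authentication: map the presented API key to a client name ("" = unknown).
    map $http_apikey $api_client {
        default "";
        "EXAMPLE-KEY-REPLACE-ME" "client_one";   # placeholder, not a real key
    }

    upstream orders_backend { server 10.0.0.11:8080; server 10.0.0.12:8080; }

    server {
        # Traffic encryption: TLS terminates at the gateway.
        listen 443 ssl;
        server_name api.example.com;
        ssl_certificate     /etc/nginx/tls/api.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/api.example.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        access_log /var/log/nginx/api_access.log api_json;
        default_type application/json;

        # Traffic scheduling: route by URI prefix.
        location /api/orders/ {
            limit_except GET POST { deny all; }   # allow specific methods only
            limit_req zone=per_client burst=20 nodelay;
            limit_req_status 429;

            if ($api_client = "") { return 401 '{"error":"invalid or missing API key"}'; }

            # Overwrite any client-supplied value so the backend can trust this header.
            proxy_set_header X-Api-Client $api_client;
            proxy_pass http://orders_backend;
        }

        # Anything not explicitly routed is rejected.
        location / { return 404 '{"error":"not found"}'; }
    }
}
```

The configuration can be syntax-checked with `nginx -t` once the certificate paths point at real files.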

NGINX performs extremely well. According to test data from the third-party organization GigaOm, NGINX has great advantages over other products in latency and throughput. This is because the NGINX source code is very well structured and optimized, and its multi-process architecture is also very good. The NGINX team prefers to develop modules and features in native C.

As the traffic entry point, an API gateway has to pay close attention to stability and observability, and statistics on its traffic, whether client-facing or server-facing, are very important. Across successive versions, NGINX has come to provide more than 200 monitoring metrics, which can be exposed and collected in Prometheus format so that they can be displayed uniformly through Grafana.

In addition to the security functions above, NGINX also supports the WAAP security protection system, that is, the protection of Web applications and APIs. NGINX provides the NGINX App Protect (NAP) module, which can be deployed together with NGINX. Put simply, security protection capabilities can be layered on wherever NGINX is deployed.

NAP as a whole is built along the lines of WAAP. WAAP builds on the traditional WAF, adding Layer 7 DoS protection and bot protection, and also extending API security capabilities.



More NGINX-related technical information, interactive Q&A, series of courses, and event resources:

Open source community official website: https://www.nginx.org.cn/

WeChat public account: https://mp.weixin.qq.com/s/XVE5

Origin my.oschina.net/u/5246775/blog/10094011