1. API Gateway instance types
An API Gateway instance is a group of resources used to access and process your APIs. The resources include public IP addresses, internal IP addresses, outbound public IP addresses, SLB instances, servers, and storage resources. API groups can only run on valid instances. API Gateway provides the following instance types: shared instance (classic network), shared instance (VPC), and dedicated instance (VPC).
1.1. Instance type description
-
Shared instance (classic network): If you select a shared instance, you are billed based on the number of API calls and traffic generated on the Internet. However, resources such as the server resource pool, IP addresses, and bandwidth are shared by a group of users in a region. By default, a maximum of 500 requests per second (RPS) is allowed for API groups under a shared instance. If you want to increase the RPS value, you can directly purchase dedicated instances. Shared instances (classic network) are provided in the earliest version of API Gateway. This instance type supports access over the Internet or VPC. It also supports backend service addresses in a VPC, the Internet, or the classic network. This instance type does not support the newly released plug-in system.
-
Shared instance (VPC): The billing methods and RPS management rules are the same for both shared instances of the VPC and classic network types. Instances of the VPC type are newly introduced for technical reconstruction. Such instances support the entire plug-in system, covering JSON Web Token (JWT) authentication, throttling, IP access control, backend signature, cross-origin resource sharing (CORS), caching, and routing. They also support access over the Internet or a VPC and backend service addresses in a VPC and on the Internet. However, they do not support backend service addresses of the classic network. Instances of the VPC and classic network types have differences in technical implementation.
-
Dedicated instance (VPC): The technical specifications of dedicated instances (VPC) and shared instances (VPC) are the same. To obtain a higher SLA guarantee, you can purchase a higher RPS to obtain dedicated resources. The resources include inbound public IP addresses, IP addresses of VPCs, outbound Internet bandwidth, and isolated server clusters. For more information about the specifications and pricing of dedicated instances, seePricing of dedicated instances
1.2. Technical specifications and limits
Item | Shared instance (classic network) | Shared instance (VPC) | Dedicated instance (VPC) |
---|---|---|---|
Scenarios and suggestions | Shared instances (classic network) are provided in the earliest version of API Gateway and have feature limits. We do not recommend that you use this instance type unless you configure a backend service address of the classic network for API Gateway. | R&D and test environments. | Production environments. |
Activation fee | No fee. | No fee. | Instance type fee. |
SLA | 99.9% | 99.9% | 99.95% ~ 99.99% |
Billing method | Number of API calls + Internet traffic fee. | Number of API calls + Internet traffic fee. | Instance type fee + Internet traffic fee. |
Inbound public IP address | Multi-tenant sharing. | Multi-tenant sharing. | Exclusive. |
Inbound IP address in a VPC | Multi-tenant sharing. | Multi-tenant sharing. | Exclusive (only accessible from the specified VPC). |
Outbound Internet bandwidth | Outbound IP address and bandwidth shared by multiple tenants. | Outbound IP address and bandwidth shared by multiple tenants. | Exclusive outbound IP address and bandwidth. |
Management of hybrid cloud APIs | Not supported. | Not supported. | Supported. For more information, seeCentralized management of hybrid cloud APIs. |
Request body length | 8M Bytes | 8M Bytes | 32M Bytes |
Circuit breaker plug-in | Not supported. | It is configured by default and cannot be customized. | It can be customized. |
Caching | Not supported. | 30 MB per user. | Based on the instance type. |
Dashboard | Not supported. | Not supported. | *Supported. |
Custom log content | Not supported. | Not supported. | *Supported. |
Note: * indicates that the feature has been published recently.
2. Technical differences between shared and dedicated instances
The following table lists important technical differences between shared and dedicated instances. If you have any questions, submit a ticket.
Item | Shared instance (classic network) | Shared instance (VPC) and dedicated instance (VPC) |
---|---|---|
Plug-in system | Not supported. | Supported. |
Backend service address | The backend service address of the classic network is supported. | The backend service address of the classic network is not supported. The backend service address in a VPC and public address are supported. |
Function Compute | It accesses API Gateway over the internal network in the same region. | It accesses API Gateway over the internal network in the same region. If Function Compute is deployed in the China (Beijing), China (Hangzhou), China (Shenzhen), or China (Shanghai) region, you must switch Function Compute to a VPC. |
HTTPS TLS version | TLS1.0 | TLS 1.0, TLS 1.1, or TLS 1.2 |
CORS | All domain names and headers are allowed by default. | You can customize the configuration by using the CORS plug-in. |
Cross-domain flash | The crossdomain.xml file is preconfigured. | Not supported. You can set the backend service type to Mock to achieve cross-domain flash. |
3. Instances supported in each region
RegionId | Region name | Shared instance (classic network) | Shared instance (VPC) and dedicated instance (VPC) |
---|---|---|---|
cn-qingdao | China (Qingdao) | Supported | Supported |
cn-beijing | China (Beijing) | Supported | Supported |
cn-zhangjiakou | China (Zhangjiakou-Beijing Winter Olympics) | N/A | Supported |
cn-huhehaote | China (Hohhot) | N/A | Supported |
cn-hangzhou | China (Hangzhou) | Supported | Supported |
cn-shanghai | China (Shanghai) | Supported | Supported |
cn-shenzhen | China (Shenzhen) | Supported | Supported |
cn-heyuan | China (Heyuan) | N/A | Supported |
cn-hongkong | China (Hong Kong) | Supported | Supported |
ap-northeast-1 | Japan (Tokyo) | N/A* | Supported |
ap-southeast-1 | Singapore | Supported | Supported |
ap-southeast-2 | Australia (Sydney) | N/A | Supported |
ap-southeast-3 | Malaysia (Kuala Lumpur) | N/A | Supported |
ap-southeast-5 | Indonesia (Jakarta) | N/A* | Supported |
ap-south-1 | India (Mumbai) | N/A | Supported |
us-east-1 | US (Virginia) | N/A | Supported |
us-west-1 | US (Silicon Valley) | N/A | Supported |
eu-west-1 | UK (London) | N/A | Supported |
me-east-1 | UAE (Dubai) | N/A | Supported |
eu-central-1 | Germany (Frankfurt) | Supported | Supported |
Instances of the classic network type in the Japan (Tokyo) and Indonesia (Jakarta) regions are no longer supported.
4. Migrate an API group between instances
You can migrate an API group between instances in the API Gateway console. It takes
about 1 to 10 minutes for the migration to take effect on the API group based on the
cache expiration time of DNS servers. The following sections describe the migration
procedure and precautions when you migrate an API group between instances.
4.1. Migrate an API group to a shared instance (VPC)
You can migrate API groups between instances. To migrate an API group, follow these
steps: Log on to the API Gateway console. In the left-side navigation pane, choose
Publish APIs > API Groups. On the Group List page, click the target API group. On
the Group Details page, click Modify API Group's Instance
and migrate the API group. The migration takes effect immediately on the DNS servers
of the second-level domain names of API Gateway. If you want to migrate an API group
for which you have changed the value of RPS, submit a ticket. Instances of the VPC
and classic network types have differences in technical implementation. We recommend
that you understand all the following technical details before you migrate API groups.
- API Gateway of a VPC does not support backend service addresses of the classic network. If your backend service address belongs to the classic network, API operations cannot be called after you migrate an API group. Change the backend configuration by using VPC access authorization before you migrate an API group.
- If the outbound IP address of API Gateway changes, go to the Instances page to check the outbound IP address. Make sure that the outbound IP address of API Gateway is included in the list of IP addresses that are allowed to access the backend service.
- API Gateway of a VPC does not provide a preconfigured
crossdomain.xml
file. If you want to use the file, configure an API in mock mode. - The throttling, IP access control, and backend signature policies that have been configured are still valid. After the plug-ins of throttling, IP access control, and backend signature policies are used, these configured policies will become invalid.
- The APIs for which you have configured the OpenID Connect access policy are still valid. After the JWTAuth plug-in is used, the related configuration on APIs will become invalid.
- If you use Function Compute as a backend service that is deployed in the China (Beijing), China (Shanghai), China (Hangzhou), or China (Shenzhen) region and you have not migrated Function Compute to a VPC, API Gateway will temporarily access your Function Compute over the Internet.
4.2. Migrate an API group to a dedicated instance (VPC)
You can purchase a dedicated instance to obtain a higher RPS and SLA. To migrate an
API group to a dedicated instance (VPC), follow these steps: Log on to the API Gateway
console. In the left-side navigation pane, choose Publish APIs > API Groups. On the
Group List page, click the target API group. On the Group Details page, click Modify API Group's Instance
and migrate the API group. The migration takes effect immediately on the DNS servers
of the second-level domain names of API Gateway. After you migrate the API group to
a dedicated instance, the maximum RPS and HTTPS security policies of the API group
will be replaced with those of the target instance. If you want to migrate an API
group from a shared instance (classic network) to a dedicated instance (VPC), understand
the following technical details before the migration. We recommend that you conduct
a test before the migration.
- API Gateway of the VPC type does not support backend service addresses of the classic network. If your backend service address belongs to the classic network, API operations cannot be called after you migrate an API group. Change the backend configuration by using VPC access authorization before you migrate an API group.
- If the outbound IP address of API Gateway changes, go to the Instances page to check the outbound IP address. Make sure that the outbound IP address of API Gateway is included in the list of IP addresses that are allowed to access the backend service.
- API Gateway of the VPC type does not provide a preconfigured
crossdomain.xml
file. If you want to use the file, configure an API in mock mode. - The throttling, IP access control, and backend signature policies that have been configured are still valid. After the plug-ins of throttling, IP access control, and backend signature policies are used, these configured policies will become invalid.
- The APIs for which you have configured the OpenID Connect access policy are still valid. After the JWTAuth plug-in is used, the related configuration on APIs will become invalid.
- If you use Function Compute as a backend service that is deployed in the China (Beijing), China (Shanghai), China (Hangzhou), or China (Shenzhen) region and you have not migrated Function Compute to a VPC, API Gateway will temporarily access your Function Compute over the Internet.
4.3. Migrate an API group back to a shared instance (classic network)
You can migrate an API group back to a shared instance (classic network). To migrate
an API group, follow these steps: Log on to the API Gateway console. In the left-side
navigation pane, choose Publish APIs > API Groups. On the Group List page, click the
target API group. On the Group Details page, click Modify API Group's Instance
and migrate the API group. Understand the following technical details before you
migrate an API group.
- For instances of the VPC type, the backend service can use the TLS 1.2 protocol. For instances of the classic network type, the backend service can only use the TLS 1.0 protocol.
- All plug-in configurations become invalid. The throttling, IP access control, and backend signature policies for instances of the classic network type must be reconfigured.
- If the outbound IP address of API Gateway changes, go to the Instances page to check the outbound IP address. Make sure that the outbound IP address of API Gateway is included in the list of IP addresses that are allowed to access the backend service.
- Some new features may not be supported. Pay attention to the prompt displayed in the API Gateway console.