API Gateway: Centralized API management on a hybrid cloud

Last Updated: Dec 15, 2023

This topic describes how to use Cloud Enterprise Network (CEN) to build a centralized API management solution across regions. You can also refer to steps in this topic to build a centralized API management solution between virtual private clouds (VPCs) and between VPCs and on-premises data centers by using CEN and Express Connect. This way, you can publish APIs of various services for users to call in API Gateway.

Overview

By default, an API Gateway instance can communicate with only VPCs in the same region as itself. This topic uses a dedicated instance created in the China (Hangzhou) region as an example to describe how to manage APIs in three different scenarios.

API Gateway is an API hosting service. You must create a VPC in the region where your API Gateway instance resides to communicate with another region or with an on-premises data center. In this topic, VPC-1 is created in the China (Hangzhou) region to communicate with a VPC in the China (Beijing) region and with an on-premises data center.

Note

The architectures in this topic are used only to illustrate how to call APIs across VPCs. In similar cases, you must configure a VPC, such as VPC-1 in this example, in the region where your API Gateway instance resides. This VPC is used to communicate with other environments, such as VPCs in other regions or on-premises data centers.

The following scenarios are used as examples in this topic:

Scenario 1: Call APIs in another region over a VPC on Alibaba Cloud

Scenario 2: Call APIs in Alibaba Cloud from an on-premises data center

Scenario 3: Access a backend service deployed in an on-premises data center from an Elastic Compute Service (ECS) instance deployed on Alibaba Cloud

Scenario 1: Call APIs in another region over a VPC on Alibaba Cloud

In this scenario, the client is deployed on ECS instance ecs-3 in VPC-3 of the China (Beijing) region. The API Gateway instance is a dedicated instance in the China (Hangzhou) region. The backend service is a Function Compute function in the China (Hangzhou) region. The following diagram shows the architecture.

The configuration process is as follows:

  • Create an API.

  • Create a CEN instance and connect VPC-3 in the China (Beijing) region to VPC-1 in the China (Hangzhou) region.

  • Grant VPC-1 access to the API Gateway instance. This way, the ECS instance in VPC-3 can call APIs over VPC-1.

Step 1: Create an API

Create an API that uses Function Compute as the backend service. For more information, see Create an API with Function Compute as the backend service.

Step 2: Create a CEN instance

Log on to the Cloud Enterprise Network console and create a CEN instance.

Step 3: Attach VPC instances

Attach VPC-1 and VPC-3 to the CEN instance. The following figure shows the basic information of the CEN instance after the VPCs are attached.

(Figure: Attach VPC instances)

Step 4: Configure a bandwidth plan for cross-region communication

Purchase a bandwidth plan for communication within the CEN instance. In this example, a 2 Mbit/s bandwidth plan is purchased. You can purchase a bandwidth plan based on your business requirements.

Configure the bandwidth for the regions of the CEN instance. You can allocate the bandwidth of the bandwidth plan you purchased to multiple pairs of connected regions.

Step 5: Grant VPC-1 access to the API Gateway instance

On the Instances page of the API Gateway console, find the dedicated instance you created and click Bind to VPC in the row of VPC for Access to Dedicated Instance. Select the ID of VPC-1 in the China (Hangzhou) region.

In the left-side navigation pane, choose Open API > API Groups and click the API group that you want to manage. On the Group Details page, click Enable VPC Second-level Domain. In the Enable VPC Second-level Domain message, click OK. After you complete these operations, resources in VPC-3 can call APIs of this API group.

Scenario 2: Call APIs in Alibaba Cloud from an on-premises data center

In this scenario, the client is located in an on-premises data center in Hangzhou. The API Gateway instance is a dedicated instance in the China (Hangzhou) region. The backend service is a Function Compute function in the China (Hangzhou) region. All access requests are sent over a VPC. The following diagram shows the architecture.

The configuration process is as follows:

  • Create an API.

  • Connect the on-premises data center to VPC-1.

  • Grant VPC-1 access to the API Gateway instance. This way, the client located in the on-premises data center can call APIs over VPC-1.

Step 1: Create an API

Create an API that uses Function Compute as the backend service. For more information, see Create an API with Function Compute as the backend service.

Step 2: Connect the on-premises data center to VPC-1

Connect the on-premises data center to VPC-1 by using an Express Connect circuit. For more information, see Connect a data center to ECS by using an Express Connect circuit.

Step 3: Grant VPC-1 access to the API Gateway instance

Refer to Step 5 in Scenario 1. You must select the ID of VPC-1 in the China (Hangzhou) region. After you complete these operations, the client in the on-premises data center can access, over VPC-1, the VPC domain of the API group to which the API you created belongs.

Scenario 3: Access a backend service deployed in an on-premises data center from an ECS instance deployed on Alibaba Cloud

In this scenario, the client is deployed on an ECS instance in the China (Hangzhou) region. The API Gateway instance is a dedicated instance in the China (Hangzhou) region. The backend service is deployed in an on-premises data center in Hangzhou. All access requests are sent over a VPC. The following diagram shows the architecture.

The configuration process is as follows:

  • Connect the on-premises data center to VPC-1.

  • Grant the API Gateway instance access to VPC-1. This way, the API Gateway instance can access the backend service in the on-premises data center over VPC-1.

  • Create an API.

Step 1: Connect the on-premises data center to Alibaba Cloud over a VPC

Connect the on-premises data center to VPC-1 by using an Express Connect circuit. For more information, see Connect a data center to ECS by using an Express Connect circuit.

Step 2: Configure routes to access cloud services

  • Log on to the API Gateway console and click Instances in the left-side navigation pane. On the Instances page, find your instance and record its egress IP address.

  • Configure access routes to cloud services in the CEN console. For more information, see Access to cloud services.

Step 3: Create a VPC access authorization

Before creating an API, you must create an authorization for access from API Gateway to VPC-1. Log on to the API Gateway console. In the left-side navigation pane, choose Open API > VPCs. In the upper-right corner, click Create Authorization and configure the following parameters:

- VPC Access Name: Enter a custom name for the authorization.

- VPC Id: Enter the ID of VPC-1.

- Instance ID or IP Address: Enter the internal IP address of the data center.

- Port Number: Enter the service port number.
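
An added example, not part of the original documentation: a pre-flight review of planned VPC access authorizations, run before they are entered in the console, that checks each one points only at the intended data-center backend. The dictionary key names, the VPC ID placeholders, the data-center CIDR and the allowed port set are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the page).
VPC1_ID = "vpc-EXAMPLE1"                               # placeholder for the ID of VPC-1
ONPREM_CIDR = ipaddress.ip_network("192.168.10.0/24")  # data-center range behind Express Connect
ALLOWED_PORTS = {443, 8443}                            # ports the backend service should expose

# Each entry mirrors the four console parameters; the key names are hypothetical.
PLAN = [
    {"name": "dc-orders", "vpc_id": "vpc-EXAMPLE1", "target": "192.168.10.25", "port": 8443},
    {"name": "dc-wide",   "vpc_id": "vpc-EXAMPLE1", "target": "10.0.0.5",      "port": 22},
    {"name": "dc-public", "vpc_id": "vpc-EXAMPLE2", "target": "203.0.113.7",   "port": 443},
]

def review_authorization(auth, vpc_id=VPC1_ID, cidr=ONPREM_CIDR, ports=ALLOWED_PORTS):
    """Return the findings for one planned authorization; an empty list means it passes."""
    findings = []
    if auth.get("vpc_id") != vpc_id:
        findings.append("VPC Id is not the VPC used for data-center access (VPC-1)")
    target = auth.get("target", "")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # In this scenario the backend is on-premises, so an IP address is expected.
        findings.append(f"target {target!r} is not an IP address")
    else:
        if ip not in cidr:
            findings.append(f"{ip} is outside the data-center range {cidr}")
    port = auth.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(f"port {port!r} is not a valid TCP port")
    elif port not in ports:
        findings.append(f"port {port} is not an expected service port")
    return findings

def review_plan(plan, **kw):
    """Map authorization name -> findings, for the entries that fail review."""
    report, seen = {}, {}
    for auth in plan:
        findings = review_authorization(auth, **kw)
        key = (auth.get("target"), auth.get("port"))
        if key in seen:  # the same backend authorized twice under another name
            findings.append(f"duplicates authorization {seen[key]!r}")
        seen.setdefault(key, auth.get("name"))
        if findings:
            report[auth.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in review_plan(PLAN).items():
        print(name, findings)
```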

Step 4: Create an API

For more information, see Create an API operation with a resource in a VPC as the backend service.

Limits

  • This topic applies to dedicated instances only.