This topic introduces how to use Cloud Enterprise Network (CEN) to build a centralized API management system across regions. You can also refer to steps in this topic to build a centralized API management system between VPCs and between VPCs and on-premises data centers by using CEN. This allows you to publish APIs across various networks to API Gateway, so users can call these APIs.

1. Overview

By default, an API Gateway instance can only communicate with VPCs in the same region. This topic uses the architecture shown in the following figure to illustrate how to manage APIs across regions.

In this example, a dedicated API Gateway instance is created in the China (Shanghai) region. It manages API requests in four VPCs. The ecs-2, ecs-3, and ecs-4 instances serve as the backend services of the API Gateway instance. The ecs-1, ecs-3, and ecs-4 instances need to call APIs. This example verifies three paths to call APIs: path A (black), path B (red), and path C (blue).

You must create a VPC (vpc-api-access in this example) for the API Gateway instance in the China (Shanghai) region to connect to the VPCs in the China (Zhangjiakou-Beijing Winter Olympics) region. The following figure shows the connections.

Note The architecture in the example is used to illustrate how to enable API calling across VPCs. In similar scenarios, you need to configure a VPC (vpc-api-access in this example) for the API Gateway instance. This VPC is only used to connect with other environments, such as VPCs in other regions or on-premises data centers.

The procedure is as follows:

  1. Configure a CEN instance to connect the VPC of the API Gateway instance with other VPCs.
  2. Add permissions for the API Gateway instance to access the VPCs of the backend services.
  3. Configure and publish APIs.
  4. Add permissions for the VPCs to access the API Gateway instance, so the ECS instances can call APIs from API Gateway over the internal network.

2. Preparations

Create the VPCs, ECS instances, and API Gateway instance based on the preceding architecture.

Description:

  • The ecs-2, ecs-3, and ecs-4 instances serve as the backend services. They provide APIs over HTTP.
  • A dedicated API Gateway instance is created in the China (Shanghai) region.
  • Security groups are configured for the ECS instances. The security groups of ecs-2, ecs-3, and ecs-4 allow access to the service port. In this example, the HTTP service address provided by the ECS instances is http://localhost:8080/web/cloudapi. Therefore, you must configure inbound rules in the security groups that allow only the VPC egress address of the API Gateway instance to access port 8080. You can obtain the VPC egress address on the Instances page in the API Gateway console. The following figure shows the security group configuration.
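The inbound rules above are the only thing standing between the backend port and every other host that can reach the VPC, so it is worth checking that the rule set admits the gateway's egress range and nothing wider. The following added example (not code from the page or from the Alibaba Cloud SDK) audits a constructed list of inbound rules against the 100.104.255.128/26 egress CIDR quoted on this page and port 8080; the rule dictionaries and the helper names are assumptions for illustration.

```python
import ipaddress

# The VPC egress CIDR of the dedicated API Gateway instance, as quoted on the page.
GATEWAY_EGRESS = ipaddress.ip_network("100.104.255.128/26")
SERVICE_PORT = 8080

# Constructed sample rules (not real security-group output) covering each outcome:
# an exact match for the gateway range, an unrelated SSH rule, and a rule that
# opens the service port to the whole Internet.
SAMPLE_RULES = [
    {"source": "100.104.255.128/26", "protocol": "tcp", "port_from": 8080, "port_to": 8080},
    {"source": "0.0.0.0/0", "protocol": "tcp", "port_from": 22, "port_to": 22},
    {"source": "0.0.0.0/0", "protocol": "tcp", "port_from": 8080, "port_to": 8080},
]


def rule_covers_port(rule, port):
    """True if the rule's protocol and port range include the service port."""
    return rule["protocol"] in ("tcp", "all") and rule["port_from"] <= port <= rule["port_to"]


def audit_inbound_rules(rules, gateway_cidr=GATEWAY_EGRESS, port=SERVICE_PORT):
    """Classify inbound rules relative to the gateway egress range and service port.

    Returns a dict with:
      gateway_allowed: True if at least one rule lets the whole gateway range reach the port
      over_broad:      rules that open the service port to a range wider than the gateway CIDR
      partial:         rules that overlap the gateway range but do not contain all of it
      other_ports:     rules that do not touch the service port (listed, not judged)
    """
    result = {"gateway_allowed": False, "over_broad": [], "partial": [], "other_ports": []}
    for rule in rules:
        if not rule_covers_port(rule, port):
            result["other_ports"].append(rule)
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        if gateway_cidr.subnet_of(source):
            result["gateway_allowed"] = True
            # A shorter prefix than the gateway CIDR admits more than the gateway.
            if source.prefixlen < gateway_cidr.prefixlen:
                result["over_broad"].append(rule)
        elif source.overlaps(gateway_cidr):
            # Only part of the gateway range is admitted; calls from the rest would fail.
            result["partial"].append(rule)
        # A source that does not overlap the gateway range is irrelevant to this check.
    return result


if __name__ == "__main__":
    findings = audit_inbound_rules(SAMPLE_RULES)
    print("gateway reachable on port", SERVICE_PORT, ":", findings["gateway_allowed"])
    for rule in findings["over_broad"]:
        print("over-broad rule:", rule)
    for rule in findings["partial"]:
        print("partial coverage:", rule)
```

The expected outcome for the constructed rules is that the gateway is admitted, the 0.0.0.0/0 rule on port 8080 is reported as over-broad, and the SSH rule is listed under other ports. Replace SAMPLE_RULES with the inbound rules exported from your own security group to apply the same check.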

3. Configure the CEN instance

Create a CEN instance to connect vpc-api-access in the China (Shanghai) region with the VPCs in the China (Zhangjiakou-Beijing Winter Olympics) region, so the VPCs can communicate over the internal network. For more information about CEN configuration, see Cloud Enterprise Network.

Step 1. Create a CEN instance.

Log on to the CEN console and create a CEN instance.

Attach vpc-api-access, vpc-backend-2, and vpc-backend-3 to the CEN instance.

Step 2. Configure the bandwidth.

Purchase a bandwidth plan used for communication within the CEN instance. In this example, a bandwidth plan of 2 Mbit/s is purchased. You can purchase the bandwidth plan based on your business requirements.

On the Region Connections tab, configure the bandwidth for the regions in the CEN instance. You can configure the bandwidth size for each pair of connected regions based on the bandwidth plan.

Step 3. Configure cross-VPC routes.

Submit a ticket to CEN technical support to configure the routes. Provide the configuration parameters required by the ResolveAndRouteServiceInCen API. These routes enable communication between the API Gateway instance and the VPCs in the China (Zhangjiakou-Beijing Winter Olympics) region over the internal network.

AccessRegionIds.1=cn-zhangjiakou
AccessRegionIds.2=cn-shanghai
CenId=cen-uggzcthgz7cwsl7prr              # The ID of the CEN instance.
Host=100.104.255.128/26                   # The VPC egress address of the dedicated API Gateway instance.
HostRegionId=cn-shanghai
HostVpcId=vpc-uf65amr4k3aepd0u4gnxa       # The ID of vpc-api-access. The API Gateway instance is associated with this VPC in the China (Shanghai) region.

To obtain the VPC egress address of the dedicated API Gateway instance, go to the Instances page in the API Gateway console.
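Because the ticket is processed by hand from these values, a parameter set that is internally inconsistent (a Host CIDR with host bits set, or a HostRegionId that is not one of the access regions) produces routes that do not match the gateway. The following added example (not code from the page or from the CEN API) parses the parameter listing above and checks those properties before the ticket is submitted; the parser and check function are assumptions for illustration, and the parameter values are the ones quoted on this page.

```python
import ipaddress

# The parameter listing from the page, in the same key=value form, with the
# explanatory comments kept so the parser has to strip them.
PAGE_PARAMETERS = """
AccessRegionIds.1=cn-zhangjiakou
AccessRegionIds.2=cn-shanghai
CenId=cen-uggzcthgz7cwsl7prr      # The ID of the CEN instance.
Host=100.104.255.128/26           # The VPC egress address of the dedicated API Gateway instance.
HostRegionId=cn-shanghai
HostVpcId=vpc-uf65amr4k3aepd0u4gnxa
"""


def parse_parameters(text):
    """Turn 'Key=Value   # comment' lines into a dict, ignoring blank lines and comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_route_parameters(params):
    """Return a list of problems; an empty list means the set is consistent.

    Checks performed:
      - at least one AccessRegionIds.N entry is present
      - HostRegionId is one of the listed access regions
      - Host is a network CIDR with all host bits zero (strict parsing)
      - CenId and HostVpcId carry the expected resource-ID prefixes
    """
    problems = []
    regions = [v for k, v in params.items() if k.startswith("AccessRegionIds.")]
    if not regions:
        problems.append("no AccessRegionIds.N entries")
    host_region = params.get("HostRegionId")
    if host_region not in regions:
        problems.append(f"HostRegionId {host_region!r} is not listed in AccessRegionIds")
    host = params.get("Host", "")
    try:
        # strict=True (the default) rejects e.g. 100.104.255.130/26, where host bits are set.
        ipaddress.ip_network(host)
    except ValueError:
        problems.append(f"Host {host!r} is not a valid network CIDR")
    if not params.get("CenId", "").startswith("cen-"):
        problems.append("CenId should start with 'cen-'")
    if not params.get("HostVpcId", "").startswith("vpc-"):
        problems.append("HostVpcId should start with 'vpc-'")
    return problems


if __name__ == "__main__":
    for problem in check_route_parameters(parse_parameters(PAGE_PARAMETERS)) or ["parameters look consistent"]:
        print(problem)
```

For the values on this page the check reports no problems; changing Host to an address inside the /26 rather than its network address, or HostRegionId to a region that is not in AccessRegionIds, each produces one finding.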

After your ticket is processed, you can view the routes configured for the China (Shanghai) and China (Zhangjiakou-Beijing Winter Olympics) regions in the CEN console. The custom routes are added based on the configuration parameters that you provided.

4. Configure permissions for the API Gateway instance to access the VPCs

Step 4. Configure VPC access permissions.

In this example, the ecs-2, ecs-3, and ecs-4 instances are the backend services. You must allow the API Gateway instance to access vpc-backend-1, vpc-backend-2, and vpc-backend-3 before you configure the APIs. Add VPC access permissions in the API Gateway console.

For the VPCs in the China (Zhangjiakou-Beijing Winter Olympics) region, set VPC Id to the ID of vpc-api-access, Instance Id Or IP to the private IP address of ecs-3 or ecs-4, and Instance Port to the service port.

5. Configure APIs.

Step 5. Create an API group.

When you create the API group, select the dedicated API Gateway instance you created.

Step 6. Create and publish the APIs.

Create three APIs in the API group. Configure the VPC of ecs-2, ecs-3, or ecs-4 for each API so that these ECS instances function as the backend services of the APIs. Security Certification is set to No Certification in this example to facilitate API calls by using the curl command.

Save and publish the APIs.

In this example, three APIs are published to the Release environment:

  • /test/api/backend1 on ecs-2
  • /test/api/backend2 on ecs-3
  • /test/api/backend3 on ecs-4

6. Configure access permissions for the VPCs to access the API Gateway instance over the internal network

By default, the VPCs cannot access the dedicated API Gateway instance. You must manually configure the access permissions.

Step 7. Bind the vpc-api-access to the API Gateway instance.

On the Instances page, click Bind to the user's VPC. Then, select the ID of vpc-api-access. After this operation, the other VPCs can access the dedicated API Gateway instance by using vpc-api-access over the internal network.

Step 8. Enable the intranet subdomain for the API group.

On the Group Details page, click Enable VPC Intranet Subdomain. A VPC subdomain is assigned for the API group. The APIs in the group can be called by using this subdomain over the internal network.

By default, an Internet subdomain is assigned to the API group. The APIs in the group can be called by using this subdomain over the Internet. If you disable the Internet subdomain, you cannot use the online debugging function in the API Gateway console.

7. Test connections over the internal network

  • Verify the connection on path A (black).

Run the curl command on ecs-1 to call the API on ecs-3.

  • Verify the connection on path B (red).

Run the curl command on ecs-4 to call the API on ecs-2.

  • Verify the connection on path C (blue).

Run the curl command on ecs-3 to call the API on ecs-4.

8. Limits

  • You can only use a dedicated API Gateway instance in the canary release.