API Gateway: Create an API with a resource in a VPC as the backend service

Last Updated: Mar 05, 2024

This topic describes how to create and publish an API with a resource in a VPC as the backend service in API Gateway, and how to call the API by using an application and an AppCode. The AppCode is automatically generated for the application when you set the authentication method of the API to Alibaba Cloud App.

Overview

You must perform the following steps in sequence:

  • Authorize API Gateway to access the VPC

  • Create an API group

  • Create and define an API

  • Create an application and grant the application the permissions to call the API

  • Allow the egress IP addresses of API Gateway in a security group

  • Debug the API

  • Call the API

1. Create instances in a VPC

Purchase and create Server Load Balancer (SLB) and Elastic Compute Service (ECS) instances in a VPC.

In this example, an ECS instance in a VPC is used as the backend service of an API. A web service that uses Nginx is deployed on the ECS instance, and the web service uses port 80 for communication.

2. Authorize API Gateway to access the VPC

Step 1: Create a VPC access authorization.

To allow API Gateway to access a VPC, you must create a VPC access authorization.

In the left-side navigation pane of the API Gateway console, choose Manage APIs > VPCs. On the VPC Access Authorizations page, select the region where your VPC resides and click Create Authorization. In the Create VPC Access dialog box, specify VPC Access Name, VPC Id, Instance ID or IP Address, and Port Number. If you need to specify a domain name to access a vhost on an SLB instance or ECS instance, you can specify the domain name as Host.

Figure: Create a VPC access authorization

In VPC Id, enter the ID of the VPC where your backend service resides. In Instance ID or IP Address, enter the ID or private IP address of the instance where your backend service resides. You can obtain the information in the ECS instance details.

Important
  • For Application Load Balancer (ALB) instances, the network type must be VPC, and you cannot change the network type to Internet after you create the authorization. Otherwise, requests may fail to be sent to API Gateway, and you are responsible for the consequences.

3. Create an API group

APIs are managed in API groups. You must create an API group before you create an API.

Step 2: Create an API group.

In the left-side navigation pane, choose Manage APIs > API Groups. On the API Groups page, select a region and click Create Group in the upper-right corner. In the dialog box that appears, select an instance, specify a name for the group, and then click Confirm.

Step 3: View details of the API group.

After you create the API group, the API group appears on the API Groups page. You can click the group name to go to the Group Details page. On this page, you can bind a domain name, modify basic information, and change the instance type.

API Gateway automatically assigns a public second-level domain name for the API group. This domain name is used only for debugging and has a limit of 100 calls per day for regions outside the Chinese mainland and 1,000 calls per day for regions in the Chinese mainland. We recommend that you bind an independent domain name after you create an API group.

4. Create an API

In the left-side navigation pane, choose Manage APIs > APIs, select the region where the created API group resides, and then click Create API.

Step 4: Configure basic information for the API.

In this step, configure basic information for the API that you want to create, including the API group to which the API belongs and the name, authentication method, type, and description of the API. Select the group that you created from the Group drop-down list, set the Security Authentication parameter to Alibaba Cloud App and the AppCode Authentication parameter to Enable AppCode Authentication (Header & Query), configure other parameters based on your business requirements, and then click Next.

Figure: Define the API

Step 5: Configure request information for the API.

In this step, define how a client, such as a web browser, a mobile app, or a business system, requests the API. The parameters that you need to configure in this step include Protocol, Request Path, HTTP Method, Request Mode, and the parameters in the Request Parameters section. Then, click Next. In this example, Request Mode is set to Pass-through, which indicates that API Gateway directly passes API requests to the backend service in the VPC without processing them.

Step 6: Configure backend service information for the API.

In this step, configure the type and URL of the backend service to which API Gateway sends the requests received from a client and how request parameters are mapped and processed. In this example, VPC is specified for Backend Service Type, the VPC access authorization you created in the "Authorize API Gateway to access the VPC" section is specified for VPC Access Name, and a path is specified for Backend Request Path. Then, click Next.

Step 7: Configure response information for the API.

In this step, specify the response information to generate API documentation. The documentation helps API callers better understand the API. You can set parameters such as Response ContentType, Response Example, and Error Response Example. This example does not include this step. Click Create.

Step 8: Publish the API.

After you click Create, a message appears to inform you that the API is created. In this example, click Publish in the message. In the dialog box that appears, publish the API to the production environment as prompted.

Note

If you modify an API, the modification takes effect only after you publish the API to the corresponding environment. API Gateway provides three environments to which you can publish an API: Release, Pre, and Test.

5. Create and authorize an application

An application is an identity that you use to call an API. In step 4, the authentication type is set to Alibaba Cloud App. Therefore, after you publish the API, you must create and authorize an application to call the API.

Step 9: Create an application.

In the left-side navigation pane, choose Call APIs > Apps. On the Apps page, click Create App. In the Create App dialog box, enter an application name and click Confirm. In the application list, click the name of the created application. Two authentication modes are provided for the security authentication method Alibaba Cloud App: an AppKey and AppSecret pair and an AppCode. In this example, an AppCode is used. For more information, see Call an API in simple authentication mode.

Figure: Create an application

Step 10: Authorize the application to call the API.

Find the created API and click Authorize in the Actions column. A dialog box appears, as shown in the following figure. Set the Environment parameter to the environment to which you have published the API. In this example, this parameter is set to Release. Enter the name of the application you created in the search bar of the Choose Apps for Authorization section. In the search result, select the created application, click Add in the Actions column, and then click Confirm. A message appears to inform you that the application is authorized to call the API operation.

Figure: Authorize the application

6. Allow egress IP addresses of API Gateway in a security group

If the security group of your ECS instance does not allow all CIDR blocks over a specified port, you must add the egress IP addresses of API Gateway to the security group to allow these IP addresses. The egress IP addresses of API Gateway refer to the egress IP addresses of the API Gateway instance on which the API group resides.

  1. Log on to the API Gateway console. In the left-side navigation pane, choose Manage APIs > API Groups. On the API Groups page, click the name of the API group to which the API belongs. Then, view the API Gateway instance to which the API group belongs.

  2. In the left-side navigation pane, choose Instances and Clusters > Shared Instances or Instances and Clusters > Dedicated Instances depending on the instance type.
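The security group check described in this section can be run against a list of inbound rules before you debug the API. The following is an added example, not part of the original topic or Alibaba Cloud's own code. The rule shape, the egress addresses, and the function names are constructed assumptions, and drop rules and rule priorities are not modeled.

```python
import ipaddress

# Constructed sample data (assumption, not from the page): inbound rules in a
# simplified shape and placeholder API Gateway egress addresses.
RULES = [
    {"proto": "tcp", "ports": "22/22", "source": "10.0.0.0/8"},
    {"proto": "tcp", "ports": "80/80", "source": "100.104.13.0/27"},
    {"proto": "tcp", "ports": "443/443", "source": "0.0.0.0/0"},
]
EGRESS_IPS = ["100.104.13.5", "100.104.200.9"]
BACKEND_PORT = 80  # the Nginx port used in this topic


def port_in_range(rule, port):
    """Ports are written "low/high"; "-1/-1" is treated as every port."""
    low, high = (int(p) for p in rule["ports"].split("/"))
    return (low, high) == (-1, -1) or low <= port <= high


def admits(rule, ip, port):
    """True if this accept rule lets ip reach port over TCP."""
    return (rule["proto"] in ("tcp", "all")
            and port_in_range(rule, port)
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule["source"]))


def audit(rules, egress_ips, port):
    """Return (egress IPs still blocked, rules open to every source on port)."""
    blocked = [ip for ip in egress_ips
               if not any(admits(r, ip, port) for r in rules)]
    open_to_all = [r for r in rules
                   if ipaddress.ip_network(r["source"]).prefixlen == 0
                   and r["proto"] in ("tcp", "all")
                   and port_in_range(r, port)]
    return blocked, open_to_all


def rules_to_add(blocked, port):
    """One /32 accept rule per blocked egress IP, instead of opening the port."""
    return [{"proto": "tcp", "ports": f"{port}/{port}", "source": f"{ip}/32"}
            for ip in blocked]


if __name__ == "__main__":
    blocked, open_to_all = audit(RULES, EGRESS_IPS, BACKEND_PORT)
    print("blocked egress IPs:", blocked)
    print("rules open to all sources:", open_to_all)
    print("rules to add:", rules_to_add(blocked, BACKEND_PORT))
```

Adding one /32 rule per egress IP keeps the backend port closed to every other source, which is narrower than allowing all CIDR blocks on that port.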

7. Debug the API

API Gateway supports online debugging. We recommend that you use this feature to check whether an API is correctly configured before you call this API on clients.

In the left-side navigation pane, choose Call APIs > Debug. Find the created API and debug the API. If you have defined request parameters for the API, you can enter different values for the request parameters to check whether the API is correctly configured.

When you debug the API, make sure that the App Name parameter is set to the authorized application. The environment for debugging must be the one in which the application is authorized to call the API. Otherwise, debugging may fail.

8. Call the API

For more information, see Call an API in simple authentication mode.
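A client-side sketch of a call that uses the AppCode, added here as an example and not taken from the original topic or from Alibaba Cloud's SDKs. It sends the AppCode in the `Authorization: APPCODE <AppCode>` header used by simple authentication mode, refuses plain HTTP and query-string placement (URLs end up in access logs and browser history), and masks the value before a URL is logged. The host name, path, and AppCode value are hypothetical.

```python
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_call(url, appcode):
    """Build a GET request that carries the AppCode in the Authorization header."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("send the AppCode over HTTPS only")
    if any(k.lower() == "appcode" for k, _ in parse_qsl(parts.query)):
        raise ValueError("AppCode found in the query string; use the header")
    return urllib.request.Request(
        url, headers={"Authorization": "APPCODE " + appcode}, method="GET")


def redact(url):
    """Mask an AppCode query parameter before a URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "***" if k.lower() == "appcode" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="*")))


if __name__ == "__main__":
    # Hypothetical bound domain, path, and AppCode (constructed values).
    req = build_call("https://api.example.com/web/cloudapi?id=7", "abc123")
    print(req.get_method(), req.full_url)
    print("Authorization header set:", req.has_header("Authorization"))
    print(redact("https://api.example.com/web/cloudapi?AppCode=abc123&id=7"))
    # urllib.request.urlopen(req, timeout=5) would send the request.
```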

Note

If no environment is specified for debugging, the API is debugged in the production environment by default. For information about environments, see Environmental Management.

The main purpose of this topic is to help you quickly get started. The high availability of a backend service is not considered. If you have any questions, see Use a resource in a VPC as the backend service of an API.