All Products
Search
Document Center

Call by API Gateway

Last Updated: Aug 05, 2021

APIs that are created in API Gateway can be called not only by the client but also by API Gateway. API Gateway can call the APIs across regions and call the APIs over the internal network in a region. API Gateway can also call an API across accounts by using an AccessKey pair of an authorized application to bind a backend signature plug-in of the APIGW_FRONTEND type. Before API Gateway calls an API, API Gateway uses the AccessKey pair to generate a signature and sends the signature to the API for authentication. This feature can be used in the following typical scenario: You create an API that is used to route requests. The API is bound with a backend routing plug-in and a backend signature plug-in. In the backend, the backend routing plug-in routes requests to other APIs based on the request parameters.

1. Example

1.1. Configure APIs

If you want API Gateway to call an API over the internal network, you must purchase an exclusive instance first. Then, you must migrate the API group to which the API belongs to the exclusive instance and manually generate an internal domain name for API calls in the API Gateway console.

1.1.1. Enable API calls over the internal network for the exclusive instance

1.1.2. Enable internal domain names that are used for API calls from API Gateway for API groups

Create two API groups and generate an internal domain name that is used for API calls from API Gateway for each API group.

For example, the following two internal domain names are generated: 17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com c6e984b2dd784c0fb843f7c2a8878b15-cn-huhehaote-intranet.alicloudapi.com

1.1.3. Create an API in each API group

Create an API in each API group. Applications must be authorized before they can call the two APIs. The following example shows the attributes of the two APIs:

1.1.4. Grant the permissions on the two APIs

Grant the permissions on the two APIs to an application. In this example, the application has the following AccessKey pair: AccessKey ID:TESTKEY AccessKey secret:TESTSECRET

1.2. Configure an API that is used to route requests

1.2.1. Create an API that is used to route requests

Create an API that is used to route requests. The API can be called anonymously. Set the request method to Get and the path of the API to /distributeAPI. In this example, the domain name of the API group to which the API belongs is 17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com.

1.2.2. Create and bind a backend routing plug-in

Create a backend routing plug-in and bind the backend routing plug-in to the API that is used to route requests.

---
parameters:
  target: "Query:target"
routes:
- name: backend1
  condition: "$target = 'resource1'"
  backend:
    type: "HTTP"
    address: "17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com"
    path: "/business1"
- name: backend2
  condition: "$target = 'resource12'"
  backend:
    type: "HTTP"
    address: "c6e984b2dd784c0fb843f7c2a8878b15-cn-huhehaote-intranet.alicloudapi.com"
    path: "/business2"

After the API is bound with the backend routing plug-in, the API routes a request based on the preceding configurations. If the value of the request parameter target is resource1, the API sends an HTTP request whose path is /business1 to 17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com. If the value is resource2, an HTTP request is sent based on the preceding configurations.

1.2.3. Create and bind a backend signature plug-in

Create a backend signature plug-in and bind the backend signature plug-in to the API that is used to route requests.

---
type: APIGW_FRONTEND
key: TESTKEY
secret: TESTSECRET 
signatureMethod: HmacSHA256

After the API is bound with the backend signature plug-in, the API generates a signature based on the content of a request and the frontend signature algorithm of API Gateway. Then, the API includes the signature in the request and sends the request to the backend.

2. Call the API that is used to route requests

Before you call the API that is used to route requests, make sure that all the created APIs are published to the production environment. Then, you can run the following commands to perform testing:

curl 'http://17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com/distributeAPI?target=resource1' -i

Request sent to the backend:

GET /business1 HTTP/1.1
User-Agent: curl/7.64.1
Via: 0045e52ee3a8400b8501b4c449b28779
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Forwarded-Proto: http
X-Forwarded-For: 106.1.1.1, 127.0.0.1
Host: backend1.alicloudapi.com:8080
X-Ca-Request-Id: 23853B41-C54D-45E9-8C43-EE4C1E8A7889
Via: bc48a42a3d17408b991b0bb4d18c23c0

curl 'http://17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com/distributeAPI?target=resource2' -i

Request sent to the backend:

GET /business2 HTTP/1.1
User-Agent: curl/7.64.1
Via: 0045e52ee3a8400b8501b4c449b28779
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Forwarded-Proto: http
X-Forwarded-For: 106.1.1.1, 127.0.0.1
Host: backend2.alicloudapi.com:8080
X-Ca-Request-Id: AFD529D2-9B24-437E-8CEC-897E0BCD8B2F
Via: bc48a42a3d17408b991b0bb4d18c23c0