This topic describes how to use OpenAPI to automate service and domain preparation, configure domain and route policies, create APIs and routes, and deploy your configurations. It also provides recommendations on concurrency, status checks, and conflict avoidance.
1. Key takeaways
1.1 Recommended order for route-level policies
-
Create a route:
CreateHttpApiRoute -
Create a policy:
CreatePolicy -
Attach the policy:
CreatePolicyAttachment -
Deploy the route:
DeployHttpApi
This is the most reliable sequence. First, create the route. Next, attach the policy. Finally, deploy the configuration. This approach prevents state conflicts and repeated deployments that can occur if you modify a policy after deployment.
1.2 Concurrent operations
|
Stage |
Concurrency recommended |
Recommendation |
|
Service preparation ( |
Yes |
These resources are independent and can run concurrently. |
|
Creating multiple policies ( |
Yes |
You can create different policies concurrently. |
|
Attaching multiple policies to different routes or domains |
Yes |
To run these operations concurrently, shard them by resource ID. |
|
Updating, attaching policies to, or deploying the same route |
No |
Execute these operations sequentially to avoid state conflicts, such as |
|
Creating multiple routes with the same path prefix in bulk |
No |
To avoid this, run these operations sequentially and perform pre-checks. |
1.3 Verifying changes
-
Route deployment status: Call
GetHttpApiRouteand verify that thedeployStatusisDeployed. CheckdeployErrorMessagefor any issues. -
Policy attachment: Call
GetPolicyAttachmentand verify that the response contains the targetattachResourceIdandattachResourceType. -
Domain association: Call
GetDomainwithwithStatistics=trueand review the statistics, or check thedomainInfosfield in the route details.
1.4 Common conflict scenarios
-
Duplicate resources: Creating a service, domain, API, or route with a name that already exists. Attaching the same type of policy to a resource more than once.
-
State competition: Attempting to deploy or modify a route while it is already in the
DeployingorUndeployingstate. -
Attachment conflict: Mismatched policy attachment types or violating constraints when attaching the same policy across different environments or gateways.
2. Service and domain preparation
2.1 Create or query a service (CreateService / GetService)
API reference:
2.1.1 CreateService
POST CreateService
Content-Type: application/json
{
"gatewayId": "gw-xxx",
"sourceType": "DNS",
"serviceConfigs": [
{
"name": "orders-backend",
"addresses": [
"orders.backend.svc.cluster.local:80"
]
}
]
}
Key parameters:
-
gatewayId: Required. The ID of the target gateway instance. -
sourceType: Required. Common values includeDNS,VIP,K8s, andMseNacos. -
serviceConfigs[]: Required. Supports creating multiple services in a single request. -
Use the
serviceIds[]from the response to reference the services in subsequent route backend configurations.
2.1.2 GetService
GET GetService
Recommendations:
-
The
serviceIdmust be an existing service ID, typically in the formatsvc-.... The legacy formatgs-...is also supported. -
Before creating a route, validate that the service exists and that its key fields (address, port, protocol) are correct.
2.2 Query a domain (GetDomain)
API reference:
GET GetDomain
Query: domainId=d-xxx&withStatistics=true
Key parameters:
-
domainId: The domain ID (for example,d-...). -
withStatistics: Optional. If set totrue, the response includes statistics about resources associated with the domain, which is useful for post-deployment verification.
2.3 Create a domain (CreateDomain)
API reference:
POST CreateDomain
Content-Type: application/json
{
"name": "api.example.com",
"protocol": "HTTP",
"gatewayType": "API"
}
Key parameters:
-
name: Required. The domain name. -
protocol: Required. Valid values:HTTPandHTTPS. -
We recommend setting
gatewayTypetoAPI. If omitted, a default value is used. -
If
protocolisHTTPS, you must also provide certificate-related parameters, such asforceHttpsandcertIdentifier.
3. Domain-level policies
3.1 Create a domain-level policy (CreatePolicy)
API reference:
We recommend that you use CreatePolicy to create a policy and then use CreatePolicyAttachment to attach it. Avoid using CreateAndAttachPolicy, which combines both actions.
POST CreatePolicy
Content-Type: application/json
{
"name": "domain-ip-whitelist",
"className": "IpAccessControl",
"description": "domain-level IP whitelist",
"config": "{\"name\":\"domain-ip-whitelist\",\"ipAccessControlResourceName\":\"api.example.com\",\"ipAccessControlResourceType\":\"Domain\",\"ipAccessControlType\":\"White\",\"ipAccessControlContent\":\"10.0.0.0/8,192.168.0.0/16\",\"enable\":true,\"protocolLayer\":\"L7\"}"
}
Key parameters:
-
name: Required. The policy name, which must be unique within the same gateway. -
className: Required. The type of the policy. -
config: Required. A JSON-formatted string, not a JSON object.
3.2 Attach a domain-level policy (CreatePolicyAttachment)
API reference:
POST CreatePolicyAttachment
Content-Type: application/json
{
"policyId": "p-xxx",
"attachResourceId": "d-xxx",
"attachResourceType": "Domain",
"gatewayId": "gw-xxx"
}
Key parameters:
-
policyId: Required. The ID of the policy. -
attachResourceId: Required. The ID of the domain (for example,d-...). attachResourceType: Required. The value is fixed toDomain.-
gatewayId: Required. -
environmentId: Domain-level policies are environment-agnostic. The server treats this parameter as*.
4. APIs and routes
4.1 Create an HTTP API (CreateHttpApi)
API reference:
POST CreateHttpApi
Content-Type: application/json
{
"name": "orders-http-api",
"description": "orders route collection",
"type": "Http",
"protocols": [
"HTTP",
"HTTPS"
]
}
Key parameters:
-
name: Required. The name of the API. -
type: Required. For an HTTP API, set this toHttp. -
protocols: Optional. If omitted, the default protocol is used.
4.2 Create an HTTP API route (CreateHttpApiRoute)
API reference:
POST CreateHttpApiRoute
Content-Type: application/json
Parameters:
-
httpApiId: Required.
{
"environmentId": "env-xxx",
"name": "orders-route",
"domainIds": [
"d-xxx"
],
"match": {
"path": {
"type": "Prefix",
"value": "/orders"
},
"methods": [
"GET",
"POST"
]
},
"backendConfig": {
"scene": "SingleService",
"services": [
{
"serviceId": "svc-xxx",
"protocol": "HTTP",
"port": 80,
"weight": 100
}
]
}
}
Key parameters:
-
environmentId,name,match, andbackendConfigare required. -
The
namemust be 64 characters or less and contain only lowercase letters, digits, hyphens (-), or periods (.). -
When
backendConfig.sceneisSingleService, specify only one backend in theservicesarray. -
domainIdscan be empty during creation, but you must associate a deployable domain to deploy the route.
5. Route policies and deployment
5.1 Create a route-level policy (CreatePolicy)
As with domain-level policies, use the following operation:
POST CreatePolicy
Example of a route-level IpAccessControl policy:
{
"name": "route-ip-whitelist",
"className": "IpAccessControl",
"description": "route-level IP whitelist",
"config": "{\"name\":\"route-ip-whitelist\",\"ipAccessControlResourceName\":\"orders-route\",\"ipAccessControlResourceType\":\"GatewayRoute\",\"ipAccessControlType\":\"White\",\"ipAccessControlContent\":\"10.10.0.0/16\",\"enable\":true,\"protocolLayer\":\"L7\"}"
}
5.2 Attach a route-level policy (CreatePolicyAttachment)
POST CreatePolicyAttachment
Content-Type: application/json
{
"policyId": "p-yyy",
"attachResourceId": "hr-yyy",
"attachResourceType": "GatewayRoute",
"environmentId": "env-xxx",
"gatewayId": "gw-xxx"
}
Key parameters:
-
attachResourceId: The ID of the route, which must start with the prefixhr-. -
attachResourceType: For route-level policies, set this toGatewayRoute. -
We recommend explicitly specifying
environmentIdfor most route-level policies.IpAccessControlis an exception and does not require this parameter. -
gatewayId: Required.
5.3 Deploy an API (DeployHttpApi)
API reference:
POST DeployHttpApi
Content-Type: application/json
Parameters:
-
httpApiId: Required.
{
"routeId": "hr-yyy",
"isInternalRoute": false
}
Notes:
-
For HTTP APIs, the core parameter is
routeId. -
This is an asynchronous operation. A successful API call does not mean the deployment is complete. You must poll the status to confirm that the deployment is complete.
5.4 Optional: Conflict detection (DetectHttpApiConflicts)
POST DetectHttpApiConflicts
Content-Type: application/json
Parameters:
-
httpApiId: Required.
{
"routeId": "hr-yyy",
"isInternalRoute": false
}
Recommendations:
-
This pre-check is especially useful in scenarios where multiple teams modify routes concurrently on a custom domain.
-
If the operation detects conflicts, adjust the path, method, or domain binding before calling
DeployHttpApi.
6. Verifying changes
Follow these four steps to verify your changes:
-
Check the route deployment status
-
Call
GetHttpApiRoute(GET) and pass thehttpApiIdandrouteId. -
Check the status:
-
deployStatus=Deployed: The deployment was successful. -
deployStatus=DeployFailed: The deployment failed. Check thedeployErrorMessagefor details.
-
-
-
Check the policy attachment
-
Call
GetPolicyAttachment(GET) and pass thepolicyAttachmentId. -
Confirm that
attachResourceId,attachResourceType, andgatewayIdmatch your intended configuration.
-
-
Check the domain association
-
Call
GetDomain(GET) and pass thedomainIdandwithStatistics=true. -
Alternatively, check the route details to confirm that
domainInfoscontains the target domain.
-
-
Verify with live traffic
-
Send a request to the target domain and path to confirm that the route forwards traffic as expected and that the policy (such as a whitelist) is enforced correctly.
-
7. Conflict scenarios and solutions
The service maps the TypeConflict error code to an HTTP 409 status code.
-
CreateServiceconflicts-
Common errors:
ServiceExisted,ServiceQuotaPerGatewayExceed. -
Avoidance: Use a consistent naming convention for services within the same gateway. Estimate your quota usage before performing batch creations.
-
-
CreateDomainconflicts-
Common error:
DomainExisted. -
Avoidance: Ensure domain names are globally unique, scoped by the combination of
nameandgatewayType.
-
-
CreatePolicy/CreatePolicyAttachmentconflicts-
Common errors:
-
PolicyExisted. -
PolicyAttachResourceBounded(attaching the same policy to the same resource more than once). -
PolicyAttachConflict(another policy of the same class already exists on the resource, especially for singleton route-level policies). -
PolicyAttachResourceTypeNotMatch(attaching the same policy to different resource types).
-
-
Avoidance: Use the combination of
resourceIdandclassNameas an idempotency key. Before attaching a policy, check for existing attachments.
-
-
CreateHttpApi/CreateHttpApiRouteconflicts-
Common errors:
-
ApiNameDuplicated/ApiNameDuplicatedWithInstance. -
ApiVersionDuplicated(for multi-version REST APIs). -
RouteNameDuplicated. -
RoutePathHasDefinedByApi(path/method conflict).
-
-
Avoidance: Ensure API names are unique within the same gateway. Create routes with the same path segment sequentially and perform validation first.
-
-
DeployHttpApiconflicts-
Common errors:
-
DeployRouteForbidden(the route is in theDeployingorUndeployingstate). -
ApiNameDuplicatedWithInstance(name conflict with a deployed instance).
-
-
Avoidance: Strictly serialize the policy modification and deployment operations for the same route. Avoid deploying the same
routeIdconcurrently.
-
8. Execution checklist
-
Run the service and domain preparation steps concurrently to obtain the
serviceIdanddomainId. -
Create the
HttpApifirst, then create theHttpApiRoute. -
For route policies, follow this sequence: create a route -> create a policy -> attach the policy -> deploy the route.
-
After deployment, poll the route's
deployStatusuntil it becomesDeployed. -
Handle HTTP 409 scenarios idempotently: check if a resource exists before creating it, or gracefully handle "duplicate creation" errors.