APIs that are created in API Gateway can be called not only by the client but also by API Gateway. API Gateway can call the APIs across regions and call the APIs over the internal network in a region. API Gateway can also call an API across accounts by using an AccessKey pair of an authorized application to bind a backend signature plug-in of the APIGW_FRONTEND type. Before API Gateway calls an API, API Gateway uses the AccessKey pair to generate a signature and sends the signature to the API for authentication. This feature can be used in the following typical scenario: You create an API that is used to route requests. The API is bound with a backend routing plug-in and a backend signature plug-in. In the backend, the backend routing plug-in routes requests to other APIs based on the request parameters.
1.1. Configure APIs
If you want API Gateway to call an API over the internal network, you must purchase an exclusive instance first. Then, you must migrate the API group to which the API belongs to the exclusive instance and manually generate an internal domain name for API calls in the API Gateway console.
1.1.1. Enable API calls over the internal network for the exclusive instance
1.1.2. Enable internal domain names that are used for API calls from API Gateway for API groups
Create two API groups and generate an internal domain name that is used for API calls from API Gateway for each API group.
For example, the following two internal domain names are generated: 17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com c6e984b2dd784c0fb843f7c2a8878b15-cn-huhehaote-intranet.alicloudapi.com
1.1.3. Create an API in each API group
Create an API in each API group. Applications must be authorized before they can call the two APIs. The following example shows the attributes of the two APIs:
API1: Method: Get Path: /business1 Backend service address:
API2 Method: Get Path: /business2 Backend service address:
1.1.4. Grant the permissions on the two APIs
Grant the permissions on the two APIs to an application. In this example, the application has the following AccessKey pair: AccessKey ID:TESTKEY AccessKey secret:TESTSECRET
1.2. Configure an API that is used to route requests
1.2.1. Create an API that is used to route requests
Create an API that is used to route requests. The API can be called anonymously. Set the request method to Get and the path of the API to /distributeAPI. In this example, the domain name of the API group to which the API belongs is 17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com.
1.2.2. Create and bind a backend routing plug-in
Create a backend routing plug-in and bind the backend routing plug-in to the API that is used to route requests.
--- parameters: target: "Query:target" routes: - name: backend1 condition: "$target = 'resource1'" backend: type: "HTTP" address: "17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com" path: "/business1" - name: backend2 condition: "$target = 'resource12'" backend: type: "HTTP" address: "c6e984b2dd784c0fb843f7c2a8878b15-cn-huhehaote-intranet.alicloudapi.com" path: "/business2"
After the API is bound with the backend routing plug-in, the API routes a request based on the preceding configurations. If the value of the request parameter target is resource1, the API sends an HTTP request whose path is /business1 to 17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com. If the value is resource2, an HTTP request is sent based on the preceding configurations.
1.2.3. Create and bind a backend signature plug-in
Create a backend signature plug-in and bind the backend signature plug-in to the API that is used to route requests.
--- type: APIGW_FRONTEND key: TESTKEY secret: TESTSECRET signatureMethod: HmacSHA256
After the API is bound with the backend signature plug-in, the API generates a signature based on the content of a request and the frontend signature algorithm of API Gateway. Then, the API includes the signature in the request and sends the request to the backend.
2. Call the API that is used to route requests
Before you call the API that is used to route requests, make sure that all the created APIs are published to the production environment. Then, you can run the following commands to perform testing:
curl 'http://17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com/distributeAPI?target=resource1' -i
Request sent to the backend:
GET /business1 HTTP/1.1 User-Agent: curl/7.64.1 Via: 0045e52ee3a8400b8501b4c449b28779 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Forwarded-Proto: http X-Forwarded-For: 220.127.116.11, 127.0.0.1 Host: backend1.alicloudapi.com:8080 X-Ca-Request-Id: 23853B41-C54D-45E9-8C43-EE4C1E8A7889 Via: bc48a42a3d17408b991b0bb4d18c23c0
curl 'http://17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com/distributeAPI?target=resource2' -i
Request sent to the backend:
GET /business2 HTTP/1.1 User-Agent: curl/7.64.1 Via: 0045e52ee3a8400b8501b4c449b28779 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Forwarded-Proto: http X-Forwarded-For: 18.104.22.168, 127.0.0.1 Host: backend2.alicloudapi.com:8080 X-Ca-Request-Id: AFD529D2-9B24-437E-8CEC-897E0BCD8B2F Via: bc48a42a3d17408b991b0bb4d18c23c0