All Products
Search

This Product

    API Gateway:API gateways in multiple levels

    Document Center

    API Gateway:API gateways in multiple levels

    Last Updated:Dec 15, 2023

    APIs that are created in API Gateway can be called by clients and also by API Gateway. API Gateway can call APIs in the same region over internal networks or across regions over the Internet. API Gateway can also call an API across accounts by using an AccessKey pair of an authorized application to bind a backend signature plug-in of the APIGW_FRONTEND type. Before API Gateway calls an API, API Gateway uses the AccessKey pair to generate a signature and sends the signature to the API for authentication. The Call by API Gateway feature can be used in the following typical scenario: You create an API that is used to route requests. A backend routing plug-in and a backend signature plug-in are bound to the API. The backend routing plug-in routes requests to other APIs based on request parameters.

    1. Configuration example

    1.1 Configure business APIs

    If you want API Gateway to call your API over a virtual private cloud (VPC), you must perform the following steps in the API Gateway console: purchase a dedicated instance, migrate the API group to which the API belongs to the dedicated instance, and manually generate an internal domain name for VPC-based API calls.

    1.1.1 Enable the Call by API Gateway feature

    1. Log on to the API Gateway console.

    2. In the left-side navigation pane, click Instances. Find the dedicated instance and click Call by API Gateway.

    1.1.2 Generate internal domain names for API calls

    Create two API groups on the instance. Then click each of the groups and generate an internal domain name.

    For example, the following two internal domain names are generated:

    17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com
c6e984b2dd784c0fb843f7c2a8878b15-cn-huhehaote-intranet.alicloudapi.com

    1.1.3 Create an API in each of the groups

    Create an API in each API group. Set the Security Authentication parameter to Alibaba Cloud App for both APIs. The following examples show the assumed attributes of the two APIs:

    • API1: Method: GET Path: /business1 Backend service URL:

      http://backend1.alicloudapi.com:8080/business1

    • API2 Method: GET Path: /business2 Backend service URL:

      http://backend2.alicloudapi.com:8080/business2

    1.1.4 Authorize an application to call the APIs

    Authorize the same application to call both APIs. In this example, the application has the following AccessKey pair: KEY:TESTKEY SECRET:TESTSECRET

    1.2 Configure the distribution API

    1.2.1 Create the distribution API

    Create a distribution API that can be anonymously accessed. Configure GET as its HTTP method, /distributeAPI as its path, and 17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com as the domain name of the API group to which it belongs.

    1.2.2 Create and bind a backend routing plug-in

    Create a backend routing plug-in and bind the plug-in to the API. 

    ---
parameters:
  target: "Query:target"
routes:
- name: backend1
  condition: "$target = 'resource1'"
  backend:
    type: "HTTP"
    address: "17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com"
    path: "/business1"
- name: backend2
  condition: "$target = 'resource2'"
  backend:
    type: "HTTP"
    address: "c6e984b2dd784c0fb843f7c2a8878b15-cn-huhehaote-intranet.alicloudapi.com"
    path: "/business2"

    The preceding plug-in code specifies that the plug-in routes a received request based on the value of the target parameter in the query section of the request. If the value is resource1, the plug-in forwards the request to 17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com, and the path of the request is changed to /business1. If the value is resource2, the plug-in forwards the request in the similar way.

    1.2.3 Create and bind a backend signature plug-in

    Create a backend signature plug-in and bind the plug-in to the API.

    ---
type: APIGW_FRONTEND
key: TESTKEY
secret: TESTSECRET 
signatureMethod: HmacSHA256

    The preceding plug-in code specifies that the plug-in calculates a signature based on the content of a received request and the signature algorithm used by the front end. Then the plug-in adds the calculated signature to the request and sends the request to the backend service.

    2. Call the distribution API

    Before you call the API, make sure that all involved APIs are published and properly tested.

    curl 'http://17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com/distributeAPI?target=resource1' -i

    The following code snippet shows a sample request that is sent to a backend service:

    GET /business1 HTTP/1.1
User-Agent: curl/7.64.1
Via: 0045e52ee3a8400b8501b4c449b28779
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Forwarded-Proto: http
X-Forwarded-For: 192.168.XX.XX, 127.0.0.1
Host: backend1.alicloudapi.com:8080
X-Ca-Request-Id: 23853B41-C54D-45E9-8C43-EE4C1E8A7889
Via: bc48a42a3d17408b991b0bb4d18c23c0

    curl 'http://17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com/distributeAPI?target=resource2' -i

    The following code snippet shows another sample request that is sent to a backend service:

    GET /business2 HTTP/1.1
User-Agent: curl/7.64.1
Via: 0045e52ee3a8400b8501b4c449b28779
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Forwarded-Proto: http
X-Forwarded-For: 192.168.XX.XX, 127.0.0.1
Host: backend2.alicloudapi.com:8080
X-Ca-Request-Id: AFD529D2-9B24-437E-8CEC-897E0BCD8B2F
Via: bc48a42a3d17408b991b0bb4d18c23c0