This topic describes the release notes for API Gateway and provides links to the relevant references.
For the latest updates on Alibaba Cloud services, visit the Product Updates page.
2024-01
Feature | Description | Region | References |
Hashing algorithm for backend routing plug-ins | Backend routing plug-ins support hashing-based distribution policies. | All | |
Logging | A field is added to logs to record the occurrence points of time of all input/output (I/O) operations. | All | |
Throttling plug-ins | The retry-after header is supported for all levels of throttling in throttling plug-ins. | All |
2023-12
Feature | Description | Region | References |
A size limit of 50 KB for a mocked response | The size of a mocked response cannot exceed 50 KB. | All | |
BasePath of an API group | The length of the BasePath of an API group cannot exceed 300 bytes. | All | |
The XFF header for plug-ins | The XFF header is supported by all plug-ins. A plug-in reads a specific IP address from the XFF header for logical judgment. | All | |
API debug |
| All |
2023-11
Feature | Description | Region | References |
API operation history | Plug-in-related operation records are added to API operation history. | All | |
Datasets for basic authentication plug-ins | Datasets of basic authentication plug-ins support special characters. | All |
2023-10
Feature | Description | Region | References |
OAS 3.0 | You can export and import OpenAPI Specification (OAS) 3.0-compliant data in the API Gateway console. | All | |
ZooKeeper | ZooKeeper-registered microservices applications are supported as the backend services of APIs on a virtual private cloud (VPC) integration instance. | All | |
Multiple key pairs for an application | You can configure multiple key pairs for an application. | All |
2023-09
Feature | Description | Region | References |
Extended fields of applications | You can configure an extended field for an application. This field is passed as a system parameter to the backend service in an API call. | All | |
Timeout configuration for a backend service | You can configure a timeout period in a backend service and use the timeout period as the default timeout period for all APIs. You can also separately configure a timeout period for the backend service for each API. | All |
2023-08
Feature | Description | Region | References |
Support for datasets by basic authentication plug-ins | You can use the plug-in dataset feature in a basic authentication plug-in. This allows you to maintain a custom authentication system in API Gateway. You can add, modify, or delete entries in a dataset to manage the credentials of API callers. | All | |
Support for datasets by throttling plug-ins | You can dynamically adjust throttling rules in API sales scenarios where applications are dynamically authorized based on corresponding throttling policies. | All |
2023-07
Feature | Description | Region | References |
Specification upgrade and downgrade of VPC integration instances | You can upgrade or downgrade a virtual private cloud (VPC) integration instance to meet your scaling requirements in real time. | All | |
API export | You can export the metadata of APIs in an API group to your local device. This feature is suitable for the following scenarios:
| All |
2023-06
Feature | Description | Region | References |
Support for the characters of multiple languages and for common symbols in the Path parameter | You can use the characters of multiple languages and common symbols in the Path parameter of an API request. | All | |
CIDR blocks of VPC integration instances | You can add CIDR blocks that are allowed to access your virtual private cloud (VPC) to a VPC integration instance. | All |
2023-05
Feature | Description | Region | References |
Support for percentages as conditions for circuit breaker plug-ins to trip | You can configure an occurrence percentage of a specific error or timeout in a time window as a condition for a circuit breaker plug-in to trip. | All | |
Support for custom maintenance windows for dedicated instances | You can specify a custom time window for API Gateway to upgrade your dedicated instance in the background. API Gateway upgrades instances when new features are added or when major bugs are detected. | All | |
Change of the billing method for a dedicated instance | You can change the billing method of a dedicated instance from subscription to pay-as-you-go and vice versa. | All | |
Support for APIs whose backend service type is Service discovery | You can create an API whose backend service type is Service discovery in a VPC integration instance. Currently, only Nacos can be configured to discover backend services. | All |
2023-04
Feature | Description | Region | References |
Support for plug-in datasets by IP address-based access control plug-ins | You can configure blacklist or whitelist data entries in a plug-in dataset and reference the dataset in your IP address-based access control plug-in to control access. Modifications to the data entries take effect immediately. | All | |
Support for plug-in datasets by parameter-based access control plug-ins | You can configure parameter value data entries in a plug-in dataset and reference the dataset in your parameter-based access control plug-in to control access. Modifications to the data entries take effect immediately. | All | |
Optimized alerts upon DDoS attacks | Alerts with optimized messages are synchronized to users when distributed denial-of-service (DDoS) attacks are detected. | All | |
Temporary throttling configuration upon the tripping of a circuit breaker plug-in | Once a circuit breaker trips, a temporary throttling configuration is added to the API, and all traffic is throttled based on this configuration when the circuit breaker is open or half open. | All | |
New region | API Gateway is available in the China (Ulanqab) region. |
2023-03
Feature | Description | Region | References |
Network connectivity test of a VPC access authorization | The API Gateway console provides a feature for you to test the network connectivity of your VPC access authorization. | All | |
Addition of information that can be used for troubleshooting on the API debugging page | API Gateway allows you to debug published APIs online. In addition, the console provides a tab that provides information to help you troubleshoot issues discovered during the debugging. | All | |
Passing of authentication results to the backend service by the third-party authentication plug-in | Specific fields can be extracted from the response returned by the authentication service and then sent to the backend service. The authResultPassThrough section can be used to map the parameters that you want to pass to the backend service. | All | |
Support for the fixed time window algorithm by the throttling plug-in | By default, a throttling plug-in throttles requests by using the token bucket algorithm when the time unit used for throttling is second. You can configure the plug-in to make it use the fixed time window algorithm. | All |
2023-02
Feature | Description | Region | References |
Support for VPC integration instances | API Gateway provides VPC integration instances to allow direct communication between API Gateway and your VPC. Before this instance type is provided, communication between API Gateway and a user's VPC is implemented based on a VPC access authorization. VPC integration instances can directly communicate with services in your VPC. | All | |
Ignorance of empty values of the parameters that are used for parameter-based throttling by throttling plug-ins | In parameter-based throttling, the throttling plug-in uses the default throttling mode when parameters that are used for throttling are left empty. The plug-in does not throttle based on a value of null or another similar value of the parameters. | All | |
Support for the direct returning of the 429 code and for making requests wait in a queue by throttling plug-ins | By default, a throttling plug-in throttles requests by using the token bucket algorithm when the time unit used for throttling is second. In this case, requests that fail to obtain a token wait in a queue for tokens. You can configure the plug-in to directly return the 429 code to requests that fail to obtain a token. | All |
2023-01
Feature | Description | Region | References |
Support for accurate status control by circuit breaker plug-ins | The API Gateway service is deployed on distributed nodes in a cluster to ensure performance. Different service nodes independently calculate and save the circuit breaker status. As a consequence, the circuit breaker may have status inaccuracy. If you require accurate circuit breaker status, you can configure the plug-in for the global circuit breaker status to be obtained for every request. This causes performance loss. | All | |
Batch modification of basic configurations of multiple APIs | You can modify the basic configurations, such as the API request protocol and security authentication type, for multiple APIs at a time in the console. | All | |
Notification before the certificate associated with the domain name bound to an API group expires | Notification can be sent by email, internal letter, or SMS message to remind the user of replacing the certificate before the certificate that is associated with the domain name bound to an API group expires. | All | |
Resetting of the AppKey and AppSecret of an application | You can reset the AppKey and AppSecret of an application. | All |
2022-12
Feature | Description | Region | References |
Implementation of the dynamic whitelist mechanism based on plug-in datasets that are used by third-party authentication plug-ins | Plug-in datasets can be used to create user ID whitelists. This allows API Gateway to check whether user IDs are included in the user ID whitelists after API Gateway obtains the user IDs from third-party authentication results. Only users whose IDS are included in the user ID whitelists can pass the authentication. | All | |
Support for Host parameters by routing plug-ins | The values of Host parameters of wildcard domains can be passed into routing expressions. | All | |
Support for IPv6 addresses in instance-level access control | IPv6 addresses are supported in instance-level access control. | All | |
Support for the Thailand (Bangkok) region | API Gateway is available in the Thailand (Bangkok) region. |
2022-11
Feature | Description | Region | References |
Support for authentication response bodies by third-party authentication plug-ins | The JSON strings that are extracted from the authentication response bodies can be used as authentication results. | All | |
Combination of application-based authentication with third-party authentication | Authentication is considered successful if one of the application-based authentication and third-party authentication is successful. | All | |
Automatic removal of the A header prefix when third-party authentication plug-ins verify tokens | If authentication parameters are included in the Authorization headers, header prefixes are intelligently skipped by third-party authentication plug-ins. Only the parameter content is extracted by the plug-ins. | All |
2022-10
Feature | Description | Region | References |
Support for the standard OAS | APIs that are defined by using the standard OpenAPI specification (OAS) 2.0 can be imported. This allows you to easily connect your business to API Gateway or migrate your APIs to API Gateway. Up to 100 APIs can be imported by using the standard OAS at a time. | All | |
Support for obtaining the Path information of requests by third-party authentication plug-ins | Third-party authentication plug-ins allow you to pass the Path parameter in a request to the authentication service. | All | |
Historical operation logs of APIs | Operations such as creating, modifying, publishing, or unpublishing APIs are logged by API Gateway. | All | |
Unified Arms TraceId and API Gateway TraceId | When you request event tracking data from Application Real-Time Monitoring Service (ARMS), the default value of the TraceId parameter that conforms to the protocol is added and returned. | All |
2022-09
Feature | Description | Region | References |
Plug-in datasets | Configuration data of plug-ins can be extracted and separately managed as dataset objects. This greatly improves user experience and plug-in scalability. After configuration data of plug-ins is extracted as individual dataset objects, plug-ins allow you to reference the datasets. Changes in a dataset object immediately take effect for all plug-ins that reference the dataset object. | All | |
Implementation of the dynamic blacklist mechanism based on plug-in datasets that are used by JWT authentication plug-ins | JWT authentication plug-ins are used to block requests that are sent from users who obtained an official token. The value of the claim parameter that is decrypted from the token is used by API Gateway to determine whether the user who sends the request is included in the blacklist. Custom responses to rejected objects can be configured. | All | |
Support for the China (Guangzhou) region | API Gateway is available in the China (Guangzhou) region. |
2022-08
Feature | Description | Region | References |
Third-party authentication plug-ins | Third-party authentication plug-ins are supported. API Gateway calls the authentication service of the user before calling the backend service. After API Gateway receives a success response from the authentication service, API Gateway calls the backend service. Authentication results can be cached, authentication request parameters can be mapped, and custom authentication responses can be configured in third-party authentication plug-ins. | All | |
Mixed HTTP/HTTP-VPC backends | Custom mixed HTTP/HTTP-VPC backends are supported. Different backend types can be configured for different environments. | All | |
Custom domain names in VPC authorizations | Custom values of the Host parameter are supported for VPC backend services that are used in different environments. Custom values of the Host parameter are also supported in VPC authorizations. | All | Create an API operation with a resource in a VPC as the backend service |
2022-07
Feature | Description | Region | References |
Automatic HTTP-to-HTTPS redirection | Automatic redirection of HTTP requests to HTTPS requests is supported. You can configure this feature in your domain name configurations. | All | |
Access from domain names of Application Load Balancer (ALB) in VPC authorizations | Auto-scaling domain names of ALB can be configured as URLs of backend services in the configurations of VPC authorizations. API Gateway automatically adapts when an ALB instance is scaled. | All | Create an API with a resource in a VPC as the backend service |
Optimized naming rules for API groups and APIs | Underscores (_), hyphen (-), spaces, and periods (.) can be used in the names of API groups and APIs. | All |
2022-06
Feature | Description | Region | References |
Configuration of inbound VPCs for dedicated instances | The source vSwitch of inbound requests can be specified when you bind an inbound VPC to a dedicated instance. | All | |
Configuration of access keys (AKs) and AppCodes for applications | Custom AKs and AppCodes are supported when you create applications. The AKs and AppCodes for applications that are already in production can be changed. The change immediately takes effect. | All |
2022-05
Feature | Description | Region | References |
HTTPS two-way authentication | The verification depth of intermediate certificates can be configured for HTTPS two-way authentication. API Gateway verifies the certificates in requests based on the verification depth configured. | All | |
Four blacklist and whitelist levels for dedicated instances | Blacklists and whitelists for dedicated instances can be configured at four levels. This feature helps you block suspicious requests. | All | |
Extension of validity periods for application authorizations | The validity periods of application authorizations can be extended. | All |
2022-04
Feature | Description | Region | References |
VPC access authorization | The Host parameter can be configured when you configure VPC access authorizations. The Host parameter is added to the requests that are forwarded by API Gateway to backend services that are deployed in the VPC. | All | Create an API with a resource in a VPC as the backend service |
Routing plug-ins | Plug-ins of the Routing type are provided to specify the weight of routing options. Requests are distributed to the routing options that meet specific criteria according to the specified weight ratio. | All |
2022-03
Feature | Description | Region | References |
Configuration of EventBridge as a backend service | EventBridge can be integrated with API Gateway as a backend service. After you integrate EventBridge as a backend service, you can read the event buses that are configured in EventBridge. | All |
2022-02
Feature | Description | Region | References |
API group synchronization | Model data can be synchronized when metadata is synchronized between API groups. | All |
2022-01
Feature | Description | Region | References |
JWT authentication plug-ins | Tokens can be read from the Cookie header in a request by using JWT authentication plug-ins. | All | |
Backend service | A backend service can be referenced by multiple APIs. If you modify the definition of the backend service, the change is pushed to all APIs that reference the service. | All |
2021-12
Feature | Description | Region | References |
Integration with Log Service | Requested plug-ins and the request context can be recorded in API call logs. | All | |
IP address-based access control plug-ins | Plug-ins of the IP Access Control type can be used to allow or reject the originating IP addresses or the direct IP addresses. | All | |
Console optimization | VPC authorizations can be filtered by IP address, VPC ID, and port number. Plug-ins can be searched for by name in fuzzy search mode. | All |
2021-11
Feature | Description | Region | References |
Cross-zone resources for upgrading the specifications of a dedicated instance | If you want to upgrade the specifications of a dedicated instance but the resources in the zone where the instance resides are insufficient, resources in other zones can be used to upgrade the specifications. | All | |
Multiple HTTPS security policies for internal domain names of a dedicated instance | Multiple HTTPS security policies are supported by the internal domain names that are bound to the API groups on a dedicated instance. The HTTPS security policy that is used by an internal domain name can be the same as the HTTPS security policy that is used by the dedicated instance. | All |
2021-10
Feature | Description | Region | References |
Removal of the Server header that is generated by API Gateway from responses | The Server header that is generated by API Gateway can be hidden in the responses. This feature is available only for dedicated instances. | All | |
Debugging by using an AppCode | An AppCode can be used for debugging on the Debug API page of the API Gateway console. | All |
2021-09
Feature | Description | Region | References |
Support for Object Storage Service (OSS) as a backend service | OSS can be configured as the backend service. If you activate API Gateway and OSS in the same region, APIs can access OSS over the internal network. | All | |
Modification of VPC authorization settings and simultaneous publishing of multiple related APIs | The APIs that are referenced when you modify or delete VPC authorization settings can be published at the same time. | All |
2021-08
Feature | Description | Region | References |
Specification change for dedicated instances | The specifications of a dedicated instance can be upgraded or downgraded without business impacts. | All | |
Instance monitoring | The monitoring data of each dedicated instance can be viewed in the API Gateway console. | All | |
Basic authentication | Basic authentication is supported. | All |
2021-07
Feature | Description | Region | References |
Custom internal domain names | Custom internal domain names can be bound to API groups. After you bind a custom internal domain name to an API group, the APIs in the group can be called only over the internal network. | All | |
Fuzzy search on the Authorizations page | VPC authorizations can be searched for by authorization name in fuzzy search mode on the Authorizations page. | All | |
Support for the milliseconds unit by plug-ins of the Circuit Breaker type | The milliseconds unit can be used in conditional expressions that are configured for plug-ins of the Circuit Breaker type. | All |
2021-06
Feature | Description | Region | References |
BasePath parameter | The BasePath parameter can be configured for API groups. The value of the BasePath parameter must be used together with the value of the Path parameter of an API in the API group for all requests. | All | |
Support for the Array type in Swagger files | The Array type is supported in Swagger files. | All | |
End-to-end log tracing | B3 Propagation and EagleEye are supported to implement end-to-end log tracing. By default, B3 Propagation headers and EagleEye-related headers are passed through. | All |
2021-05
Feature | Description | Region | References |
API filtering based on the request path and method | APIs can be filtered based on the request path and method on the APIs page. | All | |
Simultaneous addition of tags to multiple APIs | Tags can be added to multiple APIs at the same time on the APIs page. | All |
2021-04
Feature | Description | Region | References |
API Gateway logs | The content of decrypted JWTs can be included in logs that are delivered to Log Service. This feature is supported only for dedicated instances. | All | |
Multiple shared instances | Multiple shared instances are supported. | All | |
Synchronizing API metadata for a group and changing the backend service in a VPC for multiple APIs | The metadata of APIs in an API group can be synchronized, and the backend service type of multiple APIs can be changed at the same time. | All |
2021-03
Feature | Description | Region | References |
Binding a VPC of another Alibaba Cloud account | A VPC of another Alibaba Cloud account can be bound to an instance. | All |
2021-02
Feature | Description | Region | References |
API metadata synchronization for API groups and metadata comparison | The metadata of APIs in an API group can be synchronized to another API group within the same Alibaba Cloud account. Before synchronization, the metadata of APIs in the source API group can be compared with the metadata of existing APIs in the destination API group. | All | |
Wildcard domain names for plug-ins of the CORS type | Wildcard domain names are supported by plug-ins of the CORS type. | All |
2021-01
Feature | Description | Region | References |
API filtering for Swagger file import | API filtering is supported by Swagger file import. | All | |
Binding one domain name to multiple instances | One domain name can be bound to multiple instances. | All |
2020-12
Feature | Description | Region | References |
Protection against HTTP flood attacks | Throttling plug-ins can be used to block requests based on IP addresses and parameters from clients. This helps protect against HTTP flood attacks. | All | |
Setting the timeout period of the backend service of dedicated instances to 90 seconds | The timeout period of the backend service of dedicated instances can be set to 90 seconds. | All |
2020-11
Feature | Description | Region | References |
End-to-end log tracing | API Gateway is integrated with Tracing Analysis. You can specify the sampling mode and sampling rate in the API Gateway console. | All |
2020-10
Feature | Description | Region | References |
Parameter configuration for plug-ins of the CORS type | Plug-ins of the CORS type can be configured by using parameters. | All | |
IPv6 | API calls from IPv6 addresses are supported by the backend service of dedicated instances. | All |
2020-09
Feature | Description | Region | References |
Increased limit for the size of an HTTP request body | The allowed maximum size of an HTTP request body for dedicated instances is increased to 32 MB. The maximum size of an HTTP request body for shared instances is 8 MB. | All | |
Reading parameters from multiple parts of a form | Parameters can be read from multiple parts of a form. | All | |
Monitoring data in the API Gateway console | The monitoring data of API calls can be collected by region and API group. | All |
2020-08
Feature | Description | Region | References |
Support for published APIs at the backend service | APIs that are published in the API Gateway console can be configured at the backend service. APIs that are created within the same account or within different accounts can be called. | All | |
API version comparison | The differences between the current version and an earlier version of an API can be checked. | All | |
Support for Function Compute as a backend service | API Gateway, which is developed based on cloud-native technologies, can communicate with Function Compute, which provides an HTTP trigger over a VPC in simple configuration mode. | All | |
IP address whitelist and blacklist based on the value of the X-Forwarded-For header | An IP address blacklist or whitelist can be configured based on the value of the X-Forwarded-For header. This feature is suitable for scenarios in which API Gateway connects to middleware, such as Web Application Firewall (WAF). | All | |
Support for caching of filter conditions on the APIs page | Filter conditions on the APIs page can be retained to facilitate API management. | All |
2020-07
Feature | Description | Region | References |
Cross-origin header | The cross-origin header origin:app://. is supported. | All | |
Resource tags on the console | Tags can be added to all resources of API Gateway. Resources can be queried by tag, and permissions on resources can be granted by tag. | All | |
Verification of the ownership of domain names by using Domain Name System (DNS) records of the TXT type | A DNS record of the TXT type can be added to verify the ownership of domain names that are bound to API groups. | All | |
Optimized Swagger file import | Global variables can be configured and used to import native Swagger specifications to API Gateway to create APIs. | All |
2020-06
Feature | Description | Region | References |
Increased connection quota for shared instances | Each user of a shared instance can use up to 500 connections. | All | |
Support for default certificates for dedicated instances | Default certificates are supported for dedicated instances to improve user experience on clients that do not support the server name indication (SNI) of an earlier version. | All | |
Addition of the Overview page to the API Gateway console | The Overview page is added to show how to use the API Gateway console, plan API groups, and view API usage. | All |
2020-05
Feature | Description | Region | References |
Support for dedicated instances by Alibaba Finance Cloud | Dedicated instances are supported by Alibaba Finance Cloud. | China East 1 Finance, China East 2 Finance, and China South 1 Finance | |
Optimized API Gateway SDK for Java | API Gateway SDK for Java is optimized. Parameters of the Array type are supported. Content-MD5 and X-Ca-Nonce headers can be not transmitted. | All | |
Access to the ID and IP address of VPCs | The ID and IP address of a VPC can be obtained when users access API Gateway over the VPC. | All | |
Plug-in binding on the API details page | Plug-ins can be bound and managed on the API details page. | All | |
Simultaneous publishing or unpublishing of multiple APIs | Multiple APIs can be published or unpublished at the same time in the API Gateway console. | All |
2020-04
Feature | Description | Region | References |
Support for shared instances by Alibaba Finance Cloud | Shared instances are supported by Alibaba Finance Cloud. | China East 1 Finance, China East 2 Finance, and China South 1 Finance | |
Troubleshooting | The troubleshooting feature is provided to query logs and troubleshoot errors by request ID. | All | |
Log configuration for users of dedicated instances | Users who use dedicated instances can record business information in logs. | All | |
Passing the Host Header parameter | The HOST headers of all APIs in an API group can be passed through to the backend service after you select Pass Host Header. | All | |
Addition of trace logs on the Debug API page | End-to-end logs for debugging can be queried by request ID. | All | |
Query of authorized APIs by API name | Authorized APIs can be queried by API name. | All | |
Support for deployment of dedicated instances in all regions outside the Chinese mainland | Dedicated instances can be deployed in all regions outside the Chinese mainland. | All |