This document describes how to migrate an original API Gateway instance to a cloud-native API Gateway to ensure service continuity.
1. Overview
The cloud-native API Gateway is our primary, actively developed product. If you use the original API Gateway, you can choose to migrate your services to the cloud-native API Gateway. After you configure the API metadata in the cloud-native API Gateway, you can gradually migrate your service traffic from the original API Gateway by changing your domain name resolution settings.
Conceptual differences between the two gateways
To align with the OpenAPI Specification (OAS) standard, the original API Gateway and the cloud-native API Gateway have an important conceptual difference. You must understand this difference during the migration process:
An API group in the original API Gateway corresponds to an API in the cloud-native API Gateway.
An API in the original API Gateway corresponds to an operation in the cloud-native API Gateway.
Scenarios where migration is not recommended
We do not currently recommend migration in the following scenarios:
Shared instance (Serverless) users: The cost for shared instances is currently low. If you migrate to the cloud-native API Gateway, you must purchase an instance for production. This incurs instance fees and increases your costs.
Alibaba Cloud Marketplace or DataWorks users: The cloud-native API Gateway is not yet integrated with Alibaba Cloud Marketplace or DataWorks. We do not recommend migration for these users at this time.
2. Overall migration flow
3. Migration procedure
3.1. Purchase a cloud-native instance
When you purchase a cloud-native API Gateway instance, note the following two points:
The instance type limits for the original API Gateway and the cloud-native API Gateway are different. Re-evaluate your service capacity based on the specifications of the cloud-native API Gateway instance. For more information about capacity, see Capacity description.
When you create the instance, select the virtual private cloud (VPC) where your backend service is located. If you do not, service access will fail because the VPCs cannot communicate.
3.2. Configure API metadata
3.2.1. Configure domain names and certificates
After you create a cloud-native API Gateway instance, you must first configure the service domain name and its corresponding certificate on the instance. For more information, see the following documents:
Change the protocol and certificate of a domain name
The cloud-native API Gateway provides more flexible configuration for Secure Sockets Layer (SSL) encryption. You can configure equivalent settings in the cloud-native API Gateway based on the TLS version and cipher suite in the HTTPS security policy of the original API Gateway group:
Log on to the original API Gateway console.
In the navigation pane on the left, click API Management > Group Management. Click the group name to go to the group details page and find the HTTPS security policy type.
For details about the corresponding TLS version and cipher suite, see HTTPS security policies.
Configure the equivalent settings in the cloud-native API Gateway. For more information, see Set a specific HTTPS cipher suite.
Note:
The cloud-native API Gateway does not have the concept of environments. Domain names can only be attached to instances. The environment attachment feature of the original API Gateway does not have an equivalent in the cloud-native API Gateway.
The cloud-native API Gateway does not currently support features such as OCSP or ssl_client_s_dn pass-through. If you use these two features, we do not recommend migration at this time.
The cloud-native API Gateway does not currently support domain name parameters based on wildcard domain names. If you use domain name parameters, we do not recommend migration at this time.
3.2.2. Import API definitions
Both the original API Gateway and the cloud-native API Gateway support the standard OAS protocol. You can export the API definitions from the original API Gateway to an API definition file in the OAS protocol, and then import the file into the cloud-native API Gateway.
Export the API definitions of an entire group from the original API Gateway. For more information, see Export standard OAS definitions.
Log on to the API Gateway console.
In the navigation pane on the left, choose API Management > Group Management.
On the Group List page, select the target API group. In the Actions column, click Export API Definition.
In the Export API Definition dialog box, specify the data format for the export.
You must export the API definitions in the OAS 3.0 protocol. Do not select API Gateway extension definition. Export the online API definitions directly.
Import the API definition file that you exported from the original API Gateway into the cloud-native API Gateway.
Log on to the cloud-native API Gateway console. In the navigation pane on the left, choose APIs, and select a region in the top menu bar.
Click Create API. In the REST API section, click Import and upload the API definition file that you exported in the previous step.
Key points:
The cloud-native API Gateway does not support parameter-level verification. Parameter verification settings configured in the original API Gateway become invalid after migration.
The cloud-native API Gateway requires the request/response transformation plugin to implement parameter mapping.
The cloud-native API Gateway does not currently have an anti-replay feature. If you require this feature, we do not recommend migration at this time.
3.2.3. Configure backend services
Next, configure the backend services in the instance. The backend services supported by the original API Gateway and the cloud-native API Gateway are slightly different:
Original API Gateway | Cloud-native API Gateway |
VPC authorization (HTTP/HTTPS) | Supported (Fixed address/DNS domain name) |
Internet address (HTTP/HTTPS) | Supported (Fixed address/DNS domain name, requires NAT) |
Function Compute | Support |
EventBridge | Not supported |
Nacos/Zookeeper | Supported |
Mock | Supported |
DataWorks/Dataphin/DMS | Not supported |
OSS | Not supported |
For common backend services, such as ECS and CLB, you can create a fixed-address service in the cloud-native API Gateway:
Log on to the cloud-native API Gateway console.
In the navigation pane on the left, choose Instances, and select a region in the top menu bar.
On the Instances page, click the ID of the target gateway instance.
In the navigation pane on the left, choose Services, and click Create Service. In the Create Service panel, set Service Source to Fixed Address, configure the related parameters, and then click OK.
Note:
The cloud-native API Gateway communicates with backend services through your Elastic Network Interface (ENI). When you add addresses to a whitelist, use the CIDR block of the instance's vSwitch. To find the CIDR block, go to the instance details page, find the vSwitch connection, and click it to find the corresponding CIDR block.
If the backend service is on the Internet, the VPC used by the cloud-native API Gateway instance must have an Internet NAT gateway to access the Internet. Test this thoroughly before migration.
If your backend services are deployed in multiple VPCs, you must use CEN or PrivateLink to establish network connectivity before you can migrate.
3.2.4. Publish APIs
After you complete the preceding configurations, you can publish the API to the instance that you just purchased for testing. The publishing logic of the cloud-native API Gateway is significantly different from that of the original API Gateway.
Publishing in the original API Gateway:
An API group is bound to a specific instance. You cannot select the instance during publishing. The API is published to the instance of its group by default.
The backend service for the API is pre-configured. You do not need to specify it each time you publish.
The request domain name is configured on the group and cannot be modified during publishing.
You must specify an environment for each publication. You can only publish to one environment at a time.
You can only publish a single API from a group at a time.
Publishing in the cloud-native API Gateway:
When you publish an API, you must select the instance that will host it. The published content takes effect only on the selected instance. An API can be published to multiple instances.
You must specify the backend service each time you publish an API. You can change the backend service during publishing.
You must select the request domain name each time you publish. If multiple domain names provide the service, you must select all of them during publishing.
There is no concept of environments. Instances are generally used to differentiate environments.
All operations under an API are published at once. You cannot publish a single operation.
3.2.5. Configure plugins
After an API is published to an instance, you can configure policies for the API or its operations. The policies supported by the cloud-native API Gateway and the plugins supported by the original API Gateway are significantly different. The following table lists the main differences for your reference.
Original API Gateway | Corresponding cloud-native API Gateway policy/plugin |
Third-party authorization plugin | External authentication plugin Note for the cloud-native gateway external authentication plugin:
|
JWT plugin | JWT plugin Note for the cloud-native gateway JWT authentication plugin:
|
BasicAuth plugin | Basic authentication |
Backend signing plugin | Not currently supported by the cloud-native API Gateway |
Throttling plugin - Basic throttling | Throttling policy
|
Throttling plugin - Parameter-based throttling | Key-based cluster throttling |
IP access control plugin | IP restriction |
Parameter access control plugin | Parameter access control |
Cross-domain resource access plugin | Cross-origin resource sharing |
Caching plugin | General response caching |
Backend routing plugin | Services in the cloud-native API Gateway natively support routing based on matching conditions and also support grayscale routing. |
Error code mapping plugin | Custom response plugin: |
Circuit breaker plugin | Circuit breaking policy: |
Log desensitization plugin | Not currently supported by the cloud-native API Gateway |
Request/Response rewriting plugin | Request/Response transformation |
For more information about plugins for the original API Gateway, see Plugin overview.
For more information about plugins for the cloud-native API Gateway, see Plugin marketplace.
3.2.6. Configure application authorization information
Application (APP) migration
The concept of an "application" in the original API Gateway is called a "consumer" in the cloud-native API Gateway. Their capabilities are equivalent, and you can smoothly migrate this feature. For more information about managing consumers in the cloud-native API Gateway, see Manage consumers.
Important:
The API key of a consumer in the cloud-native API Gateway is the same as the AppCode of an application in the original API Gateway. You can choose to generate a custom API key to migrate the AppCode from the original application.
The AccessKey (AK) within the Hash-based Message Authentication Code (HMAC) of a consumer in the cloud-native API Gateway is the same as the AK of an application in the original API Gateway. You can choose to generate a custom AK to migrate the AK from the original application.
Authorization relationship migration
Consumer authorization in the cloud-native API Gateway is based on operations, which is consistent with the original API Gateway. You can configure authorization relationships for specific API operations on the API operations page of the cloud-native API Gateway. You can also grant batch authorization for API operations to a consumer on the consumer page.
4. Function verification
After you configure all the API metadata, you can begin functional verification. Because the official domain name is currently in production on the original API Gateway, you have two options for testing:
Configure a test domain name on the cloud-native API Gateway and create a CNAME record that maps the test domain name to the instance's endpoint for testing.
Modify the host configuration of your test machine to use the original production domain name for testing.
After you resolve the endpoint issue, you need to perform system integration. The cloud-native API Gateway provides software development kits (SDKs) for download. You can download sample code for calling all operations under an API directly from the API details page.
5. Grayscale migration of production services
After you perform strict functional verification, you can gradually migrate your services from the original API Gateway to the cloud-native API Gateway. You must use a grayscale plan for the entire migration process. The migration should be performed slowly so that you can roll back all services to the original API Gateway at any time if you encounter problems. We recommend that you gradually migrate production services to the cloud-native API Gateway by changing the resolution weight of your production domain name. For more information, see Configure weights.
On the instance's Basic Information page, find the endpoint of the cloud-native API Gateway instance.
Create a CNAME record that maps your production domain name to the endpoint of the cloud-native API Gateway instance. We recommend that you start with a weight of 1 and then gradually increase it.
You must control the initial weight of the new CNAME record. We strongly recommend that you keep the weight below 1% and monitor for at least 24 hours before you increase the traffic weight.
Service monitoring
You can view the operational status of your services in the Observation & Analysis module of the instance. For more information, see View gateway monitoring data. If there are no abnormalities during service monitoring, you can continue to gradually increase the traffic weight.
Rollback
If you find an abnormality during the grayscale migration, immediately delete the CNAME record for the cloud-native API Gateway endpoint that you added to your production domain name. This rolls back your services. After you resolve the issue, you can resume the migration.