API gateway for microservices environments - the NGINX way
microservicesparis
30-Nov-2017 Liam Crilly
@liamcrilly
We empower creators of the new digital world
#1 for the busiest sites
The busiest sites choose NGINX
Source: W3Techs Web server ranking 20-Nov-2017
Innovators powered by NGINX
• NGINX v0.1 published in 2004
• NGINX, Inc. founded in 2011
• NGINX Plus released in 2013
• Offices in San Francisco, Cambridge, Cork, Moscow and Singapore
• 300M+ websites
• 1,200+ commercial customers
• 180+ employees across engineering, support, sales and marketing
Our Products
NGINX Plus
The only all-in-one load balancer, web server, application firewall and content cache.
Simplify your architecture while reducing costs.
NGINX Controller
Centralized monitoring and management for NGINX Plus. Deploy and automate virtual load balancers with a beautiful interface and API.
NGINX Unit
The new, open source application server from NGINX, Inc. Lightweight, with multi-language support and an API-driven configuration.
NGINX
Industry-defining, open source web server, reverse proxy and web accelerator
NGINX Amplify
NGINX Monitoring Made Easy: out-of-the-box graphs for NGINX and OS metrics, static analyzer and automated alerts
Microservices
If beer was a web app…
Monoliths are complex
• Tightly coupled to the underlying infrastructure
• Nobody knows how it all works
• Hard to maintain
• Impossible to debug
Microservices are minimal
• Easily separated from underlying infrastructure
• Independently managed
• Easily replaced/replenished
• Consistent interface
Photos:
http://www.thedieline.com/blog/2017/1/26/a-fresh-look-at-craft-beer-cans
https://www.threadless.com/product/3314/ring_pull
Microservices do one thing
• One function
• Easy to test
• Easy to scale
Photo: http://www.thedieline.com/blog/2017/1/26/a-fresh-look-at-craft-beer-cans
Microservices do one thing
• Avoid duplicating functionality
  ◦ Crypto
  ◦ Authentication
  ◦ Access Control
  ◦ Analytics
Microservices do one thing
• Microservice?
• Miniservice?
• Mini-monolith?
But singular services can go bad
So deploy with redundancy
• Plan for failure
• At least 2 per service
• Scale independently
• Scale on demand
Photo: https://twitter.com/clinkbeer/status/812324082809180161
Choose complexity carefully
Diagram: Proxy Model; Fabric Model (Service Mesh)
The Goldilocks principle
Chart: suitability (low to high) against complexity: too simple, “just right”, too complex
Router Mesh Architecture
Diagram: Secure Proxy; API Gateway
Separation of duties
Secure proxy
• North-South traffic
• TLS termination
• Client authentication
• Centralized logging for all client-initiated requests
• Request tracing injection
API gateway
• East-West and N-S traffic
• API routing
• Fine-grained access control
• Rate limiting
• Propagate request ID
Everyone needs an API gateway!
API Management products look a lot like monoliths
Docker: #1 stars, #1 pulls
API gateway functions
Things you need
• Fast proxying
• API routing
• Overload protection
• Authentication of clients
• TLS support (termination or end-to-end encryption)
Things you don’t need
• Digital strategy alignment
• API design tools
• Monetization metrics
• Business value measures
• Developer portals
API routing
(URI mapping)
# conf.d/routing_map.conf
# Maps the request URI to the name of the upstream group that serves it.
# The leading ~ marks a regular expression; without it a map entry is a
# literal string match. URIs that match nothing leave $upstream_api empty.
map $request_uri $upstream_api {
    # Pricing API
    "~^/api/prices/.*$"     pricing_api;
    "~^/v1/pricing/.*$"     pricing_api;
    "~^/item/.*/price/.*$"  pricing_api;
    # Partcodes API
    "~^/api/partcodes/.*$"  partcodes_api;
    "~^/v1/partno/.*$"      partcodes_api;
    "~^/item/.*/sku/.*$"    partcodes_api;
    # More APIs
    # ...
}
API routing
Overload protection
# conf.d/api_gateway.conf
# Zones "clientip" (limit_conn_zone) and "10persec" (limit_req_zone) are
# declared in the http context, and "resolve" needs a resolver directive
# there as well (not shown on the slide).
upstream pricing_api {
    server 172.16.0.1:80 max_conns=500;   # cap in-flight connections per instance
    server 172.16.0.2:80 max_conns=500;
}
upstream partcodes_api {
    server partcodes.app.example.com resolve;   # re-resolve DNS as instances change
}
server {
    listen 80;
    location / {
        proxy_pass http://$upstream_api;   # group chosen by routing_map.conf
        limit_conn clientip 20;            # max concurrent connections per client
        limit_req zone=10persec;           # per-client request rate
    }
}
Authentication
(API keys)
# conf.d/apikeys_map.conf
# The "apikey" request header selects a client name; unknown or missing
# keys leave $client_name empty (the map default).
map $http_apikey $client_name {
    rL0Y20zC-Fzt72VPzMSk2A client_foo;
    N7UdGUp1E-RbVvZSTy1R8g client_bar;
    c_7_pLf2u2jkTPmEyF9uiA client_baz;
    OiHNcxfhRFvomZn11_YqUw client_pub;
    # ...
}
Authentication
(API keys)
# conf.d/api_gateway.conf
# [upstreams here]
server {
    listen 80;
    location / {
        if ($client_name = "") {
            return 401;   # no valid API key presented
        }
        proxy_pass http://$upstream_api;
        proxy_set_header API-Client $client_name;   # tell the service who is calling
        limit_conn clientip 20;
        limit_req zone=10persec;
    }
}
Authentication
(JSON Web Token)
# conf.d/api_gateway.conf
# [upstreams here]
server {
    listen 80;
    auth_jwt "private API";       # validate a JWT on every request (auth_jwt module)
    auth_jwt_key_file jwk.json;   # JSON Web Key set used to verify signatures
    location / {
        proxy_pass http://$upstream_api;
        proxy_set_header APIclient $jwt_claim_sub;   # pass the verified subject claim upstream
        limit_conn clientip 20;
        limit_req zone=10persec;
    }
}
Request tracing
# conf.d/api_gateway.conf
# [upstreams here]
server {
    listen 80;
    location / {
        proxy_pass http://$upstream_api;
        proxy_set_header RequestID $http_requestid;   # propagate the ID set by the secure proxy
    }
}
# Secure Proxy
# proxy_pass is only valid inside a location block; "api_gateway" must be
# an upstream group (or a resolvable host name).
server {
    listen 443 ssl;
    # ssl_* TLS configuration
    location / {
        proxy_set_header RequestID $request_id;   # mint a fresh ID for each client request
        proxy_pass http://api_gateway;
    }
}
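Assembled as an added example (not a slide from the deck), this single nginx.conf chains the secure proxy in front of the API gateway described under Separation of duties and Request tracing: the proxy terminates TLS, mints $request_id and forwards the real client address, while the gateway checks the API key, propagates the same RequestID and applies the per-client limits, and both log the ID so north-south and east-west entries can be correlated. Ports, zone sizes, the rate, the resolver address, certificate and log paths are assumptions.

```nginx
http {
    # One log format for both tiers; rid= lets a log pipeline join the two entries
    log_format traced '$remote_addr "$request" $status '
                      'rid=$http_requestid client=$client_name '
                      'upstream=$upstream_api';
    # Zones referenced by limit_conn / limit_req on the gateway slides (sizes, rate assumed)
    limit_conn_zone $binary_remote_addr zone=clientip:10m;
    limit_req_zone  $binary_remote_addr zone=10persec:10m rate=10r/s;
    resolver 127.0.0.11 valid=30s;   # assumed address; required by "resolve" below
    include conf.d/routing_map.conf;  # $request_uri -> $upstream_api
    include conf.d/apikeys_map.conf;  # $http_apikey  -> $client_name

    upstream api_gateway { server 127.0.0.1:8080; }
    upstream pricing_api {
        server 172.16.0.1:80 max_conns=500;
        server 172.16.0.2:80 max_conns=500;
    }
    upstream partcodes_api { server partcodes.app.example.com resolve; }

    # Secure proxy: TLS termination, request ID, central log of client traffic
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/tls/gateway.crt;   # assumed paths
        ssl_certificate_key /etc/nginx/tls/gateway.key;
        access_log /var/log/nginx/north-south.log traced;
        location / {
            proxy_set_header RequestID $request_id;   # always overwritten, never taken from the client
            proxy_set_header X-Real-IP $remote_addr;  # so the gateway can limit per real client
            proxy_pass http://api_gateway;
        }
    }

    # API gateway: loopback only, so RequestID and X-Real-IP come from the proxy alone
    server {
        listen 127.0.0.1:8080;
        set_real_ip_from 127.0.0.1;   # without this every request shares the proxy's
        real_ip_header X-Real-IP;     # address and the limits become one global bucket
        access_log /var/log/nginx/api-gateway.log traced;
        location / {
            if ($client_name = "") { return 401; }   # unknown or missing API key
            if ($upstream_api = "") { return 404; }  # URI matched no API in routing_map.conf
            proxy_set_header RequestID $http_requestid;
            proxy_set_header API-Client $client_name;
            limit_conn clientip 20;
            limit_req  zone=10persec;
            proxy_pass http://$upstream_api;
        }
    }
}
```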
If beer was a web app…