When developing backend microservices that sit behind an API Gateway, how do you develop locally, ensuring that client requests to a single endpoint (the API gateway) and request path are routed to the right local service?
The Microsoft eShopOnContainers architecture example uses Envoy as a local API Gateway (it used to be Ocelot), but how would you then deploy a stack like this to the cloud, keeping your local and cloud API Gateways in sync with the right request routing, resource descriptions, etc.? Do you essentially need to manage two API gateway configurations?
I'm aware of SAM and sam local start-api but I'm referring to other backend services that aren't serverless, e.g. using VpcLink.
We are using Cognito for authentication and authorization for our microservices deployed in EC2. We are currently using an ALB in front of EC2, which is connected to Route 53 and then connected with API Gateway. Indeed, we knew this is not a good way of using both services, but we were using it in a hurry. Now we have time to correct this.
What we want to do:
Use Cognito for authorization and authentication for our microservices deployed in EC2
Use auto scaling in case of high traffic
Map some of the exposed APIs with our custom domain URL.
Any security-related practices for both internal and external calls that we should take care of!
I will be really grateful for help from all the techies out there!
Thanks!
We are deploying a kind of microservices developed in .NET Core, which will be deployed in Azure WebApp.
There will be numerous communications between these WebApps.
Now, as WebApp is internet-facing, all calls between them will go through the internet, which will have an impact on performance.
Apart from ASE (App Service Environment), is there any way we can achieve this?
Yes, you can do that with Access Restriction:
az webapp config access-restriction add --resource-group ResourceGroup --name AppName \
--rule-name 'IP example rule' --action Allow --ip-address 122.133.144.0/24 --priority 100
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-access-restriction-rules-in-the-portal
ps. AKS would probably be a better option for microservices ;)
There are two ways to have communication over a private IP between two web apps.
Configure regional VNet integration on either or both web apps.
Think of having Azure Application Gateway in front of web app one and configuring access restriction to allow access only from the Application Gateway subnet.
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#set-a-service-endpoint-based-rule
Some other use cases
Use Service Fabric if you don't want to expose the web application to the internet.
You can also think of putting both applications as backends to API Management.
https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-internal-vnet?tabs=stv2#routing
Whenever you have Application Gateway enabled, App Gateway acts as an interceptor and forwards the traffic; hence both of your web apps can communicate over a private IP.
I have some applications which have a UI embedded in a Django or RoR app. These applications do not have an API but are monolithic web applications which have the UI and backend in a single module.
All the examples I have seen talk about using an API gateway for HTTP APIs. Does it add any value to put such a Django or RoR app behind an API gateway?
I am using Kong as an API gateway. Not sure if Kong even works with such apps. The documentation in Kong only talks about configuring services which are pure APIs.
If I do not put these applications behind the API gateway, then I end up creating a mixed approach where some applications are behind the API gateway and some are not. I definitely want to avoid this situation. This makes the whole configuration complex.
Any suggestions will be helpful.
There is nothing wrong with monolithic applications behind a gateway, and it seems to be a recommended way.
You would benefit from Kong, as it provides different plugins, like Traffic Control or IP Restriction. Also, you would have your configurations in a single place. So there are no reasons not to use a gateway.
I do not know how your applications are exposed now, but when you put them behind Kong (or a proxy), one thing you will probably have to look at is the client's request IP: https://discuss.konghq.com/t/how-to-forward-clients-request-ip/384
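The client-IP point raised in that answer is where a monolith behind Kong most often goes wrong: the app must take the address from X-Forwarded-For only as far as it trusts the proxies that wrote it. The following is an added example, not code from the post or from Kong; the TRUSTED_PROXIES networks, the middleware name and the request.client_ip attribute are assumptions for illustration.

```python
"""Resolve the real client IP in a Django app behind Kong.

Kong, like any reverse proxy, appends the address it accepted the connection
from to X-Forwarded-For, so the app sees REMOTE_ADDR = Kong. Taking the leftmost
X-Forwarded-For value is unsafe: a client can send that header itself and spoof
any address. Walk the chain from the right and strip only proxies we control.
Example code, not from the original post.
"""
import ipaddress

# Assumption: Kong reaches the app from these networks; replace with the
# subnet(s) your Kong nodes actually use.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]

def is_trusted_proxy(addr):
    """True when addr is an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # empty or malformed hop: never trusted
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(meta):
    """Client address from a WSGI environ / Django request.META.

    The rightmost hop not owned by a trusted proxy is the real client; anything
    to its left was supplied by the client and is ignored.
    """
    remote = meta.get("REMOTE_ADDR", "")
    if not is_trusted_proxy(remote):
        return remote  # direct connection: the header was not written by Kong
    header = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return hops[0] if hops else remote  # only trusted hops seen: fall back

class ClientIpMiddleware:
    """Django middleware (add to settings.MIDDLEWARE) exposing request.client_ip."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        request.client_ip = client_ip(request.META)
        return self.get_response(request)
```

If the Django app is reachable directly as well as through Kong, block that path at the network level; otherwise the header logic above is the only thing standing between a spoofed address and your IP-based plugins or audit logs.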
I'm new to Lambda... Assuming I have an API Gateway that invokes my Lambda function (Node.js) upon some HTTPS POST request from the web, how do I perform SSL peer authentication of the original HTTP client?
For example, let's say some server on the internet performs an HTTP POST to my API Gateway, which in turn invokes my Lambda. I want my Lambda to allow requests only from a client whose SSL certificate is associated with a specific domain.
Thanks!
Lambda does not deal with SSL certificates. API Gateway does.
Also, API Gateway does not provide you with HTTP endpoints, only HTTPS.
From the FAQ:
Q: Can I create HTTPS endpoints?
Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.
To set up your specific domain, see the following link:
Set up Custom Domain Name for API Host Name
The Lambda authorizer is passed the cert data from the request.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-input.html
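To show what "passed the cert data" looks like in practice, here is an added example of a REQUEST-type Lambda authorizer that pins the caller to one certificate subject. It is not code from the post or from the linked AWS page, it is written in Python rather than the asker's Node.js, and it assumes the REST API is served from a custom domain with mutual TLS enabled (that is what puts requestContext.identity.clientCert into the authorizer input); ALLOWED_CN and SAMPLE_EVENT are constructed values.

```python
"""REQUEST-type Lambda authorizer that allows a caller only when the client
certificate API Gateway already validated under mutual TLS has the expected CN.
Example code, not from the original post or the linked AWS documentation.
Assumption: the REST API uses a custom domain with mutual TLS enabled, so the
authorizer input carries requestContext.identity.clientCert."""

# Assumption: the domain the asker wants to restrict callers to.
ALLOWED_CN = "partner.example.com"

# Constructed sample of the authorizer input (account id and API id are placeholders).
SAMPLE_EVENT = {
    "methodArn": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/POST/hook",
    "requestContext": {"identity": {"clientCert": {
        "subjectDN": "CN=partner.example.com,O=Partner Inc,C=US",
        "issuerDN": "CN=Partner Root CA,O=Partner Inc,C=US",
        "serialNumber": "01",
    }}},
}

def parse_dn(dn):
    """Split an RFC 4514 style DN ('CN=a,O=b') into an attribute dict.
    Escaped commas inside values are not handled here."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip()
    return attrs

def cert_is_acceptable(client_cert):
    """Chain validation against the truststore is API Gateway's job and happened
    before this code ran; here we only pin the identity. No cert means the
    request did not pass mutual TLS at all."""
    if not client_cert:
        return False
    return parse_dn(client_cert.get("subjectDN", "")).get("CN") == ALLOWED_CN

def build_policy(effect, method_arn, principal_id):
    """IAM policy in the shape API Gateway expects back from an authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def lambda_handler(event, context=None):
    cert = event.get("requestContext", {}).get("identity", {}).get("clientCert")
    if cert_is_acceptable(cert):
        return build_policy("Allow", event["methodArn"], ALLOWED_CN)
    return build_policy("Deny", event["methodArn"], "anonymous")
```

Keep the default execute-api endpoint disabled when you rely on this, since a request that reaches the API through that hostname never goes through the custom domain's mutual TLS and arrives with no clientCert at all, which the code above treats as a Deny.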
I'm building a small web application for a personal project. It will be an Angular web application which will talk to a Spring-Boot service layer which in turn will read/write stuff to MongoDb.
I hope to host all this on a single EC2 instance in AWS. My question is how to configure a web server (like Apache, but it doesn't have to be) to 'beautify' the URLs a bit. For example, without touching anything, Angular will run at something like host:4200 and the service layer at host:8080. I will then have to map a proper domain to the host in AWS, but the hiding of ports etc. is where it gets murky for me.
I want to be able to hit my web app at domain.com (no ports etc) and I also want my service layer to ideally have a similar setup e.g. domain.com/service (no ports etc).
How do I configure a webservice to do this for me? Examples or pointers to specific examples would be ideal, but even a pointer to the right documentation will be helpful.
This thread is kind of similar to what I want but not too helpful: How to deploy Spring framework backend and Angular 2 frontend application in any online server?
You can use a setup with AWS CloudFront as a reverse proxy and CDN cache. You can map the domain name and SSL certificates (you can use free SSL certificates issued through AWS Certificate Manager) to CloudFront, while the EC2 instance is plugged in as an origin behind CloudFront, as shown in the following diagram.
In the diagram I have optionally added the following, which is a common practice in designing applications in AWS:
Hosting the Angular app in S3
Using Auto Scaling and load balancing for EC2 instances.
You need to use Apache or other web server as a reverse proxy. Start here -
https://devops.profitbricks.com/tutorials/configure-apache-as-a-reverse-proxy-using-mod_proxy-on-ubuntu/
You then will need to set up a custom domain name. The easiest option is to just use an ELB (now called Classic Load Balancer). More details are here -
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-domain-names-with-elb.html
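As an added example of the reverse-proxy layout the answer points to (not configuration from the answer or the linked tutorial), this Apache 2.4 virtual host maps domain.com/ to the Angular dev server on port 4200 and domain.com/service to Spring Boot on port 8080, both on the loopback interface so neither port needs to be open in the instance's security group. The file path, the /service context path on the Spring side, and the use of plain HTTP on port 80 (TLS terminated here or at the ELB) are assumptions.

```apache
# Assumed path: /etc/apache2/sites-available/domain.conf (Debian/Ubuntu layout)
# Needs: a2enmod proxy proxy_http headers
<VirtualHost *:80>
    ServerName domain.com

    # Never behave as an open forward proxy; only the explicit routes below apply.
    ProxyRequests Off
    # Keep the original Host header so the backends build correct absolute URLs.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "http"

    # Longest prefix first. Assumes the Spring app serves under /service
    # (server.servlet.context-path=/service); otherwise proxy to .../ to strip it.
    ProxyPass        "/service" "http://127.0.0.1:8080/service"
    ProxyPassReverse "/service" "http://127.0.0.1:8080/service"

    # Everything else is the Angular app; 4200 is only reachable via this proxy.
    ProxyPass        "/" "http://127.0.0.1:4200/"
    ProxyPassReverse "/" "http://127.0.0.1:4200/"
</VirtualHost>
```

Bind the Angular and Spring processes to 127.0.0.1 rather than 0.0.0.0, and allow only 80/443 inbound on the security group, so the unprotected ports cannot be reached by skipping the proxy.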