I have a group of microservices built using Spring Boot and each registered to a Eureka instance. I also have a Zuul gateway built which does authentication / authorization layer for external requests coming into my microservices. External consumers are not allowed to consume my microservices directly and must go through Zuul. Let's assume that my microservices takes care of a grouped business domain called "Consumer Banking Channel".
Now, somewhere else in my organization there is another grouped domain called "Customer Relationships", where they have built another Eureka-based microservices network and have also configured Zuul to take care of authentication / authorization.
We want to consume each other's exposed API services and want to take advantage of service discovery to do that. However, we do not want to allow direct access to our microservices for security reasons and only want to allow the other group to access our services through our respective Zuuls.
How can this be accomplished?
One possible way that I thought of is to have a Spring Cloud Sidecar to register the other group's Zuul to our Eureka, but that approach does not really scale as the number of different Eureka networks in the organization grows (if we have 10 Eureka networks in the organization, we end up having to run 9 sidecars for each group, totaling up to 90 JVMs just for sidecar alone).
If we move the authentication / authorization layer down to individual microservices and create a big single Eureka network, that would make a big monolith of Zuul with different departments in the organization clashing on how to configure Zuul optimally, not ideal either.
Related
I am following a course about microservice architecture using spring, covering netflix's eureka.
The clientui serves webpages and calls the 3 microservices when needed.
The config-server serves configuration for the 3 microservices from a git repo.
Of course the 3 microservices are registered as eureka clients.
My questions are :
should the config server and also be registered as an eureka client, or is there no benefit in doing so?
what about the clientui (which is the web entry point) ? can it be registered as an eureka client in order to benefit from load balancing system and if yes, how then should the app be accessed by clients?
About your first question :- Yes you can register config server as eureka client. Benefit of this will be that in terms of service management it will give you a single point of visibility of all the services. Also later if you try to expand your app in terms of distributed architecture and say you implement an api gateway like zuul, it will be easy for you to setup a fallback config server say if one config server goes down requests can be routed to other config server and so on.
About your second question :- Honestly speaking , I didn't understand it very well in first place. I have never seen any ui service registering to eureka so I am not very sure about this. Still if you have more doubts about it , you can let me know like is it a angular ui or is it a http based client or what.
The setup:
I have a set of Spring Boot based microservices that are fronted by Spring Cloud Gateway, meaning every request that comes from UI or external API client first comes to Spring Cloud Gateway and is then forwarded to appropriate microservice.
The routes are configured in Consul, and Spring Cloud Gateway communicates with Consul to get the routes accordingly.
Requirement:
There is a need of some microservices communicating with each other with REST APIs. I would prefer this communication to happen via the Spring Cloud Gateway as well. This will help in reducing multiple services going to Consul for getting other service's details.
This means every service should know Gateway's detail at least. And there can be multiple instances of Gateways as well. How is this dealt with in bigger architectures?
Any example that I look up contains one service using Consul, or Gateway using the consul with one microservice. Couldn't understand how to extrapolate that design to a bigger system.
There is no doubt that API gateway should be the edge server to outside world.We are wondering that should we use API gateway in the communications between the microservices?
You can definitely use API gateway lets say for that matter (netflix -zuul) for inter-service calls, only thing of concern for you would be,
what happens when you start versioning your services, assuming you'll be using eureka as a naming server from which zuul gateway will fetch all registered services, but now in your case zuul will get two instances of your service (version previous and verison next) and ribbon will load balance the requests between the two, this point is already thoughtfully covered in
How to route in between microservices using Spring Cloud & Netflix OSS
Basically if you are familiar with BlueGreen Deployment model, implementing that would be a problem, surely there are proper workarounds for that as in defining/registering some metadata along with your previous and latest versions which would later be picked by ribbon client to route accordingly
i have created two java spring-boot micro services they are
1) producer
2) consumer
and i have used spring eureka server for service registration and discovery . it worked fine . then what is the use of Netflix Zuul.
Let's suppose you have 20 services to which user can interact to, and of course we are not going to expose each and every services publicly because that will be madness (because all services will have different ports and context), so the best approach will be to use an API gateway which will act as single entry point access to our application (developed in micro service pattern) and that is where Zuul comes into picture. Zuul act as a reverse proxy to all your micro-services running behind it and is capable of following
Authentication
Dynamic Routing
Service Migration
Load Shedding
Security
Static Response handling
Active/Active traffic management
You can go through documentation here
If you have enough experience in the domain, you could look at zuul as an API gateway like Apigee. It is very feature rich and touches up on a lot of different concerns like routing, monitoring and most importantly, security. And eureka as a service discovery platform that allows you to load balance (in Linux terms the nginx or haproxy) and fail over between your service instances.
Typically the backend services that perform the server side business operations (i.e. core) are not exposed publicly due to many reasons. They are shielded by some Gateway layer that also serves as reverse-proxy. Netflix Zuul serves as this gateway layer which easily gives you the capabilities as mentioned by #Apollo and here
I am new to spring cloud and going through some examples and material available online to make myself comfortable. However, while reading about ZUUL, some sites configured the routes in ZUUL's application.yml and some other sites mentioned that the requests will be forwarded to the respective microservice and no need to explicitly configure the routes. I was bit confused. For ex, in the below scenario what is the approach, to configure routes or to let zuul route automatically?
Let's say i have few micro services running and all of them along with ZUUL are registered to Eureka.
I have a front end which is running on a different port on the same server and needs to interact with the above micro services.
I also have few other applications (Running entirely on different servers) which need to interact with the above micro services for fetching the data.
TIA..
Did you use Zuul (which know microservices address through Eureka) to forward request between your micro-services ? if it's the case, you are using Server-Side Load Balancing pattern.
If you use a discovery service (Eureka in your case), i think the best approach it's to use Client-Side load balancing pattern for all inter-services requests (inside your system). (you can use Ribbon or RestTemplate for that).
You can use Zuul as a unified front door to your system, which allows a browser, mobile app or other user interface to consume services from multiple hosts without managing cross-origin resource sharing (CORS) and authentication for each one.
For example : a client (mobile app) request for all picture comments. The client dont need to know the Comments-service address. Only proxy address needed and Zuul will forward the request to the right service. You can do this in application.yml/.properties by
zuul.routes.comments.path=/comments/**
zuul.routes.comments.service-id=comments
The request will be GET www.myproxy.mycompany.com/comments. Dont forget the service name in your application.yml/.properties is very important (spring.application.name). It's the service-id in Zuul routes (which the same identifier in Eureka).
For some reason, your system need to request external services (as you mentionned in the 3th note). In this case, your external services are not a discovery client, Zuul can't look for the service-id from Eureka. you use routes as
zuul.routes.currencyprovider.path=/currencies/**
zuul.routes.currencyprovider.url=https://currencies.net/
with this route, all /currencies/** requests from your services THROUGH Zuul will be done.
with this approach you have one door for all your system. This is API Gateway pattern.
Sometimes your system need to aggregate multiple results from different services to response to client request. You can do this in Proxy (Zuul in your case).