Microservices architecture lets you build an application as a collection of loosely coupled services, each implementing a
business capability.
Continuous delivery/deployment of large, complex applications becomes possible with microservices.
This is more advantageous than a monolithic application, where the database, client and server application are built as a single unit.
A microservice architecture handles the failure of a single service well, whereas in a monolithic application the whole application goes down.
What is an API?
An Application Programming Interface (API) is a business capability delivered over the internet to internal or external consumers.
A Web API is a software interface presented over the HTTP protocol that facilitates the development of mobile, Web
and cloud applications.
In simple terms, you can imagine an API as a messenger that takes your request, tells the system what you want to
do and returns the response back to you.
It is available over standard web protocols with a well-defined interface and is accessible by third parties.
Now let us relate this to our microservices. An application needs a lot of information to run, and each piece of information is taken care of by a
separate microservice.
Now the question is how a client would fetch the information from all these services.
A client device can be a desktop or a mobile device. In theory, a client can send a request to each service
individually. Let us see the drawbacks of such a design.
If There is No Gateway?
An application might use 'n' number of services, and a single client making that many calls is quite difficult.
Each service might use a different protocol which might not be web-friendly.
Ideally, an application should use HTTP and WebSocket protocols.
It is hard to merge or split a service in this design.
How to overcome these issues? Yes, you guessed it right. Use an API Gateway.
Using API Gateway
An API Gateway is a server that is the single entry point into the system for all clients.
It can route the request to one or many services, depending on the request.
It is capable of exposing a client to different APIs based on the devices.
It also helps in implementing security.
Client-side Discovery
Service discovery solves the problem of how microservices talk to each other, i.e. perform API calls.
In a monolithic application, services are invoked by procedure or function calls.
But in Microservice architecture the service location changes dynamically.
To overcome this, you can make use of client-side discovery pattern.
It makes use of a service registry, which acts as an index of all the services and their locations.
To invoke a service, a client or the gateway queries the service registry and finds the required service.
Server-side Discovery
For the same scenario as in the last card, an alternative solution is server-side discovery.
Here instead of querying the service registry, clients make the request to a router (load balancer/gateway).
This, in turn, queries the service registry and invokes the appropriate service.
Even though this requires an extra component, the client code is simple and only involves making a request to the router.
You know that an application depends on several services. The question is how to keep track of all these services?
Without a gateway, client devices and services cannot decide where to look for another service.
A gateway with client-side or server-side discovery implemented helps decide the service location, i.e. its IP address, port
and even its version.
Circuit Breaker
One microservice might depend on another service.
If the called service is down, this might result in high latency, make the application unusable and exhaust the available
resources.
When the number of failures crosses a threshold, the circuit breaker trips and starts a timeout.
After the timeout, only a limited number of requests are passed to the service; if they succeed, normal operation is resumed, else the timeout
continues.
Suppose a service calls service 'A' and A goes down. The system waits for A to respond and, after a timeout period, sends an error message that the service is down.
But within that time limit, new requests queue up.
When service 'A' resumes, all the requests in the queue hit it at once, causing it to fail again.
The gateway has a threshold time for which a service can be down, after which the gateway itself returns an error message stating that the
service is down.
This avoids the request queueing, since there is no timeout to wait for.
In the background the gateway tries to ping the service, and when it is up, normal operation resumes.
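The trip/timeout/trial-call behaviour described above, as an added example that is not part of the course notes. The threshold, timeout and the two stand-in dependency functions are constructed for the demo.

```python
import time

# Added example (not from the course notes): a minimal circuit breaker around
# calls to a dependency ("service A"). CLOSED: calls flow. OPEN: calls fail
# fast until the reset timeout expires, so nothing queues while A is down.
# HALF_OPEN: a limited number of trial calls are let through to probe A.

class CircuitBreaker:
    def __init__(self, failure_threshold=3, reset_timeout=30.0,
                 trial_calls=1, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout   # seconds the circuit stays open
        self.trial_calls = trial_calls       # probes allowed while half-open
        self.clock = clock                   # injectable for deterministic tests
        self.state = "CLOSED"
        self.failures = 0
        self.opened_at = 0.0
        self.trials_left = 0

    def call(self, fn):
        """Invoke fn() through the breaker; returns (ok, result_or_message)."""
        now = self.clock()
        if self.state == "OPEN":
            if now - self.opened_at < self.reset_timeout:
                return False, "circuit open: service unavailable"
            self.state, self.trials_left = "HALF_OPEN", self.trial_calls
        if self.state == "HALF_OPEN":
            if self.trials_left <= 0:
                return False, "circuit half-open: trial calls exhausted"
            self.trials_left -= 1
        try:
            result = fn()
        except Exception as exc:
            self._record_failure(now)
            return False, f"call failed: {exc}"
        self.state, self.failures = "CLOSED", 0   # success: normal operation
        return True, result

    def _record_failure(self, now):
        self.failures += 1
        if self.state == "HALF_OPEN" or self.failures >= self.failure_threshold:
            self.state, self.opened_at, self.failures = "OPEN", now, 0

# Constructed stand-ins for a healthy and a failing dependency.
def healthy_call():
    return {"price": 42}

def failing_call():
    raise RuntimeError("service A down")
```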
_____ doesn't add anything new, it just re-exposes the existing API with some additional capabilities –API Gateways
An API call will be received by the gateway and will route it to the appropriate microservice.—true
_____ doesn't add anything new, it just re-exposes the existing API with some additional capabilities.—API proxy
API Publisher
An API Publisher is a Web application with a structured GUI.
It is designed for API publishers (developers) and managers.
This involves API development and API management.
The lifecycle activities of a typical API developer/manager are
i) Develop
ii) Publish
iii) Manage
iv) Monitor
API management covers the lifecycle, versions, access policies, keys and monitoring of an API.
API Store
The API Store is a Web application where the publisher hosts the APIs.
Consumers can register and subscribe to the APIs here.
Before your application can access an API, it must be registered in the store.
An application can subscribe to any number of APIs.
The lifecycle activities of an API consumer are:
i) Find
ii) Explore
iii) Subscribe
iv) Evaluate
Key Management
This governs access and token related operations.
The gateway connects to key management to validate API subscriptions, OAuth tokens and API invocations.
The communication between the gateway and key management happens through a web service call or a thrift call.
Thrift is a communication protocol faster than HTTP and SOAP.
Caching
When an application subscribes, a token is created by key management.
Then, while an API is invoked, the gateway validates the token using key management.
You can avoid the gateway making frequent calls to key management by using caching.
Information such as the token, API name and version is cached and stored in either the API Gateway or the key manager
server.
This improves the latency of requests to your API.
Traffic Management
This helps regulate the API traffic.
It secures the organization from attacks such as DoS.
It enforces rate limiting policies.
It makes applications and APIs available to consumers at different service levels.
The gateway manages traffic with the help of throttling and role-specific rate limiting policies, which will be discussed
later.
Analytics
This helps in monitoring the API and Application.
Statistical graphs
Alerting mechanism on pre-determined events
Log analyzer
Alerts on unusual activities
So far you have had a brief overview of the API gateway and its components. Now let us discuss the key features of the API
gateway in detail in the following cards.
Which of the following is not a function of analytics?--enforce rate limiting policy
The communication between the gateway and key management happens through a _____ call.—Thrift
To avoid the gateway from making calls to key management frequently use Caching.—True
HTTP Routing
The gateway and the microservices register themselves in a registry when they are launched.
All HTTP requests from the client are routed to the microservices through the gateway.
All requests are proxied using their application name.
The gateway is capable of routing requests for a service to one or more servers, querying the registry for the required service.
For example, when the microservice 'price' is registered, it is available on the gateway through the /price URL. Any client making a request
to this service is routed to it using this URL.
You might be wondering what this URL is. Let us see this in the next card.
API Endpoint
How will you find a particular car among many other cars?
API Resources
A resource can be defined as an object with a type, relationships to other resources, associated data, and a collection of
methods that run on it.
One or more resources combine to form an API, and each handles a request.
A resource has a set of HTTP methods that operate on it, i.e., GET, PUT, etc.
You can locate the resource using the endpoint.
HTTP Methods
The HTTP method decides which action to perform on a given resource.
Rate-limiting/Throttling
Rate limiting is the process of limiting the number of API requests.
You know that the gateway proxies requests from a client to your backend services.
There is a limit to how many requests your backend system can handle.
The gateway implements rate limiting policies to control that limit.
Developers can use rate limiting as a spigot that can be adjusted based on requirements.
User-specific limiting: based on the user's API key, a limit is applied; requests above that limit are denied.
Server rate limiting: some servers, such as a login server, might have heavy traffic, while others might not have such high
usage. Applying the rate per server is a good way of using the available resources.
Regional rate limit: applying a rate limit for a particular region. The calls from a particular region during midnight
would be far fewer than the regular call limit. This type of limiting can alert the system in case of unwanted activities.
Throttling policies
Some advanced throttling policies are
By IP address
You can allow some IPs to consume more of your API resources using IP throttling.
HTTP request header
You can apply limits based on the HTTP request header. If you want to set a different throttling limit for JSON, you can create a policy that checks the
header for application/json and applies a speed limit.
JWT claims
The JWT carries information about the API. Based on the values in the JWT claims you can apply a speed limit.
Query parameters
When doing search operations, filtering based on query parameters can be applied to HTTP GET requests.
For example, if you have a search API with category as a query parameter, you can apply a different speed limit for different
categories.
Amazon uses the token bucket algorithm to handle throttling, where it sets the steady-state rate (by default 10,000 RPS) and the burst
limit (the maximum number of requests the gateway can fulfil at once, by default 5,000).
Exceeding the limit causes the gateway to return a 429 Too Many Requests error to the client. This results in better
throughput.
This can be set for individual APIs and even for specific clients.
If a caller evenly spreads 10,000 requests over one second (for example, 10 requests every millisecond), all requests
will be processed by the gateway without any being dropped.
If the caller places 10,000 requests in the first millisecond, the gateway handles 5,000 requests and throttles the remaining ones for the
one-second period.
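The two scenarios above replayed through a token bucket, as an added example that is not part of the course notes and not Amazon's implementation. Arrival timestamps are constructed, and the front-loaded case is modelled as all requests landing at the same instant.

```python
# Added example (not from the course notes): a token-bucket throttle using the
# default figures quoted above, a steady-state rate of 10,000 requests per second
# and a burst limit of 5,000. Time is passed in explicitly so the two scenarios
# from the text can be replayed deterministically.

class TokenBucket:
    def __init__(self, rate_per_sec=10_000, burst=5_000):
        self.rate = rate_per_sec          # tokens refilled per second
        self.burst = burst                # bucket capacity (burst limit)
        self.tokens = float(burst)        # bucket starts full
        self.last = 0.0                   # timestamp of the last refill

    def allow(self, now):
        """Return an HTTP status: 200 if a token is available, else 429."""
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 200                    # forwarded to the backend
        return 429                        # Too Many Requests

def replay(arrivals, bucket=None):
    """Feed arrival timestamps (seconds) and return (accepted, throttled)."""
    bucket = bucket or TokenBucket()
    statuses = [bucket.allow(t) for t in arrivals]
    return statuses.count(200), statuses.count(429)

def even_spread():
    # Scenario 1: 10 requests every millisecond for one second (10,000 total).
    return [ms / 1000.0 for ms in range(1000) for _ in range(10)]

def front_loaded():
    # Scenario 2: all 10,000 requests land in the first instant of the second.
    return [0.0] * 10_000
```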
_____ are identified using _____.—Resource, endpoints-correct
Versioning
It is the process of keeping track of changes that an API undergoes.
The change can be a change in URL, change in the request or response payload.
Example: https://hostname/v1/student/class
Here v1 is the version. The next version would be v2, and so on. Usually, the version is included in the URL.
To understand versioning better, you need to get familiar with API lifecycle.
CREATED: In the store, API metadata is added, but it is not deployed in the API gateway and hence is not visible in the
API Store.
PROTOTYPED: Deployed and published in the API Store as a prototype. The API can be invoked by the user without a
subscription.
The new version of API can be deployed as a prototype for testing without a subscription.
After testing, the prototyped API can be published, and the older versions get deprecated.
Types of Versioning
Media type/accept header versioning
Here you specify the version in the HTTP accept media type header.
Example: Accept: Application/vnd.api.article+xml; version=1.0
Custom header versioning
Here you create a custom header for specifying the version.
Example: X-API-Version: 2
URI versioning
The version is specified in the API endpoint.
Example: api.example.com/v1/resource
Domain Versioning
This is a different kind of URI version.
Example: apiv1.example.com/resource
Parameter Versioning
You can specify the version in a parameter of the request.
Example: GET /something/?version=0.1
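A resolver that recognises all five versioning schemes above, as an added example that is not part of the course notes. The header name and media-type parameter follow the examples in the text; the precedence order between schemes is an assumption for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example (not from the course notes): work out which API version a
# request asks for under each of the five schemes above. The header name and
# the media-type parameter follow the examples in the text; the precedence
# order is an assumption for the demo, the point being that the gateway
# resolves the version in one place so every backend sees the same answer.

CUSTOM_HEADER = "x-api-version"

def from_accept(accept):
    # Accept: application/vnd.api.article+xml; version=1.0
    for param in accept.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "version":
            return value.strip() or None
    return None

def from_uri(path):
    # /v1/resource
    m = re.match(r"^/v(\d+)(?:/|$)", path)
    return m.group(1) if m else None

def from_domain(host):
    # apiv1.example.com
    m = re.match(r"^apiv(\d+)\.", host)
    return m.group(1) if m else None

def from_query(query):
    # ?version=0.1
    values = parse_qs(query).get("version")
    return values[0] if values else None

def resolve_version(url, headers):
    """Return (scheme, version) from the first scheme that names one, else (None, None)."""
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    candidates = [
        ("media-type", from_accept(hdrs.get("accept", ""))),
        ("custom-header", hdrs.get(CUSTOM_HEADER)),
        ("uri", from_uri(parts.path)),
        ("domain", from_domain((parts.hostname or "").lower())),
        ("parameter", from_query(parts.query)),
    ]
    for scheme, version in candidates:
        if version:
            return scheme, version
    return None, None
```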
API Documentation
An API's functionality can be understood through its API documentation.
It helps API publishers to sustain competition and market their APIs better.
You can add various types of documentation from diverse sources, using API Publisher.
In-line: Hosts documentation in the API Publisher and can be edited directly from the UI.
The aim of Swagger is to let client and documentation systems update at the same speed as the server.
In Swagger, APIs are described in a simple static JSON representation which can be loaded through Swagger UI, which in turn
provides interactive documentation.
Swagger UI
Swagger UI is a collection of dependency-free JavaScript, HTML and CSS assets that dynamically generate
documentation from a Swagger-compliant API.
The API manager loads Swagger UI for every API through its Swagger integration, which helps produce auto-generated
documentation.
The API parameters and documentation can be customized by the API creator or API publisher.
Consider an API without any security. It will be vulnerable to attacks, and consumers will not subscribe to such APIs.
Anybody can access the API easily, which is not desirable.
There are various methods to authenticate and authorize API calls.
These methods can be used alone or in combination for a better experience.
API keys, application ID, password, JWT and OAuth are some of the methods to secure your APIs.
The gateway helps implement this security, making APIs secure.
corresponding microservices
The gateway and the microservice share a common secret key. Hence both are able to validate the token and authenticate
users using that token.
Security - OAuth
OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the
Internet.
An application is a logical collection of APIs, and subscribing to it generates tokens that authenticate the application.
A single token can be used to access all APIs associated with an application.
Also, a single API can be subscribed multiple times with many SLA levels.
For each API, you can define which user roles will be able to discover and subscribe to the API via the API Store.
You can also use the XML-based XACML (eXtensible Access Control Markup Language), an access control policy language, for
validating the request.
Zuul is the front door for all services, supporting 1000 plus devices and handling 50000 additional requests per second at peak.
More on Zuul
Zuul is a collection of filters written in Groovy, each capable of performing a particular action during the routing of HTTP
requests and responses.
Zuul can rapidly change its behaviour and react to situations.
It can be used with other Netflix OSS components such as Hystrix, Ribbon and Turbine to manage filters, load balancing, routing
and routing rules across your system.
Spring Cloud offers an embedded Zuul proxy that helps in creating a UI application that makes proxy calls to one or more
microservices easily.