Recap on Microservices

 Microservices architecture allows you to build an application as a collection of services that are loosely coupled, which implement
business capabilities.
 Continuous delivery/deployment of large, complex applications is possible using microservice.
 This is more advantageous than a monolithic application that is built with database, client, and server application as a single unit.
 Microservice can handle single service failure well compared to a monolithic application where the whole application goes down.

What is an API?
Application Programming Interface (API) is a business capability delivered over the internet, to the internal or external consumers.

 A Web API is a software interface presented over the HTTP protocol that helps in facilitating the development of mobile, Web
and cloud applications.
 In simple terms, you can imagine API as a messenger that takes your request and tells the system what you want to
do and returns the response back to you.
 It is available with standard web protocol with a well-defined interface and is accessible by third parties.

API Gateway - The Moderator

 An API gateway is considered as a single interface that takes care of various requests to internal servers.
 It offers security, governance, integration, and acceleration for API.
 It is a complete platform to manage, deliver, and secure Web APIs.
 An API call will be received by the gateway and will route it to the appropriate microservice.

API Gateway vs API Proxy

 An API Proxy will simply add Transport Security and Monitoring capabilities to an existing API.
 It does not add anything new, just re-exposes the existing API with some additional capabilities.
 A gateway has more functionality on top of API proxy, including content mediation and transformation, rate-limiting, caching, etc.
 Even though API Proxy is lightweight and offers the same functionality as Gateway, a well-built gateway will offer lightweight proxy with more
capabilities.

API Gateway vs API Manager

 An API Gateway helps in managing the endpoints.
 An API Manager can include an API Gateway as part of its features but will include other things like OAuth, caching, role
checking, etc.
 You might get confused with both as some API Gateways try to act as API Managers these days.
 An API Gateway is just one tool amongst many in an API Managers package.

Setting the Context

Let us meet John, who is planning a road trip. For his road trip, John needs a car with services like Insurance, Speed throttler, and
Navigator. He can purchase all that separately, but he is looking for a simple solution.

Now let us relate this with our Microservice. An application needs a lot of information to run. Each information is taken care of by a
separate microservice.

Now the question is how a client would fetch the information from all the services.

A client device can be a desktop or a mobile device. In theory, a client can send a request to all the services
individually. Let us see the drawbacks in such a design.

If There is No Gateway?
 An application might use 'n' number of services, and a single client making that many calls is quite difficult.
 Each service might use a different protocol which might not be web-friendly.
 Ideally, an application should use HTTP and WebSocket protocols.
 It is hard to merge or split a service in this design.
 How to overcome these issues? Yes, you guessed it right. Use an API Gateway.
Using API Gateway
 An API Gateway is a server that is the single entry point into the system for all clients.
 It can either route the request to one or many services based on the request.
 It is capable of exposing a client to different APIs based on the devices.
 It also helps in implementing security.

Variation: Backend for Frontend

 In practice, our mobile devices will make fewer calls and will display different (and probably less) data than a desktop device.
 The general-purpose API backend does a lot of work, and hence a separate team will be required to maintain that.
 To overcome all these, the before mentioned pattern can be modified to have a separate gateway for each type of client device.
 Each gateway has access to all the microservices.

Benefits of API Gateway

 Gateway is like the tip of the iceberg that Encapsulates the internal structure of the application.
 Insulates the clients from Location determination of service instances.
 Provides specific API to each client, reducing the number of round-trips between the client and application.
 Simplifies the client by moving the logic for calling multiple services from the client to API gateway.

Restraints of API Gateway

 Developers need to update the gateway to expose the microservice endpoint which might result in a risk of development
bottleneck.
 Need to develop, deploy and maintain an additional highly available component.
 Due to the additional network hop through the API gateway, there is an increased response time.

Client-side Discovery
 Service discovery solves the problems on how microservices talk to each other, i.e. perform API calls.
 In a monolithic application, services are invoked by procedure or function calls.
 But in Microservice architecture the service location changes dynamically.
 To overcome this, you can make use of client-side discovery pattern.
 It makes use of a service registry, which act as an index of all the service and its location.
 To invoke a service, a client or Gateway will query the service registry, and find the required service.

Server-side Discovery
 For the same scenario in the last card, an alternate solution is a server-side discovery.
 Here instead of querying the service registry, clients make the request to a router (load balancer/gateway).
 This, in turn, queries the service registry and invokes the appropriate service.
 Even though this requires an extra component, the client code is simple which only involves making a request to the router.

Role on Gateways in Service Discovery

 The service discovery consists of a key-value store (Service Registry) and APIs to read and write to this store.
 Service start-up and shut-down script should include code that registers and unregisters itself, when it starts and shutdown
respectively.
 The registry will check for service's heartbeat periodically to ensure that it is functional.

You know that an application depends on several services. The question is how to keep track of all these services?

Let us discuss that with an example in the next card

Role on Gateways in Service Discovery...

Consider two services A and B. Service A needs to call Service B. But A has no idea where B is located. Now introduce a Gateway in
this scenario.
Both A and B will register their IP address and port in Gateway service Registry. Now all the application connected to the Gateway
can access both A and B.

Without gateways, client devices and services cannot decide where to look for the other service.

A gateway which has client or server side discovery implemented will help in deciding the service location, i.e. their IP address, port,
and even their version.

Circuit Breaker
 One microservice might depend on another service.
 If the called service is down, this might result in high latency and makes the application unusable and exhaust the available
resource.
 When the number of failures crosses a threshold, the circuit breaker will trip and cause a timeout.
 After the timeout, only a limited request is passed to the service, and if it succeeds normal operation is reverted, else timeout
continues.

Need for Circut breakers in Gateways

Consider the same scenario with service A and B without a Gateway.

What if Service A goes down for a while?

 The system will wait for A to respond and after a timeout period, it sends an error message that the service is down.
 But within that time limit, a new request will queue up.

-When the service 'A' resumes, all the request in the queue will hit it causing a failure.

Need for Circuit Breakers in Gateway...

Now introduce a Gateway with circuit breaker implemented.

 It has a threshold time for which a service can be down, after which the gateway itself will return an error message stating that
service is down.
 This will avoid the request queueing since there is no timeout waiting.
 In the background, gateway tries to ping the service, when it is up, the normal operation resumes.

_____ doesn't add anything new, it just re-exposes the existing API with some additional capabilities –API Gateways

A variation for regular Gateway pattern is ______.—Backend for frontend

Ideally an application should use _____ protocols.—HTTP-wrong//

_____ helps in reducing latency during service calls.—Circuit breaker

Which service discovery requires an additional router?—Server side discovery

Gateway is capable of exposing a client to different APIs based on the devices.—True

An API call will be received by the gateway and will route it to the appropriate microservice.—true

An API proxy can act as an API gateway.—False

_____ doesn't add anything new, it just re-exposes the existing API with some additional capabilities.—API proxy

Gateway is capable of exposing a client to different APIs based on the devices.-True

API Gateway - Components

Let's have an overview of the whole architecture and see how it works.

 A Typical Gateway consists of a Publisher and store.

 Apart from this, it has a key management, traffic management, and analytics component.
 Creating an API starts with the publisher, where it will be designed, and it will be published to the store for the consumer to
explore and subscribe.
 Once subscribed, the clients can invoke the API using the API key generated by Key managements component.
 The gateway receives the call and verifies the token with the key management and allows the API to hit the service.
 The traffic management component helps in applying rate limiting features.

API Publisher
 An API Publisher is a Web application with a structured GUI.
 It is designed for API publishers (Developers) and managers.
 This involves API Development and API management.
 The lifecycle activities of a common API developer/manager are

i) Develop

ii) Publish

iii) Manage

iv) Monitor

Develop and Publish

Develop

This includes

 Creating an API or making changes to an existing one

 Deploying the API to a server
Publish

This involves

 Registering the API

 Associate corresponding Service level agreement and security policy
 Rate limiting/throttling

Manage and Monitor

Manage

This includes managing the

 Lifecycle
 Versions
 Access policies
 Keys
Monitor

This involves Monitoring

 the API behavior

 the consumer usage
 the consumer requirements

API Store
 The API Store is considered as a Web application where the publisher will host the API.
 The consumers can register and subscribe to the APIs here.
 Before your application can access an API, it should be registered in the store.
 An application can subscribe to any number of APIs.
  The lifecycle activities of an API consumer is:

i) Find

ii) Explore

iii) Subscribe

iv) Evaluate

Life Cycle Activities of an API Consumer

 Find: Searching the store for the required API

 Explore: Trying out the API online

 Subscribe: Subscribing to the Application

 Evaluate: Providing rating and comments

Key Management
 This governs access and token related operations.
 The gateway connects with the key management to validate API subscription, OAuth tokens and API invoking.
 The communication between the gateway and key management happens through a web service call or a thrift call.
 Thrift is a communication protocol faster than HTTP and SOAP.

Caching
 While subscribing to an application, a token will be created by Key management.
 Then while invoking API gateway will validate the token using Key Management.
 You can avoid gateway making calls to key management frequently by using caching.
 The information such as token, API name and version are cached and stored in either the API Gateway or the key manager
server.
 It improves the latency of the requests to your API.

Traffic Management
 This helps in regulating the API traffic.
 It secures the organization from attacks like DoS.
 Enforces rate limiting policies.
 Makes the Applications and APIs available to the consumers at different service levels.
 Gateway manages traffic with the help of Throttling and role specific Rate limiting policies, which will be discussed
later.

Analytics
This helps in monitoring the API and Application.

This includes functionalities like

 Statistical graphs
 Alerting mechanism on pre-determined events
 Log analyzer
 Alerts on unusual activities

Till now you have a brief overview of API gateway and its components. Now let us discuss in detail about the Key features of API
gateway in further cards.
Which of the following is not a function of analytic?--enforce rate limiting policy

Which one of the following is an API consumer lifecycle?—Explore

Which one of the following is not an API developer/manager lifecycle?—Explore

The communication between the gateway and key management happens through a _____ call.—Thrift

DoS Attacks are prevented using _______.—Traffic management

‘To avoid the gateway from making calls to key management frequently use Caching.—True

API creation and management is done in ______.—API Publisher

HTTP Routing
 The gateways and the microservices will register themselves in a registry when they are launched.
 All the HTTP request from the client will be routed to the microservices through the gateway.
 All request will be proxied, using their application name.
 The gateway is capable of routing the service to one or more servers querying for the required service.

For example, when microservices 'price' is registered, it is available on the gateway through /price URL. Any clients making a request
to this service will be routed to this service using this URL.

You might be wondering what is this URL? Let us see this in the next card

API Endpoint
How will you find a particular car among many other cars?

Right! Using its Registration number

 Endpoint is an URL that communicates with the API.

 It can be a collection of Object.
 If you want your HTTP client to interact with the data resource, point it to the required endpoint.
 Simply, it is an URL using which a client will access a service.
 A single service can have multiple endpoints.

API Resources
 A resource can be defined as an object with a type, relationships to other resources, associated data, and a collection of
methods that run on it.
 One or more resources combine and form an API, and each will handle a request.
 A resource has a set of HTTP methods that operate on it, i.e., GET, PUT, etc.
 You can locate the resource using the endpoint.

HTTP Methods
The HTTP methods will decide which action to perform on a given resources.

Rate-limiting/Throttling
 Rate Limiting is the process of limiting the number of API request.
 You know that the gateway proxies the request from a client to your backend services.
 There is a limit for your backend system to handle the request.
 Gateway implements Rate Limiting policies to control the limit.
 Developers can use Rate limiting as a spigot that can be adjusted based on requirement.

Need for Rate Limiting

  In Physical Context, Rate limiting should be implemented keeping in mind the Physical limitation of the system such as some
concurrent connection, data transfer, bandwidth, etc.
 In safety context, it should be implemented to avoid overflowing of the request which might result in service failure.
 In a business context, a developer can monetize their APIs by applying rate limiting. You might want to pay if you need to
make more requests.

Types of Rate Limiting

There are three main types of rate limiting.

 User Specific Limiting: Based on the user's API key, the limit is applied above where all requests are denied.

 Server Rate Limiting: Some server such as login server might have heavy traffic, while other might not have such high
usage. The rate applied based on a server is a good way of using an available resource.

 Regional Rate Limit: Applying rate for a particular limit based on region. The calls from a particular region during mid-night
would be far less that a regular call limit. This type of limiting can alert the system in case of unwanted activities.

Throttling policies
Some Advanced throttling policies are
By IP address

You can make some IPs to consume more of your API resource using IP throttling.
HTTP request header

You can apply limits based on the HTTP request header. If you want to set a different throttling limit for JSON, you can create a policy that checks the
header for application/JSON and applies speed limit.

More on Throttling Policies

JWT Claims

JWT has the information about the API. Based on the values in JWT claim you can apply speed limit.
Query parameters

When doing search operations, filtering based on query parameters can be applied to HTTP GET requests.

For example, if you have a search API with a category as a query parameter, you can have different speed for finding different
categories.

Throttle for Better Throughput

The type of rate limiting varies from company to company.

Let us see how Amazon Handles rate limiting.

 Amazon uses token bucket algorithm to handle throttling, where it sets the steady state rate (by default 10000 RPS) and bust
limit (Maximum request a Gateway can fulfill, by default 5000).
 Exceeding the limit will cause the gateway to return a 429 Too Many Requests errorto the client. This results in better
throughput.
 This can be set to individual APIs and event to specific clients.

 If a caller evenly places 10,000 requests in a one second (for example, 10 requests every millisecond), without dropping all
request, will be processed by Gateway.
 If the caller places 10,000 requests in the first millisecond, Gateway handles 5,000 requests and throttles the remaining in the
one-second period.
_____ are identified using _____.—Ressource, endpoints-correct

Which of the following is not a rate limiting types?—Bandwidth specific ratelimit-correct

All request will be proxied through Gateway, using their ______.—Application name-correct

Rate limiting based on the HTTP header is not possible.—False-correct

_____ is a URL that communicates with the API.—Resource

Bandwidth is one of the reason to enforce Rate-Limiting.—True

A single service can have multiple endpoints.—True-correct

Which of the following is not a HTTP method?—CONNECT-wrong/DELETE-wrong

Versioning
 It is the process of keeping track of changes that an API undergoes.

 The change can be a change in URL, change in the request or response payload.

Example: https://hostname/v1/student/class

Here v1 is the version. Next version would be v2 and so on. Usually, version is included in URL.

To understand versioning better, you need to get familiar with API lifecycle.

Life Cycle Management

APIs have separate lifecycle apart from the back-end service that they depend on. The Publisher manages the lifecycle

The following stages are available in an API lifecycle:

 CREATED: In the store, API metadata is added, but it is not deployed in the API gateway and hence, is not visible to in the
API Store.

 PROTOTYPED: Deployed and published in the API Store as a prototype. API can be invoked without subscription by the
user.

 Life Cycle Management...

 PUBLISHED: Visible in the API Store and ready for subscription.
 DEPRECATED: New subscriptions are disabled. But the API is still deployed in the Gateway and is available at runtime to
existing subscribers. Existing subscribers can use it until the API is retired.
 RETIRED: Unpublished from the API gateway and removed from the store.
 BLOCKED: Access is temporarily blocked. Not shown in the API Store afterward.

Need for Versioning

 A new API version is created when you change published API's behavior, authentication mechanism, resources, throttling
tiers, target audiences, etc.

 Modifying a published API that has subscribers, it not recommended.

 The new version of API can be deployed as a prototype for testing without a subscription.
  After testing, the prototyped API can be published, and the older versions get deprecated.

Types of Versioning
 Media type/accept header versioning
 Here you specify the version in the HTTP accept media type header.
 Example: Accept: Application/vnd.api.article+xml; version=1.0
 Custome header versioning
 Here you create a custome header for specifying the verison
 Example: X-API-Version: 2
 URI versioning
 The version is specified in the API Endpoint
 Example: api.example.com/v1/resource)
  Domain Versioning
 This is a different kind of URI version.
 Example: apiv1.example.com/resource
 Parameter Versioning
 You can specify the version in paramete of the request
 Example: GET /something/?version=0.1

API Documentation
 API's functionality can be understood by using API Documentation.

 It helps API publishers to sustain competition and market their APIs better.

 You can add various types of documentation from diverse sources, using API Publisher.

 Unique URLs are given to documents created in API Publisher.

API Documentation Types

The API Publisher supports the following files:

 In-line: Hosts documentation in the API Publisher and can be edited directly from the UI.

 URL: Links to reference files.

 File: Can upload the documentation directly to the server.

Interactive API Documentation - Swagger

 Swagger is a framework implementation for producing, describing, visualizing and consuming RESTful web services.

 To enable client and documentation systems to update at the same speed as the server is the aim of Swagger.

 One of the modules of swagger is Swagger UI.

 In Swagger, APIs are described in simple static JSON representation which can be loaded through Swagger UI, which in turn
provides an interactive documentation.

 Swagger UI
 Swagger UI is a collection of dependency-free Javascript, HTML, and CSS assets that dynamically generate
documentation from a Swagger-compliant API.
 API manager loads Swagger UI for every API, with Swagger integration, and helps in producing auto-generated
documentation.
 The API parameters and documentation can be customized by API creator or API publisher.

API Documentation can be added using ______.—API publisher

Swagger UI creates Documentation based on API Parameters.—True
Which of the core modules of Swagger helps in creating Interactive documentation?—Swagger UI
It is possible to test an API without subscribing.—True

X-API-Version: 2 is _____ type of versioning.—custom header

Which of the following is a type of documentation?—URL
Need for Security

 Consider an API without any security. It will be vulnerable to attacks and consumers will not use subscribe to those APIs.
Anybody can access the API easily, which is not preferred.
 There are various methods to authenticate and authorize the APIs.
 These methods can be used alone or in combination for a better experience.
 API keys, Application ID, password, JWT, and OAuth are some of the methods to secure your APIs.
 Gateway helps in implementing this security, making APIs secure.

Security- JWT (JSON Web Token)

 JWT (JSON Web Token) is a method for securing applications in a microservices architecture.

 Access Tokens are generated by the gateway and sent to the -

corresponding microservices

 Gateway and microservice share a common secret key. Hence they will be able to validate the token and authenticate
users using that token.

 Those tokens have both authorization and authentication information.

Security - OAuth
 OAuth (Open Authorization) is considered as an open standard for token-based authentication and authorization on the
Internet.

 OAuth2 to provide simple key management.

 They are a logical collection of APIs, which generates tokens to authenticate an application.

 A single token can be used to access all APIs associated with an application.

 Also, a single API can be subscribed multiple times with many SLA levels.

What is Access Control?

 Access Control helps in deciding who gets access and control different levels of access for different types of users.
 Access control is one method to ensure that the API call is valid.
 If needed, you can also classify various types of users and offer a variety of business services.
 Access Gateways let you deny the access to specific endpoints, methods, and services and you can easily apply access
policy for groups of users.

 Users and Roles

 Admin: The API management provider who manages and hosts the API Gateway. Admin creates and assigns user roles,
manages databases, security, etc.
 Creator: A person who understands the technical aspects of the API and uses the API publisher to move APIs into the API
store. The creator can add an API to store but cannot manage its lifecycle.
 Publisher: Manages a set of APIs and controls the API lifecycle, monetization and subscriptions aspects. The publisher also
has access to all API statistics.
 Subscriber: Uses the API store to discover APIs, read forums and documentations, rate APIs, subscribe APIs, obtain access
tokens and invoke the APIs.

Role Based Access control

 All registered microservices are accessible through the gateway.
  You can exclude a specific API from the gateway, using a particular access control policy filter.

 For each API, you can define which user Roles will be able to discover and subscribe API via the API Store

 This can be done using the API Visibility setting.

 Only authorized users should access APIs without any interruption.

 OAuth 2.0 scope is one method of controlling access to users.

 You can also use XML-based XACML (eXtensible Access Control Markup Language), an access control policy language for
validating the request.

Netflix API Gateway

Now let us see about Netflix API gateway, which has all these key features incorporated.

 Netflix is one of the major adopters of microservices.

 They created an open-source proxy server Zuul.

 Zuul proxies requests to multiple microservices.

 It is the front door for all services supporting 1000 plus devices and handling 50000 additional requests per second at peak.

 It is built to enable dynamic routing, resiliency, monitoring, and security.

The name Zuul comes from the movie Ghostbusters where Zuul appears as

the Gatekeeper of Gozer.

More on Zuul
 Zuul is a collection of filters written in Groovy that is capable of performing a particular action during the routing of HTTP
requests and responses.

 It provides a framework to read, compile, and run these filters dynamically.

 Zuul can rapidly change its behavior and react to the situations.

 It can be used with other Netflix OSS such as Hystrix, Ribbon, Turbine and use it to manage filters, load balancing, routing
and routing rules across your system.

 Spring Cloud offers an embedded Zuul proxy that helps in creating UI application that makes proxy calls to one or more
microservices easily.

 Introduction to API manager

 So far, you got a basic idea about API gateway and its features, now it's time to use an API manager to create and invoke an
API.
 WSO2 API Manager is a API management application that allows you to create, publish and manage APIs.
 It supports API application development, lifecycle management, rate limiting, analytics and access control in one system.

Who manages the API lifecycle?—Publisher

Role based authentication is done using _____ setting.—Visibility
_____ does not add anything new, it just re-exposes the existing API with some additional capabilities.—Proxy

WSO2 store is a ______. --Key Manager-wrong

A single API cannot be subscribed multiple times with many SLA levels.—False
Oauth uses ____ to authenticate the users.—Tokens
Monetization is one of the reason for Rate limiting.—True
WSO2 API publisher can be accessed through the address.—9444-wrong
______ is a process of storing server response at the client-end.—All--wrong

The tool that is used to develop API documentation is _____.—Swagger

The default burst limit in AWS gateway is _____.-5000--wrong
What HTTP Status Code 401 indicates?-Forbidden