
Zuul – Netflix

Amar
What is API Gateway?
 An API gateway provides a single, unified API entry point across one or
more internal APIs. It typically layers rate limiting and security on top as well.

 A microservice-based architecture may have from 10 to 100 or more
services. An API gateway can help provide a unified entry point for
external consumers, independent of the number and composition of
internal microservices.

 Advantages:
 Prevents exposing internal concerns to external clients.
 Adds an additional layer of security to your microservices.
 Enables support for mixing communication protocols.
 Decreased microservice complexity.
 Microservice Mocking and Virtualization.
API Gateway - with and without
Forward Proxy
 Forward Proxy is the proxy for the client and it hides the identities of
the clients. It receives the request from the client and sends the
requests to the server on behalf of the clients.
 The main purpose of forward proxy is to act on behalf of clients by
hiding their identities. 
Reverse Proxy
 A Reverse Proxy does the opposite of what the Forward Proxy does.
 It hides the identities of the servers and receives requests from clients
on behalf of the servers.
 Behind the reverse proxy there may be several different web services and
servers.
 The main purpose of a reverse proxy is to serve client applications on
behalf of a set of backend applications deployed behind the reverse proxy.
What is Zuul??
 Created by Netflix
 It is open-source
 It is API Gateway
 It is a reverse proxy
 Zuul is an edge service that proxies requests to multiple backing services.
 It provides a unified “front door” to your system, which allows a browser,
mobile app, or other user interface to consume services from multiple
hosts without managing cross-origin resource sharing (CORS) and
authentication for each one.
 It can be used to manage routing rules, filters, and load balancing
across your system.
Spring Platform Microservice Ecosystem

[Diagram: Dynamic Properties (Archaius); Spring Platform (Karyon, Hystrix); Micro Service (Zuul); Monitoring (Atlas); Discovery (Eureka); Deployment Pipeline; AWS (S3, EC2)]

Request Lifecycle of a Request

Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Zuul in a Nutshell

Principles of Zuul Gateway
 Creative Routing
 Dynamic Routing
 Delivery Focused
 Traffic Shaping
 React Fast
 Insights
Zuul Responsibilities
• Top Level request context
– Geolocation
– Cookie / Token decryption
• Authentication
– Hand off to Authentication Services
• Request/Response “normalization”
– Device specific “weirdness”
    • Chunked Encoding
    • Header truncations
    • URL fixes
• Testing / Debug support
– Verbose Headers
– Geolocation overrides
– Error Context
Sample Configuration:
zuul:
  routes:
    get:
      path: /get/**
      url: http://httpbin.org/get
    links:
      path: /links/**
      url: http://httpbin.org/links
    images:
      path: /image/**
      url: http://httpbin.org/image
Zuul Filters
 There are five built-in rate limit approaches:
 Authenticated User - Uses the authenticated username or 'anonymous'
 Request Origin - Uses the user origin request
 URL - Uses the request path of the downstream service
 URL Pattern - Uses the request Ant path pattern to the downstream service
 ROLE - Uses the authenticated user roles
 Request method - Uses the HTTP request method
 Global configuration per service - This one does not validate the request
Origin, Authenticated User or URI. To use this approach just don’t set param 'type'.
Zuul Filters Sample
    zuul.ratelimit.enabled=true
    zuul.ratelimit.key-prefix=your-prefix
    zuul.ratelimit.repository=REDIS
    zuul.ratelimit.behind-proxy=true
    zuul.ratelimit.add-response-headers=true

    zuul.ratelimit.default-policy-list[0].limit=10
    zuul.ratelimit.default-policy-list[0].quota=1000
    zuul.ratelimit.default-policy-list[0].refresh-interval=60

    # Adding multiple rate limit type
    zuul.ratelimit.default-policy-list[0].type[0]=user
    zuul.ratelimit.default-policy-list[0].type[1]=origin
    zuul.ratelimit.default-policy-list[0].type[2]=url
    zuul.ratelimit.default-policy-list[0].type[3]=http_method
Zuul Filters Samples continued..

    # Adding the first rate limit policy to "myServiceId"
    zuul.ratelimit.policy-list.myServiceId[0].limit=10
    zuul.ratelimit.policy-list.myServiceId[0].quota=1000
    zuul.ratelimit.policy-list.myServiceId[0].refresh-interval=60
    zuul.ratelimit.policy-list.myServiceId[0].type[0]=user
    zuul.ratelimit.policy-list.myServiceId[0].type[1]=origin
    zuul.ratelimit.policy-list.myServiceId[0].type[2]=url

    # Adding the second rate limit policy to "myServiceId"
    zuul.ratelimit.policy-list.myServiceId[1].type[0]=user=anonymous
    zuul.ratelimit.policy-list.myServiceId[1].type[1]=origin=somemachine.com
    zuul.ratelimit.policy-list.myServiceId[1].type[2]=url_pattern=/api/*/payment
    zuul.ratelimit.policy-list.myServiceId[1].type[3]=role=user
    zuul.ratelimit.policy-list.myServiceId[1].type[4]=http_method=get
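The policies above can be read as "count requests per key, where the key is built from the listed types". The following is an added example, not code from the slides or from the rate-limit library: a simplified Python model of that behaviour. The request dict fields, the key layout and the fixed-window counter are assumptions made for illustration, and only `limit` and `refresh-interval` are modelled (not `quota`).

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    limit: int             # max requests per window
    refresh_interval: int  # window length in seconds
    types: list            # e.g. ["user", "url_pattern=/api/*/payment"]

# How each type reads its value from a request (constructed dict, not Zuul's API)
EXTRACT = {
    "user": lambda r: r.get("user") or "anonymous",
    "origin": lambda r: r["origin"],
    "url": lambda r: r["path"],
    "url_pattern": lambda r: r["path"],
    "role": lambda r: r.get("role", ""),
    "http_method": lambda r: r["method"].lower(),
}

def ant_match(pattern, path):
    # Handles only a single-segment '*', which must not cross a '/'
    return re.fullmatch(re.escape(pattern).replace(r"\*", "[^/]*"), path) is not None

def key_for(policy, service_id, req, prefix="your-prefix"):
    """Counter key for this request, or None when a matcher excludes it."""
    parts = [prefix, service_id]
    for t in policy.types:
        name, _, matcher = t.partition("=")
        value = EXTRACT[name](req)
        if name == "url_pattern" and matcher:
            if not ant_match(matcher, value):
                return None
            value = matcher  # all URLs matching the pattern share one counter
        elif matcher and value != matcher:
            return None
        parts.append(value)
    return ":".join(parts)

class FixedWindowLimiter:
    def __init__(self):
        self.windows = {}  # key -> (window_start, count)

    def allow(self, policy, service_id, req, now):
        key = key_for(policy, service_id, req)
        if key is None:
            return True  # policy does not apply to this request
        start, count = self.windows.get(key, (now, 0))
        if now - start >= policy.refresh_interval:
            start, count = now, 0  # window expired: start a new one
        self.windows[key] = (start, count + 1)
        return count + 1 <= policy.limit
```

The more types a policy lists, the narrower each counter becomes: with `user`, `origin`, `url` and `http_method` all set, a client gets a fresh allowance of 10 for every distinct combination, not 10 in total.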
Zuul 2!!

• Zuul 2.0
– Netty (non-blocking, async)
– RxJava chained filters
– Coming to OSS soon.
Why Zuul 2?

• 100M+ Persistent connections
– Push notifications
– Events
• Transport protocol agnostic
– HTTP/2
– Websocket
– HTTP
– Async Blocking
Drawbacks:
 In Zuul 1, calls to the API Gateway are all blocking.
 The Spring Cloud Framework does not integrate Zuul 2.

Alternatives:
Demo

 Zuul directly
 Zuul with Eureka


Any questions???

Thank you
