API Gateway: Nginx way


Upload: inovia

Post on 28-Jan-2018


TRANSCRIPT

Page 1: API Gateway: Nginx way


Page 2: API Gateway: Nginx way

API gateway for microservices environments - the NGINX way

microservicesparis

30-Nov-2017 Liam Crilly


@liamcrilly

Page 3: API Gateway: Nginx way

We empower creators of the new digital world

Page 4: API Gateway: Nginx way

#1 for the busiest sites

The busiest sites choose NGINX

Source: W3Techs Web server ranking 20-Nov-2017

Page 5: API Gateway: Nginx way

Innovators powered by NGINX


Page 6: API Gateway: Nginx way

• NGINX v0.1 published in 2004

• NGINX, Inc. founded in 2011

• NGINX Plus released in 2013

• Offices in San Francisco, Cambridge, Cork, Moscow and Singapore

• 300M+ websites

• 1,200+ commercial customers

• 180+ employees across engineering, support, sales and marketing

Page 7: API Gateway: Nginx way

Our Products

NGINX Plus

The only all-in-one load balancer, web server, application firewall and content cache.

Simplify your architecture while reducing costs.

NGINX Controller

Centralized monitoring and management for NGINX Plus. Deploy and automate virtual load balancers with a beautiful interface and API.

NGINX Unit

The new, open source application server from NGINX, Inc. Lightweight, with multi-language support and an API-driven configuration.

NGINX

Industry-defining, open source webserver, reverse proxy and web accelerator

NGINX Amplify

NGINX Monitoring Made Easy: out-of-the-box graphs for NGINX and OS metrics, static analyzer and automated alerts

Page 8: API Gateway: Nginx way

Microservices

Page 9: API Gateway: Nginx way
Page 10: API Gateway: Nginx way

If beer was a web app…

Page 11: API Gateway: Nginx way

Monoliths are complex

• Tightly coupled to the underlying infrastructure

• Nobody knows how it all works

• Hard to maintain

• Impossible to debug

Page 12: API Gateway: Nginx way

Microservices are minimal

• Easily separated from underlying infrastructure

• Independently managed

• Easily replaced/replenished

• Consistent interface

Photos

http://www.thedieline.com/blog/2017/1/26/a-fresh-look-at-craft-beer-cans

https://www.threadless.com/product/3314/ring_pull

Page 13: API Gateway: Nginx way

Microservices do one thing


• One function

• Easy to test

• Easy to scale

Photo http://www.thedieline.com/blog/2017/1/26/a-fresh-look-at-craft-beer-cans

Page 14: API Gateway: Nginx way

Microservices do one thing

• Avoid duplicating functionality

◦ Crypto

◦ Authentication

◦ Access Control

◦ Analytics

Page 15: API Gateway: Nginx way

Microservices do one thing


• Microservice?

• Miniservice?

• Mini-monolith?

Page 16: API Gateway: Nginx way

But singular services can go bad


Page 17: API Gateway: Nginx way

So deploy with redundancy


• Plan for failure

• At least 2 per service

• Scale independently

• Scale on demand

Photo:

https://twitter.com/clinkbeer/status/812324082809180161

Page 18: API Gateway: Nginx way
Page 19: API Gateway: Nginx way

Choose complexity carefully

Proxy Model

Fabric Model (Service Mesh)

Page 20: API Gateway: Nginx way

The Goldilocks principle

[Chart: Suitability (Low to High) for “Too simple”, “Just right” and “Too complex”]

Page 21: API Gateway: Nginx way

Router Mesh Architecture


Secure Proxy API Gateway

Page 22: API Gateway: Nginx way

Separation of duties


Secure proxy

• North-South traffic

• TLS termination

• Client authentication

• Centralized logging for all client-initiated requests

• Request tracing injection

API gateway

• East-West and N-S traffic

• API routing

• Fine-grained access control

• Rate limiting

• Propagate request ID

Page 23: API Gateway: Nginx way

Everyone needs an API gateway!

Page 24: API Gateway: Nginx way

API Management products look a lot like monoliths

Page 25: API Gateway: Nginx way

Docker

#1 stars

#1 pulls

Page 26: API Gateway: Nginx way

API gateway functions


Things you need

• Fast proxying

• API routing

• Overload protection

• Authentication of clients

• TLS support (termination or end-to-end encryption)

Things you don’t need

• Digital strategy alignment

• API design tools

• Monetization metrics

• Business value measures

• Developer portals

Page 27: API Gateway: Nginx way

API routing

(URI mapping)

    # conf.d/routing_map.conf

    map $request_uri $upstream_api {
        # Regex keys need the "~" prefix; the first matching regex in file order wins

        # Pricing API
        "~^/api/prices/.*$"     pricing_api;
        "~^/v1/pricing/.*$"     pricing_api;
        "~^/item/.*/price/.*$"  pricing_api;

        # Partcodes API
        "~^/api/partcodes/.*$"  partcodes_api;
        "~^/v1/partno/.*$"      partcodes_api;
        "~^/item/.*/sku/.*$"    partcodes_api;

        # More APIs
        # ...
    }
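Added example (not from the original slides): a Python check that parses the routing map and resolves request URIs the way nginx's map does for regex keys, taking the first match in file order and returning an empty string when nothing matches. It handles only regex ("~", "~*") and default entries; ROUTING_MAP, parse_map, route and the sample URIs are constructed for this illustration.

```python
import re

# Routing map from the slide (constructed copy), regex keys marked with "~".
ROUTING_MAP = r'''
map $request_uri $upstream_api {
    # Pricing API
    "~^/api/prices/.*$"     pricing_api;
    "~^/v1/pricing/.*$"     pricing_api;
    "~^/item/.*/price/.*$"  pricing_api;
    # Partcodes API
    "~^/api/partcodes/.*$"  partcodes_api;
    "~^/v1/partno/.*$"      partcodes_api;
    "~^/item/.*/sku/.*$"    partcodes_api;
}
'''

def parse_map(text):
    """Return (regex rules in file order, default value) for one map block."""
    rules, default = [], ""  # with no "default" entry nginx yields an empty string
    body = text[text.index("{") + 1:text.rindex("}")]
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        key = key.strip('"')
        if key == "default":
            default = value
        elif key.startswith("~*"):          # case-insensitive regex
            rules.append((re.compile(key[2:], re.IGNORECASE), value))
        elif key.startswith("~"):           # case-sensitive regex
            rules.append((re.compile(key[1:]), value))
        else:
            raise ValueError("only regex and default keys are handled: " + key)
    return rules, default

def route(request_uri, rules, default=""):
    """Return the value of the first regex that matches, else the default."""
    for pattern, upstream in rules:
        if pattern.search(request_uri):
            return upstream
    return default

RULES, DEFAULT = parse_map(ROUTING_MAP)
# Constructed request URIs; $request_uri is the raw URI including the query string.
SAMPLES = ["/api/prices/42?currency=EUR", "/item/7/sku/9",
           "/item/7/sku/9/price/1", "/api/prices", "/healthz"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:32} -> {route(uri, RULES, DEFAULT) or '(no upstream)'}")
```

An empty result means $upstream_api is empty and the gateway has no upstream to proxy to, so a default entry or an explicit 404 for unrouted URIs is worth adding. The /item/7/sku/9/price/1 sample shows that overlapping patterns are decided by file order.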

Page 28: API Gateway: Nginx way

API routing

Overload protection

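    # conf.d/api_gateway.conf

    upstream pricing_api {
        server 172.16.0.1:80 max_conns=500;   # cap concurrent connections per server
        server 172.16.0.2:80 max_conns=500;
    }

    upstream partcodes_api {
        # "resolve" re-resolves the name at run time; it also needs a resolver
        # directive and a shared-memory zone in this upstream block
        server partcodes.app.example.com resolve;
    }

    server {
        listen 80;
        location / {
            proxy_pass http://$upstream_api;   # upstream chosen by routing_map.conf
            # The clientip and 10persec zones must be declared at http level
            # with limit_conn_zone and limit_req_zone
            limit_conn clientip 20;
            limit_req zone=10persec;
        }
    }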

Page 29: API Gateway: Nginx way

Authentication

(API keys)

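    # conf.d/apikeys_map.conf

    map $http_apikey $client_name {
        # Value of the "apikey" request header -> client name;
        # a missing or unknown key leaves $client_name empty
        rL0Y20zC-Fzt72VPzMSk2A client_foo;
        N7UdGUp1E-RbVvZSTy1R8g client_bar;
        c_7_pLf2u2jkTPmEyF9uiA client_baz;
        OiHNcxfhRFvomZn11_YqUw client_pub;

        # ...
    }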

Page 30: API Gateway: Nginx way

Authentication

(API keys)

    # conf.d/api_gateway.conf

    #[upstreams here]

    server {
        listen 80;
        location / {
            # Reject requests whose API key is not in apikeys_map.conf
            if ($client_name = "") {
                return 401;
            }

            proxy_pass http://$upstream_api;
            # Tell the backend which client was authenticated
            proxy_set_header API-Client $client_name;

            limit_conn clientip 20;
            limit_req zone=10persec;
        }
    }

Page 31: API Gateway: Nginx way

Authentication

(JSON Web Token)

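    # conf.d/api_gateway.conf

    #[upstreams here]

    server {
        listen 80;

        # Require a JWT that validates against the keys in jwk.json
        auth_jwt "private API";
        auth_jwt_key_file jwk.json;

        location / {
            proxy_pass http://$upstream_api;
            # Pass the token's "sub" claim to the backend as the client identity
            proxy_set_header APIclient $jwt_claim_sub;

            limit_conn clientip 20;
            limit_req zone=10persec;
        }
    }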

Page 32: API Gateway: Nginx way

Request tracing

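    # conf.d/api_gateway.conf

    #[upstreams here]

    # API gateway: propagate the request ID received in the RequestID header
    server {
        listen 80;
        location / {
            proxy_pass http://$upstream_api;
            proxy_set_header RequestID $http_requestid;
        }
    }

    # Secure Proxy

    server {
        listen 443 ssl;
        #ssl_* # TLS configuration

        # Inject the ID that NGINX generates for each request
        proxy_set_header RequestID $request_id;

        # proxy_pass is only valid inside a location block
        location / {
            proxy_pass http://api_gateway;
        }
    }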

Page 33: API Gateway: Nginx way

If beer was a web app…

Page 34: API Gateway: Nginx way

If beer was a web app…

Page 35: API Gateway: Nginx way

nginx.com | @nginx

@liamcrilly

Thank you

Merci