manualshive.com logo in svg

Alibaba Cloud API Gateway, User Manual

Share
Download
Alibaba Cloud API Gateway User Manual Download Page 30

-

-

-

-

-

If your backend service works in a VPC instance, you must authorize the API gateway to open

corresponding APIs. The process of creating an API is as follows:

 

 

 
1 Authorize and bind a VPC instance

 

In a VPC environment, you must authorize the API gateway so that it can access the service in your

VPC. During authorization, you must specify the resource and port which the API gateway can access,

such as port 443 of Server Load Balancer and port 80 of ECS.

 

After the authorization succeeds, the API gateway accesses resources in the VPC instance

through the intranet.

This authorization is only used for the API gateway to access corresponding backend

resources.

The API gateway cannot access unauthorized resources or ports.
 

For example, if only port 80 of Server Load Balancer 1 in VPC 1 is authorized to the API gateway, the

API gateway can only access this port.

 

 

 
1.1 Prepare for a VPC environment

 

(1) Buy Server Load Balancer and ECS instances in the VPC environment and build the service. For

more information, see 

VPC user manual

.

 

(2) Query the VPC information. Prepare the following VPC information:

 

VPC ID: Indicates the ID of the VPC where your backend service is located.

Instance ID: Indicates the ID of the instance of your backend service. The instance can be an

API Gateway

User Guide for Providers

29

Summary of Contents for API Gateway

Page 1: ...API Gateway User Guide for Providers...

Page 2: ...deprecation and version switching Easy data conversion You can configure a mapping rule to convert the calling request into the format required by the backend Presetting of request verification You c...

Page 3: ...o backend services the format of returned results the parameter verification rules and so on Define basic information Basic API information includes the API group API name description and API type Sel...

Page 4: ...rom that in the backend service address You have to map the parameters when defining the path if they are in the backend service address Input parameter definition The parameters to input conprise hea...

Page 5: ...r The parameter name must be globally unique It is not allowed to enter a parameter named name in headers and queries at the same time After the preceding steps now you can test and release the API gr...

Page 6: ...in name as follows The unique and fixed second level domain name is assigned by the system during group creation By default a second level domain name is used to call the API only in the test environm...

Page 7: ...definitions Editing the definition of a released API does not affect the definition in the production environment unless you release and synchronize it to the production environment It is not allowed...

Page 8: ...ew the release history of each of you APIs including the version number notes test production and time of each release When viewing the release history you can select a version and switch to it The ne...

Page 9: ...he throttling policy is described as follows Throttling policy contains the following dimensions The three values can be set in one throttling policy Note that the user traffic limit API traffic limit...

Page 10: ...e and special object settings appliable to each API separately The lattest policy bound to the API overwrites the previous one and takes effect immediately To add a special app or user you must obtain...

Page 11: ...ount Restrictions on the number of independent domain names bound to an API group At most five independent domain names can be bound to a group Restrictions on the traffic for calling an API The traff...

Page 12: ...name is X Ca Signature How to add a signature at the backend HTTP service For more information about the demo Java of signature calculation see https github com aliyun api gateway demo sign backend ja...

Page 13: ...ercase letters in the key of the header to lowercase and splice the keys in the following method URL URL indicates the Form parameter in the Path Query Body The organization method is as follows If Qu...

Page 14: ...uthorization OpenID Connect is a lightweight standard based on OAuth 2 0 which provides a framework for identity interaction through APIs Compared with OAuth OpenID Connect not only authenticates a re...

Page 15: ...oken to the client When configuring such APIs you must inform the API gateway about the key corresponding to your Token and the public key used to resolve the Token Service APIs Interfaces used to obt...

Page 16: ...ined by the authorization API and the signed Appkey to call the service API The API gateway authenticates and resolves the Token and sends the user information contained in the Token to the backend Du...

Page 17: ...d U P mode The API gateway transparently transmits the request to the AS The AS sends the user authentication request to the Provider service provider The Provider returns the authentication results o...

Page 18: ...as follows The Consumer sends the parameter with the id_token to the API gateway The API gateway saves the publicKey used for verification verifies and resolves the id_token to obtain the User informa...

Page 19: ...e KeyPair uses the RSA SHA256 encryption algorithm To guarantee security 2 048 bits are encrypted All KeyPairs used in the AS are in the JSON format The following is an example publicKey privateKey St...

Page 20: ...uiM2oiKtW3bAaBP uiR7sVMFcuB5baCebHU487YymJCBTfeCZtFdi6c4w0 dp gVCROKonsjiQCG s6X4j saAL016jJsw 7QEYE6uiMHqR _6iJ _uD1V8Vuec RxaItyc6SBsh24oeqsNoG7Ndaw7w912UVDwVjwJKQFCJDjU0v4oniItosKcPvM8M0TDUB1qZojuM...

Page 21: ...s toJson PrivateKey privateKey new RsaJsonWebKey JsonUtil parseJson privateKeyText getPrivateKey jws setKey privateKey String idToken jws getCompactSerialization eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg4NDgzNz...

Page 22: ...example obtaining the Token using U P Service APIs Used by the Provider to provide services The Consumer calls the obtained Token as an input parameter The OpenID Connect certification method is used...

Page 23: ...he Input parameter definition area a corresponding parameter must be defined Otherwise an error message is prompted as shown in the following figure Configuring the custom system parameters The servic...

Page 24: ...sing the RAM employees can use the sub accounts to view create manage and delete API groups APIs authorizations and throttling policies However the sub accounts are not the owner of resources whose op...

Page 25: ...policy For more information about how to view create modify and delete a custom authorization see Authorization policy management For more information about how to enter the authorization policy conte...

Page 26: ...region indicates the region You can also enter the wildcards which indicate all regions account id indicates the account ID such as 1234567890123456 You can also enter the wildcards relative id indica...

Page 27: ...ntid trafficco ntrol trafficcontrolId DeleteTrafficSpecialControl acs apigateway regionid accountid trafficco ntrol trafficcontrolId DeployApi acs apigateway regionid accountid apigroup groupId Descri...

Page 28: ...cs apigateway regionid accountid apigroup DescribeRulesByApi acs apigateway regionid accountid group groupId DescribeSecretKeys acs apigateway regionid accountid secretke y DescribeTrafficControls acs...

Page 29: ...rafficcontrolId RemoveAppsFromApi acs apigateway regionid accountid apigroup groupId RemoveBlackList acs apigateway regionid accountid blacklist blacklistid SetAccessPermissionByApis acs apigateway re...

Page 30: ...the intranet This authorization is only used for the API gateway to access corresponding backend resources The API gateway cannot access unauthorized resources or ports For example if only port 80 of...

Page 31: ...e the API gateway for access Click API Gateway Console Open API Authorize VPC and then click Create Authorization Go to the authorization page and enter corresponding information VPC name Indicates th...

Page 32: ...tion of other parameters for the API is consistent with that for other APIs Save the configuration The API creation is complete 3 Authorize a security group Optional You can skip this step if you use...

Page 33: ...backend service works in multiple VPC instances Why cannot I authorize my VPC Make sure that the VPC ID instance ID and port number are correct and that the authorization policy and VPC are within the...

Page 34: ...e interdependency among them may in turn restrict each of them during the process and mutual misunderstanding may influence the development progress or even delay the project schedule Therefore Mock i...

Page 35: ...t to the test or online environment for test or to the API debugging page for debugging based on your actual needs Debugging You can initiate an API call on the API debugging page to test the setting...

Page 36: ...r end which avoids unnecessary latency and improves efficiency In case of a large amount of requests the client can use this method to transmit the request data with only a few connections Header comp...

Page 37: ...future To Support HTTPS HTTPS is a protocol integrating HTTP and SSL It encrypts information and data to guarantee data transmission security HTTPS is widely used today The API gateway also supports...

Page 38: ...e and click Open API Group Management Click the group to which the SSL certificate is to be bound and check the group details Before binding the SSL certificate bind an Independent domain name to the...

Page 39: ...er binding the SSL certificate you can enable access over HTTP HTTPS or HTTP and HTTPS for APIs For security considerations we recommend that you configure all APIs to support access over HTTPS You ca...

Page 40: ...After the adjustment the API configuration is complete Your API supports access over HTTPS API Gateway User Guide for Providers 39...

Reviews:

No comments

Brands by name

Popular brands

Load more brands