API Gateway provides a high-performance, highly available API hosting service that helps users publish or access APIs on Alibaba Cloud products such as ECS and Container Service. It manages the entire API lifecycle, from release and management to maintenance, so that you can open up data or services quickly, at low cost and low risk, through simple operations.
Comprehensive monitoring and warning: API Gateway provides real-time visualized API monitoring, covering calling traffic, calling method, response time and error rate, and supports querying historical records for comprehensive analysis. You can also configure and subscribe to a warning method (SMS or email) to follow the running status of your APIs in real time.
API Gateway User Guide for Providers. Backend service address: the complete address that API Gateway uses to call the underlying service, made up of a domain name or IP plus a path, without query parameters. It may contain dynamic parameters, such as username (written as username), whose value can only be obtained from the path entered by the caller.
CaDomain: the domain name which sends the request
CaRequestHandleTime: request time (Greenwich Mean Time)
CaAppId: ID of the app which sends the request
CaRequestId: RequestId
CaApiName: API name
The protocol (HTTP or HTTPS) used by...
Domain name and certificate: API Gateway locates the unique API group through the domain name, and the unique API through Path+HTTPMethod. Before enabling API services, you must know the second-level domain name and the independent domain name, as follows: the unique and fixed second-level domain name is assigned by the system when the group is created.
Test, production, and authorization: to test or enable an API, authorization is indispensable. Authorization means granting an app the permission to call an API. Note that you can authorize the app you created and access the second-level domain name to call the API.
API authorization management: you can establish or revoke the authorization relationship between an API and an app; API Gateway verifies this permission relationship. During authorization, pay attention to the following points: you can authorize one or more APIs to one or more apps. We recommend that you do not operate APIs in multiple groups at the same time during a batch operation.
An Alibaba Cloud account may have multiple apps. User traffic limit: the traffic limit for an Alibaba Cloud account is the limit on the total traffic of all apps in that account. For example, the limit may be 500,000 calls per day.
Monitoring and warning: the API Gateway console provides visualized API monitoring and warning in real time. You can obtain the calling status of an API, including calling traffic, calling method, response time, and error rate. API Gateway displays statistics on the calling status from multiple dimensions and in multiple time units, and supports querying historical data for comprehensive analysis.
(including Header and Query) cannot exceed 128 Kb. Backend Signature Demo Overview: API Gateway provides a signature verification function for backend HTTP services. To enable backend signature, you must create a signature key and bind the key to the corresponding API. (Keep this key properly; API Gateway encrypts and stores the key to guarantee its security.) After backend signature is enabled, API Gateway adds signature information to each request destined for the backend HTTP service. The backend HTTP service reads the gateway's signature string and performs a local signature calculation over the received request to check whether the gateway signature and the local result are consistent.
Description of Content-MD5: Content-MD5 is the MD5 value of the body. It is calculated only when the HTTPMethod is PUT or POST and the body is not a form. The calculation method is as follows (Java, commons-codec Base64; MD5() denotes the raw 16-byte digest):
    String contentMD5 = Base64.encodeBase64String(MD5(bodyStream.getBytes("UTF-8")));...
To access and debug the backend signature conveniently, you can enable Debug mode. The debugging procedure is as follows: add X-Ca-Request-Mode = debug to the header of the request sent to API Gateway. The backend service can then read X-Ca-Proxy-Signature-String-To-Sign from the header; because a linefeed is not allowed in an HTTP header, each linefeed in the string-to-sign is replaced with "|".
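A local signature check of the kind the backend HTTP service performs, written here as an added example rather than code from the guide. Only the Content-MD5 definition and the "|" substitution in the debug header come from the page; the signature header name X-Ca-Proxy-Signature, the algorithm Base64(HMAC-SHA256(key, string-to-sign)), and the three-line layout of the constructed string-to-sign (method, Content-MD5, path) are assumptions, because the guide's exact string-to-sign layout is not reproduced in this extract.

```python
import base64
import hashlib
import hmac

# The string-to-sign header is the one the page names; the signature header
# name and the HMAC-SHA256 algorithm below are assumptions for this example.
SIGNATURE_HEADER = "X-Ca-Proxy-Signature"
STRING_TO_SIGN_HEADER = "X-Ca-Proxy-Signature-String-To-Sign"


def content_md5(body: bytes) -> str:
    """Content-MD5 as the page defines it: Base64 of the raw MD5 digest of the body."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def restore_string_to_sign(debug_value: str) -> str:
    """Debug mode replaces linefeeds with '|' because HTTP headers cannot carry them."""
    return debug_value.replace("|", "\n")


def compute_signature(secret: str, string_to_sign: str) -> str:
    """Assumed algorithm: Base64(HMAC-SHA256(secret, string_to_sign))."""
    digest = hmac.new(secret.encode("utf-8"), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_backend_request(method: str, headers: dict, body: bytes, secret: str) -> tuple:
    """Local signature check over a gateway request. Returns (ok, reason).

    Header lookup is case-insensitive, as HTTP header names are.
    """
    h = {k.lower(): v for k, v in headers.items()}
    received_sig = h.get(SIGNATURE_HEADER.lower())
    debug_sts = h.get(STRING_TO_SIGN_HEADER.lower())
    if received_sig is None or debug_sts is None:
        return False, "signature headers missing"

    string_to_sign = restore_string_to_sign(debug_sts)

    # For PUT/POST with a non-form body the gateway signs Content-MD5: recompute it
    # from the bytes actually received and require the signed string to carry it,
    # so that a body altered in transit cannot pass with an otherwise valid signature.
    if method.upper() in ("PUT", "POST") and body:
        expected_md5 = content_md5(body)
        if h.get("content-md5") != expected_md5:
            return False, "Content-MD5 header does not match body"
        if expected_md5 not in string_to_sign.split("\n"):
            return False, "signed string does not bind the body digest"

    expected_sig = compute_signature(secret, string_to_sign)
    # Constant-time comparison so the check leaks nothing about the expected value.
    if not hmac.compare_digest(expected_sig, received_sig):
        return False, "signature mismatch"
    return True, "ok"


def build_sample_request(secret: str, body: bytes, tamper: bool = False) -> tuple:
    """Constructed gateway request for demonstration. The string-to-sign layout
    (method, Content-MD5, path) is an assumption, not the gateway's exact format."""
    md5 = content_md5(body)
    string_to_sign = "\n".join(["POST", md5, "/orders"])
    headers = {
        "Content-MD5": md5,
        STRING_TO_SIGN_HEADER: string_to_sign.replace("\n", "|"),
        SIGNATURE_HEADER: compute_signature(secret, string_to_sign),
    }
    delivered_body = body + b"x" if tamper else body  # simulate in-transit alteration
    return "POST", headers, delivered_body


if __name__ == "__main__":
    secret = "example-signature-key"  # constructed; the real key is the one bound in the console
    print(verify_backend_request(*build_sample_request(secret, b'{"id":1}'), secret))
    print(verify_backend_request(*build_sample_request(secret, b'{"id":1}', tamper=True), secret))
```

Reading the string-to-sign out of the debug header is a convenience for checking your implementation against the gateway's. A production backend must build the string-to-sign from the request it actually received rather than trusting the header; otherwise a valid signature over a string that does not describe this request would be accepted.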
APIs. Authorization APIs: interfaces used to issue a Token to the client. When configuring such APIs, you must tell the API gateway the key corresponding to your Token and the public key used to parse the Token. Service APIs: interfaces used to obtain user information and perform operations. When configuring such APIs, you must tell the API gateway which request parameter carries the Token.
After receiving the request, the API gateway authenticates your AppKey first (this step applies to the OpenID Connect & Alibaba Cloud APP mode, not to the OpenID Connect mode alone). If that authentication succeeds, the API gateway calls the account system of the backend service to authenticate your user name/password.
API in the API gateway as follows. As shown in the preceding figure, the process is as follows: the Consumer (caller) sends an id_token authentication request to the API gateway, for example in user name+password (U+P) mode. The API gateway transparently passes the request through to the AS.
The Consumer sends the parameter carrying the id_token to the API gateway. The API gateway, which holds the publicKey used for verification, verifies and parses the id_token to obtain the User information and sends it to the Provider. If verification fails, the API gateway returns an error message.
Use the OIDC in the AS to generate the id_token: the id_token, also known as the ID Token, is a token type defined by the OIDC protocol. For more information, see OpenID Connect Core 1.0.
(The guide's sample private key in JWK format is truncated in this extract; the visible members are "n" (partial), "e":"AQAB", "d", "p", "q", "dp", "dq" and "qi".)
Example of generating a KeyPair (Java):
    import java.security.PrivateKey;
    import org.jose4j.json.JsonUtil;
    import org.jose4j.jwk.JsonWebKey;
    import org.jose4j.jwk.RsaJsonWebKey;
    import org.jose4j.jwk.RsaJwkGenerator;
    import org.jose4j.jws.JsonWebSignature;

    // Generate a 2048-bit RSA key pair as a JWK. Keep the private JSON in the AS;
    // the public JSON is what you give the API gateway to verify the id_token.
    RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);
    String privateKeyText = rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
Sign the id_token with the private key:
    JsonWebSignature jws = new JsonWebSignature();
    jws.setPayload(claimsJson);                 // JSON claims such as sub, aud, exp, iat, nbf, jti
    jws.setAlgorithmHeaderValue("RS256");       // the example token below is RS256-signed
    PrivateKey privateKey = new RsaJsonWebKey(JsonUtil.parseJson(privateKeyText)).getPrivateKey();
    jws.setKey(privateKey);
Use the JWS to obtain the value of the id_token. Code example (Java):
    String idToken = jws.getCompactSerialization();
Example of a generated id_token (signature truncated in this extract):
eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg4NDgzNzI3NTU2OTI5MzI2NzAzMzA5OTA0MzUxMTg1ODE1NDg5In0.eyJ1c2VySWQiOiIzMzcwMTU0NDA2ODI1OTY4NjI3IiwidGFnTmFtZSI6ImNvbmFuVGVzdCIsImV4cCI6MTQ4MDU5Njg3OSwiYXVkIjoiQWxpX0FQSV9Vc2VyIiwianRpIjoiTm9DMFVVeW5xV0N0RUFEVjNoeEIydyIsImlhdCI6MTQ4MDU5MzI3OSwibmJmIjoxNDgwNTkzMjE5LCJzdWIiOiJ7ZGF0YU1hcD0ne3VzZXJJZD0zMzcwMTU0NDA2ODI1OTY4NjI3fScsIHN0YXR1c0NvZGU9JzAnLCBlcnJvcnM9J1tdJ30ifQ.V3rU2VCziSt6uTgdCktYRsIwkMEMsO_jUHNCCIW_Sp4qQ5ExjtwNt9h9mTGKFRujk2z1E0k36smWf9PbNGTZTWmSYN8rvcQqdsupcC6LU9r8jreA1Rw1CmmeWY4HsfBfeInr1wCFrEfZl6_QOtf3raKSK9AowhzEsnYRKAYuc297gmV8qlQdevAwU75qtg8j8ii3hZpJqTX67EteNCHZfhXn8wJjckl5sHz2xPPyMqj8CGRQ1wrZEHjUmNPw-unrUkt6neM0UrSqcjlrQ25L8PEL2TNs7nGVdl6iS7Nasbj8fsERMKcZbP2RFzOZfKJuaivD306cJIpQwxfS1u2be
Configure an API in the API gateway...
On the API editing page, the OpenID Connect option is added under Security certification in Basic Info. The Alibaba Cloud App certification method is also included, which means that only authorized apps can call this API.
For service APIs, you must configure the parameter corresponding to the Token. As shown in the preceding figure, the parameter corresponding to the Token is the one that carries the id_token when the Consumer calls the API. The API gateway identifies, verifies, and parses this parameter.
ApiGateway_RAM: the API gateway is integrated with Alibaba Cloud Resource Access Management (RAM) so that multiple employees in an enterprise can perform permission-based API management. The API provider can create sub-accounts for employees and allow different employees to manage different APIs.
permissions. AliyunApiGatewayFullAccess: an administrator privilege that can manage all resources under the primary account, including API groups, APIs, throttling policies, and applications. AliyunApiGatewayReadOnlyAccess: allows viewing all resources under the primary account, including API groups, APIs, throttling policies, and applications, but not operating on them.
You can also enter the wildcard *, which indicates all regions. account-id indicates the account ID, such as 1234567890123456; you can also enter the wildcard *. relative-id indicates the resource description related to the API gateway; its format resembles the tree-like structure of a file path. Example:...
VPC and a traditional IDC through a leased line, VPN, or GRE to build hybrid cloud services. The API gateway also supports opening APIs for a service deployed in a VPC instance. Before reading this document, make sure that you understand how to use VPC.
The API gateway cannot access unauthorized resources or ports. For example, if only port 80 of Server Load Balancer 1 in VPC 1 is authorized to the API gateway, the API gateway can access only that port. 1.1 Prepare a VPC environment: (1) buy Server Load Balancer and ECS instances in the VPC environment and build the service.
Port number: the port on which your backend service is called. 1.2 Authorize the API gateway for access: click API Gateway Console > Open API > Authorize VPC, then click Create Authorization. On the authorization page, enter the corresponding information.
Click OK to complete the authorization. Repeat the preceding steps if you have multiple VPC instances or need to authorize multiple instances and ports. 2 Create an API: the process for creating this API is the same as for any other API. For more information, see Create an API.
Make sure that the VPC ID, instance ID, and port number are correct and that the authorization policy and the VPC are in the same region. If I authorize the API gateway, is my VPC secure? If you authorize the API gateway to access your VPC, the network between the gateway and the VPC is...
Security restrictions are implemented, so VPC security issues will not occur. Security control over authorization: only the owner of the VPC can perform the authorization. Exclusive channel between the API gateway and the VPC after authorization: no one else can use this channel.
Mock return results in JSON, XML, or file format. For example: "result": { "title": " Mock test for API Gateway", Save the Mock configuration and release it to the test or online environment for testing, or to the API debugging page for debugging, according to your needs.
HTTP 2.0: API Gateway supports the new features of HTTP 2.0, multiplexing and request header compression. Multiplexing: the dependency on multiple connections for concurrently processing and sending requests and responses in HTTP 1.x is eliminated; the client and server can divide...
HTTPS is widely used today, and the API gateway supports HTTPS to encrypt your API requests. The setting is per API: you can configure each API to support only HTTP, only HTTPS, or both.
Step 2: Bind the SSL certificate. After preparing the preceding materials, log on to the API gateway console and click Open API > Group Management. Click the group to which the SSL certificate is to be bound and check the group details.
Certificate name: a custom name for later identification. Certificate content: the complete content of the certificate; copy everything in XXXXX.pem. Private key: the private key of the certificate; copy the content of XXXXX.key.
After the adjustment, the API configuration is complete and your API supports access over HTTPS.