Deploying the API gateway next to your backend services not only reduces the network latency between backend service and the gateway, but it allows you to adhere to the security and compliance requirements of your organization. Additionally, you inherit the complete API management capabilities into your deployments such as API lifecycle management, OAuth token-based security with scope validation, throttling policies, statistics, anomaly detection, monetization, etc.

As an example, if your services are deployed in a container management system like Kubernetes on any cloud such as Alibaba, Google, AWS, Azure, etc., the gateway can be deployed as a container on the CMS while other API management components are deployed in WSO2 API Cloud.

Based on where your API consumer applications are deployed, API Gateway can be exposed to the public through a Kubernetes ingress/load balancer or run internally,  just like your backend services and consumers.

Internal API Consumer Applications

Gateway URLs are resolved using k8s service names, while backend services are deployed as APIs in API gateway using the k8s service names of the backend services.

External API Consumer Applications

The API gateway is exposed to external consumers using a load balancer or an ingress controller provided by your cloud vendor.

Hybrid API Management: WSO2 API Cloud

The API gateway pulls the API definitions from API Cloud and deploys the APIs. It connects to API Cloud to validate OAuth tokens and upload the API invocation events to perform analytics in API Cloud.

Trying out On-Prem Gateway on Alibaba Cloud

Create a Kubernetes Cluster

Follow the ‘Running Kubernetes on Alibaba Cloud’ document and create a Kubernetes cluster. Once you have successfully created the cluster, you can download the Kubernetes configuration file from Alibaba Cloud Console and update the ~/.kube/config. You can verify if it is connected to the correct cluster by listing the nodes(kubectl get nodes).

Create a namespace to try out the example.

kubectl create ns wso2-api-gateway

Deploy a Sample Backend Service

This is a stock quote service written in microservice framework for Java. You can use the below deployment.yaml and service.yaml to expose the microservice on Kubernetes.

Deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: stockquote-service
  name: stockquote-service
  namespace: wso2-api-gateway
spec:
  replicas: 2
  selector:
    matchLabels:
      app: stockquote-service
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: stockquote-service
    spec:
      containers:
      - image: manjula/stockquote-service:1.0.0
        imagePullPolicy: Always
        name: stockquote-service
        ports:
        - containerPort: 8080
          protocol: TCP
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler

kubectl create -f Deployment.yaml

Service.yaml

apiVersion: v1
kind: Service
metadata:
  labels:
    app: stockquote-service-k8s-service
  name: stockquote-service-k8s-service
  namespace: wso2-api-gateway
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: stockquote-service

kubectl create -f Service.yaml

Publish an API for the stockquote service

Login to WSO2 API Cloud, create, and publish the API.

1. Design the API

2. Connect with the backend service through Kubernetes service name

3. Configure security, throttling policies and publish

Invoke the Stockquote API

API portal allows the API consumers to discover the APIs, subscribe, and generate tokens to invoke the API.

Once tokens are generated, you can try to invoke the API from API Cloud itself, but as you have already figured out, it fails due to connectivity issues because the backend kubernetes service name is not exposed to the internet.

Deploy WSO2 On-Prem Gateway

WSO2 On-Prem gateway can be deployed as a Docker container. Refer to online documentation for more details. Use the below deployment.yaml file to deploy On-Prem gateway on Kubernetes. You only need to provide the user details (WSO2_CLOUD_ORG_KEY, WSO2_CLOUD_EMAIL, WSO2_CLOUD_PASSWORD) that you use to login to WSO2 API Cloud to configure the On-Prem gateway successfully.

Deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: wso2-on-prem-api-gateway 
  name: wso2-on-prem-api-gateway 
  namespace: wso2-api-gateway 
spec:
  replicas: 1 
  selector:
    matchLabels:
      app: wso2-on-prem-api-gateway 
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: wso2-on-prem-api-gateway 
    spec:
      containers:
      - env:
        - name: WSO2_CLOUD_ORG_KEY 
          value: gatewayanywhere
        - name: WSO2_CLOUD_EMAIL 
          value: manjula.cse@gmail.com 
        - name: WSO2_CLOUD_PASSWORD
          value: Password 
        image: manjula/wso2cloud-onprem-gateway:2.1.0
        imagePullPolicy: Always
        name: wso2-on-prem-api-gateway 
        ports:
        - containerPort: 8280
          protocol: TCP
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler

kubectl create -f Deployment.yaml

Check the On-Prem gateway availability status in API Cloud. If the status is not updated in API Cloud, you can get the logs of the container and identify the error such as invalid credentials etc.

Expose On-Prem gateway through a load balancer

kubectl expose deployment wso2-on-prem-api-gateway --type=LoadBalancer --namespace=wso2-api-gateway

To get the load balancer public IP, you can execute below command.

kubectl describe service wso2-on-prem-api-gateway --namespace=wso2-api-gateway

Invoke the stock quote API through the load balancer

You can replace the OAuth bearer token and load balancer IP in following cURL commands to get the response.

curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 35b22efd-6ba5-36e6-a176-005c36b70939' 'http://<<Load Balancer IP>>:8280/t/gatewayanywhere/stockquote/1.0.0/GOOG'

curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 35b22efd-6ba5-36e6-a176-005c36b70939' 'http://<<Load Balancer IP>>:8280/t/gatewayanywhere/stockquote/1.0.0/all'

Note: In the above example, only HTTP port was exposed but you can make use of both HTTPs and HTTP transports to expose your backend services as secured APIs to the internet.

API Statistics in API Cloud

Various statistics on API consumption are provided out of the box in API Cloud.

Summary

In this article, we demonstrated how to expose backend services deployed in a Kubernetes cluster on Alibaba Cloud as managed APIs using a Hybrid API deployment pattern where the On-Prem gateway is deployed in the Kubernetes cluster and complete API lifecycle is governed by WSO2 API Cloud.