About Us
Company Profile Chronology Chairman News Center Contact Us
Solutions
Bank
Core Business Solutions
Core Banking Solution
Loan Accounting Solution
Smart Deposit Solution
Cash Management Solution
Investment TA Solution
Credit Business
Big Data Solutions
Data Lake Solution
Data Asset Management Solution
Data Mid-tier Platform Solution
Business Management Solution
Customer Precision Marketing Solution
Market Risk Management Solution
Internal Capital Adequacy Assessment Solution
Unified Supervision and Submission Solution
Risk Weighted Asset Measurement and Application Management (RWA) Solution
Intelligent Risk Control Platform Solution
Intelligent Marketing Intermediate Platform Solution
Management Solutions
Financial Management Solution
Accounting Platform Solution
Management Accounting Solution
Performance Management Solution
Comprehensive Tax Management Solution
Comprehensive Budget Management Solution
Asset and Liability Management Solution
Treasury Business Solutions
Integrated Fund Management Solution
Financial Derivatives Solution
Sunline Treasury & Capital Market Solution
FXCORE Total FX Solution
Channel Business Solutions
Unified Front-end Solution
Agency Business Solution
Unified Payment Solution
Digital Business Solutions
End-to-end Credit Card Business Solution
Digital Banking Solution
Fintech Services
Omni-channel Marketing Management Solution
Financial Product Supermarket Business Solution
Scenario Consumer Credit Business Solution
Credit Business Solutions for SME
Products & Services
Products
Core Products
Core Business System SunLTTS
Bank Loan Business System
Smart Deposit Business System
Cash Management Business System
Digital Products
Digital Core System
Digital Financial Business Platform
Business Middle Office Center
Open Platform
Digital Loan Business System
Unified Payment Platform
Big Data Products
Data Warehouse
External Data Management Platform
Financial Data Mart
Risk Data Mart
Tag Management Platform
Smart Marketing Center
Data Service Platform
Indicator Management Platform
Decision Engine
Services
IT Consulting and Planning Services
Test Services
Training Services
IT Operation and Maintenance Services
Hardware Installation Services
Technologies
Microservices Framework Application Development Platform Open API Platform Unified Front-end Framework Financial Marketing Empowerment System
Customers & Partners
Our Customers Ecological Partners
Culture
Sunline’s Culture Working in Sunline
Investors
Announcements Equity Information Financial Releases Corporate Governance Investor Service Investor Protection
Stock Code: 300348
CN
Your Position:
Home > About Us > Fintech News > API Gateway in Enterprise-level Microser...
API Gateway in Enterprise-level Microservices Architecture
Sizzling News
2021.10.14

Since the birth of Sunline API Gateway, it has been applied in dozens of financial customer projects such as Bank of Communications, Bohai Bank, Minsheng Bank’s Credit Card Business, etc. with numerous production tests, displaying high performance and high reliability.

With the development of microservices architecture, the legacy coarse-grained application is divided into many fine-grained microservices. With each service having its own API services and the demands between services have become intricate and complicated, issues such as unified API management, API security, traffic forwarding, and traffic management have become particularly prominent.

Breaking the game—introducing the API gateway

How to solve the problems associated with the development of microservices architecture, an extra layer needs to be introduced between the client and the services as a reverse proxy that initiates request routing from the client to the services which is similar to the appearance pattern in object-oriented design, providing a single entry-point for the API that encapsulates the underlying system architecture, the API gateway.

In short, the API gateway uses a single and unified API entry point to combine one or more internal APIs. The API gateway takes over all ingress traffic and forwards all user requests to the back-end server, uniformly managing the entire life cycle of the API.

The function of the gateway is not as simple as that. The API will also perform traffic governance such as authentication, current limiting, permissions, fuse, protocol conversion, error code uniformity, caching as well as traffic monitoring such as logs, monitoring, alarms, and security precautions such as protocol security, Access security, message security, etc. With the gateway unifying the services, the business side can focus more on the business logic and improve iteration efficiency. Hence, the importance of API gateway is evident.

The API gateway brings multiple values to the microservices architecture system:

• Isolates the external and internal to ensure the security of back-end services.

• Transforms external access control from the network level to the operation and maintenance level, reducing the change process and error costs.

• Reduces the coupling between client and services, enabling independent development of services through the mapping of gateway layers.

• Reduces the frequency of external access and improve access efficiency through gateway layer aggregation.

• Saves cost of back-end service development and reduces risk of going online.

• Provides simple solutions for service fusing, grayscale release and online testing.

• Facilitates application-level expansion.

As the entrance of traffic, the non-functional characteristics of the gateway such as high performance, high availability and scalability are crucial.

Sunline API Gateway relies on its good scalability to continuously improving and enriching its functions to dock with many internal and external systems, expand multiple access and access protocols. The gateway also supports multiple traffic management strategies and provide more comprehensive security defense control.

The following is a detailed analysis of the design practice of Sunline's API gateway from three aspects: the overall design of API gateway, API governance design, and API security.

The overall design of Sunline API Gateway:

1. Technical architecture design with maximum functional decoupling

At present, the maximum functional decoupling is not achieved. On this basis, Sunline has innovated comprehensively. The gateway service is divided into two parts: the control end and the operation end which are operated separately, so that the gateway operation service is separated. External dependence truly decouples the gateway to the maximum extent.

The API gateway adopts a front-end and back-end separation architecture model, is developed in Java language and uses the current mainstream technology stack Spring Boot and Spring Cloud systems.

• The main function of the control terminal is to manage gateway configuration, UI interaction, push data to the gateway running terminal, etc. The control terminal and the server side have a clear division of labor so that the gateway running terminal that is really responsible for processing the request will strive to maximize resources.

• The running end of the gateway is the gateway service. The core mechanism is the filter chain mechanism, the access and output mechanism. The gateway running end is docked with a variety of basic components including the monitoring center, Registration center, link center, log center, configuration center, etc. In order to ensure that the parameters configured by the user are lost in push, the gateway operation service will also regularly pull data from the gateway management and control service to achieve the effect of two-way data synchronization.

2. Highly expandable design provides more comprehensive expansion

The gateway running side adopts SPI mechanism which greatly increases the scalability of the gateway. In addition to the filter extension and management function extension that are supported on the market, Sunline can also provide access protocol extension, encryption and decryption. The expansion of multiple locations such as mode and message greatly increase the scalability points of the gateway.

• The filter extension function of the gateway belongs to a filter chain in the entire project. Filter of the gateway can be chosen through dynamic configuration of the page, for example the addition of a certain authentication mechanism to expand the filter chain.

• Access extension on the basis of the existing gateway multi-protocol to extend an access protocol, such as Dubbo, TSF, etc.

• Encryption and decryption extension extend new algorithms and rules such as encrypt and decrypt request, response messages and add signature verification.

• Gateway request response secondary extension supports the modification of the access request and the received response at the gateway level.

• Extended gateway response code and response information extension of the gateway response to the code and information is used to adapt to various response code response format requirements.

Except for the filter extension, the other extensions are for inbound and outbound.

3. High-availability design-logical cluster division with easy management and maintenance

The gateway is divided into two services, the control end (data control) and the running end (API call), and they run separately. The running end uses local cache to store information without any read library operations. When the control end is Down, it can still continue. API call.

The gateway server adopts a stateless cluster architecture that can contain multiple gateway instances. The cluster can be classified as a logical instance with each instance corresponds to only one gateway control terminal to prevent data confusion. Compared to the physical cluster division that is commonly used on the market, this logical cluster division is better to manage and maintain.

The gateway control end will actively send heartbeat detection to the running end and the gateway running end will periodically synchronize data to the control end to prevent inconsistencies caused by abnormal data synchronization at the control end.

The client accesses the gateway instance through the load balancer. The load balancer can adopt soft load or hard load mode. The load balancer can use MS architecture to avoid single points of failure.

API governance design:

1. API current limit

Limits the number of times API is accessed, ensuring the service to run normally under pressure and prevent the service from crashing due to excessive traffic. Distributed current limiting is implemented by distributed cache Redis.

When a request enters the RateLimiter Filter, a set of keys will be constructed according to the current request, then judged whether Redis is available. If it is available, Redis will be used for cluster current.          

2. Fuse downgrade

When the service fails, in order to prevent the failure of the entire system, a fuse downgrade strategy is adopted for the system. Fuse downgrade processing can be performed according to dimensions such as the average response time, the proportion of abnormalities in seconds and the number of abnormalities in minutes.  

3. API routing

API routing refers to invoking routing to different back-end services. Gateways support routing based on client IP, ratio, caller and custom methods according to the invocation as well as also support priority configuration.

Four modes of API routing include IP mode, keyword mode, tenant mode and proportion mode.

API security:

1. Protocol security

In order to ensure the security issues in the process of accessing the API, the gateway has added support for https in the design and the access method of https can be used directly to access the API in the gateway.

2. Access security

In many cases, the API is directly exposed to the public network so it is likely to be accessed maliciously. What the gateway has to do is to prevent such malicious access from occurring. Through JTW authentication access, permission control, signature authentication, black and white lists as well as other means to reduce the risk of API will be maliciously accessed.

Compared to a single access security method, Sunline's access security is more comprehensive in addition to the existing access security as it can continue to expand other security methods:

• Through authority control interface authorized by the administrator, the client has authority to access. If it is not authorized, it will be intercepted at the gateway and the response will be given to the client without access rights.

• Through signature authentication, the request parameters are generated by the SHA256 algorithm | RSA | national secret and other operations to generate a signature value according to the rules. The gateway verifies the customer's signature and continues after the verification is successful, otherwise it will be directly intercepted.

• Black and white list verify configuration.

• Through JWT authentication, a token from the gateway is applied before accessing the API. Each time the API accesses the Token, the gateway will analyze the Token including Token validity period verification, access authority verification and visitor identity verification, proceeding and intercepting as necessary.

3. Message security

When the client calls the API, the security of the incoming message is very important. The gateway ensures the security of the message by encrypting/signing the message.

• Encryption of the message ensures the security of the message during the access process. In addition to the currently supported AES, DES, RSA and national encryption methods, other encryption and decryption methods can be extended through the SPI mechanism.

• Signing the message to ensure the integrity of the message during the access process in addition to the currently supported RSA, SHA256 and national secret methods. Other signing methods can also be extended through the SPI mechanism.

4. Traffic safety

As an entrance of all applications, the gateway carries the access of massive traffic and the pressure of malicious traffic attacks that may erupt at any time. Therefore, flow control is a necessary part of gateway security to ensure the normal operation of the service and prevent the service from crashing due to excessive traffic.

Summary

In the rich practice of financial customers, Sunline believes that as a portal for enterprise capabilities, API gateways not only have basic request forwarding, protocol conversion, routing, security control and other functions but also high performance and high stability. It needs to have good scalability to facilitate the continuous enhancement of gateway capabilities. During the implementation of the gateway, it is necessary to plan the interaction between the gateway layer and the service layer. The decoupling of the gateway layer and the service layer to facilitate the independence of the work of each team and at the same time, in the management of the API, it is necessary to provide the full life cycle of the API to support management functions such as publishing, configuration, authentication, flow control and monitoring.

Whether it is microservices, distributed architecture or grid service architecture, API gateway is an indispensable part. As the traffic changes between services show explosive growth, API gateway serves as the system entry, playing an increasingly important role in the performance and reliability improvement of the system.


Related News
DevOps Practices | Continuous Integrated Testing Platform, Guaranteed Efficient Delivery
Sizzling News
2022.08.12
DevOps Practices|Agile Iteration to Enable Efficient Collaboration Among R&D Teams
Sizzling News
2022.08.05
DevOps Practices | One-stop DevOps Platform Makes a Huge Difference in R&D
Sizzling News
2022.07.29
Let’s spread China's financial technology globally
Sunline can empower your digital transformation