APIs that are created in API Gateway can be called by clients and also by API Gateway. API Gateway can call APIs in the same region over internal networks or across regions over the Internet. API Gateway can also call an API across accounts by using an AccessKey pair of an authorized application to bind a backend signature plug-in of the APIGW_FRONTEND type. Before API Gateway calls an API, API Gateway uses the AccessKey pair to generate a signature and sends the signature to the API for authentication. The Call by API Gateway feature can be used in the following typical scenario: You create an API that is used to route requests. A backend routing plug-in and a backend signature plug-in are bound to the API. The backend routing plug-in routes requests to other APIs based on request parameters.
1. Configuration example
1.1 Configure business APIs
If you want API Gateway to call your API over a virtual private cloud (VPC), you must perform the following steps in the API Gateway console: purchase a dedicated instance, migrate the API group to which the API belongs to the dedicated instance, and manually generate an internal domain name for VPC-based API calls.
1.1.1 Enable the Call by API Gateway feature
Log on to the API Gateway console.
In the left-side navigation pane, choose Instances and Clusters > Dedicated Instances. Find the desired dedicated instance on the Instances tab and click Enable beside Calls from API Gateway.
1.1.2 Generate internal domain names for API calls
Create two API groups on the instance. Then, click each of the groups and generate an internal domain name.
For example, the following two internal domain names are generated:
17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com
c6e984b2dd784c0fb843f7c2a8878b15-cn-huhehaote-intranet.alicloudapi.com
1.1.3 Create an API in each of the groups
Create an API in each API group. Set the Security Authentication parameter to Alibaba Cloud App for both APIs. The following examples show the assumed attributes of the two APIs:
API1: Method: GET Path: /business1 Backend service URL:
http://backend1.alicloudapi.com:8080/business1
API2 Method: GET Path: /business2 Backend service URL:
http://backend2.alicloudapi.com:8080/business2
1.1.4 Authorize an application to call the APIs
Authorize the same application to call both APIs. In this example, the application has the following AccessKey pair: KEY:TESTKEY SECRET:TESTSECRET
1.2 Configure the distribution API
1.2.1 Create the distribution API
Create a distribution API that can be anonymously accessed. Configure GET as its HTTP method, /distributeAPI as its path, and 17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com
as the domain name of the API group to which it belongs.
1.2.2 Create and bind a backend routing plug-in
Create a backend routing plug-in and bind the plug-in to the API.
---
parameters:
target: "Query:target"
routes:
- name: backend1
condition: "$target = 'resource1'"
backend:
type: "HTTP"
address: "17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com"
path: "/business1"
- name: backend2
condition: "$target = 'resource2'"
backend:
type: "HTTP"
address: "c6e984b2dd784c0fb843f7c2a8878b15-cn-huhehaote-intranet.alicloudapi.com"
path: "/business2"
The preceding plug-in code specifies that the plug-in routes a received request based on the value of the target parameter in the query section of the request. If the value is resource1, the plug-in forwards the request to 17ff4c9189004a1d87b557606b767334-cn-huhehaote-intranet.alicloudapi.com, and the path of the request is changed to /business1. If the value is resource2, the plug-in forwards the request in the same way.
1.2.3 Create and bind a backend signature plug-in
Create a backend signature plug-in and bind the plug-in to the API.
---
type: APIGW_FRONTEND
key: TESTKEY
secret: TESTSECRET
signatureMethod: HmacSHA256
The preceding plug-in code specifies that the plug-in calculates a signature based on the content of a received request and the signature algorithm used by the front end. Then, the plug-in adds the calculated signature to the request and sends the request to the backend service.
2. Call the distribution API
Before you call the API, make sure that all involved APIs are published and properly tested.
curl 'http://17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com/distributeAPI?target=resource1' -i
The following code snippet shows a sample request that is sent to a backend service:
GET /business1 HTTP/1.1
User-Agent: curl/7.64.1
Via: 0045e52ee3a8400b8501b4c449b28779
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Forwarded-Proto: http
X-Forwarded-For: 192.168.XX.XX, 127.0.0.1
Host: backend1.alicloudapi.com:8080
X-Ca-Request-Id: 23853B41-C54D-45E9-8C43-EE4C1E8A7889
Via: bc48a42a3d17408b991b0bb4d18c23c0
curl 'http://17ff4c9189004a1d87b557606b767334-cn-huhehaote.alicloudapi.com/distributeAPI?target=resource2' -i
The following code snippet shows another sample request that is sent to a backend service:
GET /business2 HTTP/1.1
User-Agent: curl/7.64.1
Via: 0045e52ee3a8400b8501b4c449b28779
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Forwarded-Proto: http
X-Forwarded-For: 192.168.XX.XX, 127.0.0.1
Host: backend2.alicloudapi.com:8080
X-Ca-Request-Id: AFD529D2-9B24-437E-8CEC-897E0BCD8B2F
Via: bc48a42a3d17408b991b0bb4d18c23c0