Introducing Spring Cloud Gateway and API Hub for VMware Tanzu
Alexey Nesterov and Gareth Clay
Disclaimer
The following is intended to outline the general direction of VMware's offerings. It is intended for information purposes only and may not be incorporated into any contract. Any information regarding pre-release of VMware offerings, future updates or other planned modifications is subject to ongoing evaluation by VMware and is subject to change. This information is provided without warranty of any kind, express or implied, and is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions regarding VMware's offerings. These purchasing decisions should only be based on features currently available. The development, release, and timing of any features or functionality described for VMware's offerings in this presentation remain at the sole discretion of VMware. VMware has no obligation to update forward-looking information in this presentation.
VMware Tanzu Application Service (TAS)
cf push
cf create-service
cf bind-service
Best of Spring Open Source with VMware Tanzu Integration
Getting started with Spring Cloud Gateway
Function of an API Gateway
(diagram: clients reach api1, api2 and api3 through gateway/api1, gateway/api2, gateway/api3 and gateway/*; the backends app1/api1, app2/api2, vm/api2 and vm/api3 sit behind the gateway and are not called directly ❌)
What is a Route?
Routes define how the Gateway will process incoming requests
Each Route is composed of Predicates, Filters and a URI
Predicates determine whether the Route matches any given request
Filters apply behaviour to matching requests or their responses
The URI determines where the request will be forwarded after filtering
Let’s Create a Gateway
cf create-service p.gateway standard my-gateway -c '{
  "routes": [{
    "predicates": [
      "Path=/a/**",
      "Method=GET,POST"
    ],
    "filters": [
      "StripPrefix=1"
    ],
    "uri": "http://example.com"
  }]
}'
Or, using the simplified route keys:
cf create-service p.gateway standard my-gateway -c '{
  "routes": [{
    "path": "/a/**",
    "method": "GET,POST",
    "uri": "http://example.com"
  }]
}'
Service Bindings
Exposing a route to an app running on the Tanzu application platform is simpler:
cf bind-service my-app my-gateway -c '{
  "routes": [{
    "path": "/a/**",
    "method": "GET,POST"
  }]
}'
To remove routes:
cf unbind-service my-app my-gateway
Container to Container Networking
(diagram: gateway.example.com on TAS serves the paths /app1 and /app2 over internal routes app1.apps.internal 🔐 and app2.apps.internal 🔐, alongside the external route app1.apps.example.com)
Updating Routes
To update routes that were created at Gateway creation time, use:
cf update-service my-gateway -c '{"routes": [...]}'
Binding and unbinding is one way to modify routes to on-platform apps after the Gateway has been created.
Another way is to use the Gateway’s bound-apps actuator API:
curl -X PUT https://<gateway uri>/actuator/bound-apps/<app id>/routes \
  -d "@./updated-route-config.json" \
  -H "Authorization: $(cf oauth-token)" \
  -H "Content-Type: application/json"
Spring Cloud Gateway Predicates
After a certain datetime?
Before a certain datetime?
Between two datetimes?
Cookie matches a regex?
Header value matches a regex?
Host matches a pattern list?
HTTP Method matches a list?
URI Path matches a pattern?
URI Query matches a regex?
RemoteAddr matches CIDRs?
Weight within a route group
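As an added example (not code from the slides or from Spring Cloud Gateway itself), this Python sketch evaluates the slide's Path/Method/StripPrefix route together with Header and RemoteAddr predicates from the list above, so you can see which upstream URL a request is forwarded to. The admin route, its X-Env header, the CIDR and every request value are constructed; the Ant-pattern and StripPrefix semantics follow Spring Cloud Gateway's documented behaviour.

```python
import ipaddress
import re
def ant_to_regex(pattern):
    """Translate an Ant-style path pattern such as '/a/**' into a compiled regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):   # '/**' also matches the bare parent path
            out, i = out + "(?:/.*)?", i + 3
        elif pattern[i] == "*":            # '*' never crosses a '/' segment boundary
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def predicate_matches(predicate, req):
    """Evaluate one 'Name=args' predicate string against a request dict."""
    name, _, arg = predicate.partition("=")
    if name == "Path":
        return any(ant_to_regex(p).match(req["path"]) for p in arg.split(","))
    if name == "Method":
        return req["method"] in arg.split(",")
    if name == "Header":                   # Header=<name>,<regex>
        hname, _, regex = arg.partition(",")
        value = req.get("headers", {}).get(hname)
        return value is not None and re.fullmatch(regex, value) is not None
    if name == "RemoteAddr":               # RemoteAddr=<cidr>[,<cidr>...]
        addr = ipaddress.ip_address(req["remote_addr"])
        return any(addr in ipaddress.ip_network(c, strict=False) for c in arg.split(","))
    raise ValueError("unsupported predicate: " + name)

def route_request(routes, req):
    """Return the upstream URL chosen by the first matching route, or None."""
    for route in routes:
        if not all(predicate_matches(p, req) for p in route["predicates"]):
            continue
        path = req["path"]
        for flt in route.get("filters", []):
            fname, _, arg = flt.partition("=")
            if fname != "StripPrefix":
                raise ValueError("unsupported filter: " + fname)
            path = "/" + "/".join(path.split("/")[1 + int(arg):])  # drop N leading segments
        return route["uri"].rstrip("/") + path
    return None

ROUTES = [  # the slide's route, followed by a constructed internal-only admin route
    {"predicates": ["Path=/a/**", "Method=GET,POST"], "filters": ["StripPrefix=1"],
     "uri": "http://example.com"},
    {"predicates": ["Path=/admin/**", "RemoteAddr=10.0.0.0/8", "Header=X-Env,prod|stage"],
     "uri": "http://admin.apps.internal"},
]
```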
Filters
Filters let you act on the request and the response:
Add, remove, modify headers, map values, add security headers
Rewrite path, extract segments, add / remove prefix
Redirect users
Retry and use Circuit Breaker
Change response status
And even more in Spring Cloud Gateway for TAS!
Single Sign-On
(diagram: route /app1 on TAS protected by SSO; labels SAML, OpenID, JWT Token)
"sso-enabled": true
With SSO enabled, a route can additionally require scopes and roles:
"sso-enabled": true,
"scopes": [ "accounts.view" ],
"roles": [ "Auditor" ]
A token carrying only "scope": [ "openid" ], "roles": [ "Support" ] does not satisfy this route ❌
Token Relay
(diagram: SSO-protected route /app1 on TAS; labels SAML, OpenID, JWT Token)
"sso-enabled": true,
"token-relay": true
With token relay on, the Gateway forwards the user’s token to the app as:
Authorization: Bearer <token>
The binding credentials carry the auth domain, whose public keys are published at its token_keys endpoint:
"credentials": {
  "auth_domain": "https://test.example.com/"
}
Public keys: https://test.example.com/token_keys
End-to-end mTLS
(diagram, all on TAS: client 🤝 TLS 🤝 TAS Gorouter 🤝 mTLS 🤝 Gateway container 🤝 mTLS 🤝 Application container; the client certificate travels in the XFCC header)
Client Certificate validation
cf bind-service my-app my-gateway -c '{
  "routes": [{
    ...,
    "filters": ["ClientCertificateHeader=*.example.com,sha-1:aa:bb:00:99"]
  }]
}'
This filter checks:
• the client certificate presented in inbound requests for chain of trust (always)
• (optionally) certificate Common Name value
• (optionally) SHA-1 or SHA-256 fingerprint
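An added Python illustration of the three checks listed above (not the filter's real implementation), parsing the filter argument in the slide's <CN pattern>,<algo>:<fingerprint> form. The certificate bytes are constructed, the chain-of-trust verdict is passed in rather than computed, the single-label wildcard rule is an assumption, and the slide's sha-1:aa:bb:00:99 is abbreviated whereas the comparison here expects the full digest.

```python
import hashlib
import hmac

def parse_client_cert_filter(arg):
    """Split '<cn pattern>,<algo>:<hex fingerprint>' as used in the slide's filter string."""
    cn_pattern, _, fingerprint = arg.partition(",")
    if not fingerprint:
        return cn_pattern or None, None, None
    algo, _, digest = fingerprint.partition(":")
    return cn_pattern or None, algo.lower(), digest.replace(":", "").lower()

def cn_matches(pattern, cn):
    """Assumed wildcard rule: a leading '*.' stands for exactly one DNS label."""
    pattern, cn = pattern.lower(), cn.lower()
    if pattern.startswith("*."):
        first, _, rest = cn.partition(".")
        return bool(first) and rest == pattern[2:]
    return cn == pattern

def client_cert_ok(filter_arg, chain_trusted, subject_cn, cert_der):
    """Apply the filter's checks; chain_trusted is the TLS layer's chain-of-trust verdict."""
    if not chain_trusted:              # chain of trust is always required
        return False
    cn_pattern, algo, expected = parse_client_cert_filter(filter_arg)
    if cn_pattern and not cn_matches(cn_pattern, subject_cn):
        return False
    if algo:                           # optional pin to one exact certificate
        hasher = {"sha-1": hashlib.sha1, "sha-256": hashlib.sha256}.get(algo)
        if hasher is None:
            raise ValueError("unsupported fingerprint algorithm: " + algo)
        actual = hasher(cert_der).hexdigest()
        if not hmac.compare_digest(actual, expected):   # constant-time comparison
            return False
    return True

# Constructed stand-in for a DER-encoded client certificate (not a real certificate).
CERT_DER = b"constructed-client-certificate-bytes"
# Filter argument in the slide's format, pinning the full SHA-256 fingerprint of CERT_DER.
PINNED_FILTER = "*.example.com,sha-256:" + hashlib.sha256(CERT_DER).hexdigest()
```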
Rate Limiting
(diagram: gateway.example.com on TAS in front of /app with "rate-limit": "100,1s"; rate limiter state is shared through the In Memory Data Grid)
cf bind-service my-app my-gateway -c '{
  "routes": [{
    ...,
    "rate-limit": "100,1s"
  }]
}'
Prevents APIs from becoming overloaded by requests
Easily specify the maximum number of requests per time interval per route
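As an added example, not the Gateway's own limiter, this Python sliding-window limiter enforces a "100,1s"-style per-route limit and shows which requests in a burst would be rejected (the caller would answer 429). The interval suffixes other than s and the sliding-window (rather than fixed-window) behaviour are assumptions.

```python
import re
from collections import defaultdict, deque

_UNITS = {"ms": 0.001, "s": 1.0, "m": 60.0}   # only 's' appears on the slide; the rest are assumed

def parse_rate_limit(spec):
    """Parse '<max requests>,<interval>' such as '100,1s' into (100, 1.0 seconds)."""
    count, _, interval = spec.partition(",")
    m = re.fullmatch(r"(\d+)(ms|s|m)", interval.strip())
    if not count.strip().isdigit() or m is None:
        raise ValueError("bad rate-limit spec: %r" % spec)
    return int(count), int(m.group(1)) * _UNITS[m.group(2)]

class RouteRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `interval` seconds per route."""

    def __init__(self, spec):
        self.limit, self.interval = parse_rate_limit(spec)
        self._hits = defaultdict(deque)    # route -> arrival times of admitted requests

    def allow(self, route, now):
        """Admit a request arriving at `now` (seconds), or reject it (the caller answers 429)."""
        hits = self._hits[route]
        while hits and now - hits[0] >= self.interval:   # expire hits that left the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

def run(spec, events):
    """Replay (route, arrival time) events through one limiter and return the verdicts."""
    limiter = RouteRateLimiter(spec)
    return [limiter.allow(route, at) for route, at in events]
```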
Other Features
High Availability
Using the count parameter you can horizontally scale your Gateway to a given number of instances:
cf create-service p.gateway standard my-gateway -c '{
  "count": 5
}'
When count is greater than one, the Gateway instances use an in-memory data grid to form a cluster. This is used to store shared state, such as session and rate limiter data.
Host and Domain
By default, a Gateway instance will be given an external URI of
<gateway service name>.<your platform apps domain>
But of course this is configurable!
To map an external URI with a different hostname and domain:
cf create-service p.gateway standard my-gateway -c '{
  "host": "api",
  "domain": "my-domain.com"
}'
Cross Origin Resource Sharing (CORS) Configuration
Gateway can be configured to handle CORS requests:
cf create-service p.gateway standard my-gateway -c '{
  "cors": {
    "allowed-origins": [ "https://example.com" ],
    "allowed-methods": [ "GET", "POST" ],
    "allowed-headers": [ "X-Custom-Header" ],
    "allow-credentials": true,
    "max-age": 300,
    "exposed-headers": [ "X-Custom-Header" ]
  }
}'
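An added Python example (not Gateway code) that applies the slide's cors block to a browser preflight and to the actual response, showing which origins, methods and headers get through and why exact origin matching matters. The foreign origins and header names used for checking are constructed.

```python
CORS_CONFIG = {                      # the "cors" block from the slide
    "allowed-origins": ["https://example.com"],
    "allowed-methods": ["GET", "POST"],
    "allowed-headers": ["X-Custom-Header"],
    "allow-credentials": True,
    "max-age": 300,
    "exposed-headers": ["X-Custom-Header"],
}

def origin_allowed(cfg, origin):
    """Exact match against the allow-list: no prefix, suffix or regex matching."""
    return origin in cfg["allowed-origins"]

def preflight_response(cfg, origin, requested_method, requested_headers=()):
    """Headers for an OPTIONS preflight, or None when the browser must block the call."""
    if not origin_allowed(cfg, origin):
        return None
    if requested_method not in cfg["allowed-methods"]:
        return None
    allowed = {h.lower() for h in cfg["allowed-headers"]}
    if any(h.lower() not in allowed for h in requested_headers):
        return None
    headers = {
        "Access-Control-Allow-Origin": origin,          # echo the one allowed origin, never '*'
        "Access-Control-Allow-Methods": ", ".join(cfg["allowed-methods"]),
        "Access-Control-Allow-Headers": ", ".join(requested_headers),
        "Access-Control-Max-Age": str(cfg["max-age"]),
        "Vary": "Origin",                               # keep caches from mixing origins
    }
    if cfg.get("allow-credentials"):
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def actual_response_headers(cfg, origin):
    """CORS headers added to the real (non-preflight) response for an allowed origin."""
    if not origin_allowed(cfg, origin):
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if cfg.get("exposed-headers"):
        headers["Access-Control-Expose-Headers"] = ", ".join(cfg["exposed-headers"])
    if cfg.get("allow-credentials"):
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def credentials_with_wildcard(cfg):
    """Browsers reject this combination; it also usually means the allow-list is too broad."""
    return bool(cfg.get("allow-credentials")) and "*" in cfg["allowed-origins"]
```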
API Hub
(if only there was some way to see all these APIs together… 🤔)
Summary and documentation
Version
Available paths and methods
Security configuration
Rate limiting configuration
Available response codes
“Try it out” button
API Hub – how it works
(diagram: gateways such as gateway.example.com and gateway.domain.com on TAS expose an OpenAPI Spec to API Hub at api-hub.example.com)
Gateway and API Hub Demo
What’s Next for Gateway?