
91APP's API Gateway Adoption Journey


* AWS Summit Taipei 2018
* Title: 91APP - API Gateway Adoption Journey
* Date: 2018/06/28


  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Rick Hwang, Sr. Manager, 91APP. June 28, 2018. 91APP's API Economics and the Journey of Adopting API Gateway.
  2. Agenda
     ● About 91APP
     ● What problems did we run into?
     ● What we expect from new technology
     ● Considerations in adopting API Gateway
     ● A precursor architecture for microservices
     ● API economics
  3. About 91APP (June 2018)
  4. Taiwan's largest and fastest-growing new-retail service provider
     - Founded in 2013
     - More than 20 years of retail and e-commerce experience
     - Management team formerly of Yahoo! and 興奇科技
  5. Best business model: a new-retail solution for brands
     - Rapidly builds eCommerce, O2O, Omni-Channel CRM, retail AI applications and integrated digital media marketing
     - Won the "Innovative Business Award / Best Business Model" three years in a row
     - Selected for the "Deloitte Asia Pacific Technology Fast 500" (ranked 152nd, Deloitte Technology Fast 500 Asia Pacific)
  6. Trusted by more than 10,000 brand customers
  7. Headquartered in Taipei / 320 people
  8. Chosen by well-known domestic and international brick-and-mortar retail brands
  9. Rick Hwang, https://www.gtcafe.com
     ● Sr. Manager @ 91APP
     ● Cloud / AWS
     ● DevOps / SRE
     ● Distributed Systems
     ● Management
     ● Music: guitar, keyboard, arranging
     ● Philosophy, science fiction, Jin Yong (金庸)
  10. Before we start: what problems did we run into? What do we expect?
  11. Problem 1: the legacy API
  12. Legacy API
     ● The authentication mechanism is overly complex
     ● Resource / Method design is poor and out of step with current practice
     ● Payload data structures are complex
  13. Problem 2: defenses are not robust enough
  14. Defenses are not robust
     ● Abnormal attack traffic is absorbed by adding resources (more machines)
       ○ Moving to ALB + WAF solves this
     ● API control mechanisms are inadequate
       ○ Different customers hold different KeySets, but their permissions cannot be controlled individually
     ● No way to limit traffic (Rate Limit)
  15. Problem 3: external integration capability
  16. (Diagram: customer integrations, the customers' partners, and the API KeySet)
  17. External integration problems
     ● Customers use our API
       ○ The customers' partners also use our API, and we don't know!
       ○ Permission control problems
     ● Some customers don't take JSON, only XML
     ● Or the customer sends us XML while we take JSON
  18. Expectations
  19. Expectation 1: a service-oriented architecture
  20. Learn from AWS
  21. (Diagram) https://api.91app.com (single entry point) /order (service name) /v2 (version) /SaleOrder (APIs), with the backends behind them, per brand
  22. Expectation 2: Serverless Architecture
  23. Serverless Architecture
     ● Serverless Framework
     ● CloudFront / WAF
     ● API Gateway: Private and Regional
     ● Lambda
     ● DynamoDB / DAX
     ● CloudWatch
  24. Expectation 3: operations automation
  25. Operations automation
     ● Real-time API usage statistics
     ● API Key management
     ● API authorization mechanism
     ● Monitoring metrics
     ● Logging mechanism
  26. Summarizing the problems and expectations
  27. Problems and expectations
     1. Better authentication and authorization mechanisms
     2. Request & Response data structure transformation
     3. Better monitoring and API usage statistics
     4. Throttling and a firewall
     5. Standardized API interface (RESTful)
     6. Simplify the existing authentication mechanism
     7. Simplify the request payload
     8. Adjust the response data model
     9. Change the backend as little as possible
     10. Serverless Architecture
  28. The same items grouped by theme
     - Security, architecture, operations: control (throttling, firewall); API Key management; authentication mechanism; real-time monitoring
     - "Facelift" the interface: simplify the payload; handle the response data structure; standardize the API interface
     - "The enemy moves, we don't" (the backend stays put): change the backend as little as possible; run old and new versions in parallel
     - Development process: API documentation; an external Developer Portal; a standardized internal documentation publishing process
  29. So we started adopting API Gateway
  30. Things to consider when adopting API Gateway
  31. Consideration 1: architectural visibility
     ● Public
       ○ Edge: with CDN, global (open to business users)
       ○ Regional: without CDN (open for internal services to integrate)
     ● Private
       ○ Regional: without CDN (internal service-to-service)
     Note: when using a Custom Domain Name, do not use Edge
  32. Consideration 2: integration with the existing architecture
     ● Existing services do not need to change
     ● Integrate with services in the existing VPC via PrivateLink
       ○ Network Load Balancer
  33. Consideration 3: minimal change for customers
     ● Existing customers move to the new endpoint and authentication mechanism
     ● All other business logic stays unchanged
  34. Consideration 4: URL planning. https://api.91app.com (single entry point) /ec (service name) /v2 (version) /Sale/Order (Rest APIs), per brand
  35. Consideration 4: authentication mechanism
     ● Authentication: at the backend or at the gateway?
     ● Authorization: at the backend or at the gateway?
  36. Consideration 5: development process
     ● Serverless architecture
     ● API swagger integration and management
     ● Test environment planning
     ● Documentation
     ● Deployment process
  37. Consideration 6: monitoring and maintenance
     ● API usage statistics
     ● API Key management
     ● Log collection and processing
  38. A precursor architecture for microservices
  39. Considerations for the precursor architecture
     ● Security built in: CDN + WAF
     ● Availability and Reliability
     ● Environment setup
     ● Deployment process
  40. First, a close-up view
  41. (Architecture diagram) Customer / third party → DNS → CDN distribution (https://api.abc.com, WAF, SSL certificate) → API Gateway (stages; the /order API stage with POST /v2/Sales/Order and POST /v2/Sales/Orders; a Custom Authorizer backed by DynamoDB) → Handler: 1. EncryptData, 2. InvokeAPI, 3. Restructure data formation → Network Load Balancer → Application Load Balancer → Backend Service (Service A)
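Slides 35 and 41 put authentication and authorization at the gateway through a Custom Authorizer backed by DynamoDB. The following is an added example, not 91APP's code: a Lambda TOKEN authorizer in Python that does that job. The key table, brand and scope names are constructed stand-ins for the DynamoDB lookup, and the method paths follow slide 41.

```python
"""Lambda TOKEN authorizer that authenticates an API key and authorizes the call at the
gateway. Added example, not 91APP's code: the key table, brand and scope names are
constructed stand-ins for the DynamoDB lookup on slide 41."""
import hashlib
import time

def _h(key: str) -> str:
    """Only hashes of customer keys are stored, so a leaked table yields no usable keys."""
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed key table: one brand with a production key and an expired (rotated-out) test key.
KEY_TABLE = {
    _h("brand-a-prod-key-1"): {"brand": "brand-a", "scopes": {"order:read", "order:write"},
                               "usage_key": "brand-a-prod-key-1", "expires": None},
    _h("brand-a-test-key-1"): {"brand": "brand-a", "scopes": {"order:read"},
                               "usage_key": "brand-a-test-key-1", "expires": 1_500_000_000},
}
# METHOD/path each scope may invoke; paths follow slide 41's /v2/Sales/Order resources.
SCOPE_TO_METHODS = {
    "order:read":  ["GET/v2/Sales/Order", "GET/v2/Sales/Orders"],
    "order:write": ["POST/v2/Sales/Order", "POST/v2/Sales/Orders"],
}

def handler(event, context=None, now=None):
    """event["authorizationToken"] carries the customer's key; event["methodArn"] looks like
    arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>.
    API Gateway enforces (and caches per token) the IAM policy returned here, and uses
    usageIdentifierKey as the API key for usage plans when the key source is AUTHORIZER."""
    now = time.time() if now is None else now
    rec = KEY_TABLE.get(_h(event.get("authorizationToken", "")))
    if rec is None or (rec["expires"] is not None and rec["expires"] < now):
        raise Exception("Unauthorized")       # this exact message becomes HTTP 401 at the gateway
    parts = event["methodArn"].split("/")      # [arn...:<api-id>, <stage>, <METHOD>, <path parts>...]
    stage_arn = parts[0] + "/" + parts[1]
    allowed = sorted({stage_arn + "/" + m for s in rec["scopes"] for m in SCOPE_TO_METHODS[s]})
    statements = [{"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}]
    if event["methodArn"] not in allowed:      # out-of-scope method: explicit Deny, HTTP 403
        statements.append({"Action": "execute-api:Invoke", "Effect": "Deny",
                           "Resource": event["methodArn"]})
    return {
        "principalId": rec["brand"],
        "policyDocument": {"Version": "2012-10-17", "Statement": statements},
        "usageIdentifierKey": rec["usage_key"],
        "context": {"brand": rec["brand"]},    # reaches the backend as $context.authorizer.brand
    }
```

Because the gateway caches the policy per token, the Allow statement lists every method the key may call rather than only the one being invoked.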
  42. A slightly wider view
  43. (Architecture diagram) Customers (Prod) and customers (Dev) call the API endpoint /ServiceName/Version/RestAPI over HTTPS / TLS with an x-api-key; API Gateway applies 1. Rate Limit, 2. Access Control, 3. Monitoring, 4. Usage Plan, then forwards over HTTPS to Service A, B, C ...; end users reach the services through the CDN and WAF
  44. The whole picture
  45. (Architecture diagram) Client: Desktop / Mobile → Route 53 → CloudFront + AWS WAF; static assets (js, css, img) from S3, APIs through the ALB into the public subnet and private subnet; Service A, B, C and D each expose Rest APIs (/category, /order, /auth, /theme) with Public / Protected / Private access control; Common Services, a Message Broker and Service Discovery sit alongside
  46. The core of microservices
     ● API Gateway / Service Mesh
     ● Service Discovery
     ● Message Broker
  47. API economics: business thinking about technology
  48. https://www.emome.net/4g/4g_promo
  49. API economics - Usage Plan (modelled on mobile phone plans)
     ● 91APP Diamond customer (many perks, unlimited all-you-can-eat): 1499 per month; unlimited calls per month; API rate limit: unlimited; 100 x-api-keys + MORE
     ● 91APP VIP customer (many perks, a curated selection to enjoy): 1999 per month; 50 million calls per month; API rate limit: 5000 rps; 50 x-api-keys + MORE
     ● 91APP Economy customer (many choices, economical): 699 per month; 10 million calls per month; API rate limit: 1000 rps; 10 x-api-keys + MORE
  50. (Diagram) Usage Plan A
     ● API Keys: Key 1, Key 2, Key 3, Key 4, …, Key n
     ● Usage Plan A: Rate Limit: 5000; Throttling: 500; Quota: 50,000 / day
     ● Attached to API Stage A and API Stage B (keys to plans and plans to stages are both 0..n)
     Analogy: the 499 plan! (SIM card, base station)
  51. How do you sell an API?
     ● Charge for the API by usage
     ● Provide API usage volume by membership tier
     ● During development, restrict by purpose
  52. Applying Usage Plans
     ● Keys given to customers for testing
       ○ Rate Limit: lowered
       ○ Quota: capped
       ○ Disabled or rotated on a schedule
     ● Keys given to customers for production
       ○ Give two, for redundancy → the same idea as IAM Access Keys
       ○ Rate Limit: according to business tier
       ○ Quota: unlimited
       ○ Disabled or rotated on a schedule
  53. Developer Portal
     ● Where do the documents developers read most often come from?
     ● What should this site provide?
     ● How does the development process get documentation into the code?
     ● What is this site's business value?
  54. Recap
     ● What problems did we run into?
     ● What we expect from new technology
     ● Considerations in adopting API Gateway
     ● A precursor architecture for microservices
     ● API economics
  55. Closing ... we are still in progress ...
  56. API Gateway is a very technical thing; adoption only goes smoothly when it is backed by business value!
  57. Next … DevLounge
  58. (no text on this slide)
  59. Rick Hwang, Sr. Manager, 91APP. June 28, 2018. API Gateway adoption journey: Q and A
  60. Questions
     ● Custom Domain Name: CloudFront is already there, so why set up your own?
     ● The backend returns JSON but the customer receives XML. How does that work?
     ● How do you debug API Gateway problems?
     ● Can API Gateway connect to other AWS services, such as DynamoDB, without Lambda?
     ● What should you watch out for with Rate Limit?
  61. Q1: Custom Domain Name: CloudFront is already there, so why set up your own?
  62. Endpoints for Edge, Regional, Private
  63. Edge API Gateway (the hostname resolves to CloudFront edge addresses):
     ~$ nslookup 7fal10lwzj.execute-api.us-west-2.amazonaws.com 8.8.8.8
     Non-authoritative answer:
     Name: 7fal10lwzj.execute-api.us-west-2.amazonaws.com
     Address: 52.84.205.154
     Name: 7fal10lwzj.execute-api.us-west-2.amazonaws.com
     Address: 52.84.205.177
     Name: 7fal10lwzj.execute-api.us-west-2.amazonaws.com
     Address: 52.84.205.168
     Name: 7fal10lwzj.execute-api.us-west-2.amazonaws.com
     Address: 52.84.205.155

     ~$ nslookup 52.84.205.154 8.8.8.8
     Non-authoritative answer:
     154.205.84.52.in-addr.arpa name = server-52-84-205-154.tpe50.r.cloudfront.net.
     Authoritative answers can be found from:
  64. Regional API Gateway (the hostname resolves to EC2 addresses in the region):
     ~$ nslookup 2dev1cgrqj.execute-api.us-west-2.amazonaws.com 8.8.8.8
     Non-authoritative answer:
     Name: 2dev1cgrqj.execute-api.us-west-2.amazonaws.com
     Address: 34.218.11.31
     Name: 2dev1cgrqj.execute-api.us-west-2.amazonaws.com
     Address: 52.10.38.34
     Name: 2dev1cgrqj.execute-api.us-west-2.amazonaws.com
     Address: 52.88.144.89

     ~$ nslookup 34.218.11.31 8.8.8.8
     Non-authoritative answer:
     31.11.218.34.in-addr.arpa name = ec2-34-218-11-31.us-west-2.compute.amazonaws.com.
     Authoritative answers can be found from:
  65. Private API Gateway (NXDOMAIN from the public resolver; only the VPC resolver returns the private addresses):
     ~$ nslookup wertv1jfp2.execute-api.us-west-2.amazonaws.com 8.8.8.8
     ** server can't find wertv1jfp2.execute-api.us-west-2.amazonaws.com: NXDOMAIN

     ~$ nslookup wertv1jfp2.execute-api.us-west-2.amazonaws.com
     Server: 172.31.0.2
     Address: 172.31.0.2#53
     Non-authoritative answer:
     wertv1jfp2.execute-api.us-west-2.amazonaws.com canonical name = execute-api.us-west-2.amazonaws.com.
     Name: execute-api.us-west-2.amazonaws.com
     Address: 172.31.5.61
     Name: execute-api.us-west-2.amazonaws.com
     Address: 172.31.10.251
  66. (Architecture diagram, as on slide 43) Customers (Prod) and customers (Dev) → HTTPS / TLS with x-api-key → API Gateway → HTTPS → Service A, B, C ...; end users → CDN → WAF
  67. Q2: The backend returns JSON but the customer receives XML. How does that work?
  68. Data Transformation: the client speaks XML and the backend speaks JSON; API Gateway converts between the two in both directions
  69. Apache Velocity Template Language (VTL)
  70. Q3: How do you debug API Gateway problems?
  71. API Gateway log categories
     ● CloudWatch Logs
     ● API Logging for Stage
     ● Custom Access Logging (Stage)
  72. (no extractable text on this slide)
  73. (no extractable text on this slide)
  74. Q4: Can API Gateway connect to other AWS services, such as DynamoDB?
  75. (no extractable text on this slide)
  76. (no extractable text on this slide)
  77. (no extractable text on this slide)
  78. Q5: What should you watch out for with Rate Limit?
  79. Rate Limit
     ● The region's total is fixed
     ● It is a maximum per unit of time
     ● It can be controlled down to each individual API
     ● The Rate Limit can be adjusted, but Burst is fixed at a maximum of 5000
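Slides 50 and 79 together describe the throttling model: a per-key usage plan with a rate, a burst and a daily quota, sitting behind a regional total that is fixed. The following is an added example, not 91APP's or AWS's code: a Python simulation of that token-bucket model. The regional numbers, the order of the checks (regional bucket before key bucket) and the request timelines are constructed assumptions, and slide 50's "Throttling: 500" is read here as the burst size.

```python
"""Token-bucket model of API Gateway throttling for one API key under a usage plan:
burst = bucket size, rate = refill per second, plus a daily quota, all behind the fixed
account-level bucket of the region. Added example, not 91APP's or AWS's code."""
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    rate: float                       # tokens refilled per second: the adjustable rate limit
    burst: int                        # bucket capacity: slide 79 says this is fixed, at most 5000
    tokens: float = field(init=False)
    last: float = 0.0
    def __post_init__(self):
        self.tokens = float(self.burst)
    def take(self, t: float) -> bool:
        """Refill for the time elapsed since the last request, then try to spend one token."""
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

@dataclass
class UsagePlanKey:
    bucket: TokenBucket               # per-key rate/burst from the usage plan
    quota: int                        # requests per day for this key
    used_today: int = 0

REGION_RATE, REGION_BURST = 10_000, 5_000   # constructed account-level limit for the region

def admit(key: UsagePlanKey, t: float, region: TokenBucket) -> str:
    """Outcome of one request at time t (seconds): '200', '429 quota' or '429 throttle'."""
    if key.used_today >= key.quota:
        return "429 quota"            # refused until the daily quota resets
    # Assumed order: the shared regional bucket is charged before the per-key bucket, so a
    # request rejected by its own key still costs the region a token.
    if not region.take(t) or not key.bucket.take(t):
        return "429 throttle"         # Too Many Requests
    key.used_today += 1
    return "200"

def simulate(key: UsagePlanKey, times, region: TokenBucket = None) -> dict:
    """Counts outcomes for requests arriving at the given times (seconds, ascending)."""
    region = region or TokenBucket(REGION_RATE, REGION_BURST)
    out: dict = {}
    for t in times:
        r = admit(key, t, region)
        out[r] = out.get(r, 0) + 1
    return out
```

A spike of 600 simultaneous requests against a key with burst 500 admits exactly 500 whatever the rate is, and two keys that are each within their own burst can still be throttled once the shared regional bucket runs dry.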
  80. Thanks
