At Adobe APIs are powering the next generation of Creative applications. Mesos makes it very easy and fun to deploy and run Robust and Scalable Microservices in the Cloud. Today's technologies offer simple solutions to create RESTfull services while Mesos brings them to life faster. As the number of microservices increase and the inter communication between them becomes more complicated, we soon realize we have new questions awaiting our answers: how do microservices authenticate ? how do we monitor who's using the APIs they expose ? How do we protect them from attacks ? How do we set throttling and rate limiting rules across a cluster of microservices ? How do we control which service allows public access and which one we want to keep private ? How about Mesos APIs and its frameworks ? Can they benefit from these features as well ? Come and learn a scalable architecture to manage microservices in Mesos by integrating an API Management layer inside your Mesos clusters. This presentation will show you what an API Management layer is, what it's composed of and how it can help you expose microservices in a secure,managed and highly-available way, even in multi-Mesos cluster setups. During this session you will also have the opportunity to learn how Adobe's API Platform solved this problem, where it is today and what it envisions do to with Mesos further. If you're working with microservices already or you're creating new ones then this presentation is for you. Come and learn how Mesos together with an API management layer will make you a microservices hero in your organisation. At Adobe APIs are powering the next generation of Creative applications.

1. Be a Microservices Hero | MesosCon’16
Dragos Dascalita Haut | Project Lead | Adobe I/O

2. Adobe I/O provides the definitive destination for Developers looking to
learn about, engage with and integrate Adobe cloud, mobile, and web
technologies.

3. Adobe Creative Cloud Apps

4. A CreativeCloud Microservice: Content-Aware Fill

5. A CreativeCloud Microservice: send to Photoshop from the mobile device

6. Focus of this presentation:
§ How to make it simple and consistent for developers to consume APIs
§ How to make it straight forward to publish APIs

7. There are 2 players in Microservices

8. There are common aspects surrounding an API

9. There are common aspects surrounding an API

10. There are common aspects surrounding an API

11. There are common aspects surrounding an API

14. API Management

15. API Management

16. api1 api2

19. Adobe I/O & Apache Mesos

20. Fill the API Management gap in Apache Mesos
by sharing the technology behind Adobe I/O
and develop it further with the community.

21. GOAL
§ Make it simple and consistent for developers to consume APIs
§ … and straight forward to publish APIs

22. API GATEWAY : The Adobe I/O Engine
• OPEN SOURCE:
• https://github.com/adobe-apiplatform/apigateway
• FEATURES:
• API Façade - to build a unified API from mutiple microservices
• Controls Access by validating requests
• Prevents Attacks through Throttling and Rate Limiting rules
• Provides Analytics based on usage data
• OOTB Service Discovery using Marathon and Mesos
• With hooks for other service discovery implementations

23. API GATEWAY : The Adobe I/O Engine
• FEATURES THE API GATEWAY SHOULD AVOID:
• Payload transformation
• Any other business logic particular to the domain of an API

24. DESIGN PRINCIPLES
Simple
Scalable
Secure
Super fast
API GATEWAY : The Adobe I/O Engine

25. OPENRESTY
• Nginx Lua Module
• Nginx Redis
• Headers more
• Set misc
• LuaJIT
• ….
API Gateway Modules
• Request Validation
• Throttling & Rate Limiting
• HTTP Logger
NGINX
• Upstream
• HTTP Proxy
• PCRE
• SSL
• ….
API GATEWAY : " …TAKE ONE OF THE MOST POPULAR WEB SERVER AND
ADD API GATEWAY CAPABILITIES TO IT…"

26. {
"id": "api-gateway",
"container": {
"type": "DOCKER",
"docker": {
"image": "adobeapiplatform/apigateway:throttling",
"forcePullImage": true,
"network": "HOST"
}
},
"cpus": 4,
"mem": 4028.0,
"env": { "MARATHON_HOST": "http://<marathon_host>" },
"acceptedResourceRoles": ["slave_public"],
"constraints": [ [ "hostname", "UNIQUE" ] ],
"ports": [ 80 ],
"instances": 1
}
curl -X POST -H "Content-Type:application/json" ${MARATHON_HOST}/v2/apps?force=true --data '
API GATEWAY : Deployment with Marathon

27. API GATEWAY : Deployment with Marathon
{
"id": "api-gateway",
"container": {
"type": "DOCKER",
"docker": {
"image": "apiplatform/apigateway:latest",
"forcePullImage": true,
"network": "HOST"
}
},
"cpus": 4,
"mem": 4028.0,
"env": { "MARATHON_HOST": "http://<marathon_host>" },
"acceptedResourceRoles": ["slave_public"],
"constraints": [ [ "hostname", "UNIQUE" ] ],
"ports": [ 80 ],
"instances": 1,
<health_check_block>
}
curl -X POST -H "Content-Type:application/json" ${MARATHON_HOST}/v2/apps?force=true --data '
Optionally you can include health-check
"healthChecks": [
{
"protocol": "HTTP",
"portIndex": 0,
"path": "/health-check",
"gracePeriodSeconds": 3,
"intervalSeconds": 10,
"timeoutSeconds": 10
}
]

28. server {
listen 80;
server_name hello-world.gw.mesosconference.org;
location / {
# -------------------------------------------------
# Specify what to validate for this location
# -------------------------------------------------
set $validate_api_key on;
set $validate_oauth_token on;
set $validate_user_profile on;
set $validate_service_plan on;
...
access_by_lua "ngx.apiGateway.validation.validateRequest()";
# -------------------------------------------------
# Proxy the request to the actual microservice
# -------------------------------------------------
proxy_pass http://hello-world;
}
}
API GATEWAY : Simple Service Definition to validate requests

29. server {
listen 80;
server_name hello-world.api.mesoscon.org;
location / {
# -------------------------------------------------
# Specify what to validate for this location
# -------------------------------------------------
set $validate_api_key on;
set $validate_oauth_token on;
set $validate_user_profile on;
set $validate_service_plan on;
...
access_by_lua "ngx.apiGateway.validation.validateRequest()";
# -------------------------------------------------
# Proxy the request to the actual microservice
# -------------------------------------------------
proxy_pass http://hello-world;
}
}
API GATEWAY : Routing is done based on Service Discovery
...
upstream hello-world {
# --------------------------------
# Specify the list of backends
# where hello-world microservice
# is running
# --------------------------------
server 10.0.0.7:13780;
server 10.0.0.8:11900;
...
}

30. server {
listen 80;
server_name hello-world.api.mesoscon.org;
location / {
# -------------------------------------------------
# Specify what to validate for this location
# -------------------------------------------------
set $validate_api_key on;
set $validate_oauth_token on;
set $validate_user_profile on;
set $validate_service_plan on;
...
access_by_lua "ngx.apiGateway.validation.validateRequest()";
# -------------------------------------------------
# Proxy the request to the actual microservice
# -------------------------------------------------
proxy_pass http://hello-world;
}
}
...
upstream hello-world {
# --------------------------------
# Specify the list of backends
# where hello-world microservice
# is running
# --------------------------------
server 10.0.0.7:13780;
server 10.0.0.8:11900;
...
}
SERVICE DEFINITION vs SERVICE DISCOVERY

31. server {
listen 80;
server_name hello-world.api.mesoscon.org;
location / {
# -------------------------------------------------
# Specify what to validate for this location
# -------------------------------------------------
set $validate_api_key on;
set $validate_oauth_token on;
set $validate_user_profile on;
set $validate_service_plan on;
...
access_by_lua "ngx.apiGateway.validation.validateRequest()";
# -------------------------------------------------
# Proxy the request to the actual microservice
# -------------------------------------------------
proxy_pass http://hello-world;
}
}
...
upstream hello-world {
# --------------------------------
# Specify the list of backends
# where hello-world microservice
# is running
# --------------------------------
server 10.0.0.7:13780;
server 10.0.0.8:11900;
...
}
SERVICE DEFINITION vs SERVICE DISCOVERY

32. • Demo

33. curl -X POST -H "Content-Type:application/json" ${MARATHON_HOST}/v2/apps?force=true --data '
{
"id": "hello-world",
"container": {
"type": "DOCKER",
"docker": {
"image": "adobeapiplatform/echo-microservice:latest",
"forcePullImage": false,
"network": "BRIDGE",
"portMappings": [
{
"containerPort": 8080,
"hostPort": 0,
"protocol": "tcp"
}
]
}
},
"cpus": 0.5,
"mem": 1024.0,
"ports": [ 0 ],
"instances": 1
}'
DEPLOY THE SAMPLE hello-world MICROSERVICE :

34. … WITH 2 SIMPLE ENDPOINTS

35. curl -X POST -H "Content-Type:application/json" ${MARATHON_HOST}/v2/apps?force=true --data '
{
"id": "api-gateway-redis",
"container": {
"type": "DOCKER",
"docker": {
"image": "redis:latest",
"forcePullImage": true,
"network": "BRIDGE",
"portMappings": [
{
"containerPort": 6379,
"hostPort": 0,
"protocol": "tcp"
}
]
}
},
"cpus": 0.5,
"mem": 1024.0,
"constraints": [ [ "hostname", "UNIQUE" ] ],
"ports": [ 0 ],
"instances": 1
}'
API GATEWAY : API KEY Management with Redis

36. set $marathon_app_name hello-world;
location / {
…
# identify the service
set $service_id $marathon_app_name;
# READ THE API KEY
# either from the query string or from the "X-Api-Key" header
set $api_key $arg_api_key;
set_if_empty $api_key $http_x_api_key;
# add the api-key validator
set $validate_api_key on;
# validate request
access_by_lua "ngx.apiGateway.validation.validateRequest()";
proxy_pass http://$marathon_app_name;
Create a new Vhost for server_name ~hello-world.api.(?<domain>.+);
API GATEWAY : API KEY Management with Redis
Protecting a service with API-KEY Validation

37. # ADD an API-KEY for the HELLO-WORLD service
# NOTE: this API SHOULD not be exposed publicly
curl -X POST "http://api-gateway.${API_DOMAIN}/cache/api_key?key=key-1&
app_name=demo-app&
service_id=hello-world&
service_name=hello-world&
consumer_org_name=demo-consumer"
# update hello-world microservice to require an API-KEY
curl "http://hello-world.${API_DOMAIN}/hello"
# {"error_code":"403000","message":"Api Key is required"}
# make another call including the api-key
curl "http://hello-world.${API_DOMAIN}/hello" -H "X-Api-Key:key-1"
API GATEWAY : API KEY Management with Redis
Create a new API-KEY and save it into Redis cache

38. • Demo: Throttling / Rate Limiting

39. THROTTLING: Installing the Microservice
curl -X POST -H "Content-Type:application/json" ${MARATHON_HOST}/v2/apps?force=true --data '
{
"id": "cell-os/gateway-tracking-service",
"container": {
"type": "DOCKER",
"docker": {
"image": "adobeapiplatform/gateway-tracking-service:latest",
"forcePullImage": false,
"network": "BRIDGE",
"portMappings": [ {"containerPort": 8080, "hostPort": 0, "protocol": "tcp"} ]
}
},
"env": {
"mesos.api.endpoint":"http://<marathon-host>/v2/apps/cell-os/api-gateway/tasks",
"spring.profiles.active":"mesos-cluster",
"gw.http.port":"5000",
"zmq.port":"6001",
"logging.level.com.adobe.api.platform.gwts.metrics.MetricsService":"WARN",
"redis.host":"<redis-host>",
"redis.port":"<redis_port>"
},
"cpus": 2,
"mem": 4096.0,
"ports": [ 0 ],
"instances": 1
}'

40. API GATEWAY : Adding a new throttling policy
curl -i -X POST "http://cell-os_gateway-tracking-service.<domain>/api/policies/throttling"
-H "Content-Type:application/json" -H "X-AMS-Policy-Type:THROTTLING_POLICY" --data '
[{
"id": "2",
"softLimit": 3,
"maxDelayPeriod": 4,
"hardLimit": 5,
"timeUnit": "SECONDS",
"span": 30,
"lastModified": 1438019079000,
"domain": {
"$api_key": "key-1"
}
}]'
A Low Water Mark after which the Gateway DELAYS requests
A High Water Mark after which the Gateway BLOCKS requests
Limits are enforced on a 30s time window
This policy is enforced only on requests with api_key=key-1

41. API GATEWAY : Listing existing throttling policies
curl "http://cell-os_gateway-tracking-service.<domain>/api/policies/throttling"
[{
id: 2,
lastModified: 1438019079000,
domain: {
$api_key: "key-1"
},
softLimit: 5,
hardLimit: 9,
timeUnit: "SECONDS",
span: 30,
maxDelayPeriod: 3
}]

42. • Demo: Analytics

45. Key Takeaways
1. Think holistically at microservices
2. "Less is more." "Does my microservice really need to care about ..."
• Identify Provider, Access Control, Throttling
3. Think about integrating a microservice API Gateway into your
Mesos clusters
• Consider using a proven solution used by Adobe I/O
https://github.com/adobe-apiplatform/apigateway

46. Resources:
https://github.com/adobe-apiplatform/apigateway
http://adobe.io