Creating a Gateway

Constraints

• Gateway quota

  By default, your account can be used to create five gateways in a project. To create more dedicated gateways, contact technical support to increase the quota.

• Permissions
  • You must be assigned both the APIG Administrator and VPC Administrator roles so that you can create gateways.
  • Alternatively, you must be attached the APIG FullAccess policy.
  • You can also be granted permissions using custom policies. For details, see Custom APIG Policies.
• Network

  If you use 192.x.x.x or 10.x.x.x, APIG uses 172.31.32.0/19 as the internal subnet. If you use 172.x.x.x, APIG uses 192.168.32.0/19 as the internal subnet.

• Number of available private IP addresses in the subnet

  The basic, professional, enterprise, and platinum editions of APIG require 3, 5, 6, and 7 private IP addresses. Check that the subnet you choose has sufficient private IP addresses on the VPC console.

• Workload

  VPCs (workloads) where gateways have been deployed cannot be changed.

• Security group

  Security groups do not take effect after gateways are purchased in regions. To disable access from specific IP addresses, see Configuring API Access Control.

Preparing the Network Environment

• Workload

  Gateways are deployed in VPCs (workloads). Cloud resources, such as Elastic Cloud Servers (ECSs), in the same workload can call APIs using the private IP address of the gateway deployed in the workload.

  You are advised to deploy your gateways in the same workload as your other services to facilitate network configuration and secure network access.

• Security group

  Similar to a firewall, a security group controls access to a gateway through a specific port and transmission of communication data from the gateway to a specific destination address. For security purposes, create inbound rules for the security group to allow access only on specific ports.

  The security group bound to a gateway must meet the following requirements:

  • Inbound access: To allow the APIs in the gateway to be accessed over public networks or from other security groups, configure inbound rules for the security group to allow access on ports 80 (HTTP) and 443 (HTTPS).
  • Outbound access: If the backend service of an API is deployed on a public network or in another security group, add outbound rules for the security group to allow access to the backend service address through the API calling port.
  • If the frontend and backend services of an API are bound with the same security group and VPC as the gateway, no inbound or outbound rules are needed to allow access through the preceding ports.

Creating a Gateway

1. Go to the APIG console.
2. In the navigation pane, choose Gateways.

3. Click Buy Gateway. Set the gateway parameters by referring to the following table.

   Table 1 API gateway parameters

   Parameter	Description
   Region	A geographic area where the gateway will be deployed. Deploy the gateway in the same region as your other services to allow all services to communicate with each other through subnets within a workload. This reduces public bandwidth costs and network latency.
   AZ	Select the availability zone (AZ) where the gateway resides. Different AZs are physically isolated but can communicate with each other via a private network. To enhance gateway availability, deploy the gateway in multiple AZs. APIG does not support gateway migration across AZs. To create a single-AZ gateway, create two gateways in at least two AZs to improve service reliability. Otherwise, services will be unavailable if one AZ is faulty.
   Gateway Name	Gateway name, which can be customized. The value must start with a letter and consist of 3 to 64 characters, including letters, digits, hyphens (-), and underscores (_).
   Edition	The basic, professional, enterprise, and platinum editions are available. The number of concurrent requests allowed varies depending on the gateway edition. For more information, see Specifications.
   Scheduled Maintenance	Time period when technical support engineers can maintain the gateway. The technical support personnel will contact you before maintenance. Select a time period with low service demands.
   Enterprise Project	Select an enterprise project to which the gateway belongs. This parameter is available only if your account is an enterprise account. For details about resource usage, migration, and user permissions of enterprise projects, see Enterprise Management User Guide.
   Public Inbound Access	Determine whether to allow the APIs created in the gateway to be called by external services using an EIP. If the feature is enabled, an EIP is bound by default. And you can set a bandwidth that meets your service requirements. APIs in the gateway can be called using independent or debugging domain names. There is a limit on the number of times that APIs in an API group can be called per day using the debugging domain name. To overcome the limitation, bind independent domain names to the API group and ensure that the domain names have already been CNAMEd to the EIP of the gateway to which the API group belongs. For example, you have an HTTPS API (path: /apidemo) with public access enabled. The API can be called using "https://{domain}/apidemo", where {domain} indicates an independent domain name bound to the group of the API. The default port is 443.
   Public Outbound Access	Determine whether to allow backend services of the APIs created in the gateway to be deployed on public networks. Set a bandwidth that meets your service requirements for public outbound access.
   Network	Select a VPC and subnet for the dedicated gateway. Select the created VPC and subnet from the drop-down list. Create a VPC and subnet by clicking Create VPC. For details, see section "Creating a VPC" in Virtual Private Cloud User Guide.
   Security Group	Select a security group to control inbound and outbound access. If the backend service of an API is deployed on an external network, configure security group rules to allow access to the backend service address through the API calling port. If public inbound access is enabled, add inbound rules for the security group to allow access on ports 80 (HTTP) and 443 (HTTPS). NOTE: ELB load balancing is enabled by default after gateway purchase. To disable access from specific IP addresses, use access control policies. ELB functions as a load balancer for gateways, which support cross-VPC access. Gateways with public inbound access enabled are randomly assigned an EIP and cannot use an existing EIP.
   VPC Endpoint Service	Name of a VPC endpoint service to create when you buy the gateway. The gateway then can be accessed using the endpoint service. If a name is specified, the VPC endpoint service name to display on the VPC Endpoints tab will be in the format "{region}.{Specified VPC endpoint service name}.{VPC endpoint service ID}". If no name is specified, the displayed name will be in the format "{region}.apig.{VPC endpoint service ID}".
   Tags	Tags classify your gateways to facilitate search, analysis, and management. If no tag is available, click View predefined tags or enter a tag key and value to create one. Alternatively, set tags on the Tag Management Service (TMS) console by referring to Configuring Gateway Tags.
   Description	Gateway description. Enter 1 to 255 characters.

4. Click Next.
5. Confirm the gateway configurations. The gateway is created with the status displayed on the screen.
   • For details about how to view or edit a gateway, see Viewing or Modifying Gateway Information.
   • Before deleting a gateway, ensure that the deletion will not impact your services.

Related Documents