1. The background
In this architecture, the service cluster consists of internal Service A and Service B, both of which register with and subscribe to services on Eureka Server, while Open Service is an external service that is exposed to service callers through load balancing. Does it make sense for us to focus on external services and expose our service address directly, or is there a better way to do this?
Let's start with some of the things that such an architecture needs to do, and its drawbacks:
- It breaks the stateless nature of the service. To keep external services secure, we need to implement permission control on service access, and the permission control mechanism of open services will run through and pollute the entire business logic of those services. The most immediate problem this causes is that it destroys the stateless nature of the REST APIs in the service cluster. From the perspective of development and testing, in addition to the actual business logic, we also need to consider the control of interface access.
- Existing interfaces cannot be reused directly. When we need to give external callers access to an existing in-cluster interface, we have to add verification logic to the original interface, or add a proxy call to achieve permission control; we cannot directly reuse the original interface.
Faced with problems like the above, how can we solve them? The answer is: service gateways!
To solve these problems, we need to take things like permission control out of our service units, and the best place for this logic is at the front end of external access. We need a more powerful load balancer: a service gateway.
Service gateways are an integral part of microservices architecture. While uniformly providing REST APIs to external systems, the service gateway provides functions such as service routing and load balancing, as well as permission control. Zuul in Spring Cloud Netflix plays this role, providing front-door protection for the microservices architecture. At the same time, it moves the heavy non-business logic of permission control to the service routing level, which makes the service cluster itself more reusable and testable.
2. Zuul overview
Zuul is Netflix's open source microservices gateway that works with Eureka, Ribbon, Hystrix, and more. At the heart of Zuul is a series of filters that do the following:
- Authentication and security: Identify the authentication requirements for each resource and reject requests that do not satisfy them.
- Review and monitor: Track meaningful data and statistics at the edge to produce an accurate view of production.
- Dynamic routing: Dynamically route requests to different back-end clusters.
- Stress test: Gradually increase traffic to the cluster to understand performance.
- Load allocation: Allocate capacity for each load type and drop requests that exceed the limit.
- Static response processing: Part of the response is built directly at the edge to avoid forwarding to the internal cluster.
- Multi-region behavior: Request routing across AWS Regions aims to diversify the use of Elastic Load Balancing (ELB) and bring the edge of the system closer to the users of the system.
In a microservice architecture there are multiple services, each with a different address. When users request a service, they may perform multiple requests, and this is where our gateway is needed for forwarding. The gateway sits in the middle layer, after the request is initiated and before the service is accessed, and all access has to pass through the gateway first. For example, when a user accesses the API and the request link is /login, the request is forwarded to the login service; when the request link is /shop, it is forwarded to the shop service.
Zuul is an open source API gateway server from Netflix. It is essentially a Web servlet application. Zuul's main functions are routing and forwarding, and filters.
Zuul provides a framework for edge services such as dynamic routing, monitoring, resilience, and security on cloud platforms. If we compare the whole project to a big house, Zuul acts as the doorman for all requests from devices and Web sites to the back end of the Netflix streaming app, guiding them to the rooms they requested.
3. Architecture after adding Zuul
As you can see from the figure, whether a request comes from a client (PC or mobile) or is an internal invocation of a service, all requests to the services pass through the Zuul gateway, which then implements authentication, dynamic routing, and so on. Zuul is the unified gateway for our services.
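The permission control described above, moved out of the services and into the gateway, can be written as a Zuul "pre" filter. This is an added example, not code from the original article or from the Zuul project; the service id "login-service", the header name X-Authenticated-User and the injected token verifier are assumptions made for illustration, and it assumes routes are resolved to Eureka service ids.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import java.util.Optional;
import java.util.function.Function;
import org.springframework.stereotype.Component;
import static org.springframework.cloud.netflix.zuul.filters.support.FilterConstants.*;

@Component
public class GatewayAuthFilter extends ZuulFilter {
    // Assumptions for this example: the service id of the login route and the
    // header that carries the verified user to the internal services.
    private static final String LOGIN_SERVICE_ID = "login-service";
    private static final String USER_HEADER = "X-Authenticated-User";

    // Hypothetical verifier: bearer token -> user id, empty if invalid or expired.
    private final Function<String, Optional<String>> tokenVerifier;

    public GatewayAuthFilter(Function<String, Optional<String>> tokenVerifier) {
        this.tokenVerifier = tokenVerifier;
    }

    @Override public String filterType() { return PRE_TYPE; }

    // Run right after PreDecorationFilter so the resolved route is known.
    @Override public int filterOrder() { return PRE_DECORATION_FILTER_ORDER + 1; }

    // Exempt only the login route, judged by the service id that routing chose
    // rather than by the raw URI string; every other route needs a token.
    @Override public boolean shouldFilter() {
        Object serviceId = RequestContext.getCurrentContext().get(SERVICE_ID_KEY);
        return !LOGIN_SERVICE_ID.equals(serviceId);
    }

    @Override public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        String auth = ctx.getRequest().getHeader("Authorization");
        Optional<String> user = (auth != null && auth.startsWith("Bearer "))
                ? tokenVerifier.apply(auth.substring(7)) : Optional.empty();
        if (user.isPresent()) {
            // Forward the verified identity to the routed service.
            ctx.addZuulRequestHeader(USER_HEADER, user.get());
        } else {
            // Answer at the edge; the request is never routed inward.
            ctx.setSendZuulResponse(false);
            ctx.setResponseStatusCode(401);
            ctx.setResponseBody("{\"error\":\"unauthorized\"}");
        }
        return null;
    }
}
```

The internal services can rely on the forwarded header only if they are reachable solely through the gateway; a service that also accepts direct connections would see whatever header value a caller chooses to send.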