Financial Practices of Facilitating Cloud-Native Transformation Using APISIX as API Gateway
This article comes from the speech at ApacheCon Asia 2022 by Yonghui Lu, Director of API Gateway in Essence Securities. Yonghui shared the practice of Essence Securities' cloud-native API gateway based on Apache APISIX.
- The original technology stack was complicated, consisting of NGINX, Spring Cloud Gateway, and self-developed systems
- Difficulty in system management due to no unified technology stack
- Duplicate work and high costs in various business projects
- Cloud-native and easy to integrate with the business systems of Essence Securities
- Unified management of deployment, monitoring, and alerting
- High performance and capability of scaling out
- Function customization and quick integration with the systems
- Powerful and abundant functions like traffic governance, security, protocol conversion, authorization, authentication, etc.
- Promoted traffic governance, safely managing bursting traffic
- Improved R&D efficiency and convenience
- Bolstered Essence Securities' cloud-native development
- Enhanced data security and permission management by establishing independent domains
About Essence Securities
Essence Securities Co., Ltd. (Essence Securities) is one of the leading securities corporations in China. Since its establishment in 2006, Essence Securities has quickly become one of China's Top 15 securities companies, with a proven track record of providing the highest-quality services to the private and public sectors. It has four independent subsidiaries and more than 120 retail branches in 25 major provinces nationwide.
Essence Securities’ core businesses range from securities brokerage, securities investment consulting, financial advisory services related to securities trade and investment, securities underwriting and sponsorship, securities investment, and asset management to other businesses approved by China Securities Regulatory Commission.
Why Choose APISIX?
In 2021, Essence Securities started migrating applications to the cloud and drew up an API gateway plan. In 2022, it began building the API gateway. After careful comparison of a wide range of API gateway solutions, Essence Securities chose Apache APISIX for several crucial advantages:
Securities firms share a typical characteristic: traffic spikes during peak trading hours. Apache APISIX is the highest-performance API gateway, with a single-core QPS of 23,000 and an average latency of only 0.6 milliseconds.
"We need the API gateway to undertake bursting traffic, and it won't be our next bottleneck. After comparing some API gateways based on OpenResty or some other technology stack, Apache APISIX stands out with its competitive advantage of high performance and can meet our requirements for an API gateway." Yonghui said.
Scalable and Developer-Friendly
APISIX offers its users a rich set of functions. In Essence Securities, rate limiting, circuit breaking, authorization and authentication, and canary release are the most widely used.
On top of this, Essence Securities developed its own plugins to satisfy the internal needs of its business groups. APISIX officially supports plugin development in many programming languages, including Java, Golang, Python, and Lua. To stay consistent with the community, Essence Securities chose Lua, and as a result the whole development process was very smooth. Essence Securities will also consider contributing its self-developed plugins to the community.
Virtual Machine and Container Scenarios
Currently, migrating applications to the cloud is a crucial strategy of Essence Securities. However, quite a few scenarios are still deployed on virtual machines.
"We need to consider the compatibility of these two-state applications when selecting an API gateway, although our plan is more on containers. APISIX provides much support for compatibility in these scenarios." Yonghui said.
Cloud-Native Developing Track
Apache APISIX is marvelous in supporting cloud-native scenarios, and Essence Securities is keeping pace with the cloud-native trend. Already using APISIX, APISIX Ingress Controller, and Service Mesh, Essence Securities also looks forward to APISIX's new advances and development.
As an open-source project, APISIX has an active community. Issues can be discussed and solved in good time. In 2022, nearly 40 in-person and online APISIX community events were hosted by the APISIX community, and people familiar with APISIX are all excited about these activities.
How is Essence Securities Benefitting from Using APISIX?
Below is Essence Securities’ microservices architecture, commonly seen in cloud-native scenarios.
Authority and Authentication: Before using APISIX, authority and authentication were handled separately by multiple microservices, resulting in much repetitive development work.
Traffic Governance: Essence Securities implemented traffic governance by integrating with APISIX; the most typical scenarios are rate limiting and canary release. Prior to using APISIX, these functions were implemented with NGINX, which requires modifying the configuration and restarting the nodes. By contrast, APISIX's visual dashboard and hot-reloading feature bring significant convenience to Essence Securities' traffic governance.
Canary Release: APISIX is flexible in canary release, which can be driven by traffic percentage or by request characteristics, covering request headers, request parameters, cookies, and so on. For example, Essence Securities needs to route user traffic to the canary-release servers by user ID.
Observability: Before, Essence Securities had to build observability itself through metrics, tracing, and logs, and multi-dimensional governance was hard to achieve. After adopting APISIX, simply enabling three plugins with minimal configuration achieves the same effect. What remarkable progress!
Innovations Based on APISIX
CAS single sign-on
Essence Securities uses CAS (Central Authentication Service) as its standard authentication method, which is suitable for putting the authentication on the gateway.
Essence Securities extends APISIX and adds a new function, CAS single sign-on. There are several advantages to doing so.
Putting CAS on the gateway layer makes it convenient to access CAS and introduce its functions. For example, the unified authentication services can be used to fetch users' information.
Furthermore, CAS sets the user information in the request header and passes it to the upstream service, preserving the user's login status. Thus it's unnecessary to log in to other systems repeatedly, saving users a lot of time and improving convenience.
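The hand-off described above, as an added example that is not Essence Securities' or APISIX's code: a gateway-side SSO step that forwards the CAS-validated identity to the upstream in request headers, while refusing to pass through identity headers a client supplied itself. The session store, the `cas_session` cookie name and the `X-User-*` header names are assumptions for illustration.

```python
# Added example (not Essence Securities' or APISIX's code): forward the SSO identity
# to the upstream in headers that only the gateway is allowed to write.

# Headers the upstream reads to learn who the user is; only the gateway may set them.
IDENTITY_HEADERS = ("x-user-id", "x-user-name", "x-user-roles")

# Constructed stand-in for the session state established after CAS ticket validation.
SESSIONS = {
    "sess-42": {"id": "1001", "name": "employeeA", "roles": ["manager", "viewer"]},
}

def upstream_headers(client_headers, cookies):
    """Return the headers to forward upstream, or None when the gateway must
    redirect the client to CAS login because it holds no valid session."""
    session = SESSIONS.get(cookies.get("cas_session", ""))
    # Drop any identity headers the client sent: the upstream trusts these values
    # only because the gateway is their sole writer, so they must never pass through.
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() not in IDENTITY_HEADERS}
    if session is None:
        return None
    forwarded["X-User-Id"] = session["id"]
    forwarded["X-User-Name"] = session["name"]
    forwarded["X-User-Roles"] = ",".join(session["roles"])
    return forwarded

if __name__ == "__main__":
    spoofed = {"Host": "api.example.internal", "X-User-Id": "0"}
    print(upstream_headers(spoofed, {"cas_session": "sess-42"}))  # identity from session, not client
    print(upstream_headers(spoofed, {}))                          # None: send the client to CAS
```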
authz-casbin authorization plugin
The authz-casbin plugin is an authorization plugin based on Lua Casbin (lua-casbin). It supports powerful authorization scenarios based on the RBAC (role-based access control) model.
Policies can be stored in a CSV file, in the APISIX plugin configuration, or in the plugin metadata.
Below is an example.
In Essence Securities, there is an important concept: domain. Users will have different permissions in various domains. For example, employee A is a manager of domain A but might only be a viewer in domain B.
When defining requests, policies, and roles, the domain must be specified. Therefore, Essence Securities adapted the casbin integration to match this scenario. The plugin relies on the lua-casbin library, which already supports RBAC with domains, so the requirement above can be satisfied simply by calling the corresponding interface of that library, which is effortless. This greatly enhances data security and permission management.
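To make the domain-scoped decision concrete, here is an added example (not Essence Securities' or lua-casbin's code) that evaluates a constructed policy in casbin's RBAC-with-domains shape: the same employee is a manager in one domain and only a viewer in another, and the role lookup is keyed by the requested domain.

```python
# Added example, not Essence Securities' or lua-casbin's code: a small evaluator for
# the RBAC-with-domains model that the authz-casbin plugin enforces via lua-casbin.
# The policy below is constructed in casbin's CSV shape:
#   p, role, domain, object, action    (a role may perform action on object in domain)
#   g, user, role, domain              (user holds role within domain)
import csv
import io

# Constructed policy: employee A is a manager in domain A but only a viewer in domain B.
POLICY_CSV = """\
p, manager, domainA, /orders, GET
p, manager, domainA, /orders, POST
p, viewer, domainA, /orders, GET
p, viewer, domainB, /reports, GET
g, employeeA, manager, domainA
g, employeeA, viewer, domainB
"""

def load_policy(text):
    """Parse the CSV into permission rules and domain-scoped role assignments."""
    perms = set()   # (role, domain, object, action)
    roles = {}      # (user, domain) -> {role, ...}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            continue
        if row[0] == "p":
            perms.add(tuple(row[1:5]))
        elif row[0] == "g":
            user, role, dom = row[1:4]
            roles.setdefault((user, dom), set()).add(role)
    return perms, roles

def enforce(perms, roles, sub, dom, obj, act):
    """Decide a request (sub, dom, obj, act) like casbin's rbac_with_domains matcher:
       g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
    Roles are looked up only in the requested domain, so manager rights in
    domainA grant no manager rights in domainB."""
    return any((role, dom, obj, act) in perms for role in roles.get((sub, dom), ()))

if __name__ == "__main__":
    perms, roles = load_policy(POLICY_CSV)
    print(enforce(perms, roles, "employeeA", "domainA", "/orders", "POST"))   # True
    print(enforce(perms, roles, "employeeA", "domainB", "/orders", "POST"))   # False
```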
APISIX provides multi-dimensional monitoring such as metrics, tracing, and logging collection. All of these functions can be achieved by simple configurations.
After enabling the Prometheus plugin, metrics like request latency, bandwidth, and the HTTP status code rate become observable. These are useful in troubleshooting.
For tracing analysis, once the upstream is connected to SkyWalking and the SkyWalking plugin is enabled, the complete call chain can be traced.
Essence Securities plans to extract more value from log collection. Pushing the access logs to Kafka can help Essence Securities analyze and aggregate data.
Previously, each of Essence Securities' systems had its own independent cluster to lower the risk of failures and keep user information separate. Apache APISIX uses etcd as its configuration center, which suits the current stage.
Shared clusters help with unified resource management and improve O&M efficiency. Essence Securities will combine independent clusters with multi-tenancy to strengthen its management capabilities.
Essence Securities will provide many microservices as products to its users, such as logging, monitoring, and alerting platforms and a data center, whose centralized management can be realized by APISIX.
After introducing the gateway layer, many governance capabilities were added at the API gateway, like authentication, authorization, and traffic governance.
Observable Data Monitoring
APISIX's kafka-logger plugin helps Essence Securities push the gateway's access log to Kafka. From Kafka, the information can be cleaned, formatted, and counted to obtain more valuable statistics, such as the Top N of calls, abnormal requests, and request delays.
“Or we can get status code distribution, client IP distribution, traffic statistics, traffic peak, off-peak hours distribution, abnormal traffic detection, etc. This part is of great significance for extending the observable capabilities of our system.” Yonghui said.
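The statistics listed above, as an added example that is not Essence Securities' or APISIX's code: status-code distribution, client IP distribution, top-N calls, slow requests and an abnormal-client flag computed over a batch of gateway access logs. The records are constructed here in the shape of kafka-logger's default JSON output (the field names `client_ip`, `route_id`, `request.uri`, `response.status` and `latency` in milliseconds are assumed); in production the same records would be consumed from the Kafka topic.

```python
# Added example, not Essence Securities' or APISIX's code: per-batch statistics over
# gateway access logs. Records are constructed in the assumed shape of kafka-logger's
# default JSON (client_ip, route_id, request.uri, response.status, latency in ms).
import json
from collections import Counter

def _rec(ip, uri, status, latency_ms):
    """Build one constructed access-log line."""
    return json.dumps({"client_ip": ip, "route_id": "1",
                       "request": {"uri": uri, "method": "GET"},
                       "response": {"status": status}, "latency": latency_ms})

SAMPLE_LOG = [
    _rec("10.0.0.5", "/api/quotes", 200, 12.3),
    _rec("10.0.0.5", "/api/quotes", 200, 9.8),
    _rec("10.0.0.7", "/api/orders", 200, 640.0),
    _rec("10.0.0.7", "/api/quotes", 200, 15.1),
    _rec("10.0.0.9", "/api/login", 401, 8.0),
    _rec("10.0.0.9", "/api/login", 401, 7.5),
    _rec("10.0.0.9", "/api/login", 403, 7.9),
    _rec("10.0.0.9", "/api/admin", 404, 5.0),
]

def parse(lines):
    """Flatten the nested kafka-logger records into the fields the statistics need."""
    for line in lines:
        rec = json.loads(line)
        yield {"ip": rec["client_ip"], "uri": rec["request"]["uri"],
               "status": rec["response"]["status"], "latency": rec["latency"]}

def summarize(lines, top_n=3, slow_ms=500.0, error_share=0.5, min_requests=3):
    """Return the statistics for one batch of log lines."""
    recs = list(parse(lines))
    ip_dist = Counter(r["ip"] for r in recs)
    errors_by_ip = Counter(r["ip"] for r in recs if r["status"] >= 400)
    return {
        "status_dist": Counter(r["status"] for r in recs),
        "ip_dist": ip_dist,
        "top_calls": Counter(r["uri"] for r in recs).most_common(top_n),
        "slow": [r for r in recs if r["latency"] >= slow_ms],
        # A client with enough requests and a high share of 4xx/5xx answers is the
        # abnormal-traffic pattern worth alerting on (probing, credential guessing).
        "abnormal_ips": sorted(ip for ip, n in ip_dist.items()
                               if n >= min_requests and errors_by_ip[ip] / n >= error_share),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```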
Essence Securities also looks forward to more cooperation with APISIX Ingress Controller and Service Mesh.
Looking for APISIX Support?
Apache APISIX is an open-source, dynamic, scalable, and high-performance cloud-native API gateway for all your APIs and microservices. Donated to the Apache Software Foundation by API7.ai, APISIX has grown into a top-level Apache open-source project.
Do you want to accelerate your development with confidence like Essence Securities? To maximize APISIX support, you need API7. We provide in-depth support for APISIX and API management solutions based on your needs!
Contact us now: https://api7.ai/contact.