How Airwallex Empowers Global Payment Using Apache APISIX?
- A significant challenge in data governance as Airwallex’s business expands throughout the world
- Complicated management of many interconnected systems, where a problem in one system causes problems in others
- Stable performance over 15 months of running in the production environment
- 99% of the response delays are within 23 ms when dynamic routing, multi-tenant rate-limiting, multi-tenant IP whitelist, authentication, and authorization are enabled
- Safe and efficient support of data sovereignty covering more than 50 currencies in over 130 countries and regions
As a global fintech company, Airwallex has built a global financial platform, with its payment network covering more than 50 currencies in over 130 countries and regions worldwide, and it provides digital fintech products for enterprises.
This article comes from the interview with Yang Li, Ph.D., Committer of Apache APISIX and Technical Platform Lead of Airwallex, who is responsible for the evolution of Airwallex's technology platform.
Data Sovereignty Poses Challenge to Airwallex
Data sovereignty is becoming increasingly important in cyberspace data governance. Airwallex serves users in various regions, which naturally involves the problem of data sovereignty.
Before, without the requirement of data sovereignty, data could be placed in Europe and synchronized to Asia or any data center in the world. The data interaction diagram is like this:
However, in an age where data sovereignty is valued, data is subject to regional control and the previous architecture can no longer be used. Only European data can be processed in Europe, and similarly, only Asian data can be processed in Asia. The data interaction changes are as below.
As a result, data sovereignty poses a significant challenge for the global business of Airwallex. Airwallex intends to migrate data from Europe to other regions, and it has to ensure that the data sovereignty requirements of third-party countries are in line with those of the EU.
Why Does Airwallex Choose APISIX?
When selecting the API gateway, Airwallex compared the main gateway products across six dimensions:
Stability: Airwallex puts great emphasis on ensuring the stability of the API gateway. Among the top 1000 websites in the world, 62.1% are NGINX-based, which shows that NGINX-based web servers have passed the test of complex and diverse scenarios in production environments. Apache APISIX is based on NGINX. Furthermore, Apache APISIX's fully dynamic design makes it possible to modify routes without reloading, while maintaining clients' long-lived connections. In addition, Airwallex conducted stress tests on Apache APISIX, which still ran stably when CPU usage reached more than 70%.
Performance: Every API request passes through the API gateway. Reducing the performance loss of the gateway can significantly reduce the overall response time of Airwallex's APIs.
"In the PoC, we compared the main gateway products: the response delay of Apache APISIX is more than 50% lower than that of other gateways. In addition, Apache APISIX's independent data plane enables independent instances in the clusters, making it inherently support horizontal expansion." Li said.
Scalability: Airwallex needs APISIX to work as an API gateway that supports complex authentication, permission control, service discovery, rate-limiting, downgrade, load balancing, whitelist, and dynamic routing.
Active Community: An active community is key for an API gateway to keep up with the pace of technological evolution.
"Apache APISIX's community has been active since it was still an Apache incubation project, judging from the number of contributors, issue response time, and the number of Pull Requests," Li shared.
Private deployment: The API gateway is the core technical architecture component of Airwallex, which deploys it at the edge of its own private network. Apache APISIX has good environmental adaptability and can be easily deployed in various environments, including cloud computing platforms.
Business-friendly Open-source License: The Apache 2.0 License allows Airwallex to modify the code of APISIX and commercialize on it without worrying about vendor lock-in.
Intelligent Routing Solution of Apache APISIX
Airwallex chose Apache APISIX to build an intelligent routing solution, in which the Apache APISIX gateway decides where the data should be processed.
The gateway is composed of two layers. The first layer is responsible for routing requests, determining which data center the request should reach based on the conditions. The second layer takes charge of traffic forwarding.
Moreover, Airwallex implemented the main functions as custom plugins so that it can upgrade to a new version of Apache APISIX at any time. This way, there won't be any conflict between Airwallex's codebase and the core code of Apache APISIX's main repository. However, modifying the core code is sometimes necessary. In those cases, Li tries his best to implement these functions in the open-source community. The contributors in the community are very enthusiastic about discussing how functions should be implemented, and in most cases, they can quickly provide workable solutions.
How is Airwallex Benefitting from Using APISIX?
Below is a diagram showing Airwallex’s integration with APISIX.
Airwallex takes Apache APISIX as the core component of the microservice gateway model. It is deployed at the edge of the network and provides a general gateway function for all traffic entering Airwallex. The problems it solves include:
Data Sovereignty: For financial infrastructure operating across borders, data sovereignty is a critical regulatory requirement. To this end, Airwallex developed a dynamic regulatory-compliant routing plugin leveraging the capabilities of Apache APISIX dynamic upstream selection. Dynamic routing can intelligently select upstreams for request distribution according to the characteristics of user requests, abstracting complex multi-data center collaboration issues from the service layer to the gateway layer. The essence of dynamic routing is to answer two questions: how to group upstream and how to match requests and groups.
Isolation in Microservices: Airwallex hopes that the engineering teams of each microservice can independently control their own services, effectively reduce the cost of communication and coordination, and improve engineering efficiency. This architectural concept requires that infrastructure components shared by various teams, such as API Gateway, can support tenant isolation. APISIX is perfect for satisfying tenant isolation. While ensuring the robustness and cost control of the entire system, APISIX allows business teams to configure and expand gateway functions according to their own needs, maintaining the independence of microservice teams and services.
Multi-Tenant Rate-Limiting: In a multi-tenant environment, the traffic characteristics of each tenant are different. Applying the same rate limit to different tenants cannot meet commercial needs. Multi-tenant rate-limiting allows more appropriate limits to be applied based on user characteristics.
Multi-Tenant IP Whitelist: The access IPs of each tenant vary in a multi-tenant environment. A multi-tenant IP whitelist allows each tenant to control its own whitelist without worrying about other users intruding on its resources.
Authentication: Frequent key updates are critical to ensuring the security of user resources. APISIX supports not only request authentication but also dynamic key updates.
Authorization: The permission management of enterprise applications is very complicated, and different application scenarios have completely different permission management models. APISIX can verify whether the requesting user has sufficient permissions to access the interface according to the routing configuration and intercept illegitimate traffic at the first opportunity.
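The gateway-layer decisions described above (group upstreams by region, match each request to a group, and apply a per-tenant IP whitelist and rate limit) can be modelled in a few lines. This is an added illustration in Python, not Airwallex's plugin or APISIX code; the tenant IDs, regions, CIDRs, upstream hosts and the `decide` function are hypothetical, and the sample data is constructed.

```python
import ipaddress
import time
from dataclasses import dataclass, field

# Constructed sample data: upstreams grouped by the region allowed to process the data.
UPSTREAM_GROUPS = {
    "eu": ["eu-dc1.internal.example:443"],
    "apac": ["apac-dc1.internal.example:443"],
}

@dataclass
class Tenant:
    region: str            # the only region that may process this tenant's data
    allowed_cidrs: list    # per-tenant IP whitelist
    limit: int             # requests allowed per window
    window_s: int = 60
    _hits: list = field(default_factory=list)

TENANTS = {  # hypothetical tenants
    "t-eu-001": Tenant("eu", ["203.0.113.0/24"], limit=2),
    "t-ap-001": Tenant("apac", ["198.51.100.7/32"], limit=100),
}

def decide(tenant_id, peer_ip, now=None):
    """Return (status, upstream_group); every failure path rejects the request."""
    now = time.monotonic() if now is None else now
    tenant = TENANTS.get(tenant_id)
    if tenant is None:
        return 401, None   # unknown tenant: never fall back to a default region
    # peer_ip must come from the connection or a trusted proxy,
    # not from a client-supplied header such as X-Forwarded-For.
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return 400, None
    if not any(ip in ipaddress.ip_network(c) for c in tenant.allowed_cidrs):
        return 403, None   # checked before counting, so blocked IPs cannot burn quota
    # Sliding-window counter kept per tenant, so tenants cannot exhaust each other.
    tenant._hits[:] = [t for t in tenant._hits if now - t < tenant.window_s]
    if len(tenant._hits) >= tenant.limit:
        return 429, None
    tenant._hits.append(now)
    if tenant.region not in UPSTREAM_GROUPS:
        return 503, None   # misconfigured region: fail closed, no cross-region routing
    return 200, tenant.region
```

The order of checks matters: identity first, then the tenant's own whitelist, then its own quota, and only then the region lookup, with no path that routes to a region other than the tenant's.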
Airwallex’s production environment has been running for 15 months, and the overall performance is extremely stable. About 99% of the response delays are within 23 ms when dynamic routing, multi-tenant rate-limiting, multi-tenant IP whitelist, authentication, authorization, and other functions are enabled.
Thanks to the excellent plugin mechanism of Apache APISIX, Airwallex can add private plugins that meet business needs without modifying its core code. The complete testing system further guarantees the software quality, so custom plugin requirements can be added safely while ensuring that the original core logic is not damaged.
Airwallex’s follow-up plan mainly includes three aspects:
Use a multi-layer network to split gateway logic into different layers, such as distributing traffic according to data sovereignty or other gateway logic.
Easy-to-read and easy-to-use routing management is critical to the success of the API gateway. The routing management needs to be friendly to developers so that they can easily understand what the gateway can do for them and how to configure and publish it.
Use color-coded requests to help implement production environment testing. Using the API gateway's color-coded requests to implement production environment testing can bring more flexibility and ease of use.
Looking for APISIX Support?
Apache APISIX is an open-source, dynamic, scalable, and high-performance cloud-native API gateway for all your APIs and microservices. Donated to the Apache Software Foundation by API7.ai, APISIX has grown into a top-level open-source Apache project.