This article will discuss the concept of an API Gateway using a sample .NET (Core) application. In this example, I am utilizing Ocelot (version 23.4.2) to manage key functionalities of Routing, Rate limiting, Caching, and Authentication.
What is an API Gateway?
An API Gateway is a server that acts as a central entry point for all client requests to a system's microservices or backend APIs.
It simplifies and manages communication between clients and services by performing various tasks.
- Request Routing: Directing client requests to the appropriate services.
- Load Balancing: Distributing requests across multiple service instances.
- Authentication and Authorization: Ensuring secure access to services.
- Rate Limiting: Preventing overuse or abuse of APIs.
- Caching: Improving performance by storing frequently accessed data.
Figure 1.0: API Gateway
What is Ocelot?
Ocelot is an open-source API Gateway specifically built for the .NET ecosystem. It provides powerful features like routing, rate limiting, load balancing, authentication, and caching to simplify the management of microservices in a .NET application.
From this point onward, I will explain the configuration used for Ocelot in this example.
The example contains three services: students, payments and authentication.
Figure 2.0: Authentication
The "Ocelot.Api.Gateway" project contains the Ocelot.json configuration file shown below.
Figure 3.0: Ocelot.json
Figure 4.0: File
This Ocelot configuration file defines settings for an API Gateway, enabling routing, rate limiting, caching, and authentication for different API endpoints. Here's a breakdown.
Global Configuration
- BaseUrl: Sets the base URL of the API Gateway, https://localhost:7195.
- RateLimitOptions: Configures rate limiting for the gateway.
  - DisableRateLimitHeaders: If false, headers with rate-limit information are included in responses.
  - QuotaExceededMessage: Custom message returned when the rate limit is exceeded.
  - HttpStatusCode: Status code returned when the rate limit is exceeded (429 Too Many Requests).
Routes
Authentication Route
- UpstreamPathTemplate: /stdmgt/authenticate. Incoming requests to this path are routed downstream.
- UpstreamHttpMethod: POST. Only POST requests are accepted on this route.
- DownstreamPathTemplate: /API/Authentication. The downstream API path to which requests are forwarded.
- DownstreamScheme: https. Downstream communication uses HTTPS.
- DownstreamHostAndPorts: The host and port of the downstream service.
  - Host: localhost
  - Port: 7022
- RateLimitOptions
  - EnableRateLimiting: Enables rate limiting for this route.
  - Period: 10s (10 seconds). The rate-limit counter is reset every 10 seconds.
  - Limit: 3. A maximum of 3 requests per 10 seconds.
  - PeriodTimespan: 10. Duration of the rate-limiting window (10 seconds).
Students Route
- UpstreamPathTemplate: /stdmgt/students. Routes requests for student-related data.
- UpstreamHttpMethod: GET. Only GET requests are accepted.
- DownstreamPathTemplate: /api/Student. Points to the downstream service's student API.
- DownstreamScheme: https
- DownstreamHostAndPorts
  - Host: localhost
  - Port: 7156
- RateLimitOptions: Same as the authentication route.
- FileCacheOptions
  - TtlSeconds: 10. Enables response caching at the gateway with a time-to-live (TTL) of 10 seconds. Because this route is also authenticated, check that the cache key distinguishes callers; otherwise a response produced for one token can be served to a later request within the TTL.
- AuthenticationOptions
  - AuthenticationProviderKey: Bearer. Requires Bearer token authentication.
  - AllowedScopes: An empty list means no scope check is applied; any valid Bearer token is accepted.
Payments Route
- UpstreamPathTemplate: /stdmgt/payments. Routes requests for student payment-related data.
- UpstreamHttpMethod: GET
- DownstreamPathTemplate: /api/StudentPayment. Points to the downstream service's payment API.
- DownstreamScheme: https
- DownstreamHostAndPorts
  - Host: localhost
  - Port: 44381
- RateLimitOptions: Same as the previous routes.
- FileCacheOptions
  - TtlSeconds: 10. Enables a 10-second cache.
- No AuthenticationOptions block is defined for this route, so the gateway forwards requests to the payment API without a gateway-level token check.
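The breakdown above is easier to check mechanically than by eye. The following script is an added example (not code from the article or from Ocelot) that reconstructs the three routes as a constructed ocelot.json and lints them for the gateway-level gaps a reviewer would look for: routes without AuthenticationOptions, cached responses on authenticated routes, disabled rate limiting, and non-HTTPS downstreams. The function name lint_ocelot and the public_paths allowlist are this example's own.

```python
"""Lint an Ocelot ocelot.json for gateway-level security gaps (added example)."""
import json

# Constructed sample: the three routes described in this article, reconstructed
# from the breakdown (the original file is only available as an image).
OCELOT_JSON = """{
 "GlobalConfiguration": {"BaseUrl": "https://localhost:7195",
  "RateLimitOptions": {"DisableRateLimitHeaders": false,
   "QuotaExceededMessage": "Rate limit exceeded", "HttpStatusCode": 429}},
 "Routes": [
  {"UpstreamPathTemplate": "/stdmgt/authenticate", "UpstreamHttpMethod": ["POST"],
   "DownstreamPathTemplate": "/API/Authentication", "DownstreamScheme": "https",
   "DownstreamHostAndPorts": [{"Host": "localhost", "Port": 7022}],
   "RateLimitOptions": {"EnableRateLimiting": true, "Period": "10s", "Limit": 3, "PeriodTimespan": 10}},
  {"UpstreamPathTemplate": "/stdmgt/students", "UpstreamHttpMethod": ["GET"],
   "DownstreamPathTemplate": "/api/Student", "DownstreamScheme": "https",
   "DownstreamHostAndPorts": [{"Host": "localhost", "Port": 7156}],
   "RateLimitOptions": {"EnableRateLimiting": true, "Period": "10s", "Limit": 3, "PeriodTimespan": 10},
   "FileCacheOptions": {"TtlSeconds": 10},
   "AuthenticationOptions": {"AuthenticationProviderKey": "Bearer", "AllowedScopes": []}},
  {"UpstreamPathTemplate": "/stdmgt/payments", "UpstreamHttpMethod": ["GET"],
   "DownstreamPathTemplate": "/api/StudentPayment", "DownstreamScheme": "https",
   "DownstreamHostAndPorts": [{"Host": "localhost", "Port": 44381}],
   "RateLimitOptions": {"EnableRateLimiting": true, "Period": "10s", "Limit": 3, "PeriodTimespan": 10},
   "FileCacheOptions": {"TtlSeconds": 10}}]}"""


def lint_ocelot(config: dict, public_paths: frozenset[str] = frozenset()) -> list[str]:
    """Return one finding per route-level issue; an empty list means no findings.
    public_paths lists upstream paths that are intentionally unauthenticated (e.g. login)."""
    findings = []
    for route in config.get("Routes", []):
        path = route.get("UpstreamPathTemplate", "<no path>")
        auth = route.get("AuthenticationOptions", {})
        authenticated = bool(auth.get("AuthenticationProviderKey"))
        ttl = route.get("FileCacheOptions", {}).get("TtlSeconds", 0)
        if not authenticated and path not in public_paths:
            findings.append(f"{path}: no AuthenticationOptions, gateway forwards anonymous requests")
        if authenticated and ttl > 0:
            findings.append(f"{path}: cached for {ttl}s on an authenticated route; confirm the cache key separates callers")
        if not route.get("RateLimitOptions", {}).get("EnableRateLimiting"):
            findings.append(f"{path}: rate limiting not enabled")
        if route.get("DownstreamScheme", "").lower() != "https":
            findings.append(f"{path}: downstream scheme is not https")
    return findings


def lint_sample() -> list[str]:
    """Lint the constructed sample; the login route is expected to be public."""
    return lint_ocelot(json.loads(OCELOT_JSON), public_paths=frozenset({"/stdmgt/authenticate"}))


if __name__ == "__main__":
    for finding in lint_sample():
        print(finding)
```

Run against the sample it reports two findings: the students route caches authenticated responses, and the payments route has no gateway-level authentication.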
Summary
This configuration enables an API Gateway with:
- Routing: Maps specific upstream paths (e.g., /stdmgt/students) to downstream paths (e.g., /API/Student).
- Rate Limiting: Restricts each route to 3 requests every 10 seconds.
- Caching: Adds short-term caching for certain routes to improve performance.
- Authentication: Requires Bearer token authentication on the students route; the payments route defines no AuthenticationOptions, so it is forwarded without a gateway-level token check.