Self-hosted gateway overview

This article explains how the self-hosted gateway feature of Azure API Management enables hybrid and multi-cloud API management, presents its high-level architecture, and highlights its capabilities.

Hybrid and multi-cloud API management

The self-hosted gateway feature expands API Management support for hybrid and multi-cloud environments and enables organizations to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.

With the self-hosted gateway, customers have the flexibility to deploy a containerized version of the API Management gateway component to the same environments where they host their APIs. All self-hosted gateways are managed from the API Management service they are federated with, providing customers with visibility and a unified management experience across all internal and external APIs. Placing the gateways close to the APIs allows customers to optimize API traffic flows and address security and compliance requirements.

Each API Management service is composed of the following key components:

  • Management plane, exposed as an API, used to configure the service via the Azure portal, PowerShell, and other supported mechanisms.
  • Gateway (or data plane), responsible for proxying API requests, applying policies, and collecting telemetry.
  • Developer portal, used by developers to discover, learn, and onboard to use the APIs.

By default, all these components are deployed in Azure, causing all API traffic (shown as solid black arrows in the picture below) to flow through Azure regardless of where the backends implementing the APIs are hosted. The operational simplicity of this model comes at the cost of increased latency, compliance issues, and in some cases, additional data transfer fees.

[Figure: API traffic flow without self-hosted gateways]

Deploying self-hosted gateways into the same environments where the backend API implementations are hosted allows API traffic to flow directly to the backend APIs, which improves latency, optimizes data transfer costs, and enables compliance while retaining the benefits of having a single point of management, observability, and discovery of all APIs within the organization, regardless of where their implementations are hosted.

[Figure: API traffic flow with self-hosted gateways]

Packaging and features

The self-hosted gateway is a containerized, functionally equivalent version of the managed gateway deployed to Azure as part of every API Management service. The self-hosted gateway is available as a Linux-based Docker container from the Microsoft Container Registry. It can be deployed to Docker, Kubernetes, or any other container orchestration solution running on a server cluster on premises, on cloud infrastructure, or, for evaluation and development purposes, on a personal computer.

The following functionality found in the managed gateway is not available in the self-hosted gateway:

  • Azure Monitor logs
  • Upstream (backend side) TLS version and cipher management
  • Validation of server and client certificates using CA root certificates uploaded to the API Management service. To add support for a custom CA, add a layer to the self-hosted gateway container image that installs the CA's root certificate.
  • Integration with Service Fabric
  • TLS session resumption
  • Client certificate renegotiation. This means that for client certificate authentication to work, API consumers must present their certificates as part of the initial TLS handshake. To ensure that, enable the negotiate client certificate setting when configuring a self-hosted gateway custom hostname.
  • Built-in cache. See this document to learn about using an external cache in self-hosted gateways.

Connectivity to Azure

Self-hosted gateways require outbound TCP/IP connectivity to Azure on port 443. Each self-hosted gateway must be associated with a single API Management service and is configured via its management plane. The self-hosted gateway uses connectivity to Azure for:

  • Reporting its status by sending heartbeat messages every minute
  • Regularly checking for (every 10 seconds) and applying configuration updates whenever they are available
  • Sending request logs and metrics to Azure Monitor, if configured to do so
  • Sending events to Application Insights, if set to do so

When connectivity to Azure is lost, the self-hosted gateway will be unable to receive configuration updates, report its status, or upload telemetry.

The self-hosted gateway is designed to "fail static" and can survive temporary loss of connectivity to Azure. It can be deployed with or without local configuration backup. In the former case, self-hosted gateways will regularly save a backup copy of the latest downloaded configuration on a persistent volume attached to their container or pod.

When configuration backup is turned off and connectivity to Azure is interrupted:

  • Running self-hosted gateways will continue to function using an in-memory copy of the configuration
  • Stopped self-hosted gateways will not be able to start

When configuration backup is turned on and connectivity to Azure is interrupted:

  • Running self-hosted gateways will continue to function using an in-memory copy of the configuration
  • Stopped self-hosted gateways will be able to start using a backup copy of the configuration

When connectivity is restored, each self-hosted gateway affected by the outage will automatically reconnect with its associated API Management service and download all configuration updates that occurred while the gateway was "offline".
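The fail-static behaviour described in this section, modelled as a small Python simulation added here (this is not code from the API Management gateway). The ControlPlane class, the SelfHostedGateway class and the temporary directory standing in for a persistent volume are constructed for the example; they reproduce the four outcomes above (running vs. stopped, backup on vs. off) and the reconnect-and-download step.

```python
import json
import os
import tempfile

class ControlPlane:
    """Stand-in management plane (constructed); fetch returns None while offline."""
    def __init__(self, config):
        self.config, self.online = config, True

    def fetch_config(self):
        return dict(self.config) if self.online else None

class SelfHostedGateway:
    """Hypothetical model of fail-static; backup_path=None means backup is off."""
    def __init__(self, plane, backup_path=None):
        self.plane, self.backup_path = plane, backup_path
        self.config = None  # in-memory copy, present only while running

    def _persist(self):
        if self.backup_path:  # backup on: keep the latest config on the volume
            with open(self.backup_path, "w") as f:
                json.dump(self.config, f)

    def start(self):
        """Start from Azure, else from the backup copy; otherwise refuse to start."""
        cfg = self.plane.fetch_config()
        if cfg is None and self.backup_path and os.path.exists(self.backup_path):
            with open(self.backup_path) as f:
                cfg = json.load(f)
        if cfg is None:
            return False
        self.config = cfg
        self._persist()
        return True

    def stop(self):
        self.config = None  # the in-memory copy does not survive a stop

    def sync(self):
        """Periodic check (every 10 s in the product); keep the in-memory copy on failure."""
        cfg = self.plane.fetch_config()
        if cfg is None:
            return False
        self.config = cfg
        self._persist()
        return True

def new_backup_path():
    # Simulates a persistent volume attached to the container (temp dir here)
    return os.path.join(tempfile.mkdtemp(), "gateway-config.json")
```

A stopped gateway without a backup volume cannot come back during an outage, so a restart (for example a pod eviction) turns a transient connectivity problem into an API outage; mounting a persistent volume for the backup is the mitigation.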

Next steps