I'm creating an AKS cluster, and I want to use an API gateway (Ocelot) to route and authenticate requests towards containers (microservices) behind the gateway. My question is how to achieve this? I know I must deploy the Ocelot API gateway inside a node, but I don't know how I will configure all traffic to go through the API gateway. I can't find an example or directions that could help me. What steps do I need to take? Or is there maybe a better way of accomplishing the desired scenario?

user1598696
  • "Can't find an example or directions that could help me" A simple Google search will get you to https://learn.microsoft.com/en-us/dotnet/architecture/microservices/multi-container-microservice-net-applications/implement-api-gateways-with-ocelot and this https://ocelot.readthedocs.io/en/latest/features/kubernetes.html – CSharpRocks Nov 14 '20 at 12:46
  • @CSharpRocks I already read that. It's not 100% clear how to do this, that's why I'm asking; for example, should I use Ingress, or is using Network Policy just enough? – user1598696 Nov 15 '20 at 19:55
  • I want that no microservice is directly accessible except through API gateway – user1598696 Nov 15 '20 at 20:24

1 Answer

If you use Ocelot as an API Gateway, you must create a .NET project with a configuration file for the routes you want to use. You then deploy this with a Deployment inside your cluster along with the containers running your APIs and front your API Gateway with a ClusterIP service. At this point, you should test internally if the calls are routed properly from the ClusterIP to the API Gateway and to your APIs. You can then expose your API Gateway on the Internet using either a Load Balancer service, an Ingress controller or Azure Application Gateway.

Another way is not to use an Ocelot API Gateway at all by using an Ingress controller and configuring the routes directly in it.

CSharpRocks
  • Thanks for helping, I already have the Ocelot app ready, I just don't know how to implement that in the Kubernetes cluster. By default, all pods are accessible from the Internet right? So I want to expose only Ocelot API Gateway. For that, I need to use Network policy Calico or Azure, have I got it right? (or make the whole cluster private - but this looks too complicated from the networking side) – user1598696 Nov 15 '20 at 20:37
  • "By default, all pods are accessible from the Internet right?" No, it's the opposite. – CSharpRocks Nov 15 '20 at 20:40
  • Are you sure? By default, pods are non-isolated; they accept traffic from any source / https://kubernetes.io/docs/concepts/services-networking/network-policies/ – user1598696 Nov 15 '20 at 20:48
  • Look at this: https://www.youtube.com/watch?v=131_TIa_ftI&feature=youtu.be&t=38 – user1598696 Nov 15 '20 at 20:51
  • The K8s network is a flat network so yes, internally, all pods see each other by default. – CSharpRocks Nov 15 '20 at 21:28
  • Is that a yes for "pods are accessible from the Internet" or pods are not accessible from the internet by default? – user1598696 Nov 15 '20 at 21:40
  • Yes for "pods are not accessible from the internet by default". – CSharpRocks Nov 15 '20 at 21:53
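
The layout the answer above describes, as added example manifests that are not from the original posts: only the gateway gets a LoadBalancer Service, the microservice keeps a ClusterIP Service, and a NetworkPolicy closes the in-cluster path so backend pods accept traffic from the gateway pods only. The namespace `shop`, the `orders` service, the labels and port 80 are assumptions; the policy is enforced only if the AKS cluster was created with a network policy option (Azure or Calico).

```yaml
# Assumed names: namespace "shop", labels app=ocelot-gateway / tier=backend, port 80.
# Only the gateway gets an externally reachable Service.
apiVersion: v1
kind: Service
metadata:
  name: ocelot-gateway
  namespace: shop
spec:
  type: LoadBalancer
  selector:
    app: ocelot-gateway
  ports:
    - port: 80
---
# Each microservice stays on a ClusterIP Service: no address outside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: orders
  namespace: shop
spec:
  type: ClusterIP
  selector:
    app: orders
  ports:
    - port: 80
---
# Pods accept traffic from any other pod by default. This policy selects every
# pod labelled tier=backend and allows ingress from the gateway pods only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-from-gateway-only
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: ocelot-gateway
      ports:
        - protocol: TCP
          port: 80
```

The microservice pod templates must carry the `tier: backend` label for the policy to select them; the gateway pods are not selected by any policy here, so they keep accepting traffic from the load balancer.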