D22 maintenance mode api gateway

2023 iThome 鐵人賽

DAY 22

DevOps

SRE/K8S 碎碎念系列第 22 篇

15th鐵人賽

嗷嗷嗷

2023-10-07 09:33:11

276 瀏覽

分享至

來談談看 API Gateway

可行性

建立一個連接原本 API 服務的 API Gateway
1. APIs → create resource → create method → Any → HTTP → Proxy integration → 選擇 ALB
2. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-http.html
建立客製化 error response
1. left panel → gateway response → 401→ Override Status Code → 500
  1. Response Body Mapping Template →
```
{
    "error": "maintenance mode"
}
```

建立 resource policy

我們會拒絕 "192.168.1.0/24", "10.0.0.0/16" 來的流量，如此他們就會看到特定回應


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/{{stageNameOrWildcard}}/{{httpVerbOrWildcard}}/{{resourcePathOrWildcard}}",
            "Condition" : {
                "IpAddress": {
                    "aws:SourceIp": [ "192.168.1.0/24", "10.0.0.0/16" ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/{{stageNameOrWildcard}}/{{httpVerbOrWildcard}}/{{resourcePathOrWildcard}}"
        }
    ]
}

調整 Route 53 的設定 → 原本是直接 ALB，改成先到 api gateway
1. 注意，我們專案有三種子網域，都是連接到 ALB，再由 header 去做判斷
  1. api.abc.com
  2. ccc.abc.com
  3. ggg.abc.com

操作及維護性
1. set the DNS record to route traffic the API GW REST API, instead of the EKS Load Balancer directly.
費用
1. Free tier: 100 萬次 REST API 呼叫接收 | 100 萬次 HTTP API 呼叫接收 | 100 萬則訊息 | 750,000 連線分鐘
2. 只計算 API 呼叫
  1. 前 3 億萬個，每百萬 1.29 USD