Cloud API Gateway features and capabilities

Hi there,

Please, could anyone using Google Cloud API Gateway help me find the answers to these questions?

  • Is there any authentication service integration with Google API gateway (similar to Cognito and AWS API GW native integration)? I mean, if an external application is connecting to my Google API GW endpoints and it provides a valid JWT (User Access Token), will Google API GW check if this JWT is legit and still valid (by checking if the right auth provider signed it)?
  • Would it also have an API to revoke a JWT (even before its TTL is reached)? This would typically happen after a user logout or when our infoSec team detects some suspicious behavior. API GW authentication would be our first layer of protection.
  • Can API GW be stateless regarding JWT? I mean, by not being coupled (synchronously) to an authentication service, it can independently validate the JWT even if the authentication service is overloaded or out of service for a few minutes. 
  • Does it support API Keys (on top of user-generated JWTs) and rotation of these keys so that every Channel (Mobile APP, Partners, Web sites, etc.) could be easily identified and throttled?
  • Can we have some managed DDoS and WAF in front of our Google Cloud API GW?
  • Can we tag different APIs so that we can have a "chart of accounts" to distribute the API costs and generate statistics among different teams/services?
  • How quickly can Google API GW respond to traffic spikes? What are the hard limits (per GCP project/account)?
  • Can we add any "logic" to Google API GW? An example would be to check the payload (after JWT and API have been validated) and decide if it should call either microservice A or microservice B;
  • What else would we need to have to make our API globally resilient? For example, if REGION A is not available, we can (even if we need to do this manually) switch our endpoints to a different REGION B without changes to the client applications.
  • Is there any plan to have a developer portal that could be automatically generated by "reading" our Google Cloud API GW (or OAS files)?
  • Is there any plan to support OAS 3.0? As only 2.0 is officially supported at the moment; 
  • Is Google API GW going to be GCP's main API GW in the future? Will it replace (or be as fully featured as) APIGEE but keeping the Serverless design and low price as it does today?

Any help would be really appreciated! 

Thanks

1 ACCEPTED SOLUTION

Hi jfbaro, thanks for all these insightful questions! I'm actually one of the eng leads on API Gateway, so I may be able to clarify a few details for you.


[...] if an external application is connecting to my Google API GW endpoints and it provides a valid JWT (User Access Token), will Google API GW check if this JWT is legit and still valid (by checking if the right auth provider signed it)?


Yes, API Gateway will check that the JWT is valid by checking it against the public key provided in the API GW configuration file.

Would it also have an API to revoke a JWT (even before its TTL is reached)? This would typically happen after a user logout or when our infoSec team detects some suspicious behavior. API GW authentication would be our first layer of protection.


I may not understand the question, but I believe there is some misunderstanding of how API GW is validating JWTs: API GW will not cache the token at all; the token is validated for each request using a public key (the public key itself is cached of course). Part of verifying the JWT is checking the token's expiration -- if you want fast revocation, the Identity Provider (the entity signing the JWTs) must set a very short deadline such that clients need to refresh their tokens frequently. Revocation would then be performed at the Identity Provider such that abusive clients would be barred from getting tokens.

As further context, JWT-based authentication is very commonly performed using OIDC, which is a JWT-driven protocol that almost all identity providers implement.

Can API GW be stateless regarding JWT? I mean, by not being coupled (synchronously) to an authentication service, it can independently validate the JWT even if the authentication service is overloaded or out of service for a few minutes. 


Yes, in fact this is the only way it works; as I mentioned above, the authentication mechanism is to decode the token using a public key which will be exposed by the Identity Provider and asynchronously fetched by the Gateway and only refreshed as needed. As such, there are no synchronous external dependencies for JWT authentication.

Does it support API Keys (on top of user-generated JWTs) and rotation of these keys so that every Channel (Mobile APP, Partners, Web sites, etc.) could be easily identified and throttled?


It does support API Keys (which can be rotated by deletion/creation); however, the consumer management system for API Gateway (and Endpoints) is centered around GCP Projects. This makes it very useful for purely internal use cases (web/mobile app) but a poor fit for 3rd party API clients.

Can we have some managed DDoS and WAF in front of our Google Cloud API GW?


Yes - see Global Load Balancing for API Gateway.

Can we tag different APIs so that we can have a "chart of accounts" to distribute the API costs and generate statistics among different teams/services?


There are API consumer driven metrics and logs which in theory could be used to create such a dashboard, but this is not built into the product by any means.


How quickly can Google API GW respond to traffic spikes? What are the hard limits (per GCP project/account)?

There is not an official measurement of traffic spike; as a serverless product, it obviously scales up based on load but it is not intended for "walls of traffic" - anecdotally it can handle smooth ramp ups from 0 to 10k+ requests per second in about 1 minute.


Can we add any "logic" to Google API GW? An example would be to check the payload (after JWT and API have been validated) and decide if it should call either microservice A or microservice B;

No, this is not supported.

What else would we need to have to make our API globally resilient? For example, if REGION A is not available, we can (even if we need to do this manually) switch our endpoints to a different REGION B without changes to the client applications.


It is possible to deploy API Gateway in multiple regions and route to them using Global Load Balancing for API Gateway.

  • Is there any plan to have a developer portal that could be automatically generated by "reading" our Google Cloud API GW (or OAS files)?
  • Is there any plan to support OAS 3.0? As only 2.0 is officially supported at the moment; 
  • Is Google API GW going to be GCP's main API GW in the future? Will it replace (or be as fully featured as) APIGEE but keeping the Serverless design and low price as it does today?

For roadmap questions, you may want to follow up with sales and/or look into joining one of Google Cloud trusted tester groups.


Hope that helped!

-Josh
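The validation flow Josh describes above, written out as a small runnable model: the gateway fetches the provider's key once and caches it, then checks signature, issuer, audience and expiry locally on every request, so it keeps working while the IdP is down, and a token that the IdP has "revoked" is still accepted until its `exp` passes. This is an added example, not API Gateway's code or configuration. It uses HS256 with a constructed shared secret so that it runs on the standard library alone, whereas API Gateway verifies RS256/ES256 tokens against the IdP's public key; the issuer URL, audience, key id, subject names and timestamps are all constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Constructed stand-in for the IdP that signs JWTs.

    HS256 (shared secret) is used only so the example runs offline; the real
    gateway verifies against the IdP's public key, but the per-request checks
    in StatelessGateway are the same. Revocation lives here, at issue time.
    """

    def __init__(self, issuer: str, key_id: str, secret: bytes, ttl_seconds: int):
        self.issuer = issuer
        self.key_id = key_id
        self.secret = secret
        self.ttl = ttl_seconds
        self.revoked_subjects: set = set()
        self.online = True

    def published_keys(self) -> dict:
        # Analogue of the JWKS document the gateway fetches asynchronously.
        if not self.online:
            raise ConnectionError("identity provider unreachable")
        return {self.key_id: self.secret}

    def issue(self, subject: str, audience: str, now: int) -> str:
        # A revoked subject cannot obtain or refresh a token; tokens already
        # issued are untouched, which is why short TTLs matter.
        if subject in self.revoked_subjects:
            raise PermissionError(f"{subject} is revoked; refresh denied")
        header = {"alg": "HS256", "typ": "JWT", "kid": self.key_id}
        payload = {"iss": self.issuer, "sub": subject, "aud": audience,
                   "iat": now, "exp": now + self.ttl}
        signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                         b64url_encode(json.dumps(payload).encode()))
        sig = hmac.new(self.secret, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)

    def revoke(self, subject: str) -> None:
        self.revoked_subjects.add(subject)


class StatelessGateway:
    """Validates every request locally: cached key, signature, iss, aud, exp."""

    def __init__(self, issuer: str, audience: str, key_source):
        self.issuer = issuer
        self.audience = audience
        self._key_source = key_source
        self._keys = None  # filled on first use, refreshed only as needed

    def _keys_cached(self) -> dict:
        if self._keys is None:
            self._keys = self._key_source()  # the only call that touches the IdP
        return self._keys

    def authenticate(self, token: str, now: int) -> tuple:
        """Return (accepted, subject_or_reason). No per-request IdP call."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        try:
            header = json.loads(b64url_decode(parts[0]))
            payload = json.loads(b64url_decode(parts[1]))
            signature = b64url_decode(parts[2])
        except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
            return False, "malformed token"
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
            return False, "unsupported alg"
        key = self._keys_cached().get(header.get("kid"))
        if key is None:
            return False, "unknown kid"
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if payload.get("iss") != self.issuer:
            return False, "wrong issuer"
        aud = payload.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return False, "wrong audience"
        if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
            return False, "expired"
        return True, payload["sub"]


def revocation_timeline(ttl_seconds: int = 300) -> dict:
    """Constructed timeline showing what the gateway decides at each step."""
    idp = IdentityProvider("https://idp.example.test", "k1", b"constructed-secret", ttl_seconds)
    gw = StatelessGateway("https://idp.example.test", "orders-api", idp.published_keys)
    t0 = 1_700_000_000
    token = idp.issue("alice", "orders-api", t0)
    results = {"fresh": gw.authenticate(token, t0 + 1)[0]}        # key fetched and cached here
    idp.revoke("alice")                                             # infosec flags alice
    idp.online = False                                              # and the IdP goes down
    results["after_revoke_idp_down"] = gw.authenticate(token, t0 + 60)[0]   # still accepted
    results["after_exp"] = gw.authenticate(token, t0 + ttl_seconds)[0]     # rejected: expired
    idp.online = True
    try:
        idp.issue("alice", "orders-api", t0 + ttl_seconds)          # refresh is where revocation bites
        results["refresh_denied"] = False
    except PermissionError:
        results["refresh_denied"] = True
    parts = token.split(".")
    forged = ".".join([parts[0], b64url_encode(json.dumps({"sub": "mallory"}).encode()), parts[2]])
    results["tampered"] = gw.authenticate(forged, t0 + 1)[0]        # rejected: bad signature
    return results


if __name__ == "__main__":
    print(revocation_timeline())
```

The `after_revoke_idp_down` entry is the point Josh makes: the gateway has no way to learn about the revocation, so the window in which a flagged token keeps working is exactly the token's remaining lifetime, and the only lever is the TTL the IdP chooses.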


4 REPLIES

I'd like to hear the answers to these questions myself. It's a pity that these questions have not been answered by someone from Google.

From my experience with API Gateway, the functionality is quite limited.

Authentication methods supported are API keys and self-signed JWTs. There is some work to do on the client side to create the self-signed JWT, a process that requires a service account key file. A JWT can be revoked before TTL by deleting the key associated with the service account. I believe that API Gateway will validate and cache the validity of a JWT every 5 mins, so there might be some lag between deleting the key and the JWT becoming invalid.

There is no option that I'm aware of to implement logic in API Gateway before forwarding a request to a microservice. This would need to be done by a backend "proxy" or router, e.g. Cloud Function.

There are some features that I'm missing:

Hoping for a response here from someone who has answers!

-> Monetization features are very limited.

     The postpaid system is incomplete and useful; you need to make every single integration yourself and also use your own billing and subscription system to maintain it.
-> The support team is not good, the documentation is not good for monetization, and there are multiple bugs in the management APIs.


Hi @josheinhorn

Thanks for your message, just a quick question:

Does it support API Keys (on top of user-generated JWTs) and rotation of these keys so that every Channel (Mobile APP, Partners, Web sites, etc.) could be easily identified and throttled?

It does support API Keys (which can be rotated by deletion/creation); however, the consumer management system for API Gateway (and Endpoints) is centered around GCP Projects. This makes it very useful for purely internal use cases (web/mobile app) but a poor fit for 3rd party API clients.

Is there a GCP product that you would recommend for this particular use case (3rd party APIs)?

Many thanks

Ben