API Gateways: Netflix OSS Zuul vs Spring Cloud Gateway

Sandeep Kumar
7 min read · Oct 6, 2022

Introduction

An API Gateway is a Layer 7 (L7) network traffic gateway which provides a simple yet effective way to route APIs based on configuration and to apply various cross-cutting concerns to APIs, such as security, monitoring & metrics, and resiliency.

An API Gateway can provide the following features:

  • Security — Various types of security mechanism can be implemented at the Gateway level, like:

A. Authorization: API authorization is a cross-cutting concern which protects APIs against unauthorized access. It can be implemented in various ways, like JSON Web Token (JWT) / JSON Web Encryption (JWE) token-based authorization, TLS certificate-based authorization, basic key-and-secret-based authorization, etc.

B. Rate Limiting: Rate limiting is a mechanism used to protect against Distributed Denial of Service (DDoS) attacks. In a DDoS attack an attacker uses bots / automated agents to generate a huge volume of traffic against APIs. Putting a rate limit on the API protects the server and its resources from being exhausted by that traffic.

C. Intrusion Protection: Intrusion protection mechanisms are implemented to protect against Brute Force Attacks (BFAs). In a BFA, the attacker generates candidate access keys / secrets / passwords and tries to access the API in the hope of guessing the correct secret.

D. Cross-Site Scripting (XSS) Protection: In an XSS attack, the attacker submits malicious script code as part of the API input and tries to steal data from or disrupt the API servers with that malicious code.

E. Others: Several other types of protection can easily be implemented at the Gateway level, like mutual SSL, hostname validation, request input validation / SQL injection protection, etc.

  • Traffic Routing — Traffic routing is the most important responsibility of an API Gateway. Routing is performed based on traffic filtering, which is done using predicates: all traffic lands on the API Gateway, is filtered based on the configured predicates, and is routed to the configured destination. There are two types of routing:

A. Static Routing: In static routing, routes are pre-configured in the API Gateway configuration; for example, traffic for the context /product/* is routed to product-service/*. Other kinds of static routes can be based on headers or other request parameters.

B. Dynamic Routing: In dynamic routing the target is decided at run time by an algorithm. For example, edge routing works on the request's geo-location: if the traffic originates in the US, it is routed to the US instance of the application service so that it can be served faster. Another example of dynamic routing: if a service is failing continuously, traffic to it can be withheld and routed to a responsive API backend instead.

  • Common Activities — API Gateways are also used for common cross-cutting activities (actions that need to be performed for all APIs). Below are some common activities:

A. Common Exception Handling: Common exception handling maintains standardization across the APIs and gives a single point of maintenance.

B. CORS Validation: Origin validation can be implemented at the API Gateway level.

C. Request / Response Enhancement: There may be a requirement to enhance the request or response, like adding a trace id to requests before routing them to the API backend service so that failures can be tracked when a request is served by multiple services.

  • Monitoring & Insight — API Gateways can implement monitoring and insight logic very easily. Each access can be logged, the time taken to serve a request can be recorded, and various other types of metrics can be obtained.

API Gateways are very useful and make API development easier by handling cross-cutting concerns at their own level.

Below is a typical placement of an API Gateway in a micro-services based application:
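As an added example (not code from the article or from the linked project), the security-related cross-cutting concerns above expressed as a Spring Cloud Gateway configuration in Java: key-and-secret authorization with a constant-time comparison, per-client rate limiting backed by Redis, and CORS origin validation. The package, header names, origin and API key are constructed assumptions, and the rate limiter needs spring-boot-starter-data-redis-reactive on the classpath. One caveat a practitioner wants: the rate-limit key is the client address, so behind a load balancer it must be resolved from a trusted number of X-Forwarded-For hops, otherwise a caller can choose its own bucket.

```java
package com.example.gateway; // constructed package, not the article's project

import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Set;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.cloud.gateway.filter.ratelimit.KeyResolver;
import org.springframework.cloud.gateway.filter.ratelimit.RedisRateLimiter;
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.cloud.gateway.support.ipresolver.XForwardedRemoteAddressResolver;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.http.HttpStatus;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Configuration
public class EdgeSecurityConfig {
    static final String API_KEY_HEADER = "X-Api-Key"; // assumed header name
    static final Set<String> API_KEYS = Set.of("demo-key-0123456789abcdef"); // constructed; load from a secret store in practice

    // Resolve the client IP trusting exactly one proxy hop of X-Forwarded-For;
    // with no trusted-hop limit a caller could spoof the header and pick its own bucket.
    private final XForwardedRemoteAddressResolver addressResolver =
            XForwardedRemoteAddressResolver.maxTrustedIndex(1);

    @Bean
    public KeyResolver clientIpKeyResolver() {
        return exchange -> {
            InetSocketAddress addr = addressResolver.resolve(exchange);
            return Mono.just(addr == null ? "unknown" : addr.getAddress().getHostAddress());
        };
    }

    @Bean
    public RedisRateLimiter productRateLimiter() {
        // Token bucket per key: 10 requests/second sustained, bursts up to 20.
        return new RedisRateLimiter(10, 20);
    }

    @Bean
    public RouteLocator routes(RouteLocatorBuilder builder, RedisRateLimiter limiter, KeyResolver keyResolver) {
        return builder.routes()
                // Static route: /product/** -> product-service, rate limited per client IP.
                .route("product", r -> r.path("/product/**")
                        .filters(f -> f.requestRateLimiter(c -> c
                                .setRateLimiter(limiter)
                                .setKeyResolver(keyResolver)))
                        .uri("lb://product-service"))
                .build();
    }

    @Bean
    public CorsWebFilter corsWebFilter() {
        // CORS validation at the edge: only the listed origin may call from a browser.
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com")); // constructed origin
        config.setAllowedMethods(List.of("GET", "POST"));
        config.setAllowedHeaders(List.of("Content-Type", API_KEY_HEADER));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return new CorsWebFilter(source);
    }

    @Bean
    public GlobalFilter apiKeyFilter() {
        return new ApiKeyFilter();
    }

    // Key-and-secret authorization: requests without a known key get 401 before any route runs.
    static class ApiKeyFilter implements GlobalFilter, Ordered {
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
            String presented = exchange.getRequest().getHeaders().getFirst(API_KEY_HEADER);
            if (presented == null || !isKnownKey(presented)) {
                exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
                return exchange.getResponse().setComplete();
            }
            return chain.filter(exchange);
        }

        // Compare against every configured key in constant time, so response timing
        // does not reveal how many leading bytes of a guessed key were right.
        static boolean isKnownKey(String presented) {
            byte[] p = presented.getBytes(StandardCharsets.UTF_8);
            boolean match = false;
            for (String k : API_KEYS) {
                match |= MessageDigest.isEqual(p, k.getBytes(StandardCharsets.UTF_8));
            }
            return match;
        }

        @Override
        public int getOrder() { return Ordered.HIGHEST_PRECEDENCE; }
    }
}
```

The CORS filter is a plain WebFlux WebFilter, so it runs before the gateway's global filters and answers browser preflight requests itself; the API-key filter therefore only ever sees real calls. The rate limiter is a bean rather than a `new` inside the route because Spring Cloud Gateway injects its Redis template into the bean at start-up.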

Figure 1: Depicts placement and uses of API Gateways

There are various API Gateways available from different vendors. For Java developers, two well-known open-source API Gateways (Spring Cloud Gateway and Netflix OSS Zuul) are available which can be configured very easily. Both support a rich set of features and can be extended with custom functionality written in Java. We will compare both in the subsequent section.

Netflix OSS Gateway vs Spring Cloud Gateway

Before comparing both, let’s collect important information about these gateways:

Netflix OSS Gateway

Zuul — Zuul is an API Gateway developed by Netflix Open Source Software (OSS). It is the primary gateway for Netflix and has also been provided as an open-source project. Zuul was initially developed on Servlet 2.5, which made it a good gateway solution for Servlet-based / blocking APIs.

Zuul has also been upgraded to a new version called Zuul 2, which is based on the Netty server and supports a reactive request processing model. Below is a diagram of the Zuul 2 architecture:

Figure 2: Depicting Zuul2 Gateway Architecture

Zuul 2 has great support for reactive programming, with the features below:

  • supports a rich set of filters and self-service routing — rules can be created on any criteria in the request URL, path, query params or headers.
  • full support for HTTP/2 connections
  • Mutual TLS support — can implement TLS and secure the traffic
  • tracks life-cycle events of each request — listeners can be attached to request events and actions performed on them.
  • intelligent load-balancing — able to route around failures, slowness and GC issues to increase resiliency, availability and quality of service. It works together with a discovery service which keeps track of the health of business services:
    1. Cold instances — a new instance is routed a reduced amount of traffic for some time, until it has warmed up.
    2. Error detection — Zuul detects 5xx response codes and the error rate from each origin service; if the error rate is high, the service is considered to be in trouble and action is taken to reduce traffic to it.
    3. Utilization — Zuul observes signals about service utilization and, based on utilization metrics, throttles traffic to an overloaded service.
  • configurable routing — routes can be created through YAML-based configuration

Below are features which are implemented in Zuul 2 but are yet to be provided as open source:

  • WebSocket and SSE support
  • Throttling and rate-limiting
  • Brownout filters — for disabling certain CPU-intensive features when Zuul is overloaded
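As an added example that is not part of the article or of Netflix's code, a Zuul 2 inbound filter written against the HttpInboundSyncFilter base class used by the zuul-sample project; the package, header names and filter order are constructed assumptions. It shows the request-enhancement use from the feature list in the form a defender usually needs it: strip any client-supplied copies of headers that only the gateway is allowed to set, then set them from the connection itself, so origin services never act on a spoofed client address or trace id.

```java
package com.example.zuul.filters; // constructed package, not Netflix's or the article's code

import java.util.UUID;

import com.netflix.zuul.filters.http.HttpInboundSyncFilter;
import com.netflix.zuul.message.Headers;
import com.netflix.zuul.message.http.HttpRequestMessage;

/**
 * Inbound filter run on every request before routing. Zuul calls shouldFilter()
 * and then apply() synchronously on the Netty event loop, so the work done here
 * must stay cheap and non-blocking.
 */
public class TrustBoundaryHeaderFilter extends HttpInboundSyncFilter {

    // Assumed header names for this example.
    static final String CLIENT_IP_HEADER = "X-Client-Ip";
    static final String TRACE_HEADER = "X-Trace-Id";

    @Override
    public int filterOrder() {
        return 10; // low number: runs before routing and most other inbound filters
    }

    @Override
    public boolean shouldFilter(HttpRequestMessage msg) {
        return true; // applies to all traffic
    }

    @Override
    public HttpRequestMessage apply(HttpRequestMessage request) {
        Headers headers = request.getHeaders();
        // Drop whatever the client sent for gateway-owned headers. If they were
        // forwarded as-is, a caller could impersonate another address or inject a
        // trace id that collides with another request's.
        headers.remove(CLIENT_IP_HEADER);
        headers.remove(TRACE_HEADER);
        // Re-set them from what the gateway itself observed on the connection.
        headers.set(CLIENT_IP_HEADER, request.getClientIp());
        headers.set(TRACE_HEADER, UUID.randomUUID().toString());
        return request;
    }
}
```

The same remove-then-set pattern applies to any header a backend treats as trusted (forwarded-for, forwarded-proto, internal role or tenant headers): the gateway is the trust boundary, so it must be the only writer of those values.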

Spring Cloud Gateway

Spring Cloud Gateway is a relatively new project developed under the ‘Spring Cloud’ umbrella. It is inspired by the Zuul Gateway and is built on reactive programming on top of Spring WebFlux. It provides features like:

  • Rich set of predicates and filters — provides various predicates like path, cookie, time, header, host, method, query, remote address, weight, etc. Similarly, it provides a number of filters like Add/Set/Remove/Map Request/Response Headers, Set Status, Redirect, Rewrite Path, etc.
  • Circuit breakers — supports circuit breakers based on time, with redirection to a fallback on failure
  • TLS & SSL — TLS and SSL can be configured for the Gateway and for the HTTP client inside the Gateway
  • Route Metadata — routes can be configured with metadata which can be utilized for further processing
  • Easy integration with discovery service and load balancing
  • Easy metrics with Actuator
  • Easy cache implementation
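As an added example (not the article's or the linked project's code), the predicates and filters listed above composed with the Spring Cloud Gateway Java route DSL: a path-and-method route that rewrites its path and adds a response header, a header-based version route, a weighted canary split, a circuit-breaker route whose failures are redirected to a local fallback, and route metadata. Service names, header names and the package are constructed assumptions; the circuit breaker needs spring-cloud-starter-circuitbreaker-reactor-resilience4j on the classpath.

```java
package com.example.gateway; // constructed package, not the article's project

import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Mono;

@Configuration
public class RoutingConfig {

    @Bean
    public RouteLocator routes(RouteLocatorBuilder builder) {
        return builder.routes()
                // Static route: path + method predicates; /orders/x becomes /x at the backend.
                .route("orders", r -> r.path("/orders/**")
                        .and().method(HttpMethod.GET, HttpMethod.POST)
                        .filters(f -> f.rewritePath("/orders/(?<rest>.*)", "/${rest}")
                                .addResponseHeader("X-Content-Type-Options", "nosniff"))
                        .uri("lb://order-service")
                        .metadata("owner", "orders-team")) // route metadata, readable by custom filters
                // Header predicate: only clients sending X-Api-Version: 2 reach the new backend.
                .route("catalog-v2", r -> r.path("/catalog/**")
                        .and().header("X-Api-Version", "2")
                        .uri("lb://catalog-v2"))
                // Weighted routing: 9 of 10 /search requests to stable, 1 to the canary.
                .route("search-stable", r -> r.weight("search", 9).and().path("/search/**")
                        .uri("lb://search-service"))
                .route("search-canary", r -> r.weight("search", 1).and().path("/search/**")
                        .uri("lb://search-service-canary"))
                // Dynamic routing around failure: once the breaker opens, requests are
                // forwarded to the local fallback instead of the failing service.
                .route("inventory", r -> r.path("/inventory/**")
                        .filters(f -> f.circuitBreaker(c -> c.setName("inventoryCb")
                                .setFallbackUri("forward:/fallback/inventory")))
                        .uri("lb://inventory-service"))
                .build();
    }

    // Fallback endpoint served by the gateway itself; mapped for any HTTP method
    // because the forward keeps the original request's method.
    @RestController
    static class FallbackController {
        @RequestMapping("/fallback/inventory")
        public Mono<ResponseEntity<String>> inventoryFallback() {
            return Mono.just(ResponseEntity.status(HttpStatus.SERVICE_UNAVAILABLE)
                    .body("{\"error\":\"inventory temporarily unavailable\"}"));
        }
    }
}
```

Routes are matched in the order they are declared, so the two weighted routes must share the same group name and the same path predicate for the split to apply; the "lb://" scheme resolves each service name through the discovery client and load balancer mentioned in the feature list.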

The diagram below depicts the Spring Cloud Gateway architecture:

Figure 3: Spring Cloud Gateway & its components depiction with request & response flow

Follow the GitHub link for a Spring Cloud Gateway implementation in Kotlin: https://github.com/siddhivinayak-sk/kotlin-projects/tree/master/sk-gateway

Let’s compare them on various factors:

  • Origin: Zuul was developed by Netflix OSS as an open-source project, very early on with Servlet 2.5 support as Zuul 1. Now the Netflix OSS team has also provided Zuul 2, which is based on Netty and supports the reactive model. Spring Cloud Gateway was developed by the Spring team, inspired by Zuul, on top of Spring WebFlux, which has supported reactive programming from the beginning.
  • Filter & Predicate: Both support a rich set of filters and predicates. However, some filters, like the rate limiter, are yet to be delivered by Zuul 2 as open source.
  • Performance: Based on the comparison and its results, Zuul has comparatively higher performance. Refer link.
  • Spring Adaptation: Since Spring Cloud itself now provides a gateway, Zuul has been removed from the Spring Cloud gateway component list. Now start.spring.io lists Spring Cloud Gateway as the gateway component.
  • Communication technology support: WebSocket & SSE support is yet to be provided by Zuul 2, while Spring Cloud Gateway provides full support for these.

Apart from the above points, both serve the same purpose. Both can be enriched by adding custom filters, predicates and functionality.

Conclusion

API Gateways are an essential tool for implementing cross-cutting concerns, especially in micro-services based applications. They provide predicate- and rule-based traffic routing along with additional processing capabilities.

Both Netflix OSS Zuul and Spring Cloud Gateway provide similar routing and filter support. Both (Zuul as of Zuul 2) support the reactive programming model and non-blocking API calls.

Although Zuul 2 has good support otherwise, SSE and WebSocket support is yet to be provided (as per its documentation).


Sandeep Kumar

Sandeep Kumar holds a Master of Computer Application degree and works as a Technical Architect with 11+ years of working experience in the banking, retail and education domains.