Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Spring Cloud Gateway: Resilience, Security, and Observability

Thomas Vitale
May 12, 2022
Technology
1
270

Spring Cloud Gateway: Resilience, Security, and Observability

Do you want to use a microservices architecture? Are you looking for a solution to manage access to single services from clients? How can you ensure resilience and security for your entire system? Spring Cloud Gateway is a project based on Reactor, Spring WebFlux, and Spring Boot which provides an effective way to route traffic to your APIs and address cross-cutting concerns.

In this session, I'll show you how to configure an API gateway to route traffic to your microservices architecture and implement solutions to improve the resilience of your system with patterns like circuit breakers, retries, fallbacks, and rate limiters using Spring Cloud Circuit Breaker and Resilience4J. Since the gateway is the entry point of your system, it’s also an excellent candidate to implement security concerns like user authentication. I'll show you how to do that with Spring Security, OAuth2, and OpenID Connect, relying on Spring Redis Reactive to manage sessions. Finally, I'll show you how to improve the observability of your system using Spring Boot Actuator and Spring Cloud Sleuth and relying on the Grafana stack.

Thomas Vitale

May 12, 2022
Tweet

More Decks by Thomas Vitale

See All by Thomas Vitale
Next-Generation Cloud Native Apps with Spring Boot 3
thomasvitale
0
100
Developer Experience with Spring Boot on Kubernetes
thomasvitale
0
26
Multitenant Mystery - Only Rockers in the Building
thomasvitale
1
110
Developer Experience with Java on Kubernetes
thomasvitale
0
23
Observability and Efficiency with Spring Boot 3
thomasvitale
0
63
Paved Paths to Production – There and Back Again
thomasvitale
1
73
A Paved Path to Production on Kubernetes
thomasvitale
1
84
Spring Cloud Gateway: Resilience, Security, and Observability (Golden Path to SpringOne 2023)
thomasvitale
0
99
Kustomize
thomasvitale
0
19

Other Decks in Technology

See All in Technology
Go1.20からサポートされるtree構造のerrの紹介と、treeを考慮した複数マッチができるライブラリを作った話/introduction of tree structure err added since go 1_20
convto
0
180
[DevDojo] 成功するスクラムチームとは
mercari
PRO
0
100
ユーザーストーリーマッピング
kawaguti
PRO
4
860
WOFFの紹介
mmclsntr
0
120
GLOBIS データサイエンスチームのご紹介/ GLOBIS Data Science Team is hiring.
globis_gdp
0
1.9k
Por que testes de unidade não são suficientes para seus microsserviços
rponte
1
1.2k
高速な深層学習モデルアーキテクチャ2023
yu4u
2
1.5k
とあるQAエンジニアが、マイクロサービスの開発チームと、出会ったーー / Scrum Fest Niigata 2023
yoyakoba
0
170
新リリース:microCMSテンプレート
microcms
1
710
モノリスからの脱却に向けた 物流システムリプレイスの概要紹介 / Towards Decentralized Logistics System Replacement from Monolithic Structure
yumayabe
0
310
LLMの普及による機械学習の民主化とMLPdMの重要性 / democratization-of-ml-and-importance-of-mlpdm-by-llm
yuya4
2
2.6k
食べログChatGPTプラグイン導入で見えてきた未来:データサイエンティストの向き合い方
moritama1515
PRO
3
420

Featured

See All Featured
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.3k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
For a Future-Friendly Web
brad_frost
166
8k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
50k
Building an army of robots
kneath
300
41k
Designing with Data
zakiwarfel
92
4.3k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
29k
Robots, Beer and Maslow
schacon
154
7.5k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
183
15k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Building Your Own Lightsaber
phodgson
96
5k

Transcript

  1. Thomas Vitale
    Devoxx UK
    May 12th, 2021
    Spring Cloud Gateway
    Resilience, Security, and Observability
    @vitalethomas

    View Slide

  2. Systematic
    • Software Architect at
    Systematic, Denmark.

    • Author of “Cloud Native Spring
    in Action” (Manning).

    • Spring Security and Spring
    Cloud contributor.
    Thomas Vitale
    thomasvitale.com @vitalethomas

    View Slide

  3. API Gateway
    thomasvitale.com @vitalethomas

    View Slide

  4. Scenarios
    Di
    ff
    erent clients need
    di
    ff
    erent APIs
    Cross-cutting concerns in
    distributed systems
    Uni
    fi
    ed interface for
    microservices
    Strangling the monolith
    thomasvitale.com @vitalethomas

    View Slide

  5. $FFRXQW6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJPHPEHUV
    DFFRXQWV
    /RDQ6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJERRNORDQV
    /LEUDU\
    >6RIWZDUH6\[email protected]
    8VHV
    >5([email protected]
    8VHV
    >5([email protected]
    (GJH6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHV$3,JDWHZD\DQG
    FURVVFXWWLQJFRQFHUQV
    8VHU
    >[email protected]

    $PHPEHURIWKH/LEUDU\
    8VHV
    %RRN6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJWKHOLEUDU\ERRNV
    8VHV
    >5([email protected]

    View Slide

  6. Reactive Spring
    thomasvitale.com @vitalethomas

    View Slide

  7. Thread-per-request
    thomasvitale.com @vitalethomas
    7KUHDG3RRO
    ,QWHQVLYH
    2SHUDWLRQ
    7KUHDG
    7KUHDG
    7KUHDG
    5HTXHVW
    5HTXHVW
    5HTXHVW
    %ORFNLQJ
    ZDLWIRUUHVXOW
    2QHWKUHDG
    SHUUHTXHVW

    View Slide

  8. Event Loop
    thomasvitale.com @vitalethomas
    ,QWHQVLYH
    2SHUDWLRQ
    1RQ%ORFNLQJ
    QRQZDLWLQJIRUUHVXOW
    -XVWDIHZWKUHDGV
    SURFHVVLQJPXOWLSOH
    UHTXHVWV
    (YHQW/RRS
    (YHQW4XHXH
    5HTXHVW5HVSRQVH
    VFKHGXOH
    HYHQW
    UHJLVWHU
    FDOOEDFN
    RSHUDWLRQ
    FRPSOHWH
    WULJJHU
    FDOOEDFN

    View Slide

  9. thomasvitale.com @vitalethomas

    View Slide

  10. Routing
    thomasvitale.com @vitalethomas

    View Slide

  11. The Architecture
    thomasvitale.com @vitalethomas

    View Slide

  12. Observability
    thomasvitale.com @vitalethomas

    View Slide

  13. grafana.com

    View Slide

  14. View Slide

  15. Monitoring and management
    thomasvitale.com @vitalethomas
    Operating applications in production
    Spring Boot Actuator
    ‣Health (liveness and readiness)


    ‣Metrics (Prometheus, OpenMetrics)


    ‣Flyway, Thread Dumps, Heap Dumps
    Spring Cloud Sleuth


    (Micrometer Tracing)
    ‣Distributed tracing


    ‣Instrumentation


    ‣OpenZipkin and OpenTelemetry

    View Slide

  16. Resilience
    thomasvitale.com @vitalethomas

    View Slide

  17. Retry
    thomasvitale.com @vitalethomas

    View Slide

  18. Retry
    thomasvitale.com @vitalethomas
    %RRN5RXWH 5HWU\ %RRN&RQWUROOHU
    (GJH6HUYLFH %RRN6HUYLFH
    W W W
    6HQG+773UHTXHVW
    5HFHLYH+773HUURU
    5HWU\+773UHTXHVW
    5HFHLYH+773HUURU
    5HWU\+773UHTXHVW
    5HFHLYHVXFFHVVIXOO+773UHVSRQVHDIWHUVHFRQGUHWU\DWWHPSW

    View Slide

  19. Request Rate Limiter
    thomasvitale.com @vitalethomas

    View Slide

  20. Rate Limiter
    thomasvitale.com @vitalethomas
    https://stripe.com/blog/rate-limiters

    View Slide

  21. Circuit Breaker
    thomasvitale.com @vitalethomas

    View Slide

  22. Circuit Breaker
    thomasvitale.com @vitalethomas
    &/26('
    +$/)B23(1
    23(1
    7ULSEUHDNHUZKHQ
    IDLOXUHUDWHDERYH
    WKUHVKROG
    $WWHPSWUHVHWDIWHU
    ZDLWGXUDWLRQ
    7ULSEUHDNHUDIWHU
    IDLOXUHUDWHDERYH
    WKUHVKROG
    5HVHWEUHDNHUZKHQ
    IDLOXUHUDWHEHORZ
    WKUHVKROG

    View Slide

  23. Time Limiter
    thomasvitale.com @vitalethomas

    View Slide

  24. Time Limiter and Fallback
    thomasvitale.com @vitalethomas
    %RRN5RXWH
    7LPH/LPLWHU
    )DOOEDFN
    7LPH/LPLWHU %RRN&RQWUROOHU
    (GJH6HUYLFH %RRN6HUYLFH
    W W W W
    6HQG+773UHTXHVW
    D5HFHLYHVXFFHVVIXOO+773UHVSRQVHZLWKLQWKHWLPHOLPLW
    E7KURZH[FHSWLRQZKHQWLPHRXWH[SLUHVDQGQRIDOOEDFNGHILQHG
    F5HWXUQIDOOEDFNZKHQGHILQHGDQGWLPHRXWH[SLUHV

    View Slide

  25. User Authentication
    thomasvitale.com @vitalethomas

    View Slide

  26. ,QYHQWRU\6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJWKHERRNVKRS
    LQYHQWRU\
    2UGHU6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJERRNRUGHUV
    3RODU%RRNVKRS
    >6RIWZDUH6\[email protected]
    8VHV
    >5([email protected]
    8VHV
    >5([email protected]
    (GJH6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHV$3,JDWHZD\DQG
    FURVVFXWWLQJFRQFHUQV
    8VHU
    >[email protected]
    $QHPSOR\HHRIWKH
    ERRNVKRS
    8VHV
    %RRN6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJWKHOLEUDU\ERRNV
    8VHV
    >5([email protected]
    $XWK6HUYLFH
    'HOHJDWHVDXWKHQWLFDWLRQWR
    Strategy ?
    Protocol?
    Data Format?

    View Slide

  27. Login
    thomasvitale.com @vitalethomas
    /LEUDU\
    >6RIWZDUH6\[email protected]
    (GJH6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHV$3,JDWHZD\DQG
    FURVVFXWWLQJFRQFHUQV
    8VHU
    >[email protected]

    $PHPEHURIWKHOLEUDU\
    8VHV
    2$XWK&OLHQW
    2$XWK8VHU
    .H\FORDN
    >&RQWDLQHU:LOG)O\@
    3URYLGHVLGHQWLW\DQGDFFHVV
    PDQDJHPHQW
    2$XWK$XWKRUL]DWLRQ6HUYHU
    8VHV 'HOHJDWHVDXWKHQWLFDWLRQDQG
    WRNHQPDQDJHPHQWWR
    OAuth2 + OIDC

    View Slide

  28. OpenID Connect
    A protocol built on top of OAuth2 that enables

    an application (Client) to verify the identity of

    a user based on the authentication performed

    by a trusted party (Authorization Server).
    thomasvitale.com @vitalethomas

    View Slide

  29. .H\FORDN
    >&RQWDLQHU:LOGIO\@
    3URYLGHVLGHQWLW\DQG
    DFFHVVPDQDJHPHQW
    ,QYHQWRU\6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJWKHERRNVKRS
    LQYHQWRU\
    2UGHU6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJERRNRUGHUV
    3RODU%RRNVKRS
    >6RIWZDUH6\[email protected]
    8VHV
    >5([email protected]
    8VHV
    >5([email protected]
    (GJH6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHV$3,JDWHZD\DQG
    FURVVFXWWLQJFRQFHUQV
    8VHU
    >[email protected]
    $QHPSOR\HHRIWKH
    ERRNVKRS
    8VHV
    %RRN6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJWKHOLEUDU\ERRNV
    8VHV
    >5([email protected]
    'HOHJDWHVDXWKHQWLFDWLRQWR
    2$XWK&OLHQW
    2$XWK$XWKRUL]DWLRQ6HUYHU
    8VHV
    {

    "iss": “keycloak",

    "sub": "isabelle",

    "exp": 1626439022

    }
    ID Token
    ID Token

    View Slide

  30. .H\FORDN
    >&RQWDLQHU:LOGIO\@
    3URYLGHVLGHQWLW\DQG
    DFFHVVPDQDJHPHQW
    ,QYHQWRU\6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJWKHERRNVKRS
    LQYHQWRU\
    2UGHU6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJERRNRUGHUV
    3RODU%RRNVKRS
    >6RIWZDUH6\[email protected]
    8VHV
    >5([email protected]
    8VHV
    >5([email protected]
    (GJH6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHV$3,JDWHZD\DQG
    FURVVFXWWLQJFRQFHUQV
    8VHU
    >[email protected]
    $QHPSOR\HHRIWKH
    ERRNVKRS
    8VHV
    %RRN6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJWKHOLEUDU\ERRNV
    8VHV
    >5([email protected]
    'HOHJDWHVDXWKHQWLFDWLRQWR
    2$XWK&OLHQW
    2$XWK$XWKRUL]DWLRQ6HUYHU
    8VHV
    Security context
    propagation ?
    Authorized access?

    View Slide

  31. OAuth2
    An authorization framework that enables an
    application (Client) to obtain limited access to a
    protected resource provided by another
    application (called Resource Server)

    on behalf of a user.
    thomasvitale.com @vitalethomas

    View Slide

  32. .H\FORDN
    >&RQWDLQHU:LOGIO\@
    3URYLGHVLGHQWLW\DQG
    DFFHVVPDQDJHPHQW
    ,QYHQWRU\6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJWKHERRNVKRS
    LQYHQWRU\
    2UGHU6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJERRNRUGHUV
    3RODU%RRNVKRS
    >6RIWZDUH6\[email protected]
    8VHV
    >5([email protected]
    8VHV
    >5([email protected]
    (GJH6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHV$3,JDWHZD\DQG
    FURVVFXWWLQJFRQFHUQV
    8VHU
    >[email protected]
    $QHPSOR\HHRIWKH
    ERRNVKRS
    8VHV
    %RRN6HUYLFH
    >&RQWDLQHU6SULQJ%[email protected]
    3URYLGHVIXQFWLRQDOLW\IRU
    PDQDJLQJWKHOLEUDU\ERRNV
    8VHV
    >5([email protected]
    'HOHJDWHVDXWKHQWLFDWLRQWR
    2$XWK&OLHQW
    2$XWK$XWKRUL]DWLRQ6HUYHU
    8VHV
    2$XWK5HVRXUFH6HUYHU
    2$XWK5HVRXUFH6HUYHU
    2$XWK5HVRXUFH6HUYHU
    {

    "iss": “keycloak",

    "sub": "isabelle",

    "exp": 1626439022

    }
    Access Token
    Access Token

    View Slide

  33. Token Relay
    thomasvitale.com @vitalethomas
    %URZVHU (GJH6HUYLFH %RRN
    6HUYLFH
    $FFHVV7RNHQ
    6HVVLRQ&RRNLH
    5HVRXUFH
    6HUYHU
    $FFHVV7RNHQ
    5HVRXUFH
    6HUYHU
    $FFHVV7RNHQ
    .HHSVPDSSLQJ
    6HVVLRQ!$FFHVV7RNHQ
    OAuth2

    View Slide

  34. Resources
    Source code
    • Sample project:

    • https://github.com/ThomasVitale/devoxx-uk-2022-spring-cloud-
    gateway

    • Spring Cloud Gateway:

    • https://spring.io/projects/spring-cloud-gateway

    • Spring Security, OAuth2, OpenID Connect:

    • https://www.youtube.com/watch?v=g7Dwv1BKnkg

    View Slide

  35. Thomas Vitale
    Devoxx UK
    May 12th, 2021
    Spring Cloud Gateway
    Resilience, Security, and Observability
    @vitalethomas

    View Slide