Gateway Runtimes
Gateway Infrastructure provides all the tools needed to create and manage Gateway Runtime environments where API Proxies will run in the Apinizer platform, manage Kubernetes resources, configure Gateway Engine, configure SSL/TLS certificates, and manage API traffic log connectors.
Module Components
The Gateway Infrastructure module is managed through the following pages:
Creating Gateway Runtime environments, Gateway Engine configuration, environment publishing, and metric monitoring.
Creating and configuring distributed Cache Servers. Cache Servers can run in independent namespaces from Gateway pods.
General settings of Apinizer Platform Gateway Runtime environments, deployment and pod management, monitor and settings.
Connector configuration to send API traffic in Gateway Runtime environments to other environments.
Securely starting Apinizer modules (Manager, Gateway, Portal) with SSL/TLS certificates and providing HTTPS connections.
What is Gateway Runtime?
Gateway Runtime (Environment) is a runtime execution context for API Proxies in an organization. For one or more API Proxies to be accessible, they must be deployed to a Gateway Runtime environment. An API Proxy can be deployed to a single Gateway Runtime environment or to multiple environments.
This appears when the Kubernetes Namespace and Resources are managed with Apinizer option is marked as Active from the System General Settings screen.
A Gateway Runtime environment provides an isolated area as a system resource to run Gateways. It allows creating multiple Gateway Runtime environments in the Apinizer platform.
Gateway Runtime management is performed in two ways:
- Managed by Apinizer: All Kubernetes definitions required for Gateway Runtimes are created and managed through the API Manager screen
- Remote Gateway: Only standard data of existing Kubernetes definitions are recorded in the API Manager screen
Gateway Runtimes and Cache Servers are now created and managed separately. For Cache Server creation and management, see the Distributed Cache page.
:::
Gateway Runtime Roles
A Gateway Runtime environment can be created in different roles as Production, Development/Test.
The point to note here is that for a client to access an API Proxy, it must be deployed to at least one Gateway Runtime environment.
Used to test API Proxies or Applications active in the test environment. Testing can also be done to measure the adequacy of resources in hardware.
If product development is done far from the test environment, it can cause problems in progress.
API Proxies or Applications active in the production environment are used for end users. This environment is designed to carry the load of clients.
Gateway Runtime Architecture
Gateway Runtime is designed to be used in environments where many APIs are spread across multiple teams or projects. The Gateway Runtime concept in Apinizer corresponds exactly to the namespace in Kubernetes.
The Gateway Runtime environment you create and deploy in Apinizer is created as a namespace in Kubernetes. A Gateway Runtime environment contains namespace, deployment, pod, replica set, service, and access URL components.
All Gateway Runtime environments created with the Apinizer Platform are also located within the Kubernetes cluster.
Kubernetes Namespace Concept:
Kubernetes clusters can manage large amounts of unrelated workloads simultaneously. Kubernetes uses a concept called namespace to eliminate the complexity of objects within the cluster.
Namespaces enable grouping objects together and filtering and controlling these groups as a unit. Whether used to apply customized access control policies or to separate all units for a test environment, namespaces are a powerful and flexible structure for managing objects as a group.
Namespaces provide a scope for object names within the cluster. While names within a namespace must be unique, the same name can be used in different namespaces.
For detailed information, see Kubernetes Documentation.
Gateway Runtime Components
Namespace
The Gateway Runtime concept in the Apinizer Platform corresponds to the Namespace concept in the Kubernetes environment.
Log Connectors
Log connector definitions where all API Traffic and requests in the created Gateway Runtime environment will be logged.
Deployment
Gateway Runtime deployment is defined:
- Gateway Runtime (Worker Server): Core module of the Apinizer Platform, responsible for routing all API requests to BackendAPI and works as Policy Enforcement Point. Gateway Runtimes are now managed independently from Cache Servers and can run in different namespaces.
Service
Gateway Runtime Service is created to access the Apinizer Worker pod in Gateway Runtime Deployment. Service is the layer that handles requests coming to all pods. It is located in front of pods in terms of position.
Service information is defined when each Gateway Runtime environment is created. However, it is important that all Apinizer Workers in the cluster are managed with a service. Also, service ports in the Apinizer Platform must be unique. NodePort is used by default and service types other than this are not supported by Apinizer.
Access URL
Access URL is the external access address of the Proxy. It is specified as https://<your-IP-address>. Messages can be sent to Proxies using external access address information.
Gateway Runtime Access Address
An API Proxy can be accessed through the access address of the Gateway Runtime environment it is deployed to.
Access Address Structure
Let the access address of an API Proxy be:
http://demo.apinizer.com/apigateway/myproxy
| Component | Description |
|---|---|
http://demo.apinizer.com/ | Gateway Runtime Environment Access Address |
apigateway/ | Root Context |
myproxy | API Proxy Relative Path |
Access Address Configuration
The access address to be defined for the Gateway Runtime environment is generally the DNS address defined in a load balancer such as WAF or Nginx. Gateway Runtime environments defined in Apinizer correspond to a namespace in Kubernetes. A Kubernetes service of NodePort type is automatically created by Apinizer for access to Apinizer Workers running in the namespace. A service is created with the value entered in Engine Service Port when creating the Gateway Runtime environment.
Example Service Configuration
Example service information to access Apinizer Worker:
If the Engine Service Port value is 30080 (default value and should be different for each Gateway Runtime environment), it should be specified in the DNS definition in your WAF or Nginx server as follows:
http://kubernetes-worker-node-IP:30080/
Gateway Runtime Creation
Images containing general definition information when creating a Gateway Runtime environment are shown below:
Fields containing general definition information when creating a Gateway Runtime environment:
| Field | Description |
|---|---|
| Managed Type (Managed Type) | Determines how the Gateway Runtime will be managed. Managed by Apinizer: Apinizer automatically creates namespace, deployment, service, and all required Kubernetes resources. Remote Gateway: Ensure that your Gateway pod is running and accessible. Apinizer only records connection details and does not manage the deployment. |
| Type (Type) | A value appropriate to the license and the environment used must be selected. Test or Production can be selected. |
| Communication Protocol Type (Communication Protocol Type) | One of HTTP, gRPC, HTTP+Websocket communication protocols can be selected. |
| Name (Name) | The name of the Gateway Runtime environment. Corresponds to the namespace in Kubernetes. |
| Key (Key) | A shortened key specific to the environment used for the created Gateway Runtime environment. |
| Access URL Address (Access URL) | The external access address of API Proxies running within the Gateway Runtime environment. |
| Description (Description) | Can be used for management convenience and important notes. |
| Environment Publishing Access / Projects (Environment Publishing Access / Projects) | Projects where the Gateway Runtime environment can be used can be selected from here, or the selection can be left empty for use in all projects. If one or more projects are selected, they must also be added for use in newly created projects. Default value is unselected. |
| Node List (Node List) | Select which kubernetes servers the created Gateway Runtime environment will run on. |
Namespace Independence:
Gateway pods and Cache Server pods can now run in different Kubernetes namespaces. Gateway pods can access Cache Servers in other namespaces using Kubernetes service discovery (e.g., http://cache-http-service.apinizer-cache.svc.cluster.local:8090). This provides more flexible infrastructure management and allows you to separate Gateway and Cache workloads.
Communication Protocol Type Selection:
The type selected here determines which environment API Proxies can be deployed to:
- REST and SOAP API Proxies → to environments of type HTTP
- gRPC API Proxies → to environments of type gRPC
- Websocket API Proxies → to environments of type HTTP+Websocket
Project Selection: If a project is selected, it means that only API Proxies within that project can be deployed to this environment.
Management API Access Endpoints
You can configure multiple Management API Access Endpoints for Gateway and Cache communication. Each endpoint configuration includes:
| Field | Description |
|---|---|
| Name | A descriptive name for the API endpoint configuration (e.g., "Production Cluster", "DR Site") |
| Gateway Management API Access URL | The health check address of your gateway server. This is where Apinizer Management Console connects to Gateway pods for configuration updates. Example: http://worker-management-api-http-service.prod.svc.cluster.local:8091 |
| Cache Management API Access URL | The health check address of your Cache Server. Gateway pods use this URL to connect to Cache Servers. Example: http://cache-http-service.apinizer-cache.svc.cluster.local:8090 |
Multiple Endpoints:
You can configure multiple Management API endpoints for different scenarios:
- Multi-region deployments: Configure separate endpoints for each region
- High availability: Set up redundant endpoints for failover
- Cluster separation: Use different endpoints for different Kubernetes clusters
When multiple endpoints are configured, you can select which endpoint to use via the environmentClusterName variable in Additional Variables.
Endpoint Configuration:
- Each endpoint must have both Gateway and Cache Management API URLs configured
- URLs should use Kubernetes service discovery format for cross-namespace communication
- Ensure network connectivity between Management Console, Gateway pods, and Cache Server pods
API Proxy Traffic Log Connectors
Log connectors where all API Proxy Traffic and extensions in the Gateway Runtime environment will be logged are defined here.
An image containing API Proxy Traffic Log Connector definitions is shown below:
For more information about adding connectors to the Gateway Runtime environment, see this page.
Gateway Engine Configuration
Gateway engine corresponds to Gateway pods in the Kubernetes environment.
- Gateway engine (
apinizer-worker): The core module of the Apinizer Platform, responsible for routing all API requests to BackendAPI and works as Policy Enforcement Point
Images containing Gateway engine definitions are shown below:
Basic Settings
| Field | Description |
|---|---|
| Count (Count) | The number of Gateway engines corresponds to the "replicas" value in Kubernetes deployment. Specifies the number of Pods that will be created in the Kubernetes Cluster to be created. |
| CPU | The maximum number of CPU cores the pod will use. |
| Memory (Memory) | The maximum memory value the pod will use. |
| Memory Unit (Memory Unit) | The unit of the value required for memory is selected; MB, GB. |
Recommended Values (by Benchmark Tier):
| Tier | CPU | Memory Size | Usage Purpose |
|---|---|---|---|
| W1 | 1 | 2 GB | Test / PoC |
| W2 | 2 | 2 GB | Small production |
| W4 | 4 | 4 GB | Standard production |
| W8 | 8 | 8 GB | High-volume production |
JVM memory and GC settings are automatically configured by the entrypoint based on container resource limits. Heap is allocated at 60% for W1/W2 and 65% for W4/W8. No manual -Xmx/-Xms parameters are needed. For detailed benchmark data and capacity guidance, see the Capacity Planning page.
Service Access Information
- HTTP Enabled (HTTP Enabled): Comes selected by default
- HTTPS Enabled (HTTPS Enabled): This option is also selected if HTTPS is desired, in this case the necessary files for encryption must be uploaded
- mTLS: Can only be selected when HTTPS setting is open since it runs on HTTPS protocol
Keystore and Truststore: When HTTPS protocol is selected, keystore and truststore files can be uploaded in JKS or PFX format.
Service Ports: A service port in the range 30080-32767 is entered. The service will be created as NodePort in Kubernetes.
Gateway Management API Service:
- Create HTTP service for API Gateway Management API access (
httpServiceForManagementAPIEnabled): When enabled, creates a separate HTTP service for Gateway Management API access. This service is used by Apinizer Management Console to communicate with Gateway pods for configuration updates. - Create HTTPS service for API Gateway Management API access (
httpsServiceForManagementAPIEnabled): When enabled, creates a separate HTTPS service for Gateway Management API access. Requires keystore and truststore files to be uploaded. Use this option when secure communication between Management Console and Gateway pods is required.
Management API Services:
These services are separate from the main HTTP/HTTPS services used for API Proxy traffic. They are specifically used for:
- Configuration updates from Management Console to Gateway pods
- Health checks and monitoring
- Management operations
When these services are enabled, you should configure the corresponding URLs in the Management API Access Endpoints section.
gRPC Protocol Specific Settings
If Gateway Management API will communicate with gateway pods over HTTPS:
- The Create HTTPS service for API Gateway Management API access option is selected
- Keystore and truststore files can be uploaded in JKS or PFX format
- Gateway Server Access URL is entered
Example: https://worker-http-service.prod.svc.cluster.local:8443
gRPC Tuning Parameters:
| Variable | Description | Default |
|---|---|---|
tuneGrpcKeepAliveTime | gRPC keep-alive time (seconds) | 120 |
tuneGrpcKeepAliveTimeout | gRPC keep-alive timeout (seconds) | 20 |
tuneGrpcMaxMessageSize | gRPC maximum message size (bytes) | 4194304 (4MB) |
tuneGrpcMaxHeaderListSize | gRPC maximum header list size (bytes) | 8192 |
tuneGrpcMaxConnectionAge | gRPC maximum connection age (seconds) | 3600 |
tuneGrpcMaxConnectionAgeGrace | gRPC maximum connection age grace period (seconds) | 30 |
tuneGrpcMaxConnectionIdle | gRPC maximum connection idle time (seconds) | 300 |
tuneGrpcMaxInboundMessageSize | gRPC maximum inbound message size (bytes) | 4194304 (4MB) |
tuneGrpcMaxInboundMetadataSize | gRPC maximum inbound metadata size (bytes) | 8192 |
tuneGrpcHandshakeTimeout | gRPC handshake timeout (seconds) | 20 |
tuneGrpcPermitKeepAliveTime | gRPC permit keep-alive time (seconds) | 120 |
tuneGrpcThreadPoolSize | gRPC thread pool size | CPU count * 2 |
WebSocket Settings
WebSocket Tuning Parameters:
| Variable | Description | Default |
|---|---|---|
tuneWebsocketIdleTimeout | WebSocket idle timeout (seconds) | 60 |
tuneWebsocketBufferSize | WebSocket buffer size (bytes) | 65536 |
tuneWebsocketTcpNoDelay | WebSocket TCP no delay (true/false) | true |