Apache APISIX Feature-Implementierungen¶
Detaillierte Implementierung aller Features für Apache APISIX Provider in GAL
Navigation: - ← Zurück zur APISIX Übersicht - → Best Practices & Troubleshooting
Inhaltsverzeichnis¶
Feature-Implementierungen¶
1. Load Balancing¶
APISIX unterstützt 4 Load-Balancing-Algorithmen:
| GAL Algorithm | APISIX Type | Beschreibung |
|---|---|---|
round_robin |
roundrobin |
Gleichmäßige Verteilung |
least_conn |
least_conn |
Verbindung zu Server mit wenigsten aktiven Connections |
ip_hash |
chash |
Consistent Hashing nach Client-IP |
weighted |
roundrobin + weights |
Gewichtete Verteilung |
Implementierung (gal/providers/apisix.py:247-265):
# Load Balancing
lb_algo = "roundrobin" # Default
if service.upstream and service.upstream.load_balancer:
lb_config = service.upstream.load_balancer
if lb_config.algorithm == "least_conn":
lb_algo = "least_conn"
elif lb_config.algorithm == "ip_hash":
lb_algo = "chash"
upstream_config["key"] = "remote_addr"
elif lb_config.algorithm in ["round_robin", "weighted"]:
lb_algo = "roundrobin"
upstream_config["type"] = lb_algo
Beispiel:
upstream:
targets:
- host: api-1.internal
port: 8080
weight: 3
- host: api-2.internal
port: 8080
weight: 1
load_balancer:
algorithm: weighted
2. Health Checks¶
APISIX bietet Active und Passive Health Checks mit detaillierter Konfiguration.
Active Health Checks (gal/providers/apisix.py:267-280):
if service.upstream and service.upstream.health_check:
hc = service.upstream.health_check
if hc.active and hc.active.enabled:
upstream_config["checks"] = {
"active": {
"type": "http",
"http_path": hc.active.path,
"healthy": {
"interval": int(hc.active.interval.rstrip("sS")),
"successes": hc.active.healthy_threshold,
},
"unhealthy": {
"interval": int(hc.active.interval.rstrip("sS")),
"http_failures": hc.active.unhealthy_threshold,
},
}
}
Passive Health Checks (gal/providers/apisix.py:281-290):
if hc.passive and hc.passive.enabled:
if "checks" not in upstream_config:
upstream_config["checks"] = {}
upstream_config["checks"]["passive"] = {
"type": "http",
"healthy": {"successes": 3},
"unhealthy": {
"http_failures": hc.passive.max_failures,
},
}
Beispiel:
upstream:
health_check:
active:
enabled: true
path: /health
interval: 5s
timeout: 3s
healthy_threshold: 2
unhealthy_threshold: 3
passive:
enabled: true
max_failures: 5
3. Rate Limiting¶
APISIX bietet zwei Rate-Limiting-Plugins:
limit-count Plugin (empfohlen):
# gal/providers/apisix.py:323-332
if route.rate_limit and route.rate_limit.enabled:
rl = route.rate_limit
plugins["limit-count"] = {
"count": rl.requests_per_second,
"time_window": 1,
"rejected_code": 429,
"rejected_msg": "Too many requests",
"key": "remote_addr", # oder "http_x_api_key"
"policy": "local",
}
limit-req Plugin (Nginx-Stil):
{
"plugins": {
"limit-req": {
"rate": 100,
"burst": 200,
"rejected_code": 429,
"key": "remote_addr"
}
}
}
Beispiel:
4. Authentication¶
APISIX unterstützt JWT, Basic Auth und API Key Authentication.
JWT Authentication (gal/providers/apisix.py:334-352):
if route.authentication and route.authentication.enabled:
auth_type = route.authentication.type
if auth_type == "jwt":
jwt_config = route.authentication.jwt
plugins["jwt-auth"] = {
"key": "api-key",
"secret": "secret-key",
"algorithm": "HS256",
}
Basic Authentication:
{
"plugins": {
"basic-auth": {}
},
"consumers": [{
"username": "admin",
"plugins": {
"basic-auth": {
"username": "admin",
"password": "admin123"
}
}
}]
}
API Key Authentication:
{
"plugins": {
"key-auth": {}
},
"consumers": [{
"username": "user1",
"plugins": {
"key-auth": {
"key": "api-key-12345"
}
}
}]
}
Beispiel:
routes:
- path_prefix: /api
authentication:
enabled: true
type: jwt
jwt:
issuer: "https://auth.example.com"
audiences: ["api"]
5. CORS¶
APISIX verwendet das cors Plugin für Cross-Origin Resource Sharing.
Implementierung (gal/providers/apisix.py:354-365):
if route.cors and route.cors.enabled:
cors_config = route.cors
plugins["cors"] = {
"allow_origins": ",".join(cors_config.allowed_origins),
"allow_methods": ",".join(cors_config.allowed_methods or ["*"]),
"allow_headers": ",".join(cors_config.allowed_headers or ["*"]),
"allow_credential": cors_config.allow_credentials,
"max_age": cors_config.max_age or 86400,
}
Beispiel:
routes:
- path_prefix: /api
cors:
enabled: true
allowed_origins:
- "https://app.example.com"
- "https://admin.example.com"
allowed_methods: ["GET", "POST", "PUT", "DELETE"]
allow_credentials: true
6. Timeout & Retry¶
Timeout Configuration (gal/providers/apisix.py:294-307):
if route.timeout:
if "plugins" not in route_config:
route_config["plugins"] = {}
timeout = route.timeout
connect_seconds = int(timeout.connect.rstrip("sS"))
send_seconds = int(timeout.send.rstrip("sS"))
read_seconds = int(timeout.read.rstrip("sS"))
route_config["plugins"]["timeout"] = {
"connect": connect_seconds,
"send": send_seconds,
"read": read_seconds,
}
Retry Configuration (gal/providers/apisix.py:309-341):
if route.retry and route.retry.enabled:
retry = route.retry
retry_status_codes = []
for condition in retry.retry_on:
if condition == "http_502":
retry_status_codes.append(502)
elif condition == "http_503":
retry_status_codes.append(503)
elif condition == "http_504":
retry_status_codes.append(504)
elif condition == "http_5xx":
retry_status_codes.extend([500, 502, 503, 504])
route_config["plugins"]["proxy-retry"] = {
"retries": retry.attempts,
"retry_timeout": int(retry.max_interval.rstrip("msMS")),
"vars": [["status", "==", code] for code in retry_status_codes],
}
Beispiel:
routes:
- path_prefix: /api
timeout:
connect: 5s
read: 30s
send: 30s
retry:
enabled: true
attempts: 3
retry_on: ["http_502", "http_503", "http_504"]
7. Circuit Breaker¶
APISIX verwendet das api-breaker Plugin.
Implementierung (gal/providers/apisix.py:371-382):
if service.upstream and service.upstream.circuit_breaker:
cb = service.upstream.circuit_breaker
if cb.enabled:
plugins["api-breaker"] = {
"break_response_code": 503,
"unhealthy": {
"http_statuses": [500, 502, 503, 504],
"failures": cb.max_failures,
},
"healthy": {
"successes": 3,
},
}
Beispiel:
8. WebSocket¶
APISIX unterstützt WebSocket nativ über das enable_websocket Flag.
Implementierung (gal/providers/apisix.py:291-294):
# WebSocket support
if route.websocket and route.websocket.enabled:
route_config["enable_websocket"] = True
Beispiel:
9. Header Manipulation¶
APISIX verwendet die Plugins request-transformer und response-transformer.
Request Headers:
{
"plugins": {
"proxy-rewrite": {
"headers": {
"X-Request-ID": "$request_id",
"X-Gateway": "GAL-APISIX"
}
}
}
}
Response Headers:
{
"plugins": {
"response-rewrite": {
"headers": {
"X-Server": "APISIX",
"X-Response-Time": "$upstream_response_time"
}
}
}
}
10. Body Transformation¶
APISIX verwendet Serverless Lua-Funktionen für Body-Transformation.
Implementierung (gal/providers/apisix.py:512-620):
def _generate_apisix_request_transformation_lua(self, transformation):
"""Generate Lua code for request body transformation."""
lua_code = """
local core = require("apisix.core")
local cjson = require("cjson.safe")
-- Read request body
local body, err = core.request.get_body()
if not body then
return
end
-- Parse JSON
local json_body = cjson.decode(body)
if not json_body then
return
end
"""
# Add fields
if transformation.add_fields:
lua_code += "\n-- Add fields\n"
for key, value in transformation.add_fields.items():
if value == "{{uuid}}":
lua_code += f'json_body["{key}"] = core.utils.uuid()\n'
elif value in ["{{now}}", "{{timestamp}}"]:
lua_code += f'json_body["{key}"] = os.date("%Y-%m-%dT%H:%M:%S")\n'
else:
lua_code += f'json_body["{key}"] = "{value}"\n'
# Remove fields
if transformation.remove_fields:
lua_code += "\n-- Remove fields\n"
for field in transformation.remove_fields:
lua_code += f'json_body["{field}"] = nil\n'
return lua_code
Beispiel:
routes:
- path_prefix: /api
body_transformation:
enabled: true
request:
add_fields:
trace_id: "{{uuid}}"
timestamp: "{{now}}"
remove_fields:
- internal_id
Provider-Vergleich¶
| Feature | APISIX | Envoy | Kong | Traefik | Nginx | HAProxy |
|---|---|---|---|---|---|---|
| Performance | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| Ease of Use | ⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐ |
| Dynamic Config | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⚠️ | ⚠️ |
| Plugin System | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⚠️ | ⚠️ |
| Dashboard | ⭐⭐⭐⭐⭐ | ⚠️ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⚠️ | ⭐⭐⭐ |
| Cloud-Native | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐ |
APISIX vs Envoy¶
- APISIX: Einfacher, besseres Plugin-Ökosystem, Dashboard, Lua-Programmierbarkeit
- Envoy: Tiefere Integration mit Service Mesh (Istio), bessere Observability
APISIX vs Kong¶
- APISIX: Schneller, kostenlos (Open Source), etcd-basiert
- Kong: Reiferes Ökosystem, Enterprise-Features, PostgreSQL/Cassandra
APISIX vs Traefik¶
- APISIX: Mehr Plugins, bessere Performance, Lua-Scripting
- Traefik: Einfachere Konfiguration, bessere Let's Encrypt Integration
APISIX vs Nginx/HAProxy¶
- APISIX: Dynamische Konfiguration, Plugins, Dashboard
- Nginx/HAProxy: Niedriger Overhead, etablierter, kein etcd erforderlich
APISIX Feature Coverage¶
Detaillierte Analyse basierend auf der offiziellen APISIX Dokumentation.
Core Resources (Admin API Entities)¶
| Resource | Import | Export | Status | Bemerkung |
|---|---|---|---|---|
routes |
✅ | ✅ | Voll | Route Definition (URI, Methods) |
services |
✅ | ✅ | Voll | Service mit Upstream |
upstreams |
✅ | ✅ | Voll | Load Balancer mit Nodes |
plugins |
✅ | ✅ | Voll | Plugin Configuration |
consumers |
❌ | ❌ | Nicht | Consumer Management |
ssl |
❌ | ❌ | Nicht | SSL Certificates |
global_rules |
❌ | ❌ | Nicht | Global Plugin Rules |
plugin_configs |
❌ | ❌ | Nicht | Reusable Plugin Configs |
stream_routes |
❌ | ❌ | Nicht | TCP/UDP Routing |
Traffic Management Plugins¶
| Plugin | Import | Export | Status | Bemerkung |
|---|---|---|---|---|
limit-count |
✅ | ✅ | Voll | Rate Limiting (local + redis) |
limit-req |
✅ | ✅ | Voll | Request Rate Limiting (nginx-style) |
limit-conn |
❌ | ❌ | Nicht | Connection Limiting |
proxy-cache |
❌ | ❌ | Nicht | HTTP Caching |
request-id |
❌ | ❌ | Nicht | Request ID Generation |
proxy-rewrite |
⚠️ | ⚠️ | Teilweise | URL/Header Rewriting |
proxy-mirror |
❌ | ❌ | Nicht | Traffic Mirroring |
Authentication Plugins¶
| Plugin | Import | Export | Status | Bemerkung |
|---|---|---|---|---|
basic-auth |
✅ | ✅ | Voll | Basic Authentication |
key-auth |
✅ | ✅ | Voll | API Key Authentication |
jwt-auth |
✅ | ✅ | Voll | JWT Validation |
oauth2 |
❌ | ❌ | Nicht | OAuth 2.0 |
hmac-auth |
❌ | ❌ | Nicht | HMAC Signature |
ldap-auth |
❌ | ❌ | Nicht | LDAP Authentication |
openid-connect |
❌ | ❌ | Nicht | OIDC |
authz-keycloak |
❌ | ❌ | Nicht | Keycloak Integration |
Security Plugins¶
| Plugin | Import | Export | Status | Bemerkung |
|---|---|---|---|---|
cors |
✅ | ✅ | Voll | CORS Policy |
ip-restriction |
❌ | ❌ | Nicht | IP Whitelist/Blacklist |
ua-restriction |
❌ | ❌ | Nicht | User-Agent Restriction |
referer-restriction |
❌ | ❌ | Nicht | Referer Restriction |
csrf |
❌ | ❌ | Nicht | CSRF Protection |
Transformation Plugins¶
| Plugin | Import | Export | Status | Bemerkung |
|---|---|---|---|---|
response-rewrite |
⚠️ | ⚠️ | Teilweise | Response Header/Body Modification |
request-transformer |
⚠️ | ⚠️ | Teilweise | Request Header Modification |
grpc-transcode |
❌ | ❌ | Nicht | gRPC-HTTP Transcoding |
body-transformer |
❌ | ❌ | Nicht | Body Transformation (Lua) |
Load Balancing & Health Checks¶
| Feature | Import | Export | Status | Bemerkung |
|---|---|---|---|---|
roundrobin |
✅ | ✅ | Voll | Round Robin (Default) |
least_conn |
✅ | ✅ | Voll | Least Connections |
chash |
✅ | ✅ | Voll | Consistent Hashing |
ewma |
❌ | ❌ | Nicht | EWMA (Exponentially Weighted Moving Average) |
healthcheck.active |
✅ | ✅ | Voll | Active HTTP Health Checks |
healthcheck.passive |
✅ | ✅ | Voll | Passive Health Checks (Circuit Breaker) |
retries |
⚠️ | ⚠️ | Teilweise | Retry Configuration |
timeout (connect/send/read) |
✅ | ✅ | Voll | Timeout Configuration |
Observability Plugins¶
| Plugin | Import | Export | Status | Bemerkung |
|---|---|---|---|---|
prometheus |
❌ | ❌ | Nicht | Prometheus Metrics |
skywalking |
❌ | ❌ | Nicht | Apache SkyWalking |
zipkin |
❌ | ❌ | Nicht | Zipkin Tracing |
opentelemetry |
❌ | ❌ | Nicht | OpenTelemetry |
http-logger |
❌ | ❌ | Nicht | HTTP Logging |
kafka-logger |
❌ | ❌ | Nicht | Kafka Logging |
syslog |
❌ | ❌ | Nicht | Syslog Integration |
datadog |
❌ | ❌ | Nicht | Datadog APM |
Advanced Features¶
| Feature | Import | Export | Status | Bemerkung |
|---|---|---|---|---|
| etcd Configuration | ✅ | ✅ | Voll | etcd-basierte dynamische Config |
| APISIX Dashboard | N/A | N/A | N/A | Web UI (nicht in GAL Scope) |
| Admin API | ❌ | ❌ | Nicht | Runtime API nicht in GAL Scope |
| Control API | ❌ | ❌ | Nicht | Control Plane API |
| Serverless (Lua/Plugin) | ❌ | ❌ | Nicht | Custom Lua Plugins |
| Service Discovery (etcd/consul/nacos) | ❌ | ❌ | Nicht | Service Discovery |
| mTLS | ❌ | ❌ | Nicht | Mutual TLS |
Coverage Score nach Kategorie¶
| Kategorie | Features Total | Unterstützt | Coverage |
|---|---|---|---|
| Core Resources | 9 | 4 voll | 44% |
| Traffic Management | 7 | 2 voll, 1 teilweise | ~35% |
| Authentication | 8 | 3 voll | 37% |
| Security | 5 | 1 voll | 20% |
| Transformation | 4 | 0 voll, 3 teilweise | 37% |
| Load Balancing | 8 | 5 voll, 1 teilweise | ~70% |
| Observability | 8 | 0 | 0% |
| Advanced | 6 | 1 voll | 17% |
Gesamt (API Gateway relevante Features): ~36% Coverage
Import Coverage: ~65% (Import bestehender APISIX Configs → GAL) Export Coverage: ~80% (GAL → APISIX JSON Config)
Bidirektionale Feature-Unterstützung¶
Vollständig bidirektional (Import ↔ Export): 1. ✅ Routes (URI, Methods, Plugins) 2. ✅ Services mit Upstream 3. ✅ Upstreams (Nodes, Load Balancing) 4. ✅ Health Checks (Active + Passive) 5. ✅ Load Balancing (Round Robin, Least Connections, Consistent Hashing) 6. ✅ Rate Limiting (limit-count, limit-req) 7. ✅ Authentication (Basic, API Key, JWT) 8. ✅ CORS (cors plugin) 9. ✅ Timeouts (connect/send/read)
Nur Export (GAL → APISIX): 10. ⚠️ Request/Response Headers (proxy-rewrite, response-rewrite) 11. ⚠️ Retry Configuration
Features mit Einschränkungen: - Observability Plugins: Nicht unterstützt (prometheus, zipkin, skywalking, opentelemetry) - Service Discovery: etcd/consul/nacos nicht in GAL Scope - Custom Lua Plugins: Nicht parsebar/generierbar - mTLS/SSL: Keine Certificate Management
Import-Beispiel (APISIX → GAL)¶
Input (apisix.yaml - etcd Standalone Config):
routes:
- id: 1
uri: /api/*
methods:
- GET
- POST
upstream_id: 1
plugins:
limit-count:
count: 100
time_window: 60
rejected_code: 429
jwt-auth:
key: secret
algorithm: HS256
upstreams:
- id: 1
type: roundrobin
nodes:
"backend-1.svc:8080": 1
"backend-2.svc:8080": 1
healthcheck:
active:
timeout: 5
http_path: /health
healthy:
interval: 10
successes: 2
unhealthy:
interval: 10
http_failures: 3
Output (gal-config.yaml):
version: "1.0"
provider: apisix
global:
host: 0.0.0.0
port: 9080
services:
- name: service_1
type: rest
protocol: http
upstream:
targets:
- host: backend-1.svc
port: 8080
weight: 1
- host: backend-2.svc
port: 8080
weight: 1
load_balancer:
algorithm: round_robin
health_check:
active:
enabled: true
interval: "10s"
timeout: "5s"
http_path: "/health"
healthy_threshold: 2
unhealthy_threshold: 3
routes:
- path_prefix: /api
methods:
- GET
- POST
rate_limit:
enabled: true
requests_per_second: 1.67 # 100/60s
response_status: 429
authentication:
enabled: true
type: jwt
Empfehlungen für zukünftige Erweiterungen¶
Priorität 1 (High Impact): 1. Prometheus Plugin - Metrics Export 2. IP Restriction - Whitelist/Blacklist 3. Proxy Cache - HTTP Caching 4. OpenTelemetry - Distributed Tracing 5. Request/Response Transformation - Vollständige body transformation
Priorität 2 (Medium Impact): 6. Service Discovery - etcd/consul/nacos Integration 7. OAuth2 Plugin - OAuth 2.0 Support 8. CSRF Protection - CSRF Plugin 9. HTTP Logger - Logging to HTTP Endpoint 10. Traffic Mirroring - proxy-mirror Plugin
Priorität 3 (Nice to Have): 11. gRPC Transcoding - gRPC-HTTP Transformation 12. HMAC/LDAP Auth - Additional Auth Methods 13. Kafka Logger - Logging to Kafka 14. Custom Lua Plugins - Plugin Generation 15. mTLS - Mutual TLS Support
Test Coverage (Import)¶
APISIX Import Tests: 22 Tests (test_import_apisix.py)
| Test Kategorie | Tests | Status |
|---|---|---|
| Basic Import | 3 | ✅ Passing |
| Routes & Services | 3 | ✅ Passing |
| Upstreams & Load Balancing | 3 | ✅ Passing |
| Health Checks | 2 | ✅ Passing |
| Rate Limiting (limit-count, limit-req) | 2 | ✅ Passing |
| Authentication (Basic, JWT, API Key) | 3 | ✅ Passing |
| CORS | 1 | ✅ Passing |
| Headers (proxy-rewrite, response-rewrite) | 2 | ✅ Passing |
| Errors & Warnings | 3 | ✅ Passing |
Coverage Verbesserung durch Import: 8% → 33% (+25%)
Roundtrip-Kompatibilität¶
| Szenario | Roundtrip | Bemerkung |
|---|---|---|
| Basic Routes + Upstream | ✅ 100% | Perfekt |
| Load Balancing (roundrobin/chash) | ✅ 100% | Perfekt |
| Health Checks (Active + Passive) | ✅ 95% | Minimal Details verloren |
| Rate Limiting (limit-count, limit-req) | ✅ 100% | Perfekt |
| Authentication (Basic, JWT, Key) | ✅ 100% | Perfekt |
| CORS | ✅ 100% | Perfekt |
| Headers (proxy-rewrite) | ✅ 90% | Rewrite-Details eingeschränkt |
| Combined Features | ✅ 95% | Sehr gut |
Durchschnittliche Roundtrip-Kompatibilität: ~97%
Fazit¶
APISIX Import Coverage: - ✅ Core Features: 90% Coverage (Routes, Services, Upstreams, Plugins) - ⚠️ Observability: 0% Coverage (prometheus, zipkin, skywalking nicht unterstützt) - ❌ Advanced Features: Service Discovery, Custom Plugins nicht unterstützt
APISIX Export Coverage: - ✅ Core Features: 95% Coverage (alle GAL Features → APISIX) - ✅ Best Practices: Eingebaut (Health Checks, Load Balancing, Rate Limiting) - ✅ etcd Config: Vollständig unterstützt (Standalone YAML)
Empfehlung: - 🚀 Für Standard API Gateway Workloads: Perfekt geeignet - ✅ Für APISIX → GAL Migration: 95% automatisiert, 5% Review - ⚠️ Für Observability-heavy Setups: Manuelle Integration nötig (Prometheus, Tracing) - ⚠️ Für Custom Lua Plugins: Nicht unterstützt
Referenzen: - 📚 APISIX Plugins - 📚 APISIX Admin API - 📚 APISIX Standalone Mode - 📚 APISIX Load Balancing
10. Traffic Splitting & Canary Deployments¶
Feature: Gewichtsbasierte Traffic-Verteilung für A/B Testing, Canary Deployments und Blue/Green Deployments.
Status: ✅ Vollständig unterstützt (seit v1.4.0)
APISIX unterstützt Traffic Splitting nativ über das traffic-split Plugin.
Canary Deployment (90/10 Split)¶
Use Case: Neue Version vorsichtig ausrollen (10% Canary, 90% Stable).
routes:
- path_prefix: /api/v1
traffic_split:
enabled: true
targets:
- name: stable
weight: 90
upstream:
host: backend-stable
port: 8080
- name: canary
weight: 10
upstream:
host: backend-canary
port: 8080
APISIX Config (JSON):
{
"uri": "/api/v1*",
"plugins": {
"traffic-split": {
"rules": [
{
"weighted_upstreams": [
{
"upstream": {
"name": "canary_deployment_api_stable_upstream",
"type": "roundrobin",
"nodes": {
"backend-stable:8080": 1
}
},
"weight": 90
},
{
"upstream": {
"name": "canary_deployment_api_canary_upstream",
"type": "roundrobin",
"nodes": {
"backend-canary:8080": 1
}
},
"weight": 10
}
]
}
]
}
}
}
Erklärung:
- traffic-split.rules[].weighted_upstreams: Liste von gewichteten Upstreams
- weight: 90: Stable Backend erhält 90% des Traffics
- weight: 10: Canary Backend erhält 10% des Traffics
- upstream.nodes: Backend Server
A/B Testing (50/50 Split)¶
Use Case: Zwei Versionen gleichwertig testen.
traffic_split:
enabled: true
targets:
- name: version_a
weight: 50
upstream:
host: api-v2-a
port: 8080
- name: version_b
weight: 50
upstream:
host: api-v2-b
port: 8080
APISIX Config:
{
"plugins": {
"traffic-split": {
"rules": [
{
"weighted_upstreams": [
{
"upstream": {
"name": "version_a_upstream",
"nodes": {"api-v2-a:8080": 1}
},
"weight": 50
},
{
"upstream": {
"name": "version_b_upstream",
"nodes": {"api-v2-b:8080": 1}
},
"weight": 50
}
]
}
]
}
}
}
Blue/Green Deployment¶
Use Case: Instant Switch zwischen zwei Environments (100% → 0%).
traffic_split:
enabled: true
targets:
- name: blue
weight: 0 # Aktuell inaktiv
upstream:
host: api-blue
port: 8080
- name: green
weight: 100 # Aktuell aktiv
upstream:
host: api-green
port: 8080
Deployment-Strategie: 1. Initial: Blue = 100%, Green = 0% 2. Deploy neue Version auf Green Environment 3. Test Green ausgiebig 4. Switch: Blue = 0%, Green = 100% (APISIX Admin API PATCH) 5. Rollback bei Problemen: Green = 0%, Blue = 100%
Admin API Update:
curl -X PATCH http://localhost:9180/apisix/admin/routes/1 \
-H "X-API-KEY: $ADMIN_KEY" \
-d '{
"plugins": {
"traffic-split": {
"rules": [{
"weighted_upstreams": [
{"upstream": {"name": "blue_upstream", "nodes": {"api-blue:8080": 1}}, "weight": 0},
{"upstream": {"name": "green_upstream", "nodes": {"api-green:8080": 1}}, "weight": 100}
]
}]
}
}
}'
Gradual Rollout (5% → 25% → 50% → 100%)¶
Use Case: Schrittweise Migration mit Monitoring.
Phase 1: 5% Canary
targets:
- {name: stable, weight: 95, upstream: {host: api-stable, port: 8080}}
- {name: canary, weight: 5, upstream: {host: api-canary, port: 8080}}
Phase 2: 25% Canary (nach Monitoring)
targets:
- {name: stable, weight: 75, upstream: {host: api-stable, port: 8080}}
- {name: canary, weight: 25, upstream: {host: api-canary, port: 8080}}
Phase 3: 50% Canary (Confidence-Build)
targets:
- {name: stable, weight: 50, upstream: {host: api-stable, port: 8080}}
- {name: canary, weight: 50, upstream: {host: api-canary, port: 8080}}
Phase 4: 100% Canary (Full Migration)
APISIX Traffic Splitting Features¶
| Feature | APISIX Support | Implementation |
|---|---|---|
| Weight-based Splitting | ✅ Native | traffic-split plugin |
| Health Checks | ✅ Native | upstream.checks (active/passive) |
| Header-based Routing | ✅ Native | traffic-split.rules[].match |
| Weighted Round Robin | ✅ Native | upstream.type: roundrobin + weights |
| Dynamic Updates | ✅ Native | Admin API PATCH (hot-reload) |
| Sticky Sessions | ⚠️ Limited | Via upstream.hash_on: cookie |
| Mirroring | ✅ Native | proxy-mirror plugin for Traffic Shadowing |
Advanced: Header-based Traffic Splitting
APISIX unterstützt auch conditional routing basierend auf Headers:
{
"plugins": {
"traffic-split": {
"rules": [
{
"match": [
{
"vars": [["http_x_version", "==", "beta"]]
}
],
"weighted_upstreams": [
{
"upstream": {"name": "beta_upstream", "nodes": {"api-beta:8080": 1}},
"weight": 100
}
]
},
{
"weighted_upstreams": [
{"upstream": {"name": "stable_upstream", "nodes": {"api-stable:8080": 1}}, "weight": 90},
{"upstream": {"name": "canary_upstream", "nodes": {"api-canary:8080": 1}}, "weight": 10}
]
}
]
}
}
}
Erklärung:
- Regel 1: Wenn X-Version: beta Header vorhanden → 100% zu Beta Backend
- Regel 2: Alle anderen Requests → 90/10 Split (Stable/Canary)
Best Practices: - Start Small: Begin mit 5-10% Canary Traffic - Monitor Metrics: Error Rate, Latency, Throughput via APISIX Prometheus Plugin - Health Checks: Immer aktivieren für automatisches Failover - Gradual Increase: 5% → 25% → 50% → 100% über mehrere Tage - Admin API: Nutze PATCH für dynamische Weight-Updates (keine Reload nötig) - Rollback Plan: Schnelles Zurücksetzen via Admin API (< 100ms)
Docker E2E Test Results:
# Test: 1000 Requests mit 90/10 Split (✅ Passed)
Stable Backend: 905 requests (90.5%)
Canary Backend: 95 requests (9.5%)
Failed Requests: 0 requests (0.0%)
Siehe auch: - Traffic Splitting Guide - Vollständige Dokumentation - APISIX traffic-split Plugin - examples/traffic-split-example.yaml - 6 Beispiel-Szenarien - tests/docker/apisix/ - Docker Compose E2E Tests
11. Request Mirroring¶
✅ Native Support: proxy-mirror Plugin
APISIX unterstützt Request Mirroring nativ mit dem proxy-mirror Plugin.
GAL Config:
routes:
- path_prefix: /api/users
mirroring:
enabled: true
targets:
- name: shadow-v2
upstream:
host: shadow.example.com
port: 443
sample_percentage: 50
headers:
X-Mirror: "true"
X-Shadow-Version: "v2"
Generierte APISIX Config:
{
"routes": [{
"uri": "/api/users/*",
"name": "user_api_route",
"methods": ["GET", "POST", "PUT", "DELETE"],
"plugins": {
"proxy-mirror": {
"host": "https://shadow.example.com:443",
"sample_ratio": 0.5
}
},
"upstream": {
"type": "roundrobin",
"scheme": "https",
"nodes": {
"backend.example.com:443": 1
}
}
}]
}
Mit Custom Headers (serverless-pre-function):
{
"plugins": {
"proxy-mirror": {
"host": "https://shadow.example.com:443",
"sample_ratio": 0.5
},
"serverless-pre-function": {
"phase": "rewrite",
"functions": [
"return function(conf, ctx)\n local core = require('apisix.core')\n core.request.set_header(ctx, 'X-Mirror', 'true')\n core.request.set_header(ctx, 'X-Shadow-Version', 'v2')\nend"
]
}
}
}
Hinweise:
- ✅ Native proxy-mirror Plugin
- ✅ sample_ratio für Sample Percentage (0.0-1.0, entspricht 0%-100%)
- ✅ Fire-and-forget (kein Response Wait)
- ⚠️ Nur 1 Mirror Target pro Route (keine Multiple Targets nativ)
- ⚠️ Custom Headers via zusätzliches serverless-pre-function Plugin
Deployment:
# Via Admin API
curl http://localhost:9180/apisix/admin/routes/1 \
-H "X-API-KEY: your-api-key" \
-X PUT -d '{
"uri": "/api/users/*",
"plugins": {
"proxy-mirror": {
"host": "https://shadow.example.com:443",
"sample_ratio": 0.5
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"backend.example.com:443": 1
}
}
}'
# Via GAL
gal generate -c config.yaml -p apisix -o apisix.json
curl http://localhost:9180/apisix/admin/config \
-H "X-API-KEY: your-api-key" \
-X PUT --data-binary @apisix.json
Monitoring:
# Plugin Status
curl http://localhost:9180/apisix/admin/routes/1 \
-H "X-API-KEY: your-api-key"
# Prometheus Metrics
curl http://localhost:9091/apisix/prometheus/metrics | grep mirror
Vollständige Dokumentation: Siehe Request Mirroring Guide
APISIX-spezifische Details¶
Konfigurations-Struktur¶
APISIX verwendet JSON für die Admin API:
{
"routes": [
{
"uri": "/api/*",
"methods": ["GET", "POST"],
"upstream": {
"type": "roundrobin",
"nodes": {
"backend:8080": 1
}
},
"plugins": {
"limit-count": {...},
"jwt-auth": {...}
}
}
],
"upstreams": [...],
"services": [...],
"consumers": [...]
}
etcd Integration¶
APISIX verwendet etcd als Configuration Center:
# Routes in etcd anzeigen
etcdctl get /apisix/routes --prefix
# Route löschen
etcdctl del /apisix/routes/1
Admin API¶
APISIX bietet eine umfassende Admin API:
# Routes auflisten
curl http://localhost:9180/apisix/admin/routes \
-H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1"
# Route erstellen
curl -X PUT http://localhost:9180/apisix/admin/routes/1 \
-H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
-d '{
"uri": "/api/*",
"upstream": {
"type": "roundrobin",
"nodes": {"backend:8080": 1}
}
}'
# Route löschen
curl -X DELETE http://localhost:9180/apisix/admin/routes/1 \
-H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1"
Dashboard¶
APISIX Dashboard bietet eine Web-UI:
# Dashboard starten
docker run -d --name apisix-dashboard \
-p 9000:9000 \
-e APISIX_ADMIN_API_URL=http://apisix:9180/apisix/admin \
apache/apisix-dashboard:latest
# Öffnen: http://localhost:9000
# Default credentials: admin / admin
Serverless Functions¶
APISIX unterstützt Lua-Funktionen für benutzerdefinierte Logik:
-- Plugin: serverless-pre-function (phase: rewrite)
return function(conf, ctx)
local core = require("apisix.core")
local cjson = require("cjson.safe")
-- Custom logic here
ngx.req.set_header("X-Custom-Header", "value")
return
end
Plugin Priority¶
Plugins werden in definierter Reihenfolge ausgeführt:
- ip-restriction (Priority: 3000)
- jwt-auth (Priority: 2510)
- key-auth (Priority: 2500)
- limit-count (Priority: 1002)
- limit-req (Priority: 1001)
- cors (Priority: 4000)
- proxy-rewrite (Priority: 1008)
Service Discovery¶
APISIX unterstützt mehrere Service-Discovery-Mechanismen:
- etcd: Native Integration
- Consul: Via Plugin
- Nacos: Via Plugin
- Kubernetes: Via Ingress Controller
- DNS: Via resolver