{"id":63,"date":"2026-04-12T17:00:49","date_gmt":"2026-04-12T17:00:49","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-api-gateway-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-middleware\/"},"modified":"2026-04-12T17:00:49","modified_gmt":"2026-04-12T17:00:49","slug":"alibaba-cloud-api-gateway-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-middleware","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-api-gateway-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-middleware\/","title":{"rendered":"Alibaba Cloud API Gateway Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Middleware"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Middleware<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>API Gateway<\/strong> is a managed middleware service that helps you publish, secure, control, and observe APIs that sit between your clients (web, mobile, partners, IoT devices) and your backend services (ECS, ACK\/Kubernetes, Function Compute, microservices, or any HTTP endpoint).<\/p>\n\n\n\n<p>In simple terms: <strong>API Gateway gives you a stable API front door<\/strong>. Clients call the gateway; the gateway applies authentication, throttling, routing, and logging; then it forwards requests to your backend and returns responses to the client.<\/p>\n\n\n\n<p>Technically, API Gateway is a fully managed API reverse-proxy and policy enforcement layer. It supports building API groups, defining routes, publishing to stages, applying access control and traffic limits, binding custom domains\/HTTPS certificates, and integrating with logging\/monitoring. 
It is commonly used as the \u201cedge\u201d API layer in modern Alibaba Cloud architectures.<\/p>\n\n\n\n<p>The problem it solves is common in real systems: <strong>without a gateway<\/strong>, every backend service has to implement authentication, rate limiting, CORS, request validation, logging, and version\/stage management\u2014leading to duplicated code, inconsistent controls, and higher operational risk. API Gateway centralizes these concerns.<\/p>\n\n\n\n<blockquote>\n<p>Service naming note (important): Alibaba Cloud also offers <strong>Cloud Native API Gateway<\/strong> as part of <strong>Microservices Engine (MSE)<\/strong> for Kubernetes\/microservice-native traffic management. This tutorial focuses on <strong>Alibaba Cloud API Gateway<\/strong> (the service explicitly named \u201cAPI Gateway\u201d). If you are choosing between the two, see the comparison section and <strong>verify current product positioning in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is API Gateway?<\/h2>\n\n\n\n<p><strong>Official purpose (scope-aligned):<\/strong> Alibaba Cloud API Gateway is designed to help you <strong>create, publish, manage, and secure APIs<\/strong> and to expose backend services to internal teams, external developers, or partners in a controlled way.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (practical view)<\/h3>\n\n\n\n<p>API Gateway typically provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API publishing and lifecycle management<\/strong> (create, test, publish, update)<\/li>\n<li><strong>Routing and backend integration<\/strong> (HTTP endpoints, Alibaba Cloud services\u2014capabilities depend on region\/edition; verify)<\/li>\n<li><strong>Access control and authentication<\/strong> (e.g., app-based access using keys\/secrets; methods vary by configuration; verify)<\/li>\n<li><strong>Traffic management<\/strong> (rate limiting\/throttling)<\/li>\n<li><strong>Observability<\/strong> (access logs and monitoring integrations)<\/li>\n<li><strong>Custom domains and HTTPS<\/strong> (bind domain + certificate)<\/li>\n<li><strong>Stage-based release workflow<\/strong> (commonly TEST\/RELEASE stages; verify your console terminology)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual model)<\/h3>\n\n\n\n<p>While exact console labels can evolve, API Gateway commonly organizes resources like this:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API Group<\/strong>: A logical container for related APIs (often mapped to a product\/domain).<\/li>\n<li><strong>API<\/strong>: A route + method + request\/response definition + backend mapping.<\/li>\n<li><strong>Stage\/Environment<\/strong>: A published deployment target (for example TEST and RELEASE).<\/li>\n<li><strong>App (consumer application)<\/strong>: Represents a calling client identity for authorization and quota control.<\/li>\n<li><strong>Traffic Control \/ Throttling policy<\/strong>: Limits QPS or request rate based on policies (names vary).<\/li>\n<li><strong>Domain + Certificate<\/strong>: Custom domain binding and TLS termination.<\/li>\n<li><strong>Logging\/Monitoring<\/strong>: Integrations to Alibaba Cloud logging and metrics services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type and scope<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service type:<\/strong> Managed gateway middleware (control plane + data plane operated by Alibaba Cloud).<\/li>\n<li><strong>Scope:<\/strong> <strong>Regional<\/strong> in practice\u2014you create and operate API Gateway resources in a chosen Alibaba Cloud region.<br\/>\n  The control plane is in the console; the runtime endpoints are typically region-specific.<\/li>\n<li><strong>Account scope:<\/strong> Resources belong to an Alibaba Cloud account (and can be delegated via RAM).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>API Gateway commonly sits in front of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compute:<\/strong> ECS, Function Compute, ACK (Kubernetes), Microservices Engine (MSE) backends, or any reachable HTTP service.<\/li>\n<li><strong>Networking:<\/strong> VPC, SLB (Classic Load Balancer \/ Server Load Balancer), PrivateLink (depending on design; verify).<\/li>\n<li><strong>Security\/IAM:<\/strong> RAM for management access; gateway-level auth for API consumers; optionally a WAF placed in front of the custom domain (design-dependent; verify).<\/li>\n<li><strong>Observability:<\/strong> Log Service (SLS) and CloudMonitor are frequently used for access logging and metrics.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use API Gateway?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster partner onboarding:<\/strong> Provide stable, documented endpoints with consistent access controls.<\/li>\n<li><strong>Productize internal services:<\/strong> Wrap internal microservices into a controlled public API product.<\/li>\n<li><strong>Reduce operational burden:<\/strong> Centralize common API concerns instead of duplicating them in every service.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Decouple clients from backends:<\/strong> Backend URLs can change without breaking clients if the gateway contract stays stable.<\/li>\n<li><strong>Standardize auth and throttling:<\/strong> Enforce consistent patterns across many services.<\/li>\n<li><strong>Simplify versioning and staged rollout:<\/strong> Publish to TEST\/RELEASE stages and promote changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Central logging and monitoring:<\/strong> A single layer to inspect traffic patterns and errors.<\/li>\n<li><strong>Controlled exposure:<\/strong> Reduce accidental public exposure of internal services by forcing access through a managed entrypoint.<\/li>\n<li><strong>Better troubleshooting:<\/strong> Gateway logs plus backend logs help pinpoint failures.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Centralized access control:<\/strong> Limit who can call what, and apply IP allow\/deny patterns.<\/li>\n<li><strong>TLS termination:<\/strong> Enforce HTTPS and manage certificates at the edge.<\/li>\n<li><strong>Auditable management actions:<\/strong> Use RAM + ActionTrail (verify current integrations) to trace administrative changes.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed scaling:<\/strong> Avoid self-running Nginx\/Kong clusters just to enforce policies.<\/li>\n<li><strong>Traffic shaping:<\/strong> Throttling prevents sudden spikes from taking down backends.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose API Gateway<\/h3>\n\n\n\n<p>Choose API Gateway when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A managed API front door for HTTP APIs<\/li>\n<li>Centralized policy enforcement (auth\/throttling\/logging)<\/li>\n<li>Controlled publishing workflow (stages)<\/li>\n<li>Custom domain + HTTPS for APIs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should <em>not<\/em> choose it<\/h3>\n\n\n\n<p>Avoid or reconsider when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need deep Kubernetes-native ingress\/gateway features (service mesh, advanced L7 routing) and you already standardize on MSE\/Ingress controllers\u2014consider <strong>MSE Cloud Native API Gateway<\/strong> or <strong>ACK Ingress<\/strong> (verify which fits).<\/li>\n<li>You require protocols beyond what API Gateway supports in your region\/edition (for example WebSocket\/streaming\/gRPC). <strong>Verify protocol support<\/strong> before committing.<\/li>\n<li>You have extremely latency-sensitive workloads where an extra hop is unacceptable and controls are handled elsewhere (rare, but possible).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is API Gateway used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fintech and payments:<\/strong> API exposure with strict throttling and auditing<\/li>\n<li><strong>E-commerce:<\/strong> Mobile\/web API consolidation, partner integrations<\/li>\n<li><strong>SaaS and B2B platforms:<\/strong> Tenant-aware APIs and partner API programs<\/li>\n<li><strong>Gaming:<\/strong> Stable API endpoints for clients and services<\/li>\n<li><strong>IoT and manufacturing:<\/strong> Device-to-cloud API mediation (HTTP-based)<\/li>\n<li><strong>Education and media:<\/strong> Public APIs for apps and integrations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams building internal developer platforms<\/li>\n<li>API product teams managing public APIs<\/li>\n<li>DevOps\/SRE teams centralizing edge controls<\/li>\n<li>Security teams enforcing consistent access policies<\/li>\n<li>Application teams that need an API facade for microservices<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads and architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monolith-to-microservices migrations (gateway as a facade)<\/li>\n<li>Multi-backend systems (one API surface, many services)<\/li>\n<li>\u201cBackend for Frontend\u201d (BFF) patterns<\/li>\n<li>Hybrid deployments (on-prem\/other cloud backends exposed via gateway) \u2014 <strong>verify network connectivity and security controls<\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> Stable custom domains, strict auth, throttling, logging to SLS, dashboards\/alerts.<\/li>\n<li><strong>Dev\/Test:<\/strong> Rapid iterations using TEST stage, mock backends, relaxed policies, short retention logs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Alibaba Cloud API Gateway is commonly a strong fit.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Public API front door for microservices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Many microservices expose inconsistent endpoints and security controls.<\/li>\n<li><strong>Why API Gateway fits:<\/strong> Provides a single edge entrypoint, consistent auth\/throttling, and routing to multiple backends.<\/li>\n<li><strong>Example:<\/strong> <code>\/users\/*<\/code> routes to a user service; <code>\/orders\/*<\/code> routes to an order service; clients see one domain.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Partner API program with controlled access<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You need to expose partner APIs with quotas and keys.<\/li>\n<li><strong>Why it fits:<\/strong> App-based consumer identity and traffic control policies can be applied per API\/app (capability varies; verify).<\/li>\n<li><strong>Example:<\/strong> A logistics partner gets an app credential and a 50 QPS limit.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Safe exposure of an internal VPC backend<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Backend runs in a VPC and must not be directly exposed to the public internet.<\/li>\n<li><strong>Why it fits:<\/strong> API Gateway can act as the only public entrypoint while connecting to private backends (VPC connectivity features must be configured; verify).<\/li>\n<li><strong>Example:<\/strong> An internal ECS inventory service remains private; gateway exposes <code>\/inventory\/query<\/code>.<\/li>\n<li><strong>Caveat:<\/strong> \u201cOnly public entrypoint\u201d is a property of the backend\u2019s network rules, not of the gateway: the ECS security group must admit traffic from the gateway path alone, and the instance must have no public IP or 0.0.0.0\/0 ingress rule, or it stays directly reachable regardless of the gateway.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Controlled migration from monolith to services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Clients depend on existing endpoints, but you\u2019re breaking the backend 
apart.<\/li>\n<li><strong>Why it fits:<\/strong> The gateway maintains stable endpoints while routing behind the scenes.<\/li>\n<li><strong>Example:<\/strong> <code>\/api\/v1\/profile<\/code> still works while the backend shifts from monolith to a new service.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Mobile app API with CORS and consistent headers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Multiple backend teams struggle with CORS and header consistency.<\/li>\n<li><strong>Why it fits:<\/strong> Central policy layer; can standardize headers and enable CORS (feature availability\/config varies; verify).<\/li>\n<li><strong>Example:<\/strong> Frontend uses one domain; gateway adds consistent security headers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) API mocking for frontend development<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Frontend teams need stable responses before backend is ready.<\/li>\n<li><strong>Why it fits:<\/strong> API Gateway can support mock responses in some configurations (verify in your console\/docs).<\/li>\n<li><strong>Example:<\/strong> <code>\/products<\/code> returns a predefined JSON payload for early UI testing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Rate limiting to protect expensive backends<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A backend call triggers costly compute\/DB queries and needs protection from spikes.<\/li>\n<li><strong>Why it fits:<\/strong> Throttling policies stop abusive or accidental traffic.<\/li>\n<li><strong>Example:<\/strong> Limit <code>\/report\/generate<\/code> to 1 RPS per app and 10 RPS global.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Centralized access logging for audit and incident response<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You can\u2019t easily answer \u201cwho called what, when\u201d across multiple 
services.<\/li>\n<li><strong>Why it fits:<\/strong> Gateway access logs provide consistent request metadata; can ship to SLS for search\/alerts (verify integration steps).<\/li>\n<li><strong>Example:<\/strong> Security team queries SLS logs for suspicious IPs and endpoints.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Multi-environment release workflow (TEST \u2192 RELEASE)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> API changes need safe testing before production.<\/li>\n<li><strong>Why it fits:<\/strong> Stages let you publish\/test and then promote to release.<\/li>\n<li><strong>Example:<\/strong> Publish to TEST stage, run automated tests, then publish to RELEASE.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) API facade for legacy systems<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Legacy systems can\u2019t easily support modern API concerns.<\/li>\n<li><strong>Why it fits:<\/strong> Gateway handles TLS\/auth\/throttling while legacy backend remains unchanged.<\/li>\n<li><strong>Example:<\/strong> An old ERP system is wrapped with <code>\/erp\/*<\/code> APIs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Multi-team governance and standardization<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Different teams publish APIs with inconsistent naming\/versioning and no central control.<\/li>\n<li><strong>Why it fits:<\/strong> Standard API group structure, tagging, and centralized policies.<\/li>\n<li><strong>Example:<\/strong> Platform team mandates naming rules and log retention policies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Controlled third-party webhook ingestion<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> You need to receive webhook traffic safely and forward internally.<\/li>\n<li><strong>Why it fits:<\/strong> Gateway can validate expected patterns, enforce throttling, and forward to processing 
backend.<\/li>\n<li><strong>Example:<\/strong> Payment provider webhooks hit <code>\/webhooks\/payments<\/code>, gateway forwards to a processing service.<\/li>\n<li><strong>Caveat:<\/strong> The gateway can restrict source IPs, throttle, and reject malformed requests, but the provider\u2019s signature over the webhook body still has to be verified by the processing service; an unverified webhook endpoint lets anyone who learns the URL inject events.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<p>Feature availability can vary by region\/edition and console updates. When in doubt, <strong>verify in official docs<\/strong> for your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">API definition and management (groups, routes, stages)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you define APIs (path + method + parameters) and publish them to stages\/environments.<\/li>\n<li><strong>Why it matters:<\/strong> Provides lifecycle control and reduces risky \u201cchange in place\u201d deployments.<\/li>\n<li><strong>Practical benefit:<\/strong> You can test changes in a TEST stage before moving to RELEASE.<\/li>\n<li><strong>Caveats:<\/strong> Stage model and naming may differ; confirm current workflow in the console.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Backend integration (HTTP backends and Alibaba Cloud services)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Forwards requests to a configured backend (commonly an HTTP endpoint; some service integrations may be supported).<\/li>\n<li><strong>Why it matters:<\/strong> Separates API contract from backend implementation.<\/li>\n<li><strong>Practical benefit:<\/strong> Move from one backend URL\/service to another without changing clients.<\/li>\n<li><strong>Caveats:<\/strong> Private backend connectivity requires explicit networking configuration (VPC-related). 
Verify supported backend types.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Authentication and authorization for API consumers (app-based access)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Controls who can call APIs using a consumer identity (often modeled as an \u201cApp\u201d).<\/li>\n<li><strong>Why it matters:<\/strong> Prevents anonymous abuse and enables per-consumer quota controls.<\/li>\n<li><strong>Practical benefit:<\/strong> Give partners unique credentials and revoke them independently.<\/li>\n<li><strong>Caveats:<\/strong> The exact auth methods (signature, tokens, headers) depend on your selected auth type. Use console-generated SDKs\/debug tools where available to avoid signing mistakes. An app secret shipped inside a browser bundle or mobile binary is extractable, so for such clients the app identity is an attribution and quota handle rather than proof of who is calling; keep secrets in server-side callers, issue one app per partner so it can be revoked alone, and rotate on a schedule.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Traffic throttling \/ rate limiting<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Limits request rate (QPS\/RPS) to protect backends and enforce fair use.<\/li>\n<li><strong>Why it matters:<\/strong> Backends often fail under sudden bursts; throttling provides a safety barrier.<\/li>\n<li><strong>Practical benefit:<\/strong> Prevent an accidental client retry storm from taking down a database.<\/li>\n<li><strong>Caveats:<\/strong> Throttling is not a substitute for backend scaling and proper retries; also verify whether limits apply per app, per API, per stage, or globally. Clients must treat a throttled response (typically HTTP 429; confirm the code your gateway returns) as a signal to back off with jitter, because an immediate fixed retry turns a limit into a self-inflicted outage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/response mapping and parameter handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Maps incoming request parameters\/headers\/path variables to the backend request.<\/li>\n<li><strong>Why it matters:<\/strong> Helps standardize API contracts while adapting to legacy backend requirements.<\/li>\n<li><strong>Practical benefit:<\/strong> Expose <code>\/v1\/users\/{id}<\/code> while backend expects <code>GET \/user?id=...<\/code>.<\/li>\n<li><strong>Caveats:<\/strong> Overusing 
mapping can hide complexity; keep API contracts clear and documented.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Custom domain binding and HTTPS (TLS termination)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you expose APIs on your own domain and terminate HTTPS using a certificate.<\/li>\n<li><strong>Why it matters:<\/strong> Production APIs should use your brand domain and HTTPS.<\/li>\n<li><strong>Practical benefit:<\/strong> <code>api.example.com<\/code> instead of a provider endpoint; centralized certificate management.<\/li>\n<li><strong>Caveats:<\/strong> Certificates are managed separately (often via Alibaba Cloud SSL Certificate service). Domain ownership and DNS must be configured correctly. Termination at the gateway means the gateway-to-backend hop is a separate connection: either re-encrypt it (HTTPS backend) or keep it on a private network, and disable plain HTTP on the custom domain so clients cannot downgrade.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Logging and monitoring integrations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Collects access logs and metrics; can integrate with Alibaba Cloud services like Log Service (SLS) and CloudMonitor.<\/li>\n<li><strong>Why it matters:<\/strong> APIs are production-critical; you need latency, errors, and traffic insights.<\/li>\n<li><strong>Practical benefit:<\/strong> Build dashboards for 4xx\/5xx rates and top endpoints; alert on anomalies.<\/li>\n<li><strong>Caveats:<\/strong> Logging has storage\/ingestion costs in SLS; plan retention and sampling. Keep app secrets, signatures, and Authorization headers out of access logs; logs are read by more people and retained longer than credentials are rotated.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">API documentation and SDK generation (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Helps consumers understand how to call your API; some gateways offer SDK generation from API definitions.<\/li>\n<li><strong>Why it matters:<\/strong> Reduces integration time and signing\/auth errors.<\/li>\n<li><strong>Practical benefit:<\/strong> Provide a downloadable SDK to partners.<\/li>\n<li><strong>Caveats:<\/strong> Generated SDKs can lag behind changes; version and distribute 
responsibly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Access control rules (IP allow\/deny, referer, etc. where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Restricts API calls based on IP ranges or other request attributes.<\/li>\n<li><strong>Why it matters:<\/strong> Adds a defense-in-depth layer.<\/li>\n<li><strong>Practical benefit:<\/strong> Only allow calls from corporate NAT IPs for admin APIs.<\/li>\n<li><strong>Caveats:<\/strong> IP-based rules can break mobile\/roaming clients. A Referer value is set by the client and trivially forged, so referer rules are hygiene, not authentication. If a CDN or WAF sits in front of the gateway, the connecting IP is the CDN\u2019s, so apply IP rules at the first hop or trust a forwarded-IP header only from that hop. Never use any of these as the only security control.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>API Gateway sits at the edge of your API layer:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Client sends an HTTP request to the gateway endpoint.<\/li>\n<li>Gateway performs policy checks (auth, throttling, access control).<\/li>\n<li>Gateway transforms the request (if configured) and routes it to the backend.<\/li>\n<li>Backend responds.<\/li>\n<li>Gateway may transform the response (if configured), logs the call, and returns the response to the client.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane:<\/strong> Console\/API used by admins to create groups\/APIs, configure policies, publish stages, bind domains, and set logging.<\/li>\n<li><strong>Data plane:<\/strong> The runtime gateway endpoints that receive API calls and forward traffic to backends.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services (common patterns)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>RAM (Resource Access Management):<\/strong> Manage who can administer API Gateway resources.<\/li>\n<li><strong>Log Service (SLS):<\/strong> Store and query access logs (and possibly audit logs).<\/li>\n<li><strong>CloudMonitor:<\/strong> Metrics, dashboards, and alerting for gateway health\/traffic.<\/li>\n<li><strong>SSL Certificate service:<\/strong> Store\/manage certificates for custom domains.<\/li>\n<li><strong>VPC networking:<\/strong> Connect to private backends (ECS\/SLB\/internal services). Specific features and steps vary; verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model (two layers)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Management access (admins):<\/strong> Controlled by RAM policies and MFA for console users.<\/li>\n<li><strong>API consumer access (callers):<\/strong> Controlled by API Gateway auth settings (for example, app-based credentials and authorization).<\/li>\n<li>The two layers use different credentials and must stay separate: a RAM AccessKey grants control-plane rights and is never handed to an API consumer, and an app credential grants nothing in the console.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Public APIs:<\/strong> Gateway endpoint is internet-accessible; backend can be public or private (if configured).<\/li>\n<li><strong>Private backends:<\/strong> Gateway needs connectivity to VPC resources (often via dedicated configuration such as VPC access). 
The exact mechanism is product-specific\u2014verify your region\u2019s docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define a standard set of access log fields (request ID, app ID, API name, stage, client IP, latency, status) and keep app secrets, signatures, and Authorization headers out of them.<\/li>\n<li>Set SLS retention by environment (short for dev, longer for prod).<\/li>\n<li>Use tagging and naming conventions for API groups and stages.<\/li>\n<li>Alert on:\n<ul>\n<li>Increased 4xx\/5xx<\/li>\n<li>Throttling events<\/li>\n<li>Backend latency spikes<\/li>\n<li>Sudden traffic growth<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[\"Client&lt;br\/&gt;Web\/Mobile\/Partner\"] --&gt;|HTTPS API Call| G[Alibaba Cloud API Gateway]\n  G --&gt;|\"Policy: Auth\/Throttle\/ACL\"| G\n  G --&gt;|Forward| B[\"Backend HTTP Service&lt;br\/&gt;(ECS\/Function Compute\/ACK)\"]\n  B --&gt;|Response| G\n  G --&gt;|Response| U\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Internet\n    C[\"Clients&lt;br\/&gt;Web\/Mobile\/Partners\"]\n  end\n\n  subgraph Edge\n    DNS[\"DNS: api.example.com\"]\n    TLS[\"HTTPS\/TLS Certificate\"]\n    AGW[\"Alibaba Cloud API Gateway&lt;br\/&gt;Stages: TEST\/RELEASE&lt;br\/&gt;Auth + Throttling + Mapping\"]\n  end\n\n  subgraph Observability\n    SLS[\"Log Service (SLS)&lt;br\/&gt;Access Logs + Search\"]\n    CM[\"CloudMonitor&lt;br\/&gt;Metrics + Alerts\"]\n  end\n\n  subgraph VPC[\"VPC (Private Backends)\"]\n    SLB[\"Server Load Balancer \/ NLB&lt;br\/&gt;(backend entrypoint)\"]\n    ECS[\"ECS Services&lt;br\/&gt;or ACK Ingress\"]\n    FC[\"Function Compute&lt;br\/&gt;(Async\/Sync handlers)\"]\n    DB[(RDS\/PolarDB)]\n  end\n\n  C --&gt; DNS --&gt; AGW\n  TLS --&gt; AGW\n\n  AGW --&gt;|\"Private connectivity (verify mechanism)\"| SLB\n  SLB --&gt; ECS\n  ECS --&gt; DB\n\n  AGW --&gt; FC\n\n  AGW --&gt; SLS\n  AGW --&gt; 
CM\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<p>Before starting, ensure you have:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Account and billing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Alibaba Cloud account<\/strong> with billing enabled (pay-as-you-go or subscription depending on your chosen API Gateway offering\/edition).<\/li>\n<li>If your organization uses consolidated billing, ensure your account\/project can create API Gateway resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM (RAM)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A RAM user\/role (not the Alibaba Cloud account\u2019s root credentials) with permissions to manage API Gateway resources.<br\/>\n  Minimum typically includes actions for creating API groups\/APIs, publishing, and configuring domains\/logging; scope the policy to what the lab needs rather than granting full administrative access.<\/li>\n<li>If you will enable logging or certificates:\n<ul>\n<li>Permissions for <strong>Log Service (SLS)<\/strong> project\/logstore creation and read<\/li>\n<li>Permissions for <strong>SSL Certificates<\/strong> management (if binding custom domain)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Because RAM policy names and required actions can change, <strong>verify required RAM policies in official docs<\/strong> for API Gateway and related services:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RAM overview: https:\/\/www.alibabacloud.com\/help\/en\/resource-access-management\/latest\/what-is-ram<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A terminal with <code>curl<\/code> for calling APIs.<\/li>\n<li>Optional: a REST client like Postman (useful for testing).<\/li>\n<li>Optional: Alibaba Cloud CLI for broader account tasks (not required for the core lab).<\/li>\n<li>CLI: https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli\/latest\/what-is-alibaba-cloud-cli<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose a region where <strong>API Gateway<\/strong> is available. 
Availability can differ by region.<\/li>\n<li>Keep backend services (if any) in the same region to reduce latency and egress costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas \/ limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Limits can apply to:\n<ul>\n<li>Number of API groups\/APIs\/apps<\/li>\n<li>QPS and traffic control policies<\/li>\n<li>Custom domain bindings<\/li>\n<\/ul>\n<\/li>\n<li>Check the quota\/limits section in official docs for your region\/edition. If you hit limits, request a quota increase (if supported).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services (optional)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Log Service (SLS)<\/strong> if you want access logs stored centrally.<\/li>\n<li><strong>SSL Certificate service<\/strong> if you want a custom domain with HTTPS.<\/li>\n<li>A backend service (Function Compute\/ECS\/ACK) if you want a non-mock real backend.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Alibaba Cloud API Gateway pricing can vary by <strong>region<\/strong>, <strong>edition<\/strong>, and <strong>billing mode<\/strong>. 
Do not rely on a single fixed price; always confirm in the official pricing page for your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing resources (verify current URLs)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Product page: https:\/\/www.alibabacloud.com\/product\/api-gateway<\/li>\n<li>Pricing page (verify current): https:\/\/www.alibabacloud.com\/pricing\/detail\/api-gateway<\/li>\n<li>Alibaba Cloud pricing overview: https:\/\/www.alibabacloud.com\/pricing<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (typical for gateways)<\/h3>\n\n\n\n<p>Depending on the current SKU\/edition, pricing commonly includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Instance\/edition fees<\/strong> (for example, shared vs dedicated capacity models)<\/li>\n<li><strong>API call volume<\/strong> (requests per month)<\/li>\n<li><strong>Data transfer<\/strong> (especially outbound internet traffic and cross-region egress)<\/li>\n<li><strong>Custom domain \/ certificate costs<\/strong> (certificate service fees may apply)<\/li>\n<li><strong>Logging costs<\/strong> (SLS ingestion + storage + query)<\/li>\n<li><strong>Backend costs<\/strong> (ECS\/Function Compute\/ACK + database costs)<\/li>\n<\/ul>\n\n\n\n<p>Because Alibaba Cloud can offer multiple billing modes and editions, <strong>verify which dimensions apply to your chosen API Gateway edition<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>Alibaba Cloud services sometimes include trials or limited free quotas in specific programs. 
<strong>Verify in the official pricing page<\/strong> whether API Gateway has a free tier, trial, or promotional quota in your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key cost drivers (what usually surprises teams)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>High request volume:<\/strong> Even small per-request charges add up at scale.<\/li>\n<li><strong>Logging retention:<\/strong> Storing all access logs for long periods can become a material cost in SLS.<\/li>\n<li><strong>Outbound data transfer:<\/strong> API responses leaving the region\/internet can incur egress fees.<\/li>\n<li><strong>Dedicated capacity:<\/strong> If you choose dedicated instances\/specs, you pay for reserved capacity regardless of utilization.<\/li>\n<li><strong>Backend amplification:<\/strong> Gateway can increase backend load if clients retry aggressively\u2014rate limit and implement idempotency.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SLS query costs<\/strong> if analysts run frequent full-scan queries.<\/li>\n<li><strong>Certificates<\/strong> for custom domains and rotation operational effort.<\/li>\n<li><strong>Cross-service network traffic<\/strong> if gateway and backend are in different zones\/regions (avoid cross-region unless required).<\/li>\n<li><strong>WAF\/security add-ons<\/strong> (if you place WAF\/CDN in front of your API domain).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>stages<\/strong> to separate dev\/test from production and reduce dev logging retention.<\/li>\n<li>Enable <strong>throttling<\/strong> early to prevent unexpected spikes and cost blow-ups.<\/li>\n<li>Keep gateway and backends in the <strong>same region<\/strong>.<\/li>\n<li>Use <strong>sampling<\/strong> or selective logging in dev (where acceptable) and keep full logs for prod with appropriate 
retention.<\/li>\n<li>Prefer <strong>mock<\/strong> or lightweight backends for dev\/testing to reduce compute cost.<\/li>\n<li>Review API payload sizes; compress responses where appropriate (verify feature support and client compatibility).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n<p>A low-cost starter setup typically includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>One API group and a small number of APIs<\/li>\n<li>Low monthly request volume (development\/testing)<\/li>\n<li>Minimal logging retention or small log volume in SLS<\/li>\n<li>No custom domain (use default gateway endpoint) initially<\/li>\n<\/ul>\n\n\n\n<p>The actual amount depends on region and SKU. Use the official pricing page and your expected request volume to estimate.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>For production, plan for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Peak QPS and steady-state QPS (capacity and throttling policies)<\/li>\n<li>Multiple APIs and stages<\/li>\n<li>Custom domain + certificate lifecycle<\/li>\n<li>Full access logs shipped to SLS with a defined retention period<\/li>\n<li>Alerts\/dashboards (CloudMonitor)<\/li>\n<li>Potential multi-region strategy (if required) and associated egress<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab builds a small but realistic API published through Alibaba Cloud API Gateway. It uses a <strong>mock backend<\/strong> (lowest cost and simplest) so you can validate gateway behavior without deploying compute.<\/p>\n\n\n\n<p>If your console does not support mock backends in your region\/edition, use an HTTP backend (for example, a simple public echo service or your own Function Compute HTTP endpoint). 
<strong>Verify backend type support in the API creation wizard.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create an API Group in Alibaba Cloud API Gateway<\/li>\n<li>Create and publish one API endpoint (GET <code>\/hello<\/code>)<\/li>\n<li>Apply basic traffic control (throttling)<\/li>\n<li>Test the API invocation from your terminal<\/li>\n<li>(Optional) Enable authorization using an App<\/li>\n<li>Validate via logs\/metrics (where available)<\/li>\n<li>Clean up all resources<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will create:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>An <strong>API Group<\/strong> (container)<\/li>\n<li>An <strong>API<\/strong> (route + method + backend)<\/li>\n<li>A <strong>Stage publish<\/strong> (TEST, then optionally RELEASE)<\/li>\n<li>A <strong>Traffic control<\/strong> policy<\/li>\n<li>(Optional) An <strong>App<\/strong> and authorization binding<\/li>\n<li>(Optional) <strong>Access logging<\/strong> integration (SLS)<\/li>\n<\/ol>\n\n\n\n<p>Expected end state:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can call the API endpoint and get a JSON\/text response<\/li>\n<li>You can confirm throttling works by sending bursts<\/li>\n<li>You can remove everything cleanly<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Open the API Gateway console and choose a region<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Sign in to the Alibaba Cloud Console.<\/li>\n<li>Open API Gateway:\n<ul>\n<li>Product page: https:\/\/www.alibabacloud.com\/product\/api-gateway<\/li>\n<li>Console entry (URL can vary): <strong>verify from the product page<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<li>Select a <strong>Region<\/strong> (pick the region closest to you and where you run backends).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You are in the API Gateway console for your chosen region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create an API Group<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the API Gateway console, find <strong>API Groups<\/strong> (or 
similar).<\/li>\n<li>Click <strong>Create Group<\/strong>.<\/li>\n<li>\n<p>Fill in:<\/p>\n<ul>\n<li><strong>Group Name:<\/strong> <code>demo-hello-api<\/code><\/li>\n<li><strong>Description:<\/strong> <code>Demo API group for hello endpoint<\/code><\/li>\n<li>Optional tags (recommended):\n<ul>\n<li><code>env=dev<\/code><\/li>\n<li><code>owner=&lt;yourname&gt;<\/code><\/li>\n<li><code>cost-center=learning<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Create the group.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> The API Group <code>demo-hello-api<\/code> exists and is listed in the console.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create a traffic control (throttling) policy<\/h3>\n\n\n\n<p>Traffic control is usually configured as a separate resource and then attached to APIs\/stages.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the API Gateway console, locate <strong>Traffic Control<\/strong> (or \u201cFlow Control\u201d \/ \u201cThrottle\u201d).<\/li>\n<li>\n<p>Create a policy:<\/p>\n<ul>\n<li><strong>Name:<\/strong> <code>demo-low-qps<\/code><\/li>\n<li><strong>Limit:<\/strong> Choose a small value for testing (for example, a low QPS).<br\/>\n<strong>Do not copy a specific number from this tutorial if your console uses different semantics\u2014follow the UI guidance.<\/strong><\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Save it.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> A traffic control policy exists and can be referenced by APIs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create an API (GET \/hello) with a mock backend<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go back to your API Group <code>demo-hello-api<\/code>.<\/li>\n<li>Click <strong>Create API<\/strong>.<\/li>\n<li>Choose an API type supported by your console (commonly <strong>REST<\/strong> or <strong>HTTP<\/strong> API).<\/li>\n<li>\n<p>Configure <strong>Frontend (Request)<\/strong>:<\/p>\n<ul>\n<li><strong>Method:<\/strong> <code>GET<\/code><\/li>\n<li><strong>Path:<\/strong> <code>\/hello<\/code><\/li>\n<li><strong>Protocol:<\/strong> <code>HTTP<\/code> or <code>HTTPS<\/code> (depending on console options)<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Configure <strong>Backend<\/strong>:<\/p>\n<ul>\n<li>Choose <strong>Mock<\/strong> backend (if available).<\/li>\n<li>Set the mock response body to something like:\n<pre><code class=\"language-json\">{\"message\":\"Hello from Alibaba Cloud API Gateway\"}\n<\/code><\/pre>\n<\/li>\n<li>Set the response content-type to <code>application\/json<\/code> if the UI provides it.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>If mock is not available, choose an <strong>HTTP backend<\/strong> and set:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Backend URL: a reachable endpoint (your own backend is best).<\/li>\n<li>Method mapping: GET \u2192 GET.<\/li>\n<\/ul>\n\n\n\n<ol class=\"wp-block-list\" start=\"6\">\n<li>\n<p>Configure <strong>Policies<\/strong>:<\/p>\n<ul>\n<li>Attach traffic control policy <code>demo-low-qps<\/code> to the API (or plan to attach on publish if that\u2019s the model).<\/li>\n<li>Authentication: for the first run, choose <strong>No Authentication<\/strong> (to keep the initial call simple).<br\/>\nYou will add App-based auth in a later optional step.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Save the API.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> The API definition exists inside the API group.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Publish the API to a TEST stage<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Find the API you created (<code>GET \/hello<\/code>).<\/li>\n<li>Click <strong>Publish<\/strong>.<\/li>\n<li>Choose <strong>Stage:<\/strong> <code>TEST<\/code> (or the equivalent stage name shown in your console).<\/li>\n<li>Confirm publish.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> The API is deployed to the TEST stage and the console shows an <strong>Invoke URL<\/strong> (or domain + path) for TEST.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Invoke the API from your terminal (curl)<\/h3>\n\n\n\n<p>Because endpoint formats can vary and may include group identifiers, <strong>copy the exact invoke URL from the console<\/strong>.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p>Copy the TEST invoke URL from the API details page. It should look something like:<\/p>\n<ul>\n<li><code>https:\/\/&lt;gateway-domain&gt;\/&lt;stage&gt;\/hello<\/code> or<\/li>\n<li><code>https:\/\/&lt;group-specific-domain&gt;\/hello<\/code> (formats vary)<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Call it with <code>curl<\/code>:<\/p>\n<pre><code class=\"language-bash\">curl -i \"https:\/\/&lt;PASTE-YOUR-INVOKE-URL-HERE&gt;\"\n<\/code><\/pre>\n<\/li>\n<li>\n<p>Confirm you receive a <code>200 OK<\/code> (or expected status) and the JSON body:<\/p>\n<pre><code class=\"language-json\">{\"message\":\"Hello from Alibaba Cloud API Gateway\"}\n<\/code><\/pre>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You successfully invoke your API through Alibaba Cloud API Gateway.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Verify throttling works (send a burst)<\/h3>\n\n\n\n<p>Send multiple requests quickly. You can do this from a shell:<\/p>\n\n\n\n<pre><code class=\"language-bash\">URL=\"https:\/\/&lt;PASTE-YOUR-INVOKE-URL-HERE&gt;\"\nfor i in $(seq 1 50); do\n  code=$(curl -s -o \/dev\/null -w \"%{http_code}\" \"$URL\")\n  echo \"$i $code\"\ndone\n<\/code><\/pre>\n\n\n\n<p>If your throttle is low, you may see:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>200<\/code> responses for some requests, then<\/li>\n<li><code>429<\/code> or another throttling-related code for excess requests (exact status\/headers may vary).<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can observe throttling behavior consistent with your traffic control policy.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8 (Optional but recommended): Enable App-based authorization<\/h3>\n\n\n\n<p>In production, you rarely want anonymous access. 
This step introduces an <strong>App<\/strong> (consumer identity) and authorizes it to call the API.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the API Gateway console, create an <strong>App<\/strong>:\n<ul>\n<li>Name: <code>demo-caller-app<\/code><\/li>\n<li>Note the generated <strong>AppKey\/AppSecret<\/strong> (or similar credentials) shown by the console.<\/li>\n<\/ul>\n<\/li>\n<li>Authorize the app to call your API:\n<ul>\n<li>In the API Group or API settings, locate <strong>Authorization<\/strong> \/ <strong>App Authorization<\/strong>.<\/li>\n<li>Bind <code>demo-caller-app<\/code> to your API or group (scope depends on console).<\/li>\n<\/ul>\n<\/li>\n<li>Update API auth type:\n<ul>\n<li>Edit the API and set authentication to the app-based auth option offered by the console (naming varies).<\/li>\n<\/ul>\n<\/li>\n<li>Republish to TEST stage.<\/li>\n<\/ol>\n\n\n\n<p><strong>How to test without implementing signing manually:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use the console\u2019s <strong>API Debugging<\/strong> feature (often available on the API details page). It can apply the correct auth\/signature automatically when you select an App.<\/li>\n<li>Alternatively, if the console offers <strong>SDK generation<\/strong>, generate a client SDK and run the provided sample. This reduces the risk of signing mistakes.<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome:<\/strong> Anonymous calls are rejected; authorized calls succeed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 9 (Optional): Enable access logging to Log Service (SLS)<\/h3>\n\n\n\n<p>If your edition supports it, enable access logs to SLS for queryable audit\/troubleshooting.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open <strong>Log Service (SLS)<\/strong> and create:\n<ul>\n<li>A <strong>Project<\/strong> (for example <code>apigw-demo-logs<\/code>)<\/li>\n<li>A <strong>Logstore<\/strong> (for example <code>access-log<\/code>)<\/li>\n<\/ul>\n<\/li>\n<li>In the API Gateway console:\n<ul>\n<li>Enable access logging and point to your SLS project\/logstore (exact steps vary\u2014verify in docs).<\/li>\n<\/ul>\n<\/li>\n<li>Invoke the API a few times.<\/li>\n<li>In SLS, query recent logs and confirm you see requests with fields like status code, latency, path, and client IP (fields vary).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> API access logs appear in SLS and can be queried.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist to confirm the lab is successful:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[ ] API Group exists (<code>demo-hello-api<\/code>)<\/li>\n<li>[ ] API exists (GET <code>\/hello<\/code>)<\/li>\n<li>[ ] API published to TEST stage<\/li>\n<li>[ ] <code>curl<\/code> returns expected response<\/li>\n<li>[ ] Throttling triggers when you exceed configured limits<\/li>\n<li>[ ] (Optional) App auth rejects anonymous requests<\/li>\n<li>[ ] (Optional) SLS contains access logs for your calls<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>HTTP 404 Not Found<\/strong><\/p>\n<ul>\n<li>Cause: Wrong invoke URL, wrong stage, or path mismatch (<code>\/hello<\/code> vs <code>\/hello\/<\/code>).<\/li>\n<li>Fix: Copy the invoke URL exactly from the console; confirm the published stage.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>HTTP 403 Forbidden<\/strong><\/p>\n<ul>\n<li>Cause: Auth enabled but request not signed \/ app not authorized \/ IP restrictions.<\/li>\n<li>Fix: Use the console debug tool with the correct App; confirm the app authorization binding; temporarily remove restrictive ACLs to isolate.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>HTTP 429 Too Many Requests<\/strong><\/p>\n<ul>\n<li>Cause: Throttling policy too strict for your test loop.<\/li>\n<li>Fix: Increase the QPS limit or slow down the loop; validate the policy attachment scope.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>HTTP 5xx errors<\/strong><\/p>\n<ul>\n<li>Cause: Backend misconfiguration (if using HTTP backend), timeouts, unreachable backend.<\/li>\n<li>Fix: For a mock backend, verify the mock response config; for an HTTP backend, test the backend URL directly and confirm connectivity.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>No logs in SLS<\/strong><\/p>\n<ul>\n<li>Cause: Logging not enabled, wrong project\/logstore, or RAM permissions missing.<\/li>\n<li>Fix: Verify logging configuration and RAM permissions; confirm you are looking in the correct region\/project.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Unpublish or delete the API (if required by console workflow).<\/li>\n<li>Delete the API from the API Group.<\/li>\n<li>Delete the API Group <code>demo-hello-api<\/code>.<\/li>\n<li>Delete the traffic control policy <code>demo-low-qps<\/code>.<\/li>\n<li>Delete the App <code>demo-caller-app<\/code> (optional).<\/li>\n<li>If you enabled SLS:\n<ul>\n<li>Delete the logstore and project (or reduce retention).<\/li>\n<\/ul>\n<\/li>\n<li>If you bound a custom domain\/certificate:\n<ul>\n<li>Unbind the domain and manage the certificate lifecycle appropriately.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Design stable API contracts:<\/strong> Treat the gateway API as a product interface; version explicitly (<code>\/v1<\/code>, <code>\/v2<\/code>) rather than breaking existing clients.<\/li>\n<li><strong>Use stages for controlled releases:<\/strong> Keep TEST and RELEASE behavior consistent; automate promotion when possible.<\/li>\n<li><strong>Keep mapping rules simple:<\/strong> Prefer clean backend APIs; use mapping mainly for compatibility.<\/li>\n<li><strong>Plan for multi-region only when required:<\/strong> API gateways are typically regional. Multi-region implies DNS strategy, replication of config, and careful key management.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use RAM least privilege:<\/strong> Separate roles:\n<ul>\n<li>API Gateway admins (manage APIs)<\/li>\n<li>Read-only observers (view metrics\/logs)<\/li>\n<li>CI\/CD publisher role (publish APIs, no billing changes)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Enable MFA for privileged users.<\/strong><\/li>\n<li><strong>Restrict who can bind custom domains\/certificates:<\/strong> Domain changes can cause outages.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control log retention:<\/strong> Keep prod logs long enough for audit; keep dev logs short.<\/li>\n<li><strong>Throttle early:<\/strong> Prevent cost spikes and backend overload.<\/li>\n<li><strong>Avoid cross-region backends:<\/strong> Reduces latency and egress charges.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Minimize response payload size:<\/strong> Smaller payloads reduce latency and egress cost.<\/li>\n<li><strong>Use sensible timeouts:<\/strong> Too low 
causes false failures; too high ties up resources. Align gateway and backend timeouts.<\/li>\n<li><strong>Prefer keep-alive and efficient backend endpoints<\/strong> (handled mostly by platform, but ensure backend supports it).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Make backend calls idempotent<\/strong> for retry scenarios (especially POST where applicable).<\/li>\n<li><strong>Return consistent error formats<\/strong> (document error codes).<\/li>\n<li><strong>Graceful degradation:<\/strong> Use cached responses or fallback behavior if supported and appropriate (verify caching features).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Define SLOs:<\/strong> latency, error rate, availability per API.<\/li>\n<li><strong>Alert on leading indicators:<\/strong> throttling events, latency p95\/p99, 5xx rate.<\/li>\n<li><strong>Standardize naming\/tagging:<\/strong> include <code>env<\/code>, <code>team<\/code>, <code>service<\/code>, <code>owner<\/code>, <code>data-classification<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maintain an API catalog: group owners, contacts, change windows.<\/li>\n<li>Require documentation before publishing to RELEASE.<\/li>\n<li>Use a change review process for:\n<ul>\n<li>auth changes<\/li>\n<li>throttling changes<\/li>\n<li>backend URL changes<\/li>\n<li>domain\/certificate changes<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Admin\/management plane:<\/strong> Controlled by Alibaba Cloud <strong>RAM<\/strong>. 
Use role-based access and least privilege.<\/li>\n<li><strong>API consumer plane:<\/strong> Controlled by API Gateway\u2019s configured authentication and authorization mode.<\/li>\n<li>Prefer authenticated access for production.<\/li>\n<li>Issue separate credentials per consumer app\/partner.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>In transit:<\/strong> Use <strong>HTTPS<\/strong> for client-to-gateway traffic. Bind a custom domain and certificate for production.<\/li>\n<li><strong>Gateway-to-backend encryption:<\/strong> Use HTTPS to backend endpoints when possible, especially across public networks. For private networking, still prefer TLS for sensitive data (verify backend and gateway support).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid exposing backends publicly when a gateway exists\u2014keep backends private in VPC if possible.<\/li>\n<li>If you must use public backends:\n<ul>\n<li>Restrict backend security groups to only allow gateway egress IPs if documented\/available (verify).<\/li>\n<li>Use backend authentication too (defense-in-depth).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat AppKey\/AppSecret as secrets:\n<ul>\n<li>Store in a secrets manager or secure CI variable store<\/li>\n<li>Rotate periodically<\/li>\n<li>Never commit to source control<\/li>\n<\/ul>\n<\/li>\n<li>For custom domains\/certs, protect private keys and restrict certificate management permissions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and retain:\n<ul>\n<li>Gateway access logs (SLS)<\/li>\n<li>Administrative action logs (ActionTrail or equivalent\u2014verify)<\/li>\n<\/ul>\n<\/li>\n<li>Correlate gateway request IDs with backend logs for incident response.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data residency: choose region aligned to your compliance needs.<\/li>\n<li>PII: avoid logging sensitive headers\/body; mask or omit where possible (verify logging controls).<\/li>\n<li>Retention: define retention policies per environment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Leaving production APIs as \u201cNo Authentication\u201d<\/li>\n<li>Over-relying on IP allowlists for mobile\/public clients<\/li>\n<li>Binding a custom domain without strong TLS settings and renewal process<\/li>\n<li>Logging sensitive payloads into SLS without retention\/masking controls<\/li>\n<li>Too-broad RAM permissions for API publishing and domain binding<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Require authentication for all production APIs.<\/li>\n<li>Use throttling and WAF-like protections where appropriate (gateway policies, upstream WAF\/CDN patterns).<\/li>\n<li>Implement request validation in backends even if the gateway enforces policies.<\/li>\n<li>Document incident playbooks: credential revoke, throttling adjustments, rollback via stage.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Limitations and Gotchas<\/h2>\n\n\n\n<p>Because limits can differ by region\/edition, treat these as common categories and <strong>verify specifics in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitation categories<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional scope:<\/strong> APIs are typically deployed per region; multi-region requires duplication and DNS strategy.<\/li>\n<li><strong>Quota constraints:<\/strong> number of groups, APIs, apps, domain bindings, and max QPS may be limited by edition\/spec.<\/li>\n<li><strong>Auth complexity:<\/strong> App-based signature schemes can be error-prone if implemented manually\u2014prefer console debug\/SDK generation when available.<\/li>\n<li><strong>Timeout alignment:<\/strong> Gateway timeouts must match backend timeouts; mismatch leads to 504\/5xx or stuck connections.<\/li>\n<li><strong>Logging cost and volume:<\/strong> Access logs can be high-volume; careless retention can increase costs.<\/li>\n<li><strong>Backend reachability:<\/strong> Private backend integration requires correct VPC connectivity configuration; misconfiguration manifests as 5xx errors.<\/li>\n<li><strong>Change management:<\/strong> Updating an API without a stage\/testing process can break clients quickly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>High egress due to large responses<\/li>\n<li>SLS ingestion\/storage\/query costs<\/li>\n<li>Dedicated capacity charges even when idle (if applicable to your SKU)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some clients\/proxies handle headers differently; if your auth uses custom headers, test thoroughly.<\/li>\n<li>CORS behavior varies by configuration; verify preflight handling for browsers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Moving from self-managed gateways (Kong\/Nginx) requires mapping:<\/li>\n<li>routes<\/li>\n<li>auth policies<\/li>\n<li>rate limits<\/li>\n<li>custom plugins (may not have direct equivalents)<\/li>\n<li>Plan parallel run: keep old gateway live while validating new endpoints.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Alibaba Cloud offers multiple ways to expose and control APIs. Here is a practical comparison.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud API Gateway<\/strong><\/td>\n<td>Managed API publishing and policy enforcement for HTTP APIs<\/td>\n<td>Managed ops, stages, consumer app auth, throttling, logging integrations<\/td>\n<td>Feature set depends on edition\/region; may be less flexible than self-managed plugins<\/td>\n<td>You want a managed gateway with standardized controls<\/td>\n<\/tr>\n<tr>\n<td><strong>MSE Cloud Native API Gateway<\/strong> (Alibaba Cloud)<\/td>\n<td>Kubernetes\/microservice-native gateway use cases<\/td>\n<td>Better alignment with cloud-native traffic patterns (verify exact capabilities)<\/td>\n<td>Different product scope and pricing; migration effort<\/td>\n<td>You run ACK\/microservices and want a gateway designed for cloud-native stacks<\/td>\n<\/tr>\n<tr>\n<td><strong>ACK Ingress (NGINX\/ALB Ingress Controller)<\/strong><\/td>\n<td>Kubernetes north-south traffic for services<\/td>\n<td>Great for cluster ingress, flexible routing, standard K8s model<\/td>\n<td>Not an API product layer; weaker API consumer management<\/td>\n<td>You primarily need ingress for Kubernetes workloads<\/td>\n<\/tr>\n<tr>\n<td><strong>Server Load Balancer (SLB\/ALB\/NLB)<\/strong><\/td>\n<td>L4\/L7 load balancing<\/td>\n<td>High performance, simple<\/td>\n<td>Not an API 
management solution<\/td>\n<td>You only need load balancing, not API policies<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed Kong \/ Apache APISIX \/ NGINX<\/strong><\/td>\n<td>Full control and plugin ecosystem<\/td>\n<td>Maximum customization, multi-cloud portability<\/td>\n<td>You operate everything (scaling, upgrades, HA, security)<\/td>\n<td>You need custom plugins or full portability and can operate the platform<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS API Gateway<\/strong> (other cloud)<\/td>\n<td>API management on AWS<\/td>\n<td>Deep AWS integration<\/td>\n<td>Different cloud, migration\/networking complexity<\/td>\n<td>Your workloads are primarily on AWS<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure API Management<\/strong> (other cloud)<\/td>\n<td>Enterprise API mgmt on Azure<\/td>\n<td>Strong enterprise governance<\/td>\n<td>Cost\/complexity<\/td>\n<td>Your workloads are primarily on Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>Google Apigee \/ Google API Gateway<\/strong> (other cloud)<\/td>\n<td>Enterprise API mgmt on Google Cloud<\/td>\n<td>Strong API product features (Apigee)<\/td>\n<td>Cost\/complexity<\/td>\n<td>You need Apigee-level enterprise API product features<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Partner APIs for a retail platform<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A retailer needs to expose order status and inventory APIs to logistics partners. 
They must enforce quotas, audit access, and avoid exposing internal services directly.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul>\n<li>API Gateway as the public entrypoint with custom domain <code>partners-api.example.com<\/code><\/li>\n<li>App identities per partner with throttling policies<\/li>\n<li>Backend services in VPC behind an internal load balancer<\/li>\n<li>Access logs to SLS, alerts in CloudMonitor<\/li>\n<li>Separate TEST and RELEASE stages with controlled promotion<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why API Gateway was chosen:<\/strong>\n<ul>\n<li>Managed policy enforcement (auth, throttling)<\/li>\n<li>Centralized logs for audit<\/li>\n<li>Reduced operational overhead vs self-managed gateway cluster<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul>\n<li>Faster partner onboarding with consistent credentials and quotas<\/li>\n<li>Reduced security risk by keeping backends private<\/li>\n<li>Better incident response using gateway logs and metrics<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: Single API facade for a mobile app<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A small team has a mobile app that calls multiple backends (user service, payments, notifications). 
They need one stable endpoint, basic throttling, and quick iteration.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul>\n<li>API Gateway with a single API group <code>mobile-api<\/code><\/li>\n<li>Routes like <code>\/v1\/user\/*<\/code>, <code>\/v1\/payments\/*<\/code> forwarding to different HTTP backends<\/li>\n<li>Lightweight throttling to prevent abuse<\/li>\n<li>Minimal logging in dev, full logging in prod<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why API Gateway was chosen:<\/strong>\n<ul>\n<li>Quick setup without managing infrastructure<\/li>\n<li>Stages support safe release testing<\/li>\n<li>Central throttle reduces risk of accidental cost spikes<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul>\n<li>Faster development and cleaner client configuration<\/li>\n<li>Better visibility into errors and latency<\/li>\n<li>Reduced time spent building auth\/throttle logic into every service<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is Alibaba Cloud API Gateway regional or global?<\/strong><br\/>\n   In practice, API Gateway resources are created per <strong>region<\/strong>, and API endpoints are region-associated. Verify the exact endpoint behavior and cross-region options in official docs for your edition.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need an API Gateway if I already have SLB\/ALB?<\/strong><br\/>\n   SLB\/ALB is primarily load balancing. API Gateway adds API-specific features like consumer authorization, throttling policies, stages, and centralized API lifecycle controls.<\/p>\n<\/li>\n<li>\n<p><strong>Can API Gateway call private backends inside a VPC?<\/strong><br\/>\n   Yes in many architectures, but it requires explicit configuration for private connectivity. 
The mechanism and steps vary\u2014verify \u201cVPC integration\/private backend\u201d in the API Gateway docs for your region.<\/p>\n<\/li>\n<li>\n<p><strong>How do I do authentication for callers?<\/strong><br\/>\n   API Gateway commonly supports an app-based consumer model (AppKey\/AppSecret or similar). The exact signing\/credential usage depends on the selected auth type; use the console debug tool or SDK generation when possible, and verify the docs.<\/p>\n<\/li>\n<li>\n<p><strong>Can I expose APIs on my own domain?<\/strong><br\/>\n   Yes, typically by binding a custom domain and attaching an SSL certificate. You must also configure DNS. Verify the exact domain binding workflow in your region\/edition.<\/p>\n<\/li>\n<li>\n<p><strong>Does API Gateway support CORS?<\/strong><br\/>\n   Many API gateways provide CORS support. Confirm current API Gateway settings for CORS\/preflight handling in the official docs or console for your API type.<\/p>\n<\/li>\n<li>\n<p><strong>How do I version APIs?<\/strong><br\/>\n   Common patterns include URI versioning (<code>\/v1\/<\/code>, <code>\/v2\/<\/code>) and stages (TEST\/RELEASE). Stages are not a substitute for client-visible versioning\u2014use both for safe evolution.<\/p>\n<\/li>\n<li>\n<p><strong>How do I roll back a bad API deployment?<\/strong><br\/>\n   Use stages and the publish workflow: keep the last known good configuration and republish or roll back via stage management. The exact rollback mechanics depend on the console experience; verify them in the docs.<\/p>\n<\/li>\n<li>\n<p><strong>What is the difference between an API Group and an API?<\/strong><br\/>\n   An API Group is a container (product\/domain). An API is a specific endpoint definition (route + method + backend + policies).<\/p>\n<\/li>\n<li>\n<p><strong>How do I monitor API latency and errors?<\/strong><br\/>\n   Use the gateway\u2019s metrics (often via CloudMonitor) and access logs (often via SLS). 
Create dashboards for p95 latency and 4xx\/5xx, and alert on abnormal changes.<\/p>\n<\/li>\n<li>\n<p><strong>Will API Gateway increase latency?<\/strong><br\/>\n   A gateway adds an extra hop and policy checks, so some added latency is expected. Keeping gateway and backends in the same region and optimizing payload sizes helps.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use API Gateway for internal-only APIs?<\/strong><br\/>\n   Yes, if your architecture supports internal access patterns (for example, private endpoints or VPC access models). Verify internal endpoint options for your SKU.<\/p>\n<\/li>\n<li>\n<p><strong>How do I protect my backend from retry storms?<\/strong><br\/>\n   Combine throttling, sensible client retry policies, and idempotency keys in backends. Throttling alone is not enough.<\/p>\n<\/li>\n<li>\n<p><strong>What happens if I delete an API Group?<\/strong><br\/>\n   Deleting a group typically deletes contained APIs and breaks clients immediately. Use change control and ensure DNS\/domain dependencies are removed first.<\/p>\n<\/li>\n<li>\n<p><strong>Is API Gateway the same as MSE Cloud Native API Gateway?<\/strong><br\/>\n   No. They are separate Alibaba Cloud products with different scopes and target architectures. If you are building on ACK and want deep cloud-native gateway behavior, evaluate MSE Cloud Native API Gateway. Verify current positioning in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need to log every request?<\/strong><br\/>\n   For production audit and incident response, logging is strongly recommended, but manage retention\/cost. For dev\/test, reduced retention or selective logging can be reasonable.<\/p>\n<\/li>\n<li>\n<p><strong>How do I estimate cost for my API?<\/strong><br\/>\n   Start with expected monthly requests, average response size, logging volume, and whether you need dedicated capacity. 
Then validate with the official pricing page and, if available, a calculator.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn API Gateway<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Alibaba Cloud API Gateway Documentation \u2014 https:\/\/www.alibabacloud.com\/help\/en\/api-gateway<\/td>\n<td>Authoritative reference for features, concepts, and configuration steps<\/td>\n<\/tr>\n<tr>\n<td>Product page<\/td>\n<td>Alibaba Cloud API Gateway \u2014 https:\/\/www.alibabacloud.com\/product\/api-gateway<\/td>\n<td>High-level overview, editions, and positioning<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>API Gateway Pricing (verify current) \u2014 https:\/\/www.alibabacloud.com\/pricing\/detail\/api-gateway<\/td>\n<td>Confirms pricing dimensions by region\/edition<\/td>\n<\/tr>\n<tr>\n<td>Getting started (official)<\/td>\n<td>API Gateway \u201cGetting Started\u201d within docs \u2014 https:\/\/www.alibabacloud.com\/help\/en\/api-gateway (navigate to Quick Start\/Getting Started)<\/td>\n<td>Step-by-step onboarding aligned to current console<\/td>\n<\/tr>\n<tr>\n<td>IAM basics<\/td>\n<td>Resource Access Management (RAM) \u2014 https:\/\/www.alibabacloud.com\/help\/en\/resource-access-management\/latest\/what-is-ram<\/td>\n<td>Required for secure admin access and least-privilege operations<\/td>\n<\/tr>\n<tr>\n<td>Logging<\/td>\n<td>Log Service (SLS) documentation \u2014 https:\/\/www.alibabacloud.com\/help\/en\/log-service<\/td>\n<td>Needed to implement access logs, queries, dashboards, retention<\/td>\n<\/tr>\n<tr>\n<td>Monitoring<\/td>\n<td>CloudMonitor documentation \u2014 https:\/\/www.alibabacloud.com\/help\/en\/cloudmonitor<\/td>\n<td>Metrics, alerting, and operational monitoring patterns<\/td>\n<\/tr>\n<tr>\n<td>Certificates<\/td>\n<td>SSL Certificates 
Service \u2014 https:\/\/www.alibabacloud.com\/product\/ssl<\/td>\n<td>Custom domain HTTPS and certificate lifecycle<\/td>\n<\/tr>\n<tr>\n<td>CLI<\/td>\n<td>Alibaba Cloud CLI \u2014 https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-cli\/latest\/what-is-alibaba-cloud-cli<\/td>\n<td>Useful for automation around account tasks (where applicable)<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Alibaba Cloud Architecture Center \u2014 https:\/\/www.alibabacloud.com\/solutions\/architecture<\/td>\n<td>Reference architectures and best practices (search for API\/gateway patterns)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams, developers<\/td>\n<td>DevOps + cloud operations; may include API management patterns<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>SCM\/DevOps fundamentals; may include middleware and deployment practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CloudOpsNow.in<\/td>\n<td>Cloud engineers, operations teams<\/td>\n<td>Cloud operations practices, monitoring, cost awareness<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability engineers, ops leads<\/td>\n<td>SRE practices: SLOs, monitoring, incident response relevant to API ops<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams exploring AIOps<\/td>\n<td>Observability, automation, anomaly detection 
concepts<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify offerings)<\/td>\n<td>Students, engineers seeking practical training<\/td>\n<td>https:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps tooling and practices (verify offerings)<\/td>\n<td>DevOps beginners to intermediate<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps services\/training (verify offerings)<\/td>\n<td>Teams seeking hands-on assistance<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and learning (verify offerings)<\/td>\n<td>Ops teams needing support-style guidance<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify exact catalog)<\/td>\n<td>API platform design, CI\/CD, observability<\/td>\n<td>Designing API Gateway rollout, logging\/SLS strategy, access controls<\/td>\n<td>https:\/\/www.cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and enablement (verify exact catalog)<\/td>\n<td>Training + implementation assistance<\/td>\n<td>API operational readiness, SRE practices, automation<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify exact catalog)<\/td>\n<td>Cloud migration and ops processes<\/td>\n<td>Governance, monitoring, deployment pipelines around API changes<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before API Gateway<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HTTP fundamentals: methods, status codes, headers, TLS<\/li>\n<li>REST API design basics: resource modeling, versioning, pagination<\/li>\n<li>Networking basics: DNS, domains, certificates, VPC concepts<\/li>\n<li>Basic security: authentication vs authorization, least privilege, secrets handling<\/li>\n<li>Observability basics: logs, metrics, tracing concepts<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after API Gateway<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Advanced API security: OAuth2\/OIDC concepts (even if implemented elsewhere), token lifetimes, key rotation<\/li>\n<li>WAF\/CDN patterns for API protection and caching<\/li>\n<li>Backend resilience: circuit breakers, retries, idempotency, timeouts<\/li>\n<li>CI\/CD for APIs: automated tests, canary releases, contract testing<\/li>\n<li>Multi-region API strategies: DNS routing, failover, data replication<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud engineer \/ DevOps engineer<\/li>\n<li>Platform engineer<\/li>\n<li>SRE \/ operations engineer<\/li>\n<li>Solutions architect<\/li>\n<li>Backend developer \/ API engineer<\/li>\n<li>Security engineer (API security governance)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (Alibaba Cloud)<\/h3>\n\n\n\n<p>Alibaba Cloud offers role-based certifications (associate\/professional tracks). 
Certification names and tracks change over time\u2014<strong>verify current Alibaba Cloud certification options<\/strong> on the official certification portal:\n&#8211; https:\/\/edu.alibabacloud.com\/ (verify current certification pages and paths)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a multi-API group for a sample e-commerce system (<code>\/users<\/code>, <code>\/orders<\/code>, <code>\/inventory<\/code>).<\/li>\n<li>Implement staged releases with automated smoke tests for TEST \u2192 RELEASE.<\/li>\n<li>Add throttling policies per consumer app and validate behavior under load.<\/li>\n<li>Centralize access logs in SLS and build dashboards for top APIs, latency, and errors.<\/li>\n<li>Bind a custom domain and write a certificate rotation runbook.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API Gateway:<\/strong> A managed service that exposes APIs, routes requests to backends, and enforces policies like auth and throttling.<\/li>\n<li><strong>Middleware:<\/strong> Software layer between clients and services that provides common capabilities (security, routing, observability).<\/li>\n<li><strong>API Group:<\/strong> A logical container for APIs, often representing a product or domain boundary.<\/li>\n<li><strong>API (Endpoint):<\/strong> A defined route (path + method) with request\/response behavior and backend integration.<\/li>\n<li><strong>Stage (Environment):<\/strong> A deployment target such as TEST or RELEASE used for controlled rollout.<\/li>\n<li><strong>Backend:<\/strong> The service that actually processes the request (ECS app, Function Compute function, Kubernetes service, etc.).<\/li>\n<li><strong>App (Consumer):<\/strong> An identity representing a calling application\/partner used for authorization and quota control.<\/li>\n<li><strong>AppKey\/AppSecret:<\/strong> Credential pair used by 
some gateway auth schemes; treat as sensitive secrets.<\/li>\n<li><strong>Throttling \/ Rate limiting:<\/strong> Limiting request rate to protect backends and enforce fair usage.<\/li>\n<li><strong>CORS:<\/strong> Cross-Origin Resource Sharing; controls browser-based cross-origin API calls.<\/li>\n<li><strong>TLS\/HTTPS:<\/strong> Encryption in transit between client and gateway (and ideally gateway to backend).<\/li>\n<li><strong>SLS (Log Service):<\/strong> Alibaba Cloud logging service for log ingestion, storage, and query.<\/li>\n<li><strong>CloudMonitor:<\/strong> Alibaba Cloud monitoring service for metrics, dashboards, and alerts.<\/li>\n<li><strong>Idempotency:<\/strong> Property where repeating the same request has the same effect, important for safe retries.<\/li>\n<li><strong>Egress:<\/strong> Outbound data transfer from a cloud region to the internet or another region, often billable.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>API Gateway<\/strong> is a managed <strong>Middleware<\/strong> service for publishing and operating HTTP APIs. It provides a consistent front door for clients, centralizes authentication\/authorization options, enforces throttling, supports staged publishing workflows, and integrates with Alibaba Cloud logging and monitoring.<\/p>\n\n\n\n<p>It matters because it reduces duplicated effort across backend teams and improves security and operational consistency. Cost depends primarily on request volume, capacity\/edition, logging volume (SLS), and outbound data transfer\u2014so start with a small dev setup and add controls like throttling and retention early. 
Secure deployments should use RAM least privilege for administrators, authenticated access for consumers, HTTPS everywhere practical, and auditable logs.<\/p>\n\n\n\n<p>Use API Gateway when you need a managed, policy-driven API facade; consider alternatives (such as MSE Cloud Native API Gateway or self-managed gateways) when you require cloud-native\/Kubernetes-centric features or custom plugin ecosystems.<\/p>\n\n\n\n<p>Next step: follow the official API Gateway documentation for your region\/edition and extend the lab by adding a real backend (Function Compute or ECS), custom domain + HTTPS, and production-grade logging\/alerts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Middleware<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,11],"tags":[],"class_list":["post-63","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-middleware"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/63","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=63"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/63\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=63"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=63"},{"taxonomy":"post_tag","embeddable":true,"href":"
https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=63"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}