
A grpc proxy can be a game-changer for scalable and secure microservices. It allows you to manage traffic and security at the edge of your network.
With a grpc proxy, you can easily add features like load balancing, circuit breaking, and authentication. This can help improve the reliability and performance of your microservices.
For instance, a grpc proxy can distribute traffic across multiple instances of a service, ensuring that no single instance becomes a bottleneck. This is especially useful in cloud-native applications where services are often scaled on demand.
By placing a grpc proxy in front of your microservices, you can also add an extra layer of security to protect against common threats like DDoS attacks.
Recommended read: Verizon Add Second Line to Iphone
Scalability and Performance
The gRPC proxy can significantly reduce the watch load on the etcd server by coalescing multiple client watchers into a single watcher. This can be especially beneficial for deployments with a large number of clients watching the same key.
Assuming N clients watch the same key, one gRPC proxy can reduce the watch load on the etcd server from N to 1. This can lead to a significant decrease in server load and improve overall system performance.
Deploying multiple gRPC proxies can further distribute the server load, making it even more efficient.
For your interest: Grpc Load Balancing
Scalable Watch API
A scalable watch API is crucial for handling large numbers of clients watching the same data. It allows for efficient distribution of server load.
The gRPC proxy plays a key role in this scalability. It coalesces multiple client watchers into a single watcher connected to an etcd server.
Assuming N clients watch the same key, one gRPC proxy can reduce the watch load on the etcd server from N to 1. This significantly decreases the server's workload.
Users can deploy multiple gRPC proxies to further distribute server load. This approach enables efficient handling of a large number of clients.
In an example, three clients watch on key A. The gRPC proxy coalesces the three watchers, creating a single watcher attached to the etcd server.
Recommended read: Cilium Grpc Load Balancing
Scalable Lease API
The Scalable Lease API is a game-changer for heavy lease activity. It reduces the total number of streams on the core cluster from N (where N is the number of clients updating leases) to 1.
A single gRPC proxy can coalesce multiple client lease streams into a single lease keep alive stream, significantly reducing the load on the etcd server. This is especially useful in deployments with many clients updating leases.
To achieve this, a gRPC proxy can be deployed to coalesce the client lease streams, forwarding client-side lease heartbeats to the etcd server. The proxy then returns the responses to the corresponding client streams.
For example, with three clients updating three independent leases, a gRPC proxy can coalesce the three client lease streams into a single lease keep alive stream. This reduces the load on the etcd server from three streams to one.
Consider reading: Grpc Load Testing
Security and Authentication
Tyk Supports secure gRPC proxy connections, in order to do so you only need to attach a certificate to the API that you want to expose just as you do for regular APIs, after that you can consume the service via HTTPS.
Tyk supports Mutual Authentication in gRPC, requiring configuration through Mutual TLS. This is especially useful in an insecure scenario where H2C is used.
You can also use Basic Authentication in gRPC with Tyk, which involves sending credentials in the correct base64 format in an Authorization header from your gRPC client, using Basic base64Encode(username:password).
For your interest: Grpc Authentication
Abusive Clients Protection
In the world of distributed systems, a common problem arises from clients that send requests in rapid succession, potentially overwhelming the server. This is known as abusive clients.
The gRPC proxy has a built-in mechanism to protect against such abuse by caching responses for requests that don't break consistency requirements.
This caching can help shield the etcd server from the impact of abusive clients in tight for loops.
Secure
Tyk Supports secure gRPC proxy connections by attaching a certificate to the API you want to expose, just like for regular APIs.
This allows you to consume the service via HTTPS.
You can confirm the client port is serving HTTPS by checking the connection.
Tyk supports Mutual Authentication in gRPC, which can be configured using Mutual TLS.
In an insecure scenario, you can use H2C.
To test TLS termination, start a gRPC proxy on localhost:12379 by connecting to the etcd endpoint over HTTPS using client certificates.
Then, test the TLS termination by putting a key into the proxy over HTTP.
If this caught your attention, see: Grpc New Client
Proxy Modes and Configuration
There are two proxying modes supported: one to one and one to many. The one to one mode transmits data back and forth without any modifications.
In one to many mode, one client connection gets mapped into multiple upstream connections. This mode requires a special layout of protobuf messages.
Here's a quick rundown of the two proxying modes:
Namespacing
Namespacing allows multiple applications to run on the same etcd cluster without interfering with each other.
To enable namespacing, you can start the proxy with the --namespace flag. This flag translates all client requests to have a user-defined prefix on the keys.
Accesses to the etcd cluster will be under the prefix, and responses from the proxy will strip away the prefix, making it appear as if there is no prefix at all.
You can start the proxy with --namespace to enable namespacing.
Curious to learn more? Check out: When Will Mgm Be Back Online
Modes
There are two proxying modes supported: one to one and one to many. One to one mode transmits data back and forth without any modifications.
In one to one mode, data is passed through unchanged. This mode is straightforward and easy to understand.
One to many mode, on the other hand, maps a single client connection into multiple upstream connections. This can be useful for aggregating results or translating errors into response messages.
To use one to many mode, a special layout of protobuf messages is required. This adds an extra layer of complexity, but can be worth it for certain applications.
Here are the two proxying modes in a quick summary:
Insecure (H2C)
Insecure (H2C) connections can be a viable option for certain scenarios.
You can use h2c, the non-TLS version of HTTP/2, to establish an insecure connection between services.
Tyk supports h2c, which can be enabled at the API level by setting h2c as the protocol in the address of the gRPC server.
To do this, specify h2c in the target_url, for example: h2c://my-grpc-server.com.
Proxying Protocols
Tyk supports gRPC passthrough proxying when using HTTP/2 as a transport, the most common way to deploy gRPC services. This allows you to target specific methods of the gRPC service using the format: /{Service-Name}/{method name}, for example: /google.pubsub.v2.PublisherService/CreateTopic.
To enable this feature, HTTP method is always POST, and gRPC custom request metadata is added as HTTP headers, where metadata key is directly mapped to the HTTP header with the same name.
The gRPC over HTTP2 specification defines the rules on how the gRPC protocol maps to a HTTP request, for more information see.
Here are the prerequisites for enabling gRPC proxying in Tyk:
- Enable HTTP/2 support on the Gateway side, for both incoming and upstream connections, by setting http_server_options.enable_http2 and proxy_enable_http2 to true in your tyk.conf Gateway config file.
- The listen path of the Api should be the same as the gRPC service name, so tyk can route it correctly.
- Ensure that strip_listen_path is set to false in your API, so the route of the gRPC service method is build correctly following the standard: {service_name}/{service_method}.
Start Etcd
To start using etcd, you need to start the etcd gRPC proxy. This can be done with a single command.
The etcd gRPC proxy starts and listens on port 2379. It's a crucial step in using static endpoints.
The proxy forwards client requests to one of the three endpoints provided. This allows you to send requests through the proxy.
You can start the etcd gRPC proxy and begin sending requests through it.
Using H2C
You can set up a gRPC proxy using H2C, which is a simple way to have a working gRPC proxy setup. You'll need a gRPC server, a gRPC client, and an instance of the Tyk Gateway and Dashboard.
A gRPC server is required, and for this example, you can use a server. You'll also need a gRPC client, and you can use grpcurl, which is basically curl but for gRPC.
To configure the Tyk Gateway, you'll need to create an API via the Tyk dashboard with the following configuration. This includes exposing the gRPC server at port 50051.
To test the service, you can consume it via the Tyk Gateway from the command line. The command to test it is: grpcurl -plaintext -proto helloworld.proto -d '{"name": "joe"}' tyk-gateway:8080 helloworld.Greeter/SayHello.
This command should give you a response of: {"message": "Hello joe"}, which means that everything is working as it should.
For your interest: Hotmail Website Not Working
Using HTTPS
You can expose a gRPC service via HTTPS using Tyk.
To do this, you'll need a gRPC server, a gRPC client, a certificate to expose the API via HTTPS, and an instance of Tyk Gateway and Dashboard.
Exposing a gRPC server via HTTPS is a common requirement in Kubernetes environments, where internet traffic goes through Tyk but traffic in the inner cluster is in plain HTTP.
A certificate is required to expose the API via HTTPS. This certificate will be used to encrypt the communication between the client and the server.
Here are the steps to expose a gRPC service via HTTPS using Tyk:
1. Execute the gRPC server with the TLS flag enabled (go run server.go -tls=true).
2. Create the API via the Tyk Dashboard with the correct configuration.
3. Test the solution by sending a request to the Tyk Gateway (grpcurl -proto route_guide.proto -d '{"latitude": 1, "longitude":2}' tyk:8080 routeguide.RouteGuide/GetFeature).
Note that you should not use the -plaintext flag when sending the request, as the goal is to connect via HTTPS.
Check this out: Azure Api Management vs Api Gateway
Monitoring and Health
Monitoring and Health is a crucial aspect of running a gRPC proxy. The proxy exposes /health and Prometheus /metrics endpoints for the etcd members defined by --endpoints.
These endpoints provide valuable insights into the health and performance of your etcd cluster. You can access them to monitor your cluster's metrics and health.
The gRPC proxy also allows you to define an additional URL that will respond to both the /metrics and /health endpoints with the --metrics-addr flag. This can be useful for simplifying your monitoring setup.
Using External Tools
You can use grpcurl, a tool similar to curl but for gRPC, to test your gRPC proxy setup. This is the simplest way to have a working gRPC proxy setup.
grpcurl is a command-line tool that allows you to send gRPC requests and inspect the responses. It's a useful tool for testing and debugging your gRPC proxy setup.
To use grpcurl, you need to have a gRPC server and a gRPC client. You can use the gRPC server from Example 2, which is a simple server that exposes a gRPC service.
You might enjoy: When to Use Grpc
Here's an example of how to use grpcurl to test your gRPC proxy setup:
grpcurl -plaintext -proto helloworld.proto -d '{"name": "joe"}' tyk-gateway:8080 helloworld.Greeter/SayHello
This command sends a gRPC request to the Tyk Gateway at port 8080, using the helloworld.proto file as the protocol buffer definition, with a request body containing the string "joe". The response should be a message with the string "Hello joe".
Note that you need to replace "tyk-gateway" with the hostname or IP address of your Tyk Gateway instance.
You can also use grpcurl to test your gRPC proxy setup with HTTPS. For example:
grpcurl -proto route_guide.proto -d '{"latitude": 1, "longitude":2}' tyk:8080 routeguide.RouteGuide/GetFeature
This command sends a gRPC request to the Tyk Gateway at port 8080, using the route_guide.proto file as the protocol buffer definition, with a request body containing the coordinates 1 and 2. The response should be a message with the feature information.
Remember to replace "tyk" with the hostname or IP address of your Tyk Gateway instance.
Recommended read: Short Message Service Center
Authentication and Authorization
Tyk supports two types of authentication in gRPC: Basic Authentication and Token Based Authentication.
For Basic Authentication, you need to send credentials in the correct base64 format in an Authorization header from your gRPC client, formatted as "Basic base64Encode(username:password)".
To set up Token Based Authentication, you'll need to configure Bearer Tokens in Tyk and then send a token in an Authorization header from your gRPC client.
This allows for secure and efficient communication between your gRPC client and Tyk.
Recommended read: Dropbox Basic Uploader
Basic Authentication
Basic Authentication is a simple yet effective way to secure your API.
Tyk supports Basic Authentication in gRPC, which means you can use it to authenticate your API requests.
To configure Basic Authentication in Tyk, you'll need to follow the instructions in the Basic Authentication section.
Once you've set up your Tyk configuration, you'll need to send credentials in the correct base64 format in an Authorization header from your gRPC client.
The credentials should be in the format of a base64 encoded string, which is created by concatenating your username and password with a colon in between.
For example, you can use the following command to encode your credentials: "Basic base64Encode(username:password)".
Token Based Authentication
Token Based Authentication is a secure way to authenticate users, especially when working with gRPC.
Tyk supports Token Based Authentication in gRPC, so you can rely on its functionality.
To set up Token Based Authentication, you need to configure your Tyk settings.
After that, you just need to send a token in an Authorization header from your gRPC client.
This token will serve as a digital key to verify your identity and grant access to protected resources.
Readers also liked: Cloud Based Web Scraping
Load Balancing and Distribution
Tyk can perform load balancing on gRPC traffic using an approach similar to its native Load Balancing functionality. This approach can be used for both secure and insecure gRPC scenarios.
To configure multiple upstream targets in a secure gRPC scenario, check the "Enable round-robin load balancing" flag in the "Core Settings" section of your API. Define each target as https://grpc.test.example.com:10000, https://grpc.test.example.com:10001, and so on.
For insecure gRPC scenarios, use the same approach but with the H2C scheme instead: h2c://grpc.test.example.com:10000, h2c://grpc.test.example.com:10001, etc.
Expand your knowledge: Azure Service Bus Topic Filter Example
In one to many proxying mode, it's critical to identify the source of each message proxied back from the upstreams. This is achieved by having a repeated list of response messages in the protobuf response message.
To make this work, every response should be a repeated list of response messages so that responses from multiple upstreams can be concatenated to build a combined response from all the upstreams.
Expand your knowledge: Azure Rapid Response
Redirecting and Decoding
In some proxy server scenarios, you may need to decode and obtain the structure object to perform custom processing and then resend it to the remote end.
You can introduce the corresponding client stub module code in the proxy server code, as shown in the example.
To decode and forward data, you need to create a client to connect with the target, read the data through RecvMsg, and serialize it into the structure.
You can add judgment and modification operations on the structure fields, and then forward it to the client.
In a bidirectional streaming scenario, both the server and client perform multiple structure sending and receiving operations through serverStream and clientStream respectively.
Here's an interesting read: Vertical Service Code
Featured Images: pexels.com


