Tagged: Gateway

Webinar: Architecting Your Delivery Platform for the API Economy

As enterprise architects meet the growing tide of API demand, where to now for the SOA infrastructures they have invested in over the past 5 years?

In this webinar, Vordel and our guest speaker, Randy Heffner, Vice President and Principal Analyst with Forrester Research, Inc. examine the evolution from SOA to API and outline how enterprise architects can leverage the investments they have made in SOA Application Gateways as part of a SOA infrastructure to ensure their organization efficiently manages their APIs and delivers on the overall API Strategy.

What you will learn:

  • Best practice reference architecture for API Delivery
  • How to leverage existing SOA infrastructure to manage API delivery
  • Identify challenges for securing and managing API delivery

To view this document please





Edge of the Cloud

From www.soatothecloud.com on Wednesday, February 1, 2012 by Mark O’Neill

Steve Coplan from 451 Group tweeted today that “A ‘cloud edge’ device could provide some ability to manage bidirectional flows between on-prem and off-prem infrastructure”.

‘Cloud Edge’ is an excellent way to describe products which links on-premises infrastructure to cloud-based infrastructure. I’d add that as well as managing the data flows in each direction, it’s also important to manage identity in either direction. One of the most exciting products to enable linkage of on-premises and off-premises infrastructure is VMware’s Horizon App Manager. Chris Hoff from Juniper has written a really useful “Quick Ping” piece about HAM (yep, that’s its acronym), explaining that:

What’s “new” with VMware’s Horizon App Manager is that we see the convergence and well-sorted integration of a service-driven federated identity capability that ties together enterprise “web” and “cloud” (*cough*)-based SaaS applications with multi-platform device mobility powered by the underpinnings of freshly-architected virtualization and cloud architecture. All delivered as a service (SaaS) by VMware for $30 per user/per year.
http://www.rationalsurvivability.com/blog/?p=3116

I’ve been using HAM a lot recently, and today I was setting up the Vordel Application Gateway as a Cloud Edge device with VMware’s Horizon App Manager to provide single sign-on from HAM’s SAML and OAuth based model into an on-premises behind-the-firewall app protected by enterprise identity management. From a user’s point of view, they simply click on the app logo, and they are logged in. The user is not aware that the app is on-premises, while other apps they see (e.g. SalesForce) are cloud-based. In fact, the user should not be aware of where the app physically is located. All of this is exciting, and fits well with the vision of “Applications Anywhere” here at Vordel.

It is exciting to see all this convergence. Using a Cloud Edge device to link on-premises to the Cloud, to deploy apps “anywhere”, seems like the future to me. Once users truly do not have to care where their apps are located, on-premises or in the Cloud, then we are beyond the Cloud era and into “applications anywhere”. Cloud edge devices are what makes this possible.


Hide Call-back URL of Asynchronous Web Service

From Blog xmlgateway.blogspot.com

In general synchronous web-services are simpler and more common than asynchronous web services. I like them, because for 99% of cases, the security can be done at the transport level using 2-way SSL. Asynchronous web-services introduce additional security challenges – mainly that messages are likely to be in memory or on disk where the transport is not there to keep the contents of the message secure. The purpose of this post is not to explore the security challenges of using asynchronous web-services, but another complexity – proper handling of web-services callbacks through an intermediary.
Continue reading 


Throttling of Requests

Posted on August 4, 2011 – from Blog enterprisegateway.wordpress.com

I recently saw this great article by Mark O’Neill, CTO at Vordel about throttling. Take a look here http://www.soatothecloud.com/2011/07/how-to-configure-throttling-on-vordel.html.

Mark assumes you have a degree of familiarity with either the Vordel Gateway.

What I’d like to do in this post is focus a little deeper on request throttling, and show how the gateway can help avoid partners and service consumers from overloading your services not just by blocking requests that exceed a certain threshold, but by giving advanced warning of erroneous excessive service consumption.

It is worth taking a few paragraphs to explain the very real value of request throttling, and perhaps to make a brief comparison with SLA management, quota management, traffic shaping and concurrent transaction processing limits.

In the context of gateways being used to virtualise services for external consumption, throttling is primarily concerned with the number of requests made by consumers to the target services. Restrictions take the form of a message count that is incremented and measured over a specific time period. The Vordel gateway provides both coarse and fine grained control of request counts and perhaps more importantly can track the request count based on virtually any index.

image

The throttling filter provides a variety of options for measuring and tracking request counts – the time period unit ranges from seconds, minute, hour, day, and week meaning that it can used to implement quota management as part of a pay-per-use solution.

The number of messages, period and period unit can also specified by parameter substitution – enabling complete decoupling of the throttling limits which could be managed in an external provisioning system or database.

Key to the successful implementation of a request throttling solution of enterprise scale is the ability to maintain a consistent count across multiple gateways in an HA / HA-DR deployment – achieved quite simply here by the use of the gateway’s caching mechanism.

Pay special attention to the “Track per key” setting that allows the request count to be applied to different contexts. In the screen shot above, the wildcard attribute of ${http.request.clientaddr} is being used – fairly obviously this will apply the request count restrictions based on unique IP address value of the calling client. The ability to control the “key” with attributes gives enormous flexibility, and because multiple throttling filters can be linked together in a policy (or circuit) limits can be applied to an incredibly low level. You could for example apply a global request rate limit across all services (good practice for mitigating DoS attacks). Legacy applications that have been “service enabled” may be a little fragile (having never been designed for web volumes) – it would make sense to apply a service wide limit in addition to the global restriction, but independent of the calling client – you could even be operation specific. Most of us are also familiar with the pattern that allows restricted service usage for “free”, and a tiered allowance for those signing up to the “pro” version – a good example of metered service consumption by role. Then there is the hard core application – of quota management by identity (which could be at individual user level or partner organisation).

For the record, throttling should not be confused with SLA (Service Level Agreement) monitoring and management. It may be sensible to offer an SLA within restricted bounds (of request volume) but SLA is more concerned with response times, number of failures (typically non 2xx response codes) etc…

The value here is pretty obvious, by implementing a well considered throttling strategy (which incidentally can be designed once and applied globally) you get the following

  • Protection from request volume based DoS attacks
  • Shielding of vulnerable servers, services (and even specific operations)
  • Service Consumption Metering (billable pay per use services)
  • Optional and conditional routing of excess traffic (maybe expanding into the cloud at peek times
  • Pro-active non-blocking alerting that allows action to be taken before critical limits are reached with built in alert storm protection
  • boundary volumes for tightening SLA agreements

Using externally set parameters means that limits can be changed an applied dynamically (or in extreme cases even scripted!!) you could for example automate the increase of a limit on receipt of payment for a particular partner / customer.

The wealth of functionality in just one filter component is impressive in its own right, and… there’s more… Mark’s blog describes a relatively simple design…. once you reach the throttling limit for the service then future requests are “rejected” until such time as the rate calculation falls below the specified threshold. By introducing a soft limit we have the capability to provide non-blocking alerts that give prior warning of an impending breech .

Working through an example….

1. Basic service throttling

image

The figure above shows rudimentary service throttling (at 100 requests per second is used as an example only). If the number of requests to the service exceed this, then a soap fault will be returned by the gateway and the request is not sent to the target service (blocking).

If we introduce another throttling filter (different key for tracking!) with a lower limit, we can provide an alert to an appropriate party (operations / partner administration contact / account manager or all)

2. Setting a “soft” limit

image

In this example I’ve chosen to set the warning level at 80 requests per second – and changed the key to track by to avoid a double increment with the hard limit filter.

 

 

 

image

At first glance, it looks a little odd – basically we don’t change the policy execution path when we exceed the SOFT limit. This will however show in trace files, real time monitoring and the new Traffic Monitor

3. Take some action on exceeding the SOFT limit

a) For demonstration purposes I’ll use a syslog alert, but it should be obvious at this point that the conditional processing that occurs as a result of a SOFT limit breach is not restricted to syslog alerting – or alerting at all! – setting up an alert

imageimage

Having set up an alert target, it can now be used to flag a soft limit breach… n.b. the alert filter is found in the Monitoring category

image

image

The actual alert configuration is outside the scope of what I want to discuss here, I’ll perhaps cover it in greater detail in a different post

So from the top down …..

If the request being processed causes the 80/s count to be exceeded we follow the failure path (the red line) to the “Alert” filter – my alert is configured to send a message to syslog with details of the service soft limit breech.

In the above policy I have chosen not to put the alert on the critical path, in real terms this means that even if the alert fails then message processing will continue. Then the policy checks the HARD limit which is where we started at step 1… meaning that if the request is over the soft limit but below the hard limit then the alert is sent and the request is processed as desired, only when the hard limit is exceeded are requests blocked.

** The brighter readers of this might observe that this means you could have 20 alerts in a second for each request that is >79 but less than 100 ** essentially an alert storm. Fortunately the alerting filter provides the ability to prevent this by configuring a limit for the number of alerts that can be sent in a given time period…. the clever guys at Vordel think of almost everything


Vordel Ranked as a Leader in SOA Application Gateways by Independent Research Firm

Boston, MA, November 29, 2011 – Vordel, a provider of SOA and Cloud Gateways today announced it has been positioned by Forrester Research, Inc. as a Leader in the firm’s new report, “The Forrester WaveTM: SOA Application Gateways, Q4 2011″ (November 2011). Forrester defined the role of a SOA application gateway as being “…a control point in the network path between a set of SOA services and the consumers that use the services.”

The Vordel Application Gateway acts as a key integration and security gateway to enable enterprises protect their SOA services and manage their Cloud and mobile APIs. Fortune 5,000 enterprises and government agencies around the world rely on Vordel to provide integration, security, control, and acceleration for their applications and SOA.

Leaders were recognized for their “wide-ranging support for message formats and protocols (including FTP) and strong content transformation features … [as well as] strong attack protection and trust enablement security features. Forrester recognized Vordel as a leader whose “… offering is strong overall …with a good global presence … and customer references [that] expressed strong satisfaction with the company and the product.” The report also cited Vordel’s important partnership with Oracle.

“We believe Forrester’s ranking of Vordel as a leader in SOA application gateways is testimony to the strength of our product and our market penetration, said Hugh Carroll, VP Marketing at Vordel. “As organizations seek to extend their SOA services to accommodate their mobile and Cloud strategies, Vordel is proving to be the partner of choice for API Management and Security.”

About Vordel
Vordel delivers fast, safe, connectivity for SOA, Cloud and Mobile Services. Vordel Gateway provides integration, security, governance, and acceleration for enterprise applications and Cloud based services. Vordel Gateway enables Fortune 5000 enterprises and government agencies to extend their enterprise applications and SOA infrastructure beyond the perimeter to enable Cloud based services and mobile computing. Vordel makes it possible to deliver and consume “Applications Anywhere” with IT’s existing applications and infrastructure, without costly upgrades and rewrites. Vordel is an Oracle Platinum Certified Partner. Follow us on twitter and our Blogs

Press Contact Vordel
Hugh Carroll, Vordel
press-info@vordel.com
+353 1 234 2500
+353 86 604 9270

Anne Marie McCallion
ReturnPR
annemarie@returnpr.com
+ 353 86 834 9329