|
| 1 | +--- |
| 2 | +title: How to configure VMware Spring Cloud Gateway with Azure Spring Apps Enterprise tier |
| 3 | +description: Shows you how to configure VMware Spring Cloud Gateway with Azure Spring Apps Enterprise tier. |
| 4 | +author: karlerickson |
| 5 | +ms.author: xiading |
| 6 | +ms.service: spring-cloud |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 11/04/2022 |
| 9 | +ms.custom: devx-track-java, devx-track-azurecli, event-tier1-build-2022 |
| 10 | +--- |
| 11 | + |
| 12 | +# Configure VMware Spring Cloud Gateway |
| 13 | + |
| 14 | +> [!NOTE] |
| 15 | +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. |
| 16 | +
|
| 17 | +**This article applies to:** ❌ Basic/Standard tier ✔️ Enterprise tier |
| 18 | + |
| 19 | +This article shows you how to configure VMware Spring Cloud Gateway with Azure Spring Apps Enterprise tier. |
| 20 | + |
| 21 | +[VMware Spring Cloud Gateway](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/index.html) is a commercial VMware Tanzu component based on the open-source Spring Cloud Gateway project. Spring Cloud Gateway for Tanzu handles cross-cutting concerns for API development teams, such as single sign-on (SSO), access control, rate-limiting, resiliency, security, and more. You can accelerate API delivery using modern cloud native patterns, and any programming language you choose for API development. |
| 22 | + |
| 23 | +A Spring Cloud Gateway instance routes traffic according to rules. Both *scale in/out* and *up/down* are supported to meet a dynamic traffic load. |
| 24 | + |
| 25 | +VMware Spring Cloud Gateway includes the following features: |
| 26 | + |
| 27 | +- Dynamic routing configuration, independent of individual applications that can be applied and changed without recompilation. |
| 28 | +- Commercial API route filters for transporting authorized JSON Web Token (JWT) claims to application services. |
| 29 | +- Client certificate authorization. |
| 30 | +- Rate-limiting approaches. |
| 31 | +- Circuit breaker configuration. |
| 32 | +- Support for accessing application services via HTTP Basic Authentication credentials. |
| 33 | + |
| 34 | +To integrate with [API portal for VMware Tanzu®](./how-to-use-enterprise-api-portal.md), VMware Spring Cloud Gateway automatically generates OpenAPI version 3 documentation after any route configuration additions or changes. |
| 35 | + |
| 36 | +## Prerequisites |
| 37 | + |
| 38 | +- An already provisioned Azure Spring Apps Enterprise tier service instance with VMware Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise tier](quickstart-deploy-apps-enterprise.md). |
| 39 | + |
| 40 | + > [!NOTE] |
| 41 | + > To use VMware Spring Cloud Gateway, you must enable it when you provision your Azure Spring Apps service instance. You cannot enable it after provisioning at this time. |
| 42 | +
|
| 43 | +- [Azure CLI version 2.0.67 or later](/cli/azure/install-azure-cli). |
| 44 | + |
| 45 | +## Configure Spring Cloud Gateway |
| 46 | + |
| 47 | +This section describes how to assign an endpoint to Spring Cloud Gateway and configure its properties. |
| 48 | + |
| 49 | +To view the running state and resources given to Spring Cloud Gateway and its operator, open your Azure Spring Apps instance in the Azure portal, select the **Spring Cloud Gateway** section, and then select **Overview**. |
| 50 | + |
| 51 | +To assign a public endpoint, select **Yes** next to **Assign endpoint**. You'll get a URL in a few minutes. Save the URL to use later. |
| 52 | + |
| 53 | +:::image type="content" source="media/how-to-configure-enterprise-spring-cloud-gateway/gateway-overview.png" alt-text="Screenshot of Azure portal Azure Spring Apps overview page with 'Assign endpoint' highlighted." lightbox="media/how-to-configure-enterprise-spring-cloud-gateway/gateway-overview.png"::: |
| 54 | + |
| 55 | +You can also use Azure CLI to assign the endpoint, as shown in the following command: |
| 56 | + |
| 57 | +```azurecli |
| 58 | +az spring gateway update --assign-endpoint |
| 59 | +``` |
| 60 | + |
| 61 | +## Configure VMware Spring Cloud Gateway metadata |
| 62 | + |
| 63 | +VMware Spring Cloud Gateway metadata is used to automatically generate OpenAPI version 3 documentation so that the [API portal](./how-to-use-enterprise-api-portal.md) can gather information to show the route groups. The available metadata options are described in the following table. |
| 64 | + |
| 65 | +| Property | Description | |
| 66 | +|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |
| 67 | +| title | A title describing the context of the APIs available on the Gateway instance. The default value is *Spring Cloud Gateway for K8S*. | |
| 68 | +| description | A detailed description of the APIs available on the Gateway instance. The default value is *Generated OpenAPI 3 document that describes the API routes configured for '\[Gateway instance name\]' Spring Cloud Gateway instance deployed under '\[namespace\]' namespace.*. | |
| 69 | +| documentation | The location of more documentation for the APIs available on the Gateway instance. | |
| 70 | +| version | The version of APIs available on this Gateway instance. The default value is *unspecified*. | |
| 71 | +| serverUrl | The base URL that API consumers will use to access APIs on the Gateway instance. | |
| 72 | + |
| 73 | +> [!NOTE] |
| 74 | +> `serverUrl` is mandatory if you want to integrate with [API portal](./how-to-use-enterprise-api-portal.md). |
| 75 | +
|
| 76 | +Use the following command to configure VMware Spring Cloud Gateway metadata properties: |
| 77 | + |
| 78 | +```azurecli |
| 79 | +az spring gateway update \ |
| 80 | + --api-description "<api-description>" \ |
| 81 | + --api-title "<api-title>" \ |
| 82 | + --api-version "v0.1" \ |
| 83 | + --server-url "<endpoint-in-the-previous-step>" \ |
| 84 | + --allowed-origins "*" |
| 85 | +``` |
| 86 | + |
| 87 | +You can also view or edit these properties in the Azure portal, as shown in the following screenshot. |
| 88 | + |
| 89 | +:::image type="content" source="media/how-to-configure-enterprise-spring-cloud-gateway/gateway-configuration.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps Spring Cloud Gateway page with Configuration pane showing." lightbox="media/how-to-configure-enterprise-spring-cloud-gateway/gateway-configuration.png"::: |
| 90 | + |
| 91 | +## Configure single sign-on (SSO) |
| 92 | + |
| 93 | +VMware Spring Cloud Gateway supports authentication and authorization using single sign-on (SSO) with an OpenID identity provider (IdP) which supports OpenID Connect Discovery protocol. |
| 94 | + |
| 95 | +| Property | Required? | Description | |
| 96 | +|----------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |
| 97 | +| `issuerUri` | Yes | The URI that is asserted as its Issuer Identifier. For example, if the `issuer-uri` provided is `https://example.com`, then an OpenID Provider Configuration Request will be made to `https://example.com/.well-known/openid-configuration`. The result is expected to be an OpenID Provider Configuration Response. | |
| 98 | +| `clientId` | Yes | The OpenID Connect client ID provided by your IdP. | |
| 99 | +| `clientSecret` | Yes | The OpenID Connect client secret provided by your IdP. | |
| 100 | +| `scope` | Yes | A list of scopes to include in JWT identity tokens. This list should be based on the scopes allowed by your identity provider. | |
| 101 | + |
| 102 | +To set up SSO with Azure AD, see [How to set up single sign-on with Azure Active Directory for Spring Cloud Gateway and API Portal](./how-to-set-up-sso-with-azure-ad.md). |
| 103 | + |
| 104 | +Use the following command to configure SSO properties for VMware Spring Cloud Gateway: |
| 105 | + |
| 106 | +```azurecli |
| 107 | +az spring gateway update \ |
| 108 | + --client-id <client-id> \ |
| 109 | + --client-secret <client-secret> \ |
| 110 | + --issuer-uri <issuer-uri> \ |
| 111 | + --scope <scope> |
| 112 | +``` |
| 113 | + |
| 114 | +You can also view or edit those properties in the Azure portal, as shown in the following screenshot: |
| 115 | + |
| 116 | +:::image type="content" source="media/how-to-configure-enterprise-spring-cloud-gateway/gateway-sso-configuration.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps Spring Cloud Gateway page with Configuration pane showing including Single Sign On Configuration." lightbox="media/how-to-configure-enterprise-spring-cloud-gateway/gateway-sso-configuration.png"::: |
| 117 | + |
| 118 | +> [!NOTE] |
| 119 | +> Only authorization servers supporting OpenID Connect Discovery protocol are supported. Also, be sure to configure the external authorization server to allow redirects back to the gateway. Refer to your authorization server's documentation and add `https://<gateway-external-url>/login/oauth2/code/sso` to the list of allowed redirect URIs. |
| 120 | +> |
| 121 | +> If you configure the wrong SSO property, such as the wrong password, you should remove the entire SSO property and re-add the correct configuration. |
| 122 | +> |
| 123 | +> After configuring SSO, remember to set `ssoEnabled: true` for the Spring Cloud Gateway routes. |
| 124 | +
|
| 125 | +## Configure cross-origin resource sharing (CORS) |
| 126 | + |
| 127 | +Cross-origin resource sharing (CORS) allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. The available CORS configuration options are described in the following table. |
| 128 | + |
| 129 | +| Property | Description | |
| 130 | +|------------------|----------------------------------------------------------------------------------------| |
| 131 | +| allowedOrigins | Allowed origins to make cross-site requests. | |
| 132 | +| allowedMethods | Allowed HTTP methods on cross-site requests. | |
| 133 | +| allowedHeaders | Allowed headers in cross-site request. | |
| 134 | +| maxAge | How long, in seconds, the response from a pre-flight request can be cached by clients. | |
| 135 | +| allowCredentials | Whether user credentials are supported on cross-site requests. | |
| 136 | +| exposedHeaders | HTTP response headers to expose for cross-site requests. | |
| 137 | + |
| 138 | +> [!NOTE] |
| 139 | +> Be sure you have the correct CORS configuration if you want to integrate with the [API portal](./how-to-use-enterprise-api-portal.md). For an example, see the [Configure Spring Cloud Gateway](#configure-spring-cloud-gateway) section. |
| 140 | +
|
| 141 | +## Use service scaling |
| 142 | + |
| 143 | +Customization of resource allocation for Spring Cloud Gateway instances is supported, including vCpu, memory, and instance count. |
| 144 | + |
| 145 | +> [!NOTE] |
| 146 | +> For high availability, a single replica is not recommended. |
| 147 | +
|
| 148 | +The following table describes the default resource usage: |
| 149 | + |
| 150 | +| Component name | Instance count | vCPU per instance | Memory per instance | |
| 151 | +|----------------------------------------------|----------------|-------------------|---------------------| |
| 152 | +| VMware Spring Cloud Gateway | 2 | 1 core | 2Gi | |
| 153 | +| VMware Spring Cloud Gateway operator | 2 | 1 core | 2Gi | |
| 154 | + |
| 155 | +## Next steps |
| 156 | + |
| 157 | +- [How to Use Spring Cloud Gateway](how-to-use-enterprise-spring-cloud-gateway.md) |
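Review bot: The metadata example at line 84 of the new file passes `--allowed-origins "*"` with no explanation, and readers will copy it verbatim. Per the CORS table, `allowedOrigins` is the list of origins allowed to make cross-site requests, so the sample should use a placeholder in the same style as the other arguments (for instance the API portal origin the note at line 139 refers to) and say in one sentence why the flag appears in a metadata command. Related points in the same file: the CORS note at line 139 links to `#configure-spring-cloud-gateway` for an example, but the only `--allowed-origins` usage is under "Configure VMware Spring Cloud Gateway metadata", so the anchor should point there. The SSO note at line 121 says "wrong password", while the SSO table lists `clientSecret` and no password. The `issuerUri` row at line 97 refers to the property as `issuer-uri`, so pick one spelling for the property and keep the hyphenated form for the CLI flag only.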