9.8-bob: API Gateway va service discovery
9-QISM — Arxitektura va ilg'or backend · 8-mavzu
1. Kirish va motivatsiya
Xizmatlar qanday gaplashishini 9.6-bob va event naqshlarini 9.7-bob bildik. Endi mikroservis arxitekturasining ikki muhim infratuzilma qismini — API Gateway (yagona kirish nuqtasi) va service discovery (xizmatlar bir-birini topishi) — chuqur o'rganamiz. 8.16'da Gateway'ni qisman ko'rdik; endi to'liq: nega Gateway, u nima qiladi, BFF (Backend for Frontend), va xizmatlar dinamik muhitda (Kubernetes — har deploy'da IP o'zgaradi) bir-birini qanday topadi.
Muammo: mikroservis arxitekturasida o'nlab xizmat bor. Mijoz (mobil/veb) ularning har biriga to'g'ridan murojaat qilsa — kaos: mijoz qaysi xizmat qayerda ekanini bilishi kerak, har biriga alohida auth, CORS, rate limit (takror), va ichki tuzilma tashqariga oshkor bo'ladi (xavfsizlik). API Gateway buni hal qiladi — mijoz uchun yagona eshik: u so'rovni qabul qiladi, autentifikatsiya qiladi, kerakli xizmatga yo'naltiradi, javoblarni birlashtiradi. Va xizmatlar bir-birini topishi uchun (IP doim o'zgaradi) — service discovery.
Bu bob: API Gateway (nega, nima qiladi — chuqur), Gateway vazifalari (routing, auth, rate limit, aggregation), BFF (har mijoz turi uchun maxsus gateway), Gateway vs Service Mesh, service discovery (xizmatlar bir-birini topishi), client-side vs server-side discovery, service registry (Consul/Eureka/Kubernetes), va health check. Bu bob 8.16 (Gateway), 9.5 (mikroservis), 8.9 (auth), 10 (Kubernetes) bilan bog'liq. Bu — mikroservis infratuzilmasining yuragi.
O'xshatish: API Gateway — katta biznes-markaz qabulxonasi (resepshn). Mehmon (mijoz) har bo'limga (xizmatga) to'g'ridan kirmaydi — avval qabulxonaga keladi: u yerda hujjat tekshiriladi (auth), navbat boshqariladi (rate limit), kerakli bo'limga yo'naltiriladi (routing), va ba'zan bir necha bo'limdan ma'lumot yig'ib beriladi (aggregation). Mehmon ichki tuzilmani bilmaydi (xona raqamlari, qaysi xodim qayerda — yashirin). Service discovery — ichki telefon kitobi: xodimlar (xizmatlar) ko'chib yuradi (IP o'zgaradi), lekin telefon kitobi (registry) doim yangilanadi — kim qayerda ekanini biladi (qo'lda emas). Qabulxona + telefon kitobi = tartibli, xavfsiz, moslashuvchan bino.
Nega muhim?
- Yagona kirish — mijoz uchun bitta eshik (kaos emas).
- Markazlashgan — auth, rate limit, CORS (har xizmatda takror emas).
- Service discovery — dinamik muhit (IP o'zgaradi — Kubernetes).
- Mikroservis infratuzilmasi — Gateway + discovery (asos).
2. Nazariya — chuqur tushuntirish
2.1. API Gateway muammosi (nega kerak)
GATEWAYSIZ (mijoz har xizmatga to'g'ridan):
Mijoz ── User Service (auth? CORS? rate limit?)
├── Order Service (auth TAKROR? CORS TAKROR?)
├── Product Service (...)
└── Payment Service (ichki tuzilma OSHKOR — xavfsizlik!)
Har xizmatda auth/CORS/rate limit takror; mijoz tuzilmani biladi;
ko'p endpoint; ichki o'zgarish mijozni buzadi
GATEWAY BILAN (yagona eshik):
Mijoz ── API Gateway ── kerakli xizmat
(auth, rate limit, routing, CORS — BIR JOYDA)
Markazlashgan; mijoz tuzilmani bilmaydi; bitta endpointAPI Gateway muammosi: Gateway'siz mijoz har xizmatga to'g'ridan murojaat qiladi auth/CORS/rate limit har xizmatda takror (8.9, 5.20), mijoz ichki tuzilmani biladi (xavfsizlik — ichki o'zgarish mijozni buzadi), ko'p endpoint. Gateway bilan — yagona eshik: auth/rate limit/routing/CORS bir joyda (markazlashgan), mijoz ichki tuzilmani bilmaydi (yashirin), bitta endpoint. Bu — mikroservisda Gateway majburiyligining sababi (cross-cutting concerns markazlashtirish).
2.2. API Gateway vazifalari
API GATEWAY NIMA QILADI (cross-cutting concerns):
Routing — so'rovni kerakli xizmatga yo'naltirish (/users User Svc)
Autentifikatsiya — token tekshirish (8.9 — bir joyda, har xizmatda emas)
Rate limiting — so'rov cheklash (5.20, 8.16 — DoS himoyasi)
Request aggregation — bir necha xizmatdan ma'lumot yig'ish 2.4-bob
CORS, SSL termination (HTTPS — bir joyda)
Logging/monitoring (markazlashgan kuzatuv — 10)
Caching (umumiy javoblar — 8.15)
Request/response transformatsiya (format moslashtirish)
Load balancing (xizmat nusxalariga taqsimlash)API Gateway vazifalari (cross-cutting concerns — har xizmatga tegishli umumiy ishlar): routing (kerakli xizmatga), auth (token bir joyda — 8.9), rate limiting (DoS — 5.20), aggregation (ko'p xizmat ma'lumoti — 2.4), CORS/SSL, logging/monitoring (10), caching 8.15-bob, transformatsiya, load balancing. Bularni har xizmatda takrorlash o'rniga — Gateway'da bir joyda (DRY — 9.1). Xizmatlar faqat biznes mantiqqa e'tibor beradi (auth/CORS Gateway'da). Gateway — "front door" (oldingi eshik).
2.3. Gateway turlari va vositalar
GATEWAY VOSITALARI:
- Tayyor: Kong, Nginx, Traefik, AWS API Gateway, Apache APISIX
ishlab chiqarish-tayyor (auth, rate limit plugin'lar)
- Maxsus (custom): NestJS Gateway 8.16-bob — to'liq nazorat
- Service Mesh (Istio/Linkerd): xizmatlararo (sidecar — 2.6)
Oddiy: tayyor (Kong/Nginx); maxsus mantiq: custom (NestJS);
juda katta: service mesh (qo'shimcha)Gateway vositalari: tayyor (Kong, Nginx, Traefik, AWS API Gateway, APISIX — ishlab chiqarish-tayyor, plugin'lar — auth/rate limit); custom (NestJS Gateway — 8.16 — to'liq nazorat, maxsus mantiq); service mesh (Istio/Linkerd — xizmatlararo — 2.6). Tanlov: oddiy tayyor (Kong/Nginx — kam kod); maxsus biznes mantiq custom (NestJS); juda katta tizim service mesh. Ko'p loyiha uchun tayyor Gateway yetadi (g'ildirakni qayta ixtiro qilmaslik).
2.4. Request aggregation (javoblarni birlashtirish)
AGGREGATION — bir so'rovga bir necha xizmatdan ma'lumot:
Mijoz: "buyurtma sahifasi" (1 so'rov)
Gateway:
├ Order Service (buyurtma)
├ User Service (mijoz)
└ Product Service (mahsulotlar)
birlashtirilgan javob (mijoz 1 so'rov yubordi, Gateway 3 ta qildi)
Mijoz 1 so'rov (under-fetching yo'q — mobil uchun muhim)
Gateway murakkablashadi (yoki BFF — 2.5; yoki GraphQL — 8.17)Request aggregation (javoblarni birlashtirish): mijoz bitta so'rov yuboradi (buyurtma sahifasi), Gateway bir necha xizmatdan ma'lumot yig'ib birlashtiradi (order + user + products). Mijoz 1 so'rov (under-fetching yo'q — mobil/sekin tarmoq uchun muhim — REST'ning under-fetching muammosi — 8.17: 2.2). Lekin Gateway murakkablashadi (yoki BFF — 2.5, yoki GraphQL — 8.17 — aggregation uchun ideal). Aggregation — mijoz tajribasi (kam so'rov).
2.5. BFF (Backend for Frontend)
BFF — har MIJOZ TURI uchun maxsus Gateway:
Mobil ilova ── Mobil BFF (ixcham javob — bandwidth/kichik ekran)
Veb sayt ── Veb BFF (boy ma'lumot — desktop)
Admin panel── Admin BFF (ko'proq ruxsat, batafsil)
│
▼ (har BFF ichki xizmatlarga)
User, Order, Product Services
Har mijoz o'z ehtiyojiga mos javob (mobil — kam; veb — ko'p)
Mijoz mantig'i BFF'da (frontend jamoasi boshqaradi)
Bir umumiy Gateway hammaga mos kelmaganda (mobil ≠ veb)BFF (Backend for Frontend — Gateway naqshi): har mijoz turi uchun maxsus Gateway. Mobil BFF (ixcham javob — bandwidth/kichik ekran), veb BFF (boy ma'lumot — desktop), admin BFF (ko'proq ruxsat). Nega: bir umumiy Gateway hamma mijozga mos kelmaydi (mobil kam ma'lumot, veb ko'p — bir javob ikkalasiga noqulay). Har BFF mijoz ehtiyojiga moslaydi (transformatsiya, filtr). Frontend jamoasi BFF'ni boshqaradi (Conway — 9.5: 2.5). Ko'p turli mijoz bo'lganda foydali.
2.6. Gateway vs Service Mesh
API GATEWAY — "North-South" (tashqi ichki):
Mijoz (tashqi) Gateway xizmatlar
auth, rate limit, routing (tashqi so'rovlar)
SERVICE MESH — "East-West" (xizmat xizmat — ichki):
Xizmat A [sidecar proxy] Xizmat B (har xizmat yonida proxy)
ichki aloqa: retry, circuit breaker 9.6-bob, mTLS, tracing
Istio, Linkerd (Kubernetes — 10)
Ular RAQOBATCHI EMAS — birga (Gateway tashqi, Mesh ichki)
Kichik tizim: faqat Gateway; katta: Gateway + MeshGateway vs Service Mesh: Gateway — "North-South" (tashqiichki — mijoz so'rovlari: auth/rate limit/routing); Service Mesh (Istio/Linkerd) — "East-West" (xizmatxizmat ichki — sidecar proxy: retry/circuit breaker/mTLS/tracing — 9.6). Ular raqobatchi emas — birga ishlaydi (Gateway tashqi eshik, Mesh ichki aloqa). Kichik tizim: faqat Gateway (yetadi); juda katta (ko'p xizmat): Gateway + Mesh. Service mesh — qo'shimcha murakkablik (faqat katta tizimga — 9.5).
2.7. Service Discovery muammosi (xizmatlar bir-birini topishi)
MUAMMO: xizmatlar IP'si DOIM O'ZGARADI (dinamik muhit):
- Kubernetes har deploy'da yangi IP (10)
- Auto-scaling — yangi nusxalar qo'shiladi/o'chadi
- Xizmat ko'chadi (boshqa server)
Hardcode IP (http://192.168.1.5:3001) — deploy'da buziladi!
SERVICE DISCOVERY — xizmatlar bir-birini DINAMIK topadi:
- Service registry — "kim qayerda" jadvali (doim yangi)
- Xizmat ro'yxatdan o'tadi (register); boshqalar topadi (discover)Service Discovery muammosi: xizmatlar IP'si doim o'zgaradi (Kubernetes har deploy'da yangi IP, auto-scaling yangi nusxa, ko'chish — 10). Hardcode IP (
http://192.168.1.5) — deploy'da buziladi (eng keng xato). Service discovery — xizmatlar bir-birini dinamik topadi: service registry ("kim qayerda" jadvali — doim yangilanadi), xizmat register (ro'yxatdan o'tadi), boshqalar discover (topadi). Dinamik muhitda majburiy (statik IP ishlamaydi).
2.8. Client-side vs Server-side discovery
CLIENT-SIDE DISCOVERY:
Xizmat A registry'dan B manzilini SO'RAYDI to'g'ridan B'ga
Kam tarmoq sakrash; har xizmat discovery mantig'i (klient)
SERVER-SIDE DISCOVERY:
Xizmat A load balancer/Gateway registry B
Klient oddiy (discovery — infra ishi); qo'shimcha sakrash
Kubernetes Service (DNS) — server-side (eng keng, oson)
Kubernetes'da: Service DNS (order-service:3001) — discovery avtomatik
IP o'zgaradi, lekin DNS nomi barqaror (Kubernetes hal qiladi)Client-side vs server-side discovery: client-side (xizmat registry'dan manzilni so'rab, to'g'ridan — kam sakrash, lekin har xizmat discovery mantig'i); server-side (load balancer/Gateway registry orqali — klient oddiy, lekin qo'shimcha sakrash). Kubernetes Service (DNS) — server-side, eng keng: xizmat DNS nomi (
order-service:3001) barqaror, IP o'zgaradi lekin Kubernetes DNS'ni yangilaydi (discovery avtomatik — qo'lda registry kerak emas). Kubernetes'da discovery — built-in (10). Bu — zamonaviy eng oson usul.
2.9. Service Registry (Consul, Eureka, Kubernetes)
SERVICE REGISTRY — "kim qayerda" markaziy jadvali:
- Consul (HashiCorp): registry + health + KV + DNS
- Eureka (Netflix): Java dunyosi (Spring)
- Kubernetes: built-in (Service + DNS — eng keng — 10)
- etcd, Zookeeper: pastroq daraja
ISH JARAYONI:
1. Xizmat ishga tushadi registry'ga REGISTER (men shu manzilda)
2. Health check — registry sog'lom xizmatlarni biladi 2.10-bob
3. Boshqa xizmat registry'dan SO'RAYDI (B qayerda?)
4. Xizmat o'chsa registry'dan chiqariladi (deregister)
Kubernetes ishlatayotgan bo'lsangiz — built-in (qo'shimcha registry kerak emas)Service Registry ("kim qayerda" markaziy jadvali): Consul (HashiCorp — registry+health+DNS), Eureka (Netflix/Java), Kubernetes (built-in — Service+DNS — eng keng — 10), etcd/Zookeeper (pastroq). Ish: xizmat ishga tushadi register health check 2.10-bob boshqalar so'raydi o'chsa deregister. Kubernetes ishlatsangiz — registry built-in (qo'shimcha Consul/Eureka kerak emas — Service+DNS hal qiladi). Bu — eng zamonaviy yondashuv (10). Consul — Kubernetes'siz yoki multi-cloud.
2.10. Health check (sog'lom xizmatlar)
HEALTH CHECK — xizmat "tirik va sog'lom"mi (registry/load balancer uchun):
- /health endpoint 8.15-bob — xizmat javob beradimi
- Liveness: tirikmi (yiqilsa — qayta ishga tushirish)
- Readiness: so'rov qabul qilishga tayyormi (DB ulanganmi, warm-up)
Registry/Gateway faqat SOG'LOM xizmatlarga yo'naltiradi
Kasal xizmat — chiqariladi (so'rov yuborilmaydi — circuit breaker — 9.6)
Kubernetes: livenessProbe + readinessProbe (avtomatik — 10)Health check (sog'lom xizmatlar — registry/load balancer uchun):
/healthendpoint 8.15-bob, liveness (tirikmi — yiqilsa qayta ishga tushirish), readiness (so'rov qabul qilishga tayyormi — DB ulangan, warm-up tugagan). Registry/Gateway faqat sog'lom xizmatlarga yo'naltiradi (kasal — chiqariladi, so'rov yuborilmaydi — circuit breaker 9.6 bilan). Kubernetes —livenessProbe+readinessProbe(avtomatik — 10). Health check — ishonchlilikning asosi (kasal xizmatga so'rov bormaydi).
2.11. Gateway xavfsizligi va ishonchliligi (14)
Auth Gateway'da (token tekshirish — 8.9 — bir joyda — 2.2)
Rate limiting (DoS himoyasi — 5.20, 8.16)
SSL/TLS termination (HTTPS — Gateway'da)
Ichki xizmatlar tashqaridan YOPIQ (faqat Gateway orqali)
Gateway — single point of failure HA (ko'p nusxa, load balancer)
Request validation (Gateway'da — ichki xizmatga toza)
Monitoring/tracing (markazlashgan — barcha so'rov o'tadi — 10)
Gateway yiqilsa — hammasi yiqiladi yuqori mavjudlik (HA) majburiyGateway xavfsizligi/ishonchliligi (14): auth Gateway'da (bir joyda — 2.2), rate limiting (DoS — 5.20), SSL/TLS termination, ichki xizmatlar tashqaridan yopiq (faqat Gateway orqali — xavfsizlik), request validation, monitoring/tracing (markaziy — barcha so'rov o'tadi — 10). Gateway — single point of failure (yiqilsa hammasi) yuqori mavjudlik (HA) majburiy (ko'p nusxa + load balancer). Gateway markaziy — kuchli (markazlashtirish), lekin kritik (ishonchli bo'lishi shart). HA — Gateway uchun majburiy.
2.12. Best practices (Gateway/discovery)
GATEWAY:
Yagona kirish (auth/rate limit/routing markazlashgan — 2.1, 2.2)
Tayyor vosita (Kong/Nginx) yoki custom (NestJS) — ehtiyojga 2.3-bob
BFF (ko'p mijoz turi — 2.5); aggregation (kam so'rov — 2.4)
Ichki xizmatlar yopiq (faqat Gateway — 2.11)
HA (single point of failure — ko'p nusxa — 2.11)
DISCOVERY:
Hardcode IP'dan qoch (dinamik discovery — 2.7)
Kubernetes Service DNS (built-in — eng oson — 2.8, 2.9)
Health check (sog'lom xizmat — 2.10)
Consul/Eureka (Kubernetes'siz — 2.9)2.13. Protokol tarjimasi va transformatsiya (REST gRPC)
PROTOKOL TARJIMASI — Gateway tashqi va ichki protokolni "tarjima" qiladi:
Mijoz (brauzer/mobil) ── REST/JSON (HTTP/1.1) ── Gateway
│ ichki: gRPC/Protobuf 9.6-bob
▼
User, Order Services (gRPC)
Tashqi: REST/JSON (brauzer tushunadi, oddiy, universal)
Ichki: gRPC (tez, binar, tiplangan — xizmatlararo — 9.6)
Gateway JSON'ni Protobuf'ga (va aksincha) tarjima qiladi
TRANSFORMATSIYA — so'rov/javob shaklini o'zgartirish:
- Request: header qo'shish (X-User-Id — auth'dan), yo'l qayta yozish
(/v1/users /users), body normallashtirish
- Response: ichki maydonlarni yashirish (parol_hash, internal_id),
format moslashtirish (mobil uchun soddalashtirish — BFF 2.5)Protokol tarjimasi: Gateway tashqi protokol (REST/JSON — brauzer/mobil universal tushunadi) bilan ichki protokol (gRPC/Protobuf — tez, binar, tiplangan xizmatlararo aloqa — 9.6) o'rtasida tarjimon vazifasini bajaradi. Mijoz REST yuboradi, Gateway uni gRPC'ga aylantirib ichki xizmatga uzatadi, javobni yana JSON'ga qaytaradi. Bu tashqi mijozni ichki texnologiyadan ajratadi (mijoz gRPC bilmaydi — faqat REST ko'radi). Transformatsiya: Gateway so'rov/javob shaklini o'zgartiradi — so'rovga header qo'shadi (
X-User-Id— auth token'dan olib), yo'lni qayta yozadi (/v1/usersichki/users), javobdan ichki/maxfiy maydonlarni (parol_hash,internal_id) olib tashlaydi. Transformatsiya — mijoz va ichki xizmat shartnomasini bir-biridan mustaqil qiladi (biri o'zgarsa, Gateway moslaydi — ikkinchisi tegilmaydi).
2.14. Load balancing algoritmlari (yuk taqsimlash)
LOAD BALANCING — so'rovni bir necha xizmat NUSXASIGA taqsimlash:
Gateway/LB ──┬── Order Svc #1
├── Order Svc #2 (3 nusxa — yuk bo'linadi)
└── Order Svc #3
ALGORITMLAR:
- Round-robin: navbat bilan (#1, #2, #3, #1... — eng oddiy, teng)
- Least-connections: eng kam faol ulanishga (nomutanosib yuk uchun)
- Weighted: og'irlik bilan (kuchli server #1 2x, kuchsiz #3 1x)
- IP-hash: bir mijoz IP doim bir nusxa (sticky — sessiya uchun)
- Random: tasodifiy (oddiy, katta miqyosda teng taqsimlanadi)
Sog'lom nusxalarga (health check 2.10) — kasal chiqariladi
Caching/sessiya bilan bog'liq (IP-hash — 9.9 load balancing chuqur)Load balancing algoritmlari (yuk taqsimlash — bir xizmatning bir necha nusxasiga so'rovlarni bo'lish): round-robin (navbat bilan #1#2#3#1 — eng oddiy, nusxalar teng bo'lsa yaxshi), least-connections (ayni damda eng kam faol ulanishga — so'rovlar turli davomiylikda bo'lsa mos), weighted (og'irlik bilan — kuchli serverga ko'proq, masalan #1 ikki barobar), IP-hash (bir mijoz IP'si doim bir nusxaga — "sticky session", sessiya xotirada bo'lsa kerak), random (tasodifiy — katta miqyosda amalda teng). Load balancer faqat sog'lom nusxalarga yuboradi (health check — 2.10 — kasal nusxa navbatdan chiqariladi). IP-hash'dan qochish yaxshiroq — sessiyani stateless qiling (JWT/Redis — 5.20), shunda har nusxa bir xil ishlaydi (haqiqiy gorizontal miqyoslash). Load balancing algoritmlari 9.9'da (keyingi bob) chuqurroq ochiladi.
2.15. Ro'yxatdan o'tish usullari va DNS-based discovery
RO'YXATDAN O'TISH (registration) — kim registry'ga yozadi:
SELF-REGISTRATION — xizmat O'ZI yozadi:
Xizmat ishga tushadi registry'ga o'zini register (Consul kliyent — 2.9)
Oddiy (tashqi komponent kerak emas)
Xizmatga discovery mantig'i "aralashadi" (kod ichida register/deregister)
THIRD-PARTY REGISTRATION — TASHQI komponent yozadi (registrar):
Registrar (orkestrator) xizmatni kuzatadi registry'ga yozadi/o'chiradi
Xizmat "toza" (discovery bilmaydi — biznes mantiqqa e'tibor)
Qo'shimcha komponent (lekin Kubernetes buni O'ZI qiladi)
Kubernetes: pod ishga tushsa, Service/endpoint AVTOMATIK (3rd-party)
DNS-BASED DISCOVERY — registry DNS orqali:
Xizmat B'ni topish = DNS so'rov (order-service IP)
Universal (har til DNS'ni biladi — maxsus kliyent kerak emas)
Kubernetes kube-dns, Consul DNS interfeysi (2.8)Ro'yxatdan o'tish usullari: self-registration — xizmat o'zini registry'ga yozadi (ishga tushganda register, o'chganda deregister — Misol 7 Consul). Oddiy, lekin xizmat kodiga discovery mantig'i aralashadi. Third-party registration — tashqi komponent (registrar/orkestrator) xizmatlarni kuzatib, registry'ni o'zi yangilaydi. Xizmat "toza" qoladi (discovery'ni bilmaydi — faqat biznes mantiq). Kubernetes aynan third-party ishlaydi: pod ishga tushganda, Kubernetes uning endpoint'ini avtomatik Service'ga qo'shadi (xizmat hech nima qilmaydi). DNS-based discovery — topish oddiy DNS so'rovi orqali (
order-servicenomi joriy IP): universal (har dasturlash tili DNS'ni tushunadi — maxsus kutubxona kerak emas). Kuberneteskube-dns/CoreDNS va Consul'ning DNS interfeysi shu asosda ishlaydi 2.8-bob. Zamonaviy tavsiya: third-party + DNS-based (Kubernetes) — xizmat kodiga eng kam aralashuv.
2.16. Kubernetes service discovery (Service, kube-dns) — 10-QISM
KUBERNETES DISCOVERY (built-in — qo'shimcha registry kerak emas):
1. Deployment Pod'lar (har biri o'z IP'si, o'zgaruvchan)
2. Service Pod'lar oldida BARQAROR nom + ClusterIP:
apiVersion: v1
kind: Service
metadata: { name: order-service }
spec:
selector: { app: order } # shu yorliqli pod'lar
ports: [{ port: 3002 }]
3. kube-dns/CoreDNS "order-service" nomini ClusterIP'ga hal qiladi
4. Boshqa xizmat: http://order-service:3002 (nom barqaror — IP emas)
Service = registry + load balancer + DNS (hammasi bitta)
Pod o'lsa/scale bo'lsa — Service endpoint'ni avtomatik yangilaydi
To'liq: 10-QISM (Kubernetes)Kubernetes service discovery (10-QISM cross-ref): Kubernetes'da discovery built-in — alohida Consul/Eureka kerak emas. Pod'lar (xizmat nusxalari) o'zgaruvchan IP'ga ega, lekin ular ustidagi Service obyekti barqaror nom va
ClusterIPberadi.kube-dns(CoreDNS)order-servicenomini joriyClusterIPga hal qiladi, u esa sog'lom pod'larga yuk taqsimlaydi. Kubernetes Service bir vaqtning o'zida registry + load balancer + DNS — uchtasi birga. Pod o'lganda yoki scale bo'lganda, Kubernetes Service'ning endpoint ro'yxatini avtomatik yangilaydi (xizmat kodi tegilmaydi — third-party registration, 2.15). Shuning uchun Kubernetes muhitidahttp://order-service:3002yozish yetarli — bu bob'dagi Consul/Eureka mexanizmini Kubernetes o'z ichiga oladi. To'liq tafsilot 10-QISMDA.
2.17. TLS/mTLS va Gateway anti-pattern'lar
TLS (bir tomonlama) — SERVER o'zini isbotlaydi (HTTPS):
Mijoz [TLS] Gateway (sertifikat: "men haqiqiy gateway")
Gateway'da SSL termination: HTTPS shu yerda tugaydi 2.11-bob
mTLS (o'zaro TLS) — IKKALA tomon isbotlaydi (ichki xizmatlararo):
Xizmat A [mTLS] Xizmat B (ikkalasi ham sertifikat ko'rsatadi)
"Zero trust" — ichki tarmoqda ham ishonch yo'q (2.6 service mesh)
Istio/Linkerd mTLS'ni AVTOMATIK beradi (sidecar — 2.6)
ANTI-PATTERN'LAR (Gateway'da QILMANG):
Biznes mantiq Gateway'da (narx hisoblash, buyurtma qoidasi)
Gateway faqat yo'naltiradi; biznes mantiq XIZMATDA (9.1, 9.5)
Bitta ulkan Gateway (God object) — hamma narsa unda
Gateway'ni SPOF qilib qoldirish (HA'siz — 2.11)
Har o'zgarishda Gateway'ni deploy (mahkam bog'lanish)TLS/mTLS: TLS (bir tomonlama — HTTPS) da faqat server o'zini sertifikat bilan isbotlaydi; mijozGateway aloqasi shifrlanadi va Gateway'da SSL termination bo'ladi 2.11-bob. mTLS (o'zaro TLS) da ikkala tomon ham sertifikat ko'rsatadi — bu ichki xizmatlararo aloqada ishlatiladi ("zero trust" — ichki tarmoqqa ham ko'r-ko'rona ishonilmaydi). Har xizmatga qo'lda sertifikat qo'yish o'rniga service mesh (Istio/Linkerd — 2.6) mTLS'ni sidecar orqali avtomatik beradi. Gateway anti-pattern'lari ( qilmang): (1) biznes mantiqni Gateway'ga solish — narx hisoblash, buyurtma qoidasi Gateway'da bo'lmasin, ular xizmatda turishi kerak (Gateway faqat cross-cutting: routing/auth/rate limit — 9.1 SRP); (2) hamma narsani o'z ichiga olgan ulkan "God" Gateway; (3) Gateway'ni HA'siz SPOF holida qoldirish 2.11-bob; (4) har mayda o'zgarishda Gateway'ni qayta deploy qilishga majbur qiladigan mahkam bog'lanish. Oltin qoida: Gateway "yupqa" bo'lsin — u yo'naltiradi va cross-cutting bajaradi, aql (biznes mantiq) xizmatlarda qoladi.
3. Sintaksis — tez ma'lumotnoma
GATEWAY 2.2-bob: routing + auth + rate limit + aggregation + CORS (markaziy)
BFF 2.5-bob: har mijoz turi (mobil/veb/admin) — maxsus gateway
Gateway vs Mesh 2.6-bob: Gateway (tashqi N-S); Mesh (ichki E-W)
Protokol 2.13-bob: tashqi REST/JSON ichki gRPC/Protobuf (Gateway tarjima)
Load balancing 2.14-bob: round-robin / least-conn / weighted / IP-hash / random
DISCOVERY 2.7-bob: registry (kim qayerda) — register/discover/deregister
Registration 2.15-bob: self (xizmat o'zi) vs third-party (Kubernetes avtomatik)
Kubernetes 2.16-bob: Service + kube-dns (order-service:3001 — barqaror nom)
Health 2.10-bob: /health — liveness + readiness
TLS 2.17-bob: TLS (server) vs mTLS (ikkala tomon — zero trust)3.1. Gateway vositalari taqqoslash
| Vosita | Tur | Til/muhit | Kuchli tomoni | Qachon |
|---|---|---|---|---|
| Kong | Tayyor (Nginx+Lua) | Til-agnostik | Boy plugin ekotizimi, DB/DB-siz | Umumiy, plugin ko'p kerak |
| KrakenD | Tayyor (Go) | Til-agnostik | Stateless, aggregation'ga kuchli, tez | Yuqori yuk, aggregation |
| Nginx | Tayyor (reverse proxy) | Til-agnostik | Yengil, keng tarqalgan, sinovdan o'tgan | Oddiy routing/SSL/LB |
| Traefik | Tayyor (Go) | Til-agnostik | Auto-discovery, Kubernetes-native | Konteyner/Kubernetes |
| AWS API Gateway | Boshqariladigan (cloud) | Til-agnostik | Serverless, boshqarish yo'q, Lambda | AWS ekotizim |
| Ocelot | Kutubxona (.NET) | C#/.NET | .NET ichida, kodda nazorat | .NET mikroservis |
| NestJS (custom) | Custom | Node/TS | To'liq nazorat, maxsus mantiq | Node stack, maxsus ehtiyoj |
Taqqoslash izohi: Kong — eng keng plugin ekotizimi (auth/rate limit/transform tayyor). KrakenD — stateless va aggregation'ga ixtisoslashgan (Go — tez). Nginx — yengil, oddiy routing/SSL/load balancing uchun klassik. Traefik — konteyner/Kubernetes muhitida xizmatlarni avtomatik aniqlaydi (label orqali). AWS API Gateway — boshqariladigan (infratuzilma tashvishi yo'q, Lambda bilan integratsiya). Ocelot — .NET dunyosi uchun kutubxona (kodda). NestJS custom — to'liq nazorat kerak bo'lganda (Misol 1). Umumiy tavsiya: standart ehtiyojga tayyor vosita (Kong/Traefik — g'ildirakni qayta ixtiro qilmaslik), maxsus biznes-aggregatsiya mantig'i kerak bo'lsagina custom (NestJS).
4. Batafsil kod namunalari
Misol 1 — NestJS API Gateway (8.16 davomi — 2.1, 2.2)
// API Gateway — yagona kirish (auth, routing)
@Controller()
export class GatewayController {
constructor(
@Inject("USER_SERVICE") private userClient: ClientProxy,
@Inject("ORDER_SERVICE") private orderClient: ClientProxy,
) {}
// Routing + auth (Gateway'da — bir joyda — 2.2)
@Get("users/:id")
@UseGuards(JwtAuthGuard) // AUTH Gateway'da (8.9 — har xizmatda emas)
getUser(@Param("id") id: string) {
return this.userClient.send({ cmd: "user.get" }, id); // routing User Svc (9.6)
}
@Post("orders")
@UseGuards(JwtAuthGuard)
@Throttle({ default: { limit: 10, ttl: 60000 } }) // RATE LIMIT Gateway'da (5.20)
createOrder(@Body() dto: any, @CurrentUser() user) {
return this.orderClient.send({ cmd: "order.create" }, { ...dto, userId: user.id });
}
}
// Auth/rate limit BIR JOYDA (Gateway) — ichki xizmatlar faqat biznes mantiqMisol 2 — Request aggregation (2.4)
// Bir so'rovga bir necha xizmatdan (under-fetching yo'q — 2.4)
@Get("orders/:id/full")
@UseGuards(JwtAuthGuard)
async buyurtmaToliq(@Param("id") id: string) {
// Parallel (Promise.all — tez — 9.6)
const [order, user, products] = await Promise.all([
firstValueFrom(this.orderClient.send({ cmd: "order.get" }, id)),
firstValueFrom(this.userClient.send({ cmd: "user.get" }, /* userId */)),
firstValueFrom(this.productClient.send({ cmd: "products.byOrder" }, id)),
]);
// Birlashtirilgan javob (mijoz 1 so'rov yubordi — 2.4)
return { ...order, user, products };
}
// Mijoz 1 so'rov, Gateway 3 ta qildi (mobil uchun muhim — kam so'rov)
// murakkab aggregation GraphQL afzal (8.17)Misol 3 — BFF (mobil vs veb — 2.5)
// Mobil BFF — ixcham javob (bandwidth)
@Controller("mobile")
export class MobileBffController {
@Get("products")
async products() {
const products = await firstValueFrom(this.productClient.send({ cmd: "products.all" }, {}));
// Mobil uchun IXCHAM (faqat kerakli maydonlar — 2.5)
return products.map((p) => ({ id: p.id, nom: p.nom, narx: p.narx, rasm: p.thumbnail }));
}
}
// Veb BFF — boy ma'lumot (desktop)
@Controller("web")
export class WebBffController {
@Get("products")
async products() {
const products = await firstValueFrom(this.productClient.send({ cmd: "products.all" }, {}));
// Veb uchun BOY (to'liq ma'lumot — 2.5)
return products; // barcha maydon (tavsif, sharhlar, o'xshash...)
}
}
// Har mijoz o'z ehtiyojiga mos (mobil kam, veb ko'p — 2.5)Misol 4 — Kong Gateway (tayyor vosita — 2.3)
# kong.yml — deklarativ Gateway (auth, rate limit — plugin)
services:
- name: user-service
url: http://user-service:3001 # service discovery (DNS — 2.8)
routes:
- paths: ["/users"]
plugins:
- name: jwt # AUTH (plugin — kod yozmasdan)
- name: rate-limiting # RATE LIMIT
config: { minute: 60 }
- name: cors
- name: order-service
url: http://order-service:3002
routes:
- paths: ["/orders"]
plugins:
- name: jwt
# Tayyor Gateway — plugin bilan (kod kam — 2.3); custom mantiq kerak bo'lsa NestJSMisol 5 — Service discovery: Kubernetes DNS (2.8)
// Kubernetes — Service DNS (IP emas, BARQAROR nom — 2.8)
// Hardcode IP (deploy'da buziladi)
// const userUrl = "http://192.168.1.5:3001";
// Kubernetes Service DNS (barqaror — IP o'zgarsa ham nom bir xil)
@Module({
imports: [
ClientsModule.register([
{
name: "USER_SERVICE",
transport: Transport.TCP,
options: { host: "user-service", port: 3001 }, // DNS nom (Kubernetes — 2.8)
},
]),
],
})
export class GatewayModule {}
// "user-service" — Kubernetes Service nomi (DNS) joriy sog'lom IP'ga (avtomatik — 2.9)
// IP o'zgaradi, deploy bo'ladi, scale bo'ladi — nom o'zgarmaydi (discovery avtomatik)Misol 6 — Health check (liveness/readiness — 2.10)
// Health endpoint (Kubernetes probe + Gateway — 2.10, 8.15)
@Controller("health")
export class HealthController {
constructor(
private health: HealthCheckService,
private db: TypeOrmHealthIndicator,
private redis: RedisHealthIndicator,
) {}
@Get("live") // LIVENESS — tirikmi
@HealthCheck()
liveness() {
return this.health.check([]); // oddiy — jarayon javob beradimi
}
@Get("ready") // READINESS — tayyormi (2.10)
@HealthCheck()
readiness() {
return this.health.check([
() => this.db.pingCheck("database"), // DB ulanganmi
() => this.redis.checkHealth("redis"), // Redis tayyormi
]);
}
}
// Kubernetes: livenessProbe /health/live; readinessProbe /health/ready (10)
// readiness FALSE Gateway/registry so'rov yubormaydi (warm-up/DB uzilgan)Misol 7 — Consul service discovery (Kubernetes'siz — 2.9)
// Consul — xizmat ro'yxatdan o'tadi (register) va topadi (discover)
import Consul from "consul";
@Injectable()
export class ServiceRegistry implements OnModuleInit, OnModuleDestroy {
private consul = new Consul({ host: "consul" });
private serviceId = `order-service-${process.pid}`;
async onModuleInit() {
// REGISTER — men shu manzildaman (2.9)
await this.consul.agent.service.register({
id: this.serviceId, name: "order-service",
address: process.env.HOST, port: 3002,
check: { http: "http://localhost:3002/health/ready", interval: "10s" }, // health (2.10)
});
}
async onModuleDestroy() {
await this.consul.agent.service.deregister(this.serviceId); // chiqish (2.9)
}
// DISCOVER — boshqa xizmatni topish
async topish(name: string): Promise<{ host: string; port: number }> {
const services = await this.consul.health.service({ service: name, passing: true }); // sog'lom
const s = services[0].Service;
return { host: s.Address, port: s.Port };
}
}Misol 7b — Protokol tarjimasi va transformatsiya (2.13)
// Gateway: tashqi REST/JSON ni ichki gRPC ga TARJIMA qiladi (2.13)
@Controller("users")
export class UserGatewayController {
// gRPC kliyent (ichki xizmat — 9.6)
constructor(@Inject("USER_GRPC") private grpc: ClientGrpc) {}
private svc: any;
onModuleInit() { this.svc = this.grpc.getService("UserService"); }
@Get(":id")
@UseGuards(JwtAuthGuard)
async getUser(@Param("id") id: string, @CurrentUser() user) {
// 1) TASHQI: REST/JSON so'rov keldi (brauzer/mobil)
// 2) TARJIMA: gRPC chaqiruvi (Protobuf — ichki, tez — 2.13, 9.6)
const res = await firstValueFrom(
this.svc.getUser({ id, requestedBy: user.id }), // headerichki maydon (transform)
);
// 3) RESPONSE TRANSFORM: ichki/maxfiy maydonlarni OLIB TASHLASH (2.13)
const { parol_hash, internal_notes, ...ochiq } = res;
return ochiq; // mijoz faqat ochiq maydonlarni ko'radi
}
}
// Mijoz REST ko'radi, ichkarida gRPC (mijoz ichki texnologiyani bilmaydi — 2.13)
// parol_hash/internal_notes tashqariga CHIQMAYDI (javob transformatsiyasi)Misol 7c — Load balancing (Nginx — algoritmlar — 2.14)
# Nginx upstream — bir xizmatning KO'P nusxasiga yuk taqsimlash (2.14)
upstream order_service {
# ALGORITM tanlash (biri):
least_conn; # eng kam ulanishga 2.14-bob — round-robin default
# ip_hash; # sticky: bir IP bir nusxa (sessiya — 2.14)
server order-1:3002 weight=2; # WEIGHTED — kuchli server 2x yuk (2.14)
server order-2:3002 weight=1;
server order-3:3002 weight=1 max_fails=3 fail_timeout=30s; # health (2.10)
}
server {
listen 443 ssl; # TLS termination (HTTPS — 2.11, 2.17)
location /orders {
proxy_pass http://order_service; # LB qilingan xizmatga
proxy_set_header X-Real-IP $remote_addr; # header transform (2.13)
}
}
# least_conn/ip_hash/weighted — yuk profiliga qarab (2.14)
# max_fails — kasal nusxa vaqtincha chiqariladi (health — 2.10)Misol 7d — mTLS ichki xizmatlararo (zero trust — 2.17)
# Istio — ichki xizmatlararo mTLS AVTOMATIK (sidecar — 2.6, 2.17)
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: default
namespace: shop
spec:
mtls:
mode: STRICT # IKKALA tomon ham sertifikat MAJBUR (mTLS — 2.17)
# Xizmat kodi TEGILMAYDI — Istio sidecar mTLS'ni o'zi qiladi (2.6)
# "Zero trust": ichki tarmoqda ham har aloqa isbotlanadi (2.17)Misol 7e — API kompozitsiya vs GraphQL federation (17-bob cross-ref)
IKKI YO'L — ko'p xizmat ma'lumotini bitta javobga 2.4-bob:
1) API KOMPOZITSIYA (Gateway aggregation — 2.4, Misol 2):
Gateway KODDA bir necha xizmatni chaqiradi qo'lda birlashtiradi
Oddiy, aniq nazorat
Har yangi kombinatsiyaga Gateway kodini yozish (qo'lda)
2) GraphQL FEDERATION (17-bob):
Har xizmat o'z GraphQL sxemasini beradi (subgraph)
Gateway (Apollo Router) sxemalarni BIRLASHTIRADI (supergraph)
Mijoz bitta so'rovda kerakli maydonlarni SO'RAYDI (deklarativ)
Mijoz kerakligini oladi (over/under-fetching yo'q — 8.17)
Yangi kombinatsiya — Gateway kodisiz (sxema hal qiladi)
Qo'shimcha murakkablik (GraphQL, federation sozlash)
Oddiy/kam kombinatsiya API kompozitsiya (bu bob, 2.4)
Ko'p mijoz, ko'p turli kombinatsiya GraphQL federation (17-bob)Misol 8 — Gateway xavfsizligi (ichki yopiq — 2.11)
GATEWAY XAVFSIZLIK ARXITEKTURASI:
Internet (tashqi)
│ HTTPS
▼
┌─────────────┐
│ API Gateway │ auth, rate limit, SSL 2.11-bob — YAGONA tashqi nuqta
└──────┬──────┘
│ ichki tarmoq (private — tashqaridan YOPIQ)
┌─────┼─────┐
▼ ▼ ▼
User Order Product ichki xizmatlar (internetdan KO'RINMAYDI)
Services (faqat Gateway orqali — 2.11)
Ichki xizmatlar — private tarmoqda (firewall, Kubernetes NetworkPolicy)
Faqat Gateway public; xizmatlar to'g'ridan murojaat qilib bo'lmaydiMisol 9 — Gateway HA (single point of failure — 2.11)
GATEWAY — single point of failure HA (yuqori mavjudlik):
Internet
│
┌──────────────┐
│Load Balancer │ Gateway oldida (Nginx/cloud LB — 10)
└──────┬───────┘
┌─────┼─────┐
▼ ▼ ▼
Gateway Gateway Gateway KO'P nusxa (biri yiqilsa, boshqasi — 2.11)
└─────┼─────┘
▼
ichki xizmatlar
Gateway yiqilsa hammasi yiqiladi ko'p nusxa + load balancer
Health check 2.10-bob — kasal Gateway'ni chiqaradiMisol 10 — To'liq mikroservis infratuzilma
TO'LIQ ARXITEKTURA (Gateway + discovery + xizmatlar):
Mijoz (mobil/veb)
│ HTTPS
▼
Load Balancer API Gateway (auth, rate limit, routing — 2.2)
│ (service discovery — DNS — 2.8)
┌──────────────┼──────────────┐
▼ gRPC ▼ gRPC ▼ gRPC
User Svc Order Svc Product Svc
/health /health /health health check 2.10-bob
(register) (register) (register) registry/K8s DNS 2.9-bob
│ event (Kafka — 9.6, 9.7)
▼
Notification, Analytics (asinxron)
Komponentlar:
- Load Balancer (Gateway HA — 2.11)
- API Gateway (yagona kirish — 2.1)
- Service Discovery (K8s DNS / Consul — 2.8, 2.9)
- Health check (sog'lom — 2.10)
- gRPC (ichki — 9.6) + event (async — 9.7)5. To'g'ri va noto'g'ri holatlar
1) Mijoz har xizmatga to'g'ridan
Gateway'siz (auth takror, tuzilma oshkor — 2.1)
API Gateway (yagona kirish)2) Hardcode IP
http://192.168.1.5 (deploy'da buziladi — 2.7)
service discovery (DNS / registry)3) Auth har xizmatda
har xizmat token tekshiradi (takror — 2.2)
Gateway'da (bir joyda)4) Gateway HA'siz
bitta Gateway (yiqilsa hammasi — 2.11)
ko'p nusxa + load balancer5) Ichki xizmatlar ochiq
xizmatlar internetdan ko'rinadi (xavfsizlik — 2.11)
private tarmoq (faqat Gateway public)6) Biznes mantiq Gateway'da
narx hisoblash/buyurtma qoidasi Gateway'da (God object — 2.17)
Gateway yupqa (routing/auth); biznes mantiq xizmatda (9.1)7) Sticky session (IP-hash) ga bog'lanib qolish
sessiya xizmat xotirasida IP-hash majbur (miqyoslash qiyin — 2.14)
stateless sessiya (JWT/Redis) har nusxa teng (round-robin — 2.14)6. Keng tarqalgan xatolar va yechimlari
Xato 1 — Deploy'dan keyin xizmat topilmadi
Sababi: hardcode IP 2.7-bob. Yechimi: service discovery (DNS).
Xato 2 — Gateway bottleneck (sekin)
Sababi: bitta Gateway, og'ir mantiq. Yechimi: HA (ko'p nusxa); yengil Gateway.
Xato 3 — Kasal xizmatga so'rov ketdi
Sababi: health check yo'q 2.10-bob. Yechimi: liveness/readiness probe.
Xato 4 — Ichki xizmat tashqaridan hujum
Sababi: xizmatlar ochiq 2.11-bob. Yechimi: private tarmoq + NetworkPolicy.
Xato 5 — Aggregation sekin
Sababi: ketma-ket so'rov 2.4-bob. Yechimi: Promise.all (parallel); GraphQL.
Xato 6 — Gateway yiqildi, hammasi to'xtadi
Sababi: single point of failure 2.11-bob. Yechimi: HA (load balancer + ko'p nusxa).
Xato 7 — Gateway "semirib" ketdi (biznes mantiq to'plandi)
Sababi: biznes qoidalar Gateway'ga solingan (anti-pattern — 2.17). Yechimi: mantiqni xizmatga ko'chir; Gateway faqat cross-cutting (routing/auth/rate limit).
Xato 8 — Ichki maxfiy maydon javobda chiqib ketdi
Sababi: javob transformatsiyasi yo'q (parol_hash uzatildi — 2.13). Yechimi: Gateway'da response transform (faqat ochiq maydonlar — Misol 7b).
Xato 9 — Bir nusxa ortiqcha yuklandi, boshqalari bo'sh
Sababi: noto'g'ri LB algoritmi yoki sticky (IP-hash — 2.14). Yechimi: least-connections/weighted; sessiyani stateless qil.
7. Integratsiya — bu mavzu stack'ning qayerida uchraydi
- Mikroservis (8.16, 9.5): Gateway.
- Auth 8.9-bob: Gateway'da.
- Rate limit 5.20-bob: Gateway'da.
- gRPC/queue 9.6-bob: ichki aloqa.
- Health 8.15-bob: check.
- Kubernetes (10): Service, kube-dns, probe 2.16-bob.
- Load balancing 9.9-bob: algoritmlar chuqur 2.14-bob.
- GraphQL (8.17, 17): aggregation, federation (Misol 7e).
- Service mesh 2.6-bob: mTLS, East-West 2.17-bob.
- Frontend (11): BFF.
8. Eng yaxshi amaliyotlar (best practices)
- Yagona kirish (auth/rate limit/routing markazlashgan — 2.1, 2.2).
- Tayyor vosita yoki custom (ehtiyojga — Kong/NestJS — 2.3).
- BFF (ko'p mijoz turi — 2.5); aggregation (kam so'rov — 2.4).
- Ichki xizmatlar yopiq (faqat Gateway — 2.11).
- Gateway HA (single point of failure — 2.11).
- Hardcode IP'dan qoch (discovery — 2.7).
- Kubernetes Service DNS (built-in — eng oson — 2.8).
- Health check (liveness/readiness — 2.10).
- Consul/Eureka (Kubernetes'siz — 2.9); third-party + DNS-based (Kubernetes — 2.15).
- Gateway vs Mesh (tashqi vs ichki — 2.6); mTLS ichkarida (zero trust — 2.17).
- Gateway yupqa — biznes mantiq xizmatda (anti-pattern'dan qoch — 2.17).
- Protokol tarjimasi (tashqi REST, ichki gRPC — 2.13); ichki maydonlarni javobdan yashir 2.13-bob.
9. Amaliy loyiha: "API Gateway + Service Discovery"
Gateway va discovery'ni amalda mustahkamlash.
Maqsad
Mikroservis uchun to'liq Gateway: routing, auth, rate limit, aggregation, BFF, discovery, health.
Talablar (requirements)
- Gateway: routing + auth + rate limit (Misol 1, 2.2).
- Aggregation: ko'p xizmat ma'lumoti (Misol 2, 2.4).
- BFF: mobil vs veb (Misol 3, 2.5).
- Tayyor vosita (muqobil): Kong config (Misol 4, 2.3).
- Protokol tarjimasi: RESTgRPC + transformatsiya (Misol 7b, 2.13).
- Load balancing: algoritm tanlash (Misol 7c, 2.14).
- Service discovery: Kubernetes DNS (Misol 5, 2.8, 2.16).
- Health check: liveness/readiness (Misol 6, 2.10).
- Consul (muqobil): register/discover (Misol 7, 2.9, 2.15).
- mTLS: ichki zero trust (Misol 7d, 2.17).
- Xavfsizlik: ichki yopiq (Misol 8, 2.11).
- HA: ko'p nusxa + LB (Misol 9, 2.11).
- To'liq infratuzilma: hammasi birga (Misol 10).
Maslahatlar (hint)
- Auth Gateway'da (2.2, 3-holat).
- Discovery (hardcode emas — 2.7, 1-xato).
- Health check (2.10, 3-xato).
- Aggregation parallel (2.4, 5-xato).
- Ichki yopiq (2.11, 5-holat).
- Gateway HA (2.11, 6-xato).
"Tayyor" mezonlari (acceptance criteria)
- Gateway (routing/auth/rate limit).
- Aggregation.
- BFF.
- Tayyor vosita.
- Protokol tarjimasi/transformatsiya.
- Load balancing algoritmi.
- Service discovery.
- Health check.
- Consul.
- mTLS (ichki).
- Xavfsizlik (ichki yopiq).
- HA.
- To'liq infratuzilma.
Yechim kodi ataylab berilmagan — bu loyihani o'zingiz yozib ko'ring.
10. Xulosa va keyingi bobga ko'prik
Bu bobda API Gateway va service discovery'ni chuqur o'rgandik:
- API Gateway (yagona kirish — 2.1); vazifalar (routing/auth/rate limit/aggregation — 2.2); vositalar taqqoslash (2.3, 3.1); aggregation 2.4-bob; BFF 2.5-bob; Gateway vs Mesh 2.6-bob; protokol tarjimasi/transformatsiya 2.13-bob; load balancing algoritmlari 2.14-bob.
- Service discovery (dinamik IP — 2.7); client/server-side 2.8-bob; registry (Consul/Eureka/Kubernetes — 2.9); ro'yxatdan o'tish (self/third-party, DNS-based — 2.15); Kubernetes discovery (Service/kube-dns — 2.16); health check 2.10-bob.
- Xavfsizlik/HA 2.11-bob, TLS/mTLS va anti-pattern'lar 2.17-bob — Gateway kritik (single point of failure); biznes mantiq Gateway'da bo'lmasin.
Keyingi bob — 9.9: Caching strategiyalari, scalability, load balancing. Gateway/discovery'ni bildik; endi tizimni tez va katta yukka chidamli qiladigan mavzularni — caching strategiyalari (chuqur — 8.15 davomi), scalability (vertikal/gorizontal), load balancing — chuqur o'rganamiz.
Foydalanilgan rasmiy/ishonchli manbalar
- Microservices.io (Chris Richardson) — API Gateway, Backend for Frontend, Client-side/Server-side Service Discovery, Service Registry, Self/Third-party Registration naqshlari
- Kubernetes rasmiy hujjatlari — Service, DNS for Services and Pods (CoreDNS/kube-dns), Liveness/Readiness/Startup Probes
- HashiCorp Consul rasmiy hujjatlari — Service Registration, Health Checks, DNS interfeysi
- Kong rasmiy hujjatlari — Gateway, plugin arxitekturasi (JWT, rate limiting, CORS)
- KrakenD rasmiy hujjatlari — API Gateway, endpoint aggregation
- Traefik rasmiy hujjatlari — Provider-based service discovery
- Nginx rasmiy hujjatlari — HTTP load balancing (round-robin, least_conn, ip_hash, weighted), upstream health checks
- AWS API Gateway Developer Guide — boshqariladigan API Gateway
- Istio rasmiy hujjatlari — Mutual TLS (PeerAuthentication), sidecar arxitekturasi
- NestJS rasmiy hujjatlari — Microservices (
@nestjs/microservices, ClientProxy, gRPC transport), Terminus (health checks) - Sam Newman, "Building Microservices" (2nd ed., O'Reilly) — API Gateway, BFF, service discovery boblari
- gRPC rasmiy hujjatlari — Protocol Buffers, protokol tarjimasi konteksti
- Apollo GraphQL rasmiy hujjatlari — Federation (subgraph/supergraph — API kompozitsiya muqobili)
Izohlar (0)
Izoh yozish uchun kiring.
- Hozircha izoh yo'q. Birinchi bo'ling!