WisarWisar
Dasturlash kitobi/9-QISM — Arxitektura30 daqiqa

9.8-bob: API Gateway va service discovery

9-QISM — Arxitektura va ilg'or backend · 8-mavzu


1. Kirish va motivatsiya

Xizmatlar qanday gaplashishini 9.6-bob va event naqshlarini 9.7-bob bildik. Endi mikroservis arxitekturasining ikki muhim infratuzilma qismini — API Gateway (yagona kirish nuqtasi) va service discovery (xizmatlar bir-birini topishi) — chuqur o'rganamiz. 8.16'da Gateway'ni qisman ko'rdik; endi to'liq: nega Gateway, u nima qiladi, BFF (Backend for Frontend), va xizmatlar dinamik muhitda (Kubernetes — har deploy'da IP o'zgaradi) bir-birini qanday topadi.

Muammo: mikroservis arxitekturasida o'nlab xizmat bor. Mijoz (mobil/veb) ularning har biriga to'g'ridan murojaat qilsa — kaos: mijoz qaysi xizmat qayerda ekanini bilishi kerak, har biriga alohida auth, CORS, rate limit (takror), va ichki tuzilma tashqariga oshkor bo'ladi (xavfsizlik). API Gateway buni hal qiladi — mijoz uchun yagona eshik: u so'rovni qabul qiladi, autentifikatsiya qiladi, kerakli xizmatga yo'naltiradi, javoblarni birlashtiradi. Va xizmatlar bir-birini topishi uchun (IP doim o'zgaradi) — service discovery.

Bu bob: API Gateway (nega, nima qiladi — chuqur), Gateway vazifalari (routing, auth, rate limit, aggregation), BFF (har mijoz turi uchun maxsus gateway), Gateway vs Service Mesh, service discovery (xizmatlar bir-birini topishi), client-side vs server-side discovery, service registry (Consul/Eureka/Kubernetes), va health check. Bu bob 8.16 (Gateway), 9.5 (mikroservis), 8.9 (auth), 10 (Kubernetes) bilan bog'liq. Bu — mikroservis infratuzilmasining yuragi.

O'xshatish: API Gatewaykatta biznes-markaz qabulxonasi (resepshn). Mehmon (mijoz) har bo'limga (xizmatga) to'g'ridan kirmaydi — avval qabulxonaga keladi: u yerda hujjat tekshiriladi (auth), navbat boshqariladi (rate limit), kerakli bo'limga yo'naltiriladi (routing), va ba'zan bir necha bo'limdan ma'lumot yig'ib beriladi (aggregation). Mehmon ichki tuzilmani bilmaydi (xona raqamlari, qaysi xodim qayerda — yashirin). Service discoveryichki telefon kitobi: xodimlar (xizmatlar) ko'chib yuradi (IP o'zgaradi), lekin telefon kitobi (registry) doim yangilanadi — kim qayerda ekanini biladi (qo'lda emas). Qabulxona + telefon kitobi = tartibli, xavfsiz, moslashuvchan bino.

Nega muhim?

  • Yagona kirish — mijoz uchun bitta eshik (kaos emas).
  • Markazlashgan — auth, rate limit, CORS (har xizmatda takror emas).
  • Service discovery — dinamik muhit (IP o'zgaradi — Kubernetes).
  • Mikroservis infratuzilmasi — Gateway + discovery (asos).

2. Nazariya — chuqur tushuntirish

2.1. API Gateway muammosi (nega kerak)

text
  GATEWAYSIZ (mijoz har xizmatga to'g'ridan):
  Mijoz ── User Service (auth? CORS? rate limit?)
       ├── Order Service (auth TAKROR? CORS TAKROR?)
       ├── Product Service (...)
       └── Payment Service (ichki tuzilma OSHKOR — xavfsizlik!)
   Har xizmatda auth/CORS/rate limit takror; mijoz tuzilmani biladi;
     ko'p endpoint; ichki o'zgarish mijozni buzadi

  GATEWAY BILAN (yagona eshik):
  Mijoz ── API Gateway ── kerakli xizmat
            (auth, rate limit, routing, CORS — BIR JOYDA)
   Markazlashgan; mijoz tuzilmani bilmaydi; bitta endpoint

API Gateway muammosi: Gateway'siz mijoz har xizmatga to'g'ridan murojaat qiladi auth/CORS/rate limit har xizmatda takror (8.9, 5.20), mijoz ichki tuzilmani biladi (xavfsizlik — ichki o'zgarish mijozni buzadi), ko'p endpoint. Gateway bilan — yagona eshik: auth/rate limit/routing/CORS bir joyda (markazlashgan), mijoz ichki tuzilmani bilmaydi (yashirin), bitta endpoint. Bu — mikroservisda Gateway majburiyligining sababi (cross-cutting concerns markazlashtirish).

2.2. API Gateway vazifalari

text
  API GATEWAY NIMA QILADI (cross-cutting concerns):
   Routing — so'rovni kerakli xizmatga yo'naltirish (/users  User Svc)
   Autentifikatsiya — token tekshirish (8.9 — bir joyda, har xizmatda emas)
   Rate limiting — so'rov cheklash (5.20, 8.16 — DoS himoyasi)
   Request aggregation — bir necha xizmatdan ma'lumot yig'ish 2.4-bob
   CORS, SSL termination (HTTPS — bir joyda)
   Logging/monitoring (markazlashgan kuzatuv — 10)
   Caching (umumiy javoblar — 8.15)
   Request/response transformatsiya (format moslashtirish)
   Load balancing (xizmat nusxalariga taqsimlash)

API Gateway vazifalari (cross-cutting concerns — har xizmatga tegishli umumiy ishlar): routing (kerakli xizmatga), auth (token bir joyda — 8.9), rate limiting (DoS — 5.20), aggregation (ko'p xizmat ma'lumoti — 2.4), CORS/SSL, logging/monitoring (10), caching 8.15-bob, transformatsiya, load balancing. Bularni har xizmatda takrorlash o'rniga — Gateway'da bir joyda (DRY — 9.1). Xizmatlar faqat biznes mantiqqa e'tibor beradi (auth/CORS Gateway'da). Gateway — "front door" (oldingi eshik).

2.3. Gateway turlari va vositalar

text
  GATEWAY VOSITALARI:
  - Tayyor: Kong, Nginx, Traefik, AWS API Gateway, Apache APISIX
     ishlab chiqarish-tayyor (auth, rate limit plugin'lar)
  - Maxsus (custom): NestJS Gateway 8.16-bob — to'liq nazorat
  - Service Mesh (Istio/Linkerd): xizmatlararo (sidecar — 2.6)

   Oddiy: tayyor (Kong/Nginx); maxsus mantiq: custom (NestJS);
    juda katta: service mesh (qo'shimcha)

Gateway vositalari: tayyor (Kong, Nginx, Traefik, AWS API Gateway, APISIX — ishlab chiqarish-tayyor, plugin'lar — auth/rate limit); custom (NestJS Gateway — 8.16 — to'liq nazorat, maxsus mantiq); service mesh (Istio/Linkerd — xizmatlararo — 2.6). Tanlov: oddiy tayyor (Kong/Nginx — kam kod); maxsus biznes mantiq custom (NestJS); juda katta tizim service mesh. Ko'p loyiha uchun tayyor Gateway yetadi (g'ildirakni qayta ixtiro qilmaslik).

2.4. Request aggregation (javoblarni birlashtirish)

text
  AGGREGATION — bir so'rovga bir necha xizmatdan ma'lumot:

  Mijoz: "buyurtma sahifasi" (1 so'rov)
   Gateway:
      ├ Order Service (buyurtma)
      ├ User Service (mijoz)
      └ Product Service (mahsulotlar)
   birlashtirilgan javob (mijoz 1 so'rov yubordi, Gateway 3 ta qildi)

   Mijoz 1 so'rov (under-fetching yo'q — mobil uchun muhim)
   Gateway murakkablashadi (yoki BFF — 2.5; yoki GraphQL — 8.17)

Request aggregation (javoblarni birlashtirish): mijoz bitta so'rov yuboradi (buyurtma sahifasi), Gateway bir necha xizmatdan ma'lumot yig'ib birlashtiradi (order + user + products). Mijoz 1 so'rov (under-fetching yo'q — mobil/sekin tarmoq uchun muhim — REST'ning under-fetching muammosi — 8.17: 2.2). Lekin Gateway murakkablashadi (yoki BFF — 2.5, yoki GraphQL — 8.17 — aggregation uchun ideal). Aggregation — mijoz tajribasi (kam so'rov).

2.5. BFF (Backend for Frontend)

text
  BFF — har MIJOZ TURI uchun maxsus Gateway:

  Mobil ilova ── Mobil BFF (ixcham javob — bandwidth/kichik ekran)
  Veb sayt   ── Veb BFF (boy ma'lumot — desktop)
  Admin panel── Admin BFF (ko'proq ruxsat, batafsil)
                     │
                     ▼ (har BFF ichki xizmatlarga)
                User, Order, Product Services

   Har mijoz o'z ehtiyojiga mos javob (mobil — kam; veb — ko'p)
   Mijoz mantig'i BFF'da (frontend jamoasi boshqaradi)
   Bir umumiy Gateway hammaga mos kelmaganda (mobil ≠ veb)

BFF (Backend for Frontend — Gateway naqshi): har mijoz turi uchun maxsus Gateway. Mobil BFF (ixcham javob — bandwidth/kichik ekran), veb BFF (boy ma'lumot — desktop), admin BFF (ko'proq ruxsat). Nega: bir umumiy Gateway hamma mijozga mos kelmaydi (mobil kam ma'lumot, veb ko'p — bir javob ikkalasiga noqulay). Har BFF mijoz ehtiyojiga moslaydi (transformatsiya, filtr). Frontend jamoasi BFF'ni boshqaradi (Conway — 9.5: 2.5). Ko'p turli mijoz bo'lganda foydali.

2.6. Gateway vs Service Mesh

text
  API GATEWAY — "North-South" (tashqi  ichki):
  Mijoz (tashqi)  Gateway  xizmatlar
   auth, rate limit, routing (tashqi so'rovlar)

  SERVICE MESH — "East-West" (xizmat  xizmat — ichki):
  Xizmat A  [sidecar proxy]  Xizmat B (har xizmat yonida proxy)
   ichki aloqa: retry, circuit breaker 9.6-bob, mTLS, tracing
   Istio, Linkerd (Kubernetes — 10)

   Ular RAQOBATCHI EMAS — birga (Gateway tashqi, Mesh ichki)
   Kichik tizim: faqat Gateway; katta: Gateway + Mesh

Gateway vs Service Mesh: Gateway — "North-South" (tashqiichki — mijoz so'rovlari: auth/rate limit/routing); Service Mesh (Istio/Linkerd) — "East-West" (xizmatxizmat ichki — sidecar proxy: retry/circuit breaker/mTLS/tracing — 9.6). Ular raqobatchi emas — birga ishlaydi (Gateway tashqi eshik, Mesh ichki aloqa). Kichik tizim: faqat Gateway (yetadi); juda katta (ko'p xizmat): Gateway + Mesh. Service mesh — qo'shimcha murakkablik (faqat katta tizimga — 9.5).

2.7. Service Discovery muammosi (xizmatlar bir-birini topishi)

text
  MUAMMO: xizmatlar IP'si DOIM O'ZGARADI (dinamik muhit):
  - Kubernetes har deploy'da yangi IP (10)
  - Auto-scaling — yangi nusxalar qo'shiladi/o'chadi
  - Xizmat ko'chadi (boshqa server)

   Hardcode IP (http://192.168.1.5:3001) — deploy'da buziladi!

  SERVICE DISCOVERY — xizmatlar bir-birini DINAMIK topadi:
  - Service registry — "kim qayerda" jadvali (doim yangi)
  - Xizmat ro'yxatdan o'tadi (register); boshqalar topadi (discover)

Service Discovery muammosi: xizmatlar IP'si doim o'zgaradi (Kubernetes har deploy'da yangi IP, auto-scaling yangi nusxa, ko'chish — 10). Hardcode IP (http://192.168.1.5) — deploy'da buziladi (eng keng xato). Service discovery — xizmatlar bir-birini dinamik topadi: service registry ("kim qayerda" jadvali — doim yangilanadi), xizmat register (ro'yxatdan o'tadi), boshqalar discover (topadi). Dinamik muhitda majburiy (statik IP ishlamaydi).

2.8. Client-side vs Server-side discovery

text
  CLIENT-SIDE DISCOVERY:
  Xizmat A  registry'dan B manzilini SO'RAYDI  to'g'ridan B'ga
   Kam tarmoq sakrash;  har xizmat discovery mantig'i (klient)

  SERVER-SIDE DISCOVERY:
  Xizmat A  load balancer/Gateway  registry  B
   Klient oddiy (discovery — infra ishi);  qo'shimcha sakrash
   Kubernetes Service (DNS) — server-side (eng keng, oson)

   Kubernetes'da: Service DNS (order-service:3001) — discovery avtomatik
   IP o'zgaradi, lekin DNS nomi barqaror (Kubernetes hal qiladi)

Client-side vs server-side discovery: client-side (xizmat registry'dan manzilni so'rab, to'g'ridan — kam sakrash, lekin har xizmat discovery mantig'i); server-side (load balancer/Gateway registry orqali — klient oddiy, lekin qo'shimcha sakrash). Kubernetes Service (DNS) — server-side, eng keng: xizmat DNS nomi (order-service:3001) barqaror, IP o'zgaradi lekin Kubernetes DNS'ni yangilaydi (discovery avtomatik — qo'lda registry kerak emas). Kubernetes'da discovery — built-in (10). Bu — zamonaviy eng oson usul.

2.9. Service Registry (Consul, Eureka, Kubernetes)

text
  SERVICE REGISTRY — "kim qayerda" markaziy jadvali:
  - Consul (HashiCorp): registry + health + KV + DNS
  - Eureka (Netflix): Java dunyosi (Spring)
  - Kubernetes: built-in (Service + DNS — eng keng — 10)
  - etcd, Zookeeper: pastroq daraja

  ISH JARAYONI:
  1. Xizmat ishga tushadi  registry'ga REGISTER (men shu manzilda)
  2. Health check — registry sog'lom xizmatlarni biladi 2.10-bob
  3. Boshqa xizmat  registry'dan SO'RAYDI (B qayerda?)
  4. Xizmat o'chsa  registry'dan chiqariladi (deregister)

   Kubernetes ishlatayotgan bo'lsangiz — built-in (qo'shimcha registry kerak emas)

Service Registry ("kim qayerda" markaziy jadvali): Consul (HashiCorp — registry+health+DNS), Eureka (Netflix/Java), Kubernetes (built-in — Service+DNS — eng keng — 10), etcd/Zookeeper (pastroq). Ish: xizmat ishga tushadi register health check 2.10-bob boshqalar so'raydi o'chsa deregister. Kubernetes ishlatsangiz — registry built-in (qo'shimcha Consul/Eureka kerak emas — Service+DNS hal qiladi). Bu — eng zamonaviy yondashuv (10). Consul — Kubernetes'siz yoki multi-cloud.

2.10. Health check (sog'lom xizmatlar)

text
  HEALTH CHECK — xizmat "tirik va sog'lom"mi (registry/load balancer uchun):
  - /health endpoint 8.15-bob — xizmat javob beradimi
  - Liveness: tirikmi (yiqilsa — qayta ishga tushirish)
  - Readiness: so'rov qabul qilishga tayyormi (DB ulanganmi, warm-up)

   Registry/Gateway faqat SOG'LOM xizmatlarga yo'naltiradi
   Kasal xizmat — chiqariladi (so'rov yuborilmaydi — circuit breaker — 9.6)

  Kubernetes: livenessProbe + readinessProbe (avtomatik — 10)

Health check (sog'lom xizmatlar — registry/load balancer uchun): /health endpoint 8.15-bob, liveness (tirikmi — yiqilsa qayta ishga tushirish), readiness (so'rov qabul qilishga tayyormi — DB ulangan, warm-up tugagan). Registry/Gateway faqat sog'lom xizmatlarga yo'naltiradi (kasal — chiqariladi, so'rov yuborilmaydi — circuit breaker 9.6 bilan). Kubernetes — livenessProbe+readinessProbe (avtomatik — 10). Health check — ishonchlilikning asosi (kasal xizmatga so'rov bormaydi).

2.11. Gateway xavfsizligi va ishonchliligi (14)

text
   Auth Gateway'da (token tekshirish — 8.9 — bir joyda — 2.2)
   Rate limiting (DoS himoyasi — 5.20, 8.16)
   SSL/TLS termination (HTTPS — Gateway'da)
   Ichki xizmatlar tashqaridan YOPIQ (faqat Gateway orqali)
   Gateway — single point of failure  HA (ko'p nusxa, load balancer)
   Request validation (Gateway'da — ichki xizmatga toza)
   Monitoring/tracing (markazlashgan — barcha so'rov o'tadi — 10)
   Gateway yiqilsa — hammasi yiqiladi  yuqori mavjudlik (HA) majburiy

Gateway xavfsizligi/ishonchliligi (14): auth Gateway'da (bir joyda — 2.2), rate limiting (DoS — 5.20), SSL/TLS termination, ichki xizmatlar tashqaridan yopiq (faqat Gateway orqali — xavfsizlik), request validation, monitoring/tracing (markaziy — barcha so'rov o'tadi — 10). Gateway — single point of failure (yiqilsa hammasi) yuqori mavjudlik (HA) majburiy (ko'p nusxa + load balancer). Gateway markaziy — kuchli (markazlashtirish), lekin kritik (ishonchli bo'lishi shart). HA — Gateway uchun majburiy.

2.12. Best practices (Gateway/discovery)

text
  GATEWAY:
   Yagona kirish (auth/rate limit/routing markazlashgan — 2.1, 2.2)
   Tayyor vosita (Kong/Nginx) yoki custom (NestJS) — ehtiyojga 2.3-bob
   BFF (ko'p mijoz turi — 2.5); aggregation (kam so'rov — 2.4)
   Ichki xizmatlar yopiq (faqat Gateway — 2.11)
   HA (single point of failure — ko'p nusxa — 2.11)

  DISCOVERY:
   Hardcode IP'dan qoch (dinamik discovery — 2.7)
   Kubernetes Service DNS (built-in — eng oson — 2.8, 2.9)
   Health check (sog'lom xizmat — 2.10)
   Consul/Eureka (Kubernetes'siz — 2.9)

2.13. Protokol tarjimasi va transformatsiya (REST gRPC)

text
  PROTOKOL TARJIMASI — Gateway tashqi va ichki protokolni "tarjima" qiladi:

  Mijoz (brauzer/mobil) ── REST/JSON (HTTP/1.1) ── Gateway
                                                      │ ichki: gRPC/Protobuf 9.6-bob
                                                      ▼
                                              User, Order Services (gRPC)

   Tashqi: REST/JSON (brauzer tushunadi, oddiy, universal)
   Ichki: gRPC (tez, binar, tiplangan — xizmatlararo — 9.6)
   Gateway JSON'ni Protobuf'ga (va aksincha) tarjima qiladi

  TRANSFORMATSIYA — so'rov/javob shaklini o'zgartirish:
  - Request: header qo'shish (X-User-Id — auth'dan), yo'l qayta yozish
    (/v1/users  /users), body normallashtirish
  - Response: ichki maydonlarni yashirish (parol_hash, internal_id),
    format moslashtirish (mobil uchun soddalashtirish — BFF 2.5)

Protokol tarjimasi: Gateway tashqi protokol (REST/JSON — brauzer/mobil universal tushunadi) bilan ichki protokol (gRPC/Protobuf — tez, binar, tiplangan xizmatlararo aloqa — 9.6) o'rtasida tarjimon vazifasini bajaradi. Mijoz REST yuboradi, Gateway uni gRPC'ga aylantirib ichki xizmatga uzatadi, javobni yana JSON'ga qaytaradi. Bu tashqi mijozni ichki texnologiyadan ajratadi (mijoz gRPC bilmaydi — faqat REST ko'radi). Transformatsiya: Gateway so'rov/javob shaklini o'zgartiradi — so'rovga header qo'shadi (X-User-Id — auth token'dan olib), yo'lni qayta yozadi (/v1/users ichki /users), javobdan ichki/maxfiy maydonlarni (parol_hash, internal_id) olib tashlaydi. Transformatsiya — mijoz va ichki xizmat shartnomasini bir-biridan mustaqil qiladi (biri o'zgarsa, Gateway moslaydi — ikkinchisi tegilmaydi).

2.14. Load balancing algoritmlari (yuk taqsimlash)

text
  LOAD BALANCING — so'rovni bir necha xizmat NUSXASIGA taqsimlash:

  Gateway/LB ──┬── Order Svc #1
               ├── Order Svc #2   (3 nusxa — yuk bo'linadi)
               └── Order Svc #3

  ALGORITMLAR:
  - Round-robin: navbat bilan (#1, #2, #3, #1... — eng oddiy, teng)
  - Least-connections: eng kam faol ulanishga (nomutanosib yuk uchun)
  - Weighted: og'irlik bilan (kuchli server #1  2x, kuchsiz #3  1x)
  - IP-hash: bir mijoz IP  doim bir nusxa (sticky — sessiya uchun)
  - Random: tasodifiy (oddiy, katta miqyosda teng taqsimlanadi)

   Sog'lom nusxalarga (health check 2.10) — kasal chiqariladi
   Caching/sessiya bilan bog'liq (IP-hash — 9.9 load balancing chuqur)

Load balancing algoritmlari (yuk taqsimlash — bir xizmatning bir necha nusxasiga so'rovlarni bo'lish): round-robin (navbat bilan #1#2#3#1 — eng oddiy, nusxalar teng bo'lsa yaxshi), least-connections (ayni damda eng kam faol ulanishga — so'rovlar turli davomiylikda bo'lsa mos), weighted (og'irlik bilan — kuchli serverga ko'proq, masalan #1 ikki barobar), IP-hash (bir mijoz IP'si doim bir nusxaga — "sticky session", sessiya xotirada bo'lsa kerak), random (tasodifiy — katta miqyosda amalda teng). Load balancer faqat sog'lom nusxalarga yuboradi (health check — 2.10 — kasal nusxa navbatdan chiqariladi). IP-hash'dan qochish yaxshiroq — sessiyani stateless qiling (JWT/Redis — 5.20), shunda har nusxa bir xil ishlaydi (haqiqiy gorizontal miqyoslash). Load balancing algoritmlari 9.9'da (keyingi bob) chuqurroq ochiladi.

2.15. Ro'yxatdan o'tish usullari va DNS-based discovery

text
  RO'YXATDAN O'TISH (registration) — kim registry'ga yozadi:

  SELF-REGISTRATION — xizmat O'ZI yozadi:
  Xizmat ishga tushadi  registry'ga o'zini register (Consul kliyent — 2.9)
   Oddiy (tashqi komponent kerak emas)
   Xizmatga discovery mantig'i "aralashadi" (kod ichida register/deregister)

  THIRD-PARTY REGISTRATION — TASHQI komponent yozadi (registrar):
  Registrar (orkestrator) xizmatni kuzatadi  registry'ga yozadi/o'chiradi
   Xizmat "toza" (discovery bilmaydi — biznes mantiqqa e'tibor)
   Qo'shimcha komponent (lekin Kubernetes buni O'ZI qiladi)
   Kubernetes: pod ishga tushsa, Service/endpoint AVTOMATIK (3rd-party)

  DNS-BASED DISCOVERY — registry DNS orqali:
  Xizmat B'ni topish = DNS so'rov (order-service  IP)
   Universal (har til DNS'ni biladi — maxsus kliyent kerak emas)
   Kubernetes kube-dns, Consul DNS interfeysi (2.8)

Ro'yxatdan o'tish usullari: self-registration — xizmat o'zini registry'ga yozadi (ishga tushganda register, o'chganda deregister — Misol 7 Consul). Oddiy, lekin xizmat kodiga discovery mantig'i aralashadi. Third-party registrationtashqi komponent (registrar/orkestrator) xizmatlarni kuzatib, registry'ni o'zi yangilaydi. Xizmat "toza" qoladi (discovery'ni bilmaydi — faqat biznes mantiq). Kubernetes aynan third-party ishlaydi: pod ishga tushganda, Kubernetes uning endpoint'ini avtomatik Service'ga qo'shadi (xizmat hech nima qilmaydi). DNS-based discovery — topish oddiy DNS so'rovi orqali (order-service nomi joriy IP): universal (har dasturlash tili DNS'ni tushunadi — maxsus kutubxona kerak emas). Kubernetes kube-dns/CoreDNS va Consul'ning DNS interfeysi shu asosda ishlaydi 2.8-bob. Zamonaviy tavsiya: third-party + DNS-based (Kubernetes) — xizmat kodiga eng kam aralashuv.

2.16. Kubernetes service discovery (Service, kube-dns) — 10-QISM

text
  KUBERNETES DISCOVERY (built-in — qo'shimcha registry kerak emas):

  1. Deployment  Pod'lar (har biri o'z IP'si, o'zgaruvchan)
  2. Service  Pod'lar oldida BARQAROR nom + ClusterIP:
       apiVersion: v1
       kind: Service
       metadata: { name: order-service }
       spec:
         selector: { app: order }        # shu yorliqli pod'lar
         ports: [{ port: 3002 }]
  3. kube-dns/CoreDNS  "order-service" nomini ClusterIP'ga hal qiladi
  4. Boshqa xizmat: http://order-service:3002 (nom barqaror — IP emas)

   Service = registry + load balancer + DNS (hammasi bitta)
   Pod o'lsa/scale bo'lsa — Service endpoint'ni avtomatik yangilaydi
   To'liq: 10-QISM (Kubernetes)

Kubernetes service discovery (10-QISM cross-ref): Kubernetes'da discovery built-in — alohida Consul/Eureka kerak emas. Pod'lar (xizmat nusxalari) o'zgaruvchan IP'ga ega, lekin ular ustidagi Service obyekti barqaror nom va ClusterIP beradi. kube-dns (CoreDNS) order-service nomini joriy ClusterIPga hal qiladi, u esa sog'lom pod'larga yuk taqsimlaydi. Kubernetes Service bir vaqtning o'zida registry + load balancer + DNS — uchtasi birga. Pod o'lganda yoki scale bo'lganda, Kubernetes Service'ning endpoint ro'yxatini avtomatik yangilaydi (xizmat kodi tegilmaydi — third-party registration, 2.15). Shuning uchun Kubernetes muhitida http://order-service:3002 yozish yetarli — bu bob'dagi Consul/Eureka mexanizmini Kubernetes o'z ichiga oladi. To'liq tafsilot 10-QISMDA.

2.17. TLS/mTLS va Gateway anti-pattern'lar

text
  TLS (bir tomonlama) — SERVER o'zini isbotlaydi (HTTPS):
  Mijoz  [TLS]  Gateway (sertifikat: "men haqiqiy gateway")
   Gateway'da SSL termination: HTTPS shu yerda tugaydi 2.11-bob

  mTLS (o'zaro TLS) — IKKALA tomon isbotlaydi (ichki xizmatlararo):
  Xizmat A  [mTLS]  Xizmat B (ikkalasi ham sertifikat ko'rsatadi)
   "Zero trust" — ichki tarmoqda ham ishonch yo'q (2.6 service mesh)
   Istio/Linkerd mTLS'ni AVTOMATIK beradi (sidecar — 2.6)

  ANTI-PATTERN'LAR (Gateway'da QILMANG):
   Biznes mantiq Gateway'da (narx hisoblash, buyurtma qoidasi)
      Gateway faqat yo'naltiradi; biznes mantiq XIZMATDA (9.1, 9.5)
   Bitta ulkan Gateway (God object) — hamma narsa unda
   Gateway'ni SPOF qilib qoldirish (HA'siz — 2.11)
   Har o'zgarishda Gateway'ni deploy (mahkam bog'lanish)

TLS/mTLS: TLS (bir tomonlama — HTTPS) da faqat server o'zini sertifikat bilan isbotlaydi; mijozGateway aloqasi shifrlanadi va Gateway'da SSL termination bo'ladi 2.11-bob. mTLS (o'zaro TLS) da ikkala tomon ham sertifikat ko'rsatadi — bu ichki xizmatlararo aloqada ishlatiladi ("zero trust" — ichki tarmoqqa ham ko'r-ko'rona ishonilmaydi). Har xizmatga qo'lda sertifikat qo'yish o'rniga service mesh (Istio/Linkerd — 2.6) mTLS'ni sidecar orqali avtomatik beradi. Gateway anti-pattern'lari ( qilmang): (1) biznes mantiqni Gateway'ga solish — narx hisoblash, buyurtma qoidasi Gateway'da bo'lmasin, ular xizmatda turishi kerak (Gateway faqat cross-cutting: routing/auth/rate limit — 9.1 SRP); (2) hamma narsani o'z ichiga olgan ulkan "God" Gateway; (3) Gateway'ni HA'siz SPOF holida qoldirish 2.11-bob; (4) har mayda o'zgarishda Gateway'ni qayta deploy qilishga majbur qiladigan mahkam bog'lanish. Oltin qoida: Gateway "yupqa" bo'lsin — u yo'naltiradi va cross-cutting bajaradi, aql (biznes mantiq) xizmatlarda qoladi.


3. Sintaksis — tez ma'lumotnoma

text
GATEWAY 2.2-bob: routing + auth + rate limit + aggregation + CORS (markaziy)
BFF 2.5-bob: har mijoz turi (mobil/veb/admin) — maxsus gateway
Gateway vs Mesh 2.6-bob: Gateway (tashqi N-S); Mesh (ichki E-W)

Protokol 2.13-bob: tashqi REST/JSON  ichki gRPC/Protobuf (Gateway tarjima)
Load balancing 2.14-bob: round-robin / least-conn / weighted / IP-hash / random

DISCOVERY 2.7-bob: registry (kim qayerda) — register/discover/deregister
Registration 2.15-bob: self (xizmat o'zi) vs third-party (Kubernetes avtomatik)
Kubernetes 2.16-bob: Service + kube-dns (order-service:3001 — barqaror nom)
Health 2.10-bob: /health — liveness + readiness
TLS 2.17-bob: TLS (server) vs mTLS (ikkala tomon — zero trust)

3.1. Gateway vositalari taqqoslash

Vosita Tur Til/muhit Kuchli tomoni Qachon
Kong Tayyor (Nginx+Lua) Til-agnostik Boy plugin ekotizimi, DB/DB-siz Umumiy, plugin ko'p kerak
KrakenD Tayyor (Go) Til-agnostik Stateless, aggregation'ga kuchli, tez Yuqori yuk, aggregation
Nginx Tayyor (reverse proxy) Til-agnostik Yengil, keng tarqalgan, sinovdan o'tgan Oddiy routing/SSL/LB
Traefik Tayyor (Go) Til-agnostik Auto-discovery, Kubernetes-native Konteyner/Kubernetes
AWS API Gateway Boshqariladigan (cloud) Til-agnostik Serverless, boshqarish yo'q, Lambda AWS ekotizim
Ocelot Kutubxona (.NET) C#/.NET .NET ichida, kodda nazorat .NET mikroservis
NestJS (custom) Custom Node/TS To'liq nazorat, maxsus mantiq Node stack, maxsus ehtiyoj

Taqqoslash izohi: Kong — eng keng plugin ekotizimi (auth/rate limit/transform tayyor). KrakenD — stateless va aggregation'ga ixtisoslashgan (Go — tez). Nginx — yengil, oddiy routing/SSL/load balancing uchun klassik. Traefik — konteyner/Kubernetes muhitida xizmatlarni avtomatik aniqlaydi (label orqali). AWS API Gateway — boshqariladigan (infratuzilma tashvishi yo'q, Lambda bilan integratsiya). Ocelot — .NET dunyosi uchun kutubxona (kodda). NestJS custom — to'liq nazorat kerak bo'lganda (Misol 1). Umumiy tavsiya: standart ehtiyojga tayyor vosita (Kong/Traefik — g'ildirakni qayta ixtiro qilmaslik), maxsus biznes-aggregatsiya mantig'i kerak bo'lsagina custom (NestJS).


4. Batafsil kod namunalari

Misol 1 — NestJS API Gateway (8.16 davomi — 2.1, 2.2)

typescript
// API Gateway — yagona kirish (auth, routing)
@Controller()
export class GatewayController {
  constructor(
    @Inject("USER_SERVICE") private userClient: ClientProxy,
    @Inject("ORDER_SERVICE") private orderClient: ClientProxy,
  ) {}

  // Routing + auth (Gateway'da — bir joyda — 2.2)
  @Get("users/:id")
  @UseGuards(JwtAuthGuard)                            // AUTH Gateway'da (8.9 — har xizmatda emas)
  getUser(@Param("id") id: string) {
    return this.userClient.send({ cmd: "user.get" }, id);   // routing  User Svc (9.6)
  }

  @Post("orders")
  @UseGuards(JwtAuthGuard)
  @Throttle({ default: { limit: 10, ttl: 60000 } })  // RATE LIMIT Gateway'da (5.20)
  createOrder(@Body() dto: any, @CurrentUser() user) {
    return this.orderClient.send({ cmd: "order.create" }, { ...dto, userId: user.id });
  }
}
//  Auth/rate limit BIR JOYDA (Gateway) — ichki xizmatlar faqat biznes mantiq

Misol 2 — Request aggregation (2.4)

typescript
// Bir so'rovga bir necha xizmatdan (under-fetching yo'q — 2.4)
@Get("orders/:id/full")
@UseGuards(JwtAuthGuard)
async buyurtmaToliq(@Param("id") id: string) {
  // Parallel (Promise.all — tez — 9.6)
  const [order, user, products] = await Promise.all([
    firstValueFrom(this.orderClient.send({ cmd: "order.get" }, id)),
    firstValueFrom(this.userClient.send({ cmd: "user.get" }, /* userId */)),
    firstValueFrom(this.productClient.send({ cmd: "products.byOrder" }, id)),
  ]);
  // Birlashtirilgan javob (mijoz 1 so'rov yubordi — 2.4)
  return { ...order, user, products };
}
//  Mijoz 1 so'rov, Gateway 3 ta qildi (mobil uchun muhim — kam so'rov)
//  murakkab aggregation  GraphQL afzal (8.17)

Misol 3 — BFF (mobil vs veb — 2.5)

typescript
// Mobil BFF — ixcham javob (bandwidth)
@Controller("mobile")
export class MobileBffController {
  @Get("products")
  async products() {
    const products = await firstValueFrom(this.productClient.send({ cmd: "products.all" }, {}));
    // Mobil uchun IXCHAM (faqat kerakli maydonlar — 2.5)
    return products.map((p) => ({ id: p.id, nom: p.nom, narx: p.narx, rasm: p.thumbnail }));
  }
}

// Veb BFF — boy ma'lumot (desktop)
@Controller("web")
export class WebBffController {
  @Get("products")
  async products() {
    const products = await firstValueFrom(this.productClient.send({ cmd: "products.all" }, {}));
    // Veb uchun BOY (to'liq ma'lumot — 2.5)
    return products;   // barcha maydon (tavsif, sharhlar, o'xshash...)
  }
}
//  Har mijoz o'z ehtiyojiga mos (mobil kam, veb ko'p — 2.5)

Misol 4 — Kong Gateway (tayyor vosita — 2.3)

yaml
# kong.yml — deklarativ Gateway (auth, rate limit — plugin)
services:
  - name: user-service
    url: http://user-service:3001        # service discovery (DNS — 2.8)
    routes:
      - paths: ["/users"]
    plugins:
      - name: jwt                         # AUTH (plugin — kod yozmasdan)
      - name: rate-limiting               # RATE LIMIT
        config: { minute: 60 }
      - name: cors

  - name: order-service
    url: http://order-service:3002
    routes:
      - paths: ["/orders"]
    plugins:
      - name: jwt
#  Tayyor Gateway — plugin bilan (kod kam — 2.3); custom mantiq kerak bo'lsa NestJS

Misol 5 — Service discovery: Kubernetes DNS (2.8)

typescript
// Kubernetes — Service DNS (IP emas, BARQAROR nom — 2.8)
//  Hardcode IP (deploy'da buziladi)
// const userUrl = "http://192.168.1.5:3001";

//  Kubernetes Service DNS (barqaror — IP o'zgarsa ham nom bir xil)
@Module({
  imports: [
    ClientsModule.register([
      {
        name: "USER_SERVICE",
        transport: Transport.TCP,
        options: { host: "user-service", port: 3001 },   // DNS nom (Kubernetes — 2.8)
      },
    ]),
  ],
})
export class GatewayModule {}
//  "user-service" — Kubernetes Service nomi (DNS)  joriy sog'lom IP'ga (avtomatik — 2.9)
//  IP o'zgaradi, deploy bo'ladi, scale bo'ladi — nom o'zgarmaydi (discovery avtomatik)

Misol 6 — Health check (liveness/readiness — 2.10)

typescript
// Health endpoint (Kubernetes probe + Gateway — 2.10, 8.15)
@Controller("health")
export class HealthController {
  constructor(
    private health: HealthCheckService,
    private db: TypeOrmHealthIndicator,
    private redis: RedisHealthIndicator,
  ) {}

  @Get("live")                                        // LIVENESS — tirikmi
  @HealthCheck()
  liveness() {
    return this.health.check([]);                     // oddiy — jarayon javob beradimi
  }

  @Get("ready")                                       // READINESS — tayyormi (2.10)
  @HealthCheck()
  readiness() {
    return this.health.check([
      () => this.db.pingCheck("database"),            // DB ulanganmi
      () => this.redis.checkHealth("redis"),          // Redis tayyormi
    ]);
  }
}
// Kubernetes: livenessProbe  /health/live; readinessProbe  /health/ready (10)
//  readiness FALSE  Gateway/registry so'rov yubormaydi (warm-up/DB uzilgan)

Misol 7 — Consul service discovery (Kubernetes'siz — 2.9)

typescript
// Consul — xizmat ro'yxatdan o'tadi (register) va topadi (discover)
import Consul from "consul";

@Injectable()
export class ServiceRegistry implements OnModuleInit, OnModuleDestroy {
  private consul = new Consul({ host: "consul" });
  private serviceId = `order-service-${process.pid}`;

  async onModuleInit() {
    // REGISTER — men shu manzildaman (2.9)
    await this.consul.agent.service.register({
      id: this.serviceId, name: "order-service",
      address: process.env.HOST, port: 3002,
      check: { http: "http://localhost:3002/health/ready", interval: "10s" },   // health (2.10)
    });
  }
  async onModuleDestroy() {
    await this.consul.agent.service.deregister(this.serviceId);   // chiqish (2.9)
  }

  // DISCOVER — boshqa xizmatni topish
  async topish(name: string): Promise<{ host: string; port: number }> {
    const services = await this.consul.health.service({ service: name, passing: true });   // sog'lom
    const s = services[0].Service;
    return { host: s.Address, port: s.Port };
  }
}

Misol 7b — Protokol tarjimasi va transformatsiya (2.13)

typescript
// Gateway: tashqi REST/JSON ni ichki gRPC ga TARJIMA qiladi (2.13)
@Controller("users")
export class UserGatewayController {
  // gRPC kliyent (ichki xizmat — 9.6)
  constructor(@Inject("USER_GRPC") private grpc: ClientGrpc) {}
  private svc: any;
  onModuleInit() { this.svc = this.grpc.getService("UserService"); }

  @Get(":id")
  @UseGuards(JwtAuthGuard)
  async getUser(@Param("id") id: string, @CurrentUser() user) {
    // 1) TASHQI: REST/JSON so'rov keldi (brauzer/mobil)
    // 2) TARJIMA: gRPC chaqiruvi (Protobuf — ichki, tez — 2.13, 9.6)
    const res = await firstValueFrom(
      this.svc.getUser({ id, requestedBy: user.id }),   // headerichki maydon (transform)
    );
    // 3) RESPONSE TRANSFORM: ichki/maxfiy maydonlarni OLIB TASHLASH (2.13)
    const { parol_hash, internal_notes, ...ochiq } = res;
    return ochiq;   // mijoz faqat ochiq maydonlarni ko'radi
  }
}
//  Mijoz REST ko'radi, ichkarida gRPC (mijoz ichki texnologiyani bilmaydi — 2.13)
//  parol_hash/internal_notes tashqariga CHIQMAYDI (javob transformatsiyasi)

Misol 7c — Load balancing (Nginx — algoritmlar — 2.14)

nginx
# Nginx upstream — bir xizmatning KO'P nusxasiga yuk taqsimlash (2.14)
upstream order_service {
    # ALGORITM tanlash (biri):
    least_conn;                      # eng kam ulanishga 2.14-bob — round-robin default
    # ip_hash;                       # sticky: bir IP  bir nusxa (sessiya — 2.14)

    server order-1:3002 weight=2;    # WEIGHTED — kuchli server 2x yuk (2.14)
    server order-2:3002 weight=1;
    server order-3:3002 weight=1 max_fails=3 fail_timeout=30s;  # health (2.10)
}

server {
    listen 443 ssl;                  # TLS termination (HTTPS — 2.11, 2.17)
    location /orders {
        proxy_pass http://order_service;   # LB qilingan xizmatga
        proxy_set_header X-Real-IP $remote_addr;   # header transform (2.13)
    }
}
#  least_conn/ip_hash/weighted — yuk profiliga qarab (2.14)
#  max_fails — kasal nusxa vaqtincha chiqariladi (health — 2.10)

Misol 7d — mTLS ichki xizmatlararo (zero trust — 2.17)

yaml
# Istio — ichki xizmatlararo mTLS AVTOMATIK (sidecar — 2.6, 2.17)
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT        # IKKALA tomon ham sertifikat MAJBUR (mTLS — 2.17)
#  Xizmat kodi TEGILMAYDI — Istio sidecar mTLS'ni o'zi qiladi (2.6)
#  "Zero trust": ichki tarmoqda ham har aloqa isbotlanadi (2.17)

Misol 7e — API kompozitsiya vs GraphQL federation (17-bob cross-ref)

text
  IKKI YO'L — ko'p xizmat ma'lumotini bitta javobga 2.4-bob:

  1) API KOMPOZITSIYA (Gateway aggregation — 2.4, Misol 2):
     Gateway KODDA bir necha xizmatni chaqiradi  qo'lda birlashtiradi
      Oddiy, aniq nazorat
      Har yangi kombinatsiyaga Gateway kodini yozish (qo'lda)

  2) GraphQL FEDERATION (17-bob):
     Har xizmat o'z GraphQL sxemasini beradi (subgraph)
     Gateway (Apollo Router) sxemalarni BIRLASHTIRADI (supergraph)
     Mijoz bitta so'rovda kerakli maydonlarni SO'RAYDI (deklarativ)
      Mijoz kerakligini oladi (over/under-fetching yo'q — 8.17)
      Yangi kombinatsiya — Gateway kodisiz (sxema hal qiladi)
      Qo'shimcha murakkablik (GraphQL, federation sozlash)

   Oddiy/kam kombinatsiya  API kompozitsiya (bu bob, 2.4)
   Ko'p mijoz, ko'p turli kombinatsiya  GraphQL federation (17-bob)

Misol 8 — Gateway xavfsizligi (ichki yopiq — 2.11)

text
  GATEWAY XAVFSIZLIK ARXITEKTURASI:

  Internet (tashqi)
       │ HTTPS
       ▼
  ┌─────────────┐
  │ API Gateway │   auth, rate limit, SSL 2.11-bob — YAGONA tashqi nuqta
  └──────┬──────┘
         │ ichki tarmoq (private — tashqaridan YOPIQ)
   ┌─────┼─────┐
   ▼     ▼     ▼
  User  Order  Product    ichki xizmatlar (internetdan KO'RINMAYDI)
        Services            (faqat Gateway orqali — 2.11)

   Ichki xizmatlar — private tarmoqda (firewall, Kubernetes NetworkPolicy)
   Faqat Gateway public; xizmatlar to'g'ridan murojaat qilib bo'lmaydi

Misol 9 — Gateway HA (single point of failure — 2.11)

text
  GATEWAY — single point of failure  HA (yuqori mavjudlik):

           Internet
              │
       ┌──────────────┐
       │Load Balancer │   Gateway oldida (Nginx/cloud LB — 10)
       └──────┬───────┘
        ┌─────┼─────┐
        ▼     ▼     ▼
     Gateway Gateway Gateway    KO'P nusxa (biri yiqilsa, boshqasi — 2.11)
        └─────┼─────┘
              ▼
        ichki xizmatlar

   Gateway yiqilsa hammasi yiqiladi  ko'p nusxa + load balancer
   Health check 2.10-bob — kasal Gateway'ni chiqaradi

Misol 10 — To'liq mikroservis infratuzilma

text
  TO'LIQ ARXITEKTURA (Gateway + discovery + xizmatlar):

  Mijoz (mobil/veb)
       │ HTTPS
       ▼
  Load Balancer  API Gateway (auth, rate limit, routing — 2.2)
                       │ (service discovery — DNS — 2.8)
        ┌──────────────┼──────────────┐
        ▼ gRPC         ▼ gRPC          ▼ gRPC
     User Svc      Order Svc       Product Svc
     /health       /health         /health       health check 2.10-bob
     (register)    (register)      (register)     registry/K8s DNS 2.9-bob
                       │ event (Kafka — 9.6, 9.7)
                       ▼
                 Notification, Analytics (asinxron)

  Komponentlar:
  - Load Balancer (Gateway HA — 2.11)
  - API Gateway (yagona kirish — 2.1)
  - Service Discovery (K8s DNS / Consul — 2.8, 2.9)
  - Health check (sog'lom — 2.10)
  - gRPC (ichki — 9.6) + event (async — 9.7)

5. To'g'ri va noto'g'ri holatlar

1) Mijoz har xizmatga to'g'ridan

text
 Gateway'siz (auth takror, tuzilma oshkor — 2.1)
 API Gateway (yagona kirish)

2) Hardcode IP

text
 http://192.168.1.5 (deploy'da buziladi — 2.7)
 service discovery (DNS / registry)

3) Auth har xizmatda

text
 har xizmat token tekshiradi (takror — 2.2)
 Gateway'da (bir joyda)

4) Gateway HA'siz

text
 bitta Gateway (yiqilsa hammasi — 2.11)
 ko'p nusxa + load balancer

5) Ichki xizmatlar ochiq

text
 xizmatlar internetdan ko'rinadi (xavfsizlik — 2.11)
 private tarmoq (faqat Gateway public)

6) Biznes mantiq Gateway'da

text
 narx hisoblash/buyurtma qoidasi Gateway'da (God object — 2.17)
 Gateway yupqa (routing/auth); biznes mantiq xizmatda (9.1)

7) Sticky session (IP-hash) ga bog'lanib qolish

text
 sessiya xizmat xotirasida  IP-hash majbur (miqyoslash qiyin — 2.14)
 stateless sessiya (JWT/Redis)  har nusxa teng (round-robin — 2.14)

6. Keng tarqalgan xatolar va yechimlari

Xato 1 — Deploy'dan keyin xizmat topilmadi

Sababi: hardcode IP 2.7-bob. Yechimi: service discovery (DNS).

Xato 2 — Gateway bottleneck (sekin)

Sababi: bitta Gateway, og'ir mantiq. Yechimi: HA (ko'p nusxa); yengil Gateway.

Xato 3 — Kasal xizmatga so'rov ketdi

Sababi: health check yo'q 2.10-bob. Yechimi: liveness/readiness probe.

Xato 4 — Ichki xizmat tashqaridan hujum

Sababi: xizmatlar ochiq 2.11-bob. Yechimi: private tarmoq + NetworkPolicy.

Xato 5 — Aggregation sekin

Sababi: ketma-ket so'rov 2.4-bob. Yechimi: Promise.all (parallel); GraphQL.

Xato 6 — Gateway yiqildi, hammasi to'xtadi

Sababi: single point of failure 2.11-bob. Yechimi: HA (load balancer + ko'p nusxa).

Xato 7 — Gateway "semirib" ketdi (biznes mantiq to'plandi)

Sababi: biznes qoidalar Gateway'ga solingan (anti-pattern — 2.17). Yechimi: mantiqni xizmatga ko'chir; Gateway faqat cross-cutting (routing/auth/rate limit).

Xato 8 — Ichki maxfiy maydon javobda chiqib ketdi

Sababi: javob transformatsiyasi yo'q (parol_hash uzatildi — 2.13). Yechimi: Gateway'da response transform (faqat ochiq maydonlar — Misol 7b).

Xato 9 — Bir nusxa ortiqcha yuklandi, boshqalari bo'sh

Sababi: noto'g'ri LB algoritmi yoki sticky (IP-hash — 2.14). Yechimi: least-connections/weighted; sessiyani stateless qil.


7. Integratsiya — bu mavzu stack'ning qayerida uchraydi

  • Mikroservis (8.16, 9.5): Gateway.
  • Auth 8.9-bob: Gateway'da.
  • Rate limit 5.20-bob: Gateway'da.
  • gRPC/queue 9.6-bob: ichki aloqa.
  • Health 8.15-bob: check.
  • Kubernetes (10): Service, kube-dns, probe 2.16-bob.
  • Load balancing 9.9-bob: algoritmlar chuqur 2.14-bob.
  • GraphQL (8.17, 17): aggregation, federation (Misol 7e).
  • Service mesh 2.6-bob: mTLS, East-West 2.17-bob.
  • Frontend (11): BFF.

8. Eng yaxshi amaliyotlar (best practices)

  • Yagona kirish (auth/rate limit/routing markazlashgan — 2.1, 2.2).
  • Tayyor vosita yoki custom (ehtiyojga — Kong/NestJS — 2.3).
  • BFF (ko'p mijoz turi — 2.5); aggregation (kam so'rov — 2.4).
  • Ichki xizmatlar yopiq (faqat Gateway — 2.11).
  • Gateway HA (single point of failure — 2.11).
  • Hardcode IP'dan qoch (discovery — 2.7).
  • Kubernetes Service DNS (built-in — eng oson — 2.8).
  • Health check (liveness/readiness — 2.10).
  • Consul/Eureka (Kubernetes'siz — 2.9); third-party + DNS-based (Kubernetes — 2.15).
  • Gateway vs Mesh (tashqi vs ichki — 2.6); mTLS ichkarida (zero trust — 2.17).
  • Gateway yupqa — biznes mantiq xizmatda (anti-pattern'dan qoch — 2.17).
  • Protokol tarjimasi (tashqi REST, ichki gRPC — 2.13); ichki maydonlarni javobdan yashir 2.13-bob.

9. Amaliy loyiha: "API Gateway + Service Discovery"

Gateway va discovery'ni amalda mustahkamlash.

Maqsad

Mikroservis uchun to'liq Gateway: routing, auth, rate limit, aggregation, BFF, discovery, health.

Talablar (requirements)

  1. Gateway: routing + auth + rate limit (Misol 1, 2.2).
  2. Aggregation: ko'p xizmat ma'lumoti (Misol 2, 2.4).
  3. BFF: mobil vs veb (Misol 3, 2.5).
  4. Tayyor vosita (muqobil): Kong config (Misol 4, 2.3).
  5. Protokol tarjimasi: RESTgRPC + transformatsiya (Misol 7b, 2.13).
  6. Load balancing: algoritm tanlash (Misol 7c, 2.14).
  7. Service discovery: Kubernetes DNS (Misol 5, 2.8, 2.16).
  8. Health check: liveness/readiness (Misol 6, 2.10).
  9. Consul (muqobil): register/discover (Misol 7, 2.9, 2.15).
  10. mTLS: ichki zero trust (Misol 7d, 2.17).
  11. Xavfsizlik: ichki yopiq (Misol 8, 2.11).
  12. HA: ko'p nusxa + LB (Misol 9, 2.11).
  13. To'liq infratuzilma: hammasi birga (Misol 10).

Maslahatlar (hint)

  • Auth Gateway'da (2.2, 3-holat).
  • Discovery (hardcode emas — 2.7, 1-xato).
  • Health check (2.10, 3-xato).
  • Aggregation parallel (2.4, 5-xato).
  • Ichki yopiq (2.11, 5-holat).
  • Gateway HA (2.11, 6-xato).

"Tayyor" mezonlari (acceptance criteria)

  • Gateway (routing/auth/rate limit).
  • Aggregation.
  • BFF.
  • Tayyor vosita.
  • Protokol tarjimasi/transformatsiya.
  • Load balancing algoritmi.
  • Service discovery.
  • Health check.
  • Consul.
  • mTLS (ichki).
  • Xavfsizlik (ichki yopiq).
  • HA.
  • To'liq infratuzilma.

Yechim kodi ataylab berilmagan — bu loyihani o'zingiz yozib ko'ring.


10. Xulosa va keyingi bobga ko'prik

Bu bobda API Gateway va service discovery'ni chuqur o'rgandik:

  • API Gateway (yagona kirish — 2.1); vazifalar (routing/auth/rate limit/aggregation — 2.2); vositalar taqqoslash (2.3, 3.1); aggregation 2.4-bob; BFF 2.5-bob; Gateway vs Mesh 2.6-bob; protokol tarjimasi/transformatsiya 2.13-bob; load balancing algoritmlari 2.14-bob.
  • Service discovery (dinamik IP — 2.7); client/server-side 2.8-bob; registry (Consul/Eureka/Kubernetes — 2.9); ro'yxatdan o'tish (self/third-party, DNS-based — 2.15); Kubernetes discovery (Service/kube-dns — 2.16); health check 2.10-bob.
  • Xavfsizlik/HA 2.11-bob, TLS/mTLS va anti-pattern'lar 2.17-bob — Gateway kritik (single point of failure); biznes mantiq Gateway'da bo'lmasin.

Keyingi bob — 9.9: Caching strategiyalari, scalability, load balancing. Gateway/discovery'ni bildik; endi tizimni tez va katta yukka chidamli qiladigan mavzularni — caching strategiyalari (chuqur — 8.15 davomi), scalability (vertikal/gorizontal), load balancing — chuqur o'rganamiz.


Foydalanilgan rasmiy/ishonchli manbalar

  • Microservices.io (Chris Richardson) — API Gateway, Backend for Frontend, Client-side/Server-side Service Discovery, Service Registry, Self/Third-party Registration naqshlari
  • Kubernetes rasmiy hujjatlari — Service, DNS for Services and Pods (CoreDNS/kube-dns), Liveness/Readiness/Startup Probes
  • HashiCorp Consul rasmiy hujjatlari — Service Registration, Health Checks, DNS interfeysi
  • Kong rasmiy hujjatlari — Gateway, plugin arxitekturasi (JWT, rate limiting, CORS)
  • KrakenD rasmiy hujjatlari — API Gateway, endpoint aggregation
  • Traefik rasmiy hujjatlari — Provider-based service discovery
  • Nginx rasmiy hujjatlari — HTTP load balancing (round-robin, least_conn, ip_hash, weighted), upstream health checks
  • AWS API Gateway Developer Guide — boshqariladigan API Gateway
  • Istio rasmiy hujjatlari — Mutual TLS (PeerAuthentication), sidecar arxitekturasi
  • NestJS rasmiy hujjatlari — Microservices (@nestjs/microservices, ClientProxy, gRPC transport), Terminus (health checks)
  • Sam Newman, "Building Microservices" (2nd ed., O'Reilly) — API Gateway, BFF, service discovery boblari
  • gRPC rasmiy hujjatlari — Protocol Buffers, protokol tarjimasi konteksti
  • Apollo GraphQL rasmiy hujjatlari — Federation (subgraph/supergraph — API kompozitsiya muqobili)

Izohlar (0)

Izoh yozish uchun kiring.

  • Hozircha izoh yo'q. Birinchi bo'ling!
9.8-bob: API Gateway va service discovery — Wisar