How to Expose Knative Services via Alibaba Cloud API Gateway and Internal SLB
This guide shows how to bind an Istio gateway to an internal SLB, create a Knative service, and configure Alibaba Cloud API Gateway with VPC authorization, constant parameters, and authentication to securely publish a production‑grade Knative service.
In production, API Gateway can protect internal services, provide unified authentication, rate‑limiting and monitoring, allowing developers to focus on business logic.
Bind Istio gateway to an internal SLB
Create an internal SLB and bind it to the Istio ingress gateway using the following Service definition:
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: "intranet"
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway-intranet
  namespace: istio-system
spec:
  externalTrafficPolicy: Cluster
  ports:
  - name: status-port
    port: 15020
    protocol: TCP
    targetPort: 15020
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  - name: tls
    port: 15443
    protocol: TCP
    targetPort: 15443
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  sessionAffinity: None
  type: LoadBalancer
After creation, the SLB address (e.g., 192.168.0.23) can be viewed in the Alibaba Cloud Container Service console under the istio-system namespace.
Create a Knative service
In the console, create a Knative service named helloworld. Verify it works with a curl request:
# curl -H "Host:helloworld.default.example.com" http://192.168.0.23
Hello World!
Configure the API Gateway
1. Create a group in the API Gateway console and enable a public domain (or a secondary domain) for testing.
2. Create a VPC authorization so the API can reach the internal SLB. Set the VPC ID and the SLB instance ID (e.g., knative-test).
3. Create an application for Alibaba Cloud APP authentication, naming it knative.
4. Create the API:
   - Choose “API” → “Create API”. Set security to “Alibaba Cloud APP” and enable AppCode authentication.
   - Define the request path as “/” and protocol as HTTP/HTTPS.
   - Set the backend type to “VPC” and select the VPC authorization created earlier.
   - Add a constant parameter: Header Host = helloworld.default.example.com.
5. Publish the API to the “online” environment.
6. Authorize the API by adding the knative application in the API’s “Authorization Info”.
7. Test the API using the “Debug API” feature; the response should return “Hello World!”.
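An added check, not part of the original article: the AppCode authentication configured above only protects the service if the intranet SLB is the sole load balancer in front of the Istio ingress gateway pods. The Python below reads output shaped like `kubectl get svc -n istio-system -o json` and reports every LoadBalancer Service that selects the gateway pods without being explicitly annotated "intranet". The function name, the second annotation spelling, and the sample Services other than istio-ingressgateway-intranet are assumptions, and the sample data is constructed.

```python
import json

# Annotation key used in this article, plus the newer "alibaba-cloud" spelling (assumed in use).
ADDRESS_TYPE_KEYS = (
    "service.beta.kubernetes.io/alicloud-loadbalancer-address-type",
    "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type",
)
# Pod labels taken from the selector in the article's Service definition.
GATEWAY_POD_LABELS = {"app": "istio-ingressgateway", "istio": "ingressgateway"}

def non_intranet_gateway_services(service_list, pod_labels=GATEWAY_POD_LABELS):
    """Return 'namespace/name' of LoadBalancer Services that select the
    gateway pods but are not explicitly pinned to an intranet SLB."""
    findings = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        selector = spec.get("selector") or {}
        # A Service routes to the gateway pods only if every selector pair matches.
        if not selector or any(pod_labels.get(k) != v for k, v in selector.items()):
            continue
        meta = svc.get("metadata", {})
        annotations = meta.get("annotations") or {}
        address_type = next((annotations[k] for k in ADDRESS_TYPE_KEYS if k in annotations), None)
        # Anything not explicitly "intranet" is reported for manual review.
        if address_type != "intranet":
            findings.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return findings

# Constructed sample shaped like `kubectl get svc -n istio-system -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "istio-ingressgateway-intranet", "namespace": "istio-system",
                "annotations": {"service.beta.kubernetes.io/alicloud-loadbalancer-address-type": "intranet"}},
   "spec": {"type": "LoadBalancer", "selector": {"app": "istio-ingressgateway", "istio": "ingressgateway"}}},
  {"metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
   "spec": {"type": "LoadBalancer", "selector": {"app": "istio-ingressgateway", "istio": "ingressgateway"}}},
  {"metadata": {"name": "example-clusterip", "namespace": "istio-system"},
   "spec": {"type": "ClusterIP", "selector": {"app": "istio-ingressgateway"}}}
]}
""")

if __name__ == "__main__":
    for name in non_intranet_gateway_services(SAMPLE):
        print("review:", name, "is not annotated as an intranet SLB")
```

A reported Service is a path to the Knative route that does not pass through API Gateway, so requests arriving there are not subject to the AppCode check.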
Summary
By linking an internal SLB to the Istio gateway, creating a Knative service, and configuring Alibaba Cloud API Gateway with VPC authorization, constant parameters and proper authentication, you can expose a production‑grade Knative service securely and with full lifecycle management.
Alibaba Cloud Native
