部署大使API网关防止DDoS的最佳实践

Question

I need to set up the Ambassador API gateway in front of all my services. Ambassador will be performing multiple actions like rate limiting, logging, DDoS protection, etc.

Especially from DDoS protection point of view, is it best practice to host Ambassador API gateway outside main application Kubernetes cluster? OR to host in separate namespace and have quota limitations on it?

Hosting the API Gateway within same k8s cluster could lead of cluster being overwhelmed because of unwanted traffic but if I host the API gateway on separate k8s cluster application k8s cluster could be saved from such scenario.

Also, can Ambassador API gateway be deployed in non-k8s infra and in HA mode?

Answer 1

As much i know there is two thing

Ambassador API gateway and Edge stack

Ambassador is open source while edge stack is paid version.

You can install the edge stack on VM and linux but for API gateway only YAML and helm are available.

you can put rate-limiting for saving the DDos.

Hosting the API Gateway within same k8s cluster could lead of cluster being overwhelmed because of unwanted traffic but if I host the API gateway on separate k8s cluster application k8s cluster could be saved from such scenario.

you are right in this case but if you are using the K8s you can use node affinity to fix the pods of API gateway on specific nodes or run it as daemon set . Setting up affinity and anti-affinity might help separating out the PODs or application and API gateway.