We can use the Ocelot package for the same. Does Yarp have more features than Ocelot? Which one is better?
I have done that already. I also follow you on LinkedIn.
How nice it is to watch when a person has good diction and understanding of the issue. He speaks competently. Thank you very much for your work.
Thanks a lot, I appreciate that! :)
I did this at my previous company as well. What I love is that if you add auth middleware before you add the proxy, it then authenticates the request before it passes it downstream. You can also add minimal API endpoints and again map them before the proxy; that allows you to override specific endpoints if you need to (for example, to map the model to a new contract), and then any other endpoints on that path you did not override get proxied.
Might make another video for Auth, could be useful
How do you secure downstream APIs in that case, private networks?
What if underlaying services also need details about the user's claims?
@PelFox
We used service accounts so the gateway (YARP minimal API) would do a token exchange for delegated access and then use that JWT. That might not be the best for each use case but it suited us well. Otherwise, you can just proxy the JWT to the downstream then the downstream will also validate the token.
Hi Milan,
Would you be able to include a video featuring Ocelot and Yarp? Both are useful tools, with Yarp being more lightweight and Ocelot offering more features. I would recommend using them for a small project that involves handling authentication and authorization in a Gateway and passing headers to the downstream API.
Planning on it!
@@MilanJovanovicTech Waiting for it for a long time........!!!!!!!!!
8:12 Transforms followed by {}.
8:29 - [] are used. That's important!!!
I make a typo here and there
Hi Milan thanks for the video,
Can you talk about authentication and authorization options and implementations with reverse proxy? What are the best practices?
Add middleware to handle authentication and pass the necessary headers to the Service (Actual API).
Sure, that can be one of the next videos! 😁
Thanks!
Thank you very much for the support! 😊
Great video Milan! I've wanted to play with yarp a while now but was intimidated by the time it would take to learn it. You make it seem easy here.
Nope, YARP is too easy to use. Don't waste time and just start building something 😁
I've successfully used Yarp in some of my smaller projects. On bigger projects or projects with high traffic I've used Traefik and Envoy. They seem to work faster and can process a pretty high load.
Did you not try YARP on those bigger projects?
@@MilanJovanovicTech no. Traefik and Envoy are much more feature rich that we used. And we compared benchmarks of other people comparing these reverse proxies
Would be awesome to see how this can integrate with kubernetes and also certificates including cert manager in kubernetes.
Found this for the time being: github.com/microsoft/reverse-proxy/blob/main/docs/docfx/articles/kubernetes-ingress.md
This was an easy to follow tutorial which is pretty rare on YouTube. Thank you very much.
Would you also please mention what the use is?
The use of YARP? Load balancing, gateways, reverse proxying. Here are the docs: microsoft.github.io/reverse-proxy/
I also wrote an article: www.milanjovanovic.tech/blog/implementing-an-api-gateway-for-microservices-with-yarp
Great❤, looking for more Microservices related videos Milan 👌
More to come!
@@MilanJovanovicTech could you cover more Microservices topic from Scratch? Like building a distributive application using Microservices? Would be looking for the same. 🙂
@@arghakhanra204 Planning to. This year is for distributed systems :)
@@MilanJovanovicTech Great, looking for it soon 👌🙂
great content as always Milan 👏👏👏
Thanks a lot! :)
Question and any comments from you Milan, what do you think about using NGINX instead of YARP ?
I like it. Used it in some apps. Great and proven reverse proxy solution.
I'd still go with YARP for a new .NET project, though.
@MilanJovanovicTech cool thanks for the info
Interesting library. But I would like to see benchmarks YARP vs Nginx, because I don't want to reinvent the wheel
Microsoft replaced Nginx on Azure App Service for a +80% throughput, I'll see what I can do for the benchmarks
Thank you again.. 10/10
You're very welcome!
Great video on reverse proxy. When you scale an application to multiple instances, how does Yarp manage DB calls? There will still be one DB for all instances of the application.
YARP doesn't call the DB at all, it just proxies the requests to the other services - which talk to the DB
Hi Milan, I ran into a problem when proxying with Yarp: the service refuses the connection. Is there any setting that should be done? Thanks
It should just "work" - but I really can't tell anything based on a comment
@@MilanJovanovicTech
I resolved the error, had to change "localhost" to "host.docker.internal". Anyway, thank you for your attention!
Thanks for the clear video, I just need to know where the Authorization model is, and what is the correct flow for it?
Here: learn.microsoft.com/en-us/aspnet/core/security/authorization/introduction?view=aspnetcore-9.0
Milan, what's your PC configuration and what's your monitors' sizes?
24" monitors x2
AMD Ryzen 7 7700X
NVidia GeForce RTX 3060
32GB RAM (DDR5)
Is YARP suitable for a large number of requests per second, for example 3000 requests per second? Or do we use Ocelot without it?
Microsoft is doing 1.9M RPS with YARP. I think it can handle that load :)
Hello, great tutorial. Is this an alternative to using MassTransit for microservices communication?
Nope
Have you made a video about docker-compose? How would I add this? I have tried to follow your video but I can't find out how to add docker compose.
Yes: ruclips.net/video/WQFx2m5Ub9M/видео.html
@@MilanJovanovicTech Thanks for link.
There are 3 terms: reverse proxy, API gateway and load balancer. I am confused. Can you explain the differences between those three?
- Proxy - server that hides internal servers from outside world
- Gateway - basically the same as proxy, and you will usually see additional features added
- LB - a proxy/gateway routing traffic between multiple API instances
@@MilanJovanovicTech thank you so much
nice video man! I wonder is it possible to configure Swagger on this api gateway (Yarp)
That'd be tricky. Let me look into if there's a good solution these days. I didn't find one a few years ago.
The api gateway can redirect to the generated Swagger UI
If you want to "merge" those files, by knowing the address of the API and the path of swagger.json (or yaml) file, you can show them in the api gateway as documents of the swagger UI if you configure a swagger endpoint :)
Thanks 🙏❤
You're welcome 😊
When would you want this over something like Azure Apim?
Out of cloud, for example
When you don't want to pay thousands of dollars and don't want to manage crappy azure policy files (xml, yes XML).
I know we can have Active health checks for the downstream endpoints... How can we get the output/status of those checks by querying YARP itself???
Need to check, I'd start with YARP docs in the meantime
Thank you, It works!
You're welcome!
Hey Milan, are you posting some sample projects to your github ? As it contains a bit obsolete samples now.
Planning to post a Clean Architecture and Modular monolith template soon. Will be .NET 8, all the best practices, etc.
@@MilanJovanovicTech wow can't wait
What about websocket?
microsoft.github.io/reverse-proxy/articles/websockets.html
So when we use an API gateway we lose the Swagger document, is that OK?
You still have Swagger on the APIs
Nice tutorial. Can we have a video about how to build an API Gateway for Microservices with Ocelot?
Great suggestion!
Milan, can you make a video covering how to use azure cosmos db sql api, with multiple cosmos db accounts/cosmosclient instances? Been something I've been trying to learn.
I doubt it, since I don't work on Cosmos DB
Does .NET Aspire provide any native support for API gateway functionalities?
I think they will probably add support for YARP
Hello, explain validation and authentication in microservices using JWT.
Will do
Is it mandatory to apply this using Docker, or can we just use individual projects as microservices?
You can use individual projects
I have a question regarding authentication and authorization in YARP: should it be at the gateway level or in the microservices? I mean, can we secure only the YARP requests without taking care of securing the microservices, since they are not exposed publicly? If it is enough to do it on the YARP level, any idea on how we can do this on specific requests and not the entire route?
Typically Gateway will also handle authentication. The services could be left out, if you keep them in a private (closed) network. But in most cases, you need to know who the current user is even in the microservices. So you'll still have some form of authentication, if only verifying the access token.
@@MilanJovanovicTech Yeah, in our case we don't need to trace the user in the microservice. We only need to authenticate some CUD operations. Do you have an idea on how I can secure some endpoints and not the entire route using Yarp? I can't find it in the Yarp documentation.
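One way to protect only the write operations on a proxied path, with authentication running before the proxy as described earlier in the comments. This is an added example, not code from the video or from any commenter; the policy name `writers`, the `orders` route and cluster, the identity provider URL and the downstream address are all placeholders.

```csharp
// Added example: gateway Program.cs. Needs the Yarp.ReverseProxy and
// Microsoft.AspNetCore.Authentication.JwtBearer NuGet packages.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Yarp.ReverseProxy.Configuration;

var builder = WebApplication.CreateBuilder(args);
// Placeholder issuer and audience: use your identity provider's values.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => { o.Authority = "https://idp.example.com"; o.Audience = "orders-api"; });
builder.Services.AddAuthorization(o =>
    o.AddPolicy("writers", p => p.RequireAuthenticatedUser()));

// Two routes over the same path and cluster, split by HTTP method.
var routes = new[]
{
    new RouteConfig
    {
        RouteId = "orders-write",
        ClusterId = "orders",
        AuthorizationPolicy = "writers", // checked by UseAuthorization()
        Match = new RouteMatch
        {
            Path = "/orders/{**catch-all}",
            Methods = new[] { "POST", "PUT", "PATCH", "DELETE" }
        }
    },
    new RouteConfig
    {
        RouteId = "orders-read", // no policy set: reads pass through unauthenticated
        ClusterId = "orders",
        Match = new RouteMatch { Path = "/orders/{**catch-all}", Methods = new[] { "GET" } }
    }
};
var clusters = new[]
{
    new ClusterConfig
    {
        ClusterId = "orders",
        Destinations = new Dictionary<string, DestinationConfig>
        {
            ["d1"] = new DestinationConfig { Address = "http://orders-api:8080" } // hypothetical
        }
    }
};
builder.Services.AddReverseProxy().LoadFromMemory(routes, clusters);

var app = builder.Build();
app.UseAuthentication(); // runs before the proxy endpoints execute
app.UseAuthorization();  // rejects write requests without a valid token
app.MapReverseProxy();
app.Run();
```

The open read route assumes the downstream API is reachable only through the gateway; methods not listed on either route are not proxied at all.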
That is great. But let's consider I want to deploy my services on AWS ECS or Azure Container Apps, then how will this YARP function? How will load balancing and high availability work with ECS or Azure Container Apps with YARP?
- YARP supports load balancing www.milanjovanovic.tech/blog/implementing-an-api-gateway-for-microservices-with-yarp
- As for running in a HA setup, you can do a primary-secondary setup
@@MilanJovanovicTech Link returns 404
@@PelFox YT picked up the ) in the end 😅
Hello, just wondering if you could publish some good advice about working with Excel || Word objects in C#. Would be great! Regards! JK
I doubt it (at least in the short term)
@@MilanJovanovicTech For sure there are more hot topics ;) Just thought about it and yourself while working on current project. Best regards!
Does this work with signalr/blazor server in case of a high availability/replicated backend ?
microsoft.github.io/reverse-proxy/articles/websockets.html
@@MilanJovanovicTech Thank you Milan
Thank you for great tutorial. Looking forward for an enhanced tutorial with Yarp as reverse proxy with authentication.
Great suggestion 👌
Is YARP just a reverse proxy? Can it be used as a Gateway too?
I need to create a Backend For Front-end (BFF) and I need to combine data from different microservices.
Did I not use it as a Gateway in this video?
I also covered load balancing: ruclips.net/video/0RaH9hhOF4g/видео.html
@@MilanJovanovicTech Yes, you did. But how would you map (transform) two different endpoints into one?
@@Cesar-qi2jb Create an orchestrator service, then expose the service with grpc, then you can build response from the different APIs
@@roberteru25 Thanks for the advice. We prefer sticking with REST (Swagger) for our microservices as these are also publicly exposed to partners.
We just have the need to build more BFFs. We already have one for the main website but we are willing to build more for other use cases. I don't really know what would be the best approach for building a Back End For Front-end in .NET.
What about authentication?
Works with built-in Auth in ASP.NET Core
Please can I get the GitHub repo for this to study more?
github.com/m-jovanovic/yarp-api-gateway-sample
How to forbid users from calling your APIs directly instead of using the proxy?
Generally you would only give the proxy an external IP and DNS record.
Network rules, you can close your APIs to the outside world, and only let them talk to the Proxy
Hi at ruclips.net/video/UidT7YYu97s/видео.htmlsi=cyo8An6JY--Z_h3H&t=659 you show the create (POST) however you don't show the CreatedAtUrl that is meant to be returned. Since the api doesn't know about the proxy it sets the api url not the proxy's public url. can you comment on that?
You'd need to use the Forwarded URI to make it all work. Might cover that in a future video.
Nice but you speak at speed of light.
🤷‍♂️
Turn the x2 speed off, lol
I'm Brazilian, not fluent in English, and I can understand his speech very well
Kids, please don't use this. API Management products exist for a reason (Azure APIM, AWS API Gateway, MuleSoft, Kong, Gravitee, Apigee...)
If anything, it's good to understand the concepts behind these cloud services
Are you a salesman or something? If I want to use it, I will...
I've posted it before
Where?