1. Background
1.1 Problem to be solved
For APISIX 1.* and 2.* versions, the DP (DataPlane) plane and the CP
(ControlPlane) plane reuse the same port (9080) by default. Although
we clearly distinguish the different responsibilities of DP and CP in
the deployment architecture diagram of APISIX, due to the lack of API
gateway architecture understanding and security experience for open
source users, they are not changed to separate deployment methods in
production environments, it makes the user's CP insecure and
vulnerable to attack.
For example, APISIX fixed one security issue, the API caller use the
batch-request plugin to bypass local IP restrictions and directly
access Admin API. Because DP and CP are not deployed separately, the
security of APISIX is greatly reduced.
1.2 The benefits of solving this problem
1. The DP and CP use different listening port(same port is not
allowed), improving security.
2. Make it easier for users to choose the correct deployment way.
3. Reduce the difficulty for users to deploy APISIX DP/CP separately
4. The communication protocol between DP and CP, the communication
protocol between CP and configuration center, the two protocols are no
longer unified. If the communication protocol between the CP and the
configuration center is updated, there is no need to do any update
between the DP and the CP.
2. How to solve the problem
Add new deployment, the users can use it to specify the deployment
role, here is a full example:
```
deployment:
role: traditional # traditional or data_plane
or control_plane
role_traditional:
config_provider: etcd # only supports etcd now
role_control_plan:
config_provider: etcd # only supports etcd now
config_listen: 0.0.0.0:9280 # data plane will connect to
this service for fetching
# config data, eg: route,
service and so on.
role_data_plane:
config_provider: control_plane # control_plane or yaml
control_plane:
host:
- xxxx:9280
- xxxx:9280
timeout: 30 # second
certs: # if the role is data_plane
or control_plane, you need
# to set it. The connection
between the DP and CP is
# via mTLS, this
configuration is used to specify the
# dependent certificates.
# cert: /path/to/ca-cert
# cert_key: /path/to/ca-cert
# ca_cert: /path/to/ca-cert
etcd: # if the role is traditional
or control_plane, you need
# to set it
host:
- http://xxxx
- https://xxxx
prefix: /apisix
timeout: 30
... ...
```
When starting the APISIX service, if APISIX found that some
configurations are not related to the current deployment role (such as
starting in Control plane mode, but configuring Admin API ),an alarm
message will be output during startup, indicating that these
configurations are invalid, and the information will also be recorded
in the error log file.
For role , the user has three options: traditional, data_plane,
control_plane. The different deployment options for users to use
APISIX are summarized here, mainly including these three typical use
cases.
Different users (developers, production users) use APISIX in different
deployment ways.
1. all-in-one:DP + CP were deployed together, all of the services were
run in one instance.
NOTE:
In this mode, when the service starts, a prompt is printed in the
screen output and in the error log:
“The APISIX you started, which enables both the data plane and the
control plane.This deployment mode is not recommended for production
environments."
Demo Configuration:
```
deployment:
role: traditional
role_traditional:
config_provider: etcd
etcd:
host:
- http://xxxx
- http://xxxx
prefix: /apisix
timeout: 30
... ...
```
NOTE:
• We will use same deployment way, only the DP and CP run in one instance.
• Between DP and CP, APISIX will use HTTP protocol, and it uses HTTP
protocol between Admin API and conf server.
• The conf server will listen on `unix: conf/config_listen`.
2. decoupled: DP and CP are deployed independently
data_plane
a. Fetch route data from the control plane, the default port is 9280
b. Before the DP service starts, it will perform a health check on all
CP addresses
▪ If all CP addresses are unavailable, the startup fails and an
exception message is output to the screen.
▪ If at least one CP address is available (eg /status can get a
normal response from the interface), print the unhealthy CP check
result log, and then start the APISIX service.
▪ If all CP addresses are normal, start the APISIX service normally.
c. Handling user requests.
Demo Configuration(DP):
```
deployment:
role: data_plane
role_data_plane:
config_provider: control_plane # control_plane or yaml
control_plane:
host:
- xxxx:9280
- xxxx:9280
timeout: 30
certs:
cert: /path/to/ca-cert
cert_key: /path/to/ca-cert
ca_cert: /path/to/ca-cert
```
control_plane
a. Provide Admin API for Admin user, listening on 9180(default)
b. Provide conf server for data plane and control plane, listening on
9280(default)
Demo Configuration(CP):
```
deployment:
role: control_plane # traditional or
data_plane or control_plane
role_control_plan:
config_provider: etcd
config_listen: 0.0.0.0:9280
etcd:
host:
- https://xxxx
- https://xxxx
prefix: /apisix
timeout: 30
... ...
certs:
cert: /path/to/ca-cert
cert_key: /path/to/ca-cert
ca_cert: /path/to/ca-cert
```
3. standalone: only for data plane, load the route data from local yaml file
Demo Configuration:
```
deployment:
role: data_plane
role_data_plane:
config_provider: yaml # control_plane or yaml
```
There are no changes other than specifying the service as standalone
using role, no more change, same as before.
