Table of contents
1. Introduction
2. Application Programming Interface (APIs)
  2.1. Creating APIs and services
  2.2. Running APIs and Services
  2.3. Managing APIs and Services
  2.4. Consuming APIs and Services
3. Checking Status
4. Rate Limiting
  4.1. Configure rate limits
  4.2. Enforcing rate limiting
  4.3. Error Handling
5. Service Management
  5.1. Service Management API Access Control
    5.1.1. IAM Resources
    5.1.2. Managing Access using the Google Cloud console
  5.2. Service Networking API
    5.2.1. Enabling the service using the console
    5.2.2. Enabling the service using the gcloud
  5.3. Service Control API
    5.3.1. Initial Setup
    5.3.2. Test your curl
  5.4. Service Management API
    5.4.1. Initial Setup
    5.4.2. Test with curl
6. Enabling private services access
7. Managing Tenant Projects
  7.1. Create a tenant Project
  7.2. Remove a Tenant Project
8. Frequently Asked Questions
  8.1. What are the major components of Google's Infrastructure?
  8.2. Is GCP IaaS or PaaS?
  8.3. Name the methods that come in google.cloud.location.Locations.
9. Conclusion
Last Updated: Mar 27, 2024

Overview of Service Infrastructure

Author Sagar Mishra

Introduction

Service Infrastructure is a basic framework for developing, controlling, securing, and using APIs and services across businesses. Google APIs, Cloud APIs, Cloud Endpoints, and API Gateway all make use of it. Service Infrastructure offers a variety of capabilities to both service producers and service consumers. Examples include authentication, authorization, auditing, rate limiting, analytics, billing, logging, and monitoring.

 


 

In this blog, we will discuss the Overview of Service Infrastructure. This includes Creating and Managing APIs, Rate limiting, Service Networking API, and Managing Tenant Projects.

Application Programming Interface (APIs)

In the "Overview of Service Infrastructure" series, our first topic is APIs. Here, we will learn how to create, run, manage, and consume APIs and services.

Creating APIs and services

To create a managed service with the help of Service Infrastructure, you need to build a service configuration to specify your service settings and behaviors, such as the service name and API surface. After that, you create your service and register it with Google Cloud by deploying your service configuration to the Service Management API.

Running APIs and Services

To run a managed service using Service Infrastructure, your service needs to call the Service Control API to perform admission control on every request and telemetry reporting on each response. This includes validating API keys and reporting API metrics. It enables your service to take advantage of the extensive feature set offered by Google Cloud.

Managing APIs and Services

As a service producer, you can manage your consumers by creating tenant projects for them, controlling their quota limits, and setting up network peering between tenant and consumer projects. You can do this using the Service Consumer Management API and the Service Networking API.

Consuming APIs and Services

If you are a service client, you can list, enable, and disable APIs and services in your Cloud projects using the Service Usage tool. You can also impose quota restrictions on services used by your Cloud projects or other teams in your company. Both services produced with Cloud Endpoints and services offered by Google are manageable.

Checking Status

In the "Overview of Service Infrastructure" series, our next topic is Checking Status. This explains how to use the Service Infrastructure for managed services, service producers, service consumers, and API key status checks.

The services.check method can be used on a managed service after deployment without requiring further configuration. Details can be found in the services.check reference. You can use the gcurl command to call the services.check method to quickly experiment with the method. 

gcurl -d '{
  "operation": {
    "operationId": "123e4567-e89b-12d3-a456-426655440000",
    "consumerId": "project:endpointsapis-consumer",
    "startTime":"2016-07-31T05:20:00Z",
    "operationName":"google.example.hello.v1.HelloService.GetHello"
  }
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "operationId": "123e4567-e89b-12d3-a456-426655440000"
}

 

The response of the check method shows whether all checks succeeded or some of them failed. The absence of the checkErrors field denotes success. Otherwise, the checkErrors field lists the checks that failed.

Rate Limiting

In the "Overview of Service Infrastructure" series, our next topic is Rate Limiting. Here, we will learn how to deploy Service Infrastructure to implement rate limiting. 

A managed service can serve more than one service consumer. A managed service frequently uses rate limiting to distribute its capacity among its service consumers in order to safeguard system capacity and guarantee fair usage. You can manage and enforce rate limits using the Service Management and Service Control APIs.

Configure rate limits

A service can define a request as an HTTP request or as a byte of payload. The semantics of a request have no direct effect on the rate-limiting feature. The supported rate limit is the number of requests per minute per service consumer, where the service consumer is a Google Cloud project identified by an API key, a project ID, or a project number.

Configure _quota metrics_ and _quota limits_ in the service configuration to use the rate-limiting feature for your service producer project.

Enforcing rate limiting 

To enforce rate limits, each server of a managed service needs to call the services.allocateQuota method of the Service Control API regularly. It is advised that each server uses batching, caching, and predictive logic to increase system performance and reliability.

The following example shows how to call the services.allocateQuota method to check for rate limiting.

gcurl -d '{
  "allocateOperation": {
    "operationId": "123e4567-e89b-12d3-a456-426655440000",
    "methodName": "google.example.hello.v1.HelloService.GetHello",
    "consumerId": "project:endpointsapis-consumer",
    "quotaMetrics": [{
      "metricName": "endpointsapis.appspot.com/requests",
      "metricValues": [{
        "int64Value": 1
      }]
    }],
    "quotaMode": "NORMAL"
  }
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:allocateQuota
{
  "operationId": "123e4567-e89b-12d3-a456-426655440000",
  "quotaMetrics": [
    {
      "metricName": "serviceruntime.googleapis.com/api/consumer/quota_used_count",
      "metricValues": [
        {
          "labels": {
            "/quota_name": "endpointsapis.appspot.com/requests"
          },
          "int64Value": "1"
        }
      ]
    }
  ],
  "serviceConfigId": "2017-09-10r0"
}

Error Handling

If the HTTP response code is 200 and the response contains a RESOURCE_EXHAUSTED QuotaError, your server should reject the request with a 429 error. All other HTTP response codes most likely indicate a programming error on your server. It is advised that your server keep handling incoming requests while you troubleshoot the issue.
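
As an added example (not code from this article or from Google), the Python below turns the services.check and services.allocateQuota responses described above into a per-request decision. The allocateErrors field name is taken from the Service Control API reference rather than from this page, and the 403 and 409 statuses are this example's assumptions; the article itself only specifies the 429 and the keep-serving behaviour.

```python
# Added example: admission logic around Service Control responses.
# Assumptions: 403 for failed checks and 409 for other quota errors.

# services.check bodies copied from the article's sample output.
CHECK_OK = {"operationId": "123e4567-e89b-12d3-a456-426655440000"}
CHECK_NOT_ACTIVATED = {"checkErrors": [{
    "code": "SERVICE_NOT_ACTIVATED",
    "detail": "Service 'endpointsapis.appspot.com' is not enabled for "
              "consumer 'project:endpointsapis-consumer'.",
}]}
# services.allocateQuota bodies: the first is trimmed from the article's
# output, the second is constructed for this example.
QUOTA_OK = {"operationId": "123e4567-e89b-12d3-a456-426655440000",
            "serviceConfigId": "2017-09-10r0"}
QUOTA_EXHAUSTED = {"allocateErrors": [{
    "code": "RESOURCE_EXHAUSTED",
    "description": "constructed sample: per-minute request quota exceeded",
}]}


def check_failures(check_body):
    """Return (code, detail) pairs; an empty list means the check passed."""
    return [(e.get("code", "UNKNOWN"), e.get("detail", ""))
            for e in check_body.get("checkErrors", [])]


def quota_decision(http_status, quota_body):
    """Map a services.allocateQuota result to (client_status, reason)."""
    if http_status != 200:
        # Per the article: probably our own bug, so keep serving. Log it,
        # because rate limiting is not being enforced while this persists.
        return 200, f"fail-open: allocateQuota returned HTTP {http_status}"
    codes = [e.get("code") for e in quota_body.get("allocateErrors", [])]
    if "RESOURCE_EXHAUSTED" in codes:
        return 429, "quota exhausted for this consumer"
    if codes:
        return 409, "quota error: " + ", ".join(map(str, codes))  # assumption
    return 200, "quota allocated"


def admit(check_body, quota_http_status, quota_body):
    """Combine both calls: check gates access, allocateQuota gates rate."""
    failures = check_failures(check_body)
    if failures:
        return 403, "check failed: " + failures[0][0]  # assumption: 403
    return quota_decision(quota_http_status, quota_body)


if __name__ == "__main__":
    for args in [(CHECK_OK, 200, QUOTA_OK),
                 (CHECK_NOT_ACTIVATED, 200, QUOTA_OK),
                 (CHECK_OK, 200, QUOTA_EXHAUSTED),
                 (CHECK_OK, 500, {})]:
        print(admit(*args))
```

Because the non-200 path keeps serving, a sustained run of "fail-open" reasons in your logs means consumers are effectively unthrottled and is worth alerting on.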

Service Management

Google Service Management permits service producers to publish their services on the Google Cloud Platform so that they can be found and utilized by service consumers. Let us discuss all services given by GCP.

Service Management API Access Control

The Service Management API uses Identity and Access Management (Cloud IAM) to control access to managed services and their child resources. This section describes the IAM resources, roles, and permissions offered by the Service Management API, along with how to use them to manage access.

IAM Resources

IAM attaches IAM policies to resources to limit who is allowed to take which actions on them. The Service Management API uses the following resources to offer its functionality:

  • Service Producer 
    • Managed Service
      • Service Configurations
      • Service Rollouts
      • Service Consumers

Managing Access using the Google Cloud console

  1. In the Google Cloud console, open the Endpoints page.
     
  2. Click on the service that you want to manage access for.
     
  3. At the top of the page, click the "PERMISSIONS" link. This toggles the info panel on and off.
     
  4. For each service-level role, you can view the list of current members, add new members, and remove existing members from the info panel.

Service Networking API

In the "Overview of Service Infrastructure" series, our next topic is Service Networking API. Google recommends the gcloud command line interface for most operational use cases.

Enabling the service using the console

  1. Go to the Manage resources page and select or create a private services management project.
     
  2. Enable the Service Networking API.

Enabling the service using the gcloud

Activate the Service Networking API:

gcloud services enable servicenetworking.googleapis.com \
    --project=PROJECT_ID

 

Replace the PROJECT_ID with your Google Cloud project ID.

Service Control API

Our next topic in the "Overview of Service Infrastructure" series is Service Control API. Here, we will discuss the basic steps to set up the Service Control API.

Initial Setup

  1. Go to the Google Cloud console, and select the project that your managed service belongs to.
     
  2. Enable Service Control API for the project in the Google Cloud console.
     
  3. For local testing, create a new service account.
     
  4. For the new service account, create a service account key.
     
  5. Grant the roles/servicemanagement.serviceController role to the newly created service account.
     
  6. For interacting with the Google OAuth system, install oauth2l on your local machine.

Test your curl

Step 1: First, verify your initial setup.

oauth2l header --json ~/credentials.json cloud-platform

If your initial setup is correct, you should see output like this:

Authorization: Bearer y29.xxxxxxx

 

Step 2: For calling Google REST APIs, define a convenient shell alias:

alias gcurl='curl -H "$(oauth2l header --json ~/credentials.json cloud-platform)" -H "Content-Type: application/json" '

 

The set of shell commands that follow shows how to call the Service Control API step-by-step.

# Calling with an invalid service name "invalid.com." For security and privacy
# reasons, the permission check typically happens before other checks.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/invalid.com:check
{
  "error": {
    "code": 403,
    "message": "Permission 'servicemanagement.services.check' denied on service 'invalid.com'.",
    "status": "PERMISSION_DENIED"
  }
}


# Calling without proper permission on a service.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/servicecontrol.googleapis.com:check
{
  "error": {
    "code": 403,
    "message": "Permission 'servicemanagement.services.check' denied on service 'servicecontrol.googleapis.com'.",
    "status": "PERMISSION_DENIED"
  }
}


# Calling with an invalid request.
$ gcurl -d '{}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT"
  }
}


# This and the following call assume that the service, operation name, and
# project being checked are "endpointsapis.appspot.com,"
# "google.example.hello.v1.HelloService.GetHello" and
# "endpointsapis-consumer" correspondingly.
# Change it to the name of your managed service, operation, and project.
# Calling before the service is enabled for the consumer project.
$ gcurl -d '{
  "operation": {
    "operationId": "123e4567-e89b-12d3-a456-426655440000",
    "consumerId": "project:endpointsapis-consumer",
    "startTime": "2016-06-12T22:00:15Z",
    "operationName": "google.example.hello.v1.HelloService.GetHello"
  }
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "checkErrors": [
  {
    "code": "SERVICE_NOT_ACTIVATED",
    "detail": "Service 'endpointsapis.appspot.com' is not enabled for consumer 'project:endpointsapis-consumer'."
  }
  ]
}


# Successful call to "services.check" method after the API is enabled for
# the project.
$ gcurl -d '{
  "operation": {
    "operationId": "123e4567-e89b-12d3-a456-426655440000",
    "consumerId": "project:endpointsapis-consumer",
    "startTime":"2016-07-31T05:20:00Z",
    "operationName":"google.example.hello.v1.HelloService.GetHello"
  }
}' https://servicecontrol.googleapis.com/v1/services/endpointsapis.appspot.com:check
{
  "operationId": "123e4567-e89b-12d3-a456-426655440000"
}

Service Management API

Our next topic in the "Overview of Service Infrastructure" series is Service Management API. The simplest way of using the Service Management API is via the gcloud command line interface.

Initial Setup

  1. Visit the Service Accounts page.
     
  2. Click on Select to choose the Google Cloud project.
     
  3. Create a Service Account.
     
  4. Go to the API Credentials page.
     
  5. Create a service account key for your new service account. Check Creating and Managing Service Account Keys to learn more.
     
  6. For interacting with the Google OAuth system, install oauth2l on your local machine.
     

Test with curl

Step 1: First, verify your initial setup.

$ oauth2l header --json ~/credentials.json cloud-platform

 

Step 2: You should see output like this after finishing the OAuth flow:

Authorization: Bearer y29.xxxxxxx

 

Step 3: For calling Google REST APIs, define a convenient shell alias:

$ alias gcurl='curl -H "$(oauth2l header --json ~/credentials.json cloud-platform)" -H "Content-Type: application/json"'

 

Step 4: Try listing publicly accessible services:

$ gcurl https://servicemanagement.googleapis.com/v1/services

 

The setup is successful if you see a list of services.

Enabling private services access

Service producers can let service consumers provision resources with either private (RFC 1918) or public IP addresses. Consumers who want to use private IP addresses need private services access.

Enabling private services access for your managed service involves the following:

  • Tenancy units
  • Service Networking
  • Network Topology

Managing Tenant Projects

In the "Overview of Service Infrastructure" series, our last topic is Managing Tenant Projects. Here, we will study how to create and remove Tenant projects.

Create a tenant Project

To create a tenant project and add it to a tenancy unit, call the services.tenancyUnits.addProject method.

Using the REST API, the example that follows adds a new tenant project with the tag tag1 to a tenancy unit:

POST https://serviceconsumermanagement.googleapis.com/v1/services/your-service.example.com/projects/12345678901/tenancyUnits/absdef:addProject

 

To verify that the project creation process was successful, you can query the long-running operation that this call returns.

Remove a Tenant Project

Call the services.tenancyUnits.removeProject method to remove a tenant project with the tag abc as shown in the below example:

POST https://serviceconsumermanagement.googleapis.com/v1/services/your-service.example.com/projects/12345678901/tenancyUnits/absdef:removeProject

 

This call includes the following data:

{"tag":"abc"}

 

With this operation, the project lien is removed. The project, along with all of its resources, is deleted, and any related metadata is removed from the tenancy unit.

Frequently Asked Questions

What are the major components of Google's Infrastructure?

Some major Google Infrastructure components are:

  • Big Data components
  • Storage and Database components
  • Compute engines such as App Engine, Kubernetes, etc
  • Management tools like Trace, logging, and debugger

Is GCP IaaS or PaaS?

Although it initially started with PaaS, GCP now offers IaaS as well. Clients can execute workloads on Google's physical hardware using the Infrastructure as a Service (IaaS) product known as Google Compute Engine (GCE). With Google Compute Engine, you can build and run virtual machines on Google infrastructure.

Name the methods that come in google.cloud.location.Locations.

There are mainly two methods that come inside google.cloud.location.Locations:

  • GetLocation: It is used to gather information about a location.
     
  • ListLocations: It lists information about the supported locations.

Conclusion

We have discussed the topic of Overview of Service Infrastructure. We have seen how to work on Service Infrastructure. We also discussed Rate limiting, Service Networking API, Managing Tenant Projects, and many more.

We hope this blog has helped you enhance your knowledge of "Overview of Service Infrastructure." If you want to learn more, check out our articles Overview of Cloud Code, Overview of Cloud Scheduler, Overview of a log based metric, and many more on our platform Coding Ninjas Studio.

But suppose you have just started your learning process and are looking for questions from tech giants like Amazon, Microsoft, Uber, etc. In that case, you must look at the problems, interview experiences, and interview bundle for placement preparations.

However, you may consider our paid courses to give your career an edge over others!

Happy Learning!
