Apollo Gateway Scaling Up/Down - Subgraph - Gateway Encrypted Communication?

Hello!

I have a few questions regarding the Apollo Gateway setup in an AWS VPC:

  1. Do you support encrypted communication between subgraph and gateway via https?
  2. Do you register a load balancer like ELB to be able to scale up and scale down the subgraphs easily?
    Is there a better way to avoid the load balancer network hop in the architecture and allow scaling subgraph instances up and down without downtime?

Sure! You can use https:// and it will just work assuming that the subgraphs themselves have valid TLS certificates! If you’re self-signing certificates for subgraphs, you’ll need to provide those to your Gateway via standard Node.js mechanisms (e.g., via the NODE_EXTRA_CA_CERTS env variable).

Of course, depending on your configuration, you might also employ sidecar infrastructure that handles this for you (e.g., oftentimes service meshes will handle the TLS encryption for you) which can offer a performance benefit since it’s handled out of process by a dedicated process. You’ll see functionality like this offered by Linkerd, Envoy Proxy, etc.

I would recommend using whatever your infrastructure’s equivalent of an appropriate load balancer (round-robin, even!) is in front of the subgraphs rather than expecting the gateway to handle this on its own. This wouldn’t be unlike a Kubernetes service configuration where the K8s controller takes care of monitoring the member pods within a service and routing accordingly (and rescheduling as necessary).

Tools like ELB and Kubernetes do a very good job with, and are purpose-built for, this job; replicating the functionality they offer would be somewhat futile. I wouldn’t necessarily be concerned about the “hop” this introduces when transposing that against the flexibility and reliability that load balancers (and their features) offer in this regard.

Hope this helps!

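A preflight check a gateway deployment could run before start-up, as an added example that is not part of the original thread: it flags subgraph URLs that are not https:// and verifies that the file named by NODE_EXTRA_CA_CERTS is readable PEM, because Node.js reads that variable only at process launch and merely emits a warning if the file is missing or malformed. The function names, subgraph names and hostnames are hypothetical.

```javascript
// Added example (not Apollo's code): preflight check for gateway-to-subgraph TLS.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const tls = require('node:tls');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Return the names of subgraphs whose routing URL is not https://.
function insecureSubgraphs(subgraphs) {
  return subgraphs
    .filter(({ url }) => new URL(url).protocol !== 'https:')
    .map(({ name }) => name);
}

// Inspect the PEM bundle that NODE_EXTRA_CA_CERTS points to. Node only warns
// (and keeps running) when this file is missing or malformed, so the failure
// otherwise shows up later as a certificate error on the first subgraph fetch.
function inspectCaBundle(file, now = new Date()) {
  if (!file) return { ok: false, reason: 'NODE_EXTRA_CA_CERTS is not set', certs: [] };
  let text;
  try {
    text = fs.readFileSync(file, 'utf8');
  } catch (err) {
    return { ok: false, reason: `cannot read ${file}: ${err.code}`, certs: [] };
  }
  const blocks = text.match(PEM_BLOCK) || [];
  if (blocks.length === 0) return { ok: false, reason: 'no PEM certificates found', certs: [] };
  try {
    const certs = blocks.map((pem) => {
      const cert = new X509Certificate(pem);
      return { subject: cert.subject, expired: new Date(cert.validTo) < now };
    });
    return { ok: true, reason: '', certs };
  } catch (err) {
    return { ok: false, reason: `malformed certificate: ${err.message}`, certs: [] };
  }
}

// Constructed sample input: a hypothetical subgraph list, plus a bundle built
// from one of Node's own bundled roots so the example runs offline.
const sampleSubgraphs = [
  { name: 'accounts', url: 'https://accounts.internal.example/graphql' },
  { name: 'reviews', url: 'http://reviews.internal.example/graphql' },
];
const sampleBundle = path.join(os.tmpdir(), 'example-extra-ca.pem');
fs.writeFileSync(sampleBundle, tls.rootCertificates[0] + '\n');
console.log(insecureSubgraphs(sampleSubgraphs), inspectCaBundle(sampleBundle));
```

In a real deployment, call `inspectCaBundle(process.env.NODE_EXTRA_CA_CERTS)` and refuse to start the gateway when `ok` is false or any certificate is expired.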