Route to GraphQL servers
Set up routing to your GraphQL APIs, and optionally apply GraphQL policies to the routes.
- First, define the hosts and paths on which clients can access GraphQL servers in a Gloo
RouteTable
resource. - Then, you can apply additional Gloo policies to the routes.
- Prevent malicious requests to your GraphQL servers by specifying a list of allowed queries in a Gloo
GraphQLAllowedQueryPolicy
policy. - Improve network performance by caching GraphQL queries in a Gloo
GraphQLPersistedQueryCachePolicy
policy. - Control the rate of requests to your API and set up external authentication and authorization to protect your API by applying Gloo authentication and rate limit policies.
- Prevent malicious requests to your GraphQL servers by specifying a list of allowed queries in a Gloo
Define routes for GraphQL destinations
Create a RouteTable
resource with a graphql
destination to reference the GraphQLSchema
resource. This route table ensures that all GraphQL queries to a specific path are now handled by the GraphQL server in the gateway. For more information about configuring route tables, see Process and route traffic.
Before you begin: Follow the other GraphQL guides to define an ApiDoc with your GraphQL schema and execute GraphQL requests.
North-south routing
Route requests from clients that are external to your Gloo Mesh Gateway setup.
To test routing to the server:
Get the external address of your ingress gateway. The steps vary depending on the type of load balancer that backs the ingress gateway.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}") echo $INGRESS_GW_ADDRESS
Note: Depending on your environment, you might see
<pending>
instead of an external IP address. For example, if you are testing locally in kind or minikube, or if you have insufficient permissions in your cloud platform, you can instead port-forward the service port of the ingress gateway:kubectl -n gloo-mesh-gateways port-forward deploy/istio-ingressgateway-1-20 8081
Send a request with a query to the GraphQL endpoint to verify that the request is successfully resolved by the gateway. This example command sends the request to the
/graphql
path and includes a query for the Bookinfo example.
East-west routing
Route requests from clients that are internal to your Gloo setup, such as if you use Gloo Mesh Enterprise. Note that because the GraphQL destination references a GraphQLSchema
resource instead of a service, the value of hosts
is arbitrary, as long as the request from the client app matches the host.
To test routing to the server, choose one of the following options:
- Log in to your client app and send a query to the host and path to verify that the GraphQL server is reachable through the route. For the example route table, you might use this curl command:
curl http://graphql-bookinfo.internal.com/graphql -d '{"query":"query { productsForHome { title ratings {reviewer numStars}} }"}'
- Create a temporary curl pod in the
bookinfo
namespace and send a request to the GraphQL server from your local machine.- Create the curl pod.
kubectl run -it -n bookinfo curl --image=curlimages/curl:7.73.0 --rm -- sh
- Send a request with a query to the GraphQL endpoint to verify that the request is successfully resolved by the gateway. This example command sends the request to the
/graphql
path and includes a query for the Bookinfo example.curl http://graphql-bookinfo.internal.com/graphql -d '{"query":"query { productsForHome { title ratings {reviewer numStars}} }"}'
- Exit the temporary pod. The pod deletes itself.
exit
- Create the curl pod.
Allow only specific GraphQL queries
You can prevent malicious requests to your GraphQL servers by specifying a list of allowed queries. For example, you might know that clients send only a limited set of GraphQL queries to your servers. To prevent your GraphQL servers from resolving potentially malicious requests, you specify that list of expected queries so that the servers immediately return an error for queries that are not in that list.
To get started, create a GraphQLAllowedQueryPolicy
for a GraphQL route.
Cache request queries
To improve network performance for large query strings, the GraphQL filter supports automatic persisted queries. A persisted query consists of the query string and the query’s hash that are cached on the GraphQL server side. When you enable query caching, a client can then send the query hash instead of the full query string, which reduces request sizes. Responses are unaffected. Persisted queries are especially effective when clients send queries as GET requests, because clients can take advantage of the browser cache and integrate with a CDN.
To get started, create a GraphQLPersistedQueryCachePolicy
for a GraphQL route.
Apply authentication and rate limit policies
Because GraphQL is fully integrated with Gloo Mesh Gateway, you can apply other Gloo policies to your GraphQL setup, such as protecting your GraphQL route with external authentication and authorization or controlling the rate of requests to your route. To get started, see the external authentication and authorization and rate limiting policy guides.
Reference
For more information, see the Gloo Mesh Gateway API reference for the RouteTable
CR.