Set Up Tyk Cloud

​

What is Tyk Cloud

• No need to wrestle with infrastructure: You can be up and running within a few clicks. No need for complex deployments or large infrastructure teams.
• Flexible deployment options: Whether you’re a startup or a large enterprise, Tyk Cloud has deployment options to suit your needs. You can scale and manage your API ecosystem easily and efficiently. The control plane is hosted by Tyk in the cloud, in one of the 5 regions available. Meanwhile, the data planes, composed of Tyk Gateways and Redis for temporary storage, can be either hosted by Tyk or managed by you on your infrastructure.
• Geographical freedom: Tyk Cloud allows you to select your preferred AWS location as your home region, ensuring your data and Tyk Gateways are live and secured in the region that suits you best.
• Designed for platform teams: With Tyk Cloud, you can use role-based access control (RBAC) to manage your team structure, as well as multiple environments and multiple organizations.

​

Why Tyk Cloud?

​

Next Level SaaS

​

Quick deployments Wherever you need them

​

Designed for Enterprises

​

Where is Tyk Cloud hosted?

• aws-ap-southeast-1, Singapore
• aws-eu-central-1, Frankfurt, Germany
• aws-eu-west-2, London, UK
• aws-us-east-1, N. Virginia, USA
• aws-us-west-2, Oregon, USA
• aws-ap-southeast-2, Australia

​

Quick Start Tyk Cloud

1. Signing up with Tyk Cloud .
2. Creating your first API using the Tyk Dashboard.
3. Setting up a Policy and Key to secure your APIs.

​

Steps for Setting up Tyk Cloud

1. Create Tyk Cloud Account

2. Get started with your first API with Tyk Dashboard

​

Tyk Cloud Feature Setups

​

Comprehensive Tyk Cloud Setup

• Creating your Tyk Cloud account
• Your first Organization
• Creating your first Team and Environment
• Configuring and deploying your Control Plane and creating your Cloud Data Plane
• Adding and testing your first API
  Comprehensive Tyk Cloud Setup requires access to Tyk Cloud Console (management UI). Please note that free trial users do not have access to the Tyk Cloud Console. To obtain the required access, contact support.

​

Prerequisites

• Team member information including their email address and the role you plan to assign to them.
• We have some specific terminology used within Tyk Cloud. It would be useful to checkout our Glossary so you understand what we are referring to.

​

Hierarchy

​

Complete Cloud Setup Tasks

​

Create an Account

What happens when you create your Tyk Cloud account?

• Assign the account creator as a Billing admin for the Organization. This user role allows you to manage the billing and plans for your org. You can also add other billing admins as required.
• Assign the new account to our 48 hours free trial plan

Creating your first account

• To create your account, you will have to fill in first-level details like your first name, last name and email.
• Then, set up a password for your Tyk Cloud account.
• Following that check the box at the bottom of the page to confirm that you have read and accepted our Terms and Conditions.
• Finally, click Create new account
• After completing the Account Creation form, click Start Organization Setup.

​

Set Up Your Organisation

What is an organization?

• An organization is the main entity for all your data (Environments, APIs, Users, etc)
• An Organization is connected to a single region and once connected, cannot be changed.

Steps to set up your organization

• Step 1 - Name your Organization: Give your organization a name. This is up to you, but most users use their company name.
• Step 2 - Select a Home Region: Select a region from the drop-down list where your Control Plane will be deployed and your data stored. The number of regions available will depend on your license. Further regions can be added as an upgrade option.
  Tyk Cloud can currently be deployed across 2 AWS regions in the USA plus UK, Germany and Singapore. If you have any concerns about Brexit impacting the way you store data you should read AWS regularly updated Brexit statement.

Types of Setups

• Teams
• Environments
• Configuration and deployment of Control Planes and Cloud Data Planes

​

Create Your First Team

What is a team?

• A team is a sub-grouping inside an organization.
• Inside a team, you can define users(team members) and roles(permissions that can be applied to a user or a team of users).

Steps to set up your team

• Step 1 - Name your Team: Give your Team a name. You may find it useful to reflect the names used within your organization.
• Step Two - Invite your Users: Invite your users to your team. You’ll only need their email address and which of the available roles you want to assign to them. This step is optional and can be completed within the dashboard later.

User Roles in Tyk Cloud

• Team member: They can manage deployment activity for the team they are added to.
• Team admin: They can manage deployment activity and users for the team they are added to.
• Organization admin: They can manage deployment activity and users for a single organization.

​

Configure Environment and Deployments

What is an environment?

Steps to set up your environment

• Step 1 - Name your Environment: Give your Environment a name. You may find it useful to reflect the names used within your organization such as Development, Production etc.
• Step 2 - Name your Control Plane: Give your Control Plane a name. Again, this is up to you and you may already have an infrastructure you want to re-create in Tyk Cloud.
• Step 3 - Configure your first Cloud Data Plane: Select the region you want to locate your Cloud Data Plane in from the drop-down list. Your Cloud Data Plane is not confined to the same region as your Organization and Control Plane but the amount of regions you have to choose from can be limited depending on your subscription plan. Give your Cloud Data Plane a name.
  You need to have at least one Cloud Data Plane with a Deployed status connected to your Control Plane.
• Step 4 - Deployment:

1. Click Deploy Control Plane and Create a Cloud Data Plane. You can watch your Control Plane being deployed and your Cloud Data Plane being created. You will then be taken to the Control Plane overview screen within the Tyk Cloud dashboard.
2. From your Control Plane overview you will see the Cloud Data Plane is in a Not Deployed state. Click on your Cloud Data Plane to open its overview.
3. In the top right of your Cloud Data Plane overview, click Not Deployed and choose Deploy from the drop-down.
4. With your Cloud Data Plane successfully deployed, make a note of the tags assigned to your Cloud Data Plane. One tag is “edge” and the other is the location of your Cloud Data Plane. You’ll add a tag when creating your API.

​

Deploy and Add Your First API

Steps to add an API in Tyk Cloud

• Step 1 - Access the Dashboard: Go to the Control Plane overview and click the dashboard link in the Ingress list. You’ll be redirected to the Tyk Dashboard for your Control Plane.
• Step 2 - Add a New API: Click the APIs menu item and then click Add New API.
• Step 3 - Core Settings:
  1. Give Your API a name - We’ll use “my app” for the rest of this Getting Started journey.
  2. Scroll down to the Target URL setting and use the URL https://httpbin.org/
  3. Then scroll down to the Authentication section and select Open(Keyless) to keep things simple for this demo.
  Ensure you configure a valid API Listen path. Root (”/”) listen paths are not supported on Tyk Cloud deployments prior to version v3.2.0.
• Step 4 - Advanced Options:
  1. Click the Advanced Options tab of the API Designer.
  2. Scroll to the Segment Tags (Node Segmentation) setting and add the cloud data plane tag (edge) you saw when creating the Cloud Data Plane.

• Step 5 - Save Your API: Click Save from the API Designer. Your API will now be added to the APIs list and as the next step you’ll access your API from the Gateway Ingress.

​

Test Your API

Steps to test your API

• Step 1 - Access the Gateway Ingress: From the Cloud Data Plane overview, copy the Ingress link and open it in a browser tab. You will get a 404 error.
• Step 2 - Append the URL with your API: You created a API named my app in Task 5. Add /my-app/ to the end of the URL. You should be taken to https://httpbin.org/, which you added as the Target URL for the API in Task 5.

​

View Analytics

Steps to check your API analytics

• Step 1 - Access the Dashboard: You’ll now look at the analytics for the API you created in Task 5.If you’re not still in the Tyk Dashboard for your Control Plane, click the dashboard link in the Control Plane Ingress list. Click the Gateway Dashboard menu item and you can see the successful calls made to your API from the Cloud Data Plane you created.
• Step 2 - Create an Error: From the Cloud Data Plane, make a call that will throw an error. For example, use me-app instead of my-app. You should see the error displayed in the Analytics.

​

Review Your Setup

• We’ve created a new Organization
• We’ve added a Team
• We’ve added an Environment, including a Control Plane and an associated Cloud Data Plane and deployed them
• We’ve added a very simple API to the Control Plane Dashboard and tested it via the first Cloud Data Plane
• We’ve seen the data from the Gateways displayed in the Analytics section of the Control Plane Dashboard

• Managing your Deployments
• Adding Plugins and Middleware to your Control Plane

​

Import Existing APIs

​

API Blueprint is being Deprecated

• Create API Blueprint in JSON format using the Apiary Drafter tool
• Convert API Blueprint to OpenAPI (Swagger) using the Apiary API Elements CLI tool.

​

Import APIs via the Gateway

​

Using API Blueprint

./tyk --import-blueprint=blueprint.json --create-api --org-id=<id> --upstream-target="http://widgets.com/api/"

./tyk --import-blueprint=blueprint.json --for-api=<path> --as-version="version_number"

​

Using Swagger (OpenAPI)

./tyk --import-swagger=petstore.json --create-api --org-id=<id> --upstream-target="http://widgets.com/api/"

./tyk --import-swagger=petstore.json --for-api=<path> --as-version="version_number"

"ignored": [
  {
    "path": "/v1/ignored/with_id/{id}",
    "method_actions": {
      "GET": {
        "action": "reply",
        "code": 200,
        "data": "Hello World",
        "headers": {
          "x-tyk-override": "tyk-override"
        }
      }
    }
  }
],

​

Import APIs via the Dashboard API

​

Import API - Swagger

POST /api/import/swagger/
Host: localhost:3000
authorization:7a7b140f-2480-4d5a-4e78-24049e3ba7f8
{
  "swagger": "{swagger data...}",
  "insert_into_api": false, 
  "api_id": "internal API id",
  "version_name": "yourversionname",
  "upstream_url": "yourupstreamurl"
}

• insert_into_api: If set to true the import will replace an existing API. Setting to false will import into a new API.
• api_id: The internal MongoDB object id for your API.
• version_name: Your versioning convention name for the imported API.
• upstream_url: The URL the API is served by.

{
  "Status": "OK",
  "Message": "API Imported",
  "Meta": "new_api_id"
}

​

Import API - Blueprint

POST /api/import/blueprint/
Host: localhost:3000
authorization:7a7b140f-2480-4d5a-4e78-24049e3ba7f8
{
  "blueprint": "{blueprint data...}",
  "insert_into_api": false, 
  "api_id": "internal API id",
  "as_mock": false,
  "version_name": "yourversionname",
  "upstream_url": "yourupstreamurl"
}

• insert_into_api: If set to true the import will replace an existing API. Setting to false will import into a new API.
• api_id: The internal MongoDB object id for your API.
• as_mock: If set to true, enables our mocking support for Blueprint imported API. See Mocks above for more details.
• version_name: Your versioning convention name for the imported API.
• upstream_url: The URL the API is served by.

{
  "Status": "OK",
  "Message": "API Imported",
  "Meta": "new_api_id"
}

​

Import APIs via the Dashboard UI

1. Select “APIs” from the “System Management” section

2. Click “IMPORT API”

1. From an Existing Tyk API definition
2. From a Apiary Blueprint (JSON) file
3. From a Swagger/OpenAPI (JSON only) file
4. From a SOAP WSDL definition file (new from v1.9)

3. Enter API Information

• Your Upstream Target
• A Version Name (optional)
• An optional Service Name and Port (WSDL only)
• Copy code into the editor

4. Click “Generate API”

​

Creating a new API Version by importing an API Definition using Tyk Dashboard

1. Open the API Designer page and select Import Version from the Options drop-down.

2. Select either OpenAPI (v2.0 or 3.0) or WSDL/XML as your source API
3. You need to add a new API Version Name. Upstream URL is optional.

4. Click Import API.

5. Select the Versions tab and your new version will be available.
6. Open the Endpoint Designer for your API and select your new version from Edit Version.
7. You will see all the endpoints are saved for your new version.

​

Additional Cloud Configuration

​

Manage Environments and Deployments

• Managing Organizations
• Managing Environments
• Managing Control Planes
• Managing Cloud Data Planes

​

Organisations Overview

• Quick Stats
• All Teams
• All Deployments
• All Environments

​

Managing Environments

Prerequisites

• Org Admin
• Team Admin

Adding a New Environment

1. From the Environments screen, click Add Environment
2. Select the team you want to assign to the Environment
3. Give your new Environment a name
4. Click Create

Editing an Existing Environment

• Rename an Environment
• Delete an Environment

1. Click the environment Name from your list

2. Click Edit

3. You can now rename the environment, or delete it from your organization

​

Managing Control Planes

Prerequisites

Adding a new Control Plane

1. From the Deployments screen click Add Deployment (you can also add a Deployment from within an Environment overview)
2. Enter a name for the new Control Plane
3. Select Control Plane from the Type drop-down list
4. Select the Bundle Channel and Version
5. (Optional) Enter a custom domain if required
6. (Optional) Enable plugins if required

Edit Control Planes

• Change the Control Plane name
• Add a custom domain
• Change the Bundle Channel and Bundle Version
• Enable plugins
  The use of custom domains is dependent on your plan

1. From the Deployments screen, click the Control Plane Name from the list
2. Select Edit from the Deployed drop-down list

Upgrade Control Planes

1. Go to the Control Plane settings using the Edit Control Planes instructions and scroll down to the Version section.
2. Select a Bundle Channel.

3. Next, select a Bundle Version.

4. To apply your changes, click the “Save and Re-Deploy” button located at the top right. After a few seconds, you will be redirected to the overview page of the Control Plane and a “Deploying” indicator button will appear.

5. A “Deployed” button indicates a successful upgrade.

​

Managing Cloud Data Plane

Prerequisites

Adding a new Cloud Data Plane

1. From the Deployments screen click Add Deployment
2. Enter a name for the new Gateway
3. Select Cloud Data Plane from the Type drop-down list
4. Select the Bundle Channel and Version
5. (Optional) Enter a custom domain if required
6. (Optional) Enable plugins if required

Edit Cloud Data Planes

• Change the Gateway name
• Add a custom domain
• Change the Bundle Channel and Bundle Version
• Enable plugins
  The use of custom domains is dependent on your plan

1. On the Deployments screen, expand the Control Plane and click on the Cloud Data Plane to access the Cloud Data Plane overview screen.
2. Select Edit from the Deployed drop-down list

Upgrade Cloud Data Planes

1. Go to the Cloud Data Plane settings using the Edit Cloud Data Planes instructions and scroll down to the Version section.
2. Select a Bundle Channel.

3. Next, select a Bundle Version.

4. To apply your changes, click the “Save and Re-Deploy” button located at the top right. After a few seconds, you will be redirected to the overview page of the Control Plane and a “Deploying” indicator button will appear.

5. A “Deployed” button indicates a successful upgrade.

​

Deploy Hybrid Gateways

• as Cloud Gateways: Deployed and managed in Tyk Cloud, in any of our available regions. These are SaaS gateways, so there are no deployment or operational concerns.
• as Hybrid Gateways: This is a self-managed data plane, deployed in your infrastructure and managed by yourself. Your infrastructure can be a public or private cloud, or even your own data center.

Prerequisites

• Tyk Cloud Account, register here if you don’t have one yet: free trial
• A Redis instance for each data plane, used as ephemeral storage for distributed rate limiting, token storage and analytics. You will find instructions for a simple Redis installation in the steps below.
• No incoming firewall rules are needed, as the connection between Tyk Hybrid Gateways and Tyk Cloud is always initiated from the Gateways, not from Tyk Cloud.

Tyk Hybrid Gateway configuration

Deploy with Docker

git clone https://github.com/TykTechnologies/tyk-gateway-docker.git

• rpc_key - Organization ID
• api_key - Tyk Dashboard API Access Credentials of the user created earlier
• connection_string: MDCB connection string
• group_id(optional) - if you have multiple data planes (e.g. in different regions), specify the data plane group (string) to which the gateway you are deploying belongs. The data planes in the same group share one Redis.

{
"rpc_key": "<ORG_ID>",
"api_key": "<API-KEY>",
"connection_string": "<MDCB-INGRESS>:443",
"group_id": "dataplane-europe",
}

• (optional) you can enable sharding to selectively load APIs to specific gateways, using the following:

{
  "db_app_conf_options": {
    "node_is_segmented": true,
    "tags": ["qa", "uat"]
  }
}

{
  "storage": {
        "type": "redis",
        "host": "tyk-redis",
        "port": 6379,
        "username": "",
        "password": "",
        "database": 0,
        "optimisation_max_idle": 2000,
        "optimisation_max_active": 4000
    }
}

- ./tyk.standalone.conf:/opt/tyk-gateway/tyk.conf

- ./tyk.hybrid.conf:/opt/tyk-gateway/tyk.conf

docker compose up -d

curl http://localhost:8080/hello -i

HTTP/1.1 200 OK
Content-Type: application/json
Date: Fri, 17 Mar 2023 12:41:11 GMT
Content-Length: 59

{"status":"pass","version":"4.3.3","description":"Tyk GW"}

Deploy in Kubernetes with Helm Chart

• Kubernetes 1.19+
• Helm 3+
• Connection details to remote control plane from the above section.

• Redis for key storage
• Tyk Pump to send analytics to Tyk Cloud and Prometheus

MDCB_UserKey=9d20907430e440655f15b851e4112345
MDCB_OrgId=64cadf60173be90001712345
MDCB_ConnString=mere-xxxxxxx-hyb.aws-euw2.cloud-ara.tyk.io:443
MDCB_GroupId=your-group-id

NAMESPACE=tyk
APISecret=foo
REDIS_BITNAMI_CHART_VERSION=19.0.2

helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update

helm upgrade tyk-redis oci://registry-1.docker.io/bitnamicharts/redis -n $NAMESPACE --create-namespace --install --version $REDIS_BITNAMI_CHART_VERSION

helm upgrade hybrid-dp tyk-helm/tyk-data-plane -n $NAMESPACE --create-namespace \
  --install \
  --set global.remoteControlPlane.userApiKey=$MDCB_UserKey \
  --set global.remoteControlPlane.orgId=$MDCB_OrgId \
  --set global.remoteControlPlane.connectionString=$MDCB_ConnString \
  --set global.remoteControlPlane.groupID=$MDCB_GroupId \
  --set global.secrets.APISecret="$APISecret" \
  --set global.redis.addrs="{tyk-redis-master.$NAMESPACE.svc.cluster.local:6379}" \
  --set global.redis.passSecret.name=tyk-redis \
  --set global.redis.passSecret.keyName=redis-password

Remove hybrid data plane configuration

​

Manage APIs

• Adding APIs to Tyk, including REST and GraphQL APIs
• Applying Quotas and Rate limits via Security Policies and Keys
• Securing your APIs
• Viewing granular Analytics for your Tyk managed APIs
• Transform traffic with the Tyk API Designer
• Add integration options such as SSO and 3rd Party IdentityProviders
• Adding Segment Tags

​

Secure Your APIs

• This is the most secure method to protect your APIs. With Client authorization, you need to add your Tyk Gateway certificates to an allow-list in all your backends and they will then accept access requests only from clients that present these pre authorized certificates. There are a few limitations with this approach: a. Depending on your setup, you might need to add it to every backend service. If you have a Load Balancer (LB), then it can be set at the LB level. b. Sometimes the LBs (like Application Load Balancers) do not support mTLS and then you need to find other solutions, like Request Signing (below). Another option that might be possible, is to front your services or your LB with an L7 API Gateway (Like Tyk!) to do mTLS with the Tyk Cloud Data Planes on Tyk Cloud.
• You need to be able to update the list in case certificates expire or get revoked.

​

Managing Teams and Users

• Managing Teams
• Managing Users
• Available Tyk Cloud User Roles
• Tyk Cloud Single Sign-On (SSO)

​

Managing Teams

• Organization Admin - Can manage all teams in the organization they are a member of.
• Team Admin - Can only manage the team they are a member of.

• Change the team name
• Create or delete a team (Organization Admin only)
• Invite and manage users in a team

Change the Team Name

1. From the Teams screen, select the team name.
2. Click Edit.
3. Change the existing name for the team.
4. Click Save.

Create a New Team

1. From the Admin > Teams screen, click Add Team.
2. Enter a name for the new team that will be added to the organization.
3. Click Create.

Delete a Team

1. From the Teams screen, select the team name.
2. Click Edit.
3. Click Delete Team.
4. You’ll be asked to confirm the deletion. Click Delete Team from the dialog box to confirm, or click Cancel.

​

Managing Users

• Organization Admin - Can manage all users in the organization they are a member of.
• Team Admin - Can only manage the users of the team they are a member of.
  Organization Admins, Team Admins and Team Members are responsible for managing the Tyk Cloud organization hierarchy and deploying/managing stacks, as well as having access to the Tyk Dashboard to manage APIs. Users of Tyk Cloud are usually DevOps, Architects and sometimes Engineers or Managers.You can also add users to the Tyk Dashboard itself instead of inviting them as Tyk Cloud users. These users would likely be your API Developers and Engineers who manage the APIs.

Invite a new user to your team

1. From the Teams screen, select the team name.
2. Click Invite User.
3. Complete the form for the new user.

Editing Existing Users

1. Select the team with the user you want to edit.
2. Click the user name from the team user list.
3. You can change the following details
   • Change the team they are a member of.
   • Change the user role assigned to them.
4. Click Save to update the user info.

Delete a User

1. Select the team with the user you want to edit.
2. Click the user name from the team user list.
3. Click Delete
4. You’ll be asked to confirm the deletion. Click Delete User from the pop-up box to confirm, or click Cancel.

​

Assign User Roles

User Roles within Tyk Cloud

• Billing Admin
• Organization Admin
• Team Admin
• Team Member

Use Case Matrix

Initial Tyk Cloud Account Roles

1. Org admin of the organization
2. Billing admin of the account

​

Configure Single Sign-On (SSO)

Add new SSO profile

Edit SSO profile

Delete SSO profile

​

Manage Accounts and Billing

• The available Tyk Cloud Plans
• Adding Payment Methods
• How to upgrade from the free trial plan
• Managing Billing Admins on your account
• What to do if your account goes into retirement

​

Select a Payment Plan

• Additional Control Planes
• Additional Cloud Data Planes
• Additional Users
• Additional Teams
• Additional Gateway Region (Enterprise Plans only)
• SLA support (varies according to your plan)

Checking the Tyk Cloud status

​

Add Payment Methods

1. Ensure you are logged in to Tyk Cloud UI as a Billing Admin user.
2. Navigate to ACCOUNT & BILLING —> Payment Method. If you lack the necessary user rights, you will be directed to the main OPERATIONS screen (the main login page).
3. Enter your card details and click Save.
4. You’ll see a confirmation that the payment method was successfully added.
   Note about card paymentsCurrently, Tyk Cloud exclusively supports card payments. For alternative payment methods, please contact us.

​

Upgrade Your Free Trial

• Upgrade to a paid plan at any stage of the free trial period.
• Use the free trial period and upgrade after it expires

• Add a payment method to your organization
• Select a new plan from our list

​

Managing Billing Admin

• Add, edit and delete payment methods
• Add further users as Billing Admins
• Upgrade or downgrade plans

Adding a new Billing Admin

• Be an existing Billing Admin
• Be the account creator Organization Admin (this user also has the Billing Admin role assigned to them)

1. Select Account & Billing from the Admin menu (if you only have Billing Admin permissions you will automatically be logged into the Account and Billing area).

2. Select Billing Admins from the Accounts & Billing menu

3. Click Invite Billing Admin

4. Complete the Billing Admin form and click Send Invite

Removing Billing Admin Access

​

Retire Your Account

• Your subscription is manually canceled by a Billing Admin.
• Your periodic subscription payment fails.
• You are on a Free Trial (5 weeks) and have not signed up to a plan before the expiration of the Free Trial.

• Renew a subscription that was manually canceled.
• Update your payment details and any outstanding payments are cleared.
• Update a Free Trial to a paid plan, and payment is successful.

​

Configure Developer Portal from Dashboard

1. From the Control Plane Dashboard, select Pages from the Portal Management menu
2. Click Add Page

3. In the Settings, give your page a name and slug. Below we’ve called it Home
4. Select Check to make this page the Home page
5. Select Default Home page template from the Page type drop-down list
6. You can leave the Registered Fields sections for now

7. Click Save.

​

Further Portal Configuration

​

Configure Custom Domains

​

Custom Domains with Control Planes

• Currently, you can only use one custom domain per Control Plane deployment.
• The custom domain in this case ties to a Tyk Developer Portal. Please set up a CNAME DNS record such that it points to the “Portal” ingress as displayed on your Control Plane deployment page.

​

Custom Domains with Cloud Data Planes

​

How to set up a Custom Domain

1. Create a CNAME DNS record edge.corp.com that points to your Cloud Data Plane ingress (e.g. something-something.aws-euw2.cloud-ara.tyk.io).
2. From your Cloud Data Plane deployment, select Edit from the Status drop-down.

3. Enter edge.corp.com in the Custom Domains field.

4. Click Save and Re-deploy.

​

How our Custom Domain functionality works

​

Configure Plugins

• Python Plugins
• JSVM
• Golang

​

Setup Control Plane

1. You need to enable Plugins on a Control Plane and on a Cloud Data Plane.
2. You need to enter Provider details to enable you to store and access your plugins. For this version of Tyk Cloud, we are supporting Amazon AWS S3. If you haven’t got an AWS S3 account, go to https://aws.amazon.com/s3/ and set one up. You will need the following details to configure SW3 within your Control Plane:
   • Your AWS Key ID
   • Your AWS Secret
   • Your AWS Region
   For this release of Tyk Cloud, you need to enter your AWS Region manually. You also need to consider that uploading a custom plugin bundle to Tyk Cloud results in a new bucket being created for each bundle uploaded. It also requires that Tyk Cloud has permissions in the form of an AWS IAM policy to have create rights on AWS.

• A policy is an entity that, when attached to an identity or resource, defines their permissions. IAM policies define permissions for an action regardless of the method that you use to perform the operation.
• We have included a sample IAM policy that you need to create in AWS to allow the plugin bundle to work. For more information on creating IAM policies, see the AWS Documentation.
  We recommend you restrict your IAM user as much as possible before sharing the credentials with any 3rd party, including Tyk Cloud. See IAM User Permissions for more details.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:DeleteBucket"
            ],
            "Resource": "arn:aws:s3:::mserv-plugin-*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::mserv-plugin-*/*"
        }
    ]
}

​

Uploading your Bundle

1. You need to install the mserv binary according to your local environment from the following repo - https://github.com/TykTechnologies/mserv/releases. Linux and MacOS are supported.
2. From your Control Plane you need the following settings.

• Your Tyk Cloud Control Plane Ingress File Server Endpoint (1)
• Your File Server API Key (2)

./mservctl.macos.amd64

./mservctl.linux.amd64

$ mservctl help
mservctl is a CLI application that enables listing and operating middleware in an Mserv instance.
Use a config file (by default at $HOME/.mservctl.yaml) in order to configure the Mserv to use with the CLI.
Alternatively pass the values with command line arguments, e.g.:
$ mservctl list -e https://remote.mserv:8989
Set TYK_MSERV_LOGLEVEL="debug" environment variable to see raw API requests and responses.
Usage:
  mservctl [command]
Available Commands:
  delete      Deletes a middleware from mserv
  fetch       Fetches a middleware record from mserv
  help        Help about any command
  list        List middleware in mserv
  push        Pushes a middleware to mserv
Flags:
      --config string     config file (default is $HOME/.mservctl.yaml)
  -e, --endpoint string   mserv endpoint
  -h, --help              help for mservctl
  -t, --token string      mserv security token
Use "mservctl [command] --help" for more information about a command.

1. Create a file (we’ll call it python-demo.mservctl.yaml)
2. Copy your Control Plane File Server endpoint URL and use it for your endpoint flag. Remember to prepend it with https://.
3. Copy your File Server API Key and use it for your token flag

endpoint: https://agreeable-native-mgw.usw2.ara-staging.tyk.technology/mserv
token: eyJvcmciOiI1ZWIyOGUwY2M3ZDc4YzAwMDFlZGQ4ZmYiLCJpZCI6ImVmMTZiNGM3Y2QwMDQ3Y2JhMTAxNWIyOTUzZGRkOWRmIiwiaCI6Im11cm11cjEyOCJ9

1. We are going to use the MacOS binary here, just substitute the binary name for the Linx version if using that OS. Note we have our YAML config file in the same directory as our bundle.zip file. Run the following mserv push command:

./mservctl.macos.amd64 --config ~/my-tyk-plugin/python-demo.mservctl.yaml push ~/my-tyk-plugin/bundle.zip

2. You should get confirmation that your middleware has been uploaded to your S3 bucket.

INFO[0000] Using config file:/Users/marksouthee/my-tyk-plugin/python-demo.mservctl.yaml  app=mservctl
Middleware uploaded successfully, ID: 9c9ecec1-8f98-4c3f-88cd-ca3c27599e6b

3. You will notice that the middleware uploaded has been given an ID. We are going to use that ID with an API that allows you to specify specific middlware. You can also check the contents of the middleware you have just uploaded using the mservctl list command. Run:

./mservctl.macos.amd64 --config ~/my-tyk-plugin/python-demo.mservctl.yaml list

4. You will see the list of middleware you have pushed to your S3 Bucket

INFO[0000] Using config file:/Users/marksouthee/my-tyk-plugin/python-demo.mservctl.yaml  app=mservctl
  ID                                    ACTIVE  SERVE ONLY  LAST UPDATE

  9c9ecec1-8f98-4c3f-88cd-ca3c27599e6b  true    false       2020-05-20T15:06:55.901Z

5. If you use the -f flag with the list command, you will see the functions within your middleware listed:

./mservctl.macos.amd64 --config ~/my-tyk-plugin/python-demo.mservctl.yaml list -f

6. As you can see, the 2 middleware hooks specified within your manifest.json are returned:

INFO[0000] Using config file:/Users/marksouthee/my-tyk-plugin/python-demo.mservctl.yaml  app=mservctl
  ID                                    ACTIVE  SERVE ONLY  LAST UPDATE               FUNCTION          TYPE

  9c9ecec1-8f98-4c3f-88cd-ca3c27599e6b  true    false       2020-05-20T15:06:55.901Z
  MyPostMiddleware  Post
  MyAuthMiddleware  CustomKeyCheck

​

Test Middleware

• A Postman API Client from https://www.postman.com/product/api-client/
• Your mserv middleware ID
• The auth value token from your middleware.py code

1. From your Control Plane in Tyk Cloud, click the Ingress > Dashboard link

2. From the Dashboard screen, click APIs from the System Management menu

3. Click Add New API
4. From the API Designer, enter the following in the Core Settings tab:
   • From the API Settings section, give your API a name. We’ll name this example “test”
   • Scroll down to the Authentication section and select Custom authentication (Python, CoProcess and JSVM plugins) from the drop-down menu
   • Select the Allow query parameter as well as header option
5. From the Advanced Settings tab enter the following:
   • In the Plugin Options, enter the Plugin Bundle ID as returned by mservctl. In our example 9c9ecec1-8f98-4c3f-88cd-ca3c27599e6b
   • To propagate your API to all your Cloud Data Plane Tyk Gateways connected to your Control Plane, you need to add the tag edge in the API Segment Tags section
6. Click Save.

1. First, a quick test. Copy the URL of your Cloud Data Plane (Note the “edge” tag in the tags column) and paste it in a browser tab. You should get a 404 page not found error.
2. Then add the “test” endpoint to the URL in your browser tab, so in our example uptight-paddle-gw.usw2.ara.app/test/. You should now see a 403 “error: “forbidden”. This is because your API has Authentication enabled and you haven’t provided the credentials yet.
3. Open up your Postman client:
   • Paste your Gateway URL with the API appended to the request - (uptight-paddle-gw.usw2.ara.app/test/)
   • Click Send. You’ll see the 403 “error: “forbidden response” again
   • In the Headers section in Postman, select Authorization from the Key column. Add some random text in the Value field and click Send. You should again see the 403 error.
   • Now replace the random text with the auth value from your Python code. In our example 47a0c79c427728b3df4af62b9228c8ae and click Send again.
   • You should now see the HTTPB in test page

4. As a further test of your plugin, you can add get to your API request in Postman. So in our example uptight-paddle-gw.usw2.ara.app/test/get. Click Send. This will return all the get requests, including headers. You should see the x-tyk-request: "something" which is the post middleware hook you set up in the Python code.

​

Create a Python Code Bundle

• You need to create the Python code bundle on your locally installed Gateway (not an Tyk Cloud Cloud Data Plane stack).
• You will create 2 files, a manifest file (manifest.json) and the python file (middleware.py)
• You then create a zipped bundle via our Tyk CLI tool that is built in to your local Gateway instance.

mkdir ~/my-tyk-plugin
cd ~/my-tyk-plugin

{
  "custom_middleware": {
    "auth_check": {
      "name": "MyAuthMiddleware"
    },
    "pre": [
      {
        "name": "MyAuthMiddleware"
      }
    ],
    "driver": "python"
  },
  "file_list": [
    "middleware.py"
  ]
}

• You import decorators from the Tyk module that gives us the Hook decorator, and we import Tyk Python API helpers
• You implement a middleware function and register it as a hook. The input includes the request object, the session object, the API meta data and its specification. The hook checks the authorization header for a specified value. In this tutorial we have called it Authorization.

from tyk.decorators import *
from gateway import TykGateway as tyk

@Hook
def MyAuthMiddleware(request, session, metadata, spec):
    auth = request.get_header('Authorization')
    if not auth:
        auth = request.object.params.get('authorization', None)

    if auth == '47a0c79c427728b3df4af62b9228c8ae':
        session.rate = 1000.0
        session.per = 1.0
        metadata["token"] = auth
    return request, session, metadata

@Hook
def MyPostMiddleware(request, session, spec):
    tyk.log("This is my post middleware", "info")
    request.object.set_headers["x-tyk-request"] = "something"
    return request, session

• You create a bundle to cater for a number of plugins connected to the one API, and using a bundle makes this more manageable.
• To bundle your plugin we run the following command in your working directory where your manifest.json and plugin code is.

docker run \
  --rm \
  -v $(pwd):/cloudplugin \
  --entrypoint "/bin/sh" -it \
  -w "/cloudplugin" \
  tykio/tyk-gateway:v3.1.2 \
  -c '/opt/tyk-gateway/tyk bundle build -y'

• A plugin bundle is a packaged version of the plugin, it may also contain a cryptographic signature of its contents. The -y flag tells the Tyk CLI tool to skip the signing process in order to simplify this tutorial. For more information on the Tyk CLI tool, see here.
• You should now have a bundle.zip file in the plugin working directory.
• Next you will configure uploading your plugin bundle file to your Amazon S3 bucket.

​

Add Custom Authentication

1. Firstly you will need a local Tyk Gateway installation that allows you to create your Python plugin bundle. We recommend installing our Self-Managed version on Ubuntu Bionic 18.04.
2. Ensure you have a currently stable Python 3.x version installed
3. You need install the build tools apt-get install -y build-essential
4. Install our required modules:

apt install python3 python3-dev python3-pip
pip3 install protobuf grpcio

​

Deploy Legacy Hybrid Gateways

1. Add the Tyk official Helm repo tyk-helm to your local Helm repository

helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update

2. Then create a new namespace that will be hosting the Tyk Gateways

kubectl create namespace tyk

3. Get the default values.yaml for configuration

helm show values tyk-helm/tyk-hybrid > values.yaml

4. Configure Tyk Gateway and its connection to Tyk Cloud

• gateway.rpc.apiKey - Tyk Dashboard API Access Credentials of the user created earlier
• gateway.rpc.rpcKey - Organization ID
• gateway.rpc.connString - MDCB connection string
• gateway.rpc.group_id(optional) - if you have multiple data plane (e.g. in different regions), specify the data plane group (string) to which the gateway you are deploying belong. The data planes in the same group share one Redis instance.
• gateway.sharding.enabled and gateway.sharding.tags(optional) - you can enable sharding to selectively load APIs to specific gateways, using tags. By default, sharding is disabled and the gateway will load all APIs.

5. Configure the connection to Redis

helm install tyk-redis bitnami/redis -n tyk --version 19.0.2

  Redis(TM) can be accessed on the following DNS names from within your cluster:

    tyk-redis-master.tyk.svc.cluster.local for read/write operations (port 6379)
    tyk-redis-replicas.tyk.svc.cluster.local for read-only operations (port 6379)

  export REDIS_PASSWORD=$(kubectl get secret --namespace tyk tyk-redis -o jsonpath="{.data.redis-password}" | base64 --decode)

• redis.addrs: the name of the Redis instance including the port as set by Bitnami tyk-redis-master.tyk.svc.cluster.local:6379
• redis.pass: password set in redis ($REDIS_PASSWORD). Alternatively, you can use —set flag to set it during helm installation. For example --set redis.pass=$REDIS_PASSWORD.

6. Install Hybrid data plane

helm install tyk-hybrid tyk-helm/tyk-hybrid -f values.yaml -n tyk

At this point, Tyk Hybrid is fully installed and should be accessible.

7. Check that the installation was successful

kubectl get pods -n tyk

NAME                                  READY   STATUS    RESTARTS   AGE
gateway-tyk-hybrid-54b6c498f6-2xjvx   1/1     Running   0          4m27s
tyk-redis-master-0                    1/1     Running   0          47m
tyk-redis-replicas-0                  1/1     Running   0          47m
tyk-redis-replicas-1                  1/1     Running   0          46m
tyk-redis-replicas-2                  1/1     Running   0          46m

kubectl get service -n tyk

NAME                     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
gateway-svc-tyk-hybrid   NodePort    10.96.232.123    <none>        443:32668/TCP   44m
tyk-redis-headless       ClusterIP   None             <none>        6379/TCP        47m
tyk-redis-master         ClusterIP   10.109.203.244   <none>        6379/TCP        47m
tyk-redis-replicas       ClusterIP   10.98.206.202    <none>        6379/TCP        47m

curl http://hostname:8080/hello -i

HTTP/1.1 200 OK
Content-Type: application/json
Date: Fri, 17 Mar 2023 10:35:35 GMT
Content-Length: 234

{
  "status":"pass",
  "version":"4.3.3",
  "description":"Tyk GW",
  "details":{
    "redis": {"status":"pass","componentType":"datastore","time":"2023-03-15T11:39:10Z"},
    "rpc": {"status":"pass","componentType":"system","time":"2023-03-15T11:39:10Z"}}
}

​

Tyk Cloud Monitor Metrics

​

Tyk Cloud Throughput

• Traffic between user → Control Plane
• Traffic between user → Cloud Data Plane
• Traffic between user → Enterprise Developer Portal
• Traffic between user → Mserv (plugin upload)
• Traffic between Control Plane → Cloud Data Plane cross region
• Traffic between Cloud Data Plane → Mserv cross region
• Traffic between Control Plane → Portal cross region

• Hybrid traffic is currently not counted
• Traffic between Control Plane → Cloud Data Plane in the same region
• Traffic between Cloud Data Plane → Mserv in the same region
• Traffic between Control Plane → Portal in the same region

​

Tyk Cloud Storage

​

Tyk Cloud Telemetry

​

Available Telemetry Providers

• Datadog
• Dynatrace
• New Relic
• Elastic
• Custom
  Before diving into the configuration details, please note that Telemetry is an add-on feature in Tyk Cloud. To enable this capability for your account, please contact our support team. Our team will help you activate this feature and ensure you have access to all the Telemetry options.

​

Enabling Telemetry in Tyk Cloud

1. Configure a provider/backend at organization level.
2. Enable/Disable telemetry option while creating/updating a Cloud Data Plane.
   Before diving into the configuration details, please note that Telemetry is an add-on feature in Tyk Cloud. To enable this capability for your account, please contact our support team. Our team will help you activate this feature and ensure you have access to all the Telemetry options.

Steps for Configuring Telemetry Provider in Tyk Cloud

1. Choosing Your Provider In the Tyk Cloud Console, select Telemetry option. You’ll see a grid displaying all supported backends/providers. Click on your preferred backend/provider to begin the configuration process.
   Only a single provider/backend can be configured at any given time.
   
2. Configuring Basic Elements Every telemetry backend shares these fundamental settings:
   1. Connection Toggle: This switch activates or deactivates your telemetry export. When enabled, Tyk will start sending monitoring data to your chosen platform.
   2. Sampling Rate: This setting determines what percentage of your API traffic data gets sent to your monitoring platform. The default is 10%, which means Tyk will send data for one out of every ten API calls.
3. Configuring Optional Settings Beyond the basic settings, you can customize your telemetry with two optional features:
   1. Tags to Add to the Traces : Add custom labels to your telemetry data to make it easier to analyze. For example:
      Copy

      Ask AI

      environment:production
      region:europe
      team:api-gateway
      

   2. Fields to Filter : Specify which data fields should be excluded from your telemetry. This is useful for ensuring sensitive information doesn’t get sent to your monitoring platform.
4. Configuring Provider-Specific Configuration Each monitoring platform has its own requirements for connection. Let’s explore what you’ll need for each:
   • Datadog
   • Dynatrace
   • New Relic
   • Elastic
   • Custom

   • Provider Site: Enter your Datadog URL (like us5.datadoghq.com). To obtain your URL, refer to the following docs.
   • API Key: Enter your Datadog API key. To obtain your API Key, refer to the following docs. Example: A Datadog setup might look like:
     Copy

     Ask AI

     Provider Site: us5.datadoghq.com
     API Key: your-datadog-api-key
     

     

Configure Telemetry Export in Cloud Data Plane Deployments

1. Enable Datadog Connection
   • Toggle switch to enable/disable Datadog monitoring for this specific Cloud Data Plane deployment
2. Sampling Rate Override
   • Choose what percentage of API traffic to monitor (default: 10%)
   The sampling level can be configured at both the organization level (while setting up the provider) and the Cloud Data Plane. The configuration at the Cloud Data Plane will override the organization-level settings.
3. Verifying Cloud Data Plane Configuration As shown in the below image, you should observe Telemetry Export to be enabled:

​

Tyk Dashboard Audit Logs

​

What are Audit Logs?

• User actions and administrative operations
• API changes and configurations
• Authentication and authorisation events
• System access and modifications
• Response status codes and timestamps

​

Enabling Audit Logs for Control Plane Deployments

How to Enable Audit Logging

1. Contact Your Account Manager: Audit logging must be enabled at the subscription level. Reach out to your Tyk account manager to add this feature to your plan.
2. Enable via Tyk Cloud UI: Once the feature is available in your subscription, you can enable audit logging directly from the Tyk Cloud console:
   • Navigate to your Control Plane deployment
   • Select Edit from the deployment options
   • Enable the Audit Logging option
   • Save and redeploy your Control Plane

Viewing and Accessing Audit Logs

​

Storage Size Caps

• Storage Limits: A size cap is applied to audit logs based on your subscription plan
• Automatic Cleanup: When the storage limit is reached, the oldest logs are automatically removed to make space for new entries.

​

Tyk Cloud MDCB Supported versions

​

Track Usage

How to check metrics

​

Troubleshooting Tyk Cloud

​

FAQs

• Add the edge tag to your API to connect it to all Cloud Data Planes within the Control Plane.
• Add the location tag to your API to connect it to only Cloud Data Planes with that location within the Control Plane.

​

Glossary