Articles in this section

Given a project that there are five microservices, is there any way to make four private and just one public?

Hannes Van Zyl
Updated

In a microservices architecture on Upsun, you can control the public visibility of your services by managing their exposure in the routes configuration. To keep specific microservices private while exposing only one as a public entry point, you must define which services are mapped to external URLs and which remain internal.

Internal vs. External Visibility

By default, every application defined in your project is isolated. A microservice only becomes "public" when it is explicitly mapped to a URL in the routes section in the .upsun/config.yaml file. If an app is not included in this file, it remains private and is only accessible to other services within the same project environment.

Execution Method

To configure a project with one public microservice and four private ones, follow these steps:

  1. Define All Services: Ensure all five microservices are defined in your project with their respective application blocks in .upsun/config.yaml.

  2. Establish Relationships: For the private services to be useful, the public service (and potentially other private services) must be able to communicate with them. In the .upsun/config.yaml section of the calling service, define a relationship to the private service:

     

    relationships:
    internal-api: "private-service-name:http"

  3. Configure Selective Routing: In your routes configuration, only create an entry for the microservice you wish to expose. Do not add entries for the four private services.

     

    "https://{default}/":
    type: upstream
    upstream: "public-service-name:http"

The Rule

On Platform.sh, routing is explicit. Any service not defined as an upstream in your routes configuration is automatically private. These private services are accessible only via the internal network using the hostnames and credentials provided in the PLATFORM_RELATIONSHIPS environment variable of the services that depend on them. This ensures a secure architecture where your internal logic and data processing remain shielded from the public internet, while your gateway or frontend remains the sole point of entry.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.