Differences Between the Container Gateway and Appliance Gateway

The Container Gateway is similar to the traditional Appliance Gateway, with the following notable differences:
Operational Differences

Compatibility
  Container Gateway:
    • Docker Engine
    • RedHat OpenShift Origin
    For more information on compatibility, see Container Gateway Platform Support.
  Appliance Gateway:
    • Hardware
    • VMware ESXi
    • Amazon AWS
    • Microsoft Azure

Distribution
  Container Gateway:
    • The Policy Manager is available on the CA Support site. For access to the site or to obtain a license, contact your CA sales representative.
  Appliance Gateway:
    • The Hardware Appliance Gateway is shipped to the customer's place of business. The Virtual Appliance Gateway is downloaded from the CA Support site, which requires an account to access.

Deployment
  Container Gateway:
    • Shorter (about a minute), since the container PaaS is already running
    • Does not include a MySQL server
    • Deploys directly onto a Docker host, which can be hosted either by Docker Engine or by OpenShift
  Appliance Gateway:
    • Longer (2+ minutes), since an operating system must boot before the Gateway starts
    • Includes a MySQL server
    • Deploys directly onto cloud computing and platform virtualization software and services such as VMware ESXi and Hyper-V server

Configuration

Management
  Container Gateway:
    • Supports management tooling compatible with Docker Engine and RedHat OpenShift
  Appliance Gateway:
    • More limited integration with virtual machine management systems

Updates
  Container Gateway:
    • Release Builds
    • Monthly Certified Builds
    • Locally updated images by users
  Appliance Gateway:
    • Gateway Patches
    • Monthly Platform Patches

Health Check
  Container Gateway:
    • Performs health checks through scripts. The script response determines the container's health. It is highly recommended that you design a health check script that is customized for your Container Gateway.
    • Depending on the environment the Container Gateway is running on, see Perform Health Checks in Docker or Perform Health Checks in OpenShift.

Logging

Monitoring
  Container Gateway:
    • Greater flexibility for integration with application and system monitoring solutions.
    • Service metrics are disabled by default when operating the Container Gateway in embedded database mode.
  Appliance Gateway:
    • Self-contained solution; integration requires more customization or design choices.

Diagnostics
  Container Gateway:
    • Tools can be installed using yum, which is installed in the Container Gateway. For more information on yum, see the Yum documentation.

Security
  Container Gateway:
    • Smaller attack surface, with few installed packages and no services other than the Gateway.
  Appliance Gateway:
    • Larger attack surface due to the larger package set and the additional services it inherently runs.

CA Single Sign-On
  • Installed and enabled by default

Firewall rules
  Container Gateway:
    • Firewall rules are managed by the container platform.
  Appliance Gateway:
    • Configuration of firewall rules

Networking
  Container Gateway:
    • Full port management, including the ports used by Listen Ports. The Container Gateway must be created with the required ports exposed, which is done by customizing the Container Gateway.
    • Multiple network interfaces are a limitation of Docker (each container gets exactly one interface). Use the routing and firewall capabilities provided by the container platform instead.

Other differences (Container Gateway / Appliance Gateway):
  • Not supported / Connectivity to the CA API Gateway - XML VPN Client
  • Single node support / Cluster-wide protection
  • Container resource management should be done using platform tools / Management using the Enterprise Service Manager (ESM), including any administrative task items associated with ESM (Manage ESM User Mappings)

Hardware Security Module (HSM)
  Container Gateway:
    • Not supported

Cluster management
  Container Gateway:
    • Stale gateways are visible from the Policy Manager Dashboard until a scheduled job refreshes the cluster state.
  Appliance Gateway:
    • Nodes are not constantly added to and removed from a cluster
    • Stale gateways are less visible

Backup/Restore
  Container Gateway:
    • Back up by creating derived images and saving your configuration files (for example, the Docker Compose file)
    • Restore by launching the derived image
    • The external database is outside of the Container Gateway, and its maintenance is the responsibility of the customer.

Custom Assertions
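As an added example (not CA's own script and not part of the original page), here is a health check script of the kind the Health Check row recommends: it probes the Gateway's HTTPS listen port and its exit status reports the container's health, treating any non-5xx HTTP answer as healthy and a refused connection, timeout, TLS failure or 5xx as unhealthy. It assumes the listen port is published as GATEWAY_PORT (placeholder default 8443), that curl is present in the image, and that the script is wired in through a Dockerfile HEALTHCHECK or an OpenShift probe.

```shell
#!/bin/sh
# Added example health check for a Container Gateway; not CA's own script.
# Assumptions: the Gateway's HTTPS listen port is GATEWAY_PORT (placeholder
# default 8443) and curl is present in the image (installable with yum).
GATEWAY_HOST="${GATEWAY_HOST:-127.0.0.1}"
GATEWAY_PORT="${GATEWAY_PORT:-8443}"
HEALTH_TIMEOUT="${HEALTH_TIMEOUT:-5}"

# classify_probe CURL_EXIT HTTP_CODE -> prints "healthy" or "unhealthy".
# Pure function, so the verdict logic can be tested without a running Gateway.
classify_probe() {
    case "$1" in
        0)
            # TLS handshake and HTTP exchange completed, so the listener is up;
            # a 5xx means the process answered but is failing internally.
            case "$2" in
                5??) echo unhealthy ;;
                *)   echo healthy ;;
            esac ;;
        *)
            # 7 refused, 28 timeout, 35 TLS failure, 60 untrusted certificate.
            echo unhealthy ;;
    esac
}

# probe_gateway -> prints the verdict; returns 0 (healthy) or 1 (unhealthy).
probe_gateway() {
    set -- --silent --output /dev/null --write-out '%{http_code}' \
           --max-time "$HEALTH_TIMEOUT"
    # Keep certificate validation on: trust the listen-port certificate's CA
    # through GATEWAY_CA_CERT rather than disabling checks with -k.
    if [ -n "${GATEWAY_CA_CERT:-}" ]; then
        set -- "$@" --cacert "$GATEWAY_CA_CERT"
    fi
    if http_code=$(curl "$@" "https://$GATEWAY_HOST:$GATEWAY_PORT/"); then
        curl_exit=0
    else
        curl_exit=$?
    fi
    verdict=$(classify_probe "$curl_exit" "$http_code")
    echo "$verdict"
    [ "$verdict" = healthy ]
}

# Probe only when invoked with --probe, e.g. from a Dockerfile:
#   HEALTHCHECK --interval=30s --timeout=10s CMD /opt/healthcheck.sh --probe
if [ "${1:-}" = "--probe" ]; then
    probe_gateway
fi
```

Because the container platform acts on the exit status, a 5xx from the Gateway leads to a restart or drain rather than leaving a failing node in rotation.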
Architecture Differences
While the Container Gateway operates largely like the Appliance Gateway, differences exist at the architecture level because the two are deployed differently.
  • When running a container, each container gets its own private file system that differs from the one on the host.
  • Each container gets exactly one network interface that uses Network Address Translation (NAT) through the physical interfaces.
  • There is no MySQL server running in the Container Gateway. Instead, you need to run your own MySQL server and handle its operation yourself (such as replication setup, backup/restore, and monitoring).
  • The Container Gateway cannot access the hardware layer of the machine. This prevents the use of Hardware Security Modules (HSM).
The differences in architecture result in a change in what you build and/or configure. In the diagram below, the changed areas are highlighted in gray.
[Diagram: Architecture_differences]