API Gateway
Introduction
Can create an API that acts as a “front door” for applications
Low cost, scale automatically and serverless
Features
Supports:
Caching
API versioning
Authorization
Traffic management (API keys, request throttling)
Request / response transformation
OpenAPI spec
CORS
Can trigger:
HTTP
Expose HTTP endpoints in the backend
Ex. internal on-premises API, ALB, etc., to add rate limiting, caching, API keys, etc.
Lambda function
Expose REST API by Lambda
AWS Service
Integrate with Step Functions for workflows, SQS, SNS, etc. (skip Lambda and put the message in directly).
Expose AWS API through API Gateway
Endpoint types:
Edge-optimized (default): For global clients
Requests are routed through the CloudFront Edge locations (improve latency)
The API Gateway still lives in only one region
Regional:
For clients within the same region
Could manually combine with CloudFront (more control over the caching strategies and the distribution)
Private:
Can only be accessed from your VPC using an interface VPC endpoint (ENI)
Use a resource-based policy to define access
Caching:
Reduce the calls to backend
Default TTL (time to live) is 300 seconds (min: 0s, max: 3600s)
Caches are defined per stage
Possible to override cache settings per method
Clients can invalidate the cache with an HTTP header
Able to flush (invalidate) the entire cache immediately
Can do cache encryption
Cache capacity ranges from 0.5 GB to 237 GB
HTTP Status error code
4xx (Client errors)
400: Bad Request
403: Access Denied, or request filtered by WAF
429: Quota exceeded or throttled
5xx (Server errors)
502: Bad Gateway Exception, usually caused by an incompatible output returned from a Lambda proxy integration backend, and occasionally by out-of-order invocations under heavy load
503: Service Unavailable Exception
504: Gateway Timeout (integration exceeded the 29 s limit)
Security
Load SSL certificates and use Route 53 to define an Alias record
IAM policy
Ex. to allow API Gateway to invoke a Lambda function
Resource-based policy
Controls who can access the API
Allow users from specific AWS accounts, IP addresses / CIDR blocks, VPCs or VPC endpoints
CORS (Cross-origin resource sharing)
Browser-based security
Authentication
IAM based access
Good for providing access within your own infrastructure
Pass IAM credentials in request headers signed with SigV4
Lambda Authorizer (formerly custom authorizer)
Use a Lambda function to verify a custom OAuth / SAML / 3rd-party authentication
Cognito User Pools
Clients authenticate with Cognito
Client passes the token to API Gateway
API Gateway knows out of the box how to verify the token
Logging, monitoring and tracing
CloudWatch Logs:
Enable logging at the Stage level (with log level: ERROR / INFO)
Can log full requests / responses data
Can send API Gateway Access Logs
Can send logs directly into Kinesis Data Firehose (as an alternative to CloudWatch logs)
CloudWatch Metrics:
Metrics are per Stage; detailed metrics can be enabled, such as IntegrationLatency, Latency, CacheHitCount and CacheMissCount.
X-Ray:
Enable tracing to get extra information about requests in API Gateway.
X-Ray on API Gateway + AWS Lambda gives you the full picture.
Limits:
29 seconds timeout (cannot increase)
10 MB max upload size (cannot increase)
10,000 RPS (can increase)
Deployment Stages:
API changes are deployed to "Stages"
Stages can be rolled back as a history of deployments is kept.
Integration with Lambda Exception
Method Request / Method Response are handled by API Gateway itself and are the API's interface with the frontend (a client)
Ex. Add the corresponding error codes (400 and 500) on the Method Response in API gateway.
Integration Request / Integration Response are the API's interface with the backend.
Ex. Add Integration Responses with regular-expression selection patterns such as BadRequest or InternalError, and associate each with an HTTP status code.
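Added example (not from the original notes): a Lambda proxy handler that always returns the response shape API Gateway accepts, a checker for the shape defects that produce the 502 described above, and a model of the non-proxy Integration Response selection patterns (BadRequest / InternalError) with their fall-through to the default 200. The patterns and the "name" field are constructed for illustration.

```python
import json
import re

# Integration Response selection patterns for a non-proxy Lambda integration.
# API Gateway matches the Lambda error message against each regex and uses the
# first matching Integration Response's status code; unmatched errors fall
# through to the default (200) response, so every expected error needs a pattern.
SELECTION_PATTERNS = [  # constructed example configuration
    (r"^BadRequest.*", 400),
    (r"^InternalError.*", 500),
]

def map_error_to_status(error_message, default=200):
    """Return the status API Gateway would select for a Lambda error message."""
    for pattern, status in SELECTION_PATTERNS:
        if re.match(pattern, error_message):
            return status
    return default

def validate_proxy_response(resp):
    """List the reasons API Gateway would reject a Lambda proxy response with 502."""
    if not isinstance(resp, dict):
        return ["response must be a JSON object"]
    problems = []
    if not isinstance(resp.get("statusCode"), int):
        problems.append("statusCode must be an integer")
    if not isinstance(resp.get("body", ""), str):
        problems.append("body must be a string (json.dumps it)")
    headers = resp.get("headers", {})
    if not isinstance(headers, dict) or not all(isinstance(v, str) for v in headers.values()):
        problems.append("headers must map strings to strings")
    return problems

def _response(status, body):
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),  # a dict here would trigger a 502
        "isBase64Encoded": False,
    }

def handler(event, context=None):
    """Proxy-integration handler: client errors become a 400, never an unshaped raise."""
    try:
        payload = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return _response(400, {"error": "BadRequest: body is not valid JSON"})
    if "name" not in payload:  # 'name' is a constructed required field
        return _response(400, {"error": "BadRequest: missing 'name'"})
    return _response(200, {"greeting": f"hello {payload['name']}"})
```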
Architecture discussion
Clients use API Gateway to upload a file to S3. If the file exceeds 10 MB, the regular approach won't work because of the payload limit.
Add a Lambda behind API Gateway that generates an S3 pre-signed URL and returns it to the client application. The client then uploads the file directly to S3 with the pre-signed URL.