# API Gateway

**Introduction**

* Can create an API that acts as a “front door” for applications
* Low cost, scales automatically, serverless

**Features**

* Supports:
  * Caching
  * API versioning
  * Authorization
  * Traffic management (API keys, request throttling)
  * Request / response transformation
  * OpenAPI spec
  * CORS
* Can trigger:
  * HTTP
    * Expose HTTP endpoints in the backend
    * Ex. an internal on-premises API, an ALB, etc., to add rate limiting, caching, API keys, etc.
  * Lambda function
    * Expose REST API by Lambda
  * AWS Service
    * Integrate with Step Functions for workflows, SQS, SNS, etc. (the message is put in directly, skipping Lambda).
    * Expose AWS API through API Gateway
* Endpoint types:
  * Edge-optimized (default): For global clients
    * Requests are routed through CloudFront edge locations (improves latency)
    * The API Gateway still lives in only one region
  * Regional:
    * For clients within the same region
    * Can be manually combined with CloudFront (more control over caching strategies and the distribution)
  * Private:
    * Can only be accessed from your VPC using an interface VPC endpoint (ENI)
    * Use a resource-based policy to define access
* Caching:
  * Reduces calls to the backend
  * Default TTL (time to live) is 300 seconds (min: 0s, max: 3600s)
  * Caches are defined per stage
  * Possible to override cache settings per method
  * Clients can invalidate the cache with an HTTP header
  * Able to flush (invalidate) the entire cache immediately
  * Can encrypt the cache
  * Cache capacity ranges from 0.5 GB to 237 GB
* HTTP status error codes
  * 4xx (Client errors)
    * 400: Bad Request
    * 403: Access denied, WAF filtered
    * 429: Quota exceeded, throttled
  * 5xx (Server errors)
    * 502: Bad Gateway Exception, usually an incompatible output returned from a Lambda proxy integration backend, occasionally out-of-order invocations due to heavy load
    * 503: Service Unavailable Exception
    * 504: Gateway Timeout (request exceeds 29 s)
* Security
  * Load SSL certificates and use Route 53 to define an alias
  * IAM policy
    * e.g. to invoke a Lambda function
  * Resource-based policy
    * Controls who can access the API
    * Users from specific AWS accounts, IPs / CIDR blocks, VPCs, VPC endpoints
  * CORS (Cross-origin resource sharing)
    * Browser-based security
    * [Control which domains (origin) can call your API](https://aws.amazon.com/tw/about-aws/whats-new/2015/11/enable-cors-in-amazon-api-gateway/)
* Authentication
  * IAM based access
    * Good for providing access within your own infrastructure
    * Pass IAM credentials in headers via SigV4 signing
  * Lambda Authorizer (formerly custom authorizer)
    * Use a Lambda function to verify custom OAuth / SAML / third-party authentication
  * Cognito User Pools
    * Clients authenticate with Cognito
    * The client passes the token to API Gateway
    * API Gateway knows out of the box how to verify the token
* Logging, monitoring and tracing
  * CloudWatch Logs:
    * Enable logging at the stage level (log level: ERROR / INFO)
    * Can log full request / response data
    * Can send API Gateway Access Logs
    * Can send logs directly into Kinesis Data Firehose (as an alternative to CloudWatch logs)
  * CloudWatch Metrics:
    * Metrics are per stage, with the option to enable detailed metrics such as IntegrationLatency, Latency, CacheHitCount, CacheMissCount.
  * X-Ray:
    * Enable tracing to get extra information about requests in API Gateway.
    * X-Ray on API Gateway + AWS Lambda gives you the full picture.
* **Limits**:
  * 29 second timeout (cannot be increased)
  * 10 MB max payload size (cannot be increased)
  * 10,000 RPS (can be increased)
* Deployment Stages:
  * API changes are deployed to "Stages"
  * Stages can be rolled back as a history of deployments is kept.
* [Integration with Lambda Exception](https://docs.aws.amazon.com/apigateway/latest/developerguide/handle-errors-in-lambda-integration.html)
  * Method Request / Method Response are handled by API Gateway itself; they are the API's interface with its frontend (the client)
    * Ex. Add the corresponding error codes (400 and 500) to the Method Response in API Gateway.
  * Integration Request / Integration Response are the API's interface with the backend.
    * Ex. Add Integration Responses with regular expression patterns such as BadRequest or InternalError, and associate them with HTTP status codes.
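The Lambda authorizer bullet above only says "use Lambda to verify"; this added example (not code from the page or from AWS) shows what such a TOKEN authorizer actually returns and the two gotchas that matter for security: the policy is cached per token, so its `Resource` must cover the routes the caller may hit, and an invalid token should be rejected by raising `Unauthorized` (401) rather than returning a 200. The token format, `make_token`, the shared secret and the method ARN are constructed for the example; a real authorizer would validate a JWT from the identity provider.

```python
import hashlib
import hmac
import time

# Constructed secret for this example; a real authorizer loads it from Secrets Manager/SSM
# and usually validates a JWT from the identity provider rather than an HMAC token.
SECRET = b"example-shared-secret"

def make_token(user, exp):
    """Hypothetical issuer side: sign '<user>:<exp>' with the shared secret."""
    sig = hmac.new(SECRET, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{exp}:{sig}"

def verify_token(token, now=None):
    """Return the claims for a valid, unexpired token, or None on any failure."""
    try:
        user, exp, sig = token.split(":")
        exp = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time, unlike '=='
        return None
    if exp < (now if now is not None else int(time.time())):
        return None
    return {"user": user}

def build_policy(principal, effect, method_arn, context=None):
    """TOKEN-authorizer response; methodArn is arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/VERB/path.
    Resource is widened to the whole stage because API Gateway caches the policy per token
    and reuses it for the caller's other routes."""
    arn_prefix, path = method_arn.split("/", 1)
    stage = path.split("/")[0]
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect,
             "Resource": f"{arn_prefix}/{stage}/*"}]},
        "context": context or {},  # exposed to the backend as $context.authorizer.*
    }

def handler(event, context=None):
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    claims = verify_token(token)
    if claims is None:
        # This exact message makes API Gateway answer 401; a Deny policy would give 403.
        raise Exception("Unauthorized")
    return build_policy(claims["user"], "Allow", event["methodArn"], claims)
```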

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4cDbT2F2VmcAohuhSN%2Fuploads%2Fi9Lo7u1CjYqpt2NRbOSf%2Ffile.png?alt=media)
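The Integration Response mapping described above, as an added example that is not part of the original page or of AWS's code: a non-proxy Lambda backend signals client versus server faults by raising exceptions whose message starts with the configured pattern, and a small local simulation of API Gateway's behaviour shows that the selection pattern is matched against the `errorMessage` field only, and that with no matching pattern the error body falls through to the default 200. The patterns, status codes and the `id` trigger values are constructed for the example.

```python
import re

# Selection patterns as they would be configured on the Integration Responses
# (constructed for this example, reusing the page's BadRequest / InternalError names).
INTEGRATION_RESPONSES = [
    (r"^BadRequest.*", 400),
    (r"^InternalError.*", 500),
]
DEFAULT_STATUS = 200

def lambda_handler(event, context=None):
    """Non-proxy integration backend: raise exceptions whose message starts
    with the class the gateway's selection pattern looks for."""
    item_id = event.get("id")
    if not isinstance(item_id, str) or not item_id.isdigit():
        raise ValueError(f"BadRequest: id must be a numeric string, got {item_id!r}")
    if item_id == "500":  # constructed trigger standing in for a backend failure
        raise RuntimeError("InternalError: datastore unavailable")
    return {"id": item_id, "name": f"item-{item_id}"}

def invoke_and_map(event):
    """Local simulation of a Lambda (non-proxy) integration: an unhandled exception
    becomes {"errorMessage": ..., "errorType": ...}, and the selection pattern is
    matched against errorMessage only, not against the whole response body."""
    try:
        return DEFAULT_STATUS, lambda_handler(event)
    except Exception as exc:
        error = {"errorMessage": str(exc), "errorType": type(exc).__name__}
        for pattern, status in INTEGRATION_RESPONSES:
            if re.match(pattern, error["errorMessage"]):
                return status, error
        return DEFAULT_STATUS, error  # no pattern matched: the default 200 leaks the error
```

If a pattern is missing, the last line is what the client sees: a 200 carrying a stack-style error body, which is why the page recommends adding the 400/500 codes to the Method Response as well.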

**Architecture discussion**

* Clients use API Gateway to upload files to S3. If a file exceeds 10 MB, the regular approach won't work.
  * Put a Lambda function behind API Gateway that generates an S3 pre-signed URL and returns it to the client application; the client then uploads the file directly with the pre-signed URL.
