AMAZON API GATEWAY
CREATE, MAINTAIN, AND SECURE APIS AT ANY SCALE
INTRODUCTION
API Gateway is a fully-managed service that acts as a front
door to your application’s ecosystem.
scale, not only to expose AWS resources like Lambda but
authorization processing (see Authorizers) or request
It's easy to perceive it just as an HTTP mediator between a
client and an internal AWS service like Lambda, but there's
more to explore as it offers a lot of valuable features.
throttling the clients of your APIs by defining
ERROR HANDLING
You request can get rejected by your API for a lot of different
burst sizes: a time-window that can exceed the threshold
reasons. Among other things
services and forward a security context that contains
missing or invalid authorization
payload does not match your validation model
There are different types of authorizers, including the
invalid methods or routes.
By default, API Gateway will return a HTTP 400 Bad
Request response with a message indicating the type of
invalid authentication/authorization by your Authorizers.
failure. e.g. BAD_REQUEST_BODY or INVALID_MEDIA_TYPE.
You’re also able to use response templates to construct
payloads that contain detailed errors by using variable
substitution from the context object of your request.
for and saving boilerplate code at your integration.
M ONITORING
CloudWatch already tracks a lot of metrics for our API
Gateways out of the box, including:
• number of HTTP 4xx and 5xx responses
• execution & integration errors
Integration
• integration latency
Besides that, you can enable API Gateway to write logs to
CloudWatch which will help you to investigate issues with
Free for the first 12 months - every month - per type
your integration.
Third-party apps like Dashbird.io help you to monitor all
of your REST & HTTP API Gateways with just minimal
configuration in a central place - including low-noise
notifications about issues to your favorite channels.
FOUNDATIONS REQUEST FLOW RESPONSE FLOW GATEWAY TYPES
API Gateway allows you to securely create APIs at any The Request Flow is everything that happens before the The Response Flow is everything that comes after the API Gateway comes in three different flavors, offering
integration is triggered, like authentication and integration, like transformations so your clients get an different features and pricing
anything that speaks HTTP.
expected output for the results of your integration. REST - the default and most common type
validation. HTTP - reduced set of features in comparison to REST,
In a nutshell, its built of three major parts but way cheaper and easier to set up
Request Flow - everything that happens before your USAGE PLANS WebSockets - for building real-time applications.
destination is called: Authorize, validate & transform PROXY RESOURCE API keys can be used as a method for rate limiting and
Bind different HTTP requests to a single integration.
Integration - calling the target destination - like a
Lambda function - and actual handling your request
a threshold for the requests per second AUTHORIZERS
Example: /api/v1/customers/{id}
Authorizers enable you to protect your downstream
Response Flow - the post-destination step: transforming
It will bind calls for example t the maximum number of requests for a time-window.
responses for your clients.
/api/v1/customers/88ec6f6f
information about the authenticated identity.
but not t This adds a layer of protection against flooding and misuse.
a or benefits: the request & response flow allows you to
M j
/api/v1/customers/88ec6f6f/orders
default JWT, a Cognito User Pool or a custom Lambda
do a lot without writing much or any code, e.g
Requests which are blocked due to rate-limiting are not function.
use a mapping templates written in the Velocity
You can extend the proxy indicator with a + to capture all billed - this is the same for requests that are rejected due to
Template Language (VTL) to transform input
values that come after.
The default JWT for HTTP Gateway is great to integrate with
authenticate via JWTs with the default JWT Authorizer
Example: /api/v1/{proxy+}
any identity provider supporting OAuth2/OpenID.
Will match for exampl
PROXY INTEGRATION /api/v1/customer RESPONSE HANDLING
️
API Gateway is also able to forward your request as is to /api/v1/order
If you're not using a proxy integration, you need to define REQUEST VALIDATION
integration responses. Those are the counterpart to our Validating requests before they hit your integration comes
a Lambda function via a default mapping template o /api/v1/orders/5aa989ff
integration request in the request flow and transform the with major benefits of reducing the number of invocations
an HTTP endpoint - forwarding your entire request
backend responses into something API Gateway can handle.
... and everything else that's under /api/v1.
The proxy integration makes API Gateway really easy to
This is also done by using VTL. Additionally, you need to
determine if our integration request was successful or if it You’re able to do parameter validation (requiring query
use, but remove some of its powerful features. INTEGRATION
returned an error - also finding out which exact error parameters or headers) as well as payload validation
occurred. (dedicated models for your incoming request payloads,
including the accepted content type or payload
Integration
Request Flow
Response Request
containments).
Method
AWS SERVICE PROXY INGERATION
... and any more services
Request It's also possible to directly integrate your API Gateway to
AWS services like DynamoDB, e.g. to insert, update or delete PRICING
items.
Response Flow
REST: 1m API call
Method
This is useful for simple data ingestion services which then HTTP: 1m API call
Response don't require any operations or maintainance. WebSockets: 1m messages & 750k connection minutes
REST Gateway is much more expensive than HTTP.
API GATEWAY Looking at us-east-1, it is $3.5 vs. $1 per 1m requests,
meaining HTTP gateway is ~71% cheaper.