AWS API Gateway

  • AWS API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale.
  • API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
  • API Gateway has no minimum fees or startup costs and charges only for the API calls received and the amount of data transferred out.
  • API Gateway acts as a proxy to the configured backend operations.
  • API Gateway scales automatically to handle the amount of traffic the API receives.
  • API Gateway exposes HTTPS endpoints only for all the APIs created. It does not support unencrypted (HTTP) endpoints.
  • APIs built on API Gateway can accept any payloads sent over HTTP with typical data formats including JSON, XML, query string parameters, and request headers.
  • API Gateway can communicate with multiple backends:
    • Lambda functions
    • AWS Step Functions state machines
    • HTTP endpoints exposed through Elastic Beanstalk, ELB or EC2 servers
    • Non-AWS-hosted HTTP-based operations accessible via the public Internet
  • API Gateway endpoints are always public to the Internet and do not run within a VPC. Proxy requests to backend operations also need to be publicly accessible on the Internet.

API Gateway helps with several aspects of creating and managing APIs:

  • Metering
    • automatically meters traffic to the APIs and lets you extract utilization data for each API key.
    • lets you define usage plans that meter and restrict third-party developer access and configure throttling and quota limits on a per-API-key basis
  • Security
    • helps remove authorization concerns from the backend code
    • allows leveraging of AWS administration and security tools, such as IAM and Cognito, to authorize access to APIs
    • can verify signed API calls on your behalf using the same methodology AWS uses for its own APIs.
    • supports custom authorizers written as Lambda functions that verify incoming bearer tokens.
    • automatically protects the backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3).
  • Resiliency
    • helps manage traffic with throttling so that backend operations can withstand traffic spikes.
    • helps improve the performance of the APIs and the latency end users experience by caching the output of API calls to avoid calling the backend every time.
  • Operations Monitoring
    • integrates with CloudWatch and provides a metrics dashboard to monitor calls to API services
    • integrates with CloudWatch Logs to receive errors, access or debug logs
    • provides backend performance metrics covering API calls, latency data and error rates.
  • Lifecycle Management
    • allows multiple API versions and multiple stages (development, staging, production etc.) for each version simultaneously so that existing applications can continue to call previous versions after new API versions are published.
    • saves the history of the deployments, which allows rollback of a stage to a previous deployment at any point, using APIs or console.
  • Designed for Developers
    • allows specifying a mapping template to generate static content to be returned, helping you mock APIs before the backend is ready
    • helps reduce cross-team development effort and time-to-market for applications and allows dependent teams to begin development while backend processes are still built.
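The "custom authorizers written as Lambda functions" point above, as an added example that is not from the original article: a minimal TOKEN authorizer that validates a bearer token and answers with the policy document API Gateway expects. The token format (base64 of user:expiry:HMAC) and the secret are constructed stand-ins for a real JWT and a real key store.

```python
import base64
import hashlib
import hmac
import time

# Assumption: in a real deployment the secret comes from an environment
# variable or Secrets Manager; it is hard-coded here only so the example runs offline.
SECRET = b"constructed-demo-secret"

def make_token(user, expires_at):
    """Constructed token format base64(user:expiry:hmac); stands in for a JWT."""
    payload = f"{user}:{expires_at}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b":" + sig.encode()).decode()

def verify_token(token, now):
    """Return the user name if signature and expiry check out, otherwise None."""
    try:
        user, exp, sig = base64.urlsafe_b64decode(token).decode().split(":")
        exp = int(exp)
    except (ValueError, UnicodeDecodeError):  # malformed base64, fields or expiry
        return None
    expected = hmac.new(SECRET, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return user if exp > now else None

def policy(principal, effect, method_arn):
    """Policy document in the shape API Gateway expects back from an authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
    }

def handler(event, context=None, now=None):
    """Lambda entry point for a TOKEN authorizer; `now` is injectable for testing."""
    now = int(time.time()) if now is None else now
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise Exception("Unauthorized")  # API Gateway turns this message into a 401
    user = verify_token(token, now)
    if user is None:
        return policy("anonymous", "Deny", event["methodArn"])
    return policy(user, "Allow", event["methodArn"])
```

Scoping the Allow statement to the `methodArn` passed in (rather than `*`) keeps a cached authorizer result from granting access to other methods.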

API Gateway Features

  • Support for stateful (WebSocket) and stateless (HTTP and REST) APIs.
  • Powerful, flexible authentication mechanisms, such as AWS IAM policies, Lambda authorizer functions, and Amazon Cognito user pools.
  • Developer portal for publishing your APIs.
  • Canary release deployments for safely rolling out changes.
  • CloudTrail logging and monitoring of API usage and API changes.
  • CloudWatch access logging and execution logging, including the ability to set alarms.
  • Ability to use AWS CloudFormation templates to enable API creation.
  • Support for custom domain names.
  • Integration with AWS WAF for protecting your APIs against common web exploits.
  • Integration with AWS X-Ray for understanding and triaging performance latencies.

API Gateway Throttling and Caching

  • Throttling
    • API Gateway provides throttling at multiple levels, including global and per-service-call limits, and limits can be set for both steady-state rates and bursts.
    • It tracks the number of requests per second. Any requests over the limit will receive a 429 HTTP response.
    • Throttling ensures that API traffic is controlled to help the backend services maintain performance and availability.
  • Caching
    • API Gateway provides API result caching by provisioning an API Gateway cache and specifying its size in gigabytes.
    • Caching helps improve performance and reduces the traffic sent to the back end.
    • API Gateway handles a request in the following manner:
      • If caching is not enabled and no throttling limits have been applied, all requests pass through to the backend service until the account-level throttling limits are reached.
      • With throttling limits defined, API Gateway sheds the excess requests and sends only the defined limit to the backend.
      • If a cache is configured, API Gateway returns a cached response for duplicate requests for a customizable period, but only if the request is under the configured throttling limits. Responses from the endpoint are cached for a specified time-to-live (TTL) period, in seconds.
  • API Gateway does not arbitrarily limit or throttle invocations to the backend operations and all requests that are not intercepted by throttling and caching settings are sent to your backend operations.
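The request-handling order described above (throttle first, then cache, then backend), as an added model that is not API Gateway's own code: a token bucket with a steady rate and a burst size, and a TTL cache in front of a backend callable. The class and its parameters are constructed for illustration.

```python
class GatewayModel:
    """Constructed model of the order above: throttle, then cache, then backend."""

    def __init__(self, rate, burst, cache_ttl=0.0):
        self.rate = rate            # steady-state requests per second
        self.burst = burst          # bucket size, i.e. the burst limit
        self.tokens = float(burst)  # token bucket starts full
        self.last = 0.0             # time of the last refill
        self.cache_ttl = cache_ttl  # seconds; 0 means no cache provisioned
        self.cache = {}             # request key -> (expires_at, response)
        self.backend_calls = 0      # how many requests reached the backend

    def _refill(self, now):
        """Add tokens for the time elapsed, never exceeding the burst size."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def request(self, key, now, backend):
        """Return (status, body); `backend` is a callable standing in for the integration."""
        self._refill(now)
        if self.tokens < 1:
            return 429, "Too Many Requests"  # shed: over the throttling limit
        self.tokens -= 1
        if self.cache_ttl > 0:
            hit = self.cache.get(key)
            if hit and hit[0] > now:
                return 200, hit[1]  # duplicate request within TTL: no backend call
        self.backend_calls += 1
        body = backend(key)
        if self.cache_ttl > 0:
            self.cache[key] = (now + self.cache_ttl, body)
        return 200, body
```

Running five identical requests in the same second against rate=2, burst=3 yields three 200s (one backend call, two cache hits) followed by two 429s, which is the "only if under configured throttling limits" behaviour the text describes.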

API Gateway Endpoint Types

Edge-optimized API Endpoints

  • An edge-optimized API endpoint is best for geographically distributed clients and is the default endpoint type for API Gateway REST APIs.
  • API requests are routed to the nearest CloudFront Point of Presence (POP).
  • Edge-optimized APIs capitalize the names of HTTP headers (for example, Cookie).
  • CloudFront sorts HTTP cookies in natural order by cookie name before forwarding the request to your origin.
  • Any custom domain name used for an edge-optimized API applies across all regions.

Regional API Endpoints

  • A regional API endpoint is intended for clients in the same region.
  • When a client running on an EC2 instance calls an API in the same region, or when an API is intended to serve a small number of clients with high demands, a regional API reduces connection overhead.
  • For a regional API, any custom domain name used is specific to the region where the API is deployed. If you deploy a regional API in multiple regions, it can have the same custom domain name in all regions.
  • Regional API endpoints pass all header names through as-is.

Private API Endpoints

  • A private API endpoint is an API endpoint that can only be accessed from within a VPC, using an interface VPC endpoint.
  • Private API endpoints pass all header names through as-is.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. You are running a mobile media application and are considering API Gateway for the client entry point. What benefits would this provide? Choose 2 answers
    1. Caching API responses
    2. IP blacklisting
    3. Intrusion prevention
    4. Load balancing
    5. Throttling traffic

Comments

  1. Hi,

    I found these two statements contradictory, could you please elaborate.

    API Gateway expose HTTPS endpoints only
    and
    APIs built on API Gateway can accept any payloads sent over HTTP

    1. API Gateway supports only HTTPS endpoints. For the data types that it can accept, it accepts any data type that can be sent over HTTP, like JSON, XML, headers or query strings, etc.

  2. Hi Jaye,

    We need something about same origin policy and CORS, Pls do update if possible.

    Regards
    Venkatesan.K

  3. I’d guess that the answer to the practice question is wrong? “Intrusion prevention” is marked, but I think “Caching API responses” would be correct.

      1. Hi,

        Are these answers correct for the above practice question? Please confirm, as I saw D and E are correct. Please explain.

          1. Thanks for your prompt response …can you please provide the answer for the below questions.
            1. You’ve been tasked with choosing a datastore to persist GPS coordinates for a new app. The service needs consistent, single-digit-millisecond latency at any scale. Which AWS service meets your requirements?
            A. Amazon Redshift
            B. Amazon DynamoDB
            C. Amazon S3
            D. Amazon RDS

            Is the answer B or D? Please confirm.

            Your company’s IT policies mandate that all critical data must be duplicated in two physical locations at least 100 miles apart.
            Which storage option meets this requirement?
            A. Two Amazon S3 buckets in different regions
            B. One Amazon S3 bucket
            C. One Amazon Glacier archive
            D. Two Amazon S3 buckets in the same region

            Is the answer A or B? Please confirm.

            Thanks in advance

  4. Hi Sita, for the first the Question 1 answer is B.

    Here is the reference – https://aws.amazon.com/dynamodb/

    Amazon DynamoDB is a nonrelational database that delivers reliable performance at any scale. It’s a fully managed, multi-region, multi-master database that provides consistent single-digit millisecond latency, and offers built-in security, backup and restore, and in-memory caching.

    1. Hi Sujatha,
      Thanks for the confirmation….
      Do you have any idea for the second question
      Thanks in advance

  5. At least 100 miles apart – means anything more than 100 miles is ok. So answer “Two Amazon S3 buckets in different regions” is correct.

  6. For the second question, the correct answer is “B”, because S3 stores your data in multiple facilities (which are separated by more than 100 miles) in the same region.

    1. If you check Singapore in Google Maps you can see the distances between 2 zones must be less than 100 miles in the SG region.

  7. Hi,

    Which of the below services are automatically integrated with API Gateway?

    A. CloudFront
    B. Lambda
    C. S3
    D. RDS

    I think A is the ans. Jayendra can you please help on this.

    1. CloudWatch is a metric monitoring tool, it does not monitor API calls but the metrics which can be used for monitoring, alerting and taking actions on it.
      CloudTrail is the one to monitor the API calls.

  8. Hi Jayendra,
    A mobile client requires data from several application layer interfaces to populate its user interface. What can the application team use to decouple the client interface from the underlying services behind them?
    Would answer be API Gateway or application load balancer?

    1. API Gateway with a microservices architecture based on Lambda can work for you. ALB is more of a load balancer for the underlying application.

  9. HI Jayendra, can you help about this:

    A user is testing a new service that receives location updates from 3,600 rental cars every hour.
    Which service will collect data and automatically scale to accommodate production workload?
    A. Amazon EC2
    B. Amazon Kinesis Firehose
    C. Amazon EBS
    D. Amazon API Gateway

    1. Only Kinesis makes sense here as the service to be able to capture data, although 3600/hour is not a great amount of data.

        1. Kinesis is built for big data capture and ingestion. However, it’s not a managed service and you need to provision it accordingly.

  10. Hey,

    I was looking for CORS configuration on API Gateway, unable to find clear explanation on this anywhere. So if you can update this content that would be helpful.
    Thanks in advance.
