AWS API Gateway

  • AWS API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale.
  • API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
  • API Gateway has no minimum fees or startup costs and charges only for the API calls received and the amount of data transferred out.
  • API Gateway acts as a proxy to the configured backend operations.
  • API Gateway scales automatically to handle the amount of traffic the API receives.
  • API Gateway exposes HTTPS endpoints only for all the APIs created. It does not support unencrypted (HTTP) endpoints.
  • APIs built on API Gateway can accept any payloads sent over HTTP with typical data formats including JSON, XML, query string parameters, and request headers.
  • API Gateway supports three types of APIs:
    • REST APIs – Full-featured API management with request/response transformation, caching, usage plans, and API keys.
    • HTTP APIs – Optimized for serverless workloads with up to 71% cost savings and 60% lower latency compared to REST APIs.
    • WebSocket APIs – For real-time, bidirectional communication between clients and backend services.
  • API Gateway can communicate with multiple backends:
    • Lambda functions
    • AWS Step Functions state machines
    • HTTP endpoints exposed through Elastic Beanstalk, ELB or EC2 servers
    • Non-AWS-hosted HTTP-based operations accessible via the public Internet
    • Amazon Bedrock AgentCore Gateway (for AI agent tool interactions via MCP)
  • API Gateway endpoints can be public or private:
    • Edge-optimized and Regional endpoints are public to the Internet.
    • Private endpoints can only be accessed from within a VPC using interface VPC endpoints.

API Gateway helps with several aspects of creating and managing APIs

  • Metering
    • automatically meters traffic to the APIs and lets you extract utilization data for each API key.
    • define plans that meter, restrict third-party developer access, configure throttling, and quota limits on a per API key basis
  • Security
    • helps remove authorization concerns from the backend code
    • allows leveraging of AWS administration and security tools, such as IAM and Cognito, to authorize access to APIs
    • can verify signed API calls on your behalf using the same methodology AWS uses for its own APIs.
    • supports custom authorizers written as Lambda functions that verify incoming bearer tokens.
    • supports mutual TLS (mTLS) authentication for REST and HTTP APIs for enhanced client-server identity verification.
    • supports Signature Version 4A (SigV4a) for REST APIs, enabling multi-region request signing for seamless routing and failover between regions.
    • automatically protects the backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3).
  • Resiliency
    • helps manage traffic with throttling so that backend operations can withstand traffic spikes.
    • helps improve the performance of the APIs and the latency end users experience by caching the output of API calls to avoid calling the backend every time.
  • Operations Monitoring
    • integrates with CloudWatch and provides a metrics dashboard to monitor calls to API services
    • integrates with CloudWatch Logs to receive errors, access or debug logs
    • provides backend performance metrics covering API calls, latency data and error rates.
    • provides enhanced observability variables in access logs for granular troubleshooting of request errors and latency issues.
  • Lifecycle Management
    • allows multiple API versions and multiple stages (development, staging, production etc.) for each version simultaneously so that existing applications can continue to call previous versions after new API versions are published.
    • saves the history of the deployments, which allows rollback of a stage to a previous deployment at any point, using APIs or console.
  • Designed for Developers
    • allows specifying a mapping template to generate static content to be returned, helping you mock APIs before the backend is ready
    • helps reduce cross-team development effort and time-to-market for applications and allows dependent teams to begin development while backend processes are still built.

API Gateway API Types

REST APIs

  • Full-featured API management with the broadest set of capabilities.
  • Supports request/response transformation using Velocity Template Language (VTL).
  • API keys and usage plans for metering and throttling third-party access.
  • Request validation, API caching, and resource policies.
  • Private API endpoints accessible only from within a VPC.
  • Integration with AWS WAF for web exploit protection.
  • Canary release deployments for safe rollouts.
  • Supports response streaming (November 2025) – progressively streams response payloads to clients without buffering the entire response.
  • Supports private integration with Application Load Balancer directly (November 2025), eliminating the need for an intermediate NLB.
  • Pricing: $3.50 per million requests (first 333M), reducing at scale.

HTTP APIs

  • Optimized for serverless workloads and HTTP backends.
  • Up to 71% cost savings and 60% latency reduction compared to REST APIs.
  • Native JWT authorizer support and OpenID Connect/OAuth 2.0 integration.
  • Simplified configuration with automatic deployments.
  • Supports private integrations with ALB, NLB, and AWS Cloud Map via VPC links.
  • Supports mutual TLS (mTLS) authentication.
  • Does NOT support: API caching, request/response transformation, API keys/usage plans, resource policies, or private API endpoints.
  • Pricing: $1.00 per million requests (first 300M), then $0.90 per million.

WebSocket APIs

  • Supports real-time, bidirectional communication between clients and backend services.
  • Manages persistent connections and message routing based on message content.
  • Supports IAM and Lambda authorization, custom domains, and stage variables.
  • Ideal for chat applications, real-time dashboards, and gaming.
  • Available in most AWS Regions (expanded to 7 additional regions in 2024).
  • Pricing: $1.00 per million messages + $0.25 per million connection minutes.

API Gateway Features

  • Support for stateful (WebSocket) and stateless (HTTP and REST) APIs.
  • Powerful, flexible authentication mechanisms, such as AWS IAM policies, Lambda authorizer functions, and Amazon Cognito user pools.
  • Mutual TLS (mTLS) authentication for client certificate-based identity verification.
  • Signature Version 4A (SigV4a) support for multi-region API access patterns.
  • API Gateway Portals – fully managed developer portals for API discovery, documentation, and governance (November 2025).
  • Canary release deployments for safely rolling out changes.
  • CloudTrail logging and monitoring of API usage and API changes.
  • CloudWatch access logging and execution logging, including the ability to set alarms.
  • Ability to use AWS CloudFormation templates to enable API creation.
  • Support for custom domain names.
  • Integration with AWS WAF for protecting your APIs against common web exploits.
  • Integration with AWS X-Ray for understanding and triaging performance latencies.
  • Response streaming for REST APIs – progressively stream response payloads to clients as they become available (November 2025).
  • Dynamic routing rules for custom domain names based on HTTP headers and/or URL paths (June 2025).
  • Dual-stack (IPv4 and IPv6) endpoint support for REST, HTTP, and WebSocket APIs (March 2025).
  • Private integration with Application Load Balancer for REST APIs without requiring an intermediate NLB (November 2025).
  • Amazon Bedrock AgentCore Gateway integration for exposing REST APIs to AI agents via MCP (December 2025).

API Gateway Throttling and Caching

  • Throttling
    • API Gateway provides throttling at multiple levels, including globally and per service call, and limits can be set for both steady-state rates and bursts.
    • It tracks the number of requests per second. Any request over the limit receives a 429 HTTP response.
    • Throttling ensures that API traffic is controlled to help the backend services maintain performance and availability.
  • Caching
    • API Gateway provides API result caching by provisioning an API Gateway cache and specifying its size in gigabytes.
    • Caching helps improve performance and reduces the traffic sent to the back end.
    • Caching is available only for REST APIs (not HTTP APIs or WebSocket APIs).
    • API Gateway handles requests in the following manner:
      • If caching is not enabled and throttling limits have not been applied, all requests pass through to the backend service until the account-level throttling limits are reached.
      • With throttling limits defined, API Gateway sheds the necessary number of requests and sends only up to the defined limit to the backend.
      • If a cache is configured, API Gateway returns a cached response for duplicate requests for a customizable time, but only if the request is under the configured throttling limits. It caches responses from the endpoint for a specified time-to-live (TTL) period, in seconds.
  • API Gateway does not arbitrarily limit or throttle invocations to the backend operations and all requests that are not intercepted by throttling and caching settings are sent to your backend operations.
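The ordering above (throttle first, then cache, then backend) is easiest to see in a small model. The following is an added example, not code from the page or from AWS: a token bucket with a steady-state rate and a burst capacity, which is how API Gateway's rate/burst throttling behaves, plus a gateway that consults a TTL cache only for requests that survive throttling. The request timeline, the `TokenBucket`, `simulate` and `CachingGateway` names, and the backend stub are all constructed for illustration.

```python
"""Token-bucket model of API Gateway throttling and caching (added example, not AWS code).

A bucket holds at most `burst` tokens and refills at `rate` tokens per
second; each request consumes one token and a request arriving at an
empty bucket is answered with HTTP 429. Only requests that pass the
bucket are eligible for a cache hit.
"""


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = float(rate)        # steady-state requests per second
        self.capacity = float(burst)   # burst size: maximum tokens held
        self.tokens = float(burst)     # bucket starts full
        self.last = 0.0                # time of the last refill

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def allow(self, now):
        """True if a request at time `now` may pass, False if it should get 429."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, rate, burst):
    """Return the status (200 or 429) each arrival time would receive."""
    bucket = TokenBucket(rate, burst)
    return [200 if bucket.allow(t) else 429 for t in sorted(arrivals)]


def summarize(statuses):
    return {"passed": statuses.count(200), "throttled": statuses.count(429)}


# Constructed timeline: a spike of 8 requests at t=0, 2 at t=0.5, 3 at t=2.0.
ARRIVALS = [0.0] * 8 + [0.5] * 2 + [2.0] * 3


class CachingGateway:
    """Throttle first; then serve from cache within the TTL; else call the backend."""

    def __init__(self, rate, burst, ttl_seconds, backend):
        self.bucket = TokenBucket(rate, burst)
        self.ttl = float(ttl_seconds)
        self.backend = backend          # callable(cache_key) -> response body
        self.cache = {}                 # cache key -> (expires_at, body)
        self.backend_calls = 0

    def handle(self, now, key):
        """Return (status, body); body is None when the request is throttled."""
        if not self.bucket.allow(now):
            return 429, None            # shed before the cache is even consulted
        entry = self.cache.get(key)
        if entry is not None and entry[0] > now:
            return 200, entry[1]        # cache hit: backend is not called
        body = self.backend(key)
        self.backend_calls += 1
        self.cache[key] = (now + self.ttl, body)
        return 200, body


if __name__ == "__main__":
    statuses = simulate(ARRIVALS, rate=2, burst=5)
    print(statuses, summarize(statuses))
```

With rate 2 and burst 5, the first five requests of the spike pass and three are throttled; half a second later only one token has been refilled, so one of the two passes; by t=2.0 three tokens have accumulated and all three pass. The cache in `CachingGateway` never shields the backend from a throttled request, which matches the page's point that cached responses are served "only if under configured throttling limits".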

API Gateway Response Streaming

  • API Gateway REST APIs support response streaming, progressively sending response payloads to clients as they become available (November 2025).
  • Eliminates the need to buffer complete responses before transmission, improving API responsiveness.
  • Responses can be streamed for up to 15 minutes.
  • Ideal for streaming LLM (Large Language Model) responses from services like Amazon Bedrock.
  • Works with proxy integrations (Lambda proxy and HTTP proxy).
  • Reduces time-to-first-byte (TTFB) for large responses.

API Gateway Routing Rules

  • Dynamic routing rules enable routing API requests based on HTTP header values, URL base paths, or a combination of both (June 2025).
  • Routing rules are associated with custom domain names.
  • Each rule has conditions, actions, and a priority:
    • Conditions: Up to two header conditions and one base path condition per rule (evaluated with AND logic).
    • Actions: Route to any stage of any REST API within the same account and region.
    • Priority: Numerical value (1 to 1,000,000); lower number = higher priority.
  • Supports wildcard matching in header values for prefix, suffix, and contains patterns.
  • Three routing modes:
    • API mappings only – default mode, base path mappings only.
    • Routing rules then API mappings – rules take precedence, unmatched requests fall back to base path mappings.
    • Routing rules only – recommended mode for new domains.
  • Use cases: API versioning, A/B testing, canary deployments, cell-based architecture routing, tenant-based routing.
  • No additional charges for using routing rules on REST APIs.
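To make the rule semantics concrete (AND-ed conditions, at most two header conditions plus one base-path condition, lower priority number wins, wildcard header matching, and fall-back to API mappings in the "routing rules then API mappings" mode), here is an added example that is not code from the page or from AWS. It is a simplified model of the evaluation the page describes, not AWS's implementation; the `Rule` class, the `route` function, the sample rules and the request headers are all constructed.

```python
"""Model of API Gateway custom-domain routing rule evaluation (added example, not AWS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Rule:
    priority: int                                       # 1..1,000,000; lower wins
    target: str                                         # "api-name/stage" to route to
    headers: Dict[str, str] = field(default_factory=dict)   # header name -> pattern (max two)
    base_path: Optional[str] = None                     # first URL path segment, if any


def _match_value(pattern, value):
    """Exact match, or a single '*' wildcard: 'v2*' prefix, '*beta' suffix, '*canary*' contains."""
    if value is None:
        return False
    if len(pattern) > 1 and pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in value
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def _validate(rule):
    if len(rule.headers) > 2:
        raise ValueError(f"rule for {rule.target}: at most two header conditions")
    if not 1 <= rule.priority <= 1_000_000:
        raise ValueError(f"rule for {rule.target}: priority must be 1..1,000,000")


def _first_segment(path):
    return path.strip("/").split("/", 1)[0]


def _matches(rule, headers, path):
    """All conditions on a rule are AND-ed; header names compare case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, pattern in rule.headers.items():
        if not _match_value(pattern, lowered.get(name.lower())):
            return False
    if rule.base_path is not None and _first_segment(path) != rule.base_path.strip("/"):
        return False
    return True


def route(rules, headers, path, api_mappings=None):
    """Return the target of the highest-priority matching rule.

    If no rule matches and `api_mappings` (base path -> target) is given, fall
    back to it, as in the "routing rules then API mappings" mode. Otherwise None.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        _validate(rule)
        if _matches(rule, headers, path):
            return rule.target
    if api_mappings:
        return api_mappings.get(_first_segment(path))
    return None


# Constructed rules: a canary for beta tenants on v2, plain v2, and a v1 default by base path.
RULES = [
    Rule(priority=10, target="orders-api/v2", headers={"x-api-version": "2*"}),
    Rule(priority=5, target="orders-api/canary",
         headers={"x-api-version": "2*", "x-tenant": "*-beta"}),
    Rule(priority=100, target="orders-api/v1", base_path="orders"),
]

if __name__ == "__main__":
    print(route(RULES, {"X-Api-Version": "2.1", "X-Tenant": "acme-beta"}, "/orders/123"))
    print(route(RULES, {}, "/orders/123"))
```

The priority-5 canary rule is listed second but wins whenever both of its header conditions hold, which is the point of the numeric priority: rule order in the configuration does not matter, only the number does. A request that matches no rule and has no base-path mapping gets `None`, which in the managed service is a routing failure rather than a silent default, so the lowest-priority catch-all rule is worth defining explicitly.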

API Gateway Endpoint Types

Edge-optimized API Endpoints

  • An edge-optimized API endpoint is best for geographically distributed clients and is the default endpoint type for API Gateway REST APIs.
  • API requests are routed to the nearest CloudFront Point of Presence (POP).
  • Edge-optimized APIs capitalize the names of HTTP headers (for example, Cookie).
  • CloudFront sorts HTTP cookies in natural order by cookie name before forwarding the request to your origin.
  • Any custom domain name used for an edge-optimized API applies across all regions.

Regional API Endpoints

  • A regional API endpoint is intended for clients in the same region.
  • When a client running on an EC2 instance calls an API in the same region, or when an API is intended to serve a small number of clients with high demands, a regional API reduces connection overhead.
  • For a regional API, any custom domain name used is specific to the region where the API is deployed. If you deploy a regional API in multiple regions, it can have the same custom domain name in all regions.
  • Regional API endpoints pass all header names through as-is.

Private API Endpoints

  • A private API endpoint is an API endpoint that can only be accessed from a VPC using an interface VPC endpoint.
  • Private API endpoints pass all header names through as-is.
  • Private APIs can only have a dualstack (IPv4 and IPv6) IP address type.

API Gateway Dual-Stack (IPv6) Support

  • API Gateway supports dual-stack (IPv4 and IPv6) endpoints for REST, HTTP, and WebSocket APIs, and custom domain names (March 2025).
  • Available in all commercial and AWS GovCloud (US) Regions.
  • Default IP address type:
    • Regional and edge-optimized APIs: IPv4 (can be changed to dualstack).
    • Private APIs: dualstack only.
  • Custom domain names can also be configured for dualstack operation.
  • Ensures compliance with IPv6 adoption mandates and supports modern network environments.

API Gateway Private Integrations

  • Private integrations allow API Gateway to route requests to backend resources in a VPC without exposing them to the public Internet.
  • Uses VPC links to encapsulate connections between API Gateway and VPC resources.
  • REST APIs – support private integration with:
    • Network Load Balancers (NLB) via VPC links.
    • Application Load Balancers (ALB) directly (November 2025) – eliminates the need for an intermediate NLB, reducing hops and simplifying architecture.
  • HTTP APIs – support private integration with:
    • Application Load Balancers (ALB)
    • Network Load Balancers (NLB)
    • AWS Cloud Map for service discovery
  • VPC links are shared across different routes and APIs.

API Gateway Portals

  • API Gateway Portals is a fully managed developer portal feature (November 2025).
  • Provides a centralized hub for API discovery, documentation, and governance.
  • Eliminates the need for static websites, open source solutions, or third-party portal offerings.
  • Enables businesses to create AWS-native developer portals.
  • Supports publishing APIs as portal products for customer consumption.
  • Simplifies API lifecycle management and reduces fragmentation.

API Gateway and AI/MCP Integration

  • API Gateway REST APIs can be added as targets for Amazon Bedrock AgentCore Gateway (December 2025).
  • Enables AI agents to interact with existing REST APIs using the Model Context Protocol (MCP).
  • AgentCore Gateway translates MCP requests into RESTful requests to API Gateway.
  • Provides built-in security and observability for AI agent tool interactions.
  • Enables intelligent tool discovery through semantic search.
  • Allows organizations to expose both new and existing API endpoints to agentic applications without code changes.

API Gateway Security

  • Authentication & Authorization
    • IAM Authorization – Use IAM policies with SigV4 or SigV4a signed requests.
    • Lambda Authorizers – Custom authorization logic in Lambda functions; supports token-based and request parameter-based authorizers.
    • Cognito User Pools – JWT token validation with Amazon Cognito.
    • JWT Authorizers (HTTP APIs only) – Native support for any OIDC-compliant identity provider.
    • Mutual TLS (mTLS) – Client certificate-based authentication for REST and HTTP APIs.
    • Resource Policies (REST APIs only) – JSON-based policies to control access by source IP, VPC, or AWS account.
  • TLS Security
    • Minimum TLS 1.2 enforced on all API endpoints (completed February 2024).
    • Enhanced TLS security policies available for REST APIs and custom domain names (November 2025).
    • Header remapping feature removed (June 2023) to improve security posture.
  • Integration with AWS WAF – Configurable rules to allow, block, or monitor web requests; protects against common web exploits like SQL injection and cross-site scripting.
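The Lambda authorizer bullets above (the "custom authorizers written as Lambda functions" in the Security section and the token-based authorizer here) describe a contract rather than code: API Gateway hands the function the bearer token and the method ARN, and the function returns an IAM policy document allowing or denying `execute-api:Invoke`. The following is an added example of that contract, not code from the page or from AWS. The token table, the principals, the account id `123456789012` and the `handler` helper names are constructed; a real authorizer would verify a JWT signature or call an identity provider instead of looking tokens up in a dictionary.

```python
"""TOKEN-type Lambda authorizer for an API Gateway REST API (added example, not AWS code)."""
import time

# Constructed sample token store: token -> principal, expiry (epoch seconds), allowed HTTP verbs.
_TOKENS = {
    "tok-reader-123": {"principal": "user-reader", "exp": 4102444800, "verbs": {"GET"}},
    "tok-writer-456": {"principal": "user-writer", "exp": 4102444800, "verbs": {"GET", "POST"}},
    "tok-expired-789": {"principal": "user-old", "exp": 1000000000, "verbs": {"GET"}},
}


def _parse_bearer(header_value):
    """Return the token from an 'Authorization: Bearer <token>' value, or None if malformed."""
    if not header_value:
        return None
    parts = header_value.strip().split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def _method_from_arn(method_arn):
    """Extract the HTTP verb from arn:aws:execute-api:region:account:api-id/stage/VERB/path."""
    _, _, tail = method_arn.partition("/")      # tail = "stage/VERB/path..."
    parts = tail.split("/")
    return parts[1] if len(parts) > 1 else ""


def _policy(principal_id, effect, resource, context=None):
    """Build the response shape API Gateway expects from a Lambda authorizer."""
    doc = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": resource,
            }],
        },
    }
    if context:
        doc["context"] = context        # forwarded to the backend as $context.authorizer.*
    return doc


def handler(event, context=None, now=None):
    """Lambda entry point. `now` is injectable so expiry can be tested deterministically."""
    now = time.time() if now is None else now
    method_arn = event.get("methodArn", "")
    token = _parse_bearer(event.get("authorizationToken"))
    if token is None:
        # Raising "Unauthorized" makes API Gateway answer 401 without consulting the backend.
        raise Exception("Unauthorized")
    record = _TOKENS.get(token)
    if record is None or record["exp"] <= now:
        raise Exception("Unauthorized")   # unknown or expired: same 401, no detail leaked
    verb = _method_from_arn(method_arn)
    effect = "Allow" if verb in record["verbs"] else "Deny"
    # Scope the policy to the exact method ARN rather than a wildcard.
    return _policy(record["principal"], effect, method_arn, {"principal": record["principal"]})
```

One caveat a practitioner will hit: API Gateway caches the returned policy per token for the authorizer's TTL, so a policy scoped to a single method ARN will be reused when the same token is presented against a different method and can deny a call the token should be allowed to make. Either list every resource the caller may invoke in the returned policy, or set the authorizer cache TTL to zero and accept the extra invocation per request.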

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You are running a mobile media application and are considering API Gateway for the client entry point. What benefits would this provide? Choose 2 answers
    1. Caching API responses
    2. IP blacklisting
    3. Intrusion prevention
    4. Load balancing
    5. Throttling traffic
  2. A company is building a serverless application and needs to choose between API Gateway REST API and HTTP API. The application requires request validation, response caching, and API key management. Which API type should they use?
    1. REST API, because it supports request validation, caching, and API keys/usage plans that HTTP APIs do not offer.
    2. HTTP API, because it is cheaper and supports all features.
    3. Either API type, as they both support the same features.
    4. WebSocket API, as it supports all REST features.
  3. A company wants to allow API consumers to access their REST API from IPv6-only clients. What should they configure?
    1. Create a CloudFront distribution in front of the API.
    2. Configure the API Gateway REST API endpoint to use the dualstack IP address type.
    3. Deploy a Network Load Balancer with IPv6 enabled.
    4. Use an HTTP API instead, as only HTTP APIs support IPv6.
  4. A development team needs to route API traffic to different backend versions based on a custom HTTP header value without changing URL paths. Which API Gateway feature should they use?
    1. Stage variables
    2. Canary deployments
    3. Base path mappings
    4. Routing rules for custom domain names
  5. A company wants to stream responses from their generative AI backend through API Gateway REST API to reduce time-to-first-byte for end users. Which feature enables this?
    1. WebSocket API with callback URL
    2. API Gateway caching with low TTL
    3. Response streaming with proxy integration
    4. Asynchronous Lambda invocation
  6. An organization wants to expose their existing REST APIs to AI agents that use the Model Context Protocol (MCP). Which integration enables this?
    1. Direct Lambda integration with MCP libraries
    2. API Gateway WebSocket API
    3. Amazon Bedrock AgentCore Gateway with API Gateway as a target
    4. Amazon EventBridge API destinations
  7. A company has REST APIs that need to integrate with backend services running on an ALB in a private VPC. Previously this required an intermediate NLB. Which new feature simplifies this?
    1. HTTP API with ALB private integration
    2. REST API direct private integration with Application Load Balancer
    3. VPC Lattice service network
    4. AWS PrivateLink endpoint service

32 thoughts on “AWS API Gateway”

  1. Hi,

    I found these two statements contradictory, could you please elaborate.

    API Gateway expose HTTPS endpoints only
    and
    APIs built on API Gateway can accept any payloads sent over HTTP

    1. API Gateway supports only HTTPS endpoints. For the data types that it can accept, it accepts any datatype that can be sent over HTTP like json, xml, headers or query strings etc.

  2. Hi Jaye,

    We need something about same origin policy and CORS, Pls do update if possible.

    Regards
    Venkatesan.K

  3. I’d guess that the answer to the practice question is wrong? “Intrusion prevention” is marked, but I think “Caching API responses” would be correct.

      1. Hi,

        Are these answers correct for the above practice question? Please confirm, as I saw D and E are correct. Please explain.

          1. Thanks for your prompt response …can you please provide the answer for the below questions.
            1. You’ve been tasked with choosing a datastore to persist GPS coordinates for a new app. The service needs consistent, single-digit millisecond latency at any scale. Which AWS service meets your requirements?
            A. Amazon Redshift
            B. Amazon DynamoDB
            C. Amazon S3
            D. Amazon RDS

            Is the answer B or D? Please confirm.

            Your company’s IT policies mandate that all critical data must be duplicated in two physical locations at least 100 miles apart.
            Which storage option meets this requirement?
            A. Two Amazon S3 buckets in different regions
            B. One Amazon S3 bucket
            C. One Amazon Glacier archive
            D. Two Amazon S3 buckets in the same region

            Is the answer A or B? Please confirm.

            Thanks in advance

  4. Hi Sita, for the first the Question 1 answer is B.

    Here is the reference – https://aws.amazon.com/dynamodb/

    Amazon DynamoDB is a nonrelational database that delivers reliable performance at any scale. It’s a fully managed, multi-region, multi-master database that provides consistent single-digit millisecond latency, and offers built-in security, backup and restore, and in-memory caching.

    1. Hi Sujatha,
      Thanks for the confirmation….
      Do you have any idea for the second question
      Thanks in advance

  5. At least 100 miles apart – means anything more than 100 miles is ok. So answer “Two Amazon S3 buckets in different regions” is correct.

  6. For the Second Question, the correct answer is…”B” … Because S3 stores your data in multiple facilities (Which is separated more than 100 miles) in the same region.

    1. If you check Singapore in Google Maps you can see the distances between 2 zones must be less than 100 miles in the SG region.

  7. Hi,

    Which of the below services are automatically integrated with API Gateway?

    A. CloudFront
    B. Lambda
    C. S3
    D. RDS

    I think A is the ans. Jayendra can you please help on this.

    1. CloudWatch is a metric monitoring tool, it does not monitor API calls but the metrics which can be used for monitoring, alerting and taking actions on it.
      CloudTrail is the one to monitor the API calls.

  8. Hi Jayendra,
    A mobile client requires data from several application layer interfaces to populate its user interface. What can the application team use to decouple the client interface from the underlying services behind them?
    Would answer be API Gateway or application load balancer?

    1. API Gateway with a microservices architecture based on Lambda can work for you. ALB is more of a load balancer for the underlying application.

  9. HI Jayendra, can you help about this:

    A user is testing a new service that receives location updates from 3,600 rental cars every hour.
    Which service will collect data and automatically scale to accommodate production workload?
    A. Amazon EC2
    B. Amazon Kinesis Firehose
    C. Amazon EBS
    D. Amazon API Gateway

    1. Only Kinesis makes sense here as the service to be able to capture data. Although 3600/hour is not a great amount of data.

        1. Kinesis is built for big data capture and ingestion. However it’s not a managed service and you need to provision it accordingly.

  10. Hey,

    I was looking for CORS configuration on API Gateway, and was unable to find a clear explanation on this anywhere. So if you can update this content that would be helpful.
    Thanks in advance.
