AWS API Gateway – Rest API

1. What is a REST API?

REST is an abbreviation for REpresentational State Transfer. When a REST API is called, the server will send the representation of the requested resource’s state. The state of the resource can be in a JSON, XML or HTML format.

REST API is a stateless protocol.

2. What is a Websocket API?

The WebSocket API provides a two-way interactive communication session between the client apps and backend. The backend can send callback messages to the clients. It is a stateful protocol.

Suitable for real-time applications such as:

  • Real-time feeds
  • Sports / event updates
  • Multiplayer gaming
  • Multimedia chat

3. What are the different types of APIs in AWS API Gateway?

  1. WebSocket API
  2. REST API
  3. REST API Private

4. API Endpoint types

  • Regional: Intended for clients in the same region
  • Private: Can only be accessed from your Amazon Virtual Private Cloud (VPC) using an interface VPC endpoint, which is an endpoint network interface (ENI) that you create in your VPC
  • Edge Optimized: Best for geographically distributed clients. API requests are routed to the nearest CloudFront Point of Presence

5. Explain Request and Response Flow

  • Method request: defines the parameters and body that must be sent in requests
  • Method response: defines status codes, headers and body models that can be expected in responses
  • Integration request: Maps the body of a route request or the parameters and body of a method request to the formats required by the backend.
  • Integration response: Maps the status codes, headers, and payload that are received from the backend to the response format that is returned to a client app

6. Method request

Authorization

  • IAM Authorization: Use IAM roles and policies to control who can create and manage your APIs, in addition to who can invoke them. IAM authorization for HTTP API routes is the best choice for internal or private APIs called by other AWS services like AWS Lambda.
  • Lambda Authorizer: A Lambda function that API Gateway calls for an authorization check when a client makes a request to an HTTP API route
  • Cognito: Use a Cognito user pool to control who can access the API
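
The Lambda authorizer flow described above, as an added example that is not code from the original notes: API Gateway passes the bearer token and the method ARN to the function and expects an IAM policy document back. The token scheme (a constructed HMAC tag over `user:tier`), `SECRET`, the ARN values and the `key-<tier>` usage-plan key are all assumptions standing in for real JWT/OIDC validation and real identifiers.

```python
import hashlib
import hmac

SECRET = b"placeholder-shared-secret"  # assumption: a real deployment loads this from Secrets Manager

def make_token(user: str, tier: str) -> str:
    """Constructed token format '<user>:<tier>:<hmac-sha256 hex>', standing in for a JWT."""
    mac = hmac.new(SECRET, f"{user}:{tier}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tier}:{mac}"

def verify_token(token: str):
    """Return the caller's claims, or None when the token is malformed or tampered with."""
    try:
        user, tier, mac = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}:{tier}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return {"user": user, "tier": tier}

def build_policy(principal: str, effect: str, method_arn: str, ctx: dict, api_key: str = "") -> dict:
    """Response shape API Gateway expects from a REST API Lambda authorizer."""
    # methodArn is arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/VERB/PATH; the policy is
    # scoped to the whole stage so a cached authorizer result stays valid for its other routes.
    api_part, rest = method_arn.split("/", 1)
    stage = rest.split("/")[0]
    doc = {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": f"{api_part}/{stage}/*/*"}],
        },
        "context": ctx,  # exposed to the integration as $context.authorizer.<key>
    }
    if api_key:
        doc["usageIdentifierKey"] = api_key  # lets a usage plan throttle/quota this caller
    return doc

def handler(event: dict, context=None) -> dict:
    """TOKEN-type authorizer entry point: Allow with claims, or an explicit Deny (HTTP 403)."""
    token = event.get("authorizationToken", "")
    token = token[len("Bearer "):] if token.startswith("Bearer ") else token
    claims = verify_token(token)
    if claims is None:
        return build_policy("anonymous", "Deny", event["methodArn"], {})
    return build_policy(claims["user"], "Allow", event["methodArn"],
                        {"tier": claims["tier"]}, api_key=f"key-{claims['tier']}")  # constructed key
```

Returning an explicit Deny (rather than raising) lets API Gateway cache the negative decision for the same token during the authorizer's TTL.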

Request Validator

  • Certain actions in API backends, such as Lambda functions, require mandatory values in the request body, headers or query string. Front-end clients sometimes omit that data or send it in the wrong format, and the Lambda function then fails. It is far better to reject such a request before it reaches the backend. A request validator does exactly that: it validates query string parameters, headers and/or the request body before the request is forwarded to the backend
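
What the request validator does before the integration runs, reproduced locally as an added example (not code from the original notes). The body model is written in the JSON Schema draft-4 style that API Gateway models use; the checker is a constructed subset of that schema language (type, required, properties, minLength, minimum, enum) so it runs offline without the jsonschema package, and the model, the required parameters and the sample events are all constructed.

```python
import json

# Constructed body model for POST /orders, in the JSON Schema (draft 4) style API Gateway models use.
ORDER_MODEL = {
    "type": "object",
    "required": ["sku", "quantity"],
    "properties": {
        "sku": {"type": "string", "minLength": 3},
        "quantity": {"type": "integer", "minimum": 1},
        "currency": {"type": "string", "enum": ["USD", "EUR"]},
    },
}
# Constructed "required" request parameters (what you tick in the method request settings).
REQUIRED_PARAMS = {"headers": ["x-tenant-id"], "querystring": ["region"]}
JSON_TYPES = {"string": str, "integer": int, "number": (int, float), "object": dict, "boolean": bool}

def check_schema(value, schema: dict, path: str = "$") -> list:
    """Return violations for the schema subset (type, required, properties, minLength, minimum, enum)."""
    t = schema.get("type")
    # bool is a subclass of int in Python, so reject True/False where an integer is expected
    if t and (not isinstance(value, JSON_TYPES[t]) or (t != "boolean" and isinstance(value, bool))):
        return [f"{path}: expected {t}"]
    errs = []
    if "enum" in schema and value not in schema["enum"]:
        errs.append(f"{path}: not one of {schema['enum']}")
    if t == "string" and len(value) < schema.get("minLength", 0):
        errs.append(f"{path}: shorter than minLength {schema['minLength']}")
    if t in ("integer", "number") and "minimum" in schema and value < schema["minimum"]:
        errs.append(f"{path}: below minimum {schema['minimum']}")
    if t == "object":
        errs += [f"{path}.{k}: required property missing" for k in schema.get("required", []) if k not in value]
        for k, sub in schema.get("properties", {}).items():
            if k in value:
                errs += check_schema(value[k], sub, f"{path}.{k}")
    return errs

def validate_request(event: dict):
    """None if the request may reach the backend, else the 400 response the validator would return."""
    hdrs = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    qs = event.get("queryStringParameters") or {}
    errs = [f"header {n} missing" for n in REQUIRED_PARAMS["headers"] if n not in hdrs]
    errs += [f"query param {n} missing" for n in REQUIRED_PARAMS["querystring"] if n not in qs]
    try:
        errs += check_schema(json.loads(event.get("body") or ""), ORDER_MODEL)
    except json.JSONDecodeError:
        errs.append("body: not valid JSON")
    if not errs:
        return None
    return {"statusCode": 400, "body": json.dumps({"message": "Invalid request body", "errors": errs})}
```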

API Key required

  • Identifies the application / user that is making the call to the API and checks whether that application / user has been granted access to call the API
  • By associating a usage plan with the API key, we can throttle the number of requests the application / user can make according to the plan.
  • Usage plan:
    • A usage plan specifies who can access one or more deployed API stages and methods, and also how much and how fast they can access them
  • Use cases
    • A paid API where a user gets a certain number of calls per month; quota limits enforce that limit.
  • How do we send the API key in the request?
    • In the x-api-key request header
    • Returned by a Lambda authorizer

7. Method Response

8. Integration request

Integration Types:

  1. Lambda: Invokes a Lambda function
  2. HTTP: Calls HTTP endpoints hosted on AWS Elastic Beanstalk, Amazon EC2, and also non-AWS-hosted HTTP-based operations that are accessible via the public Internet
  3. AWS Service: Integrates API Gateway with other AWS services directly – for example, you could expose an API method in API Gateway that sends data directly to Amazon Kinesis.
  4. VPC Link: The API Gateway private integration makes it simple to expose your HTTP/HTTPS resources within an Amazon VPC for access by clients outside of the VPC. You can proxy requests to backend HTTP/HTTPS resources running in your Amazon VPC by setting up private integrations using VPC links.
  5. Mock: Allows you to specify a mapping template to generate static content to be returned, helping you mock your APIs before the backend is ready

9. Integration response

10. Stages

An API stage is a logical reference to a lifecycle state of your API (for example, dev, prod, beta, or v2)

  • Cache: When you enable caching for a stage, API Gateway caches responses from your endpoint for a specified time-to-live (TTL) period, in seconds. API Gateway then responds to the request by looking up the endpoint response in the cache instead of making a request to your endpoint
  • Throttle: Prevents the API from being overwhelmed by too many requests
  • WAF: AWS WAF protects APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.
  • Stage Variables:
    • Call a different backend for each stage: You can use the same API setup with a different endpoint at each stage by setting the stage variable value to the corresponding URL.
      • Example: In the integration's Lambda function field, instead of naming a specific function we can provide ${stageVariables.lbfunc}. API Gateway reads the lbfunc value defined on the stage and invokes that Lambda function
    • Pass stage-specific metadata to the backend in a query parameter expression
  • Canary: In a canary deployment, you partially deploy a new software feature and shift some percentage of traffic to a new version of the application. This allows you to verify stability and reduce the risk associated with the new release. After gaining confidence in the new version, you continually increase the traffic share until all traffic flows to the new release.
    • Steps
      • Enable canary for the stage
      • Make changes to the API configuration
      • Deploy the changes to the canary-enabled stage

11. Resource Policy

API Gateway resource policies allow API to be securely invoked by:

  • Users from a specified AWS account.
  • Specified source IP address ranges or CIDR blocks.
  • Specified virtual private clouds (VPCs) or VPC endpoints (in any account).
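
A resource policy combining the three cases above, as an added example that is not from the original notes: the policy document itself uses the real API Gateway syntax, while `condition_holds` and `decide` are a deliberately simplified local model of IAM evaluation (explicit Deny wins, otherwise an Allow must match; action and resource matching is assumed) so the policy can be exercised offline. The account id, API id, CIDR block and VPC endpoint id are placeholders.

```python
import ipaddress

API_ARN = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*"  # placeholder API
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Allow any principal in the owning account (":root" means the whole account) ...
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "execute-api:Invoke", "Resource": API_ARN},
        # ... but explicitly deny calls that come neither from the approved CIDR nor from the
        # approved VPC endpoint (operators inside one Condition block are ANDed).
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": API_ARN,
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                       "StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

def condition_holds(cond: dict, ctx: dict) -> bool:
    """Simplified IAM condition logic for IpAddress/NotIpAddress and StringEquals/StringNotEquals."""
    for op, keys in cond.items():
        negated = op in ("NotIpAddress", "StringNotEquals")
        for key, wanted in keys.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key)
            if actual is None:       # a missing context key fails positive operators ...
                if not negated:
                    return False
                continue             # ... but satisfies negated ones
            if op.endswith("IpAddress"):
                match = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
            else:
                match = actual in wanted
            if match == negated:     # positive op needs a match, negated op needs no match
                return False
    return True

def decide(policy: dict, principal_arn: str, ctx: dict) -> str:
    """Simplified evaluation: a matching explicit Deny wins; otherwise some Allow must match."""
    caller_account = principal_arn.split(":")[4]
    allowed = False
    for st in policy["Statement"]:
        p = st["Principal"]
        principal_ok = p == "*" or p["AWS"].split(":")[4] == caller_account
        if not principal_ok or not condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"
```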

12. Client Certificates

To ensure that HTTP requests to your backend services originate from API Gateway, you can use client certificates so the backend can verify the requester's authenticity.

13. VPC Links

VPC links enable you to create private integrations that connect your APIs to private resources in a VPC, such as NLB, ELB or Amazon ECS container-based applications.

14. Custom domain names

We can set up user-friendly URLs for APIs. For example, we can map a custom domain name to the AWS-generated URL.