API Gateway

• Amazon API Gateway is a fully managed service that makes it easy for developers to publish, maintain,
monitor, and secure APIs at any scale.
– Together with AWS Lambda, API Gateway forms the app-facing part of the AWS serverless infrastructure.
• Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of
thousands of concurrent API calls, including traffic management, authorization and access control,
monitoring, and API version management.
• With a few clicks in the AWS Management Console, you can create an API that acts as a “front door” for
applications to access data, business logic, or functionality from your back-end services
– Such as applications running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS
Lambda, or any web application (public or private).

API Gateway - Pricing

• Amazon API Gateway has no minimum fees or startup costs.
• You pay only for the API calls received and the amount of data transferred out.

API Gateway - API

• An API gateway API is a collection of resources and methods that are integrated with backend HTTP
endpoints, Lambda functions, or other AWS services. The collection can be deployed in one or more stages.
• Permissions to invoke a method are granted using IAM roles and policies or API Gateway custom
authorizers. An API can present a certificate to be authenticated by the backend.
• Typically, API resources are organized in a resource tree according to the application logic.
– Each API resource can expose one or more API methods that must have unique HTTP verbs supported by
API Gateway.
• With Amazon API Gateway, you can provide your clients with a consistent and scalable programming
interface to access three types of endpoints in the backend:
– Invoking AWS Lambda functions,
– Calling other AWS services, and
– Accessing an HTTP website or webpage.
• To do this, you create an API Gateway API to integrate each API method with a backend endpoint.
– Each backend endpoint is associated with an API Gateway integration type.

API Gateway Methods

• Each resource within a REST API can support one or more of the standard HTTP methods.
• You define which verbs should be supported for each resource (GET, POST, PUT, PATCH, DELETE,
HEAD, OPTIONS) and their implementation.
– For example, a GET to the cars resource should return a list of cars.

API Gateway Methods

HTTPS endpoints
• All of the APIs created with Amazon API Gateway expose (to the Clients) HTTPS endpoints only.
– Amazon API Gateway does not support unencrypted (HTTP) endpoints with the clients.
• By default, Amazon API Gateway assigns an internal domain to the API that automatically uses
the Amazon API Gateway certificate.
– When configuring your APIs to run under a custom domain name, you can provide your
own certificate for the domain.
API Gateway – API endpoints (Hostnames of Deployed APIs)
API Gateway supports the following types of API endpoints,
Edge-optimized API endpoint:
• Relies on Amazon Cloudfront distributions, is the default endpoint types
• An edge-optimized API endpoint enables clients to access an API through an Amazon CloudFront distribution.
• API requests are routed to the nearest CloudFront Point of Presence (POP) which typically improves
connection time for geographically diverse clients.

Regional API endpoint:

• It is intended to serve clients, such as EC2 instances, in the same AWS region where the API is deployed.
• Together with Route53 latency-based routing, regional endpoints enable an API developer to deploy an API to
multiple regions using the same regional API endpoint configuration, setting the same custom domain name for
each deployed API

Private API endpoint:

• Runs inside a VPC. Example backend services are EC2, EC2, ELB services and Lambda.
Backend Services
• Amazon API Gateway can execute AWS Lambda functions in your account,
• It can start AWS Step Functions state machines, or
• Call HTTP endpoints hosted on AWS Elastic Beanstalk, Amazon EC2,
• And also non-AWS hosted HTTP based operations that are accessible via the public Internet.
• API Gateway also allows you to specify a mapping template to generate static content to be returned, helping
you mock your APIs before the backend is ready (response from within the API itself – Mock Integration)
• You can also integrate API Gateway with other AWS services directly –
– For example, you could expose an API method in API Gateway that sends data directly to Amazon Kinesis.
API Gateway Benefits/Features
• Robust, secure, and scalable access to backend APIs and Hosts multiple versions and release stages of your APIs
• Create and distribute API Keys to developers
• Use of AWS Sig-v4 to authorize access to APIs
• Throttle and Monitor requests to protect your backend
• Integrates with X-Ray, WAF, CloudWatch and CloudTrail for Protection, Troubleshooting, monitoring and logging
• Manage Cache to store API responses
• SDK Generation for iOS, Android, and JavaScript
• Reduced Latency and Distributed Denial of Service protection through the use of CloudFront
• Request/Response data transformation and API mocking
• Open APIs, API Keys, Usage Plans for 3rd party API developers

API Gateway Features – Throttling/Caching/Scaling

Resiliency
• Through Throttling rules, Amazon API Gateway helps you manage traffic to your back-end systems via throttling
rules that are based on the number of requests per second, for each HTTP method (GET, PUT..) in your APIs.
Caching:
• You can set up a cache with customizable keys and time-to-live (TTL) in seconds for your API data to avoid hitting
your back-end services for each request.
– Enhanced response times and reduces load on backend services
Scaling:
• Amazon API Gateway handles any level of traffic received by an API, so you are free to focus on your business logic
and services rather than maintaining infrastructure.
API Gateway Features – API Versions
API Lifecycle Management -
Multiple Versions of the same REST API
• Amazon API Gateway lets you run multiple versions of the same API simultaneously so that applications
can continue to call previous API versions even after the latest versions are published.
• Amazon API Gateway gives you the ability to clone an existing API to create a new version
– When you are ready to start working on the next major version of your API, you will be able to keep
working on your version 1 and version 2 APIs simultaneously.
• You can determine which version of the API is being accessed/used.

API Gateway – API Multiple Release Stages

API Lifecycle Management
Multiple Release Stages:
• Amazon API Gateway also helps you manage multiple release stages for each API version, such as
alpha, beta, and production.
– Each API stage can be configured to interact with different backend endpoints based on your API setup.
– Specific stages and versions of an API can be associated with a custom domain name and managed
through Amazon API Gateway.
– Stage and version management allow you to easily test new API versions that enhance or add new
functionality to earlier API releases,
• This ensures backward-compatibility as your user communities transition to adopt the latest release.
API Gateway
HTTPS endpoints
• You can create HTTPS endpoints.
– All of the APIs created with Amazon API Gateway expose HTTPS endpoints only.
– Amazon API Gateway does not support unencrypted (HTTP) endpoints.
– By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API
Gateway certificate.
– When configuring your APIs to run under a custom domain name, you can provide your own certificate for the
domain.

API Gateway – AWS Authorization

With Amazon API Gateway, you can optionally set your API methods to require authorization.
• IAM:
– To authorize and verify API requests to AWS services, API Gateway can leverage signature version 4
– Using signature version 4 authentication, you can use Identity and Access Management (IAM) and access policies
to authorize access to your APIs and all your other AWS resources.
• Lambda Authorizers:
– You can also use AWS Lambda functions to verify and authorize bearer tokens such as JWT tokens or SAML
assertions.
• Amazon Cognito User Pools (No authorization – only authentication)
– You can retrieve temporary credentials associated with a role in your AWS account using Amazon Cognito.

API Gateway – Cross Account Access to APIs

When AWS identity and access management is enabled on a specific resource,
• IAM users from different AWS accounts cannot access that resource unless the caller is allowed to assume the
resource owner’s role,
– i.e API Gateway does not currently support cross-account authentication.
API Gateway – API Operations and Monitoring
Monitoring through API Gateway dashboard:
– After an API is deployed and in use, Amazon API Gateway provides you with a REST API dashboard to
visually monitor calls to the services.
• API Gateway also meters utilization by third-party developers, the data is available in the API Gateway
console and through the APIs.

Monitoring through CloudWatch:

• The Amazon API Gateway logs (near real time) back-end performance metrics such as API calls,
Latency, and error rates to AWS CloudWatch in your account
– This allow for the set up of custom CloudWatch alarms on Amazon API Gateway APIs