API Gateway is a fully managed API endpoint service that creates, manages, publishes, monitors, secures, and scales APIs. API Gateway can use other AWS services (Lambda, DynamoDB) for compute and storage.
- API (Application Programming Interface): Applications use APIs to communicate with other applications.
API Gateway Features
- API Gateway is a service that provides a single endpoint for traffic from all clients interacting with the backend applications running on Lambda or EC2 and services like DynamoDB or Kinesis.
- API Gateway can act as a front door for existing APIs and can be scaled to meet the demand.
- It supports serverless, microservice, and even monolithic architectures.
- API Gateway allows you to publish, maintain, secure, and monitor APIs at any scale.
- Supports multiple versions of your APIs
- Pricing is based on the number of API calls, the amount of data transferred, and any caching.
- API Gateway can access some AWS services directly using proxy mode.
- You can use AWS X-Ray to trace and analyze user requests as they travel through your Amazon API Gateway APIs to the underlying services.
- DDoS (Distributed Denial of Service) protection via CloudFront
- Request/Response data transformation (JSON -> XML)
- Can be used with AWS Certificate Manager: free SSL/TLS certificates
- The same-origin policy is important to secure your API from Cross-Site Scripting (XSS) attacks. CORS (Cross-Origin Resource Sharing) is the way to loosen the policy.
- Logging with CloudWatch
- API Gateway logs API calls, latencies, and error rates to CloudWatch.
Supported API Types
REST (Representational State Transfer) APIs
- Optimized for stateless and serverless workloads such as web applications
- real-time, two-way, stateful communications
API Gateway Caching
API Gateway caches the endpoint response to improve the latency for requests.
- API Gateway Caching is used to cache the endpoint’s response per API or per Stage (a cache key).
- Caching is used to improve the latency of the requests to APIs.
- API Gateway caches responses for a specified time-to-live (TTL) period in seconds. The default is 300 seconds (5 mins).
API Gateway Components
- Resource: a logical entity that can be accessed via the resource path (resource URL)
- Method: a method can be associated with a resource and responds to the request (GET, PUT, …)
- Deployment: a snapshot of API’s resources and methods; must be associated with a stage
- Stage: APIs are deployed into stages (different environments: dev, production). A stage is a snapshot of the API: methods, integrations, models, mapping templates, and Lambda authorizers. It supports AWS Certificate Manager.
API Gateway manages traffic with throttling so that backend applications can withstand traffic spikes and denial of service attacks.
- Throttling rules can be used to set the number of requests per second.
- 10,000 requests per second (rps) per region
- 5,000 concurrent requests across all APIs within an account
- Any request over the limit will receive a 429 HTTP response (Too Many Requests).
Example: If there are more than 5K requests per second, 5K requests are handled immediately, and API Gateway throttles the rest within the one-second period.
- CloudWatch can be used to monitor API Gateway activity, usage, and throttling rules.
- Throttling limits can be set for standard rates and burst rates. For example, you can set a standard rate limit of 1,000 requests per second for a specific REST method and also configure a burst rate of 2,000 requests per second for a few seconds.
- The API Gateway Import feature is used to import an API from an external definition file into API Gateway.
- Swagger v2.0 definition files are supported.
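The standard-rate and burst-rate limits described in the throttling notes above can be modelled as a token bucket, which is how AWS documents API Gateway throttling. This is an added example, not AWS code: the `TokenBucket` class, the `simulate` function and the sample traffic are constructed for illustration, using the 1,000 rps rate and 2,000 burst figures from the notes and assuming each second's requests arrive together.

```python
class TokenBucket:
    """Simplified model: `rate` tokens refill per second, up to `burst` capacity."""

    def __init__(self, rate: int, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)  # bucket starts full
        self.last = 0.0             # timestamp of the previous request

    def status_for(self, now: float) -> int:
        """Return the HTTP status for one request arriving at time `now` (seconds)."""
        elapsed = max(0.0, now - self.last)
        # Refill for the time that has passed, never beyond the burst capacity.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0      # one token pays for one request
            return 200
        return 429                  # Too Many Requests


def simulate(rate, burst, traffic):
    """traffic: list of (second, request_count); returns (second, served, throttled)."""
    bucket = TokenBucket(rate, burst)
    report = []
    for second, count in traffic:
        statuses = [bucket.status_for(second) for _ in range(count)]
        throttled = statuses.count(429)
        report.append((second, count - throttled, throttled))
    return report


# Constructed traffic: a sustained 1,500 rps load against the example limits.
SAMPLE_TRAFFIC = [(0, 1500), (1, 1500), (2, 1500), (3, 1500)]

if __name__ == "__main__":
    for second, served, throttled in simulate(1000, 2000, SAMPLE_TRAFFIC):
        print(f"t={second}s served={served} throttled(429)={throttled}")
```

With this load the burst allowance absorbs the excess for the first two seconds; after that only the steady rate is served and the remaining requests receive 429.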