
API Gateway

  • AWS Lambda + API Gateway: No infrastructure to manage
  • Support for the WebSocket Protocol
  • Handle API versioning (v1, v2…)
  • Handle different environments (dev, test, prod…)
  • Handle security (Authentication and Authorization)
  • Create API keys, handle request throttling
  • Swagger / OpenAPI import to quickly define APIs
  • Transform and validate requests and responses
  • Generate SDK and API specifications
  • Cache API responses

Type of APIs:

  • HTTP API
  • WebSocket API
  • REST API
    • Public
    • Private


Integrations High Level

  • Lambda Function
    • Invoke Lambda function
    • Easy way to expose REST API backed by AWS Lambda
  • HTTP
    • Expose HTTP endpoints in the backend
    • Example: internal HTTP API on premise, Application Load Balancer
    • Why? Add rate limiting, caching, user authentication, API keys, etc.
  • AWS Service
    • Expose any AWS API through the API Gateway
    • Example: start an AWS Step Function workflow, post a message to SQS
    • Why? Add authentication, deploy publicly, rate control

Example: AWS service integration with Kinesis Data Streams (diagram)

Endpoint Types (Deployment types)

  • Edge-Optimized (default): For global clients
    • Requests are routed through the CloudFront Edge locations (improves latency)
    • The API Gateway still lives in only one region
  • Regional: For clients within the same region as the API Gateway
    • Could manually combine with CloudFront (more control over caching strategies and the distribution)
  • Private:
    • Can only be accessed from your VPC using an interface VPC endpoint (ENI)
    • Use a resource policy to define access

Security

  • User Authentication through
    • IAM Roles (useful for internal applications)
    • Cognito (identity for external users, e.g. mobile users)
    • Custom Authorizer (your own logic) implemented as a Lambda function
  • Custom Domain Name HTTPS security through integration with AWS Certificate Manager (ACM)
    • If using Edge-Optimized endpoint, then the certificate must be in us-east-1
    • If using Regional endpoint, the certificate must be in the API Gateway region
    • Must set up a CNAME or A alias record in Route 53
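Worked example (added here, not part of the original notes): a TOKEN-type Lambda authorizer in Python. The token format, the shared secret and the principal ids are constructed for this example only; the event fields (`authorizationToken`, `methodArn`) and the response shape (`principalId` plus an IAM `policyDocument`) are what API Gateway sends to and expects from a Lambda authorizer.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret. In a real deployment, fetch it from Secrets Manager or SSM at cold start.
SHARED_SECRET = b"example-authorizer-secret-not-for-production"


def make_token(principal_id: str, expires_at: int) -> str:
    """Issue a token '<principal>.<unix-expiry>.<hex hmac-sha256>' (this example's own constructed format)."""
    payload = f"{principal_id}.{expires_at}".encode()
    return f"{principal_id}.{expires_at}." + hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the principal id if the token is well-formed, unexpired and correctly signed, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    principal_id, expiry, signature = parts
    if not principal_id or not expiry.isdigit() or int(expiry) < now:
        return None
    expected = hmac.new(SHARED_SECRET, f"{principal_id}.{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, signature):
        return None
    return principal_id


def build_policy(principal_id: str, effect: str, resource: str, context: Optional[dict] = None) -> dict:
    """Shape API Gateway expects back from a Lambda authorizer: principalId + IAM policyDocument."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
        # Optional key/value pairs made available to the integration (e.g. as $context.authorizer.*).
        "context": context or {},
    }


def handler(event: dict, context=None) -> dict:
    """TOKEN-type Lambda authorizer entry point.

    event (as API Gateway sends it): {"type": "TOKEN", "authorizationToken": "...", "methodArn": "arn:..."}.
    Returning a Deny policy makes API Gateway answer 403; raising Exception("Unauthorized") instead gives 401.
    """
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):]
    principal_id = verify_token(token)
    if principal_id is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(principal_id, "Allow", event["methodArn"], {"principalId": principal_id})
```

Caveat worth knowing when you enable authorizer result caching: API Gateway reuses the returned policy for every request that carries the same token during the cache TTL, so a policy scoped to a single `methodArn` (as above) would deny the same caller on other methods. With caching on, return a `Resource` that covers everything the caller is allowed to invoke (for instance the stage-level wildcard) rather than the one method that triggered the authorizer.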

Resource Policy

  • Restrict access from specific public IP addresses
  • Restrict access from specific VPC endpoints
  • Cross-VPC, same-region access: no VPC peering needed!
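Worked example (added here, not from the original notes): building the two resource-policy patterns listed above and checking how they decide, using a small IAM-style evaluator. The policy documents follow the real shape of an API Gateway resource policy (`execute-api:Invoke`, `aws:SourceIp`, `aws:SourceVpce`); the evaluator, the request dict and the CIDRs / VPC endpoint ids are constructed for this example.

```python
import ipaddress
import json
from typing import Iterable, Optional

INVOKE = "execute-api:Invoke"


def resource_policy(allowed_cidrs: Optional[Iterable[str]] = None,
                    allowed_vpces: Optional[Iterable[str]] = None,
                    api_resource: str = "execute-api:/*") -> dict:
    """Allow everyone to invoke, then explicitly Deny callers outside the allow-list.

    Public API:  pass allowed_cidrs -> Deny when aws:SourceIp is NOT in the list.
    Private API: pass allowed_vpces -> Deny when aws:SourceVpce is NOT one of the endpoints.
    """
    statements = [{"Effect": "Allow", "Principal": "*", "Action": INVOKE, "Resource": api_resource}]
    if allowed_cidrs:
        statements.append({"Effect": "Deny", "Principal": "*", "Action": INVOKE, "Resource": api_resource,
                           "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}})
    if allowed_vpces:
        statements.append({"Effect": "Deny", "Principal": "*", "Action": INVOKE, "Resource": api_resource,
                           "Condition": {"StringNotEquals": {"aws:SourceVpce": list(allowed_vpces)}}})
    return {"Version": "2012-10-17", "Statement": statements}


def _condition_matches(condition: dict, request: dict) -> bool:
    """Evaluate the subset of IAM condition operators used above.

    IAM semantics: a negated operator (NotIpAddress, StringNotEquals) matches when the key is
    absent from the request context; a positive operator (IpAddress, StringEquals) does not.
    """
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            values = values if isinstance(values, list) else [values]
            if key == "aws:SourceIp":
                ip = request.get("source_ip")
                in_list = ip is not None and any(
                    ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in values)
                if operator == "IpAddress" and not in_list:
                    return False
                if operator == "NotIpAddress" and in_list:
                    return False
            elif key == "aws:SourceVpce":
                vpce = request.get("vpce")
                if operator == "StringEquals" and vpce not in values:
                    return False
                if operator == "StringNotEquals" and vpce in values:
                    return False
            else:
                raise ValueError(f"unsupported condition key {key}")
    return True


def evaluate(policy: dict, request: dict) -> str:
    """Minimal IAM-style decision for one execute-api:Invoke request: explicit Deny wins, default Deny.

    `request` is a constructed dict, e.g. {"source_ip": "203.0.113.7", "vpce": None}.
    Every statement here shares Action and Resource, so only Effect and Condition are checked.
    """
    decision = "Deny"
    for statement in policy["Statement"]:
        if not _condition_matches(statement.get("Condition", {}), request):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = resource_policy(allowed_cidrs=["203.0.113.0/24"])  # constructed allow-list
    print(json.dumps(policy, indent=2))
    print(evaluate(policy, {"source_ip": "203.0.113.7"}), evaluate(policy, {"source_ip": "198.51.100.7"}))
```

The evaluator makes one pitfall visible: stacking both Deny statements in one policy locks public callers out even when their IP is on the list, because a request that did not arrive through a VPC endpoint has no `aws:SourceVpce` key, and `StringNotEquals` on an absent key is true. Pick the pattern that matches the endpoint type (IP allow-list for public, VPC endpoint allow-list for private) rather than combining them.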

Throttling

  • Account Limit
    • API Gateway throttles requests at 10,000 RPS across all APIs
    • Soft limit that can be increased upon request
  • In case of throttling => 429 Too Many Requests (retriable error)
  • Can set Stage limit & Method limits to improve performance
  • Or you can define Usage Plans to throttle per customer
  • Note: One API Gateway that is overloaded and not limited can cause the other APIs to be throttled
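Worked example (added here, not part of the original notes): a token-bucket throttle of the kind a stage or method limit applies (a steady rate plus a burst), and a client that treats 429 as the retriable error it is, backing off with jitter instead of hammering the API. The bucket parameters, the fake clock and the simulated responses are constructed for this example; nothing here calls AWS.

```python
import random
import time
from typing import Callable, List, Tuple


class TokenBucket:
    """Token bucket in the style of API Gateway throttling: `rate` tokens refilled per second, up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available (request admitted) or refuse."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def backoff_delay(attempt: int, base: float = 0.1, cap: float = 2.0, rng=random.random) -> float:
    """Exponential backoff with full jitter: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retry(send: Callable[[], Tuple[int, str]], max_attempts: int = 5,
                    sleep: Callable[[float], None] = time.sleep, rng=random.random) -> Tuple[int, str, int]:
    """Call send() until it returns something other than 429 or attempts run out.

    Returns (status, body, attempts_used). Only 429 is retried: it means the gateway refused the
    request before the backend saw it, so repeating it is safe; any other status is returned as-is.
    """
    status, body = 429, ""
    for attempt in range(max_attempts):
        status, body = send()
        if status != 429:
            return status, body, attempt + 1
        sleep(backoff_delay(attempt, rng=rng))
    return status, body, max_attempts


class SimClock:
    """Constructed fake clock so the simulation runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def simulate(rate: float = 2.0, burst: int = 3, requests: int = 4) -> List[Tuple[int, int]]:
    """Push `requests` calls through a limit of rate/burst; return (status, attempts) per request."""
    clock, bucket = SimClock(), TokenBucket(rate, burst)

    def send() -> Tuple[int, str]:
        return (200, "ok") if bucket.allow(clock.now) else (429, "Too Many Requests")

    results = []
    for _ in range(requests):
        # rng fixed at 1.0 removes jitter so the run is reproducible.
        status, _body, attempts = call_with_retry(send, sleep=clock.sleep, rng=lambda: 1.0)
        results.append((status, attempts))
    return results


if __name__ == "__main__":
    print(simulate())  # the burst of 3 goes straight through; the 4th waits out three 429s
```

With a burst of 3 and a rate of 2 per second, the first three requests are admitted immediately and the fourth is refused three times before enough tokens have refilled, which is exactly the behaviour a stage or method limit produces. The same loop is what a well-behaved client should run against a usage plan: retry only on 429, and space the retries out so a throttled API is not pushed further over its limit.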

AWS Artifact (Not really a service)

  • Portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements
  • Artifact Reports - Allows you to download AWS security and compliance documents from third-party auditors, like AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports
  • Artifact Agreements - Allows you to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA) or the Health Insurance Portability and Accountability Act (HIPAA) for an individual account or in your organization
  • Can be used to support internal audit or compliance