Amazon API Gateway
Amazon API Gateway is a fully managed AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale. It acts as a "front door" for applications to access data, business logic, or functionality from their back-end services, such as applications running on Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS) or AWS Elastic Beanstalk, code running on AWS Lambda, or any web application.
- API developers can create APIs that access AWS or other web services, as well as data stored in the AWS Cloud. As an API Gateway API developer, you can create APIs for use in your own client applications, or make APIs available to third-party app developers.
- Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, CORS support, authorization and access control, throttling, monitoring, and API version management.
- Amazon API Gateway provides developers with a simple, flexible, fully managed, pay-as-you-go service that handles all aspects of creating and operating robust APIs for application back ends.
Amazon API Gateway features
Amazon API Gateway has powerful, flexible authentication mechanisms, such as AWS Identity and Access Management policies, Lambda authorizer functions, and Amazon Cognito user pools.
- Using Signature Version 4 authentication, customers can use AWS Identity and Access Management (IAM) policies to authorize access to their APIs in the same way as their other AWS resources: each request is signed with the caller's IAM credentials, and API Gateway checks the signature and the caller's execute-api permissions before invoking the backend.
- Customers can use AWS Lambda functions (Lambda authorizers) to verify and authorize bearer tokens such as JWTs or SAML assertions.
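A Lambda authorizer receives the bearer token and returns an IAM policy document that API Gateway enforces (and optionally caches). The following is an added example, not AWS code or code from this page: a TOKEN authorizer that verifies an HS256 JWT with the standard library only and allows invocation only when a scope claim contains orders:read. The shared secret, issuer, audience and scope name are constructed assumptions; a production function would load the secret from a secret store or verify an asymmetric signature against the issuer's published keys.

```python
"""Added example: a TOKEN Lambda authorizer that verifies an HS256 JWT.

Illustrative code, not AWS sample code. It assumes the API's TOKEN authorizer reads the
Authorization header, that the HMAC secret is available to the function (a constructed
constant here), and that tokens carry a space-separated 'scope' claim.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"example-secret-do-not-use"        # constructed; load from a secret store in practice
EXPECTED_ISSUER = "https://issuer.example.com"      # assumption
EXPECTED_AUDIENCE = "orders-api"                     # assumption
REQUIRED_SCOPE = "orders:read"                       # assumption


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_jwt(token, secret, now=None):
    """Return the claims if the token is valid; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # also covers binascii.Error and JSONDecodeError
        raise ValueError("malformed token")
    # Pin the algorithm: never let header['alg'] choose the verifier ('none', RS/HS confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    if not isinstance(claims.get("sub"), str):
        raise ValueError("missing subject")
    return claims


def build_policy(principal_id, effect, method_arn, context=None):
    """The response shape API Gateway expects from a TOKEN authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def lambda_handler(event, context=None):
    """TOKEN authorizer entry point: event carries 'authorizationToken' and 'methodArn'."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Exception("Unauthorized")  # API Gateway turns this message into a 401
    try:
        claims = verify_jwt(token, SHARED_SECRET)
    except ValueError:
        raise Exception("Unauthorized")
    scopes = claims.get("scope", "").split()
    effect = "Allow" if REQUIRED_SCOPE in scopes else "Deny"  # Deny becomes a 403
    return build_policy(claims["sub"], effect, event["methodArn"], {"scope": " ".join(scopes)})


def make_test_token(claims, secret=SHARED_SECRET, alg="HS256"):
    """Mint a token for local testing (constructed; the issuer does this in reality)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig))
```

API Gateway returns 401 when the function raises an error whose message is Unauthorized and 403 when the returned policy denies. With authorizer result caching enabled, the returned policy is reused for every method the same token hits during the cache TTL, so a policy scoped to a single methodArn will deny that caller's other methods; either return a policy that covers all methods the caller may use or turn caching off.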
Amazon API Gateway enables customers to manage traffic to their backend systems by setting throttling rules based on the number of requests per second for each HTTP method in their APIs.
- Amazon API Gateway handles any level of traffic received by an API. Using REST APIs, customers can set up a cache with customizable keys and a time-to-live in seconds for the API data, to avoid hitting their backend services for each request.
- Amazon API Gateway provides customers with a dashboard to visually monitor calls to the services. The API Gateway console is integrated with Amazon CloudWatch, so customers get backend performance metrics such as API calls, latency, and error rates.
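API Gateway documents its throttling as a token bucket: a steady rate of requests per second plus a burst that may be absorbed at once. The following added example, not code from the page or from AWS, models that per-method bucket so the behaviour at the limit is visible offline; the rate and burst values, the request keys and the test clock are constructed.

```python
import time


class FakeClock:
    """Constructed test clock so the example runs deterministically offline."""

    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class MethodThrottle:
    """Per-key token bucket: up to `burst` requests at once, refilled at `rate` per second.

    The key is whatever the limit is scoped to: "METHOD /path" for stage-level method
    throttling, or an API key id for a usage plan's per-client limit.
    """

    def __init__(self, rate, burst, clock=time.monotonic):
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be > 0 and burst >= 1")
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self._buckets = {}  # key -> (tokens, last_refill_time)

    def allow(self, key):
        """Consume one token for `key`; False means the caller should receive HTTP 429."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.burst, now))
        # Refill proportionally to elapsed time, never above the bucket size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False


def simulate(throttle, key, n):
    """Fire `n` back-to-back requests for `key`; return (allowed, rejected) counts."""
    allowed = sum(1 for _ in range(n) if throttle.allow(key))
    return allowed, n - allowed
```

Requests that exceed the limit receive a 429 Too Many Requests response from API Gateway without reaching the backend, which is the point of setting the limit per method: an expensive write endpoint can be rate-limited independently of cheap reads on the same stage.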
SERVERLESS DEVELOPER PORTAL
The Serverless Developer Portal is an application that customers can use to publish and manage APIs directly from Amazon API Gateway. A developer portal is how customers make their APIs available to their own customers. Once APIs are published in the developer portal, their users can:
- Discover which APIs are available.
- Browse the API documentation.
- Register for, and immediately receive, their own API key that can be used to build applications.
- Try out the APIs in the developer portal UI.
- Monitor their own API usage.
Updates to the Serverless Developer Portal application are published regularly in the AWS Serverless Application Repository.
- Customers can customize it and incorporate it into their build and deployment tools. The front end is written in React and is designed to be fully customizable.
After an API is deployed and in use, API Gateway provides customers with a dashboard to visually monitor calls to the services. The API Gateway console is integrated with Amazon CloudWatch, so that customers can get backend performance metrics such as API calls, latency, and error rates.
- Because Amazon API Gateway uses CloudWatch to record monitoring information, AWS clients can set up custom alarms on API Gateway APIs.
- CloudTrail captures calls to the API Gateway management (control-plane) REST API as events, including calls from the Amazon API Gateway console and from code that calls the API Gateway APIs. Invocations of a deployed API are not CloudTrail events; CloudWatch access logging or execution logging on the stage records those.
- By creating a trail, customers can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for API Gateway.
- Using the information collected by CloudTrail, customers can determine the request that was made to Amazon API Gateway, the IP address from which the request was made, who made the request, when it was made, and more.
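The questions the text lists (what was requested, from which IP, by whom, and when) map onto fixed fields of a CloudTrail record. The following added example, not from the page or from AWS, reads a delivered log file and surfaces the API Gateway control-plane events that change who can call an API. The records are constructed, and the watchlist of event names and the patchOperations shape are assumptions to check against real records in the account before relying on them.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail log file (not real records): the field names follow the CloudTrail
# record format, every value is invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "GetRestApis", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": None},
    {"eventTime": "2024-05-01T10:16:30Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "UpdateRestApi", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"},
     "requestParameters": {"restApiId": "a1b2c3d4e5",
                           "patchOperations": [{"op": "replace", "path": "/policy",
                                                "value": "{\"Version\":\"2012-10-17\",\"Statement\":[]}"}]}},
    {"eventTime": "2024-05-01T10:17:05Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "DeleteAuthorizer", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"restApiId": "a1b2c3d4e5", "authorizerId": "xyz789"}},
    {"eventTime": "2024-05-01T10:18:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "awsRegion": "us-east-1", "sourceIPAddress": "apigateway.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "apigateway.amazonaws.com"},
     "requestParameters": {"functionName": "orders-backend"}},
]})

# Assumption for the example: control-plane actions a reviewer wants surfaced on sight
# because they remove or alter an access control, a stage, or the whole API.
WATCHLIST = {"DeleteAuthorizer", "UpdateAuthorizer", "DeleteRestApi", "DeleteStage",
             "UpdateMethod", "DeleteMethod"}


def triage(log_text):
    """Return one finding per API Gateway record that deserves a human look."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "apigateway.amazonaws.com":
            continue  # the same file carries other services' events; only API Gateway is in scope
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        reasons = []
        if name in WATCHLIST:
            reasons.append("watchlisted control-plane action")
        # Update* calls carry JSON-patch style operations; a write to /policy rewrites the
        # resource policy, i.e. who is allowed to invoke the API at all.
        for op in params.get("patchOperations") or []:
            if str(op.get("path", "")).startswith("/policy"):
                reasons.append("resource policy %s" % op.get("op", "changed"))
        if reasons:
            when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            findings.append({
                "when": when,
                "who": rec.get("userIdentity", {}).get("arn", "<unknown>"),
                "from_ip": rec.get("sourceIPAddress"),
                "action": name,
                "api_id": params.get("restApiId"),
                "reasons": reasons,
            })
    return findings
```

The same loop runs unchanged over records delivered to S3 by a trail; only the file reading differs. Read-only calls such as GetRestApis are left alone so that the output stays short enough to be looked at.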
AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables customers to configure a set of rules (called a web access control list, or web ACL) that allow, block, or count web requests based on customizable web security rules and conditions that customers define.
- AWS WAF is the customer's first line of defense against web exploits. A web ACL is associated with a REST API stage (HTTP and WebSocket APIs cannot be associated with AWS WAF directly). When AWS WAF is enabled on an API, its rules are evaluated before other access control features, such as resource policies, IAM policies, Lambda authorizers, and Amazon Cognito authorizers.
- Customers can use AWS WAF to protect their API Gateway API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks, by creating rules that match a specified string or a regular expression pattern in HTTP headers, the method, the query string, the URI, and the request body (limited to the first 8 KB).
- Because only the first 8 KB of a request body is inspected, each body-inspecting rule's oversize handling setting decides what happens to larger requests; leaving it permissive lets an attacker place a payload beyond the inspected prefix.
STATEFUL & STATELESS
Amazon API Gateway supports stateful (WebSocket) and stateless (HTTP and REST) APIs. Using HTTP APIs, customers can build APIs for services behind private ALBs, private NLBs, and IP-based services registered in AWS Cloud Map, such as ECS tasks.
- HTTP API: HTTP APIs are optimized for building APIs that proxy to AWS Lambda functions or HTTP backends, making them ideal for serverless workloads. They do not currently offer API management features such as usage plans and API keys.
- REST API: REST APIs offer API proxy functionality and API management features in a single solution. REST APIs offer API management features such as usage plans, API keys, publishing, and monetizing APIs.
- WebSocket API: WebSocket APIs maintain a persistent connection with connected clients to enable real-time message communication. With WebSocket APIs in API Gateway, customers can define backend integrations with AWS Lambda functions, Amazon Kinesis, or any HTTP endpoint, to be invoked when messages are received from the connected clients.
Using Amazon API Gateway, customers can create a custom API for code running in AWS Lambda and then call the Lambda code from the API. API Gateway can execute AWS Lambda code in their account, start AWS Step Functions state machines, or make calls to AWS Elastic Beanstalk, Amazon EC2, or web services outside of AWS that have publicly accessible HTTP endpoints.
- Using the Amazon API Gateway console, customers can define a REST API and its associated resources and methods.
- They can also manage their API lifecycle, generate client SDKs, and view API metrics.
A canary release is a deployment strategy in which a new version of an API (or of other software) is deployed for testing alongside the base version, the production release, which remains deployed for normal operations on the same stage.
- In a canary release deployment, total API traffic is separated at random into a production release and a canary release with a pre-configured ratio. On average the canary release receives a small percentage of API traffic and the production release takes up the rest.
- Keeping canary traffic small and the selection random protects most users from potential bugs in the new version.
- With a canary release enabled, customers can use the stage cache to store responses and return cached entries to subsequent canary requests within a pre-configured time-to-live (TTL) period.
- In a canary release deployment, the production release and canary release of the API can be associated with the same version or with different versions.
- When they are associated with different versions, responses for production and canary requests are cached separately and the stage cache returns corresponding results for production and canary requests.
- When the production release and canary release are associated with the same deployment, the stage cache uses a single cache key for both types of requests and returns the same response for the same requests from the production release and canary release.
Using AWS X-Ray, customers can trace and analyze user requests as they travel through their Amazon API Gateway APIs to the underlying services. Amazon API Gateway supports X-Ray tracing for all API Gateway endpoint types: Regional, edge-optimized, and private. Customers can use X-Ray with Amazon API Gateway in all AWS Regions where X-Ray is available.
- Because X-Ray gives an end-to-end view of an entire request, AWS clients can analyze latencies in their APIs and its backend services.
- They can use an X-Ray service map to view the latency of an entire request and that of the downstream services that are integrated with X-Ray.
- Customers can also configure sampling rules to tell X-Ray which requests to record and at what sampling rates, according to criteria that they specify.
API Gateway concepts
Amazon API Gateway is an AWS service that supports:
- Creating, deploying, and managing a RESTful application programming interface (API) to expose backend HTTP endpoints, AWS Lambda functions, or other AWS services.
- Creating, deploying, and managing a WebSocket API to expose AWS Lambda functions or other AWS services.
- Invoking exposed API methods through the frontend HTTP and WebSocket endpoints.
The metrics reported by API Gateway provide information that customers can analyze in different ways. Some common uses of these metrics are:
- Monitor the IntegrationLatency metrics to measure the responsiveness of the backend.
- Monitor the Latency metrics to measure the overall responsiveness of customers API calls.
- Monitor the CacheHitCount and CacheMissCount metrics to optimize cache capacities to achieve a desired performance.
API GATEWAY HTTP
A collection of routes and methods that are integrated with backend HTTP endpoints or Lambda functions. Customers can deploy this collection in one or more stages. Each route can expose one or more API methods that have unique HTTP verbs supported by API Gateway.
- Customers can use API Gateway for critical production applications, ranging from simple HTTP proxies to full API management with request transformation, authentication, and validation.
- HTTP APIs focus on delivering enhanced features, improved performance, and an easier developer experience for customers building with API Gateway.
- There are two Amazon API Gateway namespaces for managing Amazon API Gateway deployments. The API V1 namespace represents REST APIs and API V2 represents WebSocket APIs and the new HTTP APIs.
API GATEWAY WEBSOCKET
A collection of WebSocket routes and route keys that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. Customers can deploy this collection in one or more stages. API methods are invoked through frontend WebSocket connections that can be associated with a registered custom domain name.
- The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment and a remote host that has opted in to communications from that code.
- The security model used for this is the origin-based security model commonly used by web browsers. The protocol consists of an opening handshake followed by basic message framing, layered over TCP. In API Gateway, authorization for a WebSocket API is evaluated only on the $connect route, so checks such as validating the Origin header or a token belong in the authorizer attached to $connect; later messages on the connection are not re-authorized.
API GATEWAY REST
A REST API in Amazon API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. Customers can use API Gateway features to help them with all aspects of the API lifecycle, from creation through monitoring the production APIs.
- API resources are organized in a resource tree according to the application logic. Each API resource can expose one or more API methods that have unique HTTP verbs supported by API Gateway.
- Representational state transfer (REST) is a software architectural style that defines a set of constraints to be used for creating Web services. Web services that conform to the REST architectural style, called RESTful Web services, provide interoperability between computer systems on the Internet.
- Amazon API Gateway REST APIs use a request/response model where a client sends a request to a service and the service responds back synchronously. This kind of model is suitable for many different kinds of applications that depend on synchronous communication.
- Customers can monitor API execution by using CloudWatch, which collects and processes raw data from Amazon API Gateway into readable, near-real-time metrics.
- RESTful Web services allow the requesting systems to access and manipulate textual representations of Web resources by using a uniform and predefined set of stateless operations.
Amazon API Gateway Resources
API deployment :- A point-in-time snapshot of your Amazon API Gateway API. To be available for clients to use, the deployment must be associated with one or more API stages.
API developer:- The customer's AWS account that owns an Amazon API Gateway deployment (for example, a service provider that also supports programmatic access).
API endpoint:- A hostname for an API in Amazon API Gateway that is deployed to a specific Region. The following types of API endpoints are supported:
- Edge-optimized API endpoint
- Private API endpoint
- Regional API endpoint
API key:- An alphanumeric string that Amazon API Gateway uses to identify an app developer who uses a customer's REST or WebSocket API. API keys identify and meter clients; they are not a credential, so they should not be the only control that decides who may call an API.
- API Gateway can generate API keys on customers' behalf, or customers can import them from a CSV file.
- Customers can use API keys together with Lambda authorizers or usage plans to control access to their APIs.
App developer:- An app creator who may or may not have an AWS account and interacts with the API that the API developer has deployed.
- App developers are the API developer's customers.
Callback URL:- When a new client connects through a WebSocket connection, customers can call an integration in API Gateway to store the client's callback URL. They can then use that callback URL to send messages to the client from the backend system.
Developer portal:- An application that allows the API developer's customers to register, discover, and subscribe to API products (API Gateway usage plans), manage their API keys, and view their usage metrics for those APIs.
Proxy integration:- A simplified API Gateway integration configuration. Customers can set up a proxy integration as an HTTP proxy integration or a Lambda proxy integration.
- For HTTP proxy integration, API Gateway passes the entire request and response between the frontend and an HTTP backend.
- For Lambda proxy integration, API Gateway sends the entire request as input to a backend Lambda function. API Gateway then transforms the Lambda function output to a frontend HTTP response.
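With Lambda proxy integration the function receives the whole request as one event and must return a response object that API Gateway can map back to HTTP, so input validation and the response shape are the function's job. The following is an added example, not code from the page or from AWS: a handler for a REST API proxy event that validates method, path, content type, body encoding and JSON shape, reads the caller's identity from the authorizer context rather than from a client header, and always returns the structure API Gateway requires. The routes, field names, body cap and the event builder are constructed for the example.

```python
import base64
import json

# Assumption for the example: an application-level body cap, well below API Gateway's payload limit.
MAX_BODY_BYTES = 64 * 1024

SECURITY_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
    "X-Content-Type-Options": "nosniff",
}


def respond(status, payload):
    """Build the exact shape API Gateway requires from a Lambda proxy integration.

    `body` must be a string; a non-string body or a missing statusCode makes API Gateway
    answer the client with 502 'Malformed Lambda proxy response'.
    """
    return {
        "statusCode": status,
        "headers": dict(SECURITY_HEADERS),
        "body": json.dumps(payload),
        "isBase64Encoded": False,
    }


def decode_body(event):
    """Return the raw request bytes; API Gateway base64-encodes bodies of binary media types."""
    body = event.get("body")
    if body is None:
        return b""
    if event.get("isBase64Encoded"):
        return base64.b64decode(body, validate=True)  # raises binascii.Error (a ValueError) on junk
    return body.encode("utf-8")


def lambda_handler(event, context=None):
    method = event.get("httpMethod")
    path = event.get("path", "")
    # Header names are case-insensitive; normalise before looking anything up.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    # Identity set by an authorizer arrives in requestContext, never in a client-supplied header.
    caller = ((event.get("requestContext") or {}).get("authorizer") or {}).get("principalId", "anonymous")

    if method == "GET" and path == "/orders":
        qs = event.get("queryStringParameters") or {}
        limit = qs.get("limit", "10")
        if not limit.isdigit() or not 1 <= int(limit) <= 100:
            return respond(400, {"error": "limit must be an integer from 1 to 100"})
        return respond(200, {"owner": caller, "limit": int(limit), "orders": []})

    if method == "POST" and path == "/orders":
        if not headers.get("content-type", "").lower().startswith("application/json"):
            return respond(415, {"error": "Content-Type must be application/json"})
        try:
            raw = decode_body(event)
        except ValueError:
            return respond(400, {"error": "body is not valid base64"})
        if len(raw) > MAX_BODY_BYTES:
            return respond(413, {"error": "body too large"})
        try:
            order = json.loads(raw)
        except ValueError:  # includes UnicodeDecodeError and JSONDecodeError
            return respond(400, {"error": "body is not valid JSON"})
        sku, qty = (order.get("sku"), order.get("qty")) if isinstance(order, dict) else (None, None)
        if not isinstance(sku, str) or isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            return respond(400, {"error": "need sku (string) and qty (positive integer)"})
        return respond(201, {"accepted": True, "owner": caller, "sku": sku, "qty": qty})

    return respond(404, {"error": "no such route"})


def make_event(method, path, body=None, headers=None, query=None, principal=None, b64=False):
    """Constructed REST API proxy event containing only the fields this handler reads."""
    if body is not None and b64:
        body = base64.b64encode(body.encode()).decode()
    return {
        "httpMethod": method,
        "path": path,
        "headers": headers or {},
        "queryStringParameters": query,
        "body": body,
        "isBase64Encoded": b64,
        "requestContext": {"authorizer": {"principalId": principal}} if principal else {},
    }
```

Because the function sees the whole request, anything API Gateway would otherwise have enforced with request validators or a mapping template has to happen here; the 415, 413 and 400 branches above are the minimum a proxy-integrated backend needs before it touches the payload.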
Quick create:- Quick create simplifies creating an HTTP API. It creates an API with a Lambda or HTTP integration, a default catch-all route, and a default stage that is configured to automatically deploy changes. Because the catch-all ($default) route forwards every path and method to the integration, it should be replaced with explicit routes, with an authorizer attached, before the API is exposed.
Regional API endpoint:- The host name of an API that is deployed to the specified Region and intended to serve clients, such as EC2 instances, in the same AWS Region. API requests are targeted directly to the Region-specific API Gateway API without going through any CloudFront distribution.
- AWS customers can apply latency-based routing on Regional endpoints to deploy an API to multiple Regions using the same Regional API endpoint configuration, set the same custom domain name for each deployed API, and configure latency-based DNS records in Route 53 to route client requests to the Region that has the lowest latency.
Route:- A WebSocket route in API Gateway is used to direct incoming messages to a specific integration, such as an AWS Lambda function, based on the content of the message. When customers define the WebSocket API, they specify a route key and an integration backend.
- The route key is selected from the message by the API's route selection expression (for example, $request.body.action picks the action field of a JSON message). When the selected value matches a route key, that route's integration is invoked; otherwise the $default route is used, if one is defined.
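The following is an added example, not code from the page or from AWS, that models the selection step: it evaluates a $request.body.<field> route selection expression against message text, falls back to $default for anything that selects no route (non-JSON payloads, missing fields, non-string values), and dispatches to stand-in integrations. The expression, route names and handlers are constructed; refusing to let a message body name the $connect or $disconnect routes is a defensive choice of the example, not documented API Gateway behaviour.

```python
import json

# API Gateway evaluates the API's route selection expression against each message to pick
# a route key. This example handles expressions of the form $request.body.<field>[.<field>...].
ROUTE_SELECTION_EXPRESSION = "$request.body.action"

# Lifecycle routes are triggered by the connection itself, not by message contents; the
# example never lets a payload select them (assumption / defensive choice).
LIFECYCLE_ROUTES = {"$connect", "$disconnect"}


def select_route_key(expression, raw_message):
    """Return the route key a message selects, or None when it selects nothing.

    None covers non-JSON payloads, a missing field, a non-string value, and attempts to
    name a lifecycle route. API Gateway sends unmatched messages to the $default route.
    """
    prefix = "$request.body."
    if not expression.startswith(prefix):
        raise ValueError("this example only evaluates $request.body.* expressions")
    try:
        value = json.loads(raw_message)
    except ValueError:
        return None
    for field in expression[len(prefix):].split("."):
        if not isinstance(value, dict) or field not in value:
            return None
        value = value[field]
    if not isinstance(value, str) or value in LIFECYCLE_ROUTES:
        return None
    return value


def dispatch(routes, expression, connection_id, raw_message):
    """Pick the integration for a message and invoke it; returns (route_key, result)."""
    key = select_route_key(expression, raw_message)
    if key not in routes:
        key = "$default"  # no matching route key: API Gateway uses $default
    return key, routes[key](connection_id, raw_message)


# Constructed stand-ins for the backend integrations (Lambda functions in a real API).
def on_send_message(connection_id, raw_message):
    payload = json.loads(raw_message)
    # The route key came from the client. Whether this connection may relay anything is a
    # separate decision, made from state saved at $connect, never inferred from the route.
    return "relay %r for %s" % (payload.get("data"), connection_id)


def on_default(connection_id, raw_message):
    return "unsupported message from %s" % connection_id


ROUTES = {"sendMessage": on_send_message, "$default": on_default}
```

Since the client chooses the route key, every non-lifecycle integration must treat the connection id as its only trustworthy input and look up the authorization decided at $connect; a $default route that answers with an error rather than silently dropping messages also makes probing of the route space visible in the logs.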
Route request:- The public interface of a WebSocket API method in API Gateway that defines the body that an app developer must send in the requests to access the backend through the API.
Route response:- The public interface of a WebSocket API that defines the status codes, headers, and body models that an app developer should expect from API Gateway.
Usage plan:- A usage plan provides selected API clients with access to one or more deployed REST or WebSocket APIs. Customers can use a usage plan to configure throttling and quota limits, which are enforced on individual client API keys.
WebSocket connection:- API Gateway maintains a persistent connection between clients and API Gateway itself. There is no persistent connection between API Gateway and backend integrations such as Lambda functions. Backend services are invoked as needed, based on the content of messages received from clients.
Edge-optimized API endpoint:- The default hostname of an API Gateway API that is deployed to the specified Region while using a CloudFront distribution to facilitate client access typically from across AWS Regions.
- API requests are routed to the nearest CloudFront Point of Presence (POP), which typically improves connection time for geographically diverse clients.
Integration request:- The internal interface of a WebSocket API route or REST API method in API Gateway, in which customers map the body of a route request or the parameters and body of a method request to the formats required by the backend.
Integration response:- The internal interface of a WebSocket API route or REST API method in API Gateway, in which customers map the status codes, headers, and payload that are received from the backend to the response format that is returned to a client app.
Mapping template:- A script in Velocity Template Language (VTL) that transforms a request body from the frontend data format to the backend data format, or that transforms a response body from the backend data format to the frontend data format.
- Mapping templates can be specified in the integration request or in the integration response.
- They can reference data made available at runtime as context and stage variables.
Method request:- The public interface of a REST API method in API Gateway that defines the parameters and body that an app developer must send in requests to access the backend through the API.
Method response:- The public interface of a REST API that defines the status codes, headers, and body models that an app developer should expect in responses from the API.
Mock integration:- In a mock integration, API responses are generated from API Gateway directly, without the need for an integration backend. As an API developer, you decide how API Gateway responds to a mock integration request. For this, you configure the method’s integration request and integration response to associate a response with a given status code.
Model:- A data schema specifying the data structure of a request or response payload. A model is required for generating a strongly typed SDK of an API. It is also used to validate payloads.
- A model is convenient for generating a sample mapping template to initiate creation of a production mapping template.
Private API endpoint:- An API endpoint that is exposed through interface VPC endpoints and allows a client to securely access private API resources inside a VPC. Private APIs are isolated from the public internet, and they can only be accessed using VPC endpoints for API Gateway that have been granted access. That grant is a resource policy on the API that names the permitted VPC endpoints (for example, with a condition on aws:SourceVpce); a private API without such a policy cannot be invoked.
Private integration:- An API Gateway integration type for a client to access resources inside a customer’s VPC through a private REST API endpoint without exposing the resources to the public internet.