Amazon API Gateway Overview

• Definition: Fully managed service for developers to publish, maintain, monitor, and secure APIs at any scale.
• Supports creating, deploying, and managing RESTful APIs (HTTP APIs or REST APIs) and WebSocket APIs.
• Exposes backend HTTP endpoints, AWS Lambda functions, or other AWS services.
• Together with Lambda, forms the app-facing part of the AWS serverless infrastructure.
• Handles concurrent API calls (traffic management, authorization, monitoring, version management).
• REST APIs use JSON.
• Exposes HTTPS endpoints ONLY; does not support unencrypted endpoints. (Exam Tip!)
• Can present a certificate to be authenticated by the backend.
• Uses CloudFront as the public endpoint for Edge-optimized APIs.
• Supports custom domains and Server Name Indication (SNI).
• Supports API keys and Usage Plans for user identification, throttling, and quota management.
• Permissions granted using IAM roles/policies, API Gateway custom authorizers, or Cognito User Pools.

Key Features & Benefits

• Support for RESTful APIs (HTTP APIs, REST APIs) and WebSocket APIs.
• Private Integrations: Route requests to private resources in your VPC (e.g., ALBs, NLBs, IP-based services in Cloud Map).
• Metering: Define usage plans to meter and restrict third-party developer access (throttling, quotas).
• Security: Multiple tools to authorize access (IAM, Lambda Authorizers, Cognito User Pools).
• Resiliency: Traffic management with throttling to withstand spikes.
• Operations Monitoring: Metrics dashboard (CloudWatch) for API calls.
• Lifecycle Management: Operate multiple API versions and stages simultaneously.
• AWS Authorization: Supports Signature Version 4 for REST/WebSocket APIs, IAM access policies, and authorization with bearer tokens (JWT, SAML) using Lambda functions.

API Endpoint Types

• Hostname format: {api-id}.execute-api.{region}.amazonaws.com.
• Types: Edge-optimized, Regional, or Private.
• Edge-Optimized Endpoint:
  • Default for API Gateway REST APIs. (Exam Tip!)
  • Best for geographically distributed clients.
  • API requests routed to the nearest CloudFront Point of Presence (POP).
  • Capitalizes HTTP headers (e.g., Cookie).
  • Custom domain applies across all regions.
• Regional Endpoint:
  • Intended for clients in the same region.
  • Reduces connection overhead for EC2 instances in the same region or small number of high-demand clients.
  • Custom domain specific to the region where API is deployed. Can have same custom domain in multiple regions (use Route 53 for latency-based routing).
  • Passes all header names through as-is.
• Private Endpoint:
  • Accessed only from your Amazon VPC using an interface VPC endpoint (an ENI created in your VPC). (Exam Tip!)
  • Passes all header names through as-is.

API Types (REST vs. WebSocket)

• API Gateway REST API:
  • Collection of HTTP resources and methods.
  • Integrated with backend HTTP endpoints, Lambda functions, or other AWS services.
  • Deployed in one or more stages. Resources organized in a tree, methods use HTTP verbs (GET, PUT, POST, DELETE, ANY).
• API Gateway WebSocket API:
  • Collection of WebSocket routes and route keys.
  • Integrated with backend HTTP endpoints, Lambda functions, or other AWS services.
  • Deployed in one or more stages. Invoked through frontend WebSocket connections.

Deployments & Stages

• Deployments: A snapshot of the API's resources and methods. Must be created and associated with a stage for access.
• Stages: A logical reference to a lifecycle state of your API (e.g., 'dev', 'prod', 'beta', 'v2'). Identified by API ID and stage name.
• Stage Variables:
  • Like environment variables for API Gateway.
  • Can be used in: Lambda function ARN, HTTP endpoint, parameter mapping templates.
  • Passed to the "context" object in Lambda functions.
  • Used with Lambda aliases for canary deployments (can choose percentage of traffic).

Mapping Templates

• Used to modify request/response bodies and parameters.
• Purpose: Rename parameters, modify body content, add headers, map JSON to XML (or vice versa), filter output results.
• Uses Velocity Template Language (VTL). (Exam Tip!)
• Can be specified in the integration request or integration response.
• Can reference data available at runtime as context and stage variables.
• Can be an identity transform (pass headers/body through as-is).

Caching

• You can provision an API Gateway cache (size in GB) to cache endpoint responses.
• Benefits: Reduces calls to the backend, improves latency.
• TTL (Time to Live): API Gateway caches responses for a specific amount of time. Default 300 seconds (min 0, max 3600).
• Caches are defined per stage.
• Caches can be encrypted.
• Capacity: 0.5GB to 237GB.
• Possible to override cache settings for specific methods.
• Can flush the entire cache immediately.
• Clients can invalidate the cache with the header: Cache-Control: max-age=0.

API Throttling

• API Gateway sets limits on steady-state rate and burst of requests across all APIs in your account.
• Account Limits (soft limits, can be increased):
  • Steady-state request rate: 10,000 requests per second.
  • Maximum concurrent requests: 5,000 requests.
• Exceeding limits results in a 429 Too Many Requests error response. Client should implement retry logic with exponential backoff.
• Types of Throttling Settings:
  • Server-side: Applied across all clients to prevent API/account overwhelm.
  • Per-client: Applied to clients using API keys associated with usage plans.
• Order of Application (most specific to most general): (Exam Tip!)
  1. Per-client per-method throttling limits (set in usage plan for an API stage).
  2. Per-client throttling limits (set in a usage plan).
  3. Default per-method limits and individual per-method limits (set in API stage settings).
  4. Account-level throttling.

Integrations & Method Requests/Responses

• An API method (client-facing) is integrated with an Integration resource (backend-facing).
• Backend endpoints are "integration endpoints".
• Integration Request: Internal interface mapping client request body/parameters to backend format.
• Integration Response: Internal interface mapping backend status codes, headers, payload to client response format.
• Method Request: Public interface defining parameters/body client must send.
• Method Response: Public interface defining status codes, headers, body models client should expect.

Integration Types (Crucial!)

• Choose based on backend type and desired data flow. Set via type property on the Integration resource.
• AWS Integration (AWS):
  • Exposes AWS service actions (e.g., direct DynamoDB API calls, S3).
  • Requires configuring both integration request and integration response (manual data mappings).
• Lambda Proxy Integration (AWS_PROXY):
  • Preferred and highly recommended for integrating with Lambda functions. (Exam Tip!)
  • Streamlined setup: You DO NOT set the integration request or integration response. (Exam Tip!)
  • API Gateway passes the entire incoming request from the client (headers, path variables, query strings, body) as a single JSON event to the Lambda function.
  • Lambda function parses the input and must return a specific output format for API Gateway to respond correctly.
  • Not applicable to other AWS service actions beyond Lambda function invocation.
• HTTP Integration (HTTP):
  • Exposes HTTP endpoints.
  • Requires configuring both integration request and integration response (manual data mappings).
• HTTP Proxy Integration (HTTP_PROXY):
  • Allows client to access backend HTTP endpoints with a streamlined setup.
  • You DO NOT set the integration request or integration response. (Exam Tip!)
  • API Gateway passes the incoming request directly to the HTTP endpoint and the outgoing response directly back to the client.
• Mock Integration (MOCK):
  • API Gateway returns a response without sending the request to the backend.
  • Useful for: API testing, collaborative development (simulating other teams' components), returning CORS-related headers.
  • The API Gateway console integrates the OPTIONS method to support CORS with a mock integration.
  • Gateway responses are also examples of mock integrations.

Usage Plans & API Keys

• Usage Plan: Specifies who can access deployed API stages/methods, and how much/how fast (throttling and quota limits). Enforced on individual client API keys.
• API Keys: Alphanumeric string values distributed to app developers to grant access. Can be used with usage plans or Lambda authorizers. Generated by API Gateway or imported.

Same Origin Policy & CORS

• Same Origin Policy: A web browser security mechanism preventing scripts on one web page from accessing data in a second web page unless they have the same origin (domain, protocol, port). Enforced by web browsers.
• CORS (Cross-Origin Resource Sharing): A mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
  • Can enable CORS on API Gateway if using JavaScript/AJAX.
  • Allows sharing of resources between different domains.
  • If CORS is not enabled, cross-origin requests will be blocked by the browser.
  • Enable CORS on the API resources using the selected methods under API Gateway.
  • API Gateway console automatically sets up the OPTIONS method with a mock integration for CORS preflight requests.

Identity and Access Management (Authorization)

• Several mechanisms for controlling and managing access to an API:
• Resource-based Policies:
  • JSON policy documents attached directly to the API (resource).
  • Control invocation by specified principals (IAM user/role), source IP ranges, VPCs, or VPC endpoints.
  • Apply to all API endpoint types (private, edge-optimized, Regional).
• Standard IAM Roles and Policies (Identity-based Policies):
  • Create IAM policies and attach to users/roles.
  • API Gateway verifies IAM permissions (leverages SigV4).
  • Handles authentication and authorization. Great for users/roles within your AWS account.
• Lambda Authorizers (Custom Authorizers):
  • Use an AWS Lambda function to validate a token (e.g., OAuth, SAML, custom tokens) in the request header. (Exam Tip!)
  • Option to cache the result of the authentication for performance.
  • The Lambda function must return an IAM policy for the user, which API Gateway then uses for authorization.
  • You pay per Lambda invocation. Good for using OAuth, SAML, or 3rd party authentication.
• Amazon Cognito User Pools:
  • Integrate directly with a Cognito User Pool for authentication.
  • Users sign in via Cognito, which issues JWTs. API Gateway validates these JWTs.
  • Provides sign-up/sign-in services, customizable UI, social sign-in, user directory management.

Logging and Monitoring

• API Gateway logs backend performance metrics (API calls, latency, error rates) to CloudWatch (near real-time).
• Monitor through the API Gateway dashboard.
• Meters utilization by third-party developers.
• Integrated with AWS CloudTrail for a full auditable history of changes to your REST APIs (management events: create, modify, delete, deploy APIs).
• Key Metrics to Monitor:
  • IntegrationLatency: Measures responsiveness of the backend.
  • Latency: Measures overall responsiveness of API calls.
  • CacheHitCount, CacheMissCount: Optimize cache capacities.

Open API / Swagger

• Can import existing Swagger / Open API 3.0 definitions (YAML or JSON) to API Gateway.
• Common way of defining REST APIs using API definition as code.
• Can also export current APIs as Swagger / Open API 3.0 definition.
• Use the Import API feature (POST for new API, PUT for update/merge).

Charges

• Pay only when your APIs are in use. No minimum fees or upfront commitments.
• Pay only for API calls received and the amount of data transferred out.
• No data transfer out charges for Private APIs (but AWS PrivateLink charges apply).
• Optional data caching is charged at an hourly rate based on cache size.
• Free tier includes one million API calls per month for up to 12 months.

Important Exam Tips & Tricks

• HTTPS Only: API Gateway always exposes HTTPS endpoints.
• Endpoint Types: Understand the use cases for Edge-optimized (global clients, default), Regional (same-region clients), and Private (VPC only via VPC endpoint).
• Lambda Proxy Integration (AWS_PROXY): This is a huge time-saver for Lambda integrations. Remember it passes the full request to Lambda and expects a specific response format, without requiring manual mapping templates. (Very Common Exam Question!)
• HTTP Proxy Integration (HTTP_PROXY): Similar to Lambda Proxy, it's a pass-through for HTTP backends, no manual mapping templates needed.
• Mapping Templates (VTL): Crucial for transforming requests/responses when not using proxy integrations.
• Caching: Understand its benefits (latency, backend load) and configurable parameters (TTL, per stage, flushable).
• Throttling: Know the account-level limits and the order in which throttling rules are applied. Be prepared for 429 errors and client-side retry logic.
• Authorization Options: Be able to differentiate between IAM (for AWS users/roles), Lambda Authorizers (for custom auth schemes/3rd parties), and Cognito User Pools (for web/mobile app users).
• CORS: Know why it's needed (Same Origin Policy) and how API Gateway helps enable it (especially with OPTIONS method).
• CloudWatch vs. CloudTrail: CloudWatch for performance metrics and operational health. CloudTrail for auditing API management calls.
• Stage Variables: Useful for managing environment-specific configurations (e.g., different backend endpoints for dev/prod).
• Mock Integration: Use for testing and simulating backend responses without actual backend calls.