API Gateway Overview

admin Application Service

API Gateway

  • We have two type of the API
    • REST API – Representational State Transfer. It uses JSON. It is also used in AWS.
    • SOAP API – The existing one, it uses XML.
  • AS API Gateway is a fully manage services used by the developers to publish, maintain, monitor and secure API at any scale.
  • The code can be in EC2 or in serverless Lambda or DynamoDB.
  • It provides us HTTPS endpoints to define a RESTFUL API.
  • Each API end point can point to different targets.
  • It is scalable.
  • We can track and control usage using the API key.
  • Throttle request to prevent attack.
  • We can maintain multiple version of the API.
  • You can use cloudwatch to monitor the logs of API Gateway.
  • Although API gateway supports REST method, it do support legacy SOAP method. But that will be custom configuration.

Configuring the API

  • Define the API (Container)
  • Define the resources and nested resources (URL paths)
  • For each resources
    • Select the supported HTTP method
    • Set the security
    • Choose target (EC2, Lambda or DyanamoDB)
    • Set request and response transformation.
  • Deploy API to Stage
  • It will use the API gateway domain by default
  • You can use custom domain
  • Now supports AWS certificate manager (get free SSL/TLS certs)

API caching

  • It is very similar to cache, instead of hitting to the target, the frequent requests are cached at endpoint and if someone requests the same information, the cached information is sent back.
  • It has a TTL set.
  • This decreases the latency.

Same-origin policy

  • It is an important concept in web application security.
  • It allows first webpage scripts to access the second page script, only if they are in the same region.
  • This is managed and handled by the browsers
  • This helps in avoiding the XSS attacks
  • This is ignored by tool like Postman and CURL.

CORS Cross-Origin Resource Sharing

  • This is one way in which the server at one end can relax the same origin policy.
  • This will allow the restricted resource on one web application to be shared /requested from another domain outside the domain through which the request is been served.
  • Browser makes an HTTP OPTIONS call for an URL. OPTIONS are GET, PUT, POST
  • Server returns the option that says “These domains are approved to GET this URL”
  • Error – “Origin policy cannot be read at the remote resource “; you will need to enable CORS at the AI Gateway.

Advance API Gateway

  • We can use the API Gateway Import feature to import from an external definition into API gateway.
  • With import API you can either create a new API by submitting a POST request that includes swagger definition in the payload and end point configuration or you can update an existing API by using a PUT request that contains a swagger definition in payload.
  • You can update the existing API definition by overwriting it or you can merge a definition with existing one.
  • You can specify the options in mode query parameter in the request URL.

API throttling

  • By default, API gateway has a steady state request rate to 10000 requests per second.
  • The maximum concurrent request is 5000 request across all API with an account.
  • If the request exceeds 5000 or 10000 limit, you will get an error “429 too many request”