API Gateway
- We have two type of the API
- REST API – Representational State Transfer. It uses JSON. It is also used in AWS.
- SOAP API – The existing one, it uses XML.
- AS API Gateway is a fully manage services used by the developers to publish, maintain, monitor and secure API at any scale.
- The code can be in EC2 or in serverless Lambda or DynamoDB.
- It provides us HTTPS endpoints to define a RESTFUL API.
- Each API end point can point to different targets.
- It is scalable.
- We can track and control usage using the API key.
- Throttle request to prevent attack.
- We can maintain multiple version of the API.
- You can use cloudwatch to monitor the logs of API Gateway.
- Although API gateway supports REST method, it do support legacy SOAP method. But that will be custom configuration.
Configuring the API
- Define the API (Container)
- Define the resources and nested resources (URL paths)
- For each resources
- Select the supported HTTP method
- Set the security
- Choose target (EC2, Lambda or DyanamoDB)
- Set request and response transformation.
- Deploy API to Stage
- It will use the API gateway domain by default
- You can use custom domain
- Now supports AWS certificate manager (get free SSL/TLS certs)
API caching
- It is very similar to cache, instead of hitting to the target, the frequent requests are cached at endpoint and if someone requests the same information, the cached information is sent back.
- It has a TTL set.
- This decreases the latency.
Same-origin policy
- It is an important concept in web application security.
- It allows first webpage scripts to access the second page script, only if they are in the same region.
- This is managed and handled by the browsers
- This helps in avoiding the XSS attacks
- This is ignored by tool like Postman and CURL.
CORS Cross-Origin Resource Sharing
- This is one way in which the server at one end can relax the same origin policy.
- This will allow the restricted resource on one web application to be shared /requested from another domain outside the domain through which the request is been served.
- Browser makes an HTTP OPTIONS call for an URL. OPTIONS are GET, PUT, POST
- Server returns the option that says “These domains are approved to GET this URL”
- Error – “Origin policy cannot be read at the remote resource “; you will need to enable CORS at the AI Gateway.
Advance API Gateway
- We can use the API Gateway Import feature to import from an external definition into API gateway.
- With import API you can either create a new API by submitting a POST request that includes swagger definition in the payload and end point configuration or you can update an existing API by using a PUT request that contains a swagger definition in payload.
- You can update the existing API definition by overwriting it or you can merge a definition with existing one.
- You can specify the options in mode query parameter in the request URL.
API throttling
- By default, API gateway has a steady state request rate to 10000 requests per second.
- The maximum concurrent request is 5000 request across all API with an account.
- If the request exceeds 5000 or 10000 limit, you will get an error “429 too many request”
