- We use API Gateway for creating REST APIs. The client talks to API Gateway, and API Gateway proxies the request to the Lambda function.
- We use API Gateway because it provides a lot of features that are not available when you front Lambda with an ALB.
API Gateway creates RESTful APIs that:
- Are HTTP-based.
- Enable stateless client-server communication.
- Implement standard HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
API Gateway creates WebSocket APIs that:
- Adhere to the WebSocket protocol, which enables stateful, full-duplex communication between client and server. Route incoming messages based on message content.
So API Gateway supports stateless RESTful APIs as well as stateful WebSocket APIs.
- API Gateway + Lambda = No infrastructure to manage.
- You pay only for the API calls you receive and the amount of data transferred out.
- We can handle API versioning (v1, v2, ...) without breaking the clients.
- We can handle different environments (test, dev, prod).
- We can handle security (authentication and authorisation) using API Gateway.
- We can cache API responses.
  - API caching is enabled for a stage (like prod, test, etc.) and not for a method.
- We can transform and validate requests and responses.
- We can have per-client throttling limits using API keys.
  - For example, different throttling limits for basic and premium users.
- We can also have per-method throttling limits.
- We can create API keys and do request throttling to protect backend systems.
  - Any request over the limit receives a 429 HTTP (Too Many Requests) response.
  - These requests fail.
API Gateway Integrations
- Lambda functions: for fully serverless applications.
- HTTP: expose HTTP endpoints in the backend. Example: an internal HTTP API on premise.
  - To add rate limiting, caching, user authentication, API keys, etc.
- AWS Services: expose any AWS API through API Gateway.
  - To add authentication, deploy publicly, rate control, etc.
API Gateway Endpoint Types
- Edge-Optimized (default):
  - For global clients.
  - Requests are routed through the CloudFront edge locations (improves latency).
  - The API Gateway still lives in only one region.
- Regional:
  - For clients within the same region.
  - Could manually combine with CloudFront (more control over the caching strategies and the distribution).
- Private:
  - Can only be accessed from your VPC using an interface VPC endpoint (ENI).
  - Use a resource policy to define access.
API Gateway Security
IAM Permissions
- Create an IAM policy authorisation and attach it to a User / Role.
- Great for users / roles already within your AWS account.
- Authentication = IAM | Authorisation = IAM Policy
- Good to provide access within AWS (EC2, Lambda, IAM users...).
- Handles authentication + authorisation.
- Leverages the Sig v4 capability, where the IAM credentials are passed in the headers.
Lambda Authoriser
- Token-based authoriser (bearer token), e.g. JWT (JSON Web Token) or OAuth.
  - Authentication = External | Authorisation = Lambda function
  - Uses an AWS Lambda function to validate the token passed in the header.
- Request parameter-based Lambda authoriser (headers, query string, stage variables).
- Retrieves the token from an external provider, uses the Lambda authoriser to validate the token with the external provider and then generates the IAM policy.
- Helps to use OAuth / SAML / 3rd-party types of authentication.
- The Lambda must return an IAM policy for the user. Very flexible in what IAM policy is returned.
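As an added example (not part of these notes), here is a token-based Lambda authoriser in Python that checks the bearer token and returns the IAM policy API Gateway expects, allowing the call only for callers holding a "premium" scope. The token format and the HMAC shared secret are constructed for the example; a real authoriser would validate a JWT against the external provider's keys. The field names `authorizationToken`, `methodArn`, `principalId`, `policyDocument` and `context` are the ones API Gateway uses for TOKEN authorisers.

```python
import base64, hashlib, hmac, json, time
# Constructed shared secret standing in for the external provider's signing key; a real
# authoriser would verify a JWT against the provider's published keys (assumption for offline use).
SIGNING_SECRET = b"example-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Constructed token format: '<base64url claims>.<base64url HMAC-SHA256>'."""
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)

def verify_token(token: str, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None  # tampered or foreign token
        claims = json.loads(_unb64url(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def build_policy(principal_id: str, effect: str, method_arn: str, context: dict) -> dict:
    """Response shape API Gateway expects from a TOKEN Lambda authoriser."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context,  # reaches the integration as $context.authorizer.<key>
    }

def lambda_handler(event: dict, _ctx=None, now=None) -> dict:
    """TOKEN authoriser entry point: event carries 'authorizationToken' and 'methodArn'."""
    header = event.get("authorizationToken", "")
    token = header[len("Bearer "):] if header.startswith("Bearer ") else ""
    claims = verify_token(token, int(time.time()) if now is None else now)
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway maps this exact message to a 401
    effect = "Allow" if "premium" in claims.get("scopes", []) else "Deny"  # authorisation decision
    return build_policy(claims.get("sub", "anonymous"), effect, event["methodArn"],
                        {"tier": "premium" if effect == "Allow" else "basic"})
```

A Deny policy results in a 403 for the caller, while a bad or expired token results in a 401; the `now` parameter exists only so the expiry check can be exercised deterministically.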
Cognito User Pools
- Cognito fully manages the user lifecycle.
- First the call goes to the Cognito User Pool to authenticate and get a token. Once the token is returned it is sent along with the REST API request.
- Cognito has a direct integration with API Gateway, so the token sent with the REST request is evaluated there.
- No custom implementation required.
- Authentication = Cognito User Pools | Authorisation = API Gateway Methods
- Cognito only helps with authentication, not authorisation.
Last updated: 2022-05-27