API Gateway Flashcards
What Endpoint Types does API Gateway offer?
Edge-optimized (default):
for geographically distributed clients - requests are routed through CloudFront edge locations, which improves latency - the API itself still lives in a single region
Regional:
for clients in the same region - can be put behind your own CloudFront distribution when you want control over caching, WAF or certificates
Private:
reachable only from inside a VPC through an interface VPC endpoint (an ENI in your subnets) - access is controlled with a resource policy on the API
What are deployment stages in API Gateway?
making changes to an API does NOT mean they are in effect
we need to perform a "deployment" for the changes to take effect
changes are deployed to stages (choose a name, e.g. dev, test, prod)
each stage has its own configuration (throttling, logging, caching, stage variables)
a stage can be rolled back to a previous deployment
How do Stage Variables work in api gateway?
just like environment variables, but per stage
they can be used in:
the Lambda function ARN (e.g. pointing at a per-stage alias via ${stageVariables.lambdaAlias})
HTTP endpoint URLs
parameter mapping templates (as $stageVariables.name)
a Lambda proxy integration receives them in the event (event["stageVariables"]); they are plain configuration visible to anyone who can read the API, so keep credentials out of them
What are canary deployments in api gateway?
typically used on the prod stage to roll out a new deployment gradually
choose the % of traffic the canary receives; the rest keeps hitting the current deployment
metrics and logs for the canary are kept separate
API Gateway's equivalent of a blue/green rollout: promote the canary once it looks healthy, or delete it to roll back
stage variables can be overridden for the canary
How to integrate api gateway with our backend?
Integration Types:
MOCK: API Gateway returns a response without calling any backend (useful for stubs and for CORS pre-flight responses)
HTTP / AWS (Lambda & AWS services): you must configure an integration request and an integration response - data mapping is set up with mapping templates for request and response
AWS_PROXY (Lambda proxy): the incoming request is handed to Lambda as the event - the function is responsible for handling the request and for returning the response in the shape API Gateway expects - no mapping templates; query string parameters, path parameters, headers and body arrive as fields of the event, not as separate arguments
HTTP_PROXY: no mapping templates - the HTTP request is passed through to the backend, and the backend's HTTP response is forwarded by API Gateway to the client (request parameters such as headers can still be mapped)
When and how are mapping templates used with api gateway?
can only be used with the AWS and HTTP integration types (not the proxy variants)
mapping templates modify the request sent to the backend and the response returned to the client
rename/modify query string parameters
add headers
written in Velocity Template Language (VTL): variables, #foreach loops, $input/$util/$context helpers
filter or reshape output results (e.g. strip internal fields before they reach the client)
Can OpenAPI or Swagger specs be used with API Gateway?
Yes.
Both treat the API definition as code
Import a spec that describes methods, method requests, integration requests, method responses and, through the x-amazon-apigateway-* extensions, every API Gateway option
An existing API can be exported as a Swagger or OpenAPI spec
Specs can be written in JSON or YAML
from the spec we can generate SDKs for our client apps
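The definition below is an added example, not code from the original page, showing what such an importable OpenAPI 3 file looks like with the MOCK, AWS (with VTL mapping templates) and AWS_PROXY (with a stage variable in the Lambda ARN) integrations side by side. The API name, paths, region eu-west-1, account id 123456789012, the function names and the lambdaAlias stage variable are all assumptions.

```yaml
openapi: "3.0.1"
info:
  title: orders-api          # assumed name
  version: "1.0"
paths:
  /orders:
    get:
      parameters:
        - name: status
          in: query
          schema: { type: string }
      responses:
        "200": { description: list of orders }
      x-amazon-apigateway-integration:
        # AWS_PROXY: no templates, the event carries the whole request.
        # The alias comes from the stage variable, so dev/prod point at
        # different Lambda versions with one API definition.
        type: aws_proxy
        httpMethod: POST
        uri: arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:123456789012:function:list-orders:${stageVariables.lambdaAlias}/invocations
        passthroughBehavior: when_no_match
    options:
      responses:
        "200":
          description: CORS pre-flight
          headers:
            Access-Control-Allow-Origin: { schema: { type: string } }
            Access-Control-Allow-Methods: { schema: { type: string } }
            Access-Control-Allow-Headers: { schema: { type: string } }
      x-amazon-apigateway-integration:
        # MOCK: answered by API Gateway itself, nothing is invoked.
        type: mock
        requestTemplates:
          application/json: '{"statusCode": 200}'
        responses:
          default:
            statusCode: "200"
            responseParameters:
              method.response.header.Access-Control-Allow-Origin: "'https://app.example.com'"
              method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS'"
              method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization'"
  /orders/{id}:
    get:
      parameters:
        - name: id
          in: path
          required: true
          schema: { type: string }
      responses:
        "200": { description: one order }
      x-amazon-apigateway-integration:
        # AWS (non-proxy): the request template decides what Lambda sees
        # and the response template decides what the client sees.
        type: aws
        httpMethod: POST
        uri: arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:123456789012:function:get-order/invocations
        requestTemplates:
          application/json: |
            {
              "orderId": "$util.escapeJavaScript($input.params('id'))",
              "stage": "$context.stage"
            }
        responses:
          default:
            statusCode: "200"
            responseTemplates:
              application/json: |
                #set($o = $input.path('$'))
                {"id": "$o.id", "total": $o.total}
```

Two things to remember when importing something like this: every Lambda alias referenced through the stage variable needs its own lambda:InvokeFunction permission for the API's source ARN, and $util.escapeJavaScript is there because a path parameter dropped raw into a JSON template is an injection point into the payload the backend parses.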
How does caching work with API Gateway?
caching reduces calls to the backend, taking load off it
default TTL 300 s (configurable from 0 s to 3600 s)
caches are defined at stage level
cache settings can be overridden per method
optional cache encryption (enable it when responses carry personal or confidential data)
cache capacity between 0.5 GB and 237 GB
the cache is billed per hour for its size whether it is hit or not, so enable it only where it pays off (typically prod)
What is Gateway Cache Invalidation?
cache invalidation replaces or removes entries in the cache before their TTL expires
can be done immediately in the console (flush the entire stage cache)
can be done from the client side: the caller sends the header Cache-Control: max-age=0 on a request that is SigV4-signed by an IAM principal allowed to perform execute-api:InvalidateCache on that method
if the stage does not require authorization for invalidation, any client can evict cached entries at will and push the load straight to the backend => BAD! Require authorization and set the handling of unauthorized invalidation requests to "fail the request with 403"
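An added example (not from the original page) of the IAM policy that grants one principal the right to invalidate the cached entry of a single method; region, account id and API id a1b2c3 are placeholders. Attach it to the caller's user or role, and add execute-api:Invoke when the method itself uses IAM authorization.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:InvalidateCache",
      "Resource": "arn:aws:execute-api:eu-west-1:123456789012:a1b2c3/prod/GET/orders"
    }
  ]
}
```

The caller then signs a normal GET /orders request with SigV4 and adds Cache-Control: max-age=0. Keep the Resource narrow: a wildcard here lets that principal flush every cached response on the stage.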
What about Usage Plan and API Keys for clients of the API?
the API can be sold to customers ($)
Usage Plan:
defines who can access one or more deployed API stages and methods
and how often and how fast they can access them
uses API keys to identify and meter clients
throttling and quota limits are configured per client (per key)
API Keys:
alphanumeric string values distributed to your customers, sent in the x-api-key header
used together with a Usage Plan to control access
throttling limits (rate and burst) are applied per API key
a quota limit is the overall number of requests allowed per day, week or month
an API key is a metering identifier, not an authentication credential: combine it with IAM, Cognito or a Lambda authorizer for anything that needs to know who the caller is
What is the correct order for API Keys and Usage Plans?
- Create one or more api, configure the methods to require keys, and deploy to stages
- Generate or import API keys and distribute them to developers, our customers
- Create the Usage Plan with the desired throttle and quota limits
- Associate Api stages and Api keys with the Usage Plan
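The four steps above as one CloudFormation template, added here as an example and not taken from the original page. The API name, the MOCK-backed GET /orders method, the customer key name and the throttle/quota numbers are assumptions.

```yaml
Resources:
  OrdersApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: orders-api
  OrdersResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref OrdersApi
      ParentId: !GetAtt OrdersApi.RootResourceId
      PathPart: orders
  GetOrders:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref OrdersApi
      ResourceId: !Ref OrdersResource
      HttpMethod: GET
      AuthorizationType: NONE
      ApiKeyRequired: true            # step 1: the method demands x-api-key
      Integration:
        Type: MOCK
        RequestTemplates:
          application/json: '{"statusCode": 200}'
        IntegrationResponses:
          - StatusCode: "200"
            ResponseTemplates:
              application/json: '{"items": []}'
      MethodResponses:
        - StatusCode: "200"
  ProdDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: GetOrders              # step 1: deploy after the method exists
    Properties:
      RestApiId: !Ref OrdersApi
  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref OrdersApi
      DeploymentId: !Ref ProdDeployment
      StageName: prod
  AcmeKey:
    Type: AWS::ApiGateway::ApiKey     # step 2: generated value, one per customer
    Properties:
      Name: customer-acme
      Enabled: true
  GoldPlan:
    Type: AWS::ApiGateway::UsagePlan  # step 3: limits
    Properties:
      UsagePlanName: gold
      Throttle:
        RateLimit: 100                # steady requests per second per key
        BurstLimit: 200
      Quota:
        Limit: 100000
        Period: MONTH
      ApiStages:                      # step 4a: attach the stage
        - ApiId: !Ref OrdersApi
          Stage: !Ref ProdStage
  GoldPlanAcme:
    Type: AWS::ApiGateway::UsagePlanKey  # step 4b: attach the key
    Properties:
      KeyId: !Ref AcmeKey
      KeyType: API_KEY
      UsagePlanId: !Ref GoldPlan
```

With AuthorizationType NONE the key is the only gate on this method, which is fine for metering a public, low-value endpoint but not for anything tenant-specific: a leaked key then grants the caller that tenant's quota and data until it is rotated.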
How does Monitoring and Logging work with Api Gateway?
CloudWatch Logs:
enable CloudWatch Logs at the stage level with a log level (OFF, ERROR, INFO)
settings can be overridden per method
optionally logs full request/response data - this captures tokens, API keys and personal data, so leave it off in prod unless you need it and scope access to the log group
X-Ray:
Enable tracing to get extra information about requests in api gateway
X-ray Api GateWay + Lambda gives us the full picture
CloudWatch Metrics:
metrics are per stage, with the option to enable detailed (per-method) metrics
important metrics:
CacheHitCount & CacheMissCount - tell how efficient the cache is
IntegrationLatency: the time between API Gateway relaying a request to the backend and receiving the response from the backend
Latency: the time between API Gateway receiving a request from the client and sending the response back - includes IntegrationLatency plus the gateway's own overhead
4XXError (client side) & 5XXError (server side) counts
How does API Gateway throttling work?
Account limit:
API Gateway throttles all APIs in an account (per region) at 10,000 requests per second with a burst of 5,000, across all APIs - a soft limit that can be raised on request
throttled requests receive 429 Too Many Requests
stage- and method-level limits can be set below the account limit so one noisy API cannot starve the others
usage plans add per-client limits on top
What errors does api gateway return?
4xx client side:
400: Bad Request (e.g. failed request validation)
403: Access Denied (authorizer or resource policy denied, missing API key, or WAF filtered)
429: quota exceeded or throttled
5xx server side:
502: Bad Gateway, e.g. the Lambda proxy returned a malformed response
503: Service Unavailable, backend unavailable
504: integration failure, e.g. the backend exceeded the integration timeout (29 s by default)
How does CORS work with gateway?
Cross Origin Resource Sharing
must be enabled for a browser to call the API from another origin (different domain, scheme or port)
the response to the OPTIONS pre-flight request must carry the following headers:
Access-Control-Allow-Methods
Access-Control-Allow-Headers
Access-Control-Allow-Origin
CORS can be enabled through the console (it adds an OPTIONS method with a MOCK integration); with a proxy integration the backend must return the headers itself, on the pre-flight and on the actual response
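An added example (not code from the original page) of an AWS_PROXY Lambda handler that covers both points above: it reads query string, path parameters and body from the event instead of arguments, returns the response shape API Gateway demands (the shape whose violation produces the 502 listed earlier), and answers the CORS pre-flight itself with the three headers. The /orders resource, the ORDERS store and the allowed origin are constructed for the example.

```python
"""AWS_PROXY Lambda handler that also answers the CORS pre-flight itself.

Added example, not code from the original page. The /orders resource, the
ORDERS store and ALLOWED_ORIGINS are constructed for the example.
"""
import json

ORDERS = {  # constructed stand-in for the database behind the API
    "1001": {"id": "1001", "status": "paid", "total": 42.5},
    "1002": {"id": "1002", "status": "open", "total": 7.0},
}
# Exact origins allowed to call the API from a browser. Never '*' for an
# API that relies on cookies or Authorization headers.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = "GET,POST,OPTIONS"
ALLOWED_HEADERS = "Content-Type,Authorization"


def cors_headers(origin):
    """CORS headers for an allow-listed origin; an empty dict for any other."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Vary": "Origin",
    }


def proxy_response(status, body=None, extra_headers=None):
    """Build the exact shape API Gateway requires from a proxy integration:
    int statusCode, flat dict of string headers, string body. Anything else
    (a raw dict, a missing statusCode) becomes a 502 for the client."""
    headers = {} if body is None else {"Content-Type": "application/json"}
    headers.update(extra_headers or {})
    return {"statusCode": status, "headers": headers,
            "body": "" if body is None else json.dumps(body)}


def is_valid_proxy_response(resp):
    """Mirror API Gateway's shape check so unit tests catch 502s early."""
    return (isinstance(resp, dict)
            and isinstance(resp.get("statusCode"), int)
            and isinstance(resp.get("body", ""), str)
            and all(isinstance(k, str) and isinstance(v, str)
                    for k, v in resp.get("headers", {}).items()))


def decode_body(resp):
    """Parse the JSON body of a proxy response (used by tests)."""
    return json.loads(resp["body"])


def handler(event, context=None):
    """Entry point: the whole HTTP request arrives in `event`, not as args."""
    method = event.get("httpMethod", "GET")
    resource = event.get("resource", "")
    req_headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    cors = cors_headers(req_headers.get("origin", ""))

    # Pre-flight: the browser sends OPTIONS first and needs the three
    # Access-Control-* headers on the *response*, or it blocks the real call.
    if method == "OPTIONS":
        if not cors:
            return proxy_response(403, {"message": "origin not allowed"})
        return proxy_response(204, None, cors)

    # No mapping template with AWS_PROXY: query string, path parameters and
    # body are fields of the event (None when absent), not arguments.
    qs = event.get("queryStringParameters") or {}
    path = event.get("pathParameters") or {}

    if method == "GET" and resource == "/orders":
        wanted = qs.get("status")
        items = [o for o in ORDERS.values() if wanted in (None, o["status"])]
        return proxy_response(200, {"items": items}, cors)

    if method == "GET" and resource == "/orders/{id}":
        order = ORDERS.get(path.get("id"))
        if order is None:
            return proxy_response(404, {"message": "not found"}, cors)
        return proxy_response(200, order, cors)

    if method == "POST" and resource == "/orders":
        try:
            total = float(json.loads(event.get("body") or "")["total"])
        except (ValueError, KeyError, TypeError):
            return proxy_response(400, {"message": "JSON body with numeric total required"}, cors)
        new_id = str(max(map(int, ORDERS)) + 1)
        ORDERS[new_id] = {"id": new_id, "status": "open", "total": total}
        return proxy_response(201, ORDERS[new_id], cors)

    return proxy_response(405, {"message": "method not allowed"}, cors)
```

Echoing only an allow-listed Origin (plus Vary: Origin so caches keep the variants apart) is what makes the pre-flight useful as a control; a wildcard satisfies the browser just as well but extends the API to every site on the web.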
How does Authorization and Authentication work with API Gateway?
IAM permissions:
users & roles authenticate
IAM policies (execute-api:Invoke) authorize
good for access from within AWS (services, EC2/Lambda roles, principals in other accounts)
leverages SigV4: the request is signed with IAM credentials and the signature travels in the Authorization header (the secret key itself never leaves the client)
Resource Policies:
main use: cross-account access
allow only specific source IP addresses (aws:SourceIp)
allow only a specific VPC endpoint (aws:SourceVpce), which is mandatory for a private API
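An added example (not from the original page) of the resource policy pattern for the VPC endpoint case: a broad Allow followed by an explicit Deny for every request that did not come through the expected endpoint. The endpoint id vpce-0123456789abcdef0 is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

The same shape restricts by network location for a public API: swap the condition for "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}. Resource policies restrict where calls may come from; they do not replace method authorization, so pair them with IAM, Cognito or a Lambda authorizer.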
Cognito:
Gateway verifies the identity token issued by Cognito automatically
no custom code required
authentication: Cognito User Pools (the client sends the user pool JWT, usually in the Authorization header)
authorization: per API Gateway method (optionally scoped by OAuth scopes) or in the backend, e.g. from the token's groups
the token is validated on every request (signature and expiry) without a call to Cognito
Lambda Authorizer:
token-based authorizer (e.g. a JWT or OAuth bearer token read from a header)
request-parameter-based authorizer (headers, query string, stage variables)
the Lambda must return an IAM policy for the caller; the result is cached for the authorizer's TTL, keyed by the token or by the request parameters
authentication: external provider
authorization: the Lambda function
the client uses the 3rd-party authentication system's token
the Lambda function has to check the token's validity itself (signature, issuer, expiry, audience), e.g. against the 3rd-party provider's published keys
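The authorizer described above, as an added example that is not code from the original page: it verifies an HS256 JWT with the standard library only (signature, pinned algorithm, issuer, expiry), raises "Unauthorized" for a bad token, and returns a stage-wide policy with an explicit Deny for non-admins. The shared secret, the issuer and the role claim are constructed for the example; a real deployment would verify the identity provider's RS256 signature against its JWKS and keep secrets out of source.

```python
"""Token-based Lambda authorizer (TOKEN type) that validates a JWT and
returns an IAM policy.

Added example, not code from the original page. The HS256 shared secret,
issuer and 'role' claim are constructed for the example; a real deployment
would check the identity provider's RS256 signature against its JWKS and
read secrets from a secret store, not from source.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret-do-not-ship"   # constructed
EXPECTED_ISSUER = "https://idp.example.com"      # constructed


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims, secret=SECRET):
    """Issue an HS256 JWT; here only so the verifier can be exercised offline."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret=SECRET, now=None):
    """Return the claims if alg, signature, issuer and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: trusting the token's own 'alg' (e.g. 'none') is the classic JWT bug.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal_id, statements, context=None):
    """The document API Gateway expects back from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": statements},
        # Plain key/value pairs the backend can read as $context.authorizer.*
        "context": context or {},
    }


def handler(event, context=None, now=None):
    """Entry point: event carries authorizationToken and methodArn."""
    token = event.get("authorizationToken") or ""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    claims = verify_token(token, now=now)
    if claims is None:
        # Raising with exactly this message makes API Gateway answer 401.
        raise Exception("Unauthorized")

    # API Gateway caches the returned policy per token for the authorizer's
    # TTL and reuses it for *other* methods, so the policy must cover the
    # whole stage rather than only event["methodArn"]; otherwise later calls
    # to a different method are denied until the cache entry expires.
    api_arn, stage = event["methodArn"].split("/")[:2]
    base = f"{api_arn}/{stage}"
    statements = [{"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": f"{base}/*/*"}]
    if claims.get("role") != "admin":
        # An explicit Deny wins over the Allow above: non-admins may not call DELETE.
        statements.append({"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": f"{base}/DELETE/*"})
    return build_policy(claims["sub"], statements, {"role": claims.get("role", "")})
```

The two checks worth copying are the pinned algorithm (a verifier that honours the token's own alg header accepts unsigned "none" tokens) and hmac.compare_digest for the signature comparison; the stage-wide policy is what keeps result caching from turning into spurious 403s.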
HTTP API vs. REST API
HTTP API:
low latency
cost effective
Lambda proxy APIs
HTTP proxy APIs
only proxy integrations (no mapping templates)
private integrations (VPC link to an ALB, NLB or Cloud Map service)
built-in JWT authorizer for OIDC and OAuth 2.0
supports CORS
no usage plans or API keys, no request validation, no caching, no WAF, no resource policies
REST API:
all features (usage plans, API keys, caching, request validation, WAF, resource policies, canaries)
except a built-in JWT authorizer for OIDC and OAuth 2.0 (use Cognito or a Lambda authorizer instead)
Websocket APIs
A WebSocket is a persistent two-way connection between a client (e.g. a browser) and a server
the server can push information to the client without the client requesting it
enables stateful application use cases
used for financial trading, games, chats
the backend can be any integration API Gateway supports, e.g. DynamoDB, Lambda, HTTP endpoints
How does websocket work?
websocket url:
wss://[uniqueid].execute-api.[region].amazonaws.com/[stage-name]
Client to server messaging
the client connects to the WebSocket API and establishes a persistent connection; this invokes the $connect integration (e.g. a Lambda function) with a connectionId, which stays the same for as long as the client is connected and can be stored and handed to other services
messages (frames) are then sent over the persistent connection; each one invokes the backend again with the same connectionId
Server to client messaging
the backend calls the connection URL (https://[uniqueid].execute-api.[region].amazonaws.com/[stage-name]/@connections/[connectionId]) for the client's connectionId, signing the request with IAM SigV4, to send messages to the client
the connection URL offers the following methods:
POST: send a message from the server to the connected client
GET: get the connection status of the connected client
DELETE: disconnect the client
How does websocket routing work with api gateway?
incoming data goes from the client to the API
incoming JSON messages are routed to different backends
if no route matches => sent to $default
a route selection expression selects the JSON field to route on
example: $request.body.action
the result is evaluated against the route keys defined in the API
the matched route is then connected to the backend configured in API Gateway
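An added example, not code from the original page, putting the connection lifecycle and the routing described above into one backend function: $connect admits and records the connectionId, custom route sendmessage fans a frame out to the other connections, anything else lands on $default, and $disconnect forgets the id. select_route() reproduces what API Gateway does with $request.body.action so the whole flow runs offline. The CONNECTIONS dict stands in for the DynamoDB table a real deployment would use, and post_to_connection() stands in for the SigV4-signed POST to @connections/{connectionId} (boto3's apigatewaymanagementapi.post_to_connection); both are constructed for the example.

```python
"""Backend for a WebSocket API: one function serves $connect, $disconnect,
$default and a custom 'sendmessage' route chosen by the route selection
expression $request.body.action.

Added example, not code from the original page. CONNECTIONS is an in-memory
stand-in for the DynamoDB table a real deployment would use, and
post_to_connection() stands in for the SigV4-signed POST to
@connections/{connectionId}; both are constructed so the flow runs offline.
"""
import json

ROUTE_KEYS = {"$connect", "$disconnect", "$default", "sendmessage"}
CONNECTIONS = {}   # connectionId -> {"user": ...}
SENT = []          # (connectionId, json payload) delivered by the stand-in


def select_route(raw_body):
    """What API Gateway does with $request.body.action on each frame."""
    try:
        action = json.loads(raw_body).get("action")
    except (ValueError, AttributeError):
        action = None
    # Only custom keys are selectable; $connect/$disconnect are lifecycle events.
    if isinstance(action, str) and action in ROUTE_KEYS and not action.startswith("$"):
        return action
    return "$default"


def post_to_connection(connection_id, payload):
    """Stand-in for the connection URL callback (POST). The real call fails
    with 410 Gone once the client is gone; KeyError plays that role here."""
    if connection_id not in CONNECTIONS:
        raise KeyError(connection_id)
    SENT.append((connection_id, json.dumps(payload)))


def broadcast(payload, exclude=None):
    """Push to every live connection, evicting ids that turn out to be stale."""
    for cid in list(CONNECTIONS):
        if cid == exclude:
            continue
        try:
            post_to_connection(cid, payload)
        except KeyError:
            CONNECTIONS.pop(cid, None)


def handler(event, context=None):
    """Entry point; requestContext.routeKey says which route fired."""
    rc = event["requestContext"]
    route, cid = rc["routeKey"], rc["connectionId"]

    if route == "$connect":
        # The upgrade request is the only chance to authenticate: its query
        # string/headers are visible here, later frames carry no credentials.
        user = (event.get("queryStringParameters") or {}).get("user")
        if not user:
            return {"statusCode": 401}   # any non-2xx rejects the connection
        CONNECTIONS[cid] = {"user": user}
        return {"statusCode": 200}

    if route == "$disconnect":
        CONNECTIONS.pop(cid, None)
        return {"statusCode": 200}

    if route == "sendmessage":
        if cid not in CONNECTIONS:
            return {"statusCode": 403}   # frame from a connection never admitted
        body = json.loads(event.get("body") or "{}")
        text = str(body.get("text", ""))[:500]   # cap what one client can fan out
        broadcast({"from": CONNECTIONS[cid]["user"], "text": text}, exclude=cid)
        return {"statusCode": 200}

    # $default: the frame's 'action' matched no route key; tell the sender.
    if cid in CONNECTIONS:
        post_to_connection(cid, {"error": "unknown action"})
    return {"statusCode": 200}


def simulate_connect(cid, user=None):
    """Build the $connect event (user taken from the upgrade query string)."""
    event = {"requestContext": {"routeKey": "$connect", "connectionId": cid},
             "queryStringParameters": {"user": user} if user else None}
    return handler(event)


def simulate_frame(cid, raw_body):
    """Route a raw frame the way API Gateway would, then invoke the handler."""
    event = {"requestContext": {"routeKey": select_route(raw_body), "connectionId": cid},
             "body": raw_body}
    return handler(event)
```

In production the "user" would come from a token checked by a $connect authorizer rather than a bare query parameter, and the backend role needs execute-api:ManageConnections on the stage's @connections resource to call the connection URL.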
Gateway Architecture
we can create a single interface for the microservices in our company
use API endpoints with various resources
put a custom domain name in front of it, with a TLS certificate from ACM
apply forwarding and transformation rules at the API Gateway level