API Gateway Flashcards

1
Q

What Endpoint Types does API Gateway offer?

A

Edge Optimized (default):

for global clients - requests are routed through CloudFront Edge locations improving latency - Gateway still exists in only one region

Regional:

for clients within the same region - can be manually combined with CloudFront

Private:

only accessible from within the VPC using a VPC endpoint (ENI) - use resource policy to define access

2
Q

What are deployment stages in API Gateway?

A

making changes to an API does not mean they are in effect

we need to perform a “deployment” for changes to take effect

changes are deployed to stages (choose name e.g. dev, test, prod)

each stage has its own config parameters

stages can be rolled back to previous version

3
Q

How do Stage Variables work in api gateway?

A

just like env vars

they can be used in:

lambda function ARN

http endpoints

parameter mapping templates

stage variables are passed through the context object to lambda functions

4
Q

What are canary deployments in api gateway?

A

usually used for prod environment

choose the % of traffic the canary channel receives

often used for new deployments

metrics and logs are separate

equivalent to blue/green deployment

stage variables can be overwritten with canary

5
Q

How to integrate api gateway with our backend?

A

Integration Types:

MOCK: api gateway returns a response without calling the backend

HTTP/AWS(LAMBDA & AWS Services): must configure an integration request and an integration response - setup data mapping using mapping templates for the request & response

AWS_PROXY (Lambda Proxy): incoming request from client is input for lambda - the function is responsible for the logic of request & response - No mapping templates, querystringparameters, or headers are passed as arguments

HTTP_PROXY: No mapping template - http request is passed to the backend - http response from the backend is forwarded by api gateway to the client

6
Q

When and how are mapping templates used with api gateway?

A

Can only be used with Integration type: AWS/HTTP

mapping templates can be used to modify requests and responses

rename/modify query string parameters

add headers

Uses Velocity Template Language (VTL), for loops etc.

filter output results

7
Q

Can Open API or Swagger specs be used with api Gateway?

A

Yes.

Both use API definitions as code

Import the spec including: method, method request, integration request - method response - AWS extensions for API Gateway, and set up every single option

A current API can be exported as Swagger or Open api spec

Swagger can be written in Json or Yaml

using Swagger we can generate SDKs for our apps

8
Q

How does caching work with API Gateway?

A

Caching reduces calls to the backend, reducing pressure on the backend

default TTL 300s (0s - 3600s)

Caches are defined at stage level

Possible to overwrite cache settings on method level

Cache encryption option

Cache capacity between 0.5gb - 237gb

Cache is expensive, use only in prod

9
Q

What is Gateway Cache Invalidation?

A

Cache invalidation is a process in a computer system whereby entries in a cache are replaced or removed

can be done immediately in the UI

can be done from the client side, when the client has proper IAM authorization, by placing the header Cache-Control: max-age=0 in the query to API Gateway

If there is no InvalidateCache policy or authorization is not required, then every user can invalidate the cache => BAD!

10
Q

What about Usage Plan and API Keys for clients of the API?

A

Api can be offered to customers ($)

Usage Plan:

who can access one or more deployed api stages and methods

how often and how fast they can access them

uses API keys to identify and meter clients

configure throttling and quota limits on individual client level

API Keys:

alphanumeric string values distributed to your customers

can be used with Usage Plan to control access

Throttling limits are applied to the API Keys

Quota limits are the overall number of allowed requests

11
Q

What is the correct order for API Keys and Usage Plans?

A
  1. Create one or more APIs, configure the methods to require keys, and deploy to stages
  2. Generate or import API keys and distribute them to developers, our customers
  3. Create the Usage Plan with the desired throttle and quota limits
  4. Associate Api stages and Api keys with the Usage Plan
12
Q

How does Monitoring and Logging work with Api Gateway?

A

CloudWatch Logs:

Enable CloudWatch Logs at the stage level with log level

Can override settings on a per API basis (e.g. ERROR, DEBUG, INFO)

Log contains information about request/response body

X-Ray:

Enable tracing to get extra information about requests in api gateway

X-ray Api GateWay + Lambda gives us the full picture

CloudWatch Metrics:

Metrics are by stage, possibility to enable detailed metrics

important metrics:

CacheHitCount & CacheMissCount - tell how efficient the cache is

IntegrationLatency: The time between Api Gateway relaying a request to the backend and receiving a response from the backend

Latency: The time between Api Gateway receiving a request from a client and sending the response back to the client - includes IntegrationLatency and other Gateway overhead

4xx error (client side) & 5xx error (server side)

13
Q

How does Api Gateway Throttling work?

A

Account Limit:

Api Gateway throttles all apis in an account after 10000rps across all apis - soft limit that can be increased upon request

429 too many requests - error code

can set stage and method limits

can define usage plans

14
Q

What errors does api gateway return?

A

4xx client side:

400: Bad Request
403: Access denied, WAF filtered
429: Quota exceeded, throttle

5xx server side:

502: Bad gateway exception, e.g. incompatible output
503: backend unavailable
504: integration failure, e.g. timeout 29s

15
Q

How does CORS work with gateway?

A

Cross Origin Resource Sharing

must be enabled to receive calls from another domain

The OPTIONS pre-flight request must contain the following headers:

Access-Control-Allow-Methods

Access-Control-Allow-Headers

Access-Control-Allow-Origin

CORS can be enabled through the console

16
Q

How does Authorization and Authentication work with API Gateway?

A

IAM Permission:

User & Roles to authenticate

Policies to authorize

Good to provide access within AWS

Leverages “Sig v4” capability where IAM credentials are in headers

Resource Policies:

Main use: Cross Account Access

Allow for specific source IP address

Allow for VPC endpoint (e.g. only)

Cognito:

Gateway verifies identity automatically from Cognito

No custom implementation required

Authentication: Cognito User Pools

Authorization: API Gateway Methods

uses temp token validation

Lambda Authorizer:

Token based authorizer (JWT or OAuth)

A request-parameter based Lambda Authorizer (headers, query string, stage var)

Lambda must return an IAM policy for the user, policy is cached

Authentication: External

Authorization: Lambda function

client uses 3rd party authentication system’s token

lambda function has to check token validity, e.g. from 3rd party authorizer

17
Q

HTTP API vs. REST API

A

HTTP API:

low latency

cost effective

AWS Lambda proxy apis

HTTP proxy apis

only proxy integrations

private integration apis

support OIDC and OAuth 2.0 authorization

supports CORS

No usage plans or API keys

REST API:

All features

except OIDC and OAuth 2.0 authorization

18
Q

Websocket APIs

A

A websocket is a two-way communication between a client’s browser and a web-server

Server pushes information to the user without the user requesting it

enables stateful application use cases

used for financial trading, games, chats

Can work with any type of integration API Gateway has as a backend, e.g. DynamoDB, Lambda, http endpoints

19
Q

How does websocket work?

A

websocket url:

wss://[uniqueid].execute-api.[region].amazonaws.com/[stage-name]

Client server Messaging

client connects to websocket api gateway and establishes a persistent connection to it, this invokes a lambda function and passes on a connectionid, which remains persistent as long as the client is connected and is passed on to other services

Messages, aka frames are sent to the server through the persistent connection, this invokes a new lambda function

Server client Messaging

Connection URL callback is called by lambda using IAM: Sig v4 and the client’s connectionid, sending messages to the client

The connection url offers the following methods:

POST: Send message from server to connected client

GET Gets connection status of connected client

DELETE: disconnects the client

20
Q

How does websocket routing work with api gateway?

A

Incoming data from the client to the API

incoming json messages are routed to different backend

if no routes => send to $default

I request a route selection expression to select the field on JSON to route from

example: $request.body.action

The result is evaluated against route keys available in my gateway

the route is then connected to the backend configured in api gateway

21
Q

Gateway Architecture

A

We can create a single interface for microservices in our company

Use Api endpoints with various resources

Apply a simple domain name with SSL certificates

Can apply forwarding and transformation rules at the Api Gateway level