API Gateway Flashcards

1
Q

What are some examples/use cases of API Gateway Integrations (at a high level)?

A

Lambda
- Invoke a Lambda function
- Easy way to expose a REST API backed by Lambda
HTTP
- Expose HTTP endpoints in the backend
- Example: internal HTTP API on premises, Application Load Balancer
- Can add rate limiting, caching, user authentication, API keys, etc.
AWS service
- Expose any AWS API through the gateway (e.g., posting a message to SQS)
- Can add authentication, deploy publicly, rate control, etc.

2
Q

What are the three endpoint types?

A

Edge optimized (default)
- For global clients
- Requests are routed through the CloudFront Edge locations (better latency)
- API Gateway still lives in only one region
Regional
- Clients within the same region
- Could manually combine with CloudFront (more control over caching strategies and distribution)
Private
- Can only be accessed from your VPC using an interface VPC endpoint (ENI)
- Use a resource policy to define access

3
Q

How can you provide user authentication for API Gateway?

A
  • IAM roles (for internal applications)
  • Cognito (identity for external users - e.g., mobile users)
  • Custom Authorizer (custom logic in a Lambda function)
4
Q

How can you use Custom Domain Name HTTPS security with API Gateway?

A

Integration with ACM (AWS Certificate Manager)
- If using Edge-Optimized, then certificate must be in us-east-1
- If using Regional, certificate must be in same region as the API Gateway stage region
- Must set up CNAME or A-alias record in Route 53

5
Q

How can you deal with API breaking changes from, say, a new version of a Lambda function?

A

Upversion your API Gateway stage to be able to handle this new change - this will generate a new API Gateway URL.

6
Q

What are stage variables, and what is a use case for them?

A

API Gateway environment variables
- Configure HTTP endpoints your stages talk to (dev, test, prod)
- Pass config params to Lambda through mapping templates

7
Q

How are stage variables passed to a lambda function?

A

Through the ‘context’ object in Lambda
- Format: ${stageVariables.variableName}

8
Q

How can you use stage variables and lambda aliases to manage lambda deployments?

A

Separate API Gateway into dev, test and prod stages
- Use stage variables to pass in the correct lambda alias to each stage (i.e., prod alias to prod stage)
- Can use the alias in prod to direct a small portion of traffic to the test lambda function (e.g., to test a V2 function)

9
Q

What is a method to safely test new stage deployments in prod?

A

Enable canary deployment
- Choose the % of traffic the canary channel receives
- Gives separate metrics and logs for the canary stage
- Can override stage variables for canary
Equivalent of a blue/green deployment for Lambda and API Gateway

10
Q

What is Integration Type MOCK?

A

API Gateway returns a response without sending the request to the backend

11
Q

What is Integration Type HTTP / AWS?

A

Integration with Lambda & AWS services
- Must configure both the integration request and the integration response
- Set up data mapping using mapping templates for the request and response

12
Q

What is Integration Type AWS_PROXY?

A

Lambda proxy
- The request from the client is the input to the Lambda function
- The function is responsible for the logic of the request/response
- No mapping template; headers and query string params are passed to the function as arguments

13
Q

What is Integration Type HTTP_PROXY?

A
  • No mapping template
  • HTTP request passed to backend, and response from the backend is forwarded by API Gateway
  • Possibility to add HTTP Headers (such as an API key, so that it does not need to be passed in via the client)
14
Q

What is a mapping template, and where can it be used?

A

Used to modify request / responses
- rename / modify query string params
- modify body content
- add headers
- filter output results
- Content-Type must be set to application/json or application/xml

15
Q

What is a use-case of mapping templates?

A
  • Transform a REST API request (JSON) to a SOAP API request (XML) for use with a SOAP service
  • Rename query string parameter variable names
16
Q

What is the OpenAPI Spec, and how does it relate to API Gateway?

A

Common way of defining REST APIs, using API definition as code
- Can import existing OpenAPI 3.0 spec into API Gateway
- Can export current API as OpenAPI spec

17
Q

How can you reduce unnecessary calls to the backend with API Gateway?

A

Configure API Gateway to perform basic validation of an API request before proceeding with the integration request
- If validation fails, returns a 400 error to the caller
- Checks that the required request parameters in the URI, query string and headers of an incoming request are included and non-blank
- Checks that the payload adheres to a configured JSON Schema request model

18
Q

How can you reduce the number of calls to the backend for different methods/stages?

A

Enable caching
- Caches are defined per stage (and very expensive, so makes sense in production but not other envs)
- Can override caching config on a per method basis

19
Q

How can you allow specific clients to invalidate a cache?

A

Include in the request the header: Cache-Control: max-age=0
- Requires proper IAM authorization
- If you don’t impose an InvalidateCache policy (i.e., request authorization), any client can invalidate the API cache

20
Q

How can you make your API available to customers?

A

Usage plans
- Who can access one or more deployed stages and methods
- Configure throttling limits and quota limits per client
- Use API keys to identify API clients and meter access
API keys
- Alphanumeric string values to distribute to customers
- Throttling and quota limits are applied to API keys
- Associate API stages and API keys with a usage plan

21
Q

How can you check if your API Gateway cache is working properly?

A

Enable logging to CloudWatch, and review CacheHitCount and CacheHitMiss metrics

22
Q

How can you check the total number of API Gateway requests?

A

‘Count’ metric in CloudWatch

23
Q

How can you check how long it is taking for the backend to reply to an API Gateway request?

A

Check the IntegrationLatency metric, which measures the time between the request being sent to the backend and the response being received.

24
Q

How can you check the total time taken for API Gateway to respond to a request from a client?

A

Latency metric - total API Gateway overhead (including IntegrationLatency)

25
Q

How can you ensure that one stage does not use up too much of the account request limit?

A

Set stage limits/method limits on request count

26
Q

How does API Gateway throttling relate to Lambda Concurrency?

A

If one API is overloaded (and not limited), other APIs become throttled as well (same with Lambda concurrency limits)

27
Q

How should you provide access to API Gateway from within AWS (i.e., from another service/IAM user)?

A

Create an IAM policy for authorization and attach it to a User/Role
- Leverages the ‘Sig v4’ capability, where IAM credentials are in the headers of the request (API Gateway then decrypts credentials and performs the policy check)

IAM handles Authentication, IAM policy handles authorization

28
Q

Give a use case for using a resource policy to allow access to API Gateway.

A
  • Allow for Cross Account Access (combine with IAM security)
  • Allow for a specific source IP address
  • Allow for a VPC endpoint
29
Q

How does a Lambda authorizer (custom authorizer) work, and when might you use it?

A

Two kinds of Lambda authorizer:
- Token-based authorizer (bearer token), e.g., JWT, OAuth
- Request parameter-based Lambda authorizer (headers, query string, stage variables)
- The Lambda must return an IAM policy for the user; the resulting policy is cached

Used when you want to use a third party to perform your authorization (not IAM or Cognito User Pools)

Authentication is External, Lambda function output determines authorization

30
Q

What AWS service can handle security around API Gateway, and how?

A

Cognito User Pools
- Manages user lifecycle, token expires automatically
- API Gateway verifies identity automatically from Cognito
- No custom implementation required

Cognito handles Authentication, API Gateway Methods handle Authorization

31
Q

What is the difference between HTTP APIs and REST APIs?

A

HTTP APIs
- Cheaper, low latency
- No data mapping, resource policies, usage plans and API keys

32
Q

What is WebSocket?

A

Two-way interactive communication between the user's browser and the server
- Server can push information to the client
- Enables stateful application use cases

33
Q

What is a use case of WebSocket?

A

Real-time applications such as chat, collaboration, multiplayer games, financial trading platforms

34
Q

How does API Gateway send messages to a client (server to client messaging) using WebSocket?

A

When the client initially connects, the connectionId is persisted in DDB
- To send a message to the client, use the Connection URL callback with the connectionId attached (via HTTP POST with IAM Sig v4)

35
Q

How can you route different JSON messages to different backend when using WebSocket?

A

Use a ‘route selection expression’, e.g., $request.body.action would grab the value of the action item
- The result of this expression is evaluated against the route keys available in your API Gateway (if no route matches, the $default route is used)