API Gateway Flashcards
What are API Gateway integrations at a high level?
- Lambda function: easy way to expose a REST API
- HTTP: internal HTTP API, on-prem, ALB
- AWS Service: any AWS API, e.g. start a Step Function workflow
What are API Gateway endpoint types?
- Edge-Optimized (default)
- Regional
- Private
What is API Gateway Edge-Optimized endpoint type used for?
For global clients
- Requests are routed through the CloudFront Edge locations (improves latency)
- The API Gateway still lives in only one region
What is API Gateway Regional endpoint type used for?
- For clients within the same region
- Could manually combine with CloudFront (more control over the caching strategies and the distribution)
What is API Gateway Private endpoint type used for?
- Can only be accessed from your VPC using an interface VPC endpoint (ENI)
- Use a resource policy to define access
What are API Gateway Deployment Stages?
- Making changes in API Gateway does not make them effective by itself
- You need to make a “deployment” for them to be in effect
- Changes are deployed to “Stages” (as many as you want)
- Use the naming you like for stages (dev, test, prod)
- Each stage has its own configuration parameters
- Stages can be rolled back as a history of deployments is kept
What are API Gateway stage variables?
- Stage variables are like environment variables for API Gateway
- Use them for frequently changing configuration values
Where can API Gateway stage variables be used?
They can be used in:
- Lambda function ARN
- HTTP Endpoint
- Parameter mapping templates
What are the use cases for API Gateway stage variables?
- Configure HTTP endpoints your stages talk to (dev, test, prod…)
- Pass configuration parameters to AWS Lambda through mapping templates
Give an example of using an API Gateway stage variable in a Lambda function context
LAMBDA_FUNCTION:${stageVariables.STAGE_VAR}
What do you need to do in the CLI when API Gateway is put in front of a Lambda function referenced through a stage variable?
You need to run a command in your CLI to update your Lambda resource-based policy.
Run that command for each of the N defined aliases; this creates N resource-based policies, one per alias.
Where are API Gateway configurations available?
At stage level
What deployment option do you have for API Gateway stages?
Possibility to enable canary deployments for any stage (usually prod)
How does API Gateway canary deployment work?
- Choose the % of traffic the canary channel receives
- This is blue / green deployment with AWS Lambda & API Gateway
- Possibility to override stage variables for canary
- Metrics & Logs are separate (for better monitoring)
What are 4 API Gateway integration types?
- Mock
- HTTP / AWS (Lambda & AWS Services)
- AWS Proxy (Lambda Proxy)
- HTTP Proxy
What is API Gateway Mock integration type?
API Gateway returns a response without sending the request to the backend
What is API Gateway HTTP / AWS integration type?
- You must configure both the integration request and integration response (modify requests and responses)
- Set up data mapping using mapping templates for the request & response
What is API Gateway AWS Proxy integration type?
- The incoming request from the client is the input to Lambda
- The function is responsible for the logic of request / response
- No mapping template; headers, query string parameters, etc. are passed as arguments
What is API Gateway HTTP Proxy integration type?
- No mapping template
- The HTTP request is passed to the backend
- The HTTP response from the backend is forwarded by API Gateway
What are API Gateway Mapping templates?
- Mapping templates can be used to modify request / responses
- Rename / Modify query string parameters
- Modify body content
- Add headers
- Filter output results (remove unnecessary data)
What language is used by API Gateway Mapping Templates?
Velocity Template Language (VTL)
What can you use to import / export API Gateway Rest APIs?
- Swagger
- OpenAPI
What are API Gateway Cache TTL range values?
Default TTL is 5 minutes (min: 0s, max: 1 hour)
Where do you define API Gateway cache?
At stage level, but it is possible to override cache settings (disable, enable, modify TTL, etc.) per method
What is the API Gateway cache capacity range?
0.5 GB - 237 GB
How much does API Gateway cache cost?
Cache is expensive; it makes sense in production and may not make sense in dev / test
Is the API Gateway cache encrypted?
You have the option to encrypt it
How can API Gateway cache be invalidated?
Clients can invalidate the cache with the header Cache-Control: max-age=0 plus proper IAM authorization
What can happen if you don’t specify an API Gateway invalidation policy?
If you don’t impose an InvalidateCache policy (or choose the Require authorization check box in the console), any client can invalidate the API cache, which can result in a disaster
What option do you have if you want to expose your API (Gateway) as an offering to your customers?
You can define a Usage plan
What can you define in an API Gateway Usage plan?
- Who can access one or more deployed API stages and methods
- How much and how fast they can access them
- Configure throttling limits and quota limits that are enforced on individual clients
What are API Gateway API Keys?
Alphanumeric string values to distribute to your customers that you can use with usage plans to control access
What must callers of an API Gateway API that uses a Usage Plan provide?
Callers of the API must supply an assigned API key in the x-api-key header in requests to the API
What is used by API Gateway to log and trace?
CloudWatch Logs and X-Ray
At what level can you enable API Gateway logging?
At the stage level; settings can be overridden on a per-API basis (ERROR, DEBUG, INFO)
Can you use metrics in API Gateway?
CloudWatch Metrics are per stage, with the possibility to enable detailed metrics
What are the 5 most important API Gateway metrics?
- CacheHitCount
- CacheMissCount
- Count
- IntegrationLatency
- Latency
- 4XXError (client-side) & 5XXError (server-side)
What are CacheHitCount and CacheMissCount metrics in API Gateway?
Efficiency of the cache: if CacheHitCount is high, the cache is efficient
What is Count metric in API Gateway?
The total number of API requests in a given period.
What is Integration Latency metric in API Gateway?
The time between when API Gateway relays a request to the backend and when it receives a response from the backend.
What is Latency metric in API Gateway?
The time between when API Gateway receives a request from a client and when it returns a response to the client. The latency includes the integration latency and other API Gateway overhead.
What is the API Gateway request throttling limit?
API Gateway throttles requests at 10000 requests per second across all APIs
Soft limit that can be increased upon request
Just like Lambda concurrency, one overloaded API, if not limited, can cause the other APIs to be throttled
In case of API Gateway throttling, what error do you get?
429 Too Many Requests (retriable)
What can you do to improve performance of API Gateway in terms of throttling?
- Can set Stage limit & Method limits to improve performance
- Or you can define Usage Plans to throttle per customer
What do API Gateway 4xx and 5xx errors mean?
4xx means client errors and 5xx means server errors
What is API Gateway 400 error?
Bad Request
What is API Gateway 403 error?
Access denied, WAF filtered
What is API Gateway 502 error?
Bad Gateway Exception, usually for an incompatible output returned from a Lambda proxy integration backend and occasionally for out-of-order invocations due to heavy loads
What is API Gateway 503 error?
Service Unavailable Exception
What is API Gateway 504 error?
Integration Failure, e.g. Endpoint Request Timed-out Exception
What is API Gateway request timeout?
API Gateway requests time out after a maximum of 29 seconds
What do you need to enable in API Gateway when you receive requests from another domain?
CORS must be enabled (this can be done through the console) when you receive API calls from another domain
What must API Gateway contain to accept CORS requests?
You must create (assisted by API Gateway) an OPTIONS method which will be used by CORS, containing these headers:
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- Access-Control-Allow-Origin
When will your API Gateway CORS configuration not work?
If your API Gateway is in front of a Lambda proxy integration, this approach will not work. Instead you need to return the Access-Control-Allow-Origin header from the Lambda itself
What methods can you use for security in API Gateway?
- IAM
- Cognito User Pools
- Custom Authorizer (Lambda Authorizer)
What is IAM security in API Gateway great for?
Great for users / roles already within your AWS account, + resource policy for cross account
What does API Gateway IAM security leverage?
“Sig v4” capability where IAM credentials are in headers: good to provide access to external users
How can you allow cross account access in API Gateway?
Using Resource Policies combined with IAM Security
How does API Gateway IAM security handle Authorization and Authentication?
Both are handled by IAM
How does API Gateway Custom Authorizer handle Authorization and Authentication?
Authentication = External (up to you) and Authorization = Lambda function
How does API Gateway Cognito security handle Authorization and Authentication?
Cognito handles authentication, you must implement authorization in the backend
How is API Gateway integrated with Cognito User Pools?
- Cognito fully manages the user lifecycle; tokens expire automatically
- API Gateway verifies identity automatically from AWS Cognito
- No custom implementation required
How is API Gateway integrated with Custom Authorizers?
Great for third-party token-based authorizers (bearer token), e.g. JWT (JSON Web Token) or OAuth
Lambda must return an IAM policy for the user, result policy is cached
Very flexible in terms of what IAM policy is returned
What are API Gateway HTTP APIs?
Simpler and lower cost; REST APIs are better
What feature is not present in API Gateway REST APIs?
Native OpenID Connect / OAuth 2.0
What is WebSocket?
- Two-way interactive communication between a user’s browser and a server
- Server can push information to the client
- This enables stateful application use cases
What are use cases for API Gateway WebSocket APIs?
Real-time applications such as chat applications, collaboration platforms, multiplayer games, and financial trading platforms.
Works with AWS Services (Lambda, DynamoDB) or HTTP endpoints