API GATEWAY Flashcards

1
Q

Integrations

A

Lambda Function: REST API

HTTP: Expose HTTP endpoint
API on premise
ALB in cloud environment
Add rate limit, cache, user auth, API keys

AWS service
Expose any AWS API through the gateway
Auth, deploy public, rate control

2
Q

API gateway endpoint types

A

Edge Optimized
CloudFront edge location routing of requests
API Gateway in one region serves clients in multiple others

Regional
Clients in same region
Can be integrated with CloudFront for more control
API clients in one region

Private
Only in VPC, use resource policy to access

3
Q

API Gateway Deployment

A

Changes are not implemented until Deployment, which makes them LIVE

Deployed to Stages: Dev, Prod, Test

Each stage gets its own configuration and can be rolled back, because the deployment history of each stage is kept.

4
Q

API Breaking Change

A

Blue/Green deployment of versions: allows stages to be assigned V1 and V2

When a new stage is deployed, a new API URL is generated; users are directed gradually to the new stage without breaking the old stage's user sessions. Full migration over time.

5
Q

Stage Variables

A

Stage Variables are similar to ENVIRONMENT VARIABLES

Used for values that change often (configuration variables).

Usage:
Configure HTTP endpoints for dev/test/prod
Pass config parameters to AWS Lambda through mapping templates

Passed to the context object in AWS Lambda

6
Q

Stage Variable-> Lambda Alias

A

Dev Stage -> DEV alias -> Latest Lambda function

Test Stage -> Prod alias -> Lambda V1 (95%) / Lambda V2 (5%)
Prod Stage -> Test alias -> Lambda V2 (100%)

This allows prod to send 5% of traffic over to the new stage.

7
Q

API GATEWAY CANARY Deployment

A

Allows testing of a new API version

95% of client traffic goes to the prod stage and 5% is directed to the canary; this allows testing before shifting 100%

Prod Stage -> V1
Prod Stage Canary -> V2

Allows Blue-Green Deployment

  • Allows separate metrics and logs
  • Can override stage variables
8
Q

API gateway integration: MOCK

A

MOCK: for development; allows the gateway to be built without a backend actually sending back responses. Enables you to develop your API independently from your backend.

9
Q

API INTEGRATION:

HTTP/AWS Lambda / other services

A

HTTP/AWS (Lambda / other services)
Custom HTTP
Custom AWS service integration
Configure integration request and integration response
Set up data mapping using mapping templates for request and response. API Gateway can modify the request and response.

10
Q

API integration

A

You choose an API integration type according to the types of integration endpoint you work with and how you want data to pass to and from the integration endpoint.

11
Q

API INTEGRATION:

AWS Proxy

A

Incoming request is the input to Lambda
Function is responsible for the logic of request/response

NO MAPPING TEMPLATE; can't change HEADERS or QUERY STRING PARAMS. These are passed to the Lambda function as arguments

Lambda takes the invocation, processes it and creates a function response. The work is on the backend; API Gateway just proxies the request through

12
Q

API INTEGRATION:

HTTP Proxy

A

NO MAPPING TEMPLATE
HTTP request is passed to the backend (e.g. ALB)
HTTP response from the backend is forwarded by API Gateway

13
Q

Mapping Templates (AWS or HTTP)
NO PROXY

A

USE: Modify requests and responses

Rename / modify query string parameters
Modify body content
Add headers

Uses Velocity Template Language (VTL)
Filter output results and remove unnecessary data.

14
Q

Mapping template example

A

JSON to XML with SOAP

Client -JSON-> API -XML-> SOAP API
SOAP API -XML-> API -JSON-> Client

API Gateway:

Extract data that comes in as JSON
Build SOAP message based on request data (mapping template)
Call SOAP service with built XML
Receive XML
Transform XML response to JSON back to user.

15
Q

Swagger

A

API definition as code

Import existing Swagger / OpenAPI 3.0

Method
Method Request
Integration Request
Method Response
+ AWS extensions for API

Can export current API as Swagger/OpenAPI

Swagger written in YAML or JSON
Swagger can be used to generate SDKs for apps

16
Q

CACHING API response

A

Caching reduces calls to the backend

Default TTL is 300 s (5 min)
Max is 3600 s, min is 60 s

Defined per stage or overridden per method

Cache can be encrypted
Size 0.5 GB to 237 GB

Expensive, only use in production

17
Q

Cache invalidation

A

Can be flushed entirely
or clients can invalidate

Cache-Control: max-age=0
Needs permission from IAM
If you do not impose an InvalidateCache policy, or do not choose the "require auth" option in the console, then any client can invalidate the cache!!!

18
Q

METHOD

A

The primary or most-commonly-used HTTP verbs (or methods, as they are properly called) are POST, GET, PUT, PATCH, and DELETE. These correspond to create, read, update, and delete (or CRUD) operations, respectively.

In API Gateway, an API method embodies a method request and a method response. You set up an API method to define what a client should or must do to submit a request to access the service at the backend and to define the responses that the client receives in return. … An API method request is an HTTP request.

19
Q

STAGE

A

A stage is a named reference to a deployment, which is a snapshot of the API. You use a Stage to manage and optimize a particular deployment. For example, you can configure stage settings to enable caching, customize request throttling, configure logging, define stage variables, or attach a canary release for testing.

20
Q

API Usage Plans

A

Usage plan

Who can access which stages and methods
How fast they can access them
Which API keys identify clients and meter access
Can configure throttle limits and quota limits that are enforced on an individual client.

21
Q

API Keys

A

Alphanumeric string, distributed to clients
Can be used with usage plans to control access
Throttle limit is applied to API keys
Quota limit is the overall maximum number of requests

22
Q

Correct Order for API key

A

Configure and use a plan

  1. Create the API, configure methods in the API to require an API key, deploy the API into stages
  2. Generate or import API keys to distribute to application developers or customers who will use the key
  3. Create a usage plan with the desired throttle and quota limits
  4. Associate API stages and API keys with the usage plan!

**Callers of the API must supply the assigned API key in the
x-api-key header in requests to the API

23
Q

Monitor: CloudWatch Logs

A

CloudWatch logging at stage level, via log level

Can override settings on a per-API basis

ERROR: anything that results in an error
INFO: anything outgoing or incoming from the API
DEBUG

Logs contain information about the request/response body

24
Q

Monitor: X-ray Tracing

A

Enable tracing to get extra information about requests in API Gateway

X-Ray on API Gateway + AWS Lambda gives the full picture

25
Q

CloudWatch Metrics: CacheHitCount/CacheMissCount

A

Efficiency of the cache
Hits good / don't want low
Misses bad / don't want high

26
Q

Cloudwatch Metrics: Count

A

Total number of API requests in a period

27
Q

Cloudwatch Metrics: Integration Latency

A

Time:

Between when API Gateway relays the request to the backend and when it receives the response

28
Q

Cloudwatch Metrics: Latency

A

Time between when API Gateway receives the request from the client and when it returns the response

Integration latency + API Gateway overhead.

29
Q

Throttling

A

Account limit total
10,000
Soft limit, can be changed

In case of throttle: 429 Too Many Requests, can be retried

Can set stage limits and method limits to improve performance

Can define usage plans to throttle per customer

JUST LIKE LAMBDA, ONE BAD API CAN TAKE DOWN ALL THE REST.

30
Q

4xx error

A

CLIENT

400 Bad Request
403 Access Denied, WAF issue
429 Quota Exceeded, throttle active

31
Q

5xx error

A

SERVER

502: Bad Gateway, when the backend gives back an incompatible answer that can't be sent back.
503: Service Unavailable exception
504: Integration failure: endpoint request timeout of 29 seconds!

32
Q

API CORS

A

Cross Origin Resource Sharing:

API calls from a different domain

Can be enabled via the console

33
Q

Options for CORS: Preflight requests

A

Access-Control-Allow-Methods
Access-Control-Allow-Headers
Access-Control-Allow-Origin

34
Q

How CORS happens

Cross origin: apiexample.com
Origin: websiteexample.com

A

Preflight request is sent from the origin to API Gateway:
OPTIONS /
Host: apiexample.com (this is the API)
Origin: websiteexample.com (this is the different domain)

Preflight response is sent back to the browser:
Access-Control-Allow-Origin: websiteexample.com
Access-Control-Allow-Methods: GET, PUT, DELETE

Browser now sends the actual request to the API:

GET /
Host: apiexample.com
Origin: websiteexample.com

35
Q

IAM permissions and API

A

Create an IAM policy for authorization and attach it to a user/role

Authentication via IAM
Authorization via IAM policy

Good for providing access within AWS to EC2/Lambda

36
Q

IAM permissions from API: Sigv4

A

Signature Version 4 is the process to add authentication information to AWS requests sent by HTTP. For security, most requests to AWS must be signed with an access key, which consists of an access key ID and secret access key.

37
Q

Sigv4 signing process in Header

A

CLIENT:

Sends the request to API Gateway via the REST API with a SigV4 header

API GATEWAY: performs a policy check with IAM

BACKEND: the policy check then unlocks access to the Lambda backend.

Connection complete.

38
Q

API GATEWAY: Resources policy

A

WHO CAN ACCESS THE API:

Amazon API Gateway resource policies are JSON policy documents that you attach to an API to control whether a specified principal (typically an IAM user or role) can invoke the API. You can use API Gateway resource policies to allow your API to be securely invoked by:

Cross-account access: specified AWS accounts
Specific IP addresses
VPC access: specified VPC endpoints

39
Q

API GATEWAY Security: Cognito Pool

A

Authentication: Cognito User Pool
Authorization: API Gateway methods

Cognito fully manages the user lifecycle; tokens expire automatically
Token verification is done automatically by AWS Cognito
No custom implementation

  1. Cognito User Pool: authenticates the user and returns a token to the client
  2. Client: calls the REST API and passes the token from above to API Gateway

2A. Token is evaluated against the Cognito User Pool

  3. Success allows access to the backend.

40
Q

API Gateway Security: Lambda Authorizer

A

Authentication: External
Authorization: Lambda function

Formerly Custom Authorizer

Third-party auth system: the client authenticates there and retrieves a token

Token is passed to the gateway via a header or request parameters

API Gateway: request context plus token sent to the LAMBDA AUTHORIZER

Lambda Authorizer: the Lambda function verifies the token by talking to the third-party authentication system

If verified: an IAM principal and policy are created
Policy is CACHED in the policy cache for future use.

API Gateway will now talk to the backend.

41
Q

request parameters

A

Request parameters are the result of submitting an HTTP request with a query string that specifies the name/value pairs, or of submitting an HTML form that specifies the name/value pairs. The name and the values are always strings. … Parameters are Strings, and generally can be retrieved, but not set.

42
Q

GATEWAY SECURITY SUMMARY

A

IAM:
Roles and users already in the account; resource policy for cross-account access
Handles authentication/authorization
Leverages SigV4

Custom Authorizer:
Great for third-party tokens
Flexible in what IAM policy is returned
Handles auth verification and authorization in a Lambda function; we pay for the Lambda function, and results are cached.

Cognito User Pool:
Manage your own user pool (Google etc.)
No code needed
Implement authorization in the backend

43
Q

HTTP API

A
NO AWS LAMBDA
NO IAM
NO MOCK
NO USAGE PLANS
NO API KEYS
YES COGNITO
YES OPEN ID / OAUTH 2.0

Low latency, cost effective
Lambda Proxy
Http Proxy
Private Integration

Supports OIDC/OAuth 2.0 authorization (unlike REST)
built in support for CORS

NO USAGE PLANS AND API KEYS!
NO MAPPING TEMPLATE ALL PROXY

LAMBDA PROXY:
The Lambda proxy integration allows the client to call a single Lambda function in the backend. The function accesses many resources or features of other AWS services, including calling other Lambda functions. … To enable this, the client must follow application protocols enacted by the backend Lambda function.

HTTP proxy integration: enables you to connect an API route to a publicly routable HTTP endpoint

Private Integration:
This is an endpoint network interface that you create in your VPC. Using resource policies, you can allow or deny access to your API from selected VPCs and VPC endpoints

44
Q

REST API usage

A

Yes to
AWS LAMBDA
IAM
Amazon Cognito

Doesn’t use OpenID connect / Oauth 2.0

45
Q

rest vs http API

A

HTTP IS CHEAPER AND SIMPLE

Amazon API Gateway announced HTTP APIs, enabling customers to quickly build high performance RESTful APIs that are up to 71% cheaper than REST APIs also available from API Gateway. HTTP APIs are optimized for building APIs that proxy to AWS Lambda functions or HTTP backends, making them ideal for serverless workloads.

46
Q

WEBSOCKET API

A

PERSISTENT
REAL TIME
DASHBOARD

Two way interaction between browser and server
Server can push info to client
Enables Stateful application

Stateful application use cases:
Real-time applications:
Chat
Games
Financial trading

Works with
AWS services
Other HTTP endpoints