AWS API Gateway

Question 1

Amazon API Gateway

Answer 1

API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale.

API Gateway supports the following:

• Creating, deploying, and managing a REST application programming interface (API) to expose backend HTTP endpoints, AWS Lambda functions, or other AWS services.
• Creating, deploying, and managing a WebSocket API to expose AWS Lambda functions or other AWS services.
• Invoking exposed API methods through the frontend HTTP and WebSocket endpoints.

Question 2

All the APIs created with Amazon API Gateway expose HTTPS endpoints only (does not support unencrypted endpoints) ? T/F

Answer 2

True

Question 3

CloudFront is used as the public endpoint for API Gateway ? T/F

Answer 3

True

Question 4

Permissions to invoke a method are granted using IAM roles and policies or API Gateway custom authorizers ? T/F

Answer 4

True

Question 5

API Gateway Certificate Concepts ?

Answer 5

By default API Gateway assigns an internal domain that automatically uses the API Gateway certificates.

When configuring your APIs to run under a custom domain name you can provide your own certificate.

Question 6

What are Amazon API Gateway core Features ?

Answer 6

Support for RESTful APIs and WebSocket APIs

• With API Gateway, you can create RESTful APIs using either HTTP APIs or REST APIs

Private integrations with AWS ELB & AWS Cloud Map

• With API Gateway, you can route requests to private resources in your VPC. Using HTTP APIs, you can build APIs for services behind private ALBs, private NLBs, and IP-based services registered in AWS Cloud Map, such as ECS tasks.

Metering

• Define plans that meter and restrict third-party developer access to APIs.

Security

• API Gateway provides multiple tools to authorize access to APIs and control service operation access.

Resiliency

• Manage traffic with throttling so that backend operations can withstand traffic spikes.

Operations Monitoring

• API Gateway provides a metrics dashboard to monitor calls to services.

Lifecycle Management

• Operate multiple API versions and multiple stages for each version simultaneously so that existing applications can continue to call previous versions after new API versions are published.

AWS Authorization

• Support for signature version 4 for REST APIs and WebSocket APIs, IAM access policies, and authorization with bearer tokens (e.g., JWT, SAML) using Lambda functions.

Question 7

What is an Endpoint ?

Answer 7

An API endpoint type is a hostname for an API in API Gateway that is deployed to a specific region.

The hostname is of the form {api-id}.execute-api.{region}.amazonaws.com.

The API endpoint type can be edge-optimized, regional, or private, depending on where most of your API traffic originates from.

Question 8

What is Edge-Optimized Endpoint ?

Answer 8

An edge-optimized API endpoint is best for geographically distributed clients. API requests are routed to the nearest CloudFront Point of Presence (POP). This is the default endpoint type for API Gateway REST APIs.

Edge-optimized APIs capitalize the names of HTTP headers (for example, Cookie).

CloudFront sorts HTTP cookies in natural order by cookie name before forwarding the request to your origin. For more information about the way CloudFront processes cookies, see Caching Content Based on Cookies.

Any custom domain name that you use for an edge-optimized API applies across all regions.

Question 9

What is a Regional Endpoint ?

Answer 9

• A regional API endpoint is intended for clients in the same region.
• When a client running on an EC2 instance calls an API in the same region, or when an API is intended to serve a small number of clients with high demands, a regional API reduces connection overhead.
• For a regional API, any custom domain name that you use is specific to the region where the API is deployed.
• If you deploy a regional API in multiple regions, it can have the same custom domain name in all regions.
• You can use custom domains together with Amazon Route 53 to perform tasks such as latency-based routing.
• Regional API endpoints pass all header names through as-is.

Question 10

What is a Private Endpoint ?

Answer 10

A private API endpoint is an API endpoint that can only be accessed from your Amazon Virtual Private Cloud (VPC) using an interface VPC endpoint, which is an endpoint network interface (ENI) that you create in your VPC.

Private API endpoints pass all header names through as-is.

Question 11

Define API Gateway REST API ?

Answer 11

A collection of HTTP resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services.

This collection can be deployed in one or more stages.

Typically, API resources are organized in a resource tree according to the application logic.

Each API resource can expose one or more API methods that have unique HTTP verbs supported by API Gateway.

Question 12

What is API Gateway WebSocket API ?

Answer 12

A collection of WebSocket routes and route keys that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services.

The collection can be deployed in one or more stages.

API methods are invoked through frontend WebSocket connections that you can associate with a registered custom domain name.

Question 13

What is Stages and Stage variables ?

Answer 13

A stage is a logical reference to a lifecycle state of your REST or WebSocket API (for example, ‘dev’, ‘prod’, ‘beta’, ‘v2’).

API stages are identified by API ID and stage name.

Question 14

Stage variables can be used in ?

Answer 14

Stage variables can be used in:

• Lambda function ARN.
• HTTP endpoint.
• Parameter mapping templates.

Stage variables are passed to the “context” object in Lambda.

Stage variables are used with Lambda aliases.

You can create a stage variable to indicate the corresponding Lambda alias.

You can create canary deployments for any stage – choose the % of traffic the canary channel receives.

Question 15

Use cases for stage variables ?

Answer 15

Use cases for stage variables ?

• Configure HTTP endpoints your stages talk to (dev, test, prod etc.).
• Pass configuration parameters to AWS Lambda through mapping templates.

Question 16

What is a Mapping Template

Answer 16

• Mapping templates can be used to modify request / responses.
• Rename parameters.
• Modify body content.
• Add headers.
• Map JSON to XML for sending to backend or back to client.
• Uses Velocity Template Language (VTL).
• Filter output results (remove unnecessary data).

Question 17

Caching principles, explain ?

Answer 17

You can add caching to API calls by provisioning an Amazon API Gateway cache and specifying its size in gigabytes.

Caching allows you to cache the endpoint’s response.

Caching can reduce the number of calls to the backend and improve the latency of requests to the API.

API Gateway caches responses for a specific amount of time (time to live or TTL).

The default TTL is 300 seconds (min 0, max 3600).

Caches are defined per stage.

You can encrypt caches.

The cache capacity is between 0.5GB to 237GB.

It is possible to override cache settings for specific methods.

You can flush the entire cache (invalidate it) immediately if required.

Clients can invalidate the cache with the header: Cache-Control: max-age=0 .

Question 18

What are the API throttling limits ?

Answer 18

By default API Gateway limits the steady-state request rate to 10,000 requests per second.

The maximum concurrent requests is 5,000 requests across all APIs within an AWS account.

If you go over 10,000 requests per second or 5,000 concurrent requests you will receive a 429 Too Many Requests error response

Question 19

Amazon API Gateway provides two basic types of throttling-related settings ?

Answer 19

Server-side throttling limits are applied across all clients. These limit settings exist to prevent your API—and your account—from being overwhelmed by too many requests.

Per-client throttling limits are applied to clients that use API keys associated with your usage policy as a client identifier.

Question 20

API Gateway throttling-related settings are applied in the following order ?

Answer 20

1. Per-client per-method throttling limits that you set for an API stage in a usage plan.
2. Per-client throttling limits that you set in a usage plan.
3. Default per-method limits and individual per-method limits that you set in API stage settings.
4. Account-level throttling.

Question 21

AWS Integration Methodology

Answer 21

In AWS integration, you must configure both the integration request and integration response and set up necessary data mappings from the method request to the integration request, and from the integration response to the method response.

Question 22

What is AWS_PROXY Integration ?

Answer 22

This type of integration lets an API method be integrated with the Lambda function invocation action with a flexible, versatile, and streamlined integration setup.

This integration relies on direct interactions between the client and the integrated Lambda function.

With this type of integration, also known as the Lambda proxy integration, you do not set the integration request or the integration response.

API Gateway passes the incoming request from the client as the input to the backend Lambda function.

Question 23

HTTP Integration, what is it ?

Answer 23

This type of integration lets an API expose HTTP endpoints in the backend.

With the HTTP integration, also known as the HTTP custom integration, you must configure both the integration request and integration response.

You must set up necessary data mappings from the method request to the integration request, and from the integration response to the method response.

Question 24

What is HTTP_PROXY Integration ?

Answer 24

The HTTP proxy integration allows a client to access the backend HTTP endpoints with a streamlined integration setup on single API method.

You do not set the integration request or the integration response.

API Gateway passes the incoming request from the client to the HTTP endpoint and passes the outgoing response from the HTTP endpoint to the client.

Question 25

MOCK Integration, what is it ?

Answer 25

This type of integration lets API Gateway return a response without sending the request further to the backend.

This is useful for API testing because it can be used to test the integration set up without incurring charges for using the backend and to enable collaborative development of an API.

In collaborative development, a team can isolate their development effort by setting up simulations of API components owned by other teams by using the MOCK integrations.

It is also used to return CORS-related headers to ensure that the API method permits CORS access.

Question 26

What is a usage plan ?

Answer 26

A usage plan specifies who can access one or more deployed API stages and methods — and how much and how fast they can access them.

You can use a usage plan to configure throttling and quota limits, which are enforced on individual client API keys.

The plan uses API keys to identify API clients and meters access to the associated API stages for each key.

Question 27

What is Same origin policy ?

Answer 27

Used to prevent cross-site scripting attacks.

Web browser permits scripts in a first web page to access data in a second web page but only if the web pages have the same origin.

This is enforced by web browsers.

Question 28

What is Cross-origin resource sharing (CORS) ?

Answer 28

Can enable Cross Origin Resource Sharing (CORS) for multiple domain use with JavaScript/AJAX.

CORS is one way that the server at the other end (not the client code in the browser) can relax the same-origin policy.

CORS allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the first resource was shared.

Question 29

Using CORS Benefits ?

Answer 29

Can enable CORS on API Gateway if using JavaScript / AJAX.

Can be used to enable requests from domains other than the APIs domain.

Allows the sharing of resources between different domains.

The method (GET, PUT, POST etc.) for which you will enable CORS must be available in the API Gateway API before you enable CORS.

If CORS is not enabled and an API resource received requests from another domain the request will be blocked.

Enable CORS on the API resources using the selected methods under the API Gateway.

Question 30

There are several mechanisms for controlling and managing access to an API.

These mechanisms include ?

Answer 30

Resource-based policies.

Standard IAM Roles and Policies (identity-based policies).

IAM Tags.

Endpoint policies for interface VPC endpoints.

Lambda authorizers.

Amazon Cognito user pools.

Question 31

Amazon API Gateway resource policies are ?

Answer 31

Amazon API Gateway resource policies are JSON policy documents that you attach to an API to control whether a specified principal (typically an IAM user or role) can invoke the API.

Question 32

You can use API Gateway resource policies to allow your API to be securely invoked by ?

Answer 32

• Users from a specified AWS account.
• Specified source IP address ranges or CIDR blocks.
• Specified virtual private clouds (VPCs) or VPC endpoints (in any account).
• You can use resource policies for all API endpoint types in API Gateway: private, edge-optimized, and Regional.

Question 33

IAM Identity-Based Policies in context of API Gateway ?

Answer 33

You need to create IAM policies and attach to users / roles.

API Gateway verifies IAM permissions passed by the calling application.

Leverages sigv4 capability where IAM credentials are passed in headers.

Handles authentication and authorization.

Great for user / roles within your AWS account.

Question 34

What is a Lambda Authorizer ?

Answer 34

Use AWS Lambda to validate the token in the header being passed.

Option to cache the result of the authentication.

Lambda must return an IAM policy for the user.

You pay per Lambda invocation.

Handles authentication and authorization.

Good for using OAuth, SAML or 3rd party authentication.

Question 35

What is a cognito user pool ?

Answer 35

A user pool is a user directory in Amazon Cognito.

With a user pool, users can sign in to a web or mobile app through Amazon Cognito.

Users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.

Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through a Software Development Kit (SDK).

Question 36

User pools provide which capabilities ?

Answer 36

Sign-up and sign-in services.

A built-in, customizable web UI to sign in users.

Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, as well as sign-in with SAML identity providers from your user pool.

User directory management and user profiles.

Security features such as multi-factor authentication (MFA).

Question 37

API Gateway provides several features that assist with creating and managing APIs ?

Answer 37

Metering – Define plans that meter and restrict third-party developer access to APIs.

Security – API Gateway provides multiple tools to authorize access to APIs and control service operation access.

Resiliency – Manage traffic with throttling so that backend operations can withstand traffic spikes.

Operations Monitoring – API Gateway provides a metrics dashboard to monitor calls to services.

Lifecycle Management – Operate multiple API versions and multiple stages for each version simultaneously so that existing applications can continue to call previous versions after new API versions are published.

Question 38

Logging and Monitoring, API Gateway Principles ?

Answer 38

The Amazon API Gateway logs (near real time) back-end performance metrics such as API calls, latency, and error rates to CloudWatch.

You can monitor through the API Gateway dashboard (REST API) allowing you to visually monitor calls to the services.

API Gateway also meters utilization by third-party developers and the data is available in the API Gateway console and through APIs.

Amazon API Gateway is integrated with AWS CloudTrail to give a full auditable history of the changes to your REST APIs.

All API calls made to the Amazon API Gateway APIs to create, modify, delete, or deploy REST APIs are logged to CloudTrail.

Question 39

Understanding the following Logging and Monitoring metrics is useful for the exam ?

Answer 39

Monitor the IntegrationLatency metrics to measure the responsiveness of the backend.

Monitor the Latency metrics to measure the overall responsiveness of your API calls.

Monitor the CacheHitCount and CacheMissCount metrics to optimize cache capacities to achieve a desired performance.

Question 40

Open API / Swagger, what is it ?

Answer 40

Can import existing Swagger / Open API 3.0 definitions (written in YAML or JSON) to API Gateway.

This is a common way of defining REST APIs using API definition as code.

Can also export current APIs as Swagger / Open API 3.0 definition.

Uses the API Gateway Import API feature to import an API from an external definition.

With the import API you can either create a new API by submitting a POST request that includes a Swagger definition in the payload and endpoint configuration or you can update an existing API by using a PUT request that contains a Swagger definition or merge a definition with an existing API.

Question 41

What charges are incurred ?

Answer 41

With Amazon API Gateway, you only pay when your APIs are in use.

There are no minimum fees or upfront commitments.

You pay only for the API calls you receive, and the amount of data transferred out.

There are no data transfer out charges for Private APIs (however, AWS PrivateLink charges apply when using Private APIs in Amazon API Gateway).

Amazon API Gateway also provides optional data caching charged at an hourly rate that varies based on the cache size you select.

The API Gateway free tier includes one million API calls per month for up to 12 months.