Developing Solutions with Amazon API Gateway Flashcards

1
Q

What is Amazon API Gateway

A

API Gateway allows you to connect your applications to AWS services and other public or private websites. It provides consistent RESTful and HTTP APIs for mobile and web applications to access AWS services and other resources hosted outside of AWS.

2
Q

Models and Mapping templates in API Gateway

A

API Gateway offers message transformation and validation. Models can be created to define a schema for request/response messages. The request/response payload and header can be validated against the model.

A model defines the data structure of a payload and is described using a JSON schema format.
A mapping template can be used to translate the data from one model to another.

3
Q

Difference between Regional and Edge-optimized endpoints

A

Regional: Regional APIs are deployed in the current region (default selection)

Edge-optimized: Edge-optimized APIs are deployed to an Amazon CloudFront distribution that is geographically closer to the client.

4
Q

What is API caching

A

When you enable caching for a stage, API Gateway caches responses from your endpoint for a specified time-to-live (TTL) period, in seconds. API Gateway then responds to the request by looking up the endpoint response from the cache instead of making a request to your endpoint.

The default TTL value for API caching is 300 seconds. The maximum is 3600 seconds.

The minimum and maximum values for cache capacity are 0.5 GB and 237 GB, respectively.

5
Q

API throttling: what does an API usage plan contain

A

A usage plan prescribes who can access one or more deployed API stages (deployment environment), and how much and how fast the caller can access the APIs. The plan uses an API key to identify an API client and meters access to an API stage with the configurable throttling and quota limits that are enforced on individual client API keys.

6
Q

API throttling: what are the two limits that can be set

A

• Rate: Average number of requests per second over an extended period of time (steady-state request rate). The default value is 10,000 requests per second.
• Burst: Maximum number of concurrent requests that API Gateway can fulfill at any moment. The default value is 5,000 requests. If this limit is exceeded, API Gateway returns an HTTP 429 Too Many Requests error response.

7
Q

How to secure API method invocations

A
  • Creating a resource policy: A resource policy is a JSON policy document that you attach to an API to control whether a specified principal (typically an IAM user or role) can invoke the API.
  • Creating an Identity and Access Management (IAM) permission policy to protect:
    • The creation, deployment, and management of an API
    • The invocation of the methods in the API and the refresh of its cache
  • Creating a private API endpoint that can only be accessed by a virtual private cloud (VPC) client.
  • Integrating with Amazon Cognito or Lambda authorizers to authenticate and authorize clients before they access backend resources.
  • Using Amazon CloudFront as a security layer to protect against distributed denial of service (DDoS) attacks.
8
Q

What are Amazon Cognito user pools

A

Cognito user pools allow you to create and maintain a user directory. With Cognito, a user can sign in using an email, a phone number, or a user name. The user can also start as an anonymous user and then sign in using a social identity.

9
Q

Cognito user pool authentication steps

A
  1. The client app sends an authentication request to the Cognito user pool.
  2. Cognito sends back an OpenID Connect (OIDC)-compatible and JWT (JSON Web Token) access token.
  3. The identity token is passed to API Gateway in the Authorization header to authenticate the client.
  4. API Gateway validates the identity token with Cognito.
  5. If the request is authorized, the call is forwarded to the backend service.
  6. The client app can access the AWS resource.
10
Q

How does API Gateway integrate with CloudWatch

A

Amazon API Gateway integrates with Amazon CloudWatch by sending log messages and detailed metrics to it.

The detailed metrics that API Gateway can send to Amazon CloudWatch are:
• Number of API calls
• Latency
• Integration latency
• HTTP 400 and 500 errors

11
Q

How can we test the API

A

To test the API using a client other than the API Gateway test-invoke-request feature, you must first deploy it to a stage. Stages are meant to help with the development lifecycle of an API.

Once the deployment process is finished, the Stage Editor pane is displayed, showing the URL to invoke the API’s GET / method request in the Invoke URL field. The Stage Editor also allows you to manage and optimize a particular deployment.

12
Q

How can we document the API

A

API Gateway API documentation consists of individual documentation parts associated with specific API entities that include API, resource, method, request, response, message parameters (path, query, and header), in addition to authorizers and models.

Documentation can also be imported as a Swagger file, either as part of the API or separately, allowing you to add or update the documentation without disturbing the API definition. API Gateway conforms to the OpenAPI Specification for documentation imported from, or exported to, Swagger files.

13
Q

How can we call the API programmatically

A

To call your API programmatically, you must generate a platform or language-specific SDK for it, from the Stage Editor’s SDK Generation tab.
Supported platforms: Java, Java for Android, JavaScript, Objective-C, Swift, and Ruby.
Every time you update an API, you must redeploy it and regenerate the SDK to include the updates.

14
Q

Difference between Lambda Proxy integration and Custom integration

A

With the Lambda proxy integration, the setup is simple because the input to the integrated Lambda function is the as-is input request from the client.
If the API does not require data transformation, you need to set only the integration’s HTTP method to POST, the integration endpoint URI to the ARN of the Lambda function, and the credential to an IAM role with permissions to allow API Gateway to call the Lambda function.

The custom integration is a legacy technology. With the Lambda custom integration, the setup is more involved. In addition to the proxy integration setup steps, you must also specify how the incoming request data is mapped to the integration request, and how the resulting integration response data is mapped to the method response.
You must map errors returned by the Lambda function in the integration response to standard HTTP error responses. By default, Lambda function errors are returned as 200 OK.

15
Q

Best practices for developing an API

A
  • When API client requests come from the same region where the API is deployed, a regional API endpoint is recommended.
  • Test invoking the API before deploying it.
  • Use HTTP 500 error code for error handling.
  • Cache only GET methods.
  • Enable CloudWatch logs and metrics.