Amazon API Gateway¶

Introduction¶

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It acts as a "front door" for applications to access data, business logic, or functionality from backend services.

Key Features¶

RESTful and WebSocket APIs - Support for different API types
Serverless - No infrastructure to manage
Multiple backends - Lambda, HTTP, AWS services
Security - IAM, Cognito, API keys, Lambda authorizers
Throttling - Rate limiting and burst control
Caching - Reduce backend calls
OpenAPI support - Import/export API definitions

When to Use¶

Ideal Use Cases¶

Serverless backends - API Gateway + Lambda
Microservices - Unified API layer
Mobile/Web backends - REST APIs for apps
Real-time applications - WebSocket APIs
API monetization - Usage plans and API keys
Legacy modernization - Facade for legacy systems

Signs API Gateway is Right for You¶

Need managed API infrastructure
Want built-in authentication/authorization
Need request/response transformation
Want usage tracking and throttling
Building serverless applications

API Types¶

REST API¶

Full-featured, original API type
Request/response transformation
API keys, usage plans
Caching support
Private integrations (VPC)

HTTP API¶

Lower latency, lower cost
Simpler feature set
JWT authorizers built-in
Best for Lambda/HTTP backends
70% cheaper than REST API

WebSocket API¶

Real-time, bidirectional communication
Persistent connections
Use for: Chat, gaming, dashboards

Comparison¶

Feature	REST API	HTTP API	WebSocket
Cost	Higher	70% less	Per message
Latency	Higher	Lower	Real-time
Caching	Yes	No	N/A
Request transform	Full	Limited	No
Private integration	Yes	Yes	No
Usage plans	Yes	No	No

What to Be Careful About¶

Performance¶

Cold starts - Lambda integration adds latency
Timeout - 29 second maximum (30s for Lambda)
Payload size - 10 MB max (REST), 6 MB (Lambda)
Caching - Only available in REST API
Regional vs Edge - Choose based on client locations

Cost Management¶

Request pricing - $3.50 per million (REST)
Data transfer - Standard AWS rates
Caching - Additional cost for cache instances
HTTP API is cheaper - Use when features allow
WebSocket - Charged per message and connection

Security¶

Authentication - Choose appropriate method
Authorization - Configure carefully
API keys - Not for authentication (only identification)
CORS - Configure properly for browser access
WAF integration - REST API only

Limits¶

Throttling - Default 10,000 RPS account limit
Burst - 5,000 concurrent requests
Stages - Limited stages per API
Resources - Limited resources per API

Integration Types¶

Type	Description	Use Case
Lambda	Invoke Lambda function	Serverless backends
HTTP	Proxy to HTTP endpoint	Existing services
AWS Service	Direct AWS service integration	S3, DynamoDB, SQS
Mock	Return static response	Testing, prototyping
VPC Link	Private resources	NLB in VPC

Authentication & Authorization¶

Methods¶

Method	Description	Use Case
IAM	AWS Signature V4	AWS clients, internal
Cognito	User pools	Web/mobile users
Lambda Authorizer	Custom auth logic	Third-party tokens
API Keys	Usage identification	Tracking, throttling
JWT	HTTP API only	OAuth/OIDC tokens

Lambda Authorizer Types¶

Token-based - Validate bearer token
Request-based - Validate headers, query strings

Common Interview Questions¶

What's the difference between REST API and HTTP API?
REST API: Full-featured, caching, usage plans, higher cost
HTTP API: Simpler, lower latency, 70% cheaper
HTTP API for most new serverless applications
How do you secure an API Gateway endpoint?
IAM authorization (AWS clients)
Cognito authorizer (user pools)
Lambda authorizer (custom logic)
API keys (not for security, for tracking)
WAF (web application firewall)
What is a Lambda authorizer?
Lambda function that validates requests
Returns IAM policy allowing/denying access
Caching available for performance
Two types: token-based, request-based
How do you handle throttling?
Configure usage plans
Set rate limit and burst
Per-method throttling
Account-level limits exist
Return 429 Too Many Requests
What are stages in API Gateway?
Deployment snapshots
Environment representation (dev, staging, prod)
Stage variables for configuration
Canary deployments supported

Request/Response Flow¶

API Gateway Request Flow

Mapping Templates¶

Velocity Template Language (VTL)
Transform request/response
Access context variables
REST API feature (limited in HTTP API)

Caching (REST API)¶

Reduce backend calls
Cache per stage
TTL: 0-3600 seconds
Cache sizes: 0.5 GB to 237 GB
Cache key: URL path, query strings, headers
Invalidation via API or TTL

Alternatives¶

AWS Alternatives¶

Service	When to Use Instead
AppSync	GraphQL APIs
Lambda Function URLs	Simple Lambda invocation
ALB	Container/EC2 backends
CloudFront	Static content, edge functions

External Alternatives¶

Provider	Service
Kong	API gateway platform
Apigee	Google Cloud API management
Azure	Azure API Management
Tyk	Open-source API gateway

Best Practices¶

Use HTTP API - When full REST API features not needed
Enable caching - Reduce backend load (REST API)
Set up throttling - Protect backends from overload
Use Lambda authorizers wisely - Cache authorization results
Configure CORS properly - Required for browser access
Use stages - Separate environments
Enable CloudWatch logging - Debug and monitor
Use WAF - Protect against common attacks
Set appropriate timeouts - Don't waste resources
Use request validation - Fail fast on bad requests

Pricing Summary¶

Component	REST API	HTTP API
First 333M requests	$3.50/million	$1.00/million
Over 333M requests	$2.80/million	$0.90/million
Caching	$0.02-$3.80/hour	N/A
Data transfer	Standard rates	Standard rates
WebSocket	$1.00/million messages	N/A