
AWS API Gateway

Detailed Content

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It acts as a "front door" for applications to access data, business logic, or functionality from your backend services.

Core Concepts

  • API: A collection of programmable interfaces that allow different software components to communicate with each other. In API Gateway, an API can be a REST API, HTTP API, or WebSocket API.
  • Endpoints: The URL through which your API is exposed. API Gateway supports different endpoint types:
    • Edge-optimized: For APIs accessed by clients from geographically diverse locations. It uses Amazon CloudFront to improve performance by routing requests through the AWS global network to the nearest CloudFront edge location.
    • Regional: For APIs primarily accessed by clients within the same AWS region. This is suitable when your API consumers are co-located with your backend services.
    • Private: For APIs that can only be accessed from within your Amazon VPC using an interface VPC endpoint. This is ideal for internal applications or microservices that should not be exposed to the public internet.
  • Resources: Represent the logical components of your API (e.g., /users, /products). These are hierarchical and define the structure of your API.
  • Methods: HTTP verbs (GET, POST, PUT, DELETE, PATCH, OPTIONS) associated with a resource. Each method can have its own integration and response configuration.
  • Integrations: The backend endpoint that API Gateway connects to when a client invokes an API method. API Gateway supports various integration types:
    • Lambda functions: For serverless backends, where API Gateway directly invokes a Lambda function. This is a common pattern for building serverless APIs.
      • Use Case (Lambda Proxy Integration): This is the most common approach. API Gateway passes the entire request as an event to the Lambda function. The Lambda function then handles the business logic and returns a response in a specific format that API Gateway understands. This is ideal for building RESTful APIs where the backend logic is encapsulated in a single function.
      • Example (Lambda Proxy Integration): A /users endpoint that retrieves user data. The Lambda function receives the request, queries a DynamoDB table based on a user ID from the path parameters, and returns the user data as a JSON object.
      • Use Case (Lambda Custom Integration): Provides more control. You can use mapping templates to transform the incoming request before it reaches the Lambda function and transform the response from the Lambda function before it's returned to the client. This is useful when you need to decouple the API Gateway interface from the Lambda function's input/output format.
      • Example (Lambda Custom Integration): An API endpoint that receives a POST request with a complex JSON payload. A request mapping template extracts and transforms specific fields from the payload into a simpler JSON object that the Lambda function expects. The response mapping template then transforms the Lambda function's output into a different JSON structure for the client.
    • HTTP endpoints: Any publicly accessible HTTP endpoint (e.g., an EC2 instance, an Elastic Load Balancer, or an on-premises server).
      • Use Case (HTTP Proxy Integration): Used to integrate with existing HTTP APIs. API Gateway simply forwards the client's request to the backend HTTP endpoint and returns the backend's response to the client. This is useful for creating a unified API front-end for multiple microservices.
      • Example (HTTP Proxy Integration): An /products endpoint that forwards requests to a product catalog microservice running on an EC2 instance.
      • Use Case (HTTP Custom Integration): Similar to Lambda custom integration, this allows you to use mapping templates to modify the request and response. This is useful when integrating with legacy APIs or third-party APIs that have different request/response formats.
      • Example (HTTP Custom Integration): Integrating with a legacy SOAP API. API Gateway can transform an incoming RESTful JSON request into a SOAP XML request and then transform the SOAP XML response back into a JSON response for the client.
    • AWS services: Direct integration with other AWS services like DynamoDB, S3, Kinesis, Step Functions, etc., allowing you to expose AWS service actions as REST endpoints.
      • Use Case: To expose AWS service actions directly through your API without writing any backend code. This is a powerful way to create APIs that interact with your AWS resources.
      • Example: An API endpoint that allows users to upload files directly to an S3 bucket. The API Gateway integration would be configured to call the PutObject action on the S3 service. Another example is an API endpoint that puts an item into a DynamoDB table using the PutItem action.
    • VPC Link: For private integration with resources in your VPC (e.g., EC2 instances, ECS containers, Application Load Balancers). This allows API Gateway to securely connect to private resources without traversing the public internet.
      • Use Case: To expose services running in a private VPC to the outside world through API Gateway without exposing them to the public internet. This is essential for securing your backend services.
      • Example: An API Gateway that connects to a microservice running on an ECS container in a private subnet. A VPC Link is used to connect the API Gateway to a Network Load Balancer (NLB) or Application Load Balancer (ALB) that routes traffic to the ECS container.
    • Mock Integration: Allows API Gateway to return a response without sending the request to a backend. Useful for testing, prototyping, or returning static responses.
      • Use Case: For testing and development. You can create a mock integration to return a sample response, allowing frontend developers to start working on the UI before the backend is ready. It's also used to handle CORS preflight OPTIONS requests.
      • Example: A /health endpoint that always returns a 200 OK response with a static body like {"status": "ok"}.
  • Stages: A logical reference to a snapshot of your API. Stages are used to manage and deploy different versions of your API (e.g., dev, test, prod, v1, v2). Each stage can have its own configuration, such as caching settings, throttling limits, and associated WAF ACLs.
  • Deployment: The process of making a stage of your API available to clients. A deployment creates an immutable snapshot of your API configuration.
  • Custom Domain Names: Allows you to use your own domain name (e.g., api.example.com) instead of the default API Gateway URL. This requires configuring a custom domain in API Gateway and updating your DNS records.
  • Usage Plans: Allow you to set throttling and quota limits for individual API keys. This helps you monetize your APIs or control access for different tiers of users.
  • API Keys: Alphanumeric strings that you distribute to your customers to grant them access to your API. API keys are typically used in conjunction with usage plans.
  • Authorizers: Control who can invoke your API methods. API Gateway supports several types of authorizers:
    • IAM Authorizers: Use AWS Identity and Access Management (IAM) roles and policies to control access. Ideal for internal applications or AWS services.
    • Lambda Authorizers (Custom Authorizers): A Lambda function that you provide to control access. The Lambda function receives the incoming request, performs authentication/authorization logic, and returns an IAM policy.
    • Cognito User Pool Authorizers: Integrate with Amazon Cognito User Pools for user authentication. This is suitable for mobile and web applications where users authenticate via Cognito.
  • Caching: API Gateway can cache responses from your backend to reduce the load on your backend services, improve API latency for clients, and reduce costs. You can configure cache size and time-to-live (TTL).
  • Throttling: Protects your backend from being overwhelmed by too many requests. You can set default throttling limits at the account level, and override them at the stage or method level.
  • Request/Response Transformation: API Gateway can transform the request and response payloads using mapping templates (Velocity Template Language - VTL). This allows you to map incoming requests to the format expected by your backend and outgoing responses to the format expected by your clients.
  • AWS WAF Integration: API Gateway can integrate with AWS WAF (Web Application Firewall) to protect your APIs from common web exploits and bots.
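The Lambda proxy integration described above hands the whole HTTP request to the function as one event and expects a response object with a numeric `statusCode`, a `headers` map and a string `body`; anything else makes API Gateway answer 502 "Malformed Lambda proxy response". The handler below is an added example, not code from the page or from AWS: it implements the `/users/{userId}` lookup the page uses as its example, with a constructed in-memory `USERS` dict standing in for the DynamoDB table, and a constructed `make_event` helper that builds the parts of the proxy event the handler reads.

```python
import json

# Constructed stand-in for the DynamoDB table the page describes; a real
# handler would call boto3 dynamodb get_item here. The stored record holds
# more fields than the client should see (e.g. role).
USERS = {
    "u-100": {"userId": "u-100", "name": "Ada", "role": "admin"},
    "u-200": {"userId": "u-200", "name": "Grace", "role": "viewer"},
}


def _response(status, body):
    """Build the object API Gateway requires from a proxy integration.

    statusCode must be an int and body must be a string (here JSON text);
    returning a dict as body is the classic cause of a 502 from the gateway.
    """
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def handler(event, context=None):
    """GET /users/{userId} behind a Lambda proxy integration."""
    if event.get("httpMethod") != "GET":
        return _response(405, {"message": "method not allowed"})
    # pathParameters is None (not {}) when the route has no parameters
    params = event.get("pathParameters") or {}
    user_id = params.get("userId")
    if not user_id:
        return _response(400, {"message": "userId path parameter is required"})
    user = USERS.get(user_id)
    if user is None:
        return _response(404, {"message": "user not found"})
    # Return an explicit allow-list of fields rather than the raw record.
    return _response(200, {"userId": user["userId"], "name": user["name"]})


def make_event(method, user_id):
    """Constructed proxy event with the fields this handler reads (the real
    event also carries headers, query strings, requestContext, etc.)."""
    return {
        "httpMethod": method,
        "resource": "/users/{userId}",
        "path": f"/users/{user_id}",
        "pathParameters": {"userId": user_id},
        "requestContext": {"identity": {"sourceIp": "203.0.113.10"}},
        "body": None,
        "isBase64Encoded": False,
    }


if __name__ == "__main__":
    print(handler(make_event("GET", "u-100")))
    print(handler(make_event("GET", "u-999")))
```

Because the body is serialised by the function itself, it is the function, not API Gateway, that decides which record fields leave the backend; the allow-list in the 200 branch is where that decision lives.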

API Gateway Types

  • REST APIs:
    • Description: For traditional RESTful web services. Offers comprehensive features for API management, including request/response transformation, API keys, usage plans, custom authorizers, and WAF integration.
    • Use Cases: Complex APIs requiring advanced features, public-facing APIs with monetization or strict access control, and scenarios where fine-grained control over request/response mapping is needed.
  • HTTP APIs:
    • Description: A simpler, faster, and cheaper alternative to REST APIs for building HTTP-based APIs. Optimized for serverless workloads and offers lower latency and cost.
    • Features: Supports OIDC and OAuth 2.0 authorizers, CORS, and automatic deployments. It has fewer features than REST APIs (e.g., no usage plans, API keys, or request/response transformation directly in API Gateway).
    • Use Cases: Ideal for serverless backends, internal microservices, and high-performance APIs where the advanced features of REST APIs are not required.
  • WebSocket APIs:
    • Description: For building real-time, two-way communication applications. It maintains a persistent connection between the client and the server, allowing messages to be sent in both directions at any time.
    • Use Cases: Chat applications, real-time dashboards, gaming applications, and IoT device communication.

Interview Questions

Conceptual Questions

  1. What is AWS API Gateway and what are its primary use cases?
    • AWS API Gateway is a fully managed service that acts as a "front door" for applications to access data, business logic, or functionality from your backend services. Its primary use cases include:
      • Building serverless backends for web and mobile applications.
      • Exposing microservices as managed APIs.
      • Creating real-time communication applications using WebSocket APIs.
      • Providing a unified API layer for various backend services.
      • Monetizing APIs by controlling access and usage.
  2. Explain the different types of API Gateway endpoints and when you would use each.
    • Edge-optimized: Uses CloudFront for global access, ideal for APIs with geographically dispersed clients to reduce latency.
    • Regional: For APIs primarily accessed by clients within the same AWS region, suitable when your API consumers are co-located with your backend.
    • Private: Accessible only from within a VPC using an interface VPC endpoint, perfect for internal applications or microservices that should not be public.
  3. What is the difference between REST APIs and HTTP APIs in API Gateway? When would you choose one over the other?
    • HTTP APIs: Simpler, faster, and more cost-effective. Ideal for serverless workloads and when you need a high-performance, low-latency API without the full feature set of REST APIs. They support OIDC/OAuth 2.0 authorizers and CORS.
    • REST APIs: Offer a comprehensive feature set including API keys, usage plans, request/response transformations (VTL), custom authorizers (Lambda), WAF integration, and more granular control. Choose REST APIs for complex APIs requiring advanced management, monetization, or strict access control.
  4. How do you secure an API Gateway endpoint? Describe various authorization mechanisms.
    • IAM Authorizers: Use AWS IAM roles and policies, suitable for internal AWS services or applications.
    • Lambda Authorizers (Custom Authorizers): A custom Lambda function that performs authentication/authorization logic, offering maximum flexibility.
    • Cognito User Pool Authorizers: Integrates with Amazon Cognito User Pools for user authentication, commonly used for mobile and web applications.
    • API Keys: Used in conjunction with Usage Plans to control access and throttle requests, often for third-party developers.
    • VPC Endpoints: For Private APIs, ensuring access only from within a specified VPC.
    • AWS WAF: Integrates with API Gateway to protect against common web exploits.
  5. Explain the concept of API Gateway integrations. What are the different types, and how do they work?
    • Integrations define how API Gateway connects to your backend. Types include:
      • Lambda Integration: API Gateway directly invokes a Lambda function. Can be proxy (Lambda handles all request/response mapping) or non-proxy (API Gateway handles mapping).
      • HTTP Integration: Connects to any HTTP endpoint. Can also be proxy or non-proxy.
      • AWS Service Integration: Allows API Gateway to directly invoke actions on other AWS services (e.g., DynamoDB, S3) without an intermediary Lambda function.
      • VPC Link Integration: For private integration with resources within your VPC (e.g., ALBs, NLBs, EC2 instances).
      • Mock Integration: API Gateway returns a response without calling a backend, useful for testing or static responses.
  6. How can API Gateway help with caching and throttling? Why are these important?
    • Caching: API Gateway can cache responses from your backend, reducing the load on your backend services, improving API latency for clients, and lowering costs. It's important for frequently accessed, non-changing data.
    • Throttling: API Gateway allows you to set limits on the number of requests per second and burst capacity at the account, stage, and method levels. This protects your backend services from being overwhelmed by traffic spikes or malicious attacks, ensuring stability and availability.
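A Lambda authorizer (questions 4 and 5 above, and the Authorizers bullet under Core Concepts) receives the caller's token and must return an IAM policy that allows or denies `execute-api:Invoke`. The following is an added example, not code from the page or from AWS: a TOKEN-type authorizer in Python. The HMAC-signed demo token, its `SECRET`, the `mint_token` helper and the `ROLE_METHODS` map are constructed so the example runs offline; a real authorizer would validate the identity provider's JWT (signature, issuer, audience, expiry) instead. The API id, account and stage in the `methodArn` are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HMAC secret for the offline demo token (see lead-in).
SECRET = b"demo-secret-not-for-production"

# Least-privilege map: role -> (METHOD, path-under-stage) pairs it may invoke.
ROLE_METHODS = {
    "viewer": [("GET", "users/*")],
    "admin": [("GET", "users/*"), ("POST", "users"), ("DELETE", "users/*")],
}


def mint_token(subject, role, exp):
    """Constructed helper: '<urlsafe-b64 payload>.<hex hmac-sha256>'."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"sub": subject, "role": role, "exp": exp}).encode()
    ).decode().rstrip("=")
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token, now):
    """Return the claims for a correctly signed, unexpired token, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal_id, effect, resources, context=None):
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": resources}],
        },
        # Exposed to the backend as $context.authorizer.<key>
        "context": context or {},
    }


def handler(event, context=None, now=None):
    """TOKEN authorizer. Raising Exception('Unauthorized') yields a 401 to the
    client; returning a Deny policy yields a 403.

    API Gateway caches the returned policy per token (default 300 s) and reuses
    it for the next methods that token calls, so the Allow statement lists every
    method the role may use instead of only the current event['methodArn'].
    """
    now = time.time() if now is None else now
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        raise Exception("Unauthorized")
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        raise Exception("Unauthorized")

    # methodArn = arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/PATH
    arn_prefix, _, route = event["methodArn"].partition("/")
    stage = route.split("/")[0]
    principal = claims.get("sub", "unknown")
    allowed = ROLE_METHODS.get(claims.get("role"), [])
    if not allowed:
        return build_policy(principal, "Deny", event["methodArn"])
    resources = [f"{arn_prefix}/{stage}/{m}/{p}" for m, p in allowed]
    return build_policy(principal, "Allow", resources, {"role": claims["role"]})


if __name__ == "__main__":
    now = 1_700_000_000
    event = {"type": "TOKEN",
             "authorizationToken": "Bearer " + mint_token("alice", "viewer", now + 300),
             "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/users/u-100"}
    print(json.dumps(handler(event, now=now), indent=2))
```

The two failure paths are deliberately different: a missing, malformed, tampered or expired token is a 401 (the client should re-authenticate), while a valid token for a role with no permitted methods is a 403 (the identity is known, the action is refused), and only the 403 path leaves a principal id in the access logs.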

Scenario-Based Questions

  1. You are building a serverless backend for a mobile application that needs to expose several RESTful endpoints. Users will authenticate using their social media accounts. How would you design this using API Gateway and Lambda?
    • I would create a REST API in API Gateway. For user authentication, I would integrate with Amazon Cognito User Pools and configure a Cognito User Pool Authorizer for the API methods that require authentication. Each endpoint (resource and method) would be integrated with a corresponding Lambda function (using Lambda proxy integration for simplicity). The Lambda functions would contain the business logic, interact with other AWS services (e.g., DynamoDB for data storage), and return responses to API Gateway. I would also enable API caching for frequently accessed, non-sensitive data to improve performance and reduce Lambda invocations.
  2. Your API is experiencing high traffic, and you want to protect your backend services from being overwhelmed while also providing different access tiers for premium and free users. How can API Gateway help with this?
    • I would use API Gateway Usage Plans. I would create two separate usage plans: one for "Free Tier" users with lower throttling and quota limits, and another for "Premium Tier" users with higher limits. I would then generate API Keys for each user and associate them with the appropriate usage plan. Clients would include their API key in their requests. API Gateway would automatically enforce the defined throttling and quota limits, protecting the backend and differentiating access.
  3. You have an internal microservice running on ECS Fargate within a private VPC. You want to expose an API for this microservice to other internal applications within your AWS account without exposing it to the public internet. How would you do this?
    • I would create a Private API Gateway endpoint. This API would be accessible only from within my VPC using an interface VPC endpoint. I would then create a VPC Link to connect API Gateway to an Internal Application Load Balancer (ALB) that sits in front of my ECS Fargate microservice. This setup ensures that traffic flows privately within the AWS network, never traversing the public internet, and provides secure, internal API access.
  4. You need to transform the request payload coming into your API Gateway endpoint before it reaches your Lambda backend, and also transform the response from Lambda before sending it back to the client. How would you achieve this?
    • I would use API Gateway's mapping templates (written in Velocity Template Language - VTL). For the request transformation, I would configure a request mapping template for the specific method and integration. This template would take the incoming request body and transform it into the format expected by the Lambda function. Similarly, for the response transformation, I would configure a response mapping template for the integration response, which would take the Lambda's output and transform it into the desired format for the client. This requires using a non-proxy Lambda integration.
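Scenario 2 above relies on usage plans whose throttle settings have two knobs, a steady `rateLimit` in requests per second and a `burstLimit`; AWS documents API Gateway throttling as a token bucket, where the burst limit is the bucket size and the rate limit is the refill rate. The simulation below is an added example, not code from the page or from AWS, showing what those two numbers mean for a client: the free and premium plan values, the API keys and the quota figures are constructed, and the order of checks is this example's own.

```python
# Constructed plans and keys mirroring the free/premium tiers in scenario 2.
PLANS = {
    "free":    {"rateLimit": 10,  "burstLimit": 20,  "quota": 1_000},
    "premium": {"rateLimit": 100, "burstLimit": 200, "quota": 1_000_000},
}
API_KEYS = {"key-free-001": "free", "key-prem-001": "premium"}


class TokenBucket:
    """rateLimit = tokens refilled per second (sustained requests/s);
    burstLimit = bucket capacity (requests accepted back-to-back after idle)."""

    def __init__(self, rate_limit, burst_limit):
        self.rate = float(rate_limit)
        self.capacity = float(burst_limit)
        self.tokens = self.capacity   # a fresh key starts with a full bucket
        self.last = None

    def allow(self, now):
        """Consume one token if available; 'now' is a timestamp in seconds."""
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class UsagePlanEnforcer:
    """Per-API-key enforcement: key lookup, quota for the period, throttle."""

    def __init__(self, plans, api_keys):
        self.plans = plans
        self.api_keys = api_keys
        self.buckets = {}   # api key -> TokenBucket
        self.used = {}      # api key -> requests counted against the quota

    def check(self, api_key, now):
        """Return the HTTP status the client would get: 200, 403 or 429."""
        plan_name = self.api_keys.get(api_key)
        if plan_name is None:
            return 403  # missing or unknown x-api-key
        plan = self.plans[plan_name]
        if self.used.get(api_key, 0) >= plan["quota"]:
            return 429  # quota for the period exhausted
        bucket = self.buckets.setdefault(
            api_key, TokenBucket(plan["rateLimit"], plan["burstLimit"]))
        if not bucket.allow(now):
            return 429  # throttled
        self.used[api_key] = self.used.get(api_key, 0) + 1
        return 200


def simulate(api_key, arrivals, enforcer=None):
    """Return {status: count} for one key's requests at the given timestamps."""
    enforcer = enforcer or UsagePlanEnforcer(PLANS, API_KEYS)
    counts = {}
    for t in arrivals:
        status = enforcer.check(api_key, t)
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    # 300 simultaneous requests on the premium key: 200 pass, 100 are throttled;
    # one second later another 100 tokens have refilled.
    print(simulate("key-prem-001", [0.0] * 300 + [1.0] * 150))
    print(simulate("key-free-001", [0.0] * 30))
    print(simulate("no-such-key", [0.0]))
```

The point for capacity planning is that `burstLimit` only helps a client that has been idle: after the initial burst the sustainable rate is exactly `rateLimit`, so a backend sized for the burst figure is over-provisioned and one sized below the rate figure will still be overwhelmed.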

Coding/CLI Examples

Here are some common API Gateway operations using the AWS CLI and Python (Boto3).

AWS CLI Examples

  1. Create a simple REST API with a Lambda proxy integration:

     ```bash
     # Assume a Lambda function 'MyLambdaFunction' exists with ARN:
     # arn:aws:lambda:REGION:ACCOUNT_ID:function:MyLambdaFunction

     # 1. Create a REST API
     API_NAME="MyProxyAPI"
     API_ID=$(aws apigateway create-rest-api --name "$API_NAME" --query 'id' --output text)
     echo "API ID: $API_ID"

     # 2. Get the root resource ID (the JMESPath string literal '/' must be backtick-quoted)
     ROOT_RESOURCE_ID=$(aws apigateway get-resources --rest-api-id "$API_ID" \
       --query 'items[?path==`/`].id' --output text)
     echo "Root Resource ID: $ROOT_RESOURCE_ID"

     # 3. Create a resource (e.g., /items)
     ITEMS_RESOURCE_ID=$(aws apigateway create-resource --rest-api-id "$API_ID" \
       --parent-id "$ROOT_RESOURCE_ID" --path-part "items" --query 'id' --output text)
     echo "/items Resource ID: $ITEMS_RESOURCE_ID"

     # 4. Create a GET method for /items
     #    (authorization-type NONE means anyone can call it; see Authorizers above)
     aws apigateway put-method \
       --rest-api-id "$API_ID" \
       --resource-id "$ITEMS_RESOURCE_ID" \
       --http-method GET \
       --authorization-type NONE

     # 5. Set up Lambda proxy integration for GET /items
     #    (Lambda is always invoked with POST, whatever method the client used)
     LAMBDA_ARN="arn:aws:lambda:us-east-1:123456789012:function:MyLambdaFunction"  # REPLACE with your Lambda ARN
     aws apigateway put-integration \
       --rest-api-id "$API_ID" \
       --resource-id "$ITEMS_RESOURCE_ID" \
       --http-method GET \
       --type AWS_PROXY \
       --integration-http-method POST \
       --uri "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/$LAMBDA_ARN/invocations"

     # 6. Add permission for API Gateway to invoke Lambda, scoped to this API, method and path
     aws lambda add-permission \
       --function-name MyLambdaFunction \
       --statement-id "apigateway-get-items" \
       --action "lambda:InvokeFunction" \
       --principal apigateway.amazonaws.com \
       --source-arn "arn:aws:execute-api:us-east-1:123456789012:$API_ID/*/GET/items"

     # 7. Deploy the API to a stage
     STAGE_NAME="dev"
     aws apigateway create-deployment \
       --rest-api-id "$API_ID" \
       --stage-name "$STAGE_NAME" \
       --description "Initial deployment of proxy API"

     echo "API Endpoint: https://$API_ID.execute-api.us-east-1.amazonaws.com/$STAGE_NAME/items"
     ```

  2. Create an HTTP API with a Lambda integration:

     ```bash
     # Assume a Lambda function 'MyHttpLambdaFunction' exists

     # 1. Create an HTTP API. Passing --target is "quick create": it also creates a
     #    '$default' catch-all route and a '$default' stage with auto-deploy enabled.
     HTTP_API_NAME="MyHttpApi"
     HTTP_API_ID=$(aws apigatewayv2 create-api \
       --name "$HTTP_API_NAME" \
       --protocol-type HTTP \
       --target "arn:aws:lambda:us-east-1:123456789012:function:MyHttpLambdaFunction" \
       --query 'ApiId' --output text)
     echo "HTTP API ID: $HTTP_API_ID"

     # 2. The '$default' stage already exists and auto-deploys, so creating it again
     #    would fail with a ConflictException; confirm it instead
     aws apigatewayv2 get-stage --api-id "$HTTP_API_ID" --stage-name '$default'

     # 3. Allow API Gateway to invoke the function (quick create from the CLI does not add this)
     aws lambda add-permission \
       --function-name MyHttpLambdaFunction \
       --statement-id "apigatewayv2-invoke" \
       --action "lambda:InvokeFunction" \
       --principal apigateway.amazonaws.com \
       --source-arn "arn:aws:execute-api:us-east-1:123456789012:$HTTP_API_ID/*"

     echo "HTTP API Endpoint: https://$HTTP_API_ID.execute-api.us-east-1.amazonaws.com"
     ```

  3. Enable API caching for a specific REST API stage:

     ```bash
     API_ID="your-rest-api-id"  # Replace with your REST API ID
     STAGE_NAME="dev"

     aws apigateway update-stage \
       --rest-api-id "$API_ID" \
       --stage-name "$STAGE_NAME" \
       --patch-operations \
         op='replace',path='/cacheClusterEnabled',value='true' \
         op='replace',path='/cacheClusterSize',value='0.5'   # 0.5 GB cache size
     ```

  4. Create a usage plan, API key, and associate them:

     ```bash
     API_ID="your-rest-api-id"  # Replace with your REST API ID (the 'prod' stage must already be deployed)

     # 1. Create a usage plan (rateLimit = sustained requests/s, burstLimit = bucket size,
     #    quota = requests per period). --api-stages takes shorthand apiId=...,stage=...
     USAGE_PLAN_ID=$(aws apigateway create-usage-plan \
       --name "PremiumUsersPlan" \
       --description "Usage plan for premium API consumers" \
       --throttle burstLimit=200,rateLimit=100 \
       --quota limit=1000000,period=MONTH \
       --api-stages apiId="$API_ID",stage=prod \
       --query 'id' --output text)
     echo "Usage Plan ID: $USAGE_PLAN_ID"

     # 2. Create an API key (API Gateway requires at least 20 characters; 32 used here)
     API_KEY_VALUE="$(tr -dc 'A-Za-z0-9_' </dev/urandom | head -c 32)"  # Generate a random key
     API_KEY_ID=$(aws apigateway create-api-key \
       --name "MyPremiumAPIKey" \
       --description "Key for premium user" \
       --enabled \
       --value "$API_KEY_VALUE" \
       --query 'id' --output text)
     echo "API Key ID: $API_KEY_ID"
     echo "API Key Value: $API_KEY_VALUE"  # IMPORTANT: Store this securely!

     # 3. Associate the API key with the usage plan
     aws apigateway create-usage-plan-key \
       --usage-plan-id "$USAGE_PLAN_ID" \
       --key-id "$API_KEY_ID" \
       --key-type API_KEY
     echo "API Key $API_KEY_ID associated with Usage Plan $USAGE_PLAN_ID"
     ```

Python (Boto3) Examples

First, ensure you have Boto3 installed (pip install boto3) and your AWS credentials configured.

  1. Create a simple REST API and deploy it:

     ```python
     import boto3

     client = boto3.client('apigateway')
     lambda_client = boto3.client('lambda')

     api_name = "MyBoto3RestApi"
     lambda_function_name = "MyLambdaFunction"  # Replace with your Lambda function name
     region = "us-east-1"                         # Replace with your region
     account_id = "123456789012"                  # Replace with your AWS Account ID

     try:
         # 1. Create REST API
         response = client.create_rest_api(name=api_name, description="API created with Boto3")
         api_id = response['id']
         print(f"Created REST API with ID: {api_id}")

         # 2. Get root resource ID
         response = client.get_resources(restApiId=api_id)
         root_resource_id = [item['id'] for item in response['items'] if item['path'] == '/'][0]
         print(f"Root Resource ID: {root_resource_id}")

         # 3. Create a resource (e.g., /hello)
         response = client.create_resource(
             restApiId=api_id,
             parentId=root_resource_id,
             pathPart='hello'
         )
         hello_resource_id = response['id']
         print(f"Created /hello resource with ID: {hello_resource_id}")

         # 4. Put a GET method (authorizationType NONE: no authorizer on this method)
         client.put_method(
             restApiId=api_id,
             resourceId=hello_resource_id,
             httpMethod='GET',
             authorizationType='NONE'
         )
         print("Created GET method for /hello")

         # 5. Put integration (Lambda Proxy)
         lambda_uri = (
             f"arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/"
             f"arn:aws:lambda:{region}:{account_id}:function:{lambda_function_name}/invocations"
         )
         client.put_integration(
             restApiId=api_id,
             resourceId=hello_resource_id,
             httpMethod='GET',
             type='AWS_PROXY',
             integrationHttpMethod='POST',
             uri=lambda_uri
         )
         print("Configured Lambda proxy integration")

         # 6. Add Lambda permission (API Gateway to invoke Lambda).
         #    '*/*/*' covers every stage, method and path of this API; narrow it
         #    (e.g. '/prod/GET/hello') once the exposed route is known.
         lambda_client.add_permission(
             FunctionName=lambda_function_name,
             StatementId='ApiGatewayInvokePermission',
             Action='lambda:InvokeFunction',
             Principal='apigateway.amazonaws.com',
             SourceArn=f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*/*/*"
         )
         print("Added Lambda invocation permission for API Gateway")

         # 7. Deploy API to a stage
         stage_name = "prod"
         client.create_deployment(
             restApiId=api_id,
             stageName=stage_name,
             description="Initial Boto3 deployment"
         )
         print(f"Deployed API to stage: {stage_name}")
         print(f"API Endpoint: https://{api_id}.execute-api.{region}.amazonaws.com/{stage_name}/hello")

     except Exception as e:
         print(f"Error creating API Gateway: {e}")
     ```

  2. List all REST APIs:

     ```python
     import boto3

     client = boto3.client('apigateway')

     try:
         print("REST APIs:")
         # get_rest_apis returns one page (25 items by default) per call; the
         # paginator follows the 'position' token so larger accounts are listed fully
         paginator = client.get_paginator('get_rest_apis')
         for page in paginator.paginate():
             for api in page['items']:
                 print(f"- Name: {api['name']}, ID: {api['id']}")
     except Exception as e:
         print(f"Error listing REST APIs: {e}")
     ```

  3. Create an API Key and associate with a Usage Plan:

     ```python
     import boto3
     import secrets

     client = boto3.client('apigateway')

     usage_plan_id = "your-usage-plan-id"  # Replace with an existing Usage Plan ID
     api_key_name = "MyBoto3ApiKey"
     api_key_value = secrets.token_urlsafe(32)  # Generate a secure random key

     try:
         # 1. Create API Key
         response = client.create_api_key(
             name=api_key_name,
             description="API Key created via Boto3",
             enabled=True,
             value=api_key_value
         )
         api_key_id = response['id']
         print(f"Created API Key ID: {api_key_id}")
         print(f"API Key Value: {api_key_value}")  # Store this securely!

         # 2. Associate with Usage Plan
         client.create_usage_plan_key(
             usagePlanId=usage_plan_id,
             keyId=api_key_id,
             keyType='API_KEY'
         )
         print(f"API Key {api_key_id} associated with Usage Plan {usage_plan_id}")

     except Exception as e:
         print(f"Error with API Key/Usage Plan operations: {e}")
     ```
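The Boto3 examples above create methods with `authorizationType='NONE'`; a practical follow-up is to find such methods across an existing API. The script below is an added example, not code from the page or from AWS: `find_unauthenticated_methods` works on the pages `get_resources` returns when called with `embed=['methods']` (without that parameter the per-method settings are not included), and `audit_rest_api` is the live wrapper that paginates over a real API. `SAMPLE_PAGES` is a constructed response in that shape, so the scan runs offline; the resource ids and paths in it are made up.

```python
def find_unauthenticated_methods(resource_pages):
    """Scan get_resources pages (fetched with embed=['methods']).

    Returns {'open': [...], 'key_only': [...]} of 'METHOD path' strings:
      open      authorizationType NONE and no API key required: anyone can call it
      key_only  authorizationType NONE but apiKeyRequired: an API key identifies a
                usage plan, it is not an authentication credential, so review these too
    OPTIONS is skipped because CORS preflight (mock integration) is expected to be open.
    """
    open_methods, key_only = [], []
    for page in resource_pages:
        for resource in page.get("items", []):
            for verb, method in (resource.get("resourceMethods") or {}).items():
                if verb == "OPTIONS":
                    continue
                auth = method.get("authorizationType")
                if auth is None:
                    raise ValueError("method settings not embedded; call get_resources with embed=['methods']")
                if auth != "NONE":
                    continue
                entry = f"{verb} {resource['path']}"
                (key_only if method.get("apiKeyRequired") else open_methods).append(entry)
    return {"open": sorted(open_methods), "key_only": sorted(key_only)}


def audit_rest_api(api_id, region="us-east-1"):
    """Live version: needs AWS credentials with apigateway:GET on the API."""
    import boto3  # imported here so the offline sample below runs without boto3 installed
    client = boto3.client("apigateway", region_name=region)
    pages = client.get_paginator("get_resources").paginate(restApiId=api_id, embed=["methods"])
    return find_unauthenticated_methods(pages)


# Constructed sample page in the shape get_resources returns with embed=['methods'].
SAMPLE_PAGES = [{
    "items": [
        {"id": "r0root", "path": "/"},
        {"id": "r1hlth", "path": "/health", "resourceMethods": {
            "GET": {"httpMethod": "GET", "authorizationType": "NONE", "apiKeyRequired": False},
            "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE", "apiKeyRequired": False}}},
        {"id": "r2user", "path": "/users/{userId}", "resourceMethods": {
            "GET": {"httpMethod": "GET", "authorizationType": "COGNITO_USER_POOLS", "apiKeyRequired": False},
            "DELETE": {"httpMethod": "DELETE", "authorizationType": "NONE", "apiKeyRequired": True}}},
        {"id": "r3admn", "path": "/admin/reindex", "resourceMethods": {
            "POST": {"httpMethod": "POST", "authorizationType": "NONE", "apiKeyRequired": False}}},
    ]
}]


if __name__ == "__main__":
    findings = find_unauthenticated_methods(SAMPLE_PAGES)
    for severity, entries in findings.items():
        for entry in entries:
            print(f"{severity}: {entry}")
```

An unauthenticated `GET /health` is usually intended; an unauthenticated `POST /admin/reindex` is the kind of finding the scan exists for, and the key-only `DELETE` is the case where someone has mistaken an API key for an authorizer.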