AWS 1x1 - API Gateway
Learn about its capabilities & why it's more than just a simple front door for your serverless application.
Thread Overview 🧵
• Introduction
• The Basics
• Authorizers
• Usage Plans
• Validation
• Proxy Resources, Proxy Integrations & Service Proxies
• Error Handling
• Handling Responses
• API Types
• Monitoring
• Pricing
Introduction
It's easy to think of API Gateway just as an HTTP mediator between a client and an internal AWS service like Lambda.
But there's more to explore, as it offers a lot of valuable features.
The Basics
API Gateway consists of three major parts:
• Request Flow
• Integration
• Response Flow
The integration is the most important element: it is the backend the client actually wants to reach, for example a Lambda function.
The Request Flow is everything that happens before the integration is triggered, like authentication and authorization processing or request validation.
The Response Flow is everything that comes after the integration, like transformations.
Authorizers
If you want to protect some routes of your API, you can make use of Authorizers.
This protects your downstream services & also allows forwarding of a security context, like the details of the authenticated user.
Keep in mind that an authorizer only protects the routes it is attached to; every route you leave without one stays public.
There are different Authorizer types for this step, which all look at some aspect of the request to identify the caller & either allow or reject the request:
• default JWT
• Cognito User Pool
• IAM permission-based
• custom Lambda function
Default JWT Authorizer
If you're using an identity provider that supports OAuth2 & OpenID Connect (for example Auth0), this is a great option (available for HTTP APIs) to have central access control that doesn't require any operations on your side.
You basically only need to configure the issuer URL, from which API Gateway discovers the OpenID configuration and the key set (JWKS) it needs to validate the signatures of JSON Web Tokens, plus the audience you expect in the token.
If the signature is valid, the token is not expired and issuer & audience match, a security context will be created.
This context will contain details from the token payload, like the claims and scopes.
You can additionally define which route accepts which scopes - without needing to write any code.
Everything is solely about configuration.
You can also define your own custom Lambda Authorizer function.
This function receives the authorization token (or, for request authorizers, selected headers, query parameters and context). You do your own validation & return an IAM policy plus your own authorization context, which API Gateway forwards to the integration.
Usage Plans
API keys can be used as a method for rate limiting and throttling certain clients of your API. Define rules about clients:
• max number of requests per second
• max number of requests over a certain time period (=> a quota)
Keep in mind that an API key only identifies a client for metering and throttling; it is not a credential, so don't rely on it alone for authentication or authorization.
Validation
You can define validation rules directly at the Gateway level, which comes with two benefits:
• it reduces the number of invocations of your integrations
• it saves boilerplate code at the integration
Requests that fail the validation are not forwarded to the backend integration, which therefore saves invocations.
Also, your validation rules on the Gateway save you code for validations at your backend integration.
Validation of Parameters
Define requirements for your API, like needed query parameters or headers. If they are not provided by the client, API Gateway returns an HTTP 400 Bad Request response with a message listing the missing parameters.
Validation of Request Bodies
In addition to validating query strings and headers, you can also define dedicated models for your incoming request payloads.
A model is a JSON Schema that defines which content type is accepted and what the body has to contain.
For the body, you define required fields and their types, like string or integer.
All of your validation rules need to be attached to the method request step in the request flow.
Let's have a quick wrap up of the different kinds of 'proxy' you'll find in connection with API Gateway:
• Proxy Resource/Method
• Proxy Integration
• Service Proxy
A Proxy Resource enables you to bind different HTTP requests to a single integration. The simplest form is a path parameter.
Example:
/api/customers/{id}
It will bind calls to
• /api/customers/05d02cea
• /api/customers/a8de
• /api/customers/8d32a88dd1
You can extend the path parameter with a + to create a greedy proxy resource that captures everything that follows.
For example:
/api/{proxy+}
will match
• /api/customers
• /api/customers/05d02cea/addresses
... and everything else under /api (but not /api itself, which needs its own method).
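How the two forms above are matched, and which resource wins when several apply, as an added example (not code from the original thread or from AWS). It compiles API Gateway-style resource paths into regular expressions, gives literal segments precedence over {param} and both precedence over {proxy+}, and returns the captured path parameters. The three routes are constructed for the demo; /api/customers/me is an invented literal route to show the precedence rule.

```python
import re

# Constructed routes for the demo: one literal, one path parameter, one greedy catch-all.
ROUTES = ["/api/customers/me", "/api/customers/{id}", "/api/{proxy+}"]


def compile_resource(resource: str):
    """Turn an API Gateway resource path into a regex plus a specificity rank.

    {name} captures exactly one path segment; {name+} is greedy and swallows the rest of the
    path, slashes included. API Gateway prefers literal segments over {param}, and both over
    {proxy+}, so the rank is (0 for greedy / 1 otherwise, number of literal segments)."""
    parts, literal_count, greedy = [], 0, False
    for seg in resource.strip("/").split("/"):
        if not seg:
            continue
        m = re.fullmatch(r"\{(\w+)\+\}", seg)
        if m:
            parts.append(f"(?P<{m.group(1)}>.+)")  # at least one char: /api/{proxy+} never matches /api
            greedy = True
            continue
        m = re.fullmatch(r"\{(\w+)\}", seg)
        if m:
            parts.append(f"(?P<{m.group(1)}>[^/]+)")
            continue
        parts.append(re.escape(seg))
        literal_count += 1
    pattern = re.compile("^/" + "/".join(parts) + "$")
    return pattern, (0 if greedy else 1, literal_count)


def match_route(path: str, routes=ROUTES):
    """Return (resource, path_parameters) for the most specific matching resource,
    or None when nothing matches (API Gateway then answers 404 with {"message": "Not Found"})."""
    best = None
    for resource in routes:
        pattern, specificity = compile_resource(resource)
        m = pattern.match(path)
        if m and (best is None or specificity > best[0]):
            best = (specificity, resource, m.groupdict())
    return None if best is None else (best[1], best[2])
```

The practical point for access control: the catch-all inherits only the authorizer you attach to its own ANY method. If you protect /api/customers/{id} but leave /api/{proxy+} open, everything under /api that is not covered by a more specific resource is reachable without a token.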
Proxy Integrations
The important part: the actual integration with a backend service.
There are two types:
• Lambda proxy: forwarding your request to a Lambda function
• HTTP proxy: forwarding the entire request to an HTTP endpoint
The benefit of using one of those proxy integrations is that you don't require any transformations with mapping templates using the Velocity Template Language (VTL).
The whole request (method, path and query parameters, headers, body, and the authorizer context) is handed to the backend as-is, and the backend is responsible for producing the complete HTTP response.
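What the Lambda side of a proxy integration has to do, as an added example that is not part of the original thread. It shows the event fields a handler receives, reads the caller identity from the authorizer context rather than from a client-supplied header, and builds the response in the one shape API Gateway accepts (string body, string header values), together with a small check for the classic 502 "Malformed Lambda proxy response" mistake. The event in sample_event is constructed; the /api/customers/{id} resource and the user-1 identity are placeholders.

```python
import base64
import json


def proxy_response(status: int, body, headers=None) -> dict:
    """Build the exact shape a Lambda proxy integration must return. The body is serialised here
    because API Gateway only accepts a string body; returning a dict yields a 502 'Malformed Lambda
    proxy response' instead of your payload."""
    merged = {"Content-Type": "application/json", **(headers or {})}
    return {"statusCode": status, "headers": merged, "body": json.dumps(body), "isBase64Encoded": False}


def lambda_proxy_handler(event: dict, _context=None) -> dict:
    """Handler for /api/customers/{id} behind a Lambda proxy integration. The event is the whole
    request: method, path, pathParameters, headers, query string, body and the authorizer context."""
    if event.get("isBase64Encoded"):
        raw = base64.b64decode(event.get("body") or "")
    else:
        raw = (event.get("body") or "").encode()
    customer_id = (event.get("pathParameters") or {}).get("id")
    # Identity established by the authorizer arrives under requestContext.authorizer; a client can
    # send any header it likes, so never derive the caller from X-User-Id or similar.
    caller = ((event.get("requestContext") or {}).get("authorizer") or {}).get("sub", "anonymous")
    method = event.get("httpMethod")
    if method == "GET":
        return proxy_response(200, {"id": customer_id, "requested_by": caller})
    if method == "PUT":
        try:
            payload = json.loads(raw or b"{}")
        except ValueError:
            return proxy_response(400, {"message": "body is not valid JSON"})
        return proxy_response(200, {"id": customer_id, "updated_by": caller, "stored": payload})
    return proxy_response(405, {"message": "method not allowed"}, {"Allow": "GET, PUT"})


def is_well_formed(resp) -> bool:
    """Approximation of what API Gateway requires before relaying a proxy response: a dict with an
    integer statusCode, a string (or absent) body, and header values that are strings."""
    if not isinstance(resp, dict) or not isinstance(resp.get("statusCode"), int):
        return False
    if resp.get("body") is not None and not isinstance(resp["body"], str):
        return False
    headers = resp.get("headers") or {}
    return isinstance(headers, dict) and all(
        isinstance(k, str) and isinstance(v, str) for k, v in headers.items()
    )


def sample_event(method: str, body: bytes = b"") -> dict:
    """Constructed proxy event for /api/customers/a8de, base64-encoded the way API Gateway delivers
    bodies it treats as binary."""
    return {
        "httpMethod": method,
        "path": "/api/customers/a8de",
        "resource": "/api/customers/{id}",
        "pathParameters": {"id": "a8de"},
        "headers": {"content-type": "application/json"},
        "queryStringParameters": None,
        "body": base64.b64encode(body).decode() if body else None,
        "isBase64Encoded": bool(body),
        "requestContext": {"authorizer": {"sub": "user-1"}},
    }
```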
AWS Service Proxy Integrations
It's also possible to integrate your API Gateway directly with another AWS service like DynamoDB, e.g. to insert items, by mapping the request onto the service's API with a VTL template.
This is useful for simple data ingestion services, which then don't require any maintenance.
Two things to get right here: API Gateway calls the service with an IAM role you provide, so scope that role to the single action and resource it needs (e.g. PutItem on one table), and since there is no function in between to sanitize input, combine the integration with request validation.
Error Handling
As your request can get rejected for various reasons (missing or invalid authentication token, the payload does not match your model, ...), you may want to define how errors are handled and how they are returned to the client.
API Gateway has a set of default Gateway Responses, one per error type (for example UNAUTHORIZED, ACCESS_DENIED, BAD_REQUEST_BODY, DEFAULT_4XX, DEFAULT_5XX).
They contain:
• the response type, parameters & templates
• the status code
You're able to overwrite those to adapt them to your own needs.
docs.aws.amazon.com
A common stumbling block: by default no CORS headers are returned for rejected requests, which leads to errors in frontends that you can't easily handle (the browser reports a CORS failure instead of the real 400, 401 or 403).
Custom response parameters allow you to define those headers for error responses.
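One added example covering both the validation section above and the Gateway Response customization just described; it is not code from the original thread or from AWS. It runs the two method-request checks API Gateway performs (required parameters, then the body against a JSON Schema model), returns the rejection without any integration being invoked, and shows how a responseParameters override on DEFAULT_4XX puts the CORS header onto those rejections. The model, the required parameters, the origin and the request contents are all constructed; the default messages follow the ones API Gateway emits.

```python
import re

# Constructed model in the JSON Schema (draft 4) dialect API Gateway uses for request models.
CUSTOMER_MODEL = {
    "type": "object",
    "required": ["email", "plan"],
    "additionalProperties": False,
    "properties": {
        "email": {"type": "string", "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
        "plan": {"type": "string", "enum": ["free", "pro"]},
        "seats": {"type": "integer", "minimum": 1},
    },
}
# Required request parameters, as you would mark them on the method request (constructed).
REQUIRED_PARAMS = {"header": ["x-tenant-id"], "querystring": ["region"]}

# Gateway Response override as you would configure it: responseParameters keys name the header,
# static values are single-quoted exactly like in VTL. Applied to every 4xx the gateway emits itself.
CORS_ON_ERRORS = {
    "DEFAULT_4XX": {"gatewayresponse.header.Access-Control-Allow-Origin": "'https://app.example.com'"},
}

_TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool, "object": dict, "array": list}


def schema_errors(value, schema, path="$"):
    """Minimal JSON Schema checker for the keywords the model above uses."""
    t = schema.get("type")
    if t and (not isinstance(value, _TYPES[t]) or (t in ("integer", "number") and isinstance(value, bool))):
        return [f"{path}: expected {t}"]
    errs = []
    if "enum" in schema and value not in schema["enum"]:
        errs.append(f"{path}: not one of {schema['enum']}")
    if "pattern" in schema and not re.search(schema["pattern"], value):
        errs.append(f"{path}: does not match pattern")
    if "minimum" in schema and value < schema["minimum"]:
        errs.append(f"{path}: below minimum {schema['minimum']}")
    if t == "object":
        props = schema.get("properties", {})
        errs += [f"{path}.{r}: required" for r in schema.get("required", []) if r not in value]
        for k, v in value.items():
            if k in props:
                errs += schema_errors(v, props[k], f"{path}.{k}")
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{path}.{k}: additional property not allowed")
    return errs


def gateway_response(error_type: str, message: str, overrides=None) -> dict:
    """The 4xx API Gateway sends on its own, before any integration runs. Headers come only from the
    responseParameters of the matching Gateway Response (the specific type first, else DEFAULT_4XX);
    the stock DEFAULT_4XX carries none, which is why browsers see a CORS failure."""
    cfg = (overrides or {}).get(error_type) or (overrides or {}).get("DEFAULT_4XX") or {}
    headers = {k.split("gatewayresponse.header.", 1)[-1]: v.strip("'") for k, v in cfg.items()}
    return {"status": 400, "type": error_type, "headers": headers, "body": {"message": message}}


def validate_request(headers: dict, query: dict, body, overrides=None):
    """Run the method-request validation API Gateway performs. Returns None when the request may
    proceed to the integration, otherwise the gateway response that goes straight back to the client."""
    present = {k.lower() for k in headers}
    missing = [h for h in REQUIRED_PARAMS["header"] if h.lower() not in present]
    missing += [q for q in REQUIRED_PARAMS["querystring"] if q not in query]
    if missing:
        return gateway_response("BAD_REQUEST_PARAMETERS",
                                f"Missing required request parameters: [{', '.join(missing)}]", overrides)
    if schema_errors(body, CUSTOMER_MODEL):
        # The default body is deliberately generic and does not say which rule failed; a custom
        # response template can expose $context.error.validationErrorString if you want that detail.
        return gateway_response("BAD_REQUEST_BODY", "Invalid request body", overrides)
    return None
```

Note that additionalProperties: false is what stops a client from smuggling fields (such as a role) that your integration never expected; without it the model only checks the fields you listed.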
Handling Responses
If you're not using a proxy integration, you need to define integration responses.
Those are the counterpart to the integration request in the request flow and transform the backend responses into something API Gateway can handle.
This is also done using VTL. Additionally, you need to determine whether the integration request was successful or returned an error - and which exact error occurred. That selection is done with a regex (the selection pattern) that API Gateway matches against the Lambda error message or, for HTTP backends, against the status code.
The last step that follows (again only if not using Lambda or HTTP proxy integrations) is the method response.
It is needed to define:
• the response status code
• the response body
that will be returned to the client.
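How that selection works for a non-proxy Lambda integration, as an added example that is not part of the original thread or AWS's own code. It models the integration responses as a list of selection patterns, matches the Lambda errorMessage against them the way API Gateway does (full regex match), and renders the status code and body the client ends up with. The error prefixes ([NotFound], [BadRequest]) are a constructed convention, Python callables stand in for the VTL response templates, and the Lambda error objects are constructed to show the failure mode the catch-all exists for.

```python
import re


def _without_prefix(result: dict) -> dict:
    """Response template stand-in for '[Code] message' errors: expose the message, never the stack trace."""
    return {"message": result["errorMessage"].split("] ", 1)[1]}


# Constructed integration responses. selectionPattern is a regex that API Gateway matches in full
# against the Lambda errorMessage (for HTTP integrations: against the status code). The entry without
# a pattern is the default, used for successful invocations and for errors that match nothing.
INTEGRATION_RESPONSES = [
    {"selectionPattern": r"(?s)\[NotFound\].*", "statusCode": "404", "template": _without_prefix},
    {"selectionPattern": r"(?s)\[BadRequest\].*", "statusCode": "400", "template": _without_prefix},
    # Catch-all for unexpected errors, written to be disjoint from the specific patterns above so the
    # outcome does not depend on evaluation order.
    {"selectionPattern": r"(?s)(?!\[(NotFound|BadRequest)\]).+", "statusCode": "500",
     "template": lambda _r: {"message": "internal error"}},
    {"selectionPattern": None, "statusCode": "200", "template": lambda r: r},
]


def select_integration_response(lambda_result: dict, responses=INTEGRATION_RESPONSES) -> dict:
    """Pick the integration response: on a function error, the first pattern matching errorMessage;
    otherwise (success, or an error nothing matches) the default response."""
    error_message = lambda_result.get("errorMessage")
    if isinstance(error_message, str):
        for r in responses:
            if r["selectionPattern"] and re.fullmatch(r["selectionPattern"], error_message):
                return r
    return next(r for r in responses if r["selectionPattern"] is None)


def render(lambda_result: dict, responses=INTEGRATION_RESPONSES):
    """Status code and body the client receives after the integration response mapping."""
    chosen = select_integration_response(lambda_result, responses)
    return int(chosen["statusCode"]), chosen["template"](lambda_result)
```

The last assertion in the test is the reason the catch-all is there: without it, an unhandled exception in the function falls through to the default 200 mapping, and the raw Lambda error object, stack trace included, is what the client gets back.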
Monitoring
CloudWatch contains a lot of default metrics for your API Gateways.
These include:
• number of HTTP 4xx and 5xx responses
• execution & integration errors
• integration latency
Besides that, you can enable API GW to write access logs and execution logs to CloudWatch. Be careful with execution logging of full request/response data: it stores complete headers and bodies, which may contain credentials and personal data.
Pricing
For the first 12 months, you get 1M API calls per month for free.
It also includes 1M messages & 750k connection minutes for WebSockets.
Beyond that:
• HTTP APIs: $1.2/M requests
• REST APIs: $3.5/M requests
• WebSockets: $1.1/M messages
You may also leverage third-party tools like Dashbird.io for enhanced monitoring of your API Gateways.
It gives you a real-time overview of all API executions, detects errored requests within them, and lets you quickly identify the root cause.
That's it for API Gateway.
Credits go to an awesome post by @alexbdebrie
To be honest: I learned a lot here, even though I already knew most things about API Gateway!
It's a must-read & covers even more details!
alexdebrie.com
Thank you for reading to the end!
If you've enjoyed this, ♻️ or ♥️ the initial post so others can see it too.
Also, follow me & @thedashbird if you're interested in regular cloud & serverless content.