Amazon API Gateway

Amazon API Gateway is a fully-managed service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. APIs act as the front door for applications to access data, business logic, or functionality from backend services. Using Amazon API Gateway, users can create RESTful APIs and WebSocket APIs that enable real-time, two-way communication applications. Amazon API Gateway supports a variety of backend integrations, enabling containerized, serverless, and traditional instance-based workloads. API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls.

  • This includes traffic management, cross-origin resource sharing (CORS) support, authorization and access control, throttling, monitoring, and API version management.
  • API developers can create APIs that access AWS or other web services, as well as data stored in the AWS Cloud. As an Amazon API Gateway API developer, users can create APIs for use in their own client applications.
  • Amazon API Gateway has no minimum fees or startup costs. Users pay based on the API calls received, and the amount of data transferred out. With the Amazon API Gateway tiered pricing model, cost per million invocations reduces as API usage scales.

Amazon API Gateway Benefits

Amazon API Gateway enables users to run multiple versions of the same API simultaneously, so that applications can continue to call previous API versions even after newer versions are published. Amazon API Gateway also helps users manage multiple release stages for each API version, such as alpha, beta, and production. Each API stage can be configured to interact with different backend endpoints based on the API setup. Stage and version management allow users to test new API versions while ensuring backward compatibility as user communities transition to adopt the latest release.

Amazon API Gateway authorizes access to users' APIs with AWS Identity and Access Management (IAM) and Amazon Cognito. API Gateway supports OpenAPI specification versions 2 and 3 for import and export of APIs, and authorization with native OpenID Connect and OAuth 2.0 token parsing. To support custom authorization requirements, users can execute a Lambda authorizer from AWS Lambda. Users can monitor performance metrics and information on API calls, data latency, and error rates from the API Gateway dashboard, which allows them to visually monitor calls to services using Amazon CloudWatch.

Amazon API Gateway is an always-on, scalable service that supports practically any load with no warm-up limitations. It provides users with the lowest possible latency for API requests and responses by accelerating content delivery with global edge network locations using Amazon CloudFront. It can also handle bursts of traffic for workloads while throttling and authorizing API calls, to help ensure that backend operations can withstand traffic spikes and not be unnecessarily called.

Amazon API Gateway Features

Amazon API Gateway offers stateful (WebSocket) and stateless (HTTP and REST) APIs. HTTP APIs are the best way to build APIs that do not require API management features. HTTP APIs are optimized for serverless workloads and HTTP backends—they offer up to 71% cost savings and 60% latency reduction compared to REST APIs from API Gateway.

HTTP API: HTTP APIs are optimized for building APIs that proxy to AWS Lambda functions or HTTP backends, making them ideal for serverless workloads. They do not currently offer API management functionality.

  • For workloads that require API proxy functionality and API management features in a single solution, such as usage plans and API keys, API Gateway offers REST APIs.

REST API: REST APIs offer API proxy functionality and API management features in a single solution. REST APIs offer API management features such as usage plans, API keys, publishing, and monetizing APIs.

  • To see a side-by-side comparison of supported features for HTTP APIs and REST APIs, visit AWS documentation.

WebSocket API: WebSocket APIs maintain a persistent connection between connected clients to enable real-time message communication. With WebSocket APIs in API Gateway, users can define backend integrations with AWS Lambda functions, Amazon Kinesis, or any HTTP endpoint to be invoked when messages are received from the connected clients.

  • To build real-time two-way communication applications, such as chat apps and streaming dashboards, use WebSocket APIs.

To authorize and verify API requests to AWS services, Amazon API Gateway lets users leverage Signature Version 4 for REST APIs and WebSocket APIs. API Gateway uses powerful, flexible authentication mechanisms, such as AWS Identity and Access Management policies, Lambda authorizer functions, and Amazon Cognito user pools. Users can use the following mechanisms for authentication and authorization:

  • Resource policies: Enables users to create resource-based policies to allow or deny access to the APIs and methods from specified source IP addresses or VPC endpoints. 
  • Standard AWS IAM roles and policies: offer flexible and robust access controls that can be applied to an entire API or individual methods. IAM roles and policies can be used for controlling who can create and manage the APIs, as well as who can invoke them. 
  • IAM tags can be used together with IAM policies to control access.
  • Endpoint policies for interface VPC endpoints allow users to attach IAM resource policies to interface VPC endpoints to improve the security of users' private APIs.
  • Lambda authorizers are Lambda functions that control access to REST API methods using bearer token authentication—as well as information described by headers, paths, query strings, stage variables, or context variables in the request.
  • Amazon Cognito user pools let users create customizable authentication and authorization solutions for the REST APIs. Amazon Cognito user pools are used to control who can invoke REST API methods. 
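As an added example (not code from this page or from AWS), the following Python TOKEN-type Lambda authorizer shows the contract the Lambda authorizer bullet describes for a REST API: the bearer token arrives in event["authorizationToken"], the method being invoked arrives in event["methodArn"], and the function returns an IAM policy document scoped to the methods the caller may invoke. The token table, the scope names and the verb-to-scope mapping are assumptions constructed for this example; a real authorizer would validate a signed token against the identity provider.

```python
"""Added example: a TOKEN-type Lambda authorizer for an API Gateway REST API.
Not code from the page or from AWS; token table and scopes are constructed."""
import fnmatch
import hmac
import re

# Constructed sample credential table for the example only. A real authorizer
# would validate a signed token (for example a JWT) against the identity provider.
VALID_TOKENS = {
    "tok-reader-001": {"principalId": "reader", "scopes": {"tickets:read"}},
    "tok-admin-002": {"principalId": "admin", "scopes": {"tickets:read", "tickets:write"}},
}

# Assumption for the example: the scope each HTTP verb on the API requires.
REQUIRED_SCOPE = {"GET": "tickets:read", "POST": "tickets:write", "DELETE": "tickets:write"}

# Method ARN format API Gateway supplies in event["methodArn"]:
# arn:aws:execute-api:{region}:{account}:{api-id}/{stage}/{verb}/{resource-path}
ARN_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]+):(?P<account>\d+):(?P<api>[^/]+)/"
    r"(?P<stage>[^/]+)/(?P<verb>[A-Z]+)/(?P<path>.*)$"
)


def lookup_token(token):
    """Return the identity for a token, comparing in constant time."""
    for candidate, identity in VALID_TOKENS.items():
        if hmac.compare_digest(candidate.encode(), token.encode()):
            return identity
    return None


def build_policy(principal_id, resources, context):
    """IAM policy document in the shape API Gateway expects from a REST API authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": resources}
            ],
        },
        "context": context,
    }


def handler(event, context=None):
    """TOKEN authorizer entry point. Raising Exception("Unauthorized") makes API
    Gateway answer 401; a returned policy that does not cover the method yields 403."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Exception("Unauthorized")
    identity = lookup_token(token)
    if identity is None:
        raise Exception("Unauthorized")
    m = ARN_RE.match(event["methodArn"])
    if m is None:
        raise Exception("Unauthorized")
    # API Gateway caches the response per token, so list every method this
    # principal may call, not only the current one; anything else is implicitly denied.
    prefix = f"arn:aws:execute-api:{m['region']}:{m['account']}:{m['api']}/{m['stage']}"
    resources = sorted(
        f"{prefix}/{verb}/*" for verb, scope in REQUIRED_SCOPE.items() if scope in identity["scopes"]
    )
    scopes = " ".join(sorted(identity["scopes"]))
    return build_policy(identity["principalId"], resources, {"scopes": scopes})


def is_allowed(policy, method_arn):
    """Local approximation of how the returned policy is evaluated for a method ARN:
    an explicit Deny wins, a matching Allow permits, no match is an implicit deny."""
    matched_allow = False
    for stmt in policy["policyDocument"]["Statement"]:
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(method_arn, pattern) for pattern in res):
            if stmt["Effect"] == "Deny":
                return False
            matched_allow = True
    return matched_allow
```

A reader token yields a policy that allows GET on the stage but not POST, so a later POST with the same cached token is rejected with 403 rather than silently allowed; an unknown token or a missing Bearer scheme raises "Unauthorized", which API Gateway turns into 401.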

After an API is deployed and in use, Amazon API Gateway provides users with a dashboard to visually monitor calls to the services. The Amazon API Gateway console is integrated with Amazon CloudWatch, so users get backend performance metrics such as API calls, latency, and error rates. Because Amazon API Gateway uses CloudWatch to record monitoring information, users can set up custom alarms on API Gateway APIs. Amazon API Gateway can also log API execution errors to CloudWatch Logs to make debugging easier.

Users can monitor API execution by using CloudWatch, which collects and processes raw data from API Gateway into readable, near-real-time metrics. These statistics are recorded for a period of 15 months so that users can access historical information and gain a better perspective on how the web application or service is performing. By default, API Gateway metric data is automatically sent to CloudWatch in one-minute periods. The following are some common uses for the metrics: 

  • Monitor the IntegrationLatency metrics to measure the responsiveness of the backend.
  • Monitor the Latency metrics to measure the overall responsiveness of the API calls.
  • Monitor the CacheHitCount and CacheMissCount metrics to optimize cache capacities to achieve a desired performance.

When using REST APIs, API Gateway helps manage the ecosystem of third-party developers accessing users' APIs. Users can create API keys on API Gateway, set fine-grained access permissions on each API key, and distribute them to third-party developers to access the APIs. A developer portal is an application that can be used to make APIs available to third-party developers.

Users can use the Serverless Developer Portal to publish API Gateway managed APIs directly from API Gateway. Users can also use it to publish non-API Gateway managed APIs by uploading OpenAPI definitions for them. When publishing APIs in a developer portal, third-party developers can easily:

  • Discover which APIs are available.
  • Browse the API documentation.
  • Register for—and immediately receive—their own API key that can be used to build applications.
  • Try out your APIs in the developer portal UI.
  • Monitor their own API usage.

Users can also define plans that set throttling and request quota limits for each individual API key. The use of API keys is completely optional and must be enabled on a per-method level. Amazon API Gateway provides throttling at multiple levels, including global and by service call. Throttling ensures that API traffic is controlled to help users' backend services maintain performance and availability.


With Amazon API Gateway, users can quickly and easily create a custom API for their code running in AWS Lambda and then call the Lambda code from the API. Amazon API Gateway can execute AWS Lambda code in users' accounts, start AWS Step Functions state machines, or make calls to AWS Elastic Beanstalk, Amazon EC2, or web services outside of AWS with publicly accessible HTTP endpoints. Using the API Gateway console, users can define the REST API and its associated resources and methods, manage the API lifecycle, generate the client SDKs, and view API metrics.

Canary release is a software development strategy in which a new version of an API (as well as other software) is deployed for testing purposes, and the base version remains deployed as a production release for normal operations on the same stage. 

In a canary release deployment, total API traffic is separated at random into a production release and a canary release with a pre-configured ratio. Typically, the canary release receives a small percentage of API traffic and the production release takes up the rest. The updated API features are only visible to API traffic through the canary. 

By keeping canary traffic small and the selection random, most users are not adversely affected at any time by potential bugs in the new version, and no single user is adversely affected all the time.

When using REST APIs, Amazon API Gateway can generate client SDKs for a number of platforms which users can use to quickly test new APIs from the applications and distribute SDKs to third-party developers. The generated SDKs handle API keys and sign requests using AWS credentials. API Gateway can generate client SDKs for Java, JavaScript, Java for Android, Objective-C or Swift for iOS, and Ruby. Users can use AWS CLI to generate and download an SDK of an API for a supported platform by calling the get-sdk command.

When using REST APIs, Amazon API Gateway enables users to run multiple versions of the same API simultaneously so that applications can continue to call previous API versions even after the latest versions are published. Amazon API Gateway also helps manage multiple release stages for each API version, such as alpha, beta, and production. Each API stage can be configured to interact with different backend endpoints based on the API setup.

  • Specific stages and versions of an API can be associated with a custom domain name and managed through API Gateway.
  • Stage and version management allow users to easily test new API versions that enhance or add new functionality to earlier API releases, and ensures backward-compatibility as user communities transition to adopt the latest release.

API and Endpoint Types

API Types

Amazon API Gateway supports multiple API types and a variety of architectural patterns:

  • HTTP APIs: Using HTTP APIs, users can build stateless RESTful APIs optimized for serverless workloads and HTTP backends. HTTP APIs are the best choice for building APIs that require only API proxy functionality. If users’ APIs require API proxy functionality and API management features in a single solution, API Gateway also offers REST APIs.
  • WebSocket APIs: Using WebSocket APIs, users can build real-time, two-way communication applications, such as chat apps and streaming dashboards. Amazon API Gateway maintains a persistent connection to handle message transfer between users' backend service and their clients.

Endpoint Types

Amazon API Gateway offers three types of endpoints:

  • Private API endpoints: Private API endpoints can be accessed only from users Amazon Virtual Private Cloud (Amazon VPC) and approved subnets using an interface VPC endpoint.
  • Regional API endpoints: Regional API endpoints terminate transport layer security (TLS) within the API deployment in users' chosen AWS region. This is suggested for use cases where API client calls originate in the same region, or when users want to manage their own Amazon CloudFront distribution with a regional API Gateway endpoint as its origin for dynamic content. This is the default selection for HTTP and WebSocket API Gateway endpoints.
  • Edge-optimized API endpoints: Edge-optimized API endpoints provide API access to geographically distributed clients with managed edge network acceleration built-in. This is the default selection for REST API Gateway endpoints. It should not be used for APIs where clients consist of other services within the same region, or when users require granular control of CloudFront CDN caching behaviors. Client TLS termination occurs at the CloudFront edge location where the API request is first routed, and AWS manages TLS termination between CloudFront and API Gateway instances.

Security Design Principles

Building on the principles of the Security Pillar of the AWS Well-Architected Framework, the following design principles can help strengthen and secure workloads that use Amazon API Gateway:

  • Understand the AWS security and compliance Shared Responsibility Model: Security and Compliance is a shared responsibility between AWS and the customer. Understanding this shared model can help reduce the operational burden.
  • Protect data in-transit and at-rest: Classify users data into sensitivity levels and use mechanisms, such as encryption, tokenization, and access control, where appropriate.
  • Implement a strong identity and access foundation: Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with users AWS resources. Centralize identity management, and aim to eliminate long-lived credentials through integrated authentication and authorization.
  • Minimize attack surface area: When architecting the application, examine the connectivity requirements of each component and restrict the options to the minimum exposure possible.
  • Mitigate Distributed Denial of Service (DDoS) attack impacts: Architect the application for, and prepare teams to deal with, the impacts of DDoS attacks.
  • Implement inspection and protection: Inspect and filter traffic: For components transacting over HTTP-based protocols, a web application firewall (WAF) can help protect from common attacks.
  • Enable auditing and traceability: Monitor, alert, and audit actions and changes to the environment in real-time. Integrate log and metric collection with systems to automatically investigate and take action.
  • Automate security best practices: Automated software-based security mechanisms help improve the ability to securely scale more rapidly and cost effectively.
  • Apply security at all layers: Apply a defense in-depth approach with multiple security controls. Apply to all layers (for example, edge of network, VPC, load balancing, every instance and compute service, operating system, application, and code).

Amazon API Gateway Use Cases

#01

HTTP APIs

HTTP APIs let users build stateless RESTful APIs optimized for serverless workloads and HTTP backends. HTTP APIs are the best choice for building APIs that require only API proxy functionality. If the APIs require API proxy functionality and API management features in a single solution, API Gateway also offers REST APIs. Amazon API Gateway creates RESTful APIs that:

  • Are HTTP-based.
  • Enable stateless client-server communication.
  • Implement standard HTTP methods such as GET, POST, PUT, PATCH, and DELETE.

HTTP APIs are optimized for building APIs that proxy to AWS Lambda functions or HTTP backends, making them ideal for serverless workloads. HTTP APIs are a cheaper and faster alternative to REST APIs, but they do not currently support API management functionality. REST APIs are intended for APIs that require API proxy functionality and API management features in a single solution. HTTP APIs are ideal for:

  1. Building proxy APIs for AWS Lambda or any HTTP endpoint
  2. Building modern APIs that are equipped with OIDC and OAuth 2 authorization 
  3. Workloads that are likely to grow very large
  4. APIs for latency sensitive workloads

An Amazon API Gateway REST API is made up of resources and methods. A resource is a logical entity that an app can access through a resource path (e.g., /tickets). A method corresponds to a REST API request that is submitted to an API resource (e.g., GET /tickets). Amazon API Gateway allows users to back each method with a Lambda function, that is, when calling the API through the HTTPS endpoint exposed in API Gateway, API Gateway invokes the Lambda function. Users can connect API Gateway and Lambda functions using Proxy Integrations and Non-Proxy Integrations.

  • Proxy Integrations: In a Proxy Integration, the entire client HTTPS request is sent to the Lambda function “as-is.” Amazon API Gateway passes the entire client request as the event parameter of the Lambda handler function, and the output of the Lambda function is returned directly to the client (including status code, headers, and so on).
  • Non-Proxy Integrations: In a Non-Proxy Integration, users configure how the parameters, headers, and body of the client request are passed to the event parameter of the Lambda handler function. Additionally, users configure how the Lambda output is translated back to the client. Note that Amazon API Gateway can also proxy to additional serverless resources outside AWS Lambda, such as mock integrations (useful for initial application development), and direct proxy to S3 objects.
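As an added example (not from the page or from AWS), the Python Lambda handler below is written for the proxy integration described above, for a hypothetical /tickets resource with GET and POST methods: it reads httpMethod, path, body and isBase64Encoded from the proxy event, validates the JSON body against a small constructed schema so that non-conforming requests are rejected before any backend work happens, and returns the statusCode/headers/body object that API Gateway passes straight back to the client. The ticket schema, size limit and in-memory store are assumptions for this example.

```python
"""Added example: a Lambda proxy-integration handler for a hypothetical
GET/POST /tickets method. Not the page's or AWS's code; schema and store are constructed."""
import base64
import json

MAX_BODY_BYTES = 4096                        # assumption: reject oversized payloads early
ALLOWED_PRIORITIES = {"low", "normal", "high"}
TICKETS = {}                                 # constructed in-memory store standing in for a database


def _response(status, body, extra_headers=None):
    """Shape API Gateway expects back from a proxy integration."""
    headers = {
        "Content-Type": "application/json",
        "Cache-Control": "no-store",
        "X-Content-Type-Options": "nosniff",
    }
    headers.update(extra_headers or {})
    return {"statusCode": status, "headers": headers, "body": json.dumps(body)}


def _decode_body(event):
    """Return the parsed JSON body; raises ValueError on bad encoding, bad JSON or size."""
    raw = event.get("body") or ""
    if event.get("isBase64Encoded"):
        raw = base64.b64decode(raw).decode("utf-8")
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    return json.loads(raw) if raw else {}


def validate_ticket(payload):
    """Return a list of validation errors; an empty list means the payload conforms."""
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    errors = []
    title = payload.get("title")
    if not isinstance(title, str) or not 1 <= len(title) <= 120:
        errors.append("title must be a string of 1-120 characters")
    if payload.get("priority", "normal") not in ALLOWED_PRIORITIES:
        errors.append("priority must be one of low, normal, high")
    unknown = set(payload) - {"title", "priority"}
    if unknown:
        errors.append("unknown fields: " + ", ".join(sorted(unknown)))
    return errors


def handler(event, context=None):
    """Lambda entry point for the proxy integration."""
    method = event.get("httpMethod")
    path = event.get("path")
    # The caller identity comes from the authorizer via requestContext, never from client headers.
    authorizer = event.get("requestContext", {}).get("authorizer") or {}
    principal = authorizer.get("principalId", "anonymous")
    if path != "/tickets":
        return _response(404, {"message": "not found"})
    if method == "GET":
        return _response(200, {"tickets": list(TICKETS.values())})
    if method != "POST":
        return _response(405, {"message": "method not allowed"}, {"Allow": "GET, POST"})
    try:
        payload = _decode_body(event)
    except ValueError:               # covers JSONDecodeError, base64 and unicode errors, size limit
        return _response(400, {"message": "malformed request body"})
    errors = validate_ticket(payload)
    if errors:
        return _response(422, {"errors": errors})
    ticket_id = f"t-{len(TICKETS) + 1:04d}"
    TICKETS[ticket_id] = {
        "id": ticket_id,
        "title": payload["title"],
        "priority": payload.get("priority", "normal"),
        "owner": principal,
    }
    return _response(201, TICKETS[ticket_id])
```

Because the proxy integration returns the handler's output verbatim, the handler owns the response headers; setting Cache-Control and X-Content-Type-Options here is what reaches the client, which is the reason they are part of every response rather than only the success path.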

Amazon API Gateway supports multiple mechanisms for controlling and managing access to an HTTP API:

  • Lambda authorizers use Lambda functions to control access to APIs. 
  • JWT authorizers use JSON web tokens to control access to APIs. 
  • Standard AWS IAM roles and policies offer flexible and robust access controls. Users can use IAM roles and policies to control who can create and manage the APIs, as well as who can invoke them.

#02

REST APIs

A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. Users can use API Gateway features to help with all aspects of the API lifecycle, from creation through monitoring the production APIs. Amazon API Gateway REST APIs use a request/response model where a client sends a request to a service and the service responds back synchronously. This kind of model is suitable for many different kinds of applications that depend on synchronous communication. REST APIs are ideal for:

  • Users looking to pay a single price point for an all-inclusive set of features needed to build, manage, and publish their APIs.

In Amazon API Gateway, users build a REST API as a collection of programmable entities known as API Gateway resources:

  • RestApi represents an API that can contain a collection of Resource entities.
  • Method defines the application programming interface for the client to access the exposed Resource and represents an incoming request submitted by the client.
  • Integration integrates the Method with a backend endpoint, also known as the integration endpoint, by forwarding the incoming request to a specified integration endpoint URI.
  • MethodResponse represents the response received by the client.
  • IntegrationResponse represents the response returned by the backend.

Amazon API Gateway offers three types of endpoints. An API endpoint type refers to the hostname of the API; it can be edge-optimized, regional, or private, depending on where the majority of the API traffic originates.

  • An edge-optimized API endpoint is best for geographically distributed clients. API requests are routed to the nearest CloudFront Point of Presence (POP). This is the default endpoint type for API Gateway REST APIs. Edge-optimized APIs capitalize the names of HTTP headers (for example, Cookie).
  • A regional API endpoint is intended for clients in the same region. When a client running on an EC2 instance calls an API in the same region, or when an API is intended to serve a small number of clients with high demands, a regional API reduces connection overhead. Regional API endpoints pass all header names through as-is.
  • A private API endpoint is an API endpoint that can only be accessed from users' Amazon Virtual Private Cloud (VPC) using an interface VPC endpoint, which is an endpoint network interface (ENI) that users create in the VPC. Private API endpoints pass all header names through as-is.

Users can use the following mechanisms for authentication and authorization to control and manage access to a REST API in Amazon API Gateway:

  • Resource policies let users create resource-based policies to allow or deny access to the APIs and methods from specified source IP addresses or VPC endpoints.
  • Standard AWS IAM roles and policies offer flexible and robust access controls that can be applied to an entire API or individual methods. IAM roles and policies can be used for controlling who can create and manage the APIs, as well as who can invoke them.
  • IAM tags can be used together with IAM policies to control access. For more information, see Using tags to control access to API Gateway resources.
  • Endpoint policies for interface VPC endpoints allow users to attach IAM resource policies to interface VPC endpoints to improve the security of the private APIs.
  • Lambda authorizers are Lambda functions that control access to REST API methods using bearer token authentication—as well as information described by headers, paths, query strings, stage variables, or context variables in the request. Lambda authorizers are used to control who can invoke REST API methods.
  • Amazon Cognito user pools let users create customizable authentication and authorization solutions for the REST APIs. Amazon Cognito user pools are used to control who can invoke REST API methods.

#03

WebSocket

A WebSocket API in Amazon API Gateway is a collection of WebSocket routes that are integrated between the client and service. It lets users build their business logic using HTTP-based backends such as AWS Lambda, Amazon Kinesis, or any other HTTP endpoint. While HTTP-based APIs use a request/response model, with a client sending a request to a service and the service responding synchronously back to the client, WebSocket-based APIs are bidirectional in nature. This means that a client can send messages to a service and a service can independently send messages to its clients.

Users can use Amazon API Gateway features to help with all aspects of the API lifecycle, from creation through monitoring of the production APIs. With WebSocket APIs, users can build real-time two-way communication applications, such as chat apps and streaming dashboards. API Gateway maintains a persistent connection to handle message transfer between users' backend service and their clients.

A WebSocket API in API Gateway has two resource types, called a route and a routeKey. A route describes how Amazon API Gateway should handle a particular type of client request, and includes a routeKey parameter, a value that users provide to identify the route. A WebSocket API is composed of one or more routes. To determine which route a particular inbound request should use, users need to provide a route selection expression. The expression is evaluated against an inbound request to produce a value that corresponds to one of the routes' routeKey values. There are three special routeKey values that Amazon API Gateway reserves for a route:

  • $default—API Gateway calls the $default route if the route selection expression cannot be evaluated against the message or if no matching route is found. This can be used, for example, to implement a generic error handling mechanism.
  • $connect—Amazon API Gateway calls the $connect route when a persistent connection between the client and a WebSocket API is being initiated.
  • $disconnect—The associated route is used when a client disconnects from the API. This call is made on a best-effort basis.
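An added example (not the page's or AWS's code) of the routing behaviour described above, modelled in Python: a route selection expression of $request.body.action (an assumption for this example) is evaluated against each inbound message, the handler registered for the matching routeKey runs, and messages that cannot be evaluated or match no route fall through to $default; $connect gates admission and $disconnect releases the connection. The Origin check in the $connect handler and the return-False convention for rejecting a connection are constructed for the example; a real $connect integration rejects by returning a non-2xx response.

```python
"""Added example: a local model of WebSocket route selection with $connect,
$disconnect and $default. Not the page's or AWS's code; routes and messages are constructed."""
import json

# Assumption for the example: the API's route selection expression.
ROUTE_SELECTION_EXPRESSION = "$request.body.action"


def evaluate_expression(expression, raw_message):
    """Resolve a '$request.body.<field>[.<field>...]' expression against a message.
    Returns the string value, or None when the expression cannot be evaluated
    (non-JSON body, missing field, non-string value)."""
    prefix = "$request.body."
    if not expression.startswith(prefix):
        return None
    try:
        value = json.loads(raw_message)
    except (ValueError, TypeError):
        return None
    for part in expression[len(prefix):].split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value if isinstance(value, str) else None


class WebSocketRouter:
    """Minimal stand-in for API Gateway's route dispatch, for illustration only."""

    def __init__(self, expression):
        self.expression = expression
        self.routes = {}            # routeKey -> handler(connection_id, payload)
        self.connections = set()

    def route(self, key):
        def register(fn):
            self.routes[key] = fn
            return fn
        return register

    def connect(self, connection_id, headers):
        """$connect is the only point at which a client can be refused before any message flows."""
        handler = self.routes.get("$connect")
        if handler is not None and handler(connection_id, headers) is False:
            return 403          # constructed convention: False from the handler means reject
        self.connections.add(connection_id)
        return 200

    def disconnect(self, connection_id):
        """$disconnect is best-effort: the connection is dropped whether or not the handler runs."""
        self.connections.discard(connection_id)
        handler = self.routes.get("$disconnect")
        if handler is not None:
            handler(connection_id, None)

    def dispatch(self, connection_id, raw_message):
        if connection_id not in self.connections:
            return {"error": "unknown connection"}
        key = evaluate_expression(self.expression, raw_message)
        handler = self.routes.get(key) if key is not None else None
        if handler is None:                       # unevaluable or unmatched -> $default
            handler = self.routes.get("$default")
        if handler is None:
            return {"error": "no matching route and no $default route"}
        return handler(connection_id, raw_message)


router = WebSocketRouter(ROUTE_SELECTION_EXPRESSION)


@router.route("$connect")
def on_connect(connection_id, headers):
    # Constructed admission check: only the known front end may open a connection.
    return headers.get("Origin") == "https://app.example.com"


@router.route("sendmessage")
def on_send(connection_id, raw):
    return {"route": "sendmessage", "echo": json.loads(raw).get("data")}


@router.route("$default")
def on_default(connection_id, raw):
    return {"route": "$default", "error": "unknown action"}
```

A message whose body is not JSON, whose action field is missing, or whose action names no route all land on $default, which is why that route is the natural place for a generic error reply and for logging unexpected client input.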

API developers can use API Gateway WebSocket APIs to build secure, real-time communication applications without having to provision or manage any servers to manage connections or large-scale data exchanges. The targeted use cases of WebSocket API include real-time applications such as:

  • Chat applications
  • Real-time dashboards such as stock tickers
  • Real-time alerts and notifications

An app developer builds a functioning application to call AWS services by invoking a WebSocket or REST API created by an API developer in API Gateway. The app developer is the customer of the API developer. Amazon API Gateway provides WebSocket API management functionality such as the following:

  • Monitoring and throttling of connections and messages
  • Using AWS X-Ray to trace messages as they travel through the APIs to backend services
  • Easy integration with HTTP/HTTPS endpoints

Amazon API Gateway supports multiple mechanisms for controlling and managing access to a WebSocket API. Users can use the following mechanisms for authentication and authorization:

  • Standard AWS IAM roles and policies offer flexible and robust access controls. Users can use IAM roles and policies for controlling who can create and manage the APIs, as well as who can invoke them. 
  • IAM tags: IAM tags can be used together with IAM policies to control access. 
  • Lambda authorizers are Lambda functions that control access to APIs.

Integrations 

By integrating AWS resources, users can enable auditing and traceability of API Gateway. Users can monitor and audit Amazon API Gateway using many AWS capabilities and services.

Amazon CloudWatch

Amazon CloudWatch is the foundational monitoring and observability service for AWS. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing a unified view of AWS resources, applications, and services. Users can use CloudWatch to detect anomalous behavior in their environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to help keep the APIs running smoothly.

  • Amazon CloudWatch Metrics API Gateway: CloudWatch reports a number of default metrics, such as the number of requests, 4xx errors, 5xx errors, latency, and integration latency. If caching is enabled, cache hit and miss counts are reported. For REST APIs, these filters are based on API Name and Stage. For HTTP APIs, it’s API ID and Stage.
  • Amazon CloudWatch Alarms: Users can choose a CloudWatch metric and monitor when a threshold is crossed. Alarms can be metric alarms or composite alarms. A metric alarm watches a single CloudWatch metric, or the result of a math expression based on CloudWatch metrics. A composite alarm watches a rule expression that takes into account the alarm states of other alarms users created. 
  • Amazon CloudWatch Alarms have the capability to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic. When a target threshold for error rate is breached, subscribers can receive email notification, a Lambda function could be triggered, or a message can be published to a HTTP/S target.
  • Amazon CloudWatch Logs: There are two types of logging available in CloudWatch for Amazon API Gateway: execution logs and access logging. CloudWatch Logs are disabled by default. Users must grant API Gateway permission to write logs to CloudWatch for their account. In execution logging, Amazon API Gateway manages the format of the CloudWatch logs. API Gateway creates CloudWatch log groups and log streams, recording any caller’s requests and responses payloads (up to 1 kb), data used by Lambda authorizers
  • Access logs capture who has accessed the API, and how the caller accessed the API. Users can create their own log group, or choose an existing log group that can be managed by API Gateway. Logs can be formatted using Common Log Format (CLF), JSON, XML, or CSV. It’s also possible to configure access logging to direct events to Amazon Kinesis Data Firehose, bypassing CloudWatch Logs.
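As an added example (not part of the page), the JSON access-log format below is built from $context variables of the kind the access logging bullet describes, and the Python functions parse constructed log lines in that format to surface two things a security team would alarm on: a burst of 401/403 responses from a single source IP, and the 5xx rate per resource path. The log lines, addresses, request ids and thresholds are constructed for the example; which $context variables to include in the format is an assumption.

```python
"""Added example: a JSON access-log format for an API Gateway stage and
detection logic run over constructed log lines. Not the page's or AWS's code."""
import json
from collections import Counter

# Value of the stage's access-log format setting. API Gateway substitutes each
# $context variable per request; all substituted values arrive as strings.
ACCESS_LOG_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "ip": "$context.identity.sourceIp",
    "requestTime": "$context.requestTime",
    "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath",
    "status": "$context.status",
    "principal": "$context.authorizer.principalId",
    "responseLength": "$context.responseLength",
})


def _line(rid, ip, method, path, status, principal="-"):
    """Build one constructed log line in the format above (status quoted, as in real logs)."""
    return json.dumps({
        "requestId": rid,
        "ip": ip,
        "requestTime": "10/Oct/2023:13:40:00 +0000",
        "httpMethod": method,
        "resourcePath": path,
        "status": str(status),
        "principal": principal,
        "responseLength": "128",
    })


# Constructed sample: three successes and one 502 from a legitimate client,
# six 403s from one address probing /admin, and one malformed line.
SAMPLE_LOG = "\n".join(
    [_line("r-%03d" % i, "198.51.100.7", "GET", "/tickets", 200, "reader") for i in range(1, 4)]
    + [_line("r-004", "198.51.100.7", "GET", "/tickets", 502, "reader")]
    + [_line("r-%03d" % i, "203.0.113.10", "POST", "/admin", 403) for i in range(5, 11)]
    + ["this line is not JSON and is skipped by the parser"]
)


def parse_access_log(text):
    """Yield one dict per well-formed line, with status converted to int; skip the rest."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            entry["status"] = int(entry["status"])
        except (ValueError, KeyError, TypeError):
            continue
        yield entry


def find_auth_failure_bursts(entries, threshold=5):
    """Source IPs with at least `threshold` 401/403 responses: repeated authorization failures."""
    counts = Counter(e["ip"] for e in entries if e["status"] in (401, 403))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def backend_error_rate(entries):
    """Fraction of 5xx responses per resource path, the signal behind a 5xx alarm."""
    totals, errors = Counter(), Counter()
    for e in entries:
        totals[e["resourcePath"]] += 1
        if 500 <= e["status"] < 600:
            errors[e["resourcePath"]] += 1
    return {path: errors[path] / totals[path] for path in totals}
```

The parser tolerates malformed lines rather than aborting, because a single corrupt record must not hide the burst of failures around it; the same two functions apply unchanged to lines delivered through Kinesis Data Firehose.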

AWS CloudTrail

Using AWS CloudTrail, users can implement governance, compliance, operational auditing, and risk auditing of their AWS account activity, including API Gateway. CloudTrail enables users to log, continuously monitor, and retain account activity, providing a complete event history of API Gateway management actions taken. Management actions include creating, deploying, or updating API operations invoked through the AWS Management Console, AWS SDKs, and command line tools.

  • Using CloudTrail, users can optionally encrypt the log files using Amazon Key Management Service (KMS) and also leverage the CloudTrail log file integrity validation for positive assertion.
  • CloudTrail can detect when management API calls are made against API Gateway, and send notifications to Amazon EventBridge. EventBridge is a serverless event bus service that enables users to connect their applications with data from a variety of sources. EventBridge has the ability to direct messages to a number of available targets based on matched rules. 

AWS Config

AWS Config provides users with a set of AWS managed rules to evaluate whether their AWS resources comply with common best practices. Users can write their own custom rules to identify whether a resource is compliant or not. They can manually or automatically remediate non-compliant resources. With AWS Config, users can track specific configuration changes to their API Gateway resources, and send notifications based on resource changes. These include:

  • Changes to API configurations: Changes to API configurations include endpoint configuration, version, protocol, and tags.
  • Changes to deployments and stages: Changes to deployments and stages includes cache cluster settings, throttle settings, access log settings, and active deployment set on the stage.

AWS X-Ray

Using AWS X-Ray, users can analyze and debug distributed Amazon API Gateway-based applications. This helps to understand the performance of the application and its underlying services, so users can eventually identify and troubleshoot the root cause of performance issues and errors. X-Ray’s end-to-end view of requests as they travel through the application shows a map of the application’s underlying components, so they can analyze the application during development and in production.

Security

Apply Security at All Layers

It is important to apply security at all layers to enable a defense-in-depth strategy. For a serverless application, holistic security can include the following:

  • Application identity is managed with a secure identity provider such as Amazon Cognito, enabling secure sign-up, sign-in, and federation.
  • DDoS protection is implemented with AWS Shield and AWS WAF to mitigate both network- and application-layer attacks. AWS WAF is configured to block cross-site scripting, SQL injection, bad bots and user agents, and more.
  • Amazon Route 53 DNS is protected with AWS Shield, anycast striping, and shuffle sharding to increase availability. See Reduce DDoS Risks Using Amazon Route 53 and AWS Shield.
  • Amazon CloudFront enables further DDoS mitigation by spreading any DDoS traffic across 100+ edge locations while accelerating and caching content. It accelerates delivery of both static content such as HTML, CSS, and JavaScript (JS) served from S3, and dynamic content served via API Gateway.
  • API Gateway implements CORS protection, restricts requests to valid clients and sources, and authorizes every request with the configured authorizers. It validates requests against defined resource policies, and request inputs against defined API models, so that any request that does not conform to the expected schema is rejected before the respective integration is invoked.
  • Once a request is authorized and the backend Lambda integration is invoked, the Lambda execution environment runs with a least-privilege IAM execution role. The role grants access exclusively to the Amazon DynamoDB table the function needs, with the minimum permission set possible. For relational databases, Lambda can authenticate to Amazon Aurora with AWS IAM instead of static credentials, and use pre-compiled (prepared) SQL statements to prevent SQL injection attacks.
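The model validation mentioned above is worth seeing concretely: API Gateway request models are JSON Schema draft 4 documents, and a request whose body does not conform is rejected with a 400 before any integration runs. The following is an added example, not code from the page or from AWS: a small hand-written validator covering the draft 4 keywords request models most often use (type, required, properties, additionalProperties, enum, minimum/maximum, maxLength, pattern, items, minItems), applied to a constructed "create order" model and constructed sample bodies. It is a teaching subset, not a replacement for a full JSON Schema library.

```python
"""Validate request bodies against an API Gateway-style model before the
integration runs. Added example, not from the page or AWS: a small validator
for the JSON Schema draft 4 keywords request models commonly use. The model
and the sample bodies are constructed."""
import re

# Constructed model. additionalProperties: false rejects unexpected fields so
# the integration only ever sees the documented shape.
ORDER_MODEL = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "CreateOrderRequest",
    "type": "object",
    "required": ["customerId", "items"],
    "additionalProperties": False,
    "properties": {
        "customerId": {"type": "string", "pattern": "^[A-Za-z0-9-]{8,36}$"},
        "note": {"type": "string", "maxLength": 200},
        "items": {
            "type": "array",
            "minItems": 1,
            "items": {
                "type": "object",
                "required": ["sku", "quantity"],
                "additionalProperties": False,
                "properties": {
                    "sku": {"type": "string", "enum": ["WIDGET", "GADGET"]},
                    "quantity": {"type": "integer", "minimum": 1, "maximum": 100},
                },
            },
        },
    },
}

_TYPES = {"object": dict, "array": list, "string": str,
          "boolean": bool, "number": (int, float), "integer": int}


def _type_ok(expected, value):
    # Python bools are ints; draft 4 treats boolean as a distinct type.
    if isinstance(value, bool):
        return expected == "boolean"
    return isinstance(value, _TYPES[expected])


def validate(schema, value, path="$"):
    """Return a list of 'path: problem' strings; an empty list means conformant."""
    if "type" in schema and not _type_ok(schema["type"], value):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: not one of {schema['enum']}")
    if isinstance(value, str):
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errors.append(f"{path}: does not match {schema['pattern']}")
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if isinstance(value, dict):
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required property missing")
        props = schema.get("properties", {})
        for key, sub in value.items():
            if key in props:
                errors.extend(validate(props[key], sub, f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: additional property not allowed")
    if isinstance(value, list):
        if "minItems" in schema and len(value) < schema["minItems"]:
            errors.append(f"{path}: fewer than {schema['minItems']} items")
        if "items" in schema:
            for i, sub in enumerate(value):
                errors.extend(validate(schema["items"], sub, f"{path}[{i}]"))
    return errors


def gateway_response(schema, body):
    """Mimic the gateway decision: 400 with the problems, or 200 to proceed."""
    errors = validate(schema, body)
    if errors:
        return {"statusCode": 400, "message": "Invalid request body", "errors": errors}
    return {"statusCode": 200, "message": "Request forwarded to integration"}


# Constructed sample bodies.
VALID_BODY = {"customerId": "cust-0001-abcd", "items": [{"sku": "WIDGET", "quantity": 2}]}
BAD_BODY = {
    "customerId": "bad id!",                                  # fails the pattern
    "items": [{"sku": "WIDGET", "quantity": 0, "price": 1}],  # below minimum, extra field
    "isAdmin": True,                                          # additional property
}

if __name__ == "__main__":
    print(gateway_response(ORDER_MODEL, VALID_BODY))
    print(gateway_response(ORDER_MODEL, BAD_BODY))
```

Rejecting fields the model does not declare (such as the constructed isAdmin flag above) is the part practitioners most often omit; without additionalProperties: false a client can smuggle unexpected attributes through to the integration, which then has to defend against them itself.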

API Gateway pricing

Amazon API Gateway

With Amazon API Gateway, you only pay when your APIs are in use. There are no minimum fees or upfront commitments. For HTTP APIs and REST APIs, users pay only for the API calls they receive and the amount of data transferred out. There are no data transfer out charges for Private APIs. However, AWS PrivateLink charges apply when using Private APIs in API Gateway. API Gateway also provides optional data caching charged at an hourly rate that varies based on the cache size selected. For WebSocket APIs, users only pay when the APIs are in use based on number of messages sent and received and connection minutes.

The API Gateway free tier includes one million HTTP API calls, one million REST API calls, one million messages, and 750,000 connection minutes per month for up to 12 months.

  • HTTP API: A RESTful API that is optimized for serverless workloads. Pay only for the API calls users make. For HTTP APIs, the API Gateway free tier includes one million API calls per month for up to 12 months.
  • REST API: A RESTful API that offers API proxy functionality and management features in a single solution. Pay only for the API calls users receive and the amount of data transferred out. There are no data transfer out charges for Private APIs. However, AWS PrivateLink charges apply when using Private APIs in API Gateway. API Gateway also provides optional data caching charged at an hourly rate that varies based on the cache size selected. For REST APIs, the API Gateway free tier includes one million API calls per month for up to 12 months.
  • WebSocket API: Maintains a persistent connection between connected clients to enable real-time message communication. Pay only for messages sent and received and the total number of connection minutes. Users may send and receive messages up to 128 kilobytes (KB) in size. Messages are metered in 32 KB increments, so a 33 KB message is metered as two messages. For WebSocket APIs, the API Gateway free tier includes one million messages (sent or received) and 750,000 connection minutes per month for up to 12 months.
