Amazon API Gateway
Last updated
API GW can be thought of as a bridge between different AWS services, or between the users of an application and its backend. It acts as the "front door" through which applications reach data, business logic or functionality in the backend services.
Amazon API Gateway is a fully managed service to create, publish, maintain, monitor and secure APIs at any scale, using API keys that are tracked through usage plans. Note that a usage plan can be used to put limits on a particular API, for example through quotas or throttling.
API Gateway supports RESTful APIs, WebSocket APIs and HTTP APIs.
These APIs can front containerized and serverless workloads as well as web applications. One such use case is the integration with Lambda:
API Gateway supports thousands of concurrent API calls, including traffic management, CORS support, authorization and access control, throttling, monitoring, and API version management.
The URL is of the format: https://<api-id>.execute-api.<region>.amazonaws.com/<stage-such-as-dev>/<resource-name-such-as-default>
Note that a stage can also have stage variables, which can be used to store configuration without modifying the code (for example, the backend URI for the uat stage and the prod stage can differ; each is stored in a stage variable, so the value is picked up dynamically at runtime and used by the API).
An HTTP or REST API GW can have versions, with each version having a method (GET/POST...), an authorization setting and an API key.
API Gateway can also be private and can be only accessed via VPC endpoints.
API GW also supports standard AWS IAM roles and policies, and endpoint policies for interface VPC endpoints.
Just like S3, it can also have a resource policy, which can be used to grant or restrict access for IAM users, source IP address ranges or CIDR blocks, and specified VPCs or VPC endpoints (in any AWS account).
Please note that it is best practice to specify the VPC ID for a private API GW in the policy condition.
The authorization workflow with IAM and resource policy can be highlighted as shown below:
It also supports Amazon Cognito User Pools.
A different kind of authorization it supports is Lambda Authorizers.
A Lambda authorizer is a Lambda function that controls access to the APIs behind an API Gateway. It can be used to build custom authentication or authorization beyond the usual IAM-based or API-key-based options.
It uses a custom authorization scheme:
based on a bearer token authentication strategy
uses request parameters to determine the caller's identity
There are two types:
TOKEN authorizer (token-based)
REQUEST authorizer (request parameter based)
Based on authorizer values, access can be granted or denied as shown below:
Note that the policy is usually cached for 30 seconds.
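As an added example that is not from the original page, here is a hypothetical Python TOKEN authorizer: it validates the bearer token, returns the IAM policy document that API Gateway evaluates and caches for the caller, and includes a small policy_allows helper that mimics how the gateway checks a cached policy against the next request. The token table, principal names and ARN values are constructed for the example.

```python
import hmac
from fnmatch import fnmatchcase

# Constructed sample identities. A real authorizer validates a signed token
# (for example a JWT from the identity provider) instead of a table lookup.
VALID_TOKENS = {
    "tok-reader-001": {"principal": "reader", "methods": ["GET"]},
    "tok-admin-002": {"principal": "admin", "methods": ["DELETE", "GET", "POST"]},
}

def lookup_token(token):
    """Find the identity behind a token using a constant-time comparison."""
    for known, identity in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return identity
    return None

def build_policy(principal_id, method_arn, methods):
    """Policy API Gateway caches per token: it allows every method in the caller's
    scope for the whole stage, not only the method being called, so a cached policy
    does not wrongly deny the caller's next request; anything unlisted is denied (403)."""
    # methodArn: arn:aws:execute-api:<region>:<acct>:<api-id>/<stage>/<METHOD>/<path>
    api_prefix, stage, _method, _path = method_arn.split("/", 3)
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": [f"{api_prefix}/{stage}/{m}/*" for m in methods],
            }],
        },
    }

def policy_allows(policy, method_arn):
    """Mirror API Gateway's check: is the method ARN covered by an Allow statement?"""
    for stmt in policy["policyDocument"]["Statement"]:
        if stmt["Effect"] == "Allow" and any(fnmatchcase(method_arn, r) for r in stmt["Resource"]):
            return True
    return False

def lambda_handler(event, context=None):
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    identity = lookup_token(token) if scheme.lower() == "bearer" and token else None
    if identity is None:
        # API Gateway maps this exact message to a 401 Unauthorized response
        raise Exception("Unauthorized")
    return build_policy(identity["principal"], event["methodArn"], identity["methods"])
```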
Head back to Lambda to complete setting up trigger and then use API Gateway URL