Amazon API Gateway
Create, publish, and manage APIs at any scale
API Gateway is like a receptionist for your backend services. When clients (web apps, mobile apps) need to call your backend (Lambda functions, EC2 servers, databases), they don't call directly; they go through API Gateway. API Gateway handles authentication, rate limiting, request validation, and routing. It's like having a front desk that checks IDs, enforces visiting hours, and directs visitors to the right department. API Gateway also transforms requests/responses, caches responses for performance, and provides detailed metrics. It's the front door to your APIs, making them secure, scalable, and easy to manage.
API Gateway supports three API types: REST APIs (full-featured, stateless), HTTP APIs (lightweight, lower cost), and WebSocket APIs (bidirectional communication). You define resources (URL paths), methods (GET, POST, etc.), and integrations (Lambda, HTTP endpoints, AWS services).
Key Capabilities
- Creates REST, HTTP, and WebSocket APIs; REST APIs support request/response transformation via VTL mapping templates, HTTP APIs offer lower latency and cost for proxy use cases
- WebSocket APIs maintain persistent two-way connections for real-time applications such as chat, live dashboards, and collaborative tools
- Lambda authorizers run custom authorization logic; Cognito authorizers validate JWTs directly, both gating access before requests reach backend integrations
- Usage plans and API keys enforce per-consumer rate limits and quotas for third-party API access
- Canary deployments route a configurable percentage of traffic to a new stage deployment for gradual rollout and testing
- Stage variables act as environment-specific configuration, allowing a single API definition to point to different Lambda aliases or backend URLs per stage
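As an added example (not code from the page or from AWS), here is a Python TOKEN-type Lambda authorizer of the kind the list above mentions: it verifies a bearer token and returns the IAM policy document API Gateway expects, distinguishing a rejected token (401) from a valid token that lacks the required scope (403). The HS256 shared secret, the `api:read` scope name, and the `mint_demo_token` helper are assumptions made so the example runs offline; a production authorizer would verify Cognito's RS256 tokens against the user pool JWKS with a JWT library.

```python
import base64, hashlib, hmac, json, time
# Constructed demo secret: a real authorizer verifies Cognito's RS256 tokens against the
# user pool JWKS with a JWT library; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_hs256_jwt(token: str, secret: bytes, now=None) -> dict:
    """Return the claims of a valid, unexpired HS256 JWT; raise ValueError otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def build_policy(principal_id: str, effect: str, resource: str, context=None) -> dict:
    """Response shape API Gateway expects from a Lambda authorizer."""
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}]},
            "context": context or {}}  # reaches the backend as $context.authorizer.*

def handler(event: dict, context=None) -> dict:
    """TOKEN-type authorizer: bad token -> 401, valid token without scope -> 403."""
    token = (event.get("authorizationToken") or "").removeprefix("Bearer ").strip()
    try:
        claims = verify_hs256_jwt(token, DEMO_SECRET)
        principal = claims["sub"]
    except (ValueError, KeyError, AttributeError, TypeError):
        raise Exception("Unauthorized")  # this exact message makes API Gateway answer 401
    effect = "Allow" if "api:read" in claims.get("scope", "").split() else "Deny"
    # With authorizer caching on, this policy is reused for the token's later calls, so a
    # Resource limited to this methodArn also denies other routes; keep the cache TTL short.
    return build_policy(principal, effect, event["methodArn"], {"scope": claims.get("scope", "")})

def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Constructed token for the demo only; in production the identity provider issues it."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```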
Gotchas & Constraints
- Gotcha #1: API Gateway has a 29-second timeout; long-running operations should be asynchronous (return immediately, process in the background).
- Gotcha #2: API Gateway charges per million requests plus data transfer; high-traffic APIs can be expensive.
- Constraints: maximum 10,000 requests/second per account per region (a quota increase can be requested), maximum 10 MB payload size, and maximum 29-second integration timeout for REST APIs.
A mobile app backend runs on Lambda functions: user authentication, profile management, content retrieval. Exposing the Lambda functions directly is insecure and hard to manage. They create an API Gateway REST API with resources: /auth (login/signup), /profile (get/update profile), /content (list/get content). They configure a Cognito authorizer, so every request must carry a valid JWT. They enable throttling at 1,000 requests/second per API key (to prevent abuse). They enable caching for the /content endpoint (5-minute TTL), which reduces Lambda invocations by 80%. They configure request validation to reject requests with invalid JSON or missing required fields before Lambda is invoked. They enable CloudWatch logging and create dashboards showing request count, latency, and error rates. When they need to add a new feature (/comments), they create a new resource and deploy it without affecting existing endpoints. They use API Gateway stages (dev, staging, prod) to test changes before production.
The Result
A secure API, 80% cost reduction via caching, and easy API management.