
API Gateway Introduction

Types of APIs

  • REST APIs (REpresentational State Transfer)
    • Usually uses JSON
  • SOAP (Simple Object Access Protocol)
    • Uses XML

What is API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create an API that acts as a "front door" for applications to access data, business logic, or functionality from your back-end services, such as applications running on EC2, code running on Lambda, or any web application.

What can API Gateway Do

  • Expose HTTPS endpoints to define a RESTful API
  • Connect serverlessly to services like Lambda and DynamoDB
  • Send each API endpoint to a different target
  • Run efficiently with low cost
  • Scale effortlessly
  • Track and control usage by API key (an API key identifies a client for usage plans and throttling; it is not an authentication mechanism, so a key alone does not protect an endpoint)
  • Throttle requests to prevent attacks and to stop a misbehaving client from exhausting the backend
  • Connect to CloudWatch to log all requests for monitoring
  • Maintain multiple versions of your API

How do I configure API Gateway

  • Define an API (container)
  • Define Resources and Nested Resources (URL Paths)
  • For each Resource:
    • Select supported HTTP methods (verbs)
    • Set security (IAM authorization, a Cognito user pool authorizer, or a Lambda authorizer; a method with no authorizer is public, and an API key requirement only ties calls to a usage plan)
    • Choose target (such as EC2, Lambda, DynamoDB, etc.)
    • Set request and response transformations
  • Deploy API to a stage
    • Uses the API Gateway domain by default
    • Can use a custom domain
    • Now supports AWS Certificate Manager: free SSL/TLS certs!

What is API Caching

You can enable API caching in API Gateway to cache your endpoint's responses. With caching, you reduce the number of calls made to your endpoint and improve the latency of requests to your API. When you enable caching for a stage, API Gateway caches responses from your endpoint for a specified TTL period, in seconds (default 300, maximum 3600; 0 disables the cache). API Gateway then answers a matching request from the cache instead of calling your endpoint. Two caveats: the cache entry is keyed on the method and resource path plus only those query strings, headers or path parameters you explicitly mark as cache key parameters, so a response that depends on the caller (for example on the Authorization header) must have that parameter in the key or one user's data will be served to another; and a client can request invalidation with a Cache-Control: max-age=0 header, so keep the stage's "require authorization" setting for invalidation enabled, otherwise any caller can bypass the cache and hit the backend directly.

Same-Origin Policy

In computing, the Same-Origin Policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page only if both pages have the same origin (scheme, host and port).

This stops a page on one site from reading data, including authenticated responses, from another site the user is logged in to. It is not a defence against Cross-Site Scripting (XSS): injected script runs with the origin of the page it was injected into, so the policy does not restrict it.

  • Enforced by web browsers
  • Not enforced by tools such as Postman and cURL, which read any response they are given; the policy protects browser users, not the server, so the server must still authenticate and authorize every call

Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) is one way the server at the other end (not the client code in the browser) can relax the same-origin policy.

Cross-Origin Resource Sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the first resource was served.

  • For a request that is not "simple" (for example one with an Authorization or other custom header, an application/json body, or a method such as PUT or DELETE), the browser first makes an HTTP OPTIONS call for the URL: the preflight
  • OPTIONS is an HTTP method like GET, PUT, and POST
  • The server's response carries Access-Control-Allow-Origin (plus Access-Control-Allow-Methods and Access-Control-Allow-Headers) and says, in effect: "These other origins are approved to GET this URL." The real GET or POST response must carry Access-Control-Allow-Origin as well, or the browser still refuses to expose it to the page
  • Browser console error along the lines of "No 'Access-Control-Allow-Origin' header is present on the requested resource"? You need to enable CORS on API Gateway (and, with a Lambda proxy integration, return the header from the Lambda itself, since API Gateway only generates the OPTIONS response for you)
  • List the specific origins you trust rather than echoing whatever Origin the request carries; reflecting an arbitrary origin, especially together with Access-Control-Allow-Credentials, hands every site the access the same-origin policy was withholding
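The Lambda target from the configuration steps above and the CORS handshake in this section, as an added Python example that is not part of the original notes and is not AWS code. It assumes an API Gateway REST API with the resources /items and /items/{id} wired to one Lambda through a proxy integration (API Gateway passes the whole HTTP request as the event dict and expects a dict with statusCode, headers and body back), a hypothetical allowlist of front-end origins, and a constructed in-memory dict standing in for a DynamoDB table:

```python
import json

# Hypothetical allowlist of front-end origins. Reflecting any Origin back (or
# using "*" together with credentials) would let every site read authenticated
# responses, which is exactly what the Same-Origin Policy exists to prevent.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = "GET,POST,OPTIONS"
ALLOWED_HEADERS = "Content-Type,Authorization,X-Api-Key"

# Constructed in-memory data standing in for a DynamoDB table.
ITEMS = {"1": {"id": "1", "name": "widget"}, "2": {"id": "2", "name": "gadget"}}


def cors_headers(origin):
    """CORS headers for an approved origin; an empty dict for anything else.

    With no headers the browser refuses to hand the response to the page, while
    curl or Postman, which do not enforce the policy, still read the body.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Vary": "Origin",  # caches must not serve one origin's answer to another
    }


def proxy_response(status, body, origin):
    """Build the dict shape API Gateway expects back from a proxy integration."""
    headers = {"Content-Type": "application/json"}
    headers.update(cors_headers(origin))
    return {"statusCode": status, "headers": headers, "body": json.dumps(body)}


def handler(event, context=None):
    """Entry point API Gateway invokes; `event` is the proxy-integration request."""
    method = event.get("httpMethod", "")
    resource = event.get("resource", "")  # the template path, e.g. /items/{id}
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    origin = headers.get("origin", "")

    # Preflight: the browser sends OPTIONS before a non-simple cross-origin
    # request and only proceeds if the allow headers come back.
    if method == "OPTIONS":
        if origin not in ALLOWED_ORIGINS:
            return proxy_response(403, {"message": "origin not allowed"}, origin)
        return {"statusCode": 204, "headers": cors_headers(origin), "body": ""}

    if resource == "/items" and method == "GET":
        return proxy_response(200, list(ITEMS.values()), origin)

    if resource == "/items/{id}" and method == "GET":
        item_id = (event.get("pathParameters") or {}).get("id", "")
        item = ITEMS.get(item_id)
        if item is None:
            return proxy_response(404, {"message": "not found"}, origin)
        return proxy_response(200, item, origin)

    if resource == "/items" and method == "POST":
        # Validate the body instead of trusting it: a proxy integration hands
        # the raw request string through with no transformation applied.
        try:
            payload = json.loads(event.get("body") or "")
            name = payload["name"]
        except (ValueError, KeyError, TypeError):
            return proxy_response(400, {"message": "body must be JSON with a name"}, origin)
        if not isinstance(name, str) or not name:
            return proxy_response(400, {"message": "name must be a non-empty string"}, origin)
        new_id = str(max(int(k) for k in ITEMS) + 1)
        ITEMS[new_id] = {"id": new_id, "name": name}
        return proxy_response(201, ITEMS[new_id], origin)

    # API Gateway only invokes the Lambda for methods configured on the
    # resource, but a shared handler should still refuse anything unexpected.
    return proxy_response(405, {"message": "method not allowed"}, origin)


if __name__ == "__main__":
    # Constructed events: a preflight from an approved origin, then the GET it
    # was asking permission for, and the same GET with no Origin (as curl sends).
    preflight = {"httpMethod": "OPTIONS", "resource": "/items/{id}",
                 "headers": {"Origin": "https://app.example.com"}}
    get = {"httpMethod": "GET", "resource": "/items/{id}",
           "pathParameters": {"id": "1"}, "headers": {"Origin": "https://app.example.com"}}
    curl_get = dict(get, headers={})
    for ev in (preflight, get, curl_get):
        print(ev["httpMethod"], handler(ev))
```

The no-Origin case is the same-origin policy point from the previous section in code: the handler serves the item to a curl or Postman caller without any CORS headers, because CORS only tells a browser whether to expose the response to a page; authentication still has to happen in the authorizer configured on the method. Two API Gateway details worth knowing when testing this: the console's "Enable CORS" action only creates the OPTIONS method with a mock integration, so the real GET and POST responses need the header from the Lambda as shown, and a request to a path or method you never defined on the REST API is answered by API Gateway itself with a 403 "Missing Authentication Token" before the Lambda runs.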