API Gateway

  •  API gateway manages creation, publishing, monitoring and securing of Http, Rest and Websocket APIs.
  • Helps create Restful with lower latency and cost that RESt APIs.
  • Helps create Websocket API using which client and server can communicate continuously.
  • API endpoint form - api-id.execute-api.region.amazonaws.com
  • Proxy Integration - can be HTTP Proxy or Lambda Proxy integration. In HTTP Proxy integration, API g/w passes entire request/response between frontend and backend. In Lambda Proxy integration, API g/w passes request to Lambda function and the output of Lambda function is returned to frontend.
  • Lambda, IAM, Cognito User Pools, OAuth 2.0 Authorizers are supported for Http API. For Rest except OAuth rest of them are supported.
    • Lambda authorizers are Lambda functions that control access of REST or Http API using bearer token authentication or using request parameters like headers, paths, query string, etc.
    • Cognito User Pools helps control who can access REST or Http API. The client first logs into user pool and obtains access token and then calls the API method with the token. API validates the token and allows the client.
  • Http supports private integrations with ALB.
  • Http and Rest supports private integrations with NLB. 
  • API End Point types
    • Http API can be Regional only, whereas Rest API can be Regional, Private or Edge Optimized.
    • Regional API endpoint - Host name of API that is deployed to a region and accessible from clients in that region.
    • Edge Optimized API endpoint is best for geographically distributed clients. API requests will be routed to nearest Cloudfront.
    • Private API endpoint is exposed through interface VPC endpoint - allows clients to access private API resources inside VPC. An endpoint policy can be used to restrict traffic from internal network to private API. (Certain IPs can be allowed or disallowed).
  • CORS should be enabled for the API that is hosted in apisample.com, so that the application which is hosted on example.com can access it.
  • The request parameters, headers or query strings can be modified before they can hit backend integrations. The request can also be validated before it hits backend - if validation fails API g/w throws 400 and ends call, that way unnecessary backend call is reduced.
  • Client Side SSL Certs can be used to verify that Http Requests are from API gateway
  • Protecting API
    • API Caching is supported by Rest alone - TTL of 0 means caching is disabled. Default TTL is 300 secs and max is 3600 secs. When caching is enabled for a stage, gateway caches responses for that TTL. Helps reduce calls to API.
    • WAF protects from web exploits.
    • Self signed SSL cert generated by API g/w can also be used to verify that request to backend are from gateway.
    • Mutual TLS authentication requires 2 way authentication between client and server.  Clients presents x.509 certs. This is used when the API uses custom domain, a SSL cert is configured for the domain and a trust store is configured in S3.
      • Certificate can be setup in ACM.
      • Trust store is .PEM file which has full chain of trust. 
  • API can be throttled to avoid them being overwhelmed by too many requests. When the limit is crossed client received 429 Too many request error.
  • API gateway 504 error - The integration timeout is 29 seconds (a hard limit) for all API Gateway integrations. 
  • X-Ray can be used  to trace and analyze user requests through API gateway. X-ray provides e2e view of request -it can be used to analyse latency at each level. 
  • API gateway can be integrated with X-ray in 2 modes
    • Passive tracing mode - default - when X-ray is not enabled
    • Active - When set, the API gateway automatically samples API invocation based on X-ray sampling algo. 
  • API gateway manages creation, publishing, monitoring and securing of Http, Rest and Websocket APIs.
  • Helps create Restful with lower latency and cost that RESt APIs.
  • Helps create Websocket API using which client and server can communicate continuously.
  • API endpoint form - api-id.execute-api.region.amazonaws.com
  • Proxy Integration - can be HTTP Proxy or Lambda Proxy integration. In HTTP Proxy integration, API g/w passes entire request/response between frontend and backend. In Lambda Proxy integration, API g/w passes request to Lambda function and the output of Lambda function is returned to frontend.
  • Lambda, IAM, Cognito User Pools, OAuth 2.0 Authorizers are supported for Http API. For Rest except OAuth rest of them are supported.
    1. Lambda authorizers are Lambda functions that control access of REST or Http API using bearer token authentication or using request parameters like headers, paths, query string, etc.
    2. Cognito User Pools helps control who can access REST or Http API. The client first logs into user pool and obtains access token and then calls the API method with the token. API validates the token and allows the client.
  • Http supports private integrations with ALB.
  • Http and Rest supports private integrations with NLB. 
  • API End Point types
    1. Http API can be Regional only, whereas Rest API can be Regional, Private or Edge Optimized.
    2. Regional API endpoint - Host name of API that is deployed to a region and accessible from clients in that region.
    3. Edge Optimized API endpoint is best for geographically distributed clients. API requests will be routed to nearest Cloudfront.
    4. Private API endpoint is exposed through interface VPC endpoint - allows clients to access private API resources inside VPC. An endpoint policy can be used to restrict traffic from internal network to private API. (Certain IPs can be allowed or disallowed).
  • CORS should be enabled for the API that is hosted in apisample.com, so that the application which is hosted on example.com can access it.
  • The request parameters, headers or query strings can be modified before they can hit backend integrations. The request can also be validated before it hits backend - if validation fails API g/w throws 400 and ends call, that way unnecessary backend call is reduced.
  • Client Side SSL Certs can be used to verify that Http Requests are from API gateway
  • Protecting API
    1. API Caching is supported by Rest alone - TTL of 0 means caching is disabled. Default TTL is 300 secs and max is 3600 secs. When caching is enabled for a stage, gateway caches responses for that TTL. Helps reduce calls to API.
    2. WAF protects from web exploits.
    3. Self signed SSL cert generated by API g/w can also be used to verify that request to backend are from gateway.
    4. Mutual TLS authentication requires 2 way authentication between client and server.  Clients presents x.509 certs. This is used when the API uses custom domain, a SSL cert is configured for the domain and a trust store is configured in S3.
    5. Certificate can be setup in ACM.
    6. Trust store is .PEM file which has full chain of trust. 
  • API gateway errors
    1. API can be throttled to avoid them being overwhelmed by too many requests. When the limit is crossed client received 429 Too many request error. (Quota exceeded, throttling)
    2. API gateway 504 error - The integration timeout is 29 seconds (a hard limit) for all API Gateway integrations. 
    3. 503 - service unavailable
    4. 502  - bad gateway  - incompatible output from backend - or due to increased load
  • X-Ray can be used  to trace and analyze user requests through API gateway. X-ray provides e2e view of request -it can be used to analyse latency at each level. 
  • API gateway can be integrated with X-ray in 2 modes
    1. Passive tracing mode - default - when X-ray is not enabled
    2. Active - When set, the API gateway automatically samples API invocation based on X-ray sampling algo. 
  • If your Lambda function's resource-based policy doesn't include permissions for your API to invoke the function, API Gateway returns an Internal server error message. 
  • Caching of API responses should be done on API gateway and not on Cloudfront. 

Comments

Post a Comment

Popular posts from this blog

Artificial Computation Intelligence

  Components of Problem Formulation Initial State - Is the starting configuration of system. Actions - The permissible moves or operations that can be performed in the problem space. Transition Model - Describes the result of applying specific action in a given state. Goal State - Desired configuration that indicates problem has been solved. Cost function - numerical cost for each action. Task is to setup an automated traffic monitoring system that should be equipped with 10 cameras at each intersection to detect traffic violoations and detect license plates to cross verify with stolen vehicle database. What is the problem formulation for this, provide PEAS description, which agent architecture will fit this ? PEAS Description: Performance Measure: The system's performance is measured by its accuracy in detecting traffic violations, identifying license plates, and cross-verifying them with the stolen vehicle database. Additionally, the efficiency of the system in processing and ana...
Read more

Serverless - Lambda functions

 Lambda All operational activities of applying patch, capacity provisioning, monitoring fleet health, code deployment etc is taken care by Lamda. Best suited for use cases which are event based, such as changes to S3 buckets,  serverless processing of streaming data, updates to Dynamo DB table or custom event generated by apps/devices. All code uploaded to Lambda is encrypted. Each Lambda has built-in ephemeral storage of 512 MB. In-bound network connections are blocked by Lambda. Total Metrics, Account and Function level concurrency usage, latency and throttled requests are metrics shared by Lambda through Cloud Watch. Each Lambda function has a log group which can be traced in Cloudwatch logs. We can define the memory to be set for the function. Lambda function max execution time is 15 mins. Lambda can do polling of resources that do not publish events. Or it can be triggered basis events. S3 Integration - The S3 Bucket notifications can be sent to Lambda functions. Lambda c...
Read more

System Design

 System Design Designing for scale Designing for availability Designing for performance Content delivery network Caching Designing for resilience Secure by design Perimeter Security Intrusion detection and Prevention Zscaler Network security Network Isolation Zero trust architecture Server security Application security Data at rest - Encryption using keys Data in transit Encryption Key management  Code Security OWASP guidelines Web security Authentication OAuth Single Signon LDAP Authorization Google Zanzibar OPA Mobile Security Wireless transmission security Penetration testing Architecture principles in system design 12 factor DRY SOLID Programming types Functional Reactive Architecture tools Abacus Modular design Do we need microservices? When to go for Microservices ? Building microservice architecture Breaking down into Microservices Domain driven design Inter service communication Direct Connectivity Circuit breakers Service Registry Distributed transaction management Sa...
Read more