A Beginner's Guide to API Gateway: What is it and Why is it Important?
In this article, you'll learn:
- What is API Gateway and how does it work?
- How does an API Gateway work?
- Why use an API Gateway?
- API Gateway security
- Amazon API Gateway
- Features of Amazon API Gateway
- Amazon API Gateway benefits
- Amazon API Gateway and AWS Lambda
- Does Putting CloudFront CDN in Front of API Gateway Make Sense?
Application Programming Interfaces (APIs) are the primary way that external users are going to make calls to your application.
Now more than ever, companies are modernizing their large legacy monolithic apps into smaller individual microservices. These microservices are loosely coupled to make your application more scalable and highly available. However, the result of using a microservice architecture is that more API calls are exchanged between your client and the microservice.
In this blog post, we explore what you need to know about a managed API Gateway, its security, benefits, and also Amazon API Gateway basics, features, and how it interacts with AWS Lambda.
What is API Gateway and how does it work?
An API Gateway is a service that sits before an API or set of microservices to facilitate requests and the delivery of data.
For example, every time you use an app of your favorite social network or check travel prices for your next vacation, you're using an API.
An API Gateway is a way to decouple the client interface from the backend. When a client makes a request, the API gateway breaks it into multiple requests, routes them to the right services, produces a response, and keeps track of everything.
An API Gateway should also include:
- API composition and processing
- API monitoring
How does an API Gateway work?
API gateways allow different applications/services to communicate with each other and exchange data on and off the network. It receives requests (called "API calls") from internal and external sources, forwards them to the appropriate API, and then receives and transmits responses to the requesting user or device.
For example, suppose there is an application user that needs to call four different services as part of a process. Instead of having microservices calling each other directly, we do all the calls through the API Gateway.
Why use an API Gateway?
At its most basic, an API Gateway accepts a remote request and returns a response. It is particularly useful for overcoming the challenge of offering your clients a simple and dependable experience.
API Gateway benefits
- It helps to protect your APIs from overuse and abuse, and you can leverage an authentication/authorization and rate limiting.
- It simplifies analytics and monitoring because it has these functions integrated.
- If you are using a microservices architecture, a single request could require calls to dozens of distinct applications; an API Gateway will act as an intermediary between services.
- At some point you’ll likely add new or update API services, but your users need to find all your services in the same place.
Disadvantages and challenges of API Gateway
- It requires the setting of routing rules.
- Risk of complexity due to all the API rules being in one place.
- There is a possibility of a single point of failure.
API Gateway security
Generally, API gateway security can be divided into:
Identity and Access management
Access control is the number-one security driver for API Gateway technology, serving as a governor of sorts so an organization can manage who can access an API and establish rules around how data requests are handled.
When all traffic is routed through an API Gateway, IT security experts tend to feel more confident that they have their finger on the pulse of an organization.
API calls security
Gateways are a great way to route all API calls through a single place for evaluating, transforming, and securing them across the whole infrastructure. When all traffic is routed through a gateway, security specialists know what is happening and can make changes much more easily.
DDoS and threat protection
Without threat protection, the API Gateway, its APIs, and the native services of the integration server are insecure. That means malware or any anonymous outsiders could easily attempt to propagate a series of attacks such as DDoS or SQL injection.
Taking advantage of loose input validations allows a hacker to find the gaps in a system. Using existing inputs, an attacker will explore what is accepted or rejected and push what is possible until they find a way into an API and break down the system's integrity.
Here are the most common input validations.
- Message size: it is good to have message size limitations if you know with 100% certainty that you are not going to receive large messages.
- SQL injection: SQL injection protection allows you to block requests that could cause an SQL injection attack.
- XML threat protection: Malicious attacks on XML applications typically involve large, recursive payloads, XPath/XSLT or SQL injections, and CData to overwhelm the parser and eventually crash the service.
- Rate limiting: Requiring authentication for all API users, and the logging of all API calls made allow API providers to limit the rate of consumption for all API users.
Amazon API Gateway introduction
Amazon API Gateway is a managed service that lets you easily handle common API tasks such as routing, security, caching, throttling, and monitoring.
Amazon API Gateway provides a highly scalable solution for creating and deploying these API types:
- HTTP API: Low-cost, low-latency REST API with built-in features like OIDC and OAuth2, and native CORS support.
- WebSocket API: Build a WebSocket API with persistent connections for real-time use cases such as chat applications or dashboards.
- REST API: Develop REST APIs that give you full control over requests and responses, as well as API management capabilities.
- Private REST API: Create a REST API that can only be accessed within an AWS Virtual Private Cloud (VPC).
AWS provides flexibility in choosing backend technologies such as AWS Lambda functions, AWS Step Functions state machines, or call HTTP(s) endpoints hosted on AWS Elastic Beanstalk, Amazon EC2, or any other hosted HTTP based services.
It can also allow backends to be simple web applications for web portal access or Amazon S3 buckets for providing access to static web content or documents.
Amazon API Gateway pricing
With Amazon API Gateway, you only pay when you use your API. There are no minimum fees or upfront payments.
For HTTP APIs and REST APIs, you only pay for the API calls you receive and the amount of data transferred. Private APIs do not incur data transfer charges. Learn more here: Amazon API Gateway pricing.
Features of API Gateway
- Powerful, flexible authentication mechanisms, such as AWS Identity and Access Management policies, Lambda authorizer, and Amazon Cognito user pools.
- Canary release deployments for safely rolling out changes.
- CloudTrail logging and monitoring of API usage and API changes.
- CloudWatch access logging and execution logging, including the ability to set alarms.
- Support for custom domain names.
- Integration with AWS WAF for protecting your APIs against common web exploits.
Amazon API gateway caching to enhance responsiveness
You can enable API caching in Amazon API Gateway to cache your endpoint's responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.
When you enable caching for a stage, API Gateway caches responses from your endpoint for a specified time-to-live (TTL) period in seconds.
Caching is charged by the hour and is not eligible in the AWS Free Tier.
Amazon API Gateway benefits
Efficient and scalable
Run multiple versions of the same API simultaneously so you can quickly iterate, test, and release new versions. You pay for API calls and data transfer, and there are no minimum fees or upfront fees.
Provide end users with the lowest possible API request and response latency by leveraging the global network of edge locations and Amazon CloudFront CDN. Limit traffic and authorize API calls to ensure backend operations can withstand traffic spikes and don't call backend systems unnecessarily.
Monitor with ease
Monitor performance metrics and information on API calls, data latency, and error rates from the API Gateway dashboard, which allows you to visually monitor calls to your services using Amazon CloudWatch.
Authorize access to your APIs with AWS Identity and Access Management (IAM) and Amazon Cognito. If you use OAuth tokens, API Gateway offers native OIDC and OAuth2 support.
To support custom authorization requirements, you can execute a Lambda authorizer from AWS Lambda.
AWS Lambda and Amazon API Gateway example
Together with AWS Lambda, API Gateway forms the app-facing part of the AWS serverless infrastructure.
It’s also possible to combine these serverless services with, for example, Amazon Cognito for authorization/authentication purposes, and Amazon DynamoDB to play the role of the non-relational serverless database.
For an app to call publicly available AWS services, you can use Lambda to interact with required services and expose Lambda functions through API methods in API Gateway.
AWS Lambda runs your code on highly available computing infrastructure. It performs the necessary execution and administration of computing resources.
To enable serverless applications, API Gateway supports Lambda proxy integration or Lambda non-proxy integration:
- Lambda-Proxy: If you want a simple Integration and don’t need specifications or any other filters.
- Lambda Integration: If you need to have more control over the workflow, generate sophisticated documentation, and SDK generation.
The StormIT team holds the AWS Service Delivery Program designation for AWS Lambda and helps organizations to redesign their legacy applications or release new ones by leveraging the Amazon API Gateway and other AWS serverless services.
Does Putting CloudFront in Front of API Gateway Make Sense?
Because API is used widely, it’s common that customers want to have a global API presence. But is it always sensible not to use your CloudFront distribution? This is a good question that we've tried to answer in our article: Does Putting CloudFront CDN in Front of API Gateway Make Sense?