Amazon API Gateway

What is Amazon API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It acts as a "front door" for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (EC2), code running on AWS Lambda, or any web application.

Available Types of APIs

API Gateway supports three types of APIs: HTTP APIs, REST APIs, and WebSocket APIs.

  1. HTTP APIs are optimized for building APIs that proxy to AWS Lambda functions or HTTP backends, making them ideal for serverless workloads and web applications.

  2. REST APIs are best suited for APIs that require RESTful capabilities, including resource-based paths, standard HTTP methods, and different types of responses. REST APIs also offer advanced request routing, integration, and policy capabilities.

  3. WebSocket APIs maintain persistent connections with clients, enabling real-time, two-way message exchange.

Difference Between HTTP API and REST API

HTTP APIs are a more efficient, cost-effective option for building APIs that proxy to AWS Lambda functions or HTTP backends. They support JSON payloads and offer standard API features such as CORS and throttling.

REST APIs, on the other hand, come with more features than HTTP APIs. REST APIs support multiple payload formats, integrate with AWS services, and support API Gateway caching. They also allow more advanced request/response transformations and offer several endpoint types.

Core Concepts and Architecture of API Gateway

At a high level, API Gateway involves several components:

  • API - This is the core object that you create and configure.

  • Resource - A logical entity that can be accessed via a specific path (e.g., /orders, /users).

  • Method - Allows for HTTP methods (e.g., GET, POST, PUT) that define operations to be performed on resources.

  • Integration - Specifies how a request is sent to the backend and how the response is processed.

  • Deployment - This is a snapshot of the API that can be invoked.

  • Stage - A named reference to a deployment (e.g., dev, prod) that forms part of the API's invoke URL.

REST API Endpoint Types: Edge-Optimised vs Regional

API Gateway provides two types of endpoints for REST APIs: edge-optimized and regional.

  • Edge-optimized Endpoint: The API is deployed to a CloudFront distribution that is associated with a globally unique URL. This option is suitable for globally distributed client calls.

  • Regional Endpoint: The API is deployed to the region where you created the API and is associated with a region-specific URL. This option is suitable if the clients are located in the same region.

Securing APIs with Authorizers

In Amazon API Gateway, you can create an authorizer that controls access to your API methods. Authorizers support bearer-token authentication strategies such as OAuth or SAML, and come in two types:

  1. Lambda Authorisers (formerly known as Custom Authorisers): Lambda functions that control access to your APIs. When a client makes a request, API Gateway calls the Lambda authorizer, which takes the caller's identity as input and returns an IAM policy as output.

  2. Amazon Cognito User Pools: A user pool is a user directory in Amazon Cognito. When a client makes a request, API Gateway checks with Amazon Cognito to verify if the caller's identity is in the user pool.

Creating a Lambda Authoriser

To create a Lambda authorizer, create a Lambda function that includes your custom authorization logic. This function will receive an authorization token, perform the required verification (possibly against a separate authorization service), and then return an IAM policy.

A very simple Lambda authorizer written in Node.js checks whether the received token is `allow`, `deny`, or `unauthorized`, and returns an IAM policy that allows or denies the request accordingly. It's a basic example and should be adapted to fit your security requirements.
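The authorizer just described, as an added example written for this page rather than the page's own code block; it follows the allow/deny/unauthorized token convention, and `generatePolicy`, `authorize` and the `user` principal are names chosen here.

```javascript
'use strict';

// Build the response document API Gateway expects from a Lambda authorizer:
// a principal identifier plus an IAM policy allowing or denying execute-api:Invoke.
function generatePolicy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [
        { Action: 'execute-api:Invoke', Effect: effect, Resource: resource },
      ],
    },
  };
}

// Core decision. The literal tokens "allow", "deny" and "unauthorized" are a
// test convention (constructed for this example), not real credentials; in a
// production authorizer this is where the token would actually be verified,
// e.g. a JWT signature check against a trusted issuer.
function authorize(token, methodArn) {
  switch (token) {
    case 'allow':
      return generatePolicy('user', 'Allow', methodArn);
    case 'deny':
      return generatePolicy('user', 'Deny', methodArn);
    case 'unauthorized':
      // An error whose message is exactly "Unauthorized" makes API Gateway
      // return HTTP 401 to the client.
      throw new Error('Unauthorized');
    default:
      // Any other error becomes a 500 response, so unknown tokens fail closed.
      throw new Error('Error: Invalid token');
  }
}

// Lambda entry point for a TOKEN authorizer. API Gateway supplies the value of
// the configured Token Source header in event.authorizationToken and the ARN
// of the method being invoked in event.methodArn.
async function handler(event) {
  return authorize(event.authorizationToken, event.methodArn);
}

// Export for the Lambda runtime (guarded so the file also loads where
// `module` is not defined).
if (typeof module !== 'undefined') {
  module.exports = { handler, authorize, generatePolicy };
}
```

Because the returned policy is cached by API Gateway for the configured TTL, the `Deny` branch matters: returning a policy is cached per token, so a token that should never be accepted is better rejected with the `Unauthorized` error than with a cached `Deny`.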

Then, in API Gateway, go to your API's settings. Under Authorisers, click Create New Authoriser. Provide a name for the authorizer, select Lambda for the type, and select the region where you created your Lambda function. Enter the name of the Lambda function you just created, choose the Lambda Invoke Role (if any), and set the Token Source (the name of a header, usually the Authorization header) and Token Validation (a regular expression the token must match before the Lambda function is invoked).
