Share
Amazon API Gateway
Why API Gateway?
Using Amazon API Gateway, developers can easily build, publish, maintain, monitor, and defend APIs of any scale. It is available as a public or private cloud service. Data, business logic, and functionality from your backend services are accessible to apps through APIs, which serve as the “front door” to those services.The API Gateway can be used to construct RESTful APIs and WebSocket APIs that allow for real-time two-way communication applications. Serverless and containerized workloads, as well as web applications and web services, are all supported by API Gateway. In order to accept and handle hundreds of thousands of API calls simultaneously, API Gateway is in charge of all the duties involved. All of the above activities are included in this list, which includes CORS support, authorization (including throttling and monitoring), and API version management.
Using API Gateway does not entail any upfront expenditures or a minimum fee. API calls and data transfers are billed separately, allowing you to have full control over your costs. The tiered pricing model of API Gateway ensures that you can scale your API usage while keeping your expenses as low as possible.
When it comes to HTTP APIs, the cost is based on the number of requests made. For the first 300 million requests, the price is $1 per million requests, and for subsequent requests, it decreases to $0.90 per million. It’s important to note that this pricing applies to requests of up to 512 KB of data per request.
REST APIs, on the other hand, have a slightly different pricing structure. The cost for the first 350 million requests is $3.50 per million, and for the next 667 million, it decreases to $2.80 per million. Additionally, there is a pricing tier called the ‘next 19 billion’ which costs $2.38 per million requests. If your API usage exceeds 20 billion requests, the price further reduces to $1.51 per million.
It’s worth mentioning that these prices are calculated on a monthly basis. However, it is important to consider that serving 20 billion requests per month is typically associated with the scale of cloud providers like AWS, Google, and Microsoft.
How it Works
Image sourced from Amazon Web Services
Features
It is simple for developers to publish, maintain, monitor, protect, and run APIs at any scale using the Amazon API Gateway, a fully managed service provided by Amazon. This service allows you to pay for it on a pay-as-you-go basis, and it will take care of all of the undifferentiated heavy lifting required to run APIs securely and reliably on a wide scale. As a result of the proliferation of mobile devices and the rise of the Internet of Things, it is becoming an increasingly common practice to make backend systems and data accessible to apps through application programming interfaces (APIs). This practice is gaining popularity. A growing amount of time and effort is being spent on the construction and administration of application programming interfaces (APIs) to accommodate the large number of apps and communities of developers that rely on APIs. It is possible to construct client SDKs that are compatible with API Gateway using a variety of programming languages. These languages include JavaScript, iOS, and Android. Client software development kits (SDKs) can also be generated by API Gateway for usage in conjunction with other API Gateway services, such as web services.
Amazon API Gateway provides comprehensive monitoring capabilities to track the performance and health of APIs. The API Gateway console seamlessly integrates with CloudWatch, enabling users to access backend performance metrics such as API calls, response latency, and error rates. Users have the flexibility to configure custom alarms on API Gateway APIs, ensuring timely notifications for any unusual activity or issues. Additionally, API Gateway can log detailed information about API execution errors to CloudWatch Logs, allowing for efficient troubleshooting and analysis. This robust monitoring feature set empowers users to proactively monitor and manage the performance of their APIs effectively.
RESTful and WebSocket API Support
API Gateway allows you to create RESTful APIs using HTTP or REST APIs. HTTP APIs should be used to construct APIs lacking API management functionality. Compared to REST APIs implemented through API Gateway, serverless HTTP APIs can reduce costs by up to 71 percent and latency by up to 60 percent. Using API Gateway, you may access REST APIs and API management tools such as consumption plans and API keys for your API proxy-enabled applications. Use WebSocket APIs to construct real-time two-way communication apps like chat and streaming dashboards.
Private AWS ELB & Cloud Map integrations
API Gateway supports various integrations to cater to different use cases. One such integration is with private AWS ELB and Cloud Map. With this integration, VPC resources can seamlessly be accessed through API Gateway, allowing for secure and controlled access to resources within your Virtual Private Cloud.
Moreover, API Gateway supports IP-based services, such as ECS jobs, through HTTP APIs. This means you can easily build APIs for services that rely on IP addresses. By leveraging this integration, you can efficiently manage and expose your IP-based services through API Gateway.
While Your article focuses on specific integrations like private AWS ELB, Cloud Map, and IP-based services, it is important to note that API Gateway offers a much broader range of integrations. API Gateway supports direct integration with various AWS services, including EC2, Lambda, Step Functions, SQS, DynamoDB, Kinesis, Eventbridge, VPC links, etc. Additionally, API Gateway can be used with any workload operating on ports 80, 443, and 1024 to 65535. This extensive list of supported integrations ensures you can seamlessly front any workload with API Gateway.
Regarding the different flavors of the API Gateway, Amazon API Gateway supports various options to suit your needs, including REST APIs, HTTP APIs, and WebSocket APIs. To grant users access to your APIs, you can leverage the power of AWS Identity and Access Management (IAM) in conjunction with Amazon Cognito. This combination provides a robust security solution. If you are using OAuth tokens, API Gateway has native support for OIDC and OAuth2, making integrating with existing authentication systems easier.
Resiliency
API Gateway helps you manage traffic by restricting the number of requests per second for each HTTP method in your APIs. It frees you from worrying about traffic by focusing on business logic and services rather than infrastructure. You can save time by storing your API data in a cache with reusable keys and a time-to-live in seconds.
By default, API Gateway’s steady-state request rate limit is 10,000 requests per second, and its maximum concurrent request limit is 5,000 requests. This limit applies to the total number of requests running simultaneously across all AWS account APIs. Consequently, if the number of concurrent requests exceeds 5,000, some requests may be queued or experience delays until the number of concurrent requests decreases.
Easy API Development
With API Gateway, you can quickly and easily build a custom API to call AWS Lambda functions. Web services with publicly accessible HTTP endpoints, such as Amazon EC2, AWS Elastic Beanstalk, and AWS Lambda, are all included. In the API Gateway console, you can design and manage your REST API, create client SDKs, and monitor your API metrics.
In Amazon API Gateway, there are three different types of endpoints:
1. Edge-Optimized Endpoint: This type of endpoint is suitable for clients across different geographical locations. When API requests are made, they are automatically directed to the nearest CloudFront Point of Presence (POP). Edge-optimized endpoints are the default type for API Gateway REST APIs, allowing for optimized routing and reduced latency for clients worldwide.
2. Regional Endpoint: A regional API endpoint is designed for clients within the same region as the API. This endpoint type is ideal when clients are located in the same region as the API or when the API serves a small number of clients with high demands. By reducing connection overhead, regional endpoints enable faster and more efficient communication between clients and the API by leveraging the low-latency network within the region.
3. Private Endpoint: A private API endpoint restricts access to the API, making it accessible only from within your Amazon Virtual Private Cloud (VPC). To use a private endpoint, you must create an interface VPC endpoint, an endpoint network interface (ENI) within your VPC. This enables secure and private communication between resources within your VPC and the API Gateway, ensuring that external access is limited to authorized connections within your VPC.
API Operations Monitoring
API Gateway provides a dashboard for monitoring service calls when an API is implemented. API calls, latency, and errors are all tracked by Amazon CloudWatch via the API Gateway panel. Thanks to CloudWatch’s ability to record monitoring data, API Gateway APIs can be equipped with custom alerts. API Gateway can record errors in API execution to CloudWatch Logs to aid debugging.
Authorization from Amazon Web Services
API Gateway offers several options for handling security. One way to authenticate and validate API calls is to use signature version 4 for both REST APIs and WebSocket APIs. This allows you to grant access to AWS resources through AWS Identity and Access Management (IAM). Additionally, bearer tokens such as JWT tokens and SAML assertions can be verified and authorized using AWS Lambda functions. To grant users access to your APIs, you can leverage the power of AWS Identity and Access Management (IAM) in conjunction with Amazon Cognito. This combination provides a robust security solution. If you are using OAuth tokens, API Gateway has native support for OIDC and OAuth2, making integrating with existing authentication systems easier. AWS Lambda authenticators can be utilized to meet specific authorization needs. With Lambda’s flexibility, you can implement custom authorization rules and policies to meet your unique requirements.
For REST APIs, security can be further enhanced through Amazon Virtual Private Cloud (VPC) Endpoint policies, tag policies, or custom Lambda authorizers, providing a tailored approach to securing your API infrastructure. On the other hand, HTTP APIs offer a streamlined set of security features that are designed for simplicity and speed. The standout option for HTTP APIs is the plug-and-play JWT-based security that allows integration with external JWT providers like Firebase or AWS Cognito, offering a straightforward yet effective security solution. This option, exclusive to HTTP APIs, complements the standard IAM and custom Lambda authorizers. Additionally, both API types fully support TLS connections, ensuring secure data transfer across your systems facilitated by certificates hosted in AWS Certificate Manager.
REST API Security
REST API security is available through IAM, AWS Cognito, VPC Endpoint policies, tag policies, or custom Lambda authorizers. These options allow you to create fine-grained access controls tailored to your specific needs. IAM policies can be employed to manage permissions, while AWS Cognito helps with user authentication and token management. VPC Endpoint policies and tag policies provide additional layers of security by restricting access based on network conditions and resource tagging.
HTTP API Security
The HTTP API’s security is a little slimmer, as it’s a streamlined offering of the REST API. One of the standout features of HTTP API is the plug-and-play JWT-based security. You can leverage external JWT providers like Firebase or use AWS Cognito to handle user authentication seamlessly. Although HTTP APIs are more lightweight, they still support IAM and custom authorizers via AWS Lambda, giving you the flexibility to implement sophisticated security measures.
TLS and Certificate Management
As expected, TLS connections are fully supported across the board, using certificates hosted in AWS Certificate Manager. This ensures encrypted communication between clients and your API endpoints. AWS Certificate Manager simplifies managing TLS certificates, crucial for maintaining a secure and reliable API infrastructure.
API Keys for External Developers
Using API Gateway, you can keep track of the many third-party developers using your REST APIs. You may also grant specific third-party developers access to your APIs based on permissions you define for each API key. Throttling and request quotas can be established for each API key individually in your plans. This optional feature must be turned on for each technique before it can be used.
Generation of SDKs
To make it easier for you to test new APIs from your apps and to provide SDKs for third-party developers, API Gateway can build client SDKs for a range of platforms. To sign requests and manage API keys in the developed SDKs, AWS credentials are required. API Gateway can produce Ruby and Objective-C/Swift client SDKs for all of the aforementioned platforms. You can use the AWS CLI to develop and download an SDK for a supported platform by using the get-sdk command.
Download list of all AWS Services PDF
Download our free PDF list of all AWS services. In this list, you will get all of the AWS services in a PDF file that contains descriptions and links on how to get started.
Management of the API Lifecycle
With the help of API Gateway, which is compatible with RESTful APIs, applications will be able to continue using older versions of an API even after the most recent version of the API has been made available to the public. Because API Gateway comes equipped with release management features, it is simple to monitor many API versions at the same time. You can specify which API endpoints you want to communicate with at each stage. When utilising API Gateway, it is possible to give a specialized domain name to a certain version or stage of an API. You are able to test new API versions that either update older API releases or provide new functionality to older API releases. This allows you to ensure backward compatibility when user communities move to accept the most recent release.
Benefits
- API development
API Gateway allows you to simultaneously operate many versions of the same service for testing and iteration. For API calls and data transfers, there are no upfront fees, and you just pay for what you use. Using Amazon CloudFront, we can deliver the lowest possible latency for API requests and responses to end users. To avoid overloading the back-end processes, it’s critical to keep traffic to a minimum and only permit legitimate API calls.
API Gateway offers tier-based pricing for API queries. AWS account API request fees can be decreased down to just $0.90 per million API requests, even as the volume of API calls increases. To keep tabs on API requests, data latency, and error rates using Amazon CloudWatch, the API Gateway dashboard provides a wealth of metrics and statistics.
Use AWS Identity and Access Management (IAM) with Amazon Cognito to grant users access to your APIs. API Gateway has native OIDC and OAuth2 support if you utilize OAuth tokens. Using AWS Identity and Access Management (IAM) and Amazon Cognito, you may restrict access to your APIs. API Gateway provides native support for OIDC and OAuth2 tokens. It is possible to run a Lambda authorizer using AWS Lambda in order to enable specific custom authorization rules and policies.
- Effectiveness in any context
Using Amazon CloudFront, we are able to deliver the lowest possible latency for API requests and responses to end users. To avoid overloading the back-end processes, it?s critical to keep traffic to a minimum and only permit legitimate API calls. API Gateway offers tier-based pricing for API queries. AWS account API request fees can be decreased down to just $0.90 per million API requests, even as the volume of API calls increases.
To keep tabs on API requests, data latency, and error rates using Amazon CloudWatch, the API Gateway dashboard provides a wealth of metrics and statistics. Use AWS Identity and Access Management (IAM) with Amazon Cognito to grant users access to your APIs. API Gateway has native OIDC and OAuth2 support if you utilize OAuth tokens. AWS Lambda authenticators make It possible to use Lambda to meet specific authorization needs. Using AWS Identity and Access Management (IAM) and Amazon Cognito, you may restrict access to your APIs. API Gateway provides native support for OIDC and OAuth2 tokens. It is possible to run a Lambda authorizer using AWS Lambda in order to enable specific custom authorization rules and policies.
- Scaled-down cost savings
API Gateway offers tier-based pricing for API queries. AWS account API request fees can be decreased down to just $0.90 per million API requests, even as the volume of API calls increases.
- Streamlined reporting
To keep tabs on API requests, data latency, and error rates using Amazon CloudWatch, the API Gateway dashboard provides a wealth of metrics and statistics.
- Intuitive security measures are available.
Intuitive security measures are available to address security concerns effectively within Amazon API Gateway. Utilize AWS Identity and Access Management (IAM) with Amazon Cognito to grant users secure access to your APIs. Additionally, API Gateway offers native support for OIDC and OAuth2, ensuring robust security through token authentication.
For advanced authorization needs, AWS Lambda authenticators provide a flexible solution tailored to your specific requirements. By leveraging AWS Identity and Access Management (IAM) and Amazon Cognito, you can implement stringent access controls to safeguard your APIs effectively. With built-in support for OIDC and OAuth2 tokens, API Gateway ensures a secure environment for your resources. Furthermore, the option to deploy a Lambda authorizer using AWS Lambda enables the implementation of customized authorization rules and policies, enhancing the overall security posture of your APIs.
- Flexible security controls
Using AWS Identity and Access Management (IAM) and Amazon Cognito, you may restrict access to your APIs. API Gateway provides native support for OIDC and OAuth2 tokens. It is possible to run a Lambda authorizer using AWS Lambda in order to enable specific custom authorisation rules and policies.
Application Load Bearers
An Application Load Balancer (ALB) is a service that primarily focuses on managing the distribution of incoming requests to backend compute resources such as EC2 instances, Lambdas, or other load balancers. While ALBs do not have the capability to directly query databases like DynamoDB or initiate complex workflows like Step Functions, they can serve as a hosting solution for web-facing Lambdas to handle basic call-and-response setups. In this sense, ALBs can be seen as competitors to the HTTP API offering.
You could do all of this on-premises, but that’s difficult, complicated, and expensive. By leveraging an ALB, you can simplify and streamline your API management without the heavy lifting and costs associated with on-premises solutions.
- Compute-Focused: ALBs excel in distributing traffic among EC2 instances, Lambdas, and other load balancers.
- Limitations: They cannot directly interact with services like DynamoDB or initiate Step Functions.
- Basic Call-and-Response Setups: Perfect for hosting web-facing Lambdas that require straightforward request handling.
How Does Cost Differ?
The pricing structure of Application Load Balancers (ALBs) and API Gateway differs, especially for a high number of low data volume requests. ALBs tend to be more cost-effective in this scenario compared to API Gateway.
ALBs have a unique pricing model that considers both a standing cost and a cost-per-request, which is solely based on data transfer. Although they have a higher standing cost, the cost per request is significantly lower. This means that if you have a large volume of low data volume requests (such as 1 million per day with an average of 5KB per request), ALBs generally prove to be more affordable when compared to API Gateway, even when the Web Application Firewall (WAF) feature is enabled.
Need help on AWS?
AWS Partners, such as AllCode, are trusted and recommended by Amazon Web Services to help you deliver with confidence. AllCode employs the same mission-critical best practices and services that power Amazon’s monstrous ecommerce platform.
API Types:
RESTful APIs
You can construct RESTful APIs optimized for serverless workloads and HTTP backends by utilizing HTTP application programming interfaces (APIs). HTTP APIs are ideal for designing APIs that only require API proxy capabilities, such as web service APIs. By leveraging REST APIs, you can combine API proxy and API administration services into a single solution provided by API Gateway.
WEBSOCKET APIS
For real-time two-way communication applications like chat apps and streaming dashboards, WebSocket APIs are a quick and effective solution. API Gateway handles the message transfer between your customers and your backend service, maintaining a constant connection for seamless communication.
Pricing
You only pay for the time your APIs are utilized using Amazon API Gateway. There are no upfront charges or obligations. You only pay for the API requests you receive and the data you transport out of the system when using HTTP APIs or REST APIs. There are no outbound data transmission fees for Private APIs. However, AWS PrivateLink charges will be charged while using private APIs in API Gateway. API Gateway, on the other hand, offers an optional data caching service with variable hourly pricing based on cache size. You can pay only when your WebSocket APIs are in use, and the amount you pay depends on the number of messages transmitted and received as well as the number of connection minutes you have used the APIs.
The costs for caching can vary significantly depending on the size of the cache you choose to provision. For instance, prices start at $0.02 per hour for a minimal cache size of 0.5 GB. For larger needs, such as a 237GB cache, the cost can go up to $3.80 per hour. These figures illustrate the service’s scalability, catering to both small-scale and large-scale operations.
If your services handle an extensive amount of traffic, say around 100 million requests per month (which breaks down to slightly more than 38 requests per second), implementing a robust caching strategy becomes crucial. In this scenario, the investment in caching is not only cost-effective but also essential for maintaining performance. Comparatively, the cost of setting up and managing such capabilities on-premises would likely exceed the straightforward costs of API Gateway’s caching service, not to mention the significant savings on the manpower usually required for such operations.
Regarding Amazon API Gateway, the pricing structure is designed to be transparent and flexible. You won’t encounter any upfront costs or minimum fees, making starting easy. The pricing model is based on two main factors: API calls and data transfers. For HTTP APIs, the cost is $1 per million requests for the initial 300 million requests, covering up to 512 KB of data per request. Beyond that initial threshold, the cost decreases to $0.90 per million requests.
For REST APIs, the pricing is slightly different. You will be charged $3.50 per million requests for the first 350 million requests, and the cost reduces to $2.80 per million requests for the subsequent 667 million requests. These pricing tiers are structured to provide cost efficiency as your API usage scales. While these are the core pricing components, it’s important to note that additional charges may apply for optional data caching based on the cache size selected. This detailed breakdown ensures that you can keep track of your costs and optimize your usage of Amazon API Gateway effectively. In addition, there can be other additional charges depending on how API Gateway is being used, such as data transfer, Lambda, and Cloudwatch. By understanding and considering these potential charges, you can make informed decisions to manage your expenses and maximize the benefits of utilizing Amazon API Gateway.
Text AWS to (415) 890-6431
Text us and join the 700+ developers that have chosen to opt-in to receive the latest AWS insights directly to their phone. Don’t worry, we’ll only text you 1-2 times a month and won’t send you any promotional campaigns - just great content!
