API Gateway
An API Gateway is like a front door for your backend services. It handles all requests from clients (like web or mobile apps) and forwards them to your serverless functions or other services.
𧩠Main Roles of an API Gateway
Request routing π¦
Receives client requests (HTTP, WebSocket, etc.)
Sends them to the correct backend (Lambda, EC2, S3, etc.)
Security & Authentication π
Can check tokens, API keys, or integrate with Cognito for login
Blocks unauthorized requests
Rate limiting & throttling β±οΈ
Controls how many requests a client can make in a time frame
Prevents backend overload
Data transformation π
Can convert request/response formats (e.g., JSON β XML)
Makes backend simpler by standardizing input/output
Monitoring & Logging π
Tracks traffic, errors, and performance metrics
β Real-world Example
Imagine an online shoe shop app:
User clicks βPlace Orderβ in the app
API Gateway receives the request
It checks if the user is logged in (Cognito authentication)
Routes request to Lambda function that processes the order
Returns the result back to the app
π Analogy
API Gateway = Receptionist of an office building
Checks who you are (authentication)
Directs you to the right department (routing)
Limits entry if too many people come at once (throttling)
Logs all visits (monitoring)
π AWS
Amazon API Gateway (HTTP, REST, WebSocket)
Integrates perfectly with Lambda, Step Functions, S3, DynamoDB, etc.
Three Phases of API Gateway
When a request comes to an API Gateway, it goes through three main phases:
Client Request Phase (Incoming Request)
The client (web, mobile app, or service) sends a request to the API Gateway.
API Gateway receives the request and starts processing.
Checks HTTP method, URL, headers, and authentication.
β‘ Example:
User clicks βPlace Orderβ β sends POST request to
/orderendpoint.API Gateway receives the request.
Processing Phase (Gateway Logic & Routing)
API Gateway does the heavy lifting before sending it to the backend:
Authentication / Authorization β checks if the request is allowed (e.g., via Cognito, API Key, JWT token).
Validation β checks if request parameters are correct.
Transformation / Mapping β changes request format if needed (JSON β XML).
Routing β forwards request to the correct backend service (Lambda, S3, Step Functions, etc.).
β‘ Example:
Request is validated β routed to Lambda function that processes the order.
Response Phase (Return to Client)
The backend sends a response back to API Gateway.
API Gateway can transform the response if needed, add headers, or handle errors.
Sends the final response back to the client.
β‘ Example:
Lambda returns
{ "status": "Order Placed", "orderId": 123 }API Gateway sends this to the app, which shows a confirmation to the user.
π Analogy
Think of API Gateway like a restaurant receptionist:
Client Request = customer arrives at the reception.
Processing = receptionist checks the reservation, asks questions, and sends the order to the kitchen.
Response = the kitchen prepares food, receptionist hands it back to the customer.
API Gateway Authentication
Authorization in API Gateway controls who can access your API and what they are allowed to do.
It usually happens after authentication (verifying identity).
Types of Authorization in API Gateway
IAM Roles & Policies (AWS Managed)
Uses AWS credentials to allow/deny access.
Typically for internal AWS clients (Lambda, EC2, another API).
Example:
Only Lambda function with the correct IAM role can call your API.
Cognito User Pools
Uses Amazon Cognito to manage users and tokens.
API Gateway validates JWT tokens from Cognito.
Example:
Users log in via your app β Cognito issues token β API Gateway allows access only if token is valid.
Lambda Authorizer (Custom Authorizer)
A custom Lambda function decides whether a request is allowed.
Can use any logic or external system (database, OAuth, third-party token).
Example:
Check if user subscription level allows access to premium API features.
Resource Policies
Lets you allow or deny access based on IP address, VPC, or AWS account.
Example:
Only allow requests from your corporate network or a specific VPC endpoint.
β‘ How it works (Flow)
Client sends request to API Gateway.
API Gateway checks authorization (IAM, Cognito, Lambda authorizer, or resource policy).
If authorized β request goes to backend (Lambda, S3, etc.).
If unauthorized β API Gateway returns 403 Forbidden.
π Analogy
Authentication = βWho are you?β (ID check at the door)
Authorization = βWhat can you do?β (VIP lounge, restricted areas, or full access)
β Key point:
Authorization ensures only allowed users or systems can access your APIs, protecting your backend.
API Gateway Enpoint types
AWS API Gateway supports three main types of endpoints, which determine how your API is accessed:
Edge-Optimized Endpoint π
Designed for: Global clients
How it works:
Requests go through CloudFront (AWS global CDN).
Fast access for users anywhere in the world.
Use case: Public APIs accessed globally.
Analogy: International airport β routes passengers (requests) efficiently from anywhere.
Regional Endpoint ποΈ
Designed for: Clients in the same region as your API.
How it works:
Requests go directly to the API Gateway in the same region.
Slightly faster for local users, cheaper than edge-optimized.
Use case: Internal apps, enterprise APIs, or regional traffic.
Analogy: Local bus station β serves nearby passengers quickly.
Private Endpoint π
Designed for: VPC-only access (private network).
How it works:
API is not exposed publicly.
Only accessible from inside your VPC using VPC endpoints.
Use case: Internal microservices, sensitive data APIs.
Analogy: VIP-only entrance β only authorized people inside.
Edge-Optimized
Global (via CloudFront)
Public API for worldwide users
Regional
Regional (direct)
Local or regional clients
Private
VPC only
Internal/private APIs
API Gateway Stages
A stage in API Gateway is like a versioned environment of your API. Itβs where your API is deployed and made accessible to clients
𧩠Key Concepts
Stages are Environments π±
Each stage represents a different deployment environment:
dev β for testing
test β for QA
prod β for real users
Stage Variables βοΈ
Variables specific to a stage that your API or Lambda can use.
Example:
db_table_name= βOrdersDevβ for dev stage, βOrdersProdβ for prod stage
Endpoint URLs π
Each stage gets a unique URL:
Example:
Dev:
https://abcd1234.execute-api.us-east-1.amazonaws.com/devProd:
https://abcd1234.execute-api.us-east-1.amazonaws.com/prod
Deployment π
You deploy your API to a stage after making changes.
Old stage versions remain intact until updated.
Monitoring & Throttling per Stage π
You can set logging, metrics, and throttling limits for each stage separately.
API Gateway Errors
When a client calls your API, sometimes things go wrong. API Gateway classifies errors mainly by HTTP status codes and types.
Client-Side Errors (4XX)
Meaning: The request from the client was wrong or unauthorized.
Common Status Codes:
400 Bad Request β Invalid input or malformed request
401 Unauthorized β No authentication token or invalid token
403 Forbidden β Authenticated but not allowed to access resource
404 Not Found β API or resource does not exist
429 Too Many Requests β Throttling limit exceeded
β‘ Example:
User sends an order with missing fields β 400 Bad Request
User tries to access an admin API without proper role β 403 Forbidden
Server-Side Errors (5XX)
Meaning: Something went wrong on the backend or API Gateway itself.
Common Status Codes:
500 Internal Server Error β Backend function (Lambda) failed
502 Bad Gateway β API Gateway couldnβt reach backend properly
503 Service Unavailable β Backend is overloaded or unavailable
504 Gateway Timeout β Backend took too long to respond
β‘ Example:
Lambda crashes while processing an order β 500 Internal Server Error
S3 service is temporarily down β 503 Service Unavailable
Mapping & Custom Errors
API Gateway can map backend errors to custom messages.
Example:
Lambda returns an error β API Gateway maps it to a friendly JSON:
{ "error": "Unable to process order", "code": 500 }
π Analogy
4XX (Client) = Customer filled the order form wrong β issue is with them
5XX (Server) = Kitchen made a mistake or oven broke β issue is internal
https://docs.aws.amazon.com/apigateway/latest/api/CommonErrors.html
API Gateway Caching
API Gateway caching stores the response of your API for a period of time so that repeated requests donβt have to hit the backend every time.
𧩠How it works
A client requests data (e.g., product list).
API Gateway forwards the request to backend (Lambda, S3, etc.) the first time.
API Gateway stores the response in cache for a defined TTL (Time-To-Live).
Next time the same request comes in, API Gateway returns the cached response immediately β no backend call needed.
β Benefits
Faster responses π β reduces latency.
Reduces load on backend π‘οΈ β saves compute and cost.
Scales better π β handles more users with less stress on servers.
β‘ Example
Your online shoe shop app asks: βShow all shoes in stockβ
First request β hits Lambda β gets 100 shoes β API Gateway caches it.
Next 50 users request the same β API Gateway serves cached data instantly instead of calling Lambda each time.
π§ Key Configurations
Cache TTL β how long the data stays in cache (seconds, minutes, hours).
Cache key β determines which requests are cached (usually based on URL + query params + headers).
Invalidate / Flush β you can manually clear the cache if data changes.
π Analogy
API Gateway cache is like a fast-food restaurant pre-prepping popular items:
First customer orders β chef makes it fresh.
Next customers get the already-prepared food immediately β faster service, less chef work.
Last updated