API Gateway

API Gateway Simplified:

API Gateway is a fully managed service for developers that makes it easy to build, publish, manage, and secure entire APIs. With a few clicks in the AWS Management Console, you can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as workloads running on EC2) code running on AWS Lambda, or any web application.

API Gateway Key Details:

  • Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
  • Amazon API Gateway has no minimum fees or startup costs. You pay only for the API calls you receive and the amount of data transferred out.
  • API Gateway does the following for your APIs:
    • Exposes HTTP(S) endpoints for RESTful functionality
    • Uses serverless functionality to connect to Lambda & DynamoDB
    • Can send each API endpoint to a different target
    • Runs cheaply and efficiently
    • Scales readily and effortlessly
    • Can throttle requests to prevent attacks
    • Track and control usage via an API key
    • Can be version controlled
    • Can be connected to CloudWatch for monitoring and observability
  • Since API Gateway can function with AWS Lambda, you can run your APIs and code without needing to maintain servers.
  • Amazon API Gateway provides throttling at multiple levels including global and by a service call.
    • In software, a throttling process, or a throttling controller as it is sometimes called, is a process responsible for regulating the rate at which application processing is conducted, either statically or dynamically.
    • Throttling limits can be set for standard rates and bursts. For example, API owners can set a rate limit of 1,000 requests per second for a specific method in their REST APIs, and also configure Amazon API Gateway to handle a burst of 2,000 requests per second for a few seconds.
    • Amazon API Gateway tracks the number of requests per second. Any requests over the limit will receive a 429 HTTP response. The client SDKs generated by Amazon API Gateway retry calls automatically when met with this response.
  • You can add caching to API calls by provisioning an Amazon API Gateway cache and specifying its size in gigabytes. The cache is provisioned for a specific stage of your APIs. This improves performance and reduces the traffic sent to your back end. Cache settings allow you to control the way the cache key is built and the time-to-live (TTL) of the data stored for each method. Amazon API Gateway also exposes management APIs that help you invalidate the cache for each stage.
  • You can enable API caching for improving latency and reducing I/O for your endpoint.
  • When caching for a particular API stage (version controlled version), you cache responses for a particular TTL in seconds.
  • API Gateway supports AWS Certificate Manager and can make use of free TLS/SSL certificates.
  • With API Gateway, there are two kinds of API calls:
    • Calls to the API Gateway API to create, modify, delete, or deploy REST APIs. These are logged in CloudTrail.
    • API calls set up by the developers to deliver their custom functionality: These are not logged in CloudTrail.

Cross Origin Resource Sharing:

  • In computing, the same-origin policy is an important concept where a web browser permits scripts contained in one page to access data from another page, but only if both pages have the same origin.
  • This behavior is enforced by browsers, but is ignored by tools like cURL and PostMan.
  • Cross-origin resource sharing (CORS) is one way the server at the origin can relax the same-origin policy. CORS allows sharing of restricted resources like fonts to be requested from another domain outside the original domain of where the first resource was shared from.
  • CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.
  • If you ever come across an error that mentions that an origin policy cannot be read at the remote resource, then you need to enable CORS on API Gateway.
  • CORS is enforced on the client (web browser) side.
  • A common example of this issue is if you are using a site with Javascript/AJAX for multiple domains under API Gateway. You would need to ensure that CORS is enabled.
  • CORS does not prevent XSS attacks, but does protect against CSRF attacks. What it does is controls who can use the data served by your endpoint. So if you have a weather website with callbacks to an API that checks the forecast, you could stop someone from writing a website that serves JavaScript calls into your API when they navigate to your website.
  • When someone attempts the malicious calls, your browser will read the CORS headers and it will not allow the request to take place thus protecting you from the attack.