Amazon API Gateway
Managed API front door — create, publish, and secure REST, HTTP, and WebSocket APIs at any scale with throttling, caching, and authorization.
Overview
Amazon API Gateway is a fully managed service for creating, publishing, and managing APIs at any scale — it handles request routing, throttling, caching, authorization, and monitoring for REST, HTTP, and WebSocket APIs.
Core Concepts
| Concept | Description |
|---|---|
| REST API | Full-featured API type with resource-based routing, request validation, caching, and WAF integration |
| HTTP API | Lightweight, lower-cost API type optimised for Lambda and HTTP proxy integrations |
| WebSocket API | Persistent two-way communication for real-time applications (chat, streaming) |
| Stage | A named deployment snapshot (e.g., dev, staging, prod) with its own URL and settings |
| Resource & Method | URL path segments and HTTP verbs (GET, POST, etc.) that define API endpoints |
| Integration | Backend target: Lambda, HTTP endpoint, AWS service, VPC Link, or Mock |
| Authorizer | Authentication/authorization mechanism (Cognito, Lambda, IAM, JWT) |
| Usage Plan | Throttling and quota limits applied per API key |
| API Key | Token distributed to consumers for usage tracking and quota enforcement |
REST API vs HTTP API vs WebSocket API
| Feature | REST API | HTTP API | WebSocket API |
|---|---|---|---|
| Protocol | REST (HTTP/1.1) | HTTP (HTTP/1.1 + HTTP/2) | WebSocket |
| Pricing | Higher (per million + cache) | ~70% cheaper than REST | Per message + connection minutes |
| Caching | Yes (built-in) | No | No |
| Request validation | Yes | No | No |
| WAF integration | Yes | No | Yes |
| Usage plans / API keys | Yes | No (use Lambda authorizer) | No |
| Lambda authorizer | Yes (request + token) | Yes (payload v2.0) | Yes |
| JWT / Cognito authorizer | Via Lambda authorizer | Yes (native JWT) | No |
| IAM authorization | Yes | Yes | Yes |
| VPC Link | Yes (NLB) | Yes (ALB, NLB, Cloud Map) | No |
| Private endpoints | Yes | No | No |
Integration Types
| Type | Description |
|---|---|
| Lambda Proxy | Passes entire request to Lambda; Lambda controls the response format |
| Lambda Non-Proxy | API Gateway transforms request/response using mapping templates |
| HTTP Proxy | Forwards request to an HTTP backend as-is |
| HTTP Non-Proxy | Applies request/response transformations via mapping templates |
| AWS Service | Direct integration with AWS APIs (e.g., SQS SendMessage, S3 PutObject) |
| Mock | Returns a static response without a backend — useful for testing |
| VPC Link | Routes to private resources inside a VPC (via NLB or ALB) |
Authorization Methods
Client Request
→ API Gateway
├── IAM (SigV4) — for AWS-to-AWS / internal service calls
├── Cognito User Pool — issues JWT; API Gateway validates natively (REST: via authorizer)
├── Lambda Authorizer — custom auth logic (OAuth, SAML, tokens)
└── API Key — usage tracking + throttling (NOT authentication)
Exam Trap: API keys are for usage metering and throttling — they are NOT a security mechanism. Always combine API keys with an authorizer (IAM, Cognito, or Lambda).
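As an added example (not from this page or from AWS), a REST API TOKEN Lambda authorizer in Python that first authenticates a bearer token and only then selects the usage-plan key through `usageIdentifierKey`, so the API key meters and throttles traffic without ever acting as the authentication step. The HMAC token format, the shared secret and the subject-to-key mapping are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed values for this example. A real authorizer would load the secret
# from Secrets Manager or an environment variable and look keys up in a store.
SHARED_SECRET = b"demo-secret-not-for-production"
SUBJECT_TO_API_KEY = {"alice": "apikey-alice-constructed"}


def _sign(subject: str, expires: int) -> str:
    msg = f"{subject}:{expires}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(subject: str, ttl_seconds: int = 300) -> str:
    # Constructed token layout: subject:expires:hmac-sha256(subject:expires)
    expires = int(time.time()) + ttl_seconds
    return f"{subject}:{expires}:{_sign(subject, expires)}"


def verify_token(token: str):
    # Returns the subject when the signature is valid and unexpired, else None.
    try:
        subject, expires_s, sig = token.split(":")
        expires = int(expires_s)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(subject, expires)) or expires <= time.time():
        return None
    return subject


def lambda_handler(event: dict, context=None) -> dict:
    # TOKEN authorizer event carries authorizationToken and methodArn.
    raw = event.get("authorizationToken", "")
    if not raw.startswith("Bearer "):
        raise Exception("Unauthorized")  # API Gateway maps this to HTTP 401
    subject = verify_token(raw[len("Bearer "):])
    effect = "Allow" if subject else "Deny"  # Deny is returned as HTTP 403
    statement = {"Action": "execute-api:Invoke", "Effect": effect,
                 "Resource": event["methodArn"]}  # least privilege: this method only
    response = {
        "principalId": subject or "anonymous",
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        "context": {"subject": subject or ""},
    }
    # The metering key is chosen by the authorizer after authentication succeeds,
    # never taken on trust from the caller.
    if subject in SUBJECT_TO_API_KEY:
        response["usageIdentifierKey"] = SUBJECT_TO_API_KEY[subject]
    return response
```

For the returned `usageIdentifierKey` to drive the usage plan, the REST API's API key source must be set to AUTHORIZER rather than the default HEADER.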
Throttling and Caching
| Feature | Detail |
|---|---|
| Default throttle | 10,000 requests/s account-wide; 5,000 burst |
| Stage-level throttle | Override per stage or per method |
| Usage plan quota | Daily/weekly/monthly request limits per API key |
| Caching (REST only) | 0.5 GB to 237 GB; TTL 0–3,600 s; reduces backend calls |
| Cache invalidation | Header Cache-Control: max-age=0 (requires authorization) |
Common Use Cases
- Serverless API backend — API Gateway + Lambda for fully managed request handling without servers.
- Microservice API layer — Route requests to containers (ECS/EKS via VPC Link) with centralized auth and throttling.
- Direct AWS service proxy — Expose SQS SendMessage or DynamoDB PutItem as an API without Lambda in between.
- Real-time communication — WebSocket API for chat applications, live dashboards, or IoT command channels.
- API monetisation — Usage plans + API keys to meter and throttle third-party developer access.
SAA/SAP Exam Tips
SAA Tip: "Serverless REST API" → API Gateway REST API + Lambda. "Cheapest serverless API" → API Gateway HTTP API + Lambda (HTTP API is ~70% cheaper).
SAA Tip: "Reduce Lambda invocations for repeated identical requests" → Enable API Gateway caching (REST API only). HTTP API does not support caching.
SAP Tip: For private APIs accessible only within a VPC, use REST API with a VPC Endpoint (Interface endpoint). HTTP APIs do not support private endpoints.
Cross-Cloud Equivalents
| Provider | Service / Solution | Notes |
|---|---|---|
| AWS | Amazon API Gateway | Baseline |
| Azure | Azure API Management | Full lifecycle management; developer portal |
| GCP | Google Cloud API Gateway / Apigee | Apigee for enterprise; API GW for serverless |
| On-Premises | Kong, NGINX, Envoy, Tyk | Open-source API gateways |
Pricing Model
| Dimension | Unit | Notes |
|---|---|---|
| REST API requests | Per million requests | Plus cache instance cost if enabled |
| HTTP API requests | Per million requests | ~70% cheaper than REST; no caching charge |
| WebSocket messages | Per million messages | Plus connection minutes charged separately |
| WebSocket connection time | Per million minutes | Charged while client is connected |
Related Services / See Also
- AWS Lambda — primary compute backend for API Gateway
- Amazon Cognito — user pools for JWT-based API authorization
- Elastic Load Balancing — ALB as an alternative HTTP routing layer for container-based backends
- AWS WAF and Shield — attach WAF web ACLs to REST API and WebSocket API stages