Amazon API Gateway Study Workshop

API Gateway Study Workshop 06/18/2020 by 37108

API Application Programming Interface

API Gateway is a fully managed service that makes it
easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. https://go.aws/30gXhc7

API Gateway

Talking Basic knowledge of API Gateway Core Feature of API
Gateway REST API and HTTP API

Basic Components method res method req integration req integration res

Basic Components Method Request method res method req integration req
integration res

Basic Components Integration Request method res method req integration req
integration res

Basic Components Integration Response method res method req integration req
integration res

Basic Components Method Response method res method req integration req
integration res

Resource / Method / ANY /members GET /members/{id} GET POST
/parts/ GET method req… method req… method req… method req…

Request API Flow /members GET method req integ req integ
res method res /members/{id} POST method req integ req integ res method res

Integration Types AWS Services Directly calls AWS services and fire
the specify action. HTTP Connects via internet to a HTTP endpoint. Lambda Connects via proxy or direct integration to a Lambda. Mock Directly calls AWS services and fire the specify action. VPC Endpoint Connects to a VPC Endpoint. Access through a NLB.

Lambda Backend via Proxy Synchronous res res req Wrapped req
Wrapped req res

Lambda Backend via direct integration Synchronous req req res res
req req res res

Lambda Resource Policy { “version”: “2012-10-17”, “statement”: { “Effect” :
“Allow”, “Principle”: “apigateway.amazonaws.com”, “Action” : “lambda:InvokeFunction”, “Resource” : “arn:aws:lambda:…:function_name”, “Condition”: { “ArnLike”: { “AWS:SourceArn”: “arn:aws:execute-api:…:id/stage/method/resource” } } } }

Lambda Resource Policy Allow every stages, resources { “version”: “2012-10-17”,
“statement”: { “Effect” : “Allow”, “Principle”: “apigateway.amazonaws.com”, “Action” : “lambda:InvokeFunction”, “Resource” : “arn:aws:lambda:…:function_name”, “Condition”: { “ArnLike”: { “AWS:SourceArn”: “arn:aws:execute-api:…:id ” } } } }

Lambda Resource Policy Allow every lambda authorizer { “version”: “2012-10-17”,
“statement”: { “Effect” : “Allow”, “Principle”: “apigateway.amazonaws.com”, “Action” : “lambda:InvokeFunction”, “Resource” : “arn:aws:lambda:…:function_name”, “Condition”: { “ArnLike”: { “AWS:SourceArn”: “arn:aws:execute-api:…:id/authorizers ” } } } }

Mapping Template before after { “FirstName”: “Alexander”, “LastName” : “Pierce”,
“phone” : “000-0000-0000”, “address” : “xxx”, “favorite” : “eggplant” } { “Name” : “Alexander Pierce”, “phone” : “000-0000-0000”, “address” : “xxx”, “favorite”: “beef” }

method res method req integration req </> {;} integration res
</> {;} Mapping Template

res method res /members/{id} POST method req integ req integ res method res

Stages v1 v2 v3 https://xxx.execute-api…/v1/… https://xxx.execute-api…/v2/… https://xxx.execute-api…/v3/…

Deploy Deploy 2020/06/18 Deploy 2020/06/05 v1 v2 v3 https://xxx.execute-api…/v1/… https://xxx.execute-api…/v2/…
https://xxx.execute-api…/v3/…

res method res /members/{id} POST method req integ req integ res method res v1 v2

Endpoint Type Edge Regional VPC Routing from CloudFront Distribution. Routing
directly to region. Can combine with CloudFront. Routing from VPC Private Link. No public endpoint.

Release it ! 1. Design API 2. Choose Protocol and
Endpoint 3. Define Resources and Methods 4. Integrate Backend 5. Create Stage and deploy

Protect API Open IAM Lambda Authorizer Cognito Authorizer No AuthN
and AuthZ. API is Public and everybody can access. Use IAM credentials for grant access. Connect Cognito User Pool for grant access. Validate bearer token via Lambda for grant access.

Lambda Authorizer

Lambda Authorizer input output eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV CJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwib mFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNT E2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fw pMeJf36POk6yJV_adQssw5c {
“principalId”: “AlexanderPierce”, “policyDocument”: { “Version”: “2012-10-17”, “Statement”: [ { “Action”: “execute-api:Invoke”, “Effect”: “Allow”, “Resource”: “………” } ] } }

SPA Architecture

Regular Architecture

Manage REST API CDK Terraform CLI CFn SAM

Open API OAS OAS export deﬁne refer import

Token Bucket 5,000 Tokens on Bucket 10,000 tokens/sec Rate: Rate:
Burst: Burst: Requests Consumes

Throttling 10,000 reqs/sec Account: Account: API 1 API 1 method
method method method /members GET /pets GET /parta GET

Monitoring/Tracing Metrics by APIs, Stages. API Calls Latency 4xxx /
5xx Error Cache HitCount Execution logs error/info level full req/res logs Access logs specify log destination customize log format Integrate X-Ray and trace request. Just enable tracing, analyze requests end to end.

Caching 0.5 GB to 237 GB Capacity 0 sec to
3600 sec TTL

Security

Canary release n% of trafﬁc x duration prod canary

HTTP API Faster reduces up to 60% in latency. Lower
Cost Frugality is one of the Leadership Principles. Overall, at least 71% lower cost. More Simple JWT Authorizer Features are specified, but this makes more simple. No need to write code for validating JWT.

Routes / /members GET /members/ba GET /members/ba POST /parts GET

Integrations / /members GET /members/ba GET /members/ba POST /parts GET
Invoke function private integration private integration get https://xxx.example.com

stages / deploy Deploy 2020/06/18 Deploy 2020/06/05 $default v1 v2
https://xxx.execute-api…/… https://xxx.execute-api…/v1/… https://xxx.execute-api…/v2/…

JWT Authorizer 1. verify token 2. grant access

To Closely You know core features. We need practices. We
can’t cover whole of features…

Amazon API Gateway Study Workshop

Amazon API Gateway Study Workshop

More Decks by 37108

Other Decks in Technology

Featured

Transcript