Slide 1

API Gateway Study Workshop, 06/18/2020, by 37108

Slide 2

API: Application Programming Interface

Slide 3

"API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale." https://go.aws/30gXhc7

Slide 4

API Gateway

Slide 5

Talking about:
- Basic knowledge of API Gateway
- Core features of API Gateway
- REST API and HTTP API

Slide 6

Basic Components (diagram): method request → integration request → integration response → method response

Slide 7

Basic Components: Method Request (highlighted in the diagram)

Slide 8

Basic Components: Integration Request (highlighted in the diagram)

Slide 9

Basic Components: Integration Response (highlighted in the diagram)

Slide 10

Basic Components: Method Response (highlighted in the diagram)

Slide 11

Resource        Method
/               ANY
/members        GET
/members/{id}   GET, POST
/parts/         GET

Each method in the diagram carries its own method req… chain.

Slide 12

Request API Flow
/members GET: method req → integ req → integ res → method res
/members/{id} POST: method req → integ req → integ res → method res

Slide 13

Integration Types
- AWS Services: directly calls AWS services and fires the specified action.
- HTTP: connects via the internet to an HTTP endpoint.
- Lambda: connects via proxy or direct integration to a Lambda function.
- Mock: directly calls AWS services and fires the specified action.
- VPC Endpoint: connects to a VPC endpoint; access goes through an NLB.

Slide 14

Lambda Backend via Proxy (synchronous). Diagram: req → wrapped req → Lambda → wrapped res → res

Slide 15

Lambda Backend via direct integration (synchronous). Diagram: req → req → Lambda → res → res

Slide 16

Lambda Resource Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "apigateway.amazonaws.com" },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:…:function_name",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:…:id/stage/method/resource"
        }
      }
    }
  ]
}

Slide 17

Lambda Resource Policy: allow every stage and resource

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "apigateway.amazonaws.com" },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:…:function_name",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:…:id/*"
        }
      }
    }
  ]
}

Slide 18

Lambda Resource Policy: allow every Lambda authorizer

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "apigateway.amazonaws.com" },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:…:function_name",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:…:id/authorizers/*"
        }
      }
    }
  ]
}

Slide 19

Mapping Template

before:
{
  "FirstName": "Alexander",
  "LastName": "Pierce",
  "phone": "000-0000-0000",
  "address": "xxx",
  "favorite": "eggplant"
}

after:
{
  "Name": "Alexander Pierce",
  "phone": "000-0000-0000",
  "address": "xxx",
  "favorite": "beef"
}

Slide 20

Mapping Template (diagram): templates are applied at the integration request and at the integration response (method req → integration req {;} → integration res {;} → method res)

Slide 21

Request API Flow
/members GET: method req → integ req → integ res → method res
/members/{id} POST: method req → integ req → integ res → method res

Slide 22

Stages
v1: https://xxx.execute-api…/v1/…
v2: https://xxx.execute-api…/v2/…
v3: https://xxx.execute-api…/v3/…

Slide 23

Deploy (diagram): deployments from 2020/06/18 and 2020/06/05 are attached to stages
v1: https://xxx.execute-api…/v1/…
v2: https://xxx.execute-api…/v2/…
v3: https://xxx.execute-api…/v3/…

Slide 24

Request API Flow per stage (v1, v2)
/members GET: method req → integ req → integ res → method res
/members/{id} POST: method req → integ req → integ res → method res

Slide 25

Endpoint Type
- Edge: routing from a CloudFront distribution.
- Regional: routing directly to the region. Can be combined with CloudFront.
- VPC: routing from VPC PrivateLink. No public endpoint.

Slide 26

Release it!
1. Design the API
2. Choose protocol and endpoint
3. Define resources and methods
4. Integrate the backend
5. Create a stage and deploy

Slide 27

Protect API
- Open: no AuthN and AuthZ. The API is public and everybody can access it.
- IAM: use IAM credentials to grant access.
- Cognito Authorizer: connect a Cognito User Pool to grant access.
- Lambda Authorizer: validate the bearer token via Lambda to grant access.

Slide 28

Lambda Authorizer

Slide 29

Lambda Authorizer

input (bearer token):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

output (IAM policy):
{
  "principalId": "AlexanderPierce",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "………"
      }
    ]
  }
}
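An added example, not from the deck, of what the Lambda authorizer on slides 27 and 29 does (and the verify-then-grant steps of slide 44): it checks an HS256 bearer token and returns the principalId plus policy shape shown above. The shared secret, the claims and the method ARN are constructed for the example, and a stdlib HMAC check stands in for a JWT library.

```python
import base64, hashlib, hmac, json, time

SECRET = b"example-shared-secret"  # constructed; load from env/Secrets Manager in practice

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Build a compact HS256 JWT; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token, secret, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
            return None
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None

def build_policy(principal_id, effect, method_arn):
    """The output shape shown on slide 29: principalId plus an IAM policy."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def handler(event, context=None):
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    raw = event.get("authorizationToken", "")
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    claims = verify_hs256(token, SECRET)
    if claims is None:  # bad signature, wrong alg or expired: deny, do not throw
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(str(claims.get("sub", "unknown")), "Allow", event["methodArn"])
```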

Slide 30

SPA Architecture (diagram)

Slide 31

Regular Architecture (diagram)

Slide 32

Manage REST API: CDK, Terraform, CLI, CFn, SAM

Slide 33

OpenAPI (OAS) (diagram): export, define, refer, import

Slide 34

Token Bucket
Rate: 10,000 tokens/sec
Burst: 5,000 tokens in the bucket
Requests consume tokens.

Slide 35

Throttling
Account: 10,000 reqs/sec
API 1: per-method limits for /members GET, /pets GET, /parts GET
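An added simulation, not from the deck, of the token bucket on slide 34 combined with the nested account and method limits of slide 35. The rate and burst are the slide's numbers; the request timings are constructed load, and a throttled request is counted rather than answered with an HTTP 429.

```python
class TokenBucket:
    """Token bucket as on slide 34: `rate` tokens are added per second, the
    bucket holds at most `burst` tokens, and every request consumes one."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens = float(burst)  # the bucket starts full
        self.last = now

    def try_consume(self, now):
        """Refill for the time elapsed since the last call, then take a token."""
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(levels, timestamps):
    """Push one request per timestamp through the nested limits of slide 35
    (account first, then the API stage/method). A request is served only if
    every level has a token; the first empty level throttles it (a 429).
    Returns (served, throttled)."""
    served = throttled = 0
    for t in timestamps:
        if all(bucket.try_consume(t) for bucket in levels):  # stops at first refusal
            served += 1
        else:
            throttled += 1
    return served, throttled


def demo():
    """Constructed load: 6,000 requests at t=0, then 1,500 more at t=0.125 s."""
    account = TokenBucket(rate=10_000, burst=5_000)
    first = simulate([account], [0.0] * 6_000)      # burst of 5,000 absorbed, 1,000 throttled
    second = simulate([account], [0.125] * 1_500)   # 0.125 s * 10,000/s = 1,250 refilled
    return first, second
```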

Slide 36

Monitoring/Tracing
- Metrics by APIs and stages: API calls, latency, 4xx / 5xx errors, cache hit count.
- Execution logs: error/info level, full request/response logs.
- Access logs: specify the log destination, customize the log format.
- Integrate X-Ray and trace requests: just enable tracing and analyze requests end to end.

Slide 37

Caching
Capacity: 0.5 GB to 237 GB
TTL: 0 sec to 3600 sec

Slide 38

Security

Slide 39

Canary release (diagram): n% of traffic for x duration goes to the canary, the rest to prod

Slide 40

HTTP API
- Faster: reduces latency by up to 60%.
- Lower cost: frugality is one of the Leadership Principles. Overall, at least 71% lower cost.
- Simpler: JWT Authorizer. The feature set is narrower, but this makes it simpler. No need to write code for validating JWTs.

Slide 41

Routes
/
/members GET
/members/ba GET
/members/ba POST
/parts GET

Slide 42

Integrations
/members GET → invoke function
/members/ba GET → private integration
/members/ba POST → private integration
/parts GET → GET https://xxx.example.com

Slide 43

Stages / deploy (diagram): deployments from 2020/06/18 and 2020/06/05 are attached to stages
$default: https://xxx.execute-api…/…
v1: https://xxx.execute-api…/v1/…
v2: https://xxx.execute-api…/v2/…

Slide 44

JWT Authorizer
1. Verify the token
2. Grant access

Slide 45

To close: you know the core features. We need practice. We can't cover all of the features…