Amazon API Gateway is one of the default ways to create HTTP APIs in AWS. In essence, API Gateway implements the web layer of your application as a managed service in AWS, which allows you to focus on business logic rather than infrastructure.
By integrating a Lambda function with an API Gateway endpoint, you create a serverless public web API. API Gateway offers a level of protection to your application code by decoding and validating HTTP requests to your endpoints. There is a choice between high-performance, simple HTTP APIs, which offer only basic HTTP validation, and slower but more fully featured REST APIs, which can additionally validate request bodies.
In addition to HTTP and REST modes, API Gateway also supports WebSocket APIs. While the HTTP variety is less feature-rich in some ways, it is much cheaper and faster, and is well suited to use cases that only need to proxy requests to Lambda functions or HTTP endpoints such as load balancers. AWS offer an HTTP vs REST guide to help you choose which flavour best suits your use case, along with the following from the FAQs:
HTTP APIs are ideal for:
- Building proxy APIs for AWS Lambda or any HTTP endpoint
- Building modern APIs that are equipped with OIDC and OAuth 2 authorisation
- Workloads that are likely to grow very large
- APIs for latency sensitive workloads
REST APIs are ideal for:
- Customers looking to pay a single price point for an all-inclusive set of features needed to build, manage, and publish their APIs.
Key features of REST API
- Request body validation using OpenAPI models, so you can ensure that your serverless code only receives appropriately structured requests.
- Auto-generated OpenAPI documentation
- Access logs may be sent to Kinesis Firehose for analytics
- TLS 1.0 support, for older clients which require this deprecated version
- Coarse-grained throttling
- Lambda, IAM and Cognito authorisers
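How the request body validation listed above can be switched on for a REST API, as an added example that is not from the original page: an OpenAPI definition using API Gateway's request-validator extensions. The API name, path, schema, and the REGION and LAMBDA_ARN placeholders are assumptions.

```yaml
openapi: "3.0.1"
info:
  title: orders-api            # hypothetical API name
  version: "1.0"

# Declare a named validator, then make it the default for every method.
x-amazon-apigateway-request-validators:
  body-and-params:
    validateRequestBody: true
    validateRequestParameters: true
x-amazon-apigateway-request-validator: body-and-params

paths:
  /orders:                     # hypothetical resource
    post:
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/NewOrder"
      responses:
        "201":
          description: Order created
      x-amazon-apigateway-integration:
        type: aws_proxy        # Lambda proxy integration
        httpMethod: POST       # Lambda is always invoked with POST
        # REGION and LAMBDA_ARN are placeholders, not real values
        uri: arn:aws:apigateway:REGION:lambda:path/2015-03-31/functions/LAMBDA_ARN/invocations

components:
  schemas:
    NewOrder:                  # constructed sample model
      type: object
      additionalProperties: false   # reject unexpected fields
      required: [sku, quantity]
      properties:
        sku:
          type: string
          pattern: "^[A-Z0-9-]{3,32}$"
        quantity:
          type: integer
          minimum: 1
          maximum: 100
```

With this in place, a body that does not match the model is rejected by API Gateway with a 400 response and the Lambda function is never invoked. The function should still enforce its own business rules, since the model only constrains structure.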
Key features of HTTP API
- Newer than REST API (HTTP APIs released Dec 2019; REST APIs released 2015)
- Faster (60% lower latency than REST API)
- Cheaper (71% lower cost than REST API)
- Simpler to configure than REST API
- Fine-grained throttling
- OIDC and OAuth 2 authorisers
WebSocket APIs maintain a persistent connection between connected clients to enable real-time message communication. With WebSocket APIs in API Gateway, you can define back-end integrations with AWS Lambda functions, Amazon Kinesis, or any HTTP endpoint to be invoked when messages are received from the connected clients.
All varieties of API Gateway allow the use of a custom domain, and integrate well with AWS Certificate Manager to enable secure HTTPS.
A key feature of API Gateway is that clients can be issued with their own API request key for server-to-server integrations. Each client can be assigned different rate limits and usage quotas, enabling fine-grained controls that support monetisation of an API.
AWS Web Application Firewall ('WAF') can be used to further protect the APIs exposed by API Gateway. The Web Application Firewall is feature-rich and can filter and restrict traffic based on configurable rules.
Development and deployment
It is worth considering whether either the Serverless Framework or the AWS Serverless Application Model ('SAM') may be a better approach to deploying a serverless application. These provide an abstraction layer which can reduce development and maintenance effort compared to defining AWS resources directly using tools like CloudFormation or Terraform.