API Gateway
What can API Gateway Do?
- Track and control usage by API key.
- Throttle requests to blunt denial-of-service attempts and protect your backend systems from traffic spikes.
- Supports AWS Certificate Manager (ACM), so custom domain names can use free SSL/TLS certs that ACM renews automatically.
Cross-Origin Resource Sharing
- A web browser permits scripts contained in a first web page to access data in a second web page only if both pages have the same origin (scheme, host and port, not just the domain name).
- This same-origin policy stops a malicious page from reading responses from another site on behalf of the logged-in user (it is not what prevents Cross-Site Scripting, which is injection into a page you already trust). It is enforced by all web browsers, although ignored by tools like Postman and curl.
- Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the first resource was served.
- For a request that is not "simple" (e.g. a PUT, a JSON body, or a custom header such as Authorization), the browser first makes an HTTP OPTIONS "preflight" call for the URL (OPTIONS is an HTTP method like GET, PUT and POST).
- The server returns a response that says which origins, methods and headers are approved, via the Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers headers; the browser then decides whether to send the real request and whether the page may read the response.
- Error such as "Origin policy cannot be read at the remote resource"? You need to enable CORS on API Gateway. With a Lambda proxy integration the gateway adds no CORS headers itself, so the function must return them on every response, not only on the OPTIONS one.
- CORS is enforced by the client (the browser), so it is not access control for the API: a non-browser caller hits the endpoint regardless of these headers. Use an authorizer, IAM authorization or API keys for that, and never echo an arbitrary Origin back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials.
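The preflight and real-request exchange described above, as an added example written for these notes (it is not code from the original page or from AWS): a Node.js Lambda proxy handler for a REST API (payload format 1.0) that answers OPTIONS and adds CORS headers for an allowlist of origins. The origins, path and header values are assumed for illustration.

```javascript
// Added example, not code from the original notes or from AWS: a Node.js Lambda
// proxy handler (REST API, payload format 1.0) that answers CORS preflights and
// adds CORS headers to real responses for an allowlist of origins.
// The origins, paths and headers below are assumed for illustration.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // assumed first-party front end
  "https://admin.example.com", // assumed second approved origin
]);
const ALLOWED_METHODS = "GET,POST,OPTIONS";
const ALLOWED_HEADERS = "Content-Type,Authorization";

// CORS headers for one request. Returns {} when the Origin is not approved, so
// the browser refuses to let the page read the response. The Origin is echoed
// only when it is on the allowlist: reflecting an arbitrary Origin while also
// sending Allow-Credentials would let any site make credentialed calls.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": ALLOWED_METHODS,
    "Access-Control-Allow-Headers": ALLOWED_HEADERS,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Max-Age": "600", // let the browser cache the preflight
    Vary: "Origin", // a shared cache must not reuse one origin's answer for another
  };
}

// Case-insensitive header lookup: API Gateway passes headers as the client sent them.
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Route one proxy event to a proxy response. Kept synchronous so it is easy to
// exercise; the Lambda handler below wraps it.
function route(event) {
  const cors = corsHeaders(getHeader(event.headers, "origin"));
  const approved = Object.keys(cors).length > 0;

  if (event.httpMethod === "OPTIONS") {
    // Preflight: no body. 204 with headers for an approved origin, 403 otherwise.
    return { statusCode: approved ? 204 : 403, headers: cors, body: "" };
  }

  // The real request. CORS is not authorization: curl never sends a preflight,
  // so an authorizer on the method must still gate access to this path.
  return {
    statusCode: 200,
    headers: { ...cors, "Content-Type": "application/json" },
    body: JSON.stringify({ ok: true, path: event.path }),
  };
}

// Lambda entry point. With a proxy integration API Gateway adds no CORS headers
// of its own, so every response, not only the OPTIONS one, must carry them.
const handler = async (event) => route(event);

// Constructed preflight event, as a browser at https://app.example.com would trigger it.
const preflight = {
  httpMethod: "OPTIONS",
  path: "/orders",
  headers: {
    Origin: "https://app.example.com",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "content-type,authorization",
  },
};
console.log(route(preflight));
```

An origin that is not on the allowlist gets a 403 with no Access-Control headers at all, which is what makes the browser block the page; a request with no Origin header (curl, Postman) still gets its 200, which is why the authorizer, not CORS, is the access control.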
Throttling
- Amazon API Gateway provides throttling at multiple levels, including account-wide, per stage, per method and per usage plan (API key).
- Throttling limits can be set for standard rates and bursts. The default account-level limit is 10,000 requests per second with a burst of 5,000 per region; the other levels can only tighten that.
- For example, API owners can set a rate limit of 1,000 requests per second for a specific method in their REST APIs, and also configure Amazon API Gateway to handle a burst of 2,000 requests per second for a few seconds.
- Amazon API Gateway tracks requests per second with a token bucket: the rate limit is how fast tokens are refilled and the burst is the bucket size. Any request that arrives with the bucket empty receives a 429 Too Many Requests HTTP response.
- The client SDKs generated by Amazon API Gateway retry calls automatically when met with this response, so application code does not have to handle the 429 itself.
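The rate/burst behaviour and the 429 retry described above, as an added example written for these notes (not code from the original page, from AWS, or from the generated SDKs): a token bucket with the two knobs a method setting exposes, a simulated gateway that answers 200 or 429, and a client retry loop. The clock is simulated in seconds so the run is deterministic; the backoff schedule is an assumption (real SDKs also add jitter).

```javascript
// Added example, not code from the original notes or from AWS: a token bucket
// with the two knobs an API Gateway method setting exposes, a steady rate and a
// burst, plus a client retry loop for 429. The clock is simulated (seconds) so
// the run is deterministic; the backoff schedule is an assumption, real SDKs
// also add jitter.

class TokenBucket {
  constructor(ratePerSecond, burst) {
    this.rate = ratePerSecond; // tokens refilled per second: the steady-state limit
    this.capacity = burst;     // bucket size: the largest spike absorbed at once
    this.tokens = burst;       // a fresh bucket is full
    this.last = 0;             // simulated time of the last refill
  }

  // Refill for the time elapsed since the last call, then take one token.
  tryAcquire(now) {
    const elapsed = Math.max(0, now - this.last);
    this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.rate);
    this.last = now;
    if (this.tokens >= 1) {
      this.tokens -= 1;
      return true;
    }
    return false;
  }
}

// The gateway's decision for one request arriving at simulated time `now`.
function gateway(bucket, now) {
  return bucket.tryAcquire(now) ? 200 : 429;
}

// Fire n requests at the same instant and count the status codes.
function sendBurst(bucket, now, n) {
  const counts = { 200: 0, 429: 0 };
  for (let i = 0; i < n; i += 1) counts[gateway(bucket, now)] += 1;
  return counts;
}

// Client side: retry on 429 with exponential backoff, which is what the generated
// SDKs do for you. Returns the attempt number that succeeded, or null after maxAttempts.
function callWithRetry(bucket, startTime, maxAttempts = 5) {
  let now = startTime;
  let delay = 0.1; // seconds before the first retry, doubled each time
  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
    if (gateway(bucket, now) === 200) return attempt;
    now += delay;
    delay *= 2;
  }
  return null;
}

// Walk-through with the figures from the notes: rate 1,000 rps, burst 2,000.
function demo() {
  const bucket = new TokenBucket(1000, 2000);
  const spike = sendBurst(bucket, 0, 2500);    // 2,000 served, 500 get 429
  const later = sendBurst(bucket, 0.5, 600);   // 500 tokens refilled in 0.5 s
  const attempts = callWithRetry(bucket, 0.5); // bucket empty, succeeds on the retry
  return { spike, later, attempts };
}

console.log(demo());
```

The spike shows why the burst matters: 2,500 simultaneous requests against a 1,000 rps limit still get 2,000 through because the bucket started full, and only the overflow is rejected. Half a second later only 500 tokens have come back, so a second burst of 600 loses 100.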
Exam Tips
- You can enable API caching in Amazon API Gateway to cache your endpoint responses.
- Caching is enabled per stage (and can be overridden per method). API Gateway caches responses from your endpoint for a specified time-to-live (TTL) period, in seconds: the default is 300, the maximum is 3600, and a TTL of 0 disables caching.
- API Gateway then responds to a request by looking up the endpoint response in the cache instead of making a request to your endpoint. The cache key is the request path plus whatever query string parameters and headers you mark as cache keys.
- Security caveat: a cached response is served to every caller whose request produces the same cache key. If a method returns per-user data, add the identity (e.g. the Authorization header) to the cache key or disable caching for that method, otherwise one user can be handed another's response.
- A client can bypass the cache with a Cache-Control: max-age=0 header. By default that requires the caller to be authorized for execute-api:InvalidateCache; do not allow unauthorized cache invalidation on a public API, since it lets anyone push every request through to the backend.