AWS API Gateway
Amazon API Gateway is a fully managed service for creating, publishing, and securing APIs at any scale. Supports REST APIs, HTTP APIs, and WebSocket APIs.
Table of Contents
Core Concepts
API Types
| Type | Description | Use Case | |------|-------------|----------| | HTTP API | Low-latency, cost-effective | Simple APIs, Lambda proxy | | REST API | Full-featured, more control | Complex APIs, transformation | | WebSocket API | Bidirectional communication | Real-time apps, chat |
Key Components
- Resources: URL paths (/users, /orders/{id})
- Methods: HTTP verbs (GET, POST, PUT, DELETE)
- Integrations: Backend connections (Lambda, HTTP, AWS services)
- Stages: Deployment environments (dev, prod)
Integration Types
| Type | Description | |------|-------------| | Lambda Proxy | Pass-through to Lambda (recommended) | | Lambda Custom | Transform request/response | | HTTP Proxy | Pass-through to HTTP endpoint | | AWS Service | Direct integration with AWS services | | Mock | Return static response |
Common Patterns
Create HTTP API with Lambda
AWS CLI:
# Create HTTP API
aws apigatewayv2 create-api \
--name my-api \
--protocol-type HTTP \
--target arn:aws:lambda:us-east-1:123456789012:function:MyFunction
# Get API endpoint
aws apigatewayv2 get-api --api-id abc123 --query 'ApiEndpoint'
SAM Template:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
MyApi:
Type: AWS::Serverless::HttpApi
Properties:
StageName: prod
MyFunction:
Type: AWS::Serverless::Function
Properties:
Handler: app.handler
Runtime: python3.12
Events:
ApiEvent:
Type: HttpApi
Properties:
ApiId: !Ref MyApi
Path: /items
Method: GET
Create REST API with Lambda Proxy
# Create REST API
aws apigateway create-rest-api \
--name my-rest-api \
--endpoint-configuration types=REGIONAL
API_ID=abc123
# Get root resource ID
ROOT_ID=$(aws apigateway get-resources --rest-api-id $API_ID --query 'items[0].id' --output text)
# Create resource
aws apigateway create-resource \
--rest-api-id $API_ID \
--parent-id $ROOT_ID \
--path-part items
RESOURCE_ID=xyz789
# Create method
aws apigateway put-method \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method GET \
--authorization-type NONE
# Create Lambda integration
aws apigateway put-integration \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method GET \
--type AWS_PROXY \
--integration-http-method POST \
--uri arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:MyFunction/invocations
# Deploy to stage
aws apigateway create-deployment \
--rest-api-id $API_ID \
--stage-name prod
Lambda Handler for API Gateway
import json
def handler(event, context):
# HTTP API event
http_method = event.get('requestContext', {}).get('http', {}).get('method')
path = event.get('rawPath', '')
query_params = event.get('queryStringParameters', {})
body = event.get('body', '')
if body and event.get('isBase64Encoded'):
import base64
body = base64.b64decode(body).decode('utf-8')
# Process request
response_body = {'message': 'Success', 'path': path}
return {
'statusCode': 200,
'headers': {
'Content-Type': 'application/json'
},
'body': json.dumps(response_body)
}
Configure CORS
HTTP API:
aws apigatewayv2 update-api \
--api-id abc123 \
--cors-configuration '{
"AllowOrigins": ["https://example.com"],
"AllowMethods": ["GET", "POST", "PUT", "DELETE"],
"AllowHeaders": ["Content-Type", "Authorization"],
"MaxAge": 86400
}'
REST API:
# Enable CORS on resource
aws apigateway put-method \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method OPTIONS \
--authorization-type NONE
aws apigateway put-integration \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method OPTIONS \
--type MOCK \
--request-templates '{"application/json": "{\"statusCode\": 200}"}'
aws apigateway put-method-response \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method OPTIONS \
--status-code 200 \
--response-parameters '{
"method.response.header.Access-Control-Allow-Headers": true,
"method.response.header.Access-Control-Allow-Methods": true,
"method.response.header.Access-Control-Allow-Origin": true
}'
aws apigateway put-integration-response \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method OPTIONS \
--status-code 200 \
--response-parameters '{
"method.response.header.Access-Control-Allow-Headers": "'\''Content-Type,Authorization'\''",
"method.response.header.Access-Control-Allow-Methods": "'\''GET,POST,PUT,DELETE,OPTIONS'\''",
"method.response.header.Access-Control-Allow-Origin": "'\''*'\''"
}'
JWT Authorization (HTTP API)
aws apigatewayv2 create-authorizer \
--api-id abc123 \
--name jwt-authorizer \
--authorizer-type JWT \
--identity-source '$request.header.Authorization' \
--jwt-configuration '{
"Issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123",
"Audience": ["client-id"]
}'
CLI Reference
HTTP API (apigatewayv2)
| Command | Description |
|---------|-------------|
| aws apigatewayv2 create-api | Create API |
| aws apigatewayv2 get-apis | List APIs |
| aws apigatewayv2 create-route | Create route |
| aws apigatewayv2 create-integration | Create integration |
| aws apigatewayv2 create-stage | Create stage |
| aws apigatewayv2 create-authorizer | Create authorizer |
REST API (apigateway)
| Command | Description |
|---------|-------------|
| aws apigateway create-rest-api | Create API |
| aws apigateway get-rest-apis | List APIs |
| aws apigateway create-resource | Create resource |
| aws apigateway put-method | Create method |
| aws apigateway put-integration | Create integration |
| aws apigateway create-deployment | Deploy API |
Best Practices
Performance
- Use HTTP APIs for simple use cases (70% cheaper, lower latency)
- Enable caching for REST APIs
- Use regional endpoints unless global distribution needed
- Implement pagination for list endpoints
Security
- Use authorization on all endpoints
- Enable WAF for REST APIs
- Use API keys for rate limiting (not authentication)
- Enable access logging
- Use HTTPS only
Reliability
- Set up throttling to protect backends
- Configure timeout appropriately
- Use canary deployments for updates
- Monitor with CloudWatch
Troubleshooting
403 Forbidden
Causes:
- Missing authorization
- Invalid API key
- WAF blocking
- Resource policy denying
Debug:
# Check API key
aws apigateway get-api-key --api-key abc123 --include-value
# Check authorizer
aws apigatewayv2 get-authorizer --api-id abc123 --authorizer-id xyz789
502 Bad Gateway
Causes:
- Lambda error
- Integration timeout
- Invalid response format
Lambda response format:
# Correct format
return {
'statusCode': 200,
'headers': {'Content-Type': 'application/json'},
'body': json.dumps({'message': 'success'})
}
# Wrong - missing statusCode
return {'message': 'success'}
504 Gateway Timeout
Causes:
- Backend timeout (Lambda max 29 seconds for REST API)
- Integration timeout too short
Solutions:
- Increase Lambda timeout
- Use async processing for long operations
- Increase integration timeout (max 29s for REST, 30s for HTTP)
CORS Errors
Debug:
- Check OPTIONS method exists
- Verify headers in response
- Check origin matches allowed origins