Things to Consider When You Build REST APIs with Amazon API Gateway


Request Rate (a.k.a. “TPS”)
Request rate is the first thing you should consider when designing REST APIs. By default, API Gateway allows for up to 10,000 requests per second. You should use the built in Amazon CloudWatch metrics to review how your API is being used. The Count metric in particular can help you review the total number of API requests in a given period.

It’s important to understand the actual request rate that your architecture is capable of supporting. For example, consider this architecture:

REST API 1

This API accepts GET requests to retrieve a user’s cart by using a Lambda function to perform SQL queries against a relational database managed in RDS.  If you receive a large burst of traffic, both API Gateway and Lambda will scale in response to the traffic. However, relational databases typically have limited memory/cpu capacity and will quickly exhaust the total number of connections.

As an API architect, you should design your APIs to protect your down stream applications.  You can start by defining API Keys and requiring your clients to deliver a key with incoming requests. This lets you track each application or client who is consuming your API.  This also lets you create Usage Plans and throttle your clients according to the plan you define.  For example, you if you know your architecture is capable of of sustaining 200 requests per second, you should define a Usage plan that sets a rate of 200 RPS and optionally configure a quota to allow a certain number of requests by day, week, or month.

Additionally, API Gateway lets you define throttling settings for the whole stage or per method. If you know that a GET operation is less resource intensive than a POST operation you can override the stage settings and set different throttling settings for each resource.

Integrations and Design patterns
The example above describes a synchronous, tightly coupled architecture where the request must wait for a response from the backend integration (RDS in this case). This results in system scaling characteristics that are the lowest common denominator of all components. Instead, you should look for opportunities to design an asynchronous, loosely coupled architecture. A decoupled architecture separates the data ingestion from the data processing and allows you to scale each system separately. Consider this new architecture:

REST API 2

This architecture enables ingestion of orders directly into a highly scalable and durable data store such as Amazon Simple Queue Service (SQS).  Your backend can process these orders at any speed that is suitable for your business requirements and system ability.  Most importantly,  the health of the backend processing system does not impact your ability to continue accepting orders.

Security
Security with API Gateway falls into three major buckets, and I’ll outline them below. Remember, you should enable all three options to combine multiple layers of security.

Option 1 (Application Firewall)
You can enable AWS Web Application Firewall (WAF) for your entire API. WAF will inspect all incoming requests and block requests that fail your inspection rules. For example, WAF can inspect requests for SQL Injection, Cross Site Scripting, or whitelisted IP addresses.

Option 2 (Resource Policy)
You can apply a Resource Policy that protects your entire API. This is an IAM policy that is applied to your API and you can use this to white/black list client IP ranges or allow AWS accounts and AWS principals to access your API.

Option 3 (AuthZ)
IAM:This AuthZ option requires clients to sign requests with the AWS v4 signing process. The associated IAM role or user must have permissions to perform the execute-api:Invoke action against the API.
Cognito: This AuthZ option requires clients to login into Cognito and then pass the returned ID or Access JWT token in the Authentication header.
Lambda Auth: This AuthZ option is the most flexible and lets you execute a Lambda function to perform any custom auth strategy needed. A common use case for this is OpenID Connect.
A Couple of Tips
Tip #1: Use Stage variables to avoid hard coding your backend Lambda and HTTP integrations. For example, you probably have multiple stages such as “QA” and “PROD” or “V1” and “V2.” You can define the same variable in each stage and specify different values. For example, you might an API that executes a Lambda function. In each stage, define the same variable called functionArn. You can reference this variable as your Lambda ARN during your integration configuration using this notation: ${stageVariables.functionArn}. API Gateway will inject the corresponding value for the stage dynamically at runtime, allowing you to execute different Lambda functions by stage.

Summary
This post covered strategies you should use to ensure your REST API architectures are scalable and easy to maintain.  I hope you’ve enjoyed this post and our next post will cover GraphQL API architectures with AWS AppSync.[Source]-https://aws.amazon.com/blogs/architecture/things-to-consider-when-you-build-rest-apis-with-amazon-api-gateway/
AWS Certification Course Courses in Mumbai. 30 hours practical training program on all avenues of Amazon Web Services. Learn under AWS Expert


Comments

Post a Comment

Popular posts from this blog

What Is Java? A Beginner’s Guide to Java and Its Evolution

What is Java used for? Before I answer the question, what is Java used for, let me brief you about why you should choose Java. Java is highly popular and has dominated this field from early 2000’s till the present 2018. Java has been used in different domains. Some of them are listed below: Banking: To deal with transaction management. Retail: Billing applications that you see in a store/restaurant are completely written in Java. Information Technology: Java is designed to solve implementation dependencies. Android: Applications are either written in Java or use Java API. Financial services: It is used in server-side applications. Stock market: To write algorithms as to which company they should invest in.   Big Data: Hadoop MapReduce framework is written using Java. Scientific and Research Community: To deal with huge amount of data. Wait! Java can do more. Let’s see how some of the technologies make use of Java as an essential core of their functionalit...
Read more

Is Data Scientist & Data Analyst are same? Learn the Differences Now!

Image
If we talk about the hottest jobs in tech right now, then only two names will pop up in your mind those are a data analyst or data scientist.  And, that’s not only we are saying even the Harvard Business Review declared “data scientist” as the“sexiest job of the 21st century .” But there is a lot of confusion between both the names even people who have some basic knowledge of data science consider both the job profiles as one.  Well, the reason behind this confusion is both of the professions deal with big data, rather defined vaguely and sometimes used interchangeably with one another. So, here we are to explain the differences between the two of them and that too in the easiest way. Let’s begin the brief introduction of both the terms, followed by skillsets each require to understand well.   Definition a. Data Analysts Data Analysts play a vital role in the Data Science domain. As a role, they play a variety of tasks associated with collectin...
Read more

Full Stack Development : All that you need to know

What is a Full Stack Development professional? A full stack development professional is the one who is having a sound technical knowledge of each and every aspect of development – front end, back end, various operating systems among other details of the technology. These people are usually termed as “developer generalists”. The significant thing to be noted here is that full stack developer should not be confused with senior developers. In nutshell, this stack of developers can create any complex application from the scratch, provided they would have understood how each technical layer should interact with the other. Why Full Stack Development? At the beginning of this post, we have mentioned about a query that had instantly popped in the mind – why would a company require full stack development professional. Here’s the answer: 1. Creation of unique code: The developer or the agency would be able to create a unique code for multiple technologies; as they could work with ...
Read more