Amazon API Gateway
A fully managed service for creating, publishing, and managing REST APIs, HTTP APIs, and WebSocket APIs, serving as the front door to Lambda and other AWS services
Overview
Amazon API Gateway is a fully managed service for creating, publishing, maintaining, monitoring, and securing APIs at any scale. It supports three API types - REST API, HTTP API, and WebSocket API - and can use Lambda functions, EC2 instances, and arbitrary HTTP endpoints as backends. It provides comprehensive API management capabilities, including API key management, usage plans, throttling, request/response transformation, authentication and authorization via Cognito or IAM, and custom domain name configuration. HTTP APIs are approximately 70% cheaper than REST APIs and have lower latency, making them well suited to simple API proxies. WebSocket APIs support real-time bidirectional communication for building chat applications and live dashboards.
Selection Criteria for REST API vs HTTP API
API Gateway offers two HTTP-based API types - REST API and HTTP API - and you choose between them based on your requirements. REST API provides advanced features such as request/response transformation via mapping templates, access control through API keys and usage plans, request validation, caching, WAF integration, and canary releases. It is well suited to enterprise APIs or scenarios requiring complex request transformations. HTTP API omits some of these advanced features in exchange for pricing at roughly 30% of REST API (approximately $1.29 per million requests vs. approximately $4.25 per million requests) and lower latency. It natively supports JWT authorizers, automatic CORS configuration, and OpenID Connect / OAuth 2.0 integration, which is sufficient for a simple proxy in front of Lambda or HTTP backends. By contrast, Azure API Management (APIM) focuses on broader API lifecycle management, including a built-in developer portal and subscription management, but its Consumption plan costs approximately $4.24 per million calls, making API Gateway's HTTP API more cost-efficient for serverless workloads with irregular traffic.
Authentication, Authorization, and Throttling Design
API Gateway provides multiple authentication mechanisms to secure your APIs. Cognito User Pool authorizers validate the JWTs issued by the user pool and are ideal for mobile and web applications with user sign-up flows. IAM authorization uses AWS Signature Version 4 and is suited to service-to-service communication within AWS. Lambda authorizers (formerly custom authorizers) let you implement arbitrary authentication logic - validating custom tokens, checking IP allowlists, or integrating with third-party identity providers - and return an IAM policy that API Gateway evaluates for the request. For throttling, API Gateway enforces account-level limits (default 10,000 requests per second with a 5,000-request burst) and allows method-level throttling to protect specific endpoints. Usage plans combined with API keys enable per-client rate limiting and quota management, which is essential when exposing APIs to external partners.
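As an added example (not code from this page or from AWS), the following REQUEST-type Lambda authorizer for a REST API implements two of the checks mentioned above: a source-IP allowlist and validation of a custom HMAC-signed bearer token, failing closed with a Deny policy on any error. The token format, the CIDR list, the signing key and the sample event are constructed assumptions for the example.

```python
import hmac
import ipaddress

# Constructed for this example: allowed caller CIDRs and the key that signs the
# custom bearer token; a real deployment would load both from configuration.
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
TOKEN_KEY = b"example-signing-key-placeholder"

def make_token(client_id):
    """Issuer side of the assumed token format: '<client_id>.<hex HMAC-SHA256>'."""
    return client_id + "." + hmac.new(TOKEN_KEY, client_id.encode(), "sha256").hexdigest()

def verify_token(token):
    """Return the client id if the token's MAC verifies (constant-time compare), else None."""
    client_id, sep, sig = token.partition(".")
    if not sep or not client_id:
        return None
    expected = hmac.new(TOKEN_KEY, client_id.encode(), "sha256").hexdigest()
    return client_id if hmac.compare_digest(expected, sig) else None

def source_ip_allowed(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in ALLOWED_CIDRS)
    except ValueError:  # missing or malformed address: fail closed
        return False

def stage_scope(method_arn):
    """'arn:...:apiId/stage/METHOD/path' -> 'arn:...:apiId/stage/*'. API Gateway caches the
    returned policy per identity source, so an Allow scoped to a single method ARN would
    deny the same caller's other routes until the cache TTL expires."""
    prefix, _, rest = method_arn.partition("/")
    return f"{prefix}/{rest.split('/', 1)[0]}/*"

def build_policy(principal_id, effect, resource, context=None):
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
            "context": context or {}}

def handler(event, _context=None):
    """Entry point for a REQUEST-type Lambda authorizer on a REST API."""
    method_arn = event["methodArn"]
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    source_ip = (event.get("requestContext") or {}).get("identity", {}).get("sourceIp", "")
    if not source_ip_allowed(source_ip):
        return build_policy("anonymous", "Deny", method_arn)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    client_id = verify_token(token) if scheme.lower() == "bearer" else None
    if client_id is None:
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(client_id, "Allow", stage_scope(method_arn), {"clientId": client_id})
```

The `context` map is forwarded to the integration as `$context.authorizer.clientId`, so the backend can apply per-client logic without re-validating the token.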
Stage Management and Canary Releases
Stages in API Gateway represent deployment snapshots of your API configuration, enabling you to maintain separate environments (dev, staging, prod) under a single API. Stage variables act as environment-specific configuration values - you can point to different Lambda aliases or backend endpoints per stage without modifying the API definition. Canary releases, available with REST API, let you gradually shift a percentage of production traffic to a new deployment version. For example, you can route 10% of traffic to the canary deployment, monitor error rates and latency via CloudWatch, and then promote the canary to full production or roll back if issues arise. Combine custom domain names with ACM certificates and Route 53 to provide branded API endpoints (api.example.com), and use base path mappings to route different paths to different APIs or stages under a single domain.