AWS API Gateway

Adzerk Engineering Meeting, 2017-10-11

What is it?

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create an API that acts as a "front door" for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any Web application. Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.

- https://aws.amazon.com/api-gateway​

What is it? (tl;dr)

• AWS product providing a managed API frontend
• Emphasis on API performance
  • worldwide network of edge locations -> low latency
  • caches output of API calls
  • throttling
• Flexible security/authorization, including
  • AWS IAM
  • AWS Cognito
  • Custom
• Generate an Android, iOS SDK or JavaScript library ready for release as a client for your API.
• Can use it to build a "serverless" API

What problems does it try to solve?

• Scalability
• Performance
• Caching
• Throttling
• Low latency everywhere in the world
• Security / Authorization
• Deployment

What is it about?

• It's a managed REST API service with useful features and optimizations.
   
• You define and configure your API via the AWS Console or CLI, and have it call through to existing applications.
   
• The API Gateway acts as a proxy, (optionally transforming and) sending the requests through to your existing service(s).

What are the primary operations?

• Create and edit a REST API via the AWS Console or CLI.
• View your REST API as a tree view in the Console.
• Create and edit resources.
• Create and edit methods (HTTP verbs) for each resource.
• Define how requests and responses are transformed.
• Configure each method's security settings.
• Manage and deploy stages.
• Download an Android, iOS SDK, or JavaScript client libraries for your API.

Why/when would you use it?

• Performance, latency, and/or resiliency are critical to your operations.
• You want to improve an existing API's security and authorization mechanisms.
• You have an existing Swagger API definition.
• You're building an API from scratch and you've bought into AWS.
• You want to build a "serverless" API.

Why/when would you NOT use it?

When you want to build a private API that is not public to the Internet,

e.g. an API that you want to be internal to a VPC.

Limitations / Disadvantages

• AWS charges $3.50 per million API calls, plus the cost of data transfer out, in gigabytes, as well as hourly rates for the caching (if you choose to use it).
   
• There are account limits:
  • http://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#api-gateway-limits

Alternatives

• Off-hand, I don't know of any similar services.
• I did a quick google and found something called "Exchange Web Services (EWS) Managed API," but that's specific to .NET applications.
• Doing all this stuff manually.

Characteristics: Environment

• AWS
   
• Language/platform agnostic: can stand up a REST API in front of anything that can run in an EC2 instance or as a Lambda function.

Characteristics: Dependencies

• AWS
   
• ...that's it.

Characteristics: Documentation

• Seems on par with other AWS products.
   
• Good FAQ: https://aws.amazon.com/api-gateway/faqs/

Characteristics:
Logging, Monitoring, Metrics

• Available via CloudWatch
   
• Configurable

Characteristics:
API Quality

• Seems good. As usual, you can do just about everything via both the AWS Console and the AWS CLI.
   
• Creating an API using AWS CLI commands: http://docs.aws.amazon.com/apigateway/latest/developerguide/create-api-using-awscli.html

Community

• It's AWS, so there are bound to be a lot of people using it in production.
   
• Probably easy to find experience reports, support forum threads, etc. for common issues.

Operational Characteristics

• Performance, throughput, latency: probably good
• Deployment story seems nice
• Security/authorization is flexible; can make your API as secure (or insecure) as you want it to be
• Failure modes
  • API Gateway itself seems pretty resilient, but I guess your API is still only as resilient as your application code.
  • Your API is only as secure as you choose to make it.

Potential Adzerk usage

• Management API
  • Caching, performance, latency optimizations are appealing
  • We wouldn't need to implement throttling ourselves
  • Opportunity to build a new, better authorization system
  • Shower thought: could have API Gateway translate JSON requests into JSON-stuffed-into-a-form-field requests
• Decision API
  • Caching, performance, latency optimizations are even more compelling for ad serving.
  • Might make us more marketable outside the us-east region?
• The next time we have to build a simple API like the Instant Counts API, we might consider writing some Lambda functions and using API Gateway to make a serverless API that sits in front of them.