AWS API Gateway with Lambda

Quick overview and tutorial

What is AWS API Gateway?

Amazon API Gateway enables you to publish, monitor, secure, and maintain APIs. This fully managed service is available through the AWS Management Console, where you can create an API in a few clicks.

This service lets you configure an API to give applications access to data, functionality, or business logic from back-end services, including:

  • Any web application.
  • Applications running on AWS services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Compute Cloud (Amazon EC2).
  • Code running on AWS Lambda.

Using AWS Lambda with Amazon API Gateway

Amazon API Gateway lets you create a web API with an HTTP endpoint for Lambda functions, providing you with various tools for documenting and creating web APIs that can route HTTP requests to your Lambda functions.

Resources and methods

Resources in an API can define one or several methods, including POST or GET. Methods include an integration that can route requests to a Lambda function or another integration. You can use the following methods to define resources and methods:

  • Define each resource and method separately.
  • Use special resource and method types to match the requests that fit a certain pattern.

Note that a proxy resource catches all paths beneath a certain resource, and the ANY method catches all HTTP methods.

API Gateway supports three APIs for invoking Lambda functions—a feature-rich, customizable RESTful API, a lightweight, low-latency RESTful API, and a WebSocket API that can maintain persistent connections with various clients for full-duplex communication.

Security

This service lets you use authentication and authorization controls to secure access to your APIs and configure APIs to serve traffic over the public Internet or only within a VPC.

What are API Gateway Lambda authorizers?

A Lambda authorizer uses a Lambda function to control access to an API. This API Gateway feature can help you implement a custom authorization scheme that uses request parameters to determine a caller’s identity or a bearer token authentication strategy like SAML or OAuth.

Here is what happens when a client makes a request to one of the API’s methods:

  1. API Gateway calls the Lambda authorizer
  2. The authorizer takes the caller’s identity and returns the associated IAM policy.

AWS provides the following Lambda authorizers:

  • A TOKEN authorizer—this token-based authorizer receives a caller’s identity inside a bearer token like an OAuth token or a JSON Web Token (JWT).
  • A REQUEST authorizer—this request parameter-based authorizer receives a caller’s identity within a set of headers, stageVariables, query string parameters, and $context variables.

Here is a diagram illustrating the API Gateway Lambda authorization workflow:

AWS workflow
Image Source: AWS

Here is a quick summary of this workflow:

  1. A client calls a method on an API method, passing request parameters or a bearer token.
  2. API Gateway looks for a Lambda authorizer configured for this method. If one is available, API Gateway calls the relevant Lambda function.
  3. A Lambda function can authenticate a caller using various ways. It can call an OAuth provider to receive an OAuth access token or a SAML provider to receive a SAML assertion. Alternatively, it can generate an IAM policy according to the request parameter values or retrieve credentials from a database.
  4. If a call succeeds, the Lambda function provides access by returning an output object containing an IAM policy, principal identifier, and other relevant data.
  5. During the last phase, API Gateway evaluates the policy and initiates the relevant response. If the policy denies access, API Gateway returns the appropriate HTTP status code, like 403 ACCESS_DENIED. If the policy allows access, API Gateway starts executing the method.

You can enable caching in the authorizer settings to set up API Gateway to cache the policy. It eliminates the need to invoke the Lambda authorizer function again.

Tutorial: Create a simple microservice using Lambda and API Gateway

You can use the following steps to a microservice via the Lambda console using AWS API Gateway:

  1. First, log in to the AWS Management Console and navigate to the Lambda service.
  2. Click on the Create function button to create a new Lambda function.
  3. Select Author from scratch and give your function a name, choose a runtime and choose Create a new role from template(s).
  4. In the new role template, give it a name and make sure to check the Simple Microservice permissions checkbox.
  5. Next, you can start writing your code. For this tutorial, we’ll use a simple example where the Lambda function will return a message when invoked.
exports.handler = async (event) =>
   const response = {
       statusCode: 200,
       body: JSON.stringify('Hello from Lambda!'),
   };
   return response;
};
  1. Save the changes, then navigate to the API Gateway service and click on the Create API button to create a new API.
  2. Select REST API and click on the Build button.
  3. In the next step, you can configure the settings for your API. Give it a name, and then click on the Create API button.
  4. Now that your API has been created, you can create a new resource. Click on the Create Resource button and give your resource a name.
  5. Once your resource has been created, you can create a new method for it. Click on the Create Method button and select the HTTP method (e.g. GET, POST, etc) that you want to use.
  6. Next, you can configure the settings for your method. Choose Lambda Function as the integration type and select the function that you created earlier.
  7. In the next step, you will configure the Lambda Proxy Integration, which will allow you to pass the input from the client to the Lambda function and to return the response from the Lambda function to the client.
  8. Save your changes and now you have created a simple microservice using Lambda and API Gateway.
  9. Deploy the API by creating a deployment stage and give it a name, you can use this url to test your service.
AWS API Gateway Lambda deployment stage
  1. You can also test your service by invoking the method you created in a browser window. The response should look something like this:
AWS API Gateway Lambda testing

Reducing the cost of AWS API Gateway with Solo

The combination of AWS Lambda and AWS API Gateway are a very common usage pattern with many companies. But AWS API Gateway can be a very expensive component of this application pattern, due to the pricing model being driven by volume of API calls and memory/cache usage. In contrast, many companies are beginning to look for ways to reduce the cost of the API Gateway. Solo Gloo Gateway can be an excellent way to not only reduce the cost of API Gateway, but also seamlessly integrate with AWS Lambda.

Get started with Gloo Mesh / Gloo Gateway today!

Cloud connectivity done right