
Amazon API Gateway

Last updated on December 22, 2025

Amazon API Gateway Cheat Sheet

  • Amazon API Gateway is a fully managed service for creating, publishing, monitoring, securing, and scaling REST, HTTP, and WebSocket APIs. It serves as the application-facing entry point for serverless, containerized, on-premises, and hybrid workloads.

  • Key Highlights:

    • HIPAA eligible service

    • HTTPS-only endpoints

    • Pay-per-use pricing

    • Integrates tightly with AWS Lambda and other AWS services

 Concepts

API Deployment

  • A point-in-time snapshot of API Gateway resources and methods

  • Must be associated with one or more API stages to be callable

API Endpoint

  • Hostname where the API is invoked

  • Format: https://{rest-api-id}.execute-api.{region}.amazonaws.com

API Key

  • Alphanumeric identifier for an API client

  • Used with usage plans to enforce throttling and quotas

API Stage

  • Logical reference to an API lifecycle state (e.g., dev, test, prod)

  • Identified by API ID + stage name

Model

  • Defines the data schema for request or response payload validation

Private API

  • Exposed only through interface VPC endpoints

  • Completely isolated from the public internet

  • Supports custom domain names

Integrations

Private Integration

  • Allows API Gateway to access resources inside a customer’s VPC

  • No public internet exposure

  • Supports Application Load Balancer (ALB) for REST APIs 

Proxy Integration

  • Simplifies backend integration by forwarding full requests

HTTP Proxy Integration

  • Entire request and response are passed between client and HTTP backend

Lambda Proxy Integration

  • Entire request is sent as input to a Lambda function

  • Backend controls response formatting

Other Integration Capabilities:

  • REST APIs can be added as a target for Amazon Bedrock AgentCore Gateway 

Usage Plans

  • Provide selected API clients access to one or more deployed APIs

  • Enforce:

    • Request throttling (RPS and burst)

    • Quota limits

  • Applied per API key

API Endpoint Types

Edge-Optimized Endpoint

  • Default option

  • Uses Amazon CloudFront

  • Requests routed to the nearest CloudFront Point of Presence

  • Best for global client access

Regional Endpoint

  • Direct access to a specific AWS Region

  • Does not use CloudFront by default

  • Supports latency-based routing with Route 53

  • Allows the same custom domain name across multiple Regions

Private Endpoint

  • Accessible only from within a VPC

  • Uses VPC endpoints for API Gateway

  • Traffic never leaves the AWS network

  • Custom domain names supported

Supported API Types

  • REST APIs, HTTP APIs, WebSocket APIs

  • Supports serverless, containerized, and on-premises workloads

  • All APIs expose HTTPS endpoints only (no unencrypted HTTP)

  • Dual-stack IPv4/IPv6 endpoints supported

Features

Invocation Targets:

  • AWS Lambda, Step Functions, EventBridge, Amazon SQS, Amazon Kinesis Data Streams

  • Elastic Beanstalk, EC2, and public HTTP endpoints

Traffic Management:

  • Method-level throttling

  • Burst and steady-state request limits

Caching:

  • Configurable cache keys and TTL

  • Reduces backend load

API Lifecycle:

  • Run multiple versions of the same API simultaneously

  • Canary deployments for testing

Monetization:

  • Package APIs into usage plans

  • Sell APIs as SaaS via AWS Marketplace

Documentation:

  • Create, update, and export API documentation per method and resource

  • Developer portals for API discovery & testing 

Response Handling:

  • REST APIs support progressively streaming response payloads to clients 

  • Routing rules for REST APIs using headers or URL paths 

HTTP APIs (General Availability)

  • Optimized for low latency and lower cost (up to 71% cheaper than REST APIs)

  • Supports routing to:

    • Private ELBs, AppConfig, EventBridge, Step Functions, Kinesis, SQS

    • IP-based services via AWS Cloud Map (e.g., ECS tasks)

Data Mapping:

  • Map headers, query strings, and path parameters

  • Map integration responses back to method responses

Custom Domains:

  • Wildcard domains (*.example.com)

  • Multi-level base path mappings

  • Path-based API versioning and traffic migration

Authentication & Protection

  • IAM (Signature Version 4 and SigV4a)

  • Lambda authorizers

  • Amazon Cognito user pools

  • Mutual TLS (mTLS)


Protection:

  • AWS WAF integration

  • Resource policies

  • VPC endpoint policies for private APIs

Transport Security:

  • TLS 1.2 and TLS 1.3

  • Enhanced TLS security policies for REST APIs and custom domains

Monitoring & Logging

  • Integrated with Amazon CloudWatch:

    • API calls

    • Latency

    • 4XX / 5XX error rates

Logging:

  • Execution logs

  • Access logs

  • Configurable log levels

Tracing:

  • AWS X-Ray for full request visibility

Amazon API Gateway Pricing

  • Pay only for API calls received and the amount of data transferred out

  • Optional data caching charged hourly based on cache size

  • Free Tier: 1 million API calls per month for 12 months

  • HTTP APIs up to 71% cheaper than REST APIs

  • Pay-per-call and data-transfer pricing confirmed

Validate Your Knowledge

Question 1

  • A startup is using Amazon RDS to store data from a web application. Most of the time, the application has low user activity but it receives bursts of traffic within seconds whenever there is a new product announcement. The Solutions Architect needs to create a solution that will allow users around the globe to access the data using an API.
  • What should the Solutions Architect do to meet the above requirement?
  1. Create an API using Amazon API Gateway and use the Amazon ECS cluster with Service Auto Scaling to handle the bursts of traffic in seconds.
  2. Create an API using Amazon API Gateway and use Amazon Elastic Beanstalk with Auto Scaling to handle the bursts of traffic in seconds.
  3. Create an API using Amazon API Gateway and use AWS Lambda to handle the bursts of traffic in seconds.
  4. Create an API using Amazon API Gateway and use an Auto Scaling group of Amazon EC2 instances to handle the bursts of traffic in seconds.
  • Correct Answer: 3
  • AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume. With Lambda, you can run code for virtually any type of application or backend service – all with zero administration. Just upload your code, and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.
  • The first time you invoke your function, AWS Lambda creates an instance of the function and runs its handler method to process the event. When the function returns a response, it stays active and waits to process additional events. If you invoke the function again while the first event is being processed, Lambda initializes another instance, and the function processes the two events concurrently. As more events come in, Lambda routes them to available instances and creates new instances as needed. When the number of requests decreases, Lambda stops unused instances to free up the scaling capacity for other functions.
  • Your functions’ concurrency is the number of instances that serve requests at a given time. For an initial burst of traffic, your functions’ cumulative concurrency in a Region can reach an initial level of between 500 and 3000, which varies per Region.
  • Based on the given scenario, you need to create a solution that will satisfy the two requirements. The first requirement is to create a solution that will allow the users to access the data using an API. To implement this solution, you can use Amazon API Gateway. The second requirement is to handle the burst of traffic within seconds. You should use AWS Lambda in this scenario because Lambda functions can absorb reasonable bursts of traffic for approximately 15-30 minutes.
  • Lambda can scale faster than the regular Auto Scaling feature of Amazon EC2, Amazon Elastic Beanstalk, or Amazon ECS. This is because AWS Lambda is more lightweight than other computing services. Under the hood, Lambda can run your code on thousands of available AWS-managed EC2 instances (that could already be running) within seconds to accommodate traffic. This is faster than the Auto Scaling process of launching new EC2 instances, which could take a few minutes or so. An alternative is to overprovision your compute capacity, but that will incur significant costs. The best option to implement given the requirements is a combination of AWS Lambda and Amazon API Gateway.
  • Hence, the correct answer is: Create an API using Amazon API Gateway and use AWS Lambda to handle the bursts of traffic.
  • The option that says: Create an API using Amazon API Gateway and use the Amazon ECS cluster with Service Auto Scaling to handle the bursts of traffic in seconds is incorrect. AWS Lambda is a better option than Amazon ECS since it can handle a sudden burst of traffic within seconds and not minutes.
  • The option that says: Create an API using Amazon API Gateway and use Amazon Elastic Beanstalk with Auto Scaling to handle the bursts of traffic in seconds is incorrect because just like the previous option, the use of Auto Scaling has a delay of a few minutes as it launches new EC2 instances that will be used by Amazon Elastic Beanstalk.
  • The option that says: Create an API using Amazon API Gateway and use an Auto Scaling group of Amazon EC2 instances to handle the bursts of traffic in seconds is incorrect because the processing time of Amazon EC2 Auto Scaling to provision new resources takes minutes. Take note that in the scenario, a burst of traffic within seconds is expected to happen.
  • References:
    https://aws.amazon.com/blogs/startups/from-0-to-100-k-in-seconds-instant-scale-with-aws-lambda/
    https://docs.aws.amazon.com/lambda/latest/dg/invocation-scaling.html
  • Note: This question was extracted from our AWS Certified Solutions Architect Associate Practice Exams.
Question 2

  • A developer configured an Amazon API Gateway proxy integration named MyAPI to work with a Lambda function. However, when the API is being called, the developer receives a 502 Bad Gateway error. She tried invoking the underlying function, but it properly returned the result in XML format.
  • What is the MOST likely root cause of this issue?
    1. The API name of the Amazon API Gateway proxy is invalid.
    2. There has been an occasional out-of-order invocation due to heavy loads.
    3. The endpoint request timed out.
    4. There is an incompatible output returned from a Lambda proxy integration backend.
    • Correct Answer: 4
    • Amazon API Gateway Lambda proxy integration is a simple, powerful, and nimble mechanism to build an API with a setup of a single API method. The Lambda proxy integration allows the client to call a single Lambda function in the backend. The function accesses many resources or features of other AWS services, including calling other Lambda functions.
    • In Lambda proxy integration, when a client submits an API request, API Gateway passes the raw request as-is to the integrated Lambda function, except that the order of the request parameters is not preserved. This request data includes the request headers, query string parameters, URL path variables, payload, and API configuration data. The configuration data can include current deployment stage name, stage variables, user identity, or authorization context (if any). The backend Lambda function parses the incoming request data to determine the response that it returns.
    • For API Gateway to pass the Lambda output as the API response to the client, the Lambda function must return the result in the following JSON format:
      {
        "isBase64Encoded": true|false,
        "statusCode": httpStatusCode,
        "headers": { "headerName": "headerValue", ... },
        "body": "..."
      }
    • Since the Lambda function returns the result in XML format, it will cause the 502 errors in the API Gateway. Hence, the correct answer is that there is an incompatible output returned from a Lambda proxy integration backend.
    • The option that says: The API name of the Amazon API Gateway proxy is invalid is incorrect because there is nothing wrong with its MyAPI name.
    • The option that says: There has been an occasional out-of-order invocation due to heavy loads is incorrect. Although this is a valid cause of a 502 error, the issue is most likely caused by the Lambda function’s XML response instead of JSON.
    • The option that says: The endpoint request timed out is incorrect because this will likely result in 504 errors and not 502s.
    • References:
      https://aws.amazon.com/premiumsupport/knowledge-center/malformed-502-api-gateway/
      https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#api-gateway-simple-proxy-for-lambda-output-format
      https://docs.aws.amazon.com/apigateway/api-reference/handling-errors/
    • Note: This question was extracted from our AWS Certified Developer Associate Practice Exams.
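
The failure in Question 2, as an added example (not code from Tutorials Dojo or AWS): a handler that returns raw XML beside one that carries the same XML in the proxy response envelope, with a local check to run before deployment. The handler names, the sample XML and `proxy_response_problems` are hypothetical; the check mirrors the format shown above and is not API Gateway's own validation logic.

```python
import json

XML_RESULT = "<order><id>42</id><status>shipped</status></order>"  # constructed sample


def handler_broken(event, context):
    # Returns the XML document directly: works when invoked on its own,
    # but is not the JSON envelope a Lambda proxy integration expects.
    return XML_RESULT


def handler_fixed(event, context):
    # Same XML payload, carried as the string "body" of the envelope.
    return {
        "isBase64Encoded": False,
        "statusCode": 200,
        "headers": {"Content-Type": "application/xml"},
        "body": XML_RESULT,
    }


def proxy_response_problems(result):
    """List the ways `result` departs from the proxy output format (empty = OK)."""
    if not isinstance(result, dict):
        return [f"top level is {type(result).__name__}, expected a JSON object"]
    problems = []
    status = result.get("statusCode")
    if isinstance(status, bool) or not isinstance(status, int):
        problems.append("statusCode must be an integer HTTP status")
    if "body" in result and not isinstance(result["body"], str):
        problems.append("body must be a string (json.dumps structured data)")
    if not isinstance(result.get("headers", {}), dict):
        problems.append("headers must be an object of name/value pairs")
    if not isinstance(result.get("isBase64Encoded", False), bool):
        problems.append("isBase64Encoded must be true or false")
    try:
        json.dumps(result)
    except (TypeError, ValueError):
        problems.append("response is not JSON-serializable")
    return problems


if __name__ == "__main__":
    for handler in (handler_broken, handler_fixed):
        print(handler.__name__, proxy_response_problems(handler({}, None)))
```

Running the check in unit tests catches the malformed response before it surfaces to clients as a 502.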

    Written by: Jon Bonso

    Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
