1.2 Amazon API Gateway

Key Takeaways

  • REST APIs offer the full feature set (usage plans/API keys, VTL mapping templates, response caching, AWS WAF, edge-optimized endpoints); HTTP APIs are ~70% cheaper, lower-latency, with built-in JWT/OIDC auth.
  • Lambda proxy integration passes the raw request through and expects a {statusCode, headers, body} response; non-proxy integration uses VTL mapping templates inside API Gateway.
  • Throttling uses a token-bucket model (steady rate + burst); exceeding limits returns HTTP 429 Too Many Requests, and usage plans tie API keys to per-tier rate and quota.
  • Authorizers can be IAM (SigV4), Cognito user pool (JWT), or a Lambda authorizer returning an IAM policy; API keys identify and meter callers, they do not authenticate.
  • CORS must be enabled for cross-origin browser calls so API Gateway answers the OPTIONS preflight with Access-Control-* headers; caching is per-stage with a TTL.
Last updated: June 2026

What API Gateway Does

Amazon API Gateway publishes, secures, and scales HTTP and WebSocket APIs that front Lambda functions, public HTTP endpoints, or other AWS services through direct service integrations. It handles authorization, throttling, caching, request validation, and traffic management so your backend stays thin. On the DVA-C02 exam, nearly every API Gateway item is a service-selection or troubleshooting scenario — a cross-origin failure, tiered rate limits, deciding who authenticates the caller, or transforming the payload without touching backend code.

REST vs HTTP vs WebSocket

API Type      | Best For                | Key facts
REST API      | Full features           | Usage plans/API keys, VTL request/response transformation, response caching, AWS WAF, edge-optimized/regional/private endpoints, request validation
HTTP API      | Cost-sensitive proxies  | ~70% lower cost and lower latency, native JWT/OIDC and Lambda authorizers, automatic deployments; no API keys/usage plans, no caching
WebSocket API | Bidirectional, stateful | Routes by message content ($connect, $disconnect, custom); chat, live dashboards, push notifications

The selection rule: choose HTTP API for simple, low-cost Lambda/HTTP proxy APIs; choose REST API when you need its advanced features such as API keys, caching, WAF, or VTL mapping; choose WebSocket API only when you need persistent two-way connections.

Proxy vs Non-Proxy Integration

  • Lambda proxy integration passes the entire raw HTTP request to the function as a structured event and expects the function to return the exact shape { "statusCode": 200, "headers": {...}, "body": "..." }. All mapping lives in your code — simple and flexible. A common bug: returning a raw object instead of a JSON-stringified body, which yields a 502 Bad Gateway ("malformed Lambda proxy response").
  • Non-proxy (custom) integration uses mapping templates written in Velocity Template Language (VTL) inside API Gateway to transform requests and responses, rename fields, and inject values. This decouples the public API contract from the backend so you can reshape JSON without redeploying the function.
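The proxy response contract above, as an added example (not code from the page or from AWS): a Lambda proxy handler that returns the required shape, the buggy variant that returns an unstringified body, and a small checker that approximates the malformed-response test API Gateway applies before it answers the client. The checker is a constructed approximation of the gateway's behaviour, not the service's own logic.

```python
import json


def handler(event, context):
    """Lambda proxy integration handler (added example).

    API Gateway hands the whole HTTP request to the function as `event` and
    expects exactly {statusCode, headers, body} back, with body as a string.
    """
    params = event.get("queryStringParameters") or {}
    payload = {"message": f"hello {params.get('name', 'world')}",
               "path": event.get("path")}
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(payload),  # must be a string; a dict here yields 502
    }


def buggy_handler(event, context):
    """The common mistake: body is a raw object instead of a JSON string."""
    return {"statusCode": 200, "body": {"message": "hello"}}


def check_proxy_response(resp):
    """Approximate API Gateway's malformed-proxy-response check.

    Returns the status the client would see: the handler's own statusCode
    when the shape is valid, otherwise 502 Bad Gateway. Constructed
    approximation; header values and body must be strings.
    """
    if not isinstance(resp, dict):
        return 502
    status = resp.get("statusCode")
    if not isinstance(status, int) or isinstance(status, bool):
        return 502
    body = resp.get("body", "")
    if body is not None and not isinstance(body, str):
        return 502
    headers = resp.get("headers") or {}
    if not isinstance(headers, dict):
        return 502
    if any(not isinstance(v, str) for v in headers.values()):
        return 502
    return status


if __name__ == "__main__":
    # Constructed sample event, trimmed to the fields the handler reads.
    sample_event = {"path": "/hello", "queryStringParameters": {"name": "dev"}}
    print(check_proxy_response(handler(sample_event, None)))        # 200
    print(check_proxy_response(buggy_handler(sample_event, None)))  # 502
```

When a deployed function returns the buggy shape, the execution log for the stage records the malformed response; the client only ever sees the 502, which is why the log is the place to look first.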

Stages, Throttling, and Usage Plans

A stage (for example dev, test, prod) is a named deployment snapshot of an API with its own settings, variables, logging, and throttling. Stage variables let one stage point at a dev Lambda alias and another at prod. Throttling uses a token-bucket model — a steady-state rate (requests per second) plus a burst (bucket capacity) — and returns HTTP 429 Too Many Requests when callers exceed it. There is an account-level default, per-stage, per-method, and per-client (usage plan) throttling, applied from broadest to most specific.

Usage plans associate API keys with specific rate and quota (for example, 1,000 requests per day) so you can meter and tier consumers. The critical exam distinction: an API key identifies and meters a caller; it does not authenticate the caller. Authentication is the authorizer's job.

Authorizers

Authorizer        | How it works                                                                              | Typical use
IAM authorization | Callers sign requests with SigV4; API Gateway checks IAM policy                           | Service-to-service, internal AWS callers
Cognito user pool | Validates a JWT (ID/access token) from a user pool                                        | App users signed in via Cognito
Lambda authorizer | Your function runs custom logic (TOKEN or REQUEST) and returns an IAM policy plus optional context | Third-party tokens, custom headers, OAuth

Lambda authorizer results can be cached by token for a configurable TTL to cut invocations.
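A TOKEN-type Lambda authorizer, as an added example (not code from the page or from AWS). It reads `authorizationToken` and `methodArn` from the event, verifies the token, and returns the `principalId` / `policyDocument` / `context` shape API Gateway expects; an invalid token raises `Exception("Unauthorized")`, which API Gateway turns into a 401. The token format (`sub:tier:exp:mac`) and the HMAC key are constructed stand-ins for the JWT and public-key verification you would really do; the `now` parameter exists only so the example runs with a fixed clock.

```python
import hashlib
import hmac
import time

# Constructed shared secret standing in for a real signing key / JWKS.
SECRET = b"example-shared-secret-do-not-use"


def mint_token(subject: str, tier: str, expires_at: int) -> str:
    """Issue a demo token 'sub:tier:exp:mac' (constructed format, not a JWT)."""
    msg = f"{subject}:{tier}:{expires_at}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{subject}:{tier}:{expires_at}:{mac}"


def verify_token(token: str, now: int):
    """Return the claims dict for a valid, unexpired token, else None."""
    try:
        subject, tier, exp, mac = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{subject}:{tier}:{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare
        return None
    if int(exp) <= now:
        return None
    return {"sub": subject, "tier": tier}


def build_policy(principal_id: str, effect: str, resource: str, context=None):
    """The response shape API Gateway requires from a Lambda authorizer."""
    doc = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,          # "Allow" or "Deny"
                "Resource": resource,
            }],
        },
    }
    if context:
        doc["context"] = context           # string/number/bool values only
    return doc


def handler(event, context, now=None):
    """TOKEN authorizer entry point (now= is for deterministic testing)."""
    now = int(time.time()) if now is None else now
    raw = event.get("authorizationToken", "")
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    claims = verify_token(token, now)
    if claims is None:
        raise Exception("Unauthorized")   # API Gateway answers 401
    effect = "Allow" if claims["tier"] in PLAN_TIERS else "Deny"
    return build_policy(claims["sub"], effect, event["methodArn"],
                        {"tier": claims["tier"]})


PLAN_TIERS = {"free", "premium"}   # constructed set of tiers allowed to invoke
```

Because API Gateway caches the returned policy keyed by the token for the configured TTL, the `Resource` in the policy should cover every method that token is expected to call (a wildcard over the API's stage is common); a policy scoped to the single `methodArn` of the first request will be replayed from cache and deny the same token on other methods until the TTL expires.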

Caching and CORS

Enable per-stage response caching with a TTL (default 300 s, 0-3,600 s) to cut backend calls; it is billed by cache size and supports cache-key parameters and per-method invalidation. For browsers calling a different origin, configure CORS (Cross-Origin Resource Sharing) so API Gateway answers the preflight OPTIONS request with Access-Control-Allow-Origin, -Methods, and -Headers. A request that works in curl but fails in the browser with a preflight error is the textbook CORS symptom, because curl ignores CORS while browsers enforce it.
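The CORS behaviour just described, as an added example (not code from the page or from AWS): a Lambda proxy handler that answers the OPTIONS preflight itself and also attaches the Access-Control-* headers to the real GET response, since with proxy integration nothing else adds them. The origin allow-list is a constructed value; echoing a vetted origin back (with `Vary: Origin`) is used here instead of a `*` wildcard so the same handler works when credentials are involved.

```python
import json

# Constructed allow-list; a production value comes from configuration.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = "GET,POST,OPTIONS"
ALLOWED_HEADERS = "Content-Type,Authorization"


def cors_headers(origin: str) -> dict:
    """Headers to attach when `origin` is on the allow-list, else nothing."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Vary": "Origin",        # caches must key on the echoed origin
    }


def handler(event, context):
    """Proxy handler that serves both the preflight and the real request."""
    # Header names arrive as sent; normalise so 'Origin' and 'origin' match.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    cors = cors_headers(headers.get("origin", ""))
    method = event.get("httpMethod", "GET")

    if method == "OPTIONS":
        # Preflight: no backend work, just the policy answer. A browser whose
        # origin is not allowed gets 204 with no Access-Control-* headers and
        # blocks the real request itself.
        return {"statusCode": 204, "headers": cors, "body": ""}

    body = json.dumps({"ok": True, "method": method})
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json", **cors},
        "body": body,
    }


if __name__ == "__main__":
    preflight = {"httpMethod": "OPTIONS",
                 "headers": {"Origin": "https://app.example.com",
                             "Access-Control-Request-Method": "GET"}}
    print(handler(preflight, None)["headers"])
```

This is also why a curl request to the same URL succeeds while the browser fails: curl never sends the preflight and ignores the missing headers, so the server-side fix (answering OPTIONS and adding the headers) is invisible from the command line.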

Request Validation, Logging, and Custom Domains

REST APIs can perform request validation against a JSON Schema model to reject malformed bodies, query strings, or headers before they ever reach your backend, saving Lambda invocations and cost. Enable CloudWatch access logs and execution logs per stage to troubleshoot integration latency and errors, and turn on X-Ray tracing to follow a request from API Gateway through Lambda to DynamoDB. For production you typically attach a custom domain name with an ACM TLS certificate and map base paths (/v1, /v2) to stages, so consumers see a stable branded URL rather than the default execute-api endpoint.
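Request validation against a model, as an added example (not code from the page or from AWS): a JSON Schema draft-04 model of the kind you register on a REST API, and a small validator that implements just the keywords that model uses, returning the 400 gateway response for a rejected body and `None` when the request may proceed to the integration. The model, field names and the subset of draft-04 covered here are constructed for the example; in the real service the validator runs inside API Gateway and you only configure the model and the request validator.

```python
import json

# Constructed model in the draft-04 dialect API Gateway models use.
ORDER_MODEL = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "CreateOrder",
    "type": "object",
    "required": ["sku", "quantity"],
    "properties": {
        "sku": {"type": "string", "minLength": 1},
        "quantity": {"type": "integer", "minimum": 1},
    },
    "additionalProperties": False,
}

_TYPES = {"string": str, "integer": int, "number": (int, float),
          "boolean": bool, "object": dict, "array": list}


def _check(value, schema) -> bool:
    """Minimal draft-04 subset: type, required, properties,
    additionalProperties, minLength, minimum."""
    t = schema.get("type")
    if t:
        if isinstance(value, bool) and t in ("integer", "number"):
            return False          # bool is an int in Python, not in JSON
        if not isinstance(value, _TYPES[t]):
            return False
    if t == "object":
        if any(key not in value for key in schema.get("required", [])):
            return False
        props = schema.get("properties", {})
        for key, sub in props.items():
            if key in value and not _check(value[key], sub):
                return False
        if schema.get("additionalProperties", True) is False \
                and set(value) - set(props):
            return False
    if t == "string" and len(value) < schema.get("minLength", 0):
        return False
    if t in ("integer", "number") and "minimum" in schema \
            and value < schema["minimum"]:
        return False
    return True


def validate_body(raw_body, model=ORDER_MODEL):
    """Return the 400 response API Gateway sends when validation fails,
    or None when the body passes and the integration is invoked."""
    try:
        body = json.loads(raw_body)
    except (TypeError, ValueError):
        body = None
    if body is None or not _check(body, model):
        return {"statusCode": 400,
                "body": json.dumps({"message": "Invalid request body"})}
    return None


if __name__ == "__main__":
    print(validate_body('{"sku": "A1", "quantity": 2}'))      # None
    print(validate_body('{"sku": "A1", "quantity": "2"}'))    # 400 response
```

Each rejected request here never reaches Lambda, which is the cost saving the paragraph refers to; the trade-off is that the backend still has to validate anything the schema cannot express (cross-field rules, business limits), so model validation is a first filter rather than the only one.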

Latency, WAF, and Common Traps

Edge-optimized REST endpoints route through CloudFront for global callers; choose regional endpoints when callers are in-region or when you front the API with your own CloudFront distribution, and private endpoints (interface VPC endpoint) for internal-only APIs. Attach AWS WAF to a REST API stage to block SQL injection, cross-site scripting, and rate-based floods. Watch these traps on the exam: a 502 from a proxy integration almost always means the function returned the wrong response shape; a 429 means throttling, not a code bug; and an API key by itself authorizes nothing without a usage plan.

Also remember HTTP APIs do not support API keys, usage plans, or response caching — if a scenario needs those, it must be a REST API.

Test Your Knowledge

1. A browser-based single-page app calls an API Gateway REST API on a different domain. The GET request succeeds with curl but fails in the browser with a preflight error. What is the most likely fix?

2. A team wants tiered access where 'free' customers get 100 requests/second and 'premium' customers get 1,000, with each customer identified by a key. Which feature combination delivers this on a REST API?

3. Developers need request and response payloads transformed (rename fields, reshape JSON) inside API Gateway without changing backend code. Which integration type supports this?