JONHNL

API Gateway: Your Front Door to the Cloud

Application Programming Interfaces (APIs): Act as a bridge between different software applications, enabling them to communicate, exchange data, and share functionality efficiently.

APIs foster innovation by providing standardized ways to access features like geolocation, payments, or social logins. Businesses can deliver richer user experiences more quickly.

AWS API Gateway is a fully managed service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale. It serves as a "front door" for applications to connect with backend services such as Lambda, EC2, ECS, or web apps.

🔐 Security First: Protect your endpoints with authentication, authorization, and throttling..
⚡ Scalability: Seamlessly handle thousands of requests.
🌐 Universal Access: Expose services reliably to apps, devices, and users worldwide.

Let’s dive in

History of APIs

1951: Early API concept introduced in “The Preparation of Programs for an Electronic Digital Computer.” published by Maurice Wilkes and David Wheeler
1964: APIs connect mainframes to terminals and printers.
1974: The term "API" formally introduced in a paper by C. J. Date.
1980s: Remote Procedure Calls (RPCs) expand API use.
1990s: APIs enable internet-based communication.
2000s: REST APIs popularized by Roy Fielding.
2010s: APIs dominate social media and microservices architectures.
2020s: APIs drive IoT, distributed systems, and AI integration.

API Architecture Styles

1. SOAP (Simple Object Access Protocol)

What: XML-based, secure, reliable.
Best for: Financial services.
Avoid if: You need lightweight APIs.

2. REST (Representational State Transfer)

What: HTTP-based, widely adopted.
Best for: Most web services.
Avoid if: Complex relationships or real-time updates are needed.

3. GraphQL

What: Query language, flexible data fetching.
Best for: Complex, interconnected data.
Avoid if: You want simple requests without overhead.

4. gRPC (Remote Procedure Call)

What: High-performance, uses Protocol Buffers.
Best for: Microservices where speed matters.
Avoid if: You need broad browser support.

5. WebSocket

What: Real-time, two-way communication.
Best for: Chat, gaming, dashboards.
Avoid if: Request-response is enough.

6. Webhook

What: Event-driven callbacks.
Best for: Notifications & integrations.
Avoid if: You need synchronous responses.

AWS API Gateway Features

API Creation & Management: REST, HTTP, and WebSocket APIs are avaiable to use in AWS.
Request Handling: Route traffic to backends.
Security: IAM, Cognito, custom authorizers.
Traffic Management: Throttling & usage plans.
Monitoring: CloudWatch metrics & logging.
Caching: Reduce latency with cached responses.
Versioning: Support multiple API versions.
Integrations: Works with Lambda, S3, DynamoDB, and more.
Cost-effective: Pay only for usage.

Create Your First API Gateway

Create a Lambda Function: In AWS Lambda → Create Function (use "Author from scratch") → Function name: JONHNL-Function → Runtime: Python 3.13 (Use any langauge that you're comfortable with). → Architecture: x86_64. → Create function → Give it 1 to 2 minutes to create

Test Lambda: Paste the code below in the "code" section of your Lambda function, then deploy → Look for the "test" tab → Clear the JSON, but keep the curly brackets (keeping the curly brackets makes this a valid syntax) → That should be sucessful, you should see "Hello, World! Your request was successful".

import json

def lambda_handler(event, context):
	# Sets "World" as the default name, in case no input is given.
	name = "World"
	#If the request includes query parameters, it looks for "name".
	if event.get('queryStringParameters'):
		name = event.get('queryStringParameters').get('name', name)

	#Friendly message with the chosen name.  A "status": "success" field.
	response_data = {
		"message": f"Hello, {name}! Your request was successful.",
		"status": "success"
	}
	#Returns a valid API Gateway Lambda Proxy Integration response:
	return {
		"statusCode": 200,
		"headers": {"Content-Type": "application/json"},
		"body": json.dumps(response_data)
	}

Configure API Gateway: In AWS API Gateway create HTTP API → API name: test → Aside from the name, keep all Default settings and Create.
Attach Lambda: You should still be in AWS API Gateway → Create GET route → Attach Integration → Select Lambda (Our Lambda function is named "JONHNL").
Access the API: Copy the Invoke URL, paste in browser.
Verify with Developer Tools: In your browser, go to Developer Tools → Check network requests and response codes.

We are able to a web browser to test GET request you'll need to ese Postman to validate POST, PUT, PATCH requests that require payloads (Download Postman here). It is also worth noting in AWS API Gateway you'll notice "Stages". In our lab we are working with 1 Stage where "Automatic Deployment" is enabled. Think of Stages as different enviorments for your APIs. Automatic Deployment on the other hand will use the latest integration that is mapped to the route. When you start to have multiple APIs you'll want to segment these out. In a real enviorment its a good idea to have atleast Dev, Test, and Production Stages.

Proxy vs Non-Proxy Integration

1. Lambda Proxy Integration (Default)

API Gateway passes the full request to Lambda. Flexible, but Lambda must handle everything. We created this in our first tutorial.

2. Lambda Non-Proxy Integration

API Gateway maps the request before sending to Lambda. Cleaner for strict contracts, but requires VTL mapping templates. Lets build a Non-Proxy function.

Testing Non-Proxy Integration

Create a Lambda Function: Name: Non-Proxy-Function, Runtime: Python 3.13.

Deploy Lambda Code: Paste provided code, deploy.

import json

def lambda_handler(event, context):
	# 1. Try to pull "name" directly from the event
	name = event.get ('name')
	
	# 2. If "name" wasn't found at the top level,look for it inside query string parameters
	if not name:
		params = event.get('queryStringParameters', {})
		# Default to "World" if still not found
		name = params.get ('name', 'World')
		
	# 3. Return an HTTP response
	return {
		"statusCode": 200,
		"body": f"Hello, {name}!"
	}

Test Lambda: Send event {"name":"JONHNL"}.
Create REST API: In API Gateway → Name: non-proxy-api → Create Resource → POST method → Attach Lambda (non-proxy).
Edit Method Request: Require name query param.

Edit Integration Request: In API Gateway → "Edit" Integration Request → Add VTL to mapping template:

#set($originalParam = $input.params('name'))
#set($prefix = "non_proxy_")
#if(!$originalParam.startsWith($prefix))
#set ($originalParam = $prefix + $originalParam)
#end
{
	"name": "$originalParam"
}

Deploy API: Deploy to stage.
Test with Postman: Send POST with name param.

There are a couple of things we should cover. 1. When should we use non-proxy APIs? When you want to integrate with legacy systems or AWS services directly or when you need API Gateway to do transformation work, instead of pushing it into your backend code. 2. Velocity Template Language (VTL), t’s a lightweight scripting language used in API Gateway mapping templates. It reshapes data going into or out of your API.

Validators (REST APIs)

AWS API Gateway has a feature called Validators, which can only be used for REST APIs. While HTTP APIs offer advantages like being lighter and 71% less expensive than REST APIs, they lack support for request validation. Request validators in API Gateway (REST APIs) let the gateway reject bad requests before they hit your backend. For example, if you want to pass information that requires and email address and a phone number we'll use a validator to valid the format is correct before passing it to the backend.

Create REST API In AWS API Gateway create a REST API → API Name: validator-api → Create API
Create Resource Create resource → Resource Name: validator-api-resource → Create resource
Create Method Create resource → Method type: POST → Integration type: Lambda → For this example we will use our existing "Non-Proxy-Function" → Create method

Create Model In your API within API Gateway → Look for "Models", create model → Name: "Requestvalidator" → Content type: "application/json" → Model schema: copy the code below

{
	"$schema": "http://json-schema.org/draft-04/schema#",
	"title": "RequestModel",
	"type": "object",
	"required": ["name", "email", "mobile-number"],
	"properties": {
		"name": { "type": "string", "minLength": 1 },
		"email": { "type": "string", "format": "email" },
		"mobile-number": { "type": "integer", "minimum": 1000000000, "maximum": 9999999999 }
	},
	"additionalProperties": false
	}

Edit Method Request Set Request validator: "validate body, query string parameters, and headers" → Request body set Content type: "application/json" and select our model "Requestvalidator" → Click "Save" → Deploy API → Select Stage
Verify Validator Copy "Invoke URL" from validator-api → Test POST request in Postman → Select "Body" → Select "RAW" → Select "JSON" → Below is the request body you can experiment with
```
"name": "JONHNL"
"email": "jon@JONHNL.com"
"mobile-number": "7778889999"
									
```

Authorizers

Authorizers act as a first line of defense for securing API endpoints by verifying that incoming requests are authorized before they reach the backend services. When a request is made to an endpoint protected by an authorizer, API Gateway first sends the request to the authorizer for validation; only if the request passes the authorizer's checks is it forwarded to the backend service, otherwise, it is denied.

Create Lambda Authorizer In AWS Lambda, create function → Function name: "Lambdaauthorizer" → Runtime: Python 3.13 → Create function

Update Lambda Code Copy the below code snippet into your lambda function → After, Deploy.

import json

def generate_policy(principal_id, effect, resource):
	return {
		"principalId": principal_id,
		"policyDocument": {
			"Version": "2012-10-17",
			"Statement": [{
				"Action": "execute-api:Invoke",
				"Effect": effect,
				"Resource": resource
			}]
		}
	}

def lambda_handler(event, context):
	token = event['authorizationToken']
	valid_token = "SKVoi4XjSynnN5LEc8ZtQDtiaA4tj4f277OG1HdwzVr0NovyC7k2aoSHRi"

	if token == "Bearer mysecrettoken":
		return generate_policy("user", "Allow", method_arn)
	else:
		return generate_policy("user", "Deny", method_arn)

Choose API In AWS API Gateway select an API, we will use "validator-api"

Create Authorizer In our API, Create an Authorizer → Authorizer name: Authorizerforvalidator → Authorizer type: "Lambda" → Select our lambda Authorizer "Lambdaauthorizer" → Specify Token Source: "authorizationToken" → Create Authorizer

Validate Authorizer In AWS API Gateway Authorizer section "test Authorizer" → Enter token value: SKVoi4XjSynnN5LEc8ZtQDtiaA4tj4f277OG1HdwzVr0NovyC7k2aoSHRi → You should see a status code of 200 and effect allow

Edit Method Request In Method Request, select our Lambda Authorizer → Click Save. → Deploy API to our stage

Experiment in Postman Experiemnt in postman with different values

Congratulations

You’ve now built both Proxy, Non-Proxy API, created a validator and authorizer in AWS using Lambda and API Gateway!

Jon Yoshikawa

Honolulu, Hawaii

Cloud and Healthcare IT