Expose HTTP endpoints, validate requests, throttle callers, integrate with Lambda or backend services.
API Gateway is the front desk of an office building; visitors talk to the desk, not directly to employees.
Client --HTTPS--> API GW
- authentication (Cognito/IAM/Lambda authorizer)
- request validation (schema)
- throttling (RPS / Quota)
- request/response transforms
v
Backend integration (Lambda, ALB, EKS)
Two flavours: REST API (feature-rich, request/response transforms, canary) and HTTP API (cheaper, faster, JWT/OIDC, basic). Both integrate with Lambda, ALB, ECS, or any HTTP backend. Throttling caps requests/sec (default 10000 burst, 5000 steady for REST; 200 burst / 100 steady for HTTP). Custom domain via ACM. Authorizers (Lambda or IAM) check tokens/JWTs. Lambda Proxy integration = you must construct the response shape.
aws apigatewayv2 create-api --name myapi --protocol-type HTTP
creates an HTTP API (v2) - 70% cheaper than REST API for simple cases.
aws apigatewayv2 create-integration --api-id abc123 \
--integration-type AWS_PROXY \
--integration-uri arn:aws:lambda:us-east-1:...:function:myfn
aws apigatewayv2 create-route --api-id abc123 \
--route-key 'POST /orders' --target integrations/abc
creates AWS_PROXY integration to Lambda and routes POST /orders to it.
aws apigatewayv2 create-stage --api-id abc123 --stage-name '$default' \
--default-route-settings throttling_burst_limit=200,throttling_rate_limit=100
configures throttling: 200 burst, 100 RPS steady per stage.
No throttling -> bill spike during abuse. Missing authorizer -> data leak. Not returning proper CORS headers. Forgetting that Lambda Proxy integration means YOU construct the response shape.
HTTP API for new projects; always throttle; configure custom domain with ACM; usage plans for B2B partners; CloudWatch logs; integrate with WAF for OWASP top-10.