Skip to Content

API Gateway & HTTP APIs

When to use

Expose HTTP endpoints, validate requests, throttle callers, integrate with Lambda or backend services.

Analogy

API Gateway is the front desk of an office building; visitors talk to the desk, not directly to employees.

Data-flow diagram

  Client --HTTPS--> API GW
                      - authentication (Cognito/IAM/Lambda authorizer)
                      - request validation (schema)
                      - throttling (RPS / Quota)
                      - request/response transforms
                      v
                 Backend integration (Lambda, ALB, EKS)

Deep explanation

Two flavours: REST API (feature-rich, request/response transforms, canary) and HTTP API (cheaper, faster, JWT/OIDC, basic). Both integrate with Lambda, ALB, ECS, or any HTTP backend. Throttling caps requests/sec (default 10000 burst, 5000 steady for REST; 200 burst / 100 steady for HTTP). Custom domain via ACM. Authorizers (Lambda or IAM) check tokens/JWTs. Lambda Proxy integration = you must construct the response shape.

Examples

Example 1

aws apigatewayv2 create-api --name myapi --protocol-type HTTP

creates an HTTP API (v2) - 70% cheaper than REST API for simple cases.

Example 2

aws apigatewayv2 create-integration --api-id abc123 \
  --integration-type AWS_PROXY \
  --integration-uri arn:aws:lambda:us-east-1:...:function:myfn
aws apigatewayv2 create-route --api-id abc123 \
  --route-key 'POST /orders' --target integrations/abc

creates AWS_PROXY integration to Lambda and routes POST /orders to it.

Example 3

aws apigatewayv2 create-stage --api-id abc123 --stage-name '$default' \
  --default-route-settings throttling_burst_limit=200,throttling_rate_limit=100

configures throttling: 200 burst, 100 RPS steady per stage.

Common mistake

No throttling -> bill spike during abuse. Missing authorizer -> data leak. Not returning proper CORS headers. Forgetting that Lambda Proxy integration means YOU construct the response shape.

Key takeaway

HTTP API for new projects; always throttle; configure custom domain with ACM; usage plans for B2B partners; CloudWatch logs; integrate with WAF for OWASP top-10.

Production Failure Playbook

Failure scenario 1: no-throttle-abusive-client

Failure scenario 2: no-auth-on-admin