
API Gateway & REST APIs

Difficulty: medium

Overview


Amazon API Gateway is a fully managed service for creating, publishing, and securing APIs.

API Types:

  • REST API: Full-featured. Supports stages, usage plans, caching, throttling, X-Ray.
  • HTTP API: Lower latency, 71% cheaper. Supports OIDC/JWT, Lambda, HTTP backends. Does NOT support API keys, usage plans, per-method throttling.
  • WebSocket API: Persistent bidirectional connections. Routes by routeSelectionExpression.

Integration Types:

  • Lambda Proxy: Request/response passed as-is. Lambda returns formatted response.
  • Lambda Custom (Non-Proxy): Transform request/response with VTL mapping templates.
  • AWS Service: Directly invoke SQS, DynamoDB, etc. without Lambda.
  • Mock: Return fixed response without backend.

Stages & Deployments: Changes take effect only after the API is deployed to a stage. Stage variables act as environment variables for API Gateway (for example, pointing to different Lambda aliases per stage).

Throttling: Default 10,000 req/sec burst, 5,000 req/sec steady state. Returns 429 Too Many Requests.

Authorization:

  • IAM Auth: Sign requests with SigV4. For service-to-service.
  • Cognito Authorizer: Validate JWT tokens. No custom code.
  • Lambda Authorizer: Token-based or request-based. Returns IAM policy. Cacheable.

Caching: Per-stage. TTL 0–3,600s (default 300s). Invalidate with Cache-Control: max-age=0.

Practice Linked Questions


easy

Q1. A developer needs to expose a Lambda function via API Gateway with the lowest possible latency and cost. The API does not need API keys, usage plans, or per-method throttling. Which API type should the developer choose?



medium

Q2. An API Gateway REST API is experiencing occasional 429 Too Many Requests errors under burst traffic. The developer wants to protect the backend Lambda function while still serving as many requests as possible. Which API Gateway feature should the developer configure?



medium

Q3. A developer configures an API Gateway Lambda proxy integration. The Lambda function returns the following object: `{ "statusCode": 200, "body": "Hello" }`. After deployment, all API calls return a 502 Bad Gateway error. What is the most likely cause?



medium

Q4. A developer needs to validate incoming API requests before they reach the Lambda backend. The validation should check that required query string parameters and headers are present. Which API Gateway feature accomplishes this with no Lambda code changes?



easy

Q5. A mobile app calls API Gateway with valid JWT tokens issued by Amazon Cognito User Pools. The developer wants API Gateway to verify these tokens automatically without writing a custom Lambda authorizer. Which authorizer type should be configured?



hard

Q6. An API Gateway stage has caching enabled with a 5-minute TTL. A developer needs certain requests (those with a specific header) to always bypass the cache. What should the developer configure?



medium

Q7. A developer needs API Gateway to transform an incoming XML request body into JSON before forwarding it to a Lambda function. The Lambda function only understands JSON. Which API Gateway feature should be used?

