Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It allows developers to create a unified API that acts as a gateway for multiple backend services, providing features like authentication, throttling, monitoring and documentation. The document discusses Amazon API Gateway and how it can be used with AWS Lambda to build scalable and secure APIs. It also provides a case study of how shipping company Temando used API Gateway and Lambda to migrate their monolithic architecture to a microservices approach.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Stefano Buliani – Product Manager, AWS
Geremy Davey – Chief Architect, Temando
Paul Chiu, Principal Architect, Temando
April 2016
Building scalable APIs with
Amazon API Gateway
Technical 201

2. Agenda
• What is Amazon API Gateway
• Why use Amazon API Gateway
• Amazon API Gateway and AWS Lambda
• Temando Case Study
• AWS Service Proxy

3. What is Amazon API Gateway
Internet
Mobile Apps
Websites
Services
AWS Lambda
functions
AWS
API Gateway
Cache
Endpoints on
Amazon EC2
Any other publicly
accessible endpointAmazon
CloudWatch
Amazon
CloudFront
Amazon
API Gateway

4. Why Amazon API Gateway
Create a unified API
frontend for multiple
micro-­services
DDoS protection
and throttling for
your backend
Authenticate and
authorise requests
to a backend

5. Unified Frontend

6. Unified Frontend – Migrating to AWS
InternetMobile Apps Amazon
API Gateway
On premise
web server
1. Use API Gateway in front of an on-­premise web service
2. Port the web service to AWS
3. Change integration in API Gateway to call the
new service

7. DDoS Protection and Throttling

8. DDoS and Network Protection
Internet
Mobile Apps
Websites
Services
AWS Lambda
functions
Endpoints on
Amazon EC2
Amazon
CloudFront
Amazon
API Gateway
Layer 7 and layer 3 DDoS protection
Request throttling for backend services

9. Authorisation

10. Authorisation – AWS Signature Version 4
Mobile Apps AWS Lambda LambdaHandler
API Gateway
Sigv4
Invoke with
caller credentials
Service calls are
authorised using
the IAM Role
DynamoDB

11. Authorisation – Custom authorisers in Lambda
Client
Lambda Auth
function
API Gateway
OAuth token
OAuth
provider
Policy is
evaluated
Policy is
cached
Endpoints on
Amazon EC2
Any other publicly
accessible endpoint
AWS Lambda
functions
403

12. Scalability, Out of the Box

13. Unmanaged Scalability
VPC subnet
Availability Zone A Availability Zone B
VPC subnet
Auto Scaling group
WEB WEB
Oregon
Tokyo
VPC subnet
Cleanup
loop
EC2 API
start/stop
instances
JOBS

14. Managed
Managed Scalability
InternetMobile apps
AWS Lambda
functions
AWS
API Gateway
cache
Endpoints on
Amazon EC2
Any other publicly
accessible endpoint
Amazon
CloudWatch
Amazon
CloudFront
API
Gateway
API Gateway
Other AWS
services
AWS Lambda
functions

15. Our Customers

16. Why they use Amazon API Gateway
• Running as high as 200,000 requests per second
• Migrating legacy software to AWS Lambda
• Using AWS Signature Version 4 for strong auth
• Exposing AWS managed services as their own APIs

17. API Gateway and Lambda

18. Building Secure, Scalable Backends

19. Method and Integration

20. Lambda Invocations
API Gateway
1. Receives the request
2. Authorizes the request
3. Applies mapping templates
4. Invokes Lambda function
5. Applies output mappings
6. Responds to the client

21. Input Mapping: Lambda Accepts an Event Body
#set($inputRoot = $input.path(‘$’)
{
“firstName”: “$input.params(‘firstName’)”,
“apiKey”: “$context.identity.apiKey”,
“items” : [
#foreach($elem in $inputRoot.Items)
{
“serviceName” :
“$util.escapeJavascript($elem.serviceName.S)”
,
“serviceId” : “$elem.serviceId.S”
}
#if(foreach.hasNext),#end
#end
]
}
POST: /dev/hello?firstName=Bob
{
“Items” : [
{
“serviceName” : {
“S” : “Amazon API GAteway”
},
“serviceId” : {
“S” : “ApiGateway”
}
},
{
…
}
]
}
Invoke: arn:aws:lambda:us-­east-­1:XXXXX:function:helloWorld

22. Output Mapping: Lambda Returns a Body
{
“authHeader” : “XXXXXXXXXXXXXX”,
“body” : {
“name”: “Bob”,
“dateCreated” : 132323124123
}
}
HTTP STATUS: 200
HEADER:
x-Custom-Auth : XXXXXXXXXXX
BODY:
{
“name”: “Bob”,
“dateCreated” : 132323124123
}
X-Custom-Auth:
integration.response.body.authHeader
Mapping template:
$input.json(‘$.body’)
X-Amz-Function-Error: “” HTTP STATUS: ^$
Lambda response Generated HTTP responseAPI Gateway mapping

24. -­ Over 50,000 registered users and counting
-­ Global Presence
-­ Offices in Brisbane, Sydney, San Francisco, Vietnam, France
We offer the world’s logistical resources in a single intelligent platform to
make commerce easy and universally accessible.

26. First Build
Scripting Languages and Relational Databases
are awesome!

27. Initial Architecture
Frameworks and ORM will solve all our problems!

28. Increasing Load
Load Balancing & Vertical Scaling will solve
all our problems!

29. Database Performance
Active-­Active database clustering will solve
all our problems!

32. Big AWS Band-­Aid
*.temando.com
sso.temando.com
kpi-­dashboard.temando.com
dashboard.temando.com
my.temando.com
api.temando.com
shipping.temando.com
*.temando.io
Latency Based
Routing
*.nala1.temando.io *.apac1.temando.io
CNAME
CNAME
Standard Ingress
Forced Localised
Ingress
Custom Sub-­domain
CNAME
Future Stacks*.emea1.temando.io
left.temando.io left.temando.io left.temando.io
NGINX NGINX NGINX
Future Stacks
Future Stacks
NALA1 SET APAC1 SET EMEA1 SET
MEMCAHED MEMCACHED MEMCACHED

33. Breaking the Cycle

34. Modular
Development
Micro-services
with Lambda
Service
Orientation
With API Gateway

35. Temando’s leading enterprise technology will be Magento’s
preferred method for carriers to integrate into Magento

36. API Gateway & Lambda
Demonstration
Examples of seamlessly surfacing existing functionality including authentication
with new Lambda Functionality

38. AWS Service Proxy

39. Expose AWS Services as Your Own API
1. Kinesis
• Customers collecting metrics from external developers
2. SQS
• APIs that only insert a record in a queue
3. DynamoDB
• Easy CRUD APIs with Sigv4
4. AWS IoT
• Expose device shadows as API endpoints

40. Kinesis: Configure AWS Service Proxy
1. Select AWS Service Proxy
2. Select the AWS service: Kinesis
3. HTTP method from the service API: POST
4. Set the desired action: PutRecord
5. The Execution Role can perform the action
and trusts apigateway.amazonaws.com

41. Kinesis: Transform the Request
1. Set Kinesis’ content-­type: x-­amz-­json-­1.1
2. Static values use Single Quotes: ‘value’
3. Configure Mapping Template
1. Use $util to base64 encode
2. Use $input to read incoming json
3. Static Partition and Stream Name

42. Demo

43. Takeaways
• Use API Gateway to:
1. Abstract the implementation
2. Protect your service from attacks
3. Offload authentication and authorization
• Serverless Architectures allow you to:
1. Build scalable services without managing any
infrastructure
2. Easily build micro-­services’ driven applications

44. Next steps
• Go to the API Gateway console: https://console.aws.amazon.com/apigateway/home
• Use the example API to get started quickly
• Learn more about mapping templates: http://amzn.to/1L1hSF5
• Follow the AWS compute blog for updates: http://amzn.to/1SfzoWD

45. AWS Training & Certification
Intro Videos & Labs
Free videos and labs to
help you learn to work
with 30+ AWS services
– in minutes!
Training Classes
In-­person and online
courses to build
technical skills –
taught by accredited
AWS instructors
Online Labs
Practice working with
AWS services in live
environment –
Learn how related
services work
together
AWS Certification
Validate technical
skills and expertise –
identify qualified IT
talent or show you
are AWS cloud ready
Learn more: aws.amazon.com/training

46. Your Training Next Steps:
ü Visit the AWS Training & Certification pod to discuss your
training plan & AWS Summit training offer
ü Register & attend AWS instructor led training
ü Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training

47. Thank you!