Of the different API gateways offered by AWS, which option fits your needs?
An API Gateway is “a server that acts as an API front-end, receives API requests, enforces throttling and security policies, passes requests to the back-end service, and then passes the response back to the requester.”
AWS offers five different types of API Gateways:
- API Gateway REST API
- API Gateway HTTP API
- API Gateway WebSocket API
- AppSync
- Application Load Balancer (ALB)
Typically, an API Gateway forwards requests to Lambda, DynamoDB, a load balancer (ELB), or even on-premises or third-party endpoints.
API Gateway REST API
The most mature API gateway option is API Gateway REST API, the full-featured flagship service for building REST APIs, which has been available since 2015. As the name implies, the service is about building RESTful web services, probably the most popular API style these days.
A feature that makes API Gateway REST API stand out from the crowd is user/tenant-based throttling, which allows you to limit the number of requests per user or tenant. This is important when building APIs for a Software-as-a-Service business or any other scenario where 3rd parties interact with your API.
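To make the throttling semantics concrete, the following added example (not code from the article and not AWS's own implementation) models a REST API usage plan as a token bucket per API key: each tenant gets a sustained rate and a burst, requests beyond that are answered with 429, and a request without a known key is rejected with 403. The plan values and request timeline are constructed for the demonstration.

```python
"""Per-tenant throttling modelled on API Gateway REST API usage plans.

Added example. A usage plan attaches a rate (requests per second) and a
burst (maximum concurrent allowance) to an API key. Here the same idea is
reproduced locally as a token bucket so the behaviour can be observed
offline; the plan names and numbers below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class UsagePlan:
    rate: float  # sustained requests per second (bucket refill speed)
    burst: int   # bucket size: how many requests may arrive at once


@dataclass
class _Bucket:
    tokens: float
    last: float


class TenantThrottle:
    """One token bucket per tenant (API key).

    Unknown tenants are rejected outright, which mirrors a request that
    carries no valid x-api-key on a stage protected by a usage plan.
    """

    def __init__(self, plans: dict[str, UsagePlan]):
        self.plans = plans
        self.buckets: dict[str, _Bucket] = {}

    def check(self, tenant: str, now: float) -> int:
        """Return an HTTP status: 200 allowed, 429 throttled, 403 unknown key."""
        plan = self.plans.get(tenant)
        if plan is None:
            return 403
        bucket = self.buckets.get(tenant)
        if bucket is None:
            # A new tenant starts with a full burst allowance.
            bucket = _Bucket(tokens=float(plan.burst), last=now)
            self.buckets[tenant] = bucket
        # Refill in proportion to elapsed time, never beyond the burst size.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(float(plan.burst), bucket.tokens + elapsed * plan.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return 200
        return 429


def simulate(requests: list[tuple[str, float]],
             plans: dict[str, UsagePlan]) -> dict[str, list[int]]:
    """Run a timeline of (tenant, timestamp) requests; return statuses per tenant."""
    throttle = TenantThrottle(plans)
    outcome: dict[str, list[int]] = {}
    for tenant, now in requests:
        outcome.setdefault(tenant, []).append(throttle.check(tenant, now))
    return outcome


# Constructed sample plans and traffic: tenant-a bursts past its allowance
# at t=0, recovers one token after a second, and tenant-b is unaffected.
SAMPLE_PLANS = {
    "tenant-a": UsagePlan(rate=1.0, burst=2),
    "tenant-b": UsagePlan(rate=10.0, burst=5),
}
SAMPLE_REQUESTS = [
    ("tenant-a", 0.0), ("tenant-a", 0.0), ("tenant-a", 0.0),
    ("tenant-b", 0.0),
    ("tenant-a", 1.0), ("tenant-a", 1.0),
    ("no-such-key", 1.0),
]

if __name__ == "__main__":
    for tenant, statuses in simulate(SAMPLE_REQUESTS, SAMPLE_PLANS).items():
        print(tenant, statuses)
```

The point the model makes visible is isolation: tenant-a exhausting its bucket never changes the outcome for tenant-b, which is exactly what a single stage-wide limit (the only kind available on some of the other options below) cannot give you.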
One point of criticism on API Gateway REST API is the mediocre user experience for developers. Configuring an API Gateway is complicated and cumbersome because of its feature-richness and flexibility.
In general, I recommend API Gateway REST API for Serverless applications consumed by 3rd parties as well as for enterprise scenarios.
API Gateway HTTP API
AWS announced HTTP APIs as a modern alternative to REST APIs. Despite the name, API Gateway HTTP API is also about RESTful APIs. AWS promises to deliver lower latency, reduced costs, and improved user experience with HTTP APIs.
However, API Gateway HTTP API is a very new service which was announced in December 2019 and has been generally available since March 2020. As usual, new AWS services are a minimum viable product, which means important features are missing and will probably be delivered step by step in the coming years.
I do recommend API Gateway HTTP API for prototyping. I’d be careful with using HTTP APIs for production-grade workloads due to missing user/tenant-based throttling capabilities.
API Gateway WebSocket API
Nowadays, many architectures utilize the request/response model. However, in many scenarios an event-driven approach is more promising. API Gateway WebSocket API offers an event-driven API that allows you to send messages from the client to the server but also the other way around.
The client establishes a connection to the API Gateway, and both sides aim to keep the connection alive. When the client sends an event over the WebSocket, the API Gateway forwards the event to a backend, for example a Lambda function. Whenever needed, the backend can also hand API Gateway a message, which it delivers to the connected client.
The API Gateway WebSocket API is a perfect choice for scenarios where minimizing latency is critical or whenever you want to push events from the server to the client.
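The flow just described, as an added example that is not part of the article: a `$connect` handler that records the connection id against an identity, a `$disconnect` handler that forgets it, and a backend `push` that delivers a message to a client through the management API. It assumes a plain dict in place of a DynamoDB table and any client object that exposes `post_to_connection(ConnectionId=, Data=)`, the call boto3's `apigatewaymanagementapi` client provides; the `GoneException` class and `FakeManagementClient` are offline stand-ins (a real handler would catch `client.exceptions.GoneException`), and the connection ids and user names are constructed.

```python
"""API Gateway WebSocket API: connect, disconnect and server-to-client push.

Added example. Storage is a dict (a real deployment would use DynamoDB) and
the management client is a constructed stand-in for
boto3.client('apigatewaymanagementapi', endpoint_url=...). Identity is taken
from a constructed query-string parameter; in production a Lambda authorizer
or IAM would establish it on the $connect route.
"""
from __future__ import annotations

import json


class GoneException(Exception):
    """Stand-in for client.exceptions.GoneException: the client already left."""


# connection_id -> user (or tenant) that owns the connection
connections: dict[str, str] = {}


def on_connect(event: dict, context=None) -> dict:
    """$connect route: authorize once, then remember who owns the connection."""
    user = (event.get("queryStringParameters") or {}).get("user")
    if not user:
        return {"statusCode": 401}  # refusing here closes the socket
    connections[event["requestContext"]["connectionId"]] = user
    return {"statusCode": 200}


def on_disconnect(event: dict, context=None) -> dict:
    """$disconnect route: forget the connection so nothing is pushed to it later."""
    connections.pop(event["requestContext"]["connectionId"], None)
    return {"statusCode": 200}


def push(client, user: str, payload: dict) -> list[str]:
    """Deliver payload to every live connection of `user`.

    Stale entries (client vanished without a $disconnect) surface as
    GoneException on post_to_connection and are pruned. Returns the
    connection ids that received the message.
    """
    data = json.dumps(payload).encode()
    delivered: list[str] = []
    for cid, owner in list(connections.items()):
        if owner != user:
            continue
        try:
            client.post_to_connection(ConnectionId=cid, Data=data)
            delivered.append(cid)
        except GoneException:
            connections.pop(cid, None)
    return delivered


class FakeManagementClient:
    """Constructed offline stand-in for the boto3 management API client."""

    def __init__(self, gone: set[str]):
        self.gone = gone                          # ids that will raise 410
        self.sent: list[tuple[str, bytes]] = []   # what was "delivered"

    def post_to_connection(self, ConnectionId: str, Data: bytes) -> None:
        if ConnectionId in self.gone:
            raise GoneException(ConnectionId)
        self.sent.append((ConnectionId, Data))


def _event(connection_id: str, user: str | None) -> dict:
    """Build a constructed $connect event in the shape the route receives."""
    qs = {"user": user} if user else None
    return {"requestContext": {"connectionId": connection_id},
            "queryStringParameters": qs}


def demo() -> dict:
    """Run the whole exchange against constructed data and report the result."""
    connections.clear()
    statuses = [
        on_connect(_event("c1", "alice"))["statusCode"],
        on_connect(_event("c2", "alice"))["statusCode"],
        on_connect(_event("c3", None))["statusCode"],   # unauthenticated
        on_connect(_event("c4", "bob"))["statusCode"],
    ]
    client = FakeManagementClient(gone={"c2"})        # c2 silently went away
    delivered = push(client, "alice", {"type": "order.shipped", "id": 42})
    on_disconnect({"requestContext": {"connectionId": "c4"}})
    return {"connect": statuses, "delivered": delivered,
            "remaining": sorted(connections)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter in practice: the identity check happens on `$connect`, because every later message on that socket is trusted on the strength of it, and a failed `post_to_connection` is the only signal the backend gets that a client is gone, so the pruning branch is what keeps the connection table from filling up with dead entries.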
AppSync
RESTful APIs have been popular for years. However, more and more architects are looking into GraphQL. A GraphQL API is a perfect fit for mobile applications because of its main design goals:
- The client asks only for the data that is needed. The API won’t return any useless attributes. Doing so reduces the amount of data that needs to be transferred.
- The client bundles multiple queries in a single request, for example by specifying nested queries. Doing so reduces the number of requests.
- An API specification is built in automatically, defining the possible API queries in every detail. Doing so allows you to validate requests or to generate SDKs automatically.
AWS AppSync is a managed service to deploy GraphQL APIs. The service has been around since 2018. Personally, I do like the experience of building APIs with AppSync. The main reason is that everything starts with a GraphQL API specification. Everything else is built around that contract between client and server.
A typical use case for a GraphQL API is to unify access to different backend systems (e.g., legacy applications, microservices, etc.). AppSync is definitely also a good choice for building top-notch Serverless applications.
Application Load Balancer (ALB)
Strictly speaking, an Application Load Balancer (ALB) is not an API Gateway. However, the ALB provides similar functionality. Compared to the alternatives, an ALB is cost effective and very simple to use.
However, an ALB does not cover all features of a typical API Gateway. Most importantly, it is not possible to transform requests or responses. The possibilities for authentication are also limited.
Unfortunately, comparing costs between the ALB and the other options is not that simple, as their pricing models are completely different. Roughly speaking, an ALB should be more cost effective for high volume but steady workloads.
Comparison
To conclude, the following table compares the different API Gateway options on AWS. As always, there is no one-size-fits-all solution.

| | API Gateway REST API | API Gateway HTTP API | API Gateway WebSocket API | AppSync | ALB |
|---|---|---|---|---|---|
| Type | REST API | REST API | WebSocket | GraphQL | REST API |
| HTTPS/TLS | ✅ | ✅ | ✅ | ✅ | ✅ |
| Backends | ✅ Lambda ✅ Public endpoint ✅ Private endpoint ✅ AWS Service APIs | ✅ Lambda ✅ Public endpoint ✅ Private endpoint ⚠️ AWS Service APIs | ✅ Lambda ✅ Public endpoint ✅ Private endpoint ✅ AWS Service APIs | ✅ Lambda ✅ Public endpoint ❌ Private endpoint ⚠️ AWS Service APIs | ✅ Lambda ❌ Public endpoint ✅ Private endpoint ❌ AWS Service APIs |
| Costs | 💰💰 | 💰 | 💰 | 💰💰💰 | 💰💰 |
| Maturity | ⭐️⭐️⭐️⭐️⭐️ | ⭐️⭐️ | ⭐️⭐️⭐️⭐️ | ⭐️⭐️⭐️⭐️ | ⭐️⭐️⭐️⭐️ |
| Authentication | ✅ IAM ✅ API Key ✅ OpenID Connect ✅ SAML ✅ Social ✅ Custom | ✅ IAM ❌ API Key ✅ OpenID Connect ❌ SAML ❌ Social ✅ Custom | ✅ IAM ❌ API Key ❌ OpenID Connect ❌ SAML ❌ Social ✅ Custom | ✅ IAM ✅ API Key ✅ OpenID Connect ✅ SAML ✅ Social ❌ Custom | ❌ IAM ❌ API Key ✅ OpenID Connect ✅ SAML ✅ Social ❌ Custom |
| Throttling | ✅ | ❌ | ❌ | ❌ | ❌ |
| Request Validation | ✅ | ❌ | ✅ | ✅ | ❌ |
| Request/Response Transformation | ✅ | ❌ | ✅ | ✅ | ❌ |
| Endpoints | ✅ Public ✅ Private | ✅ Public ❌ Private | ✅ Public | ✅ Public | ✅ Public ✅ Private |
| WAF | ✅ | ❌ | ❌ | ✅ | ✅ |