
AWS API Gateway For Dummies

Welcome to part 6 of a multiple part course on passing your AWS Architect, Developer & Sysops Associate exams. The best part…this course is totally free of charge!

When I was studying for the AWS Architect Associate exam I knew that API Gateway had recently been added to the exam. So I did a bunch of research, asked people who'd recently passed the exam and documented exactly what you need to know about it.

What is API Gateway? API Gateway provides a clean interface for mobile and web applications to access business logic hosted on EC2, AWS Lambda and many more AWS services in a secure and easy fashion.

The article will take just 5 minutes to read and after doing so you’ll have all you need to know to answer any question around API Gateway in the AWS certifications.

Who should read this?

If you are studying for the:

  • AWS Associate Architect
  • AWS Associate Developer
  • AWS Associate SysOps

Or you are using AWS and want to learn more about API Gateway, then this is the article for you.

N.b. if you're only interested in what you need to know for the AWS certifications then skip ahead to the "What do I need to know for the Exam?" section.

What is AWS API Gateway?

API Gateway provides a simple and easy to understand access layer to underlying services hosted on AWS.

Let’s imagine you have a product running on AWS that has 5 Lambda functions. These functions provide useful business logic that external websites and mobile applications need to consume.

So how do we expose them to those apps? API Gateway to the rescue! By exposing those Lambda functions via API Gateway, your mobile apps and websites can now make use of them.

The very same API Gateway can expose other services hosted on AWS such as web services hosted on EC2 instances.

The benefits of this approach are that you get a lot more control over how those services are exposed, and your consumers deal with a single endpoint rather than multiple URLs spread across your AWS estate.

Not only that, but you get a bunch of useful features such as caching responses to limit how much traffic your underlying endpoints receive (further reducing costs). Or, if you want to protect your API from overuse, you can apply throttling limits per endpoint and per client to limit the damage that denial-of-service attempts, brute forcing and runaway clients can do.

What do I need to know for the Exam?

Ok, let’s get down to business. What do you need to know to pass the AWS certifications when it comes to API Gateway…Incidentally this list is a good summary of API gateway in general, even if you aren’t studying for the exam.

  • Caching API Calls
  • API Gateway is Low Cost
  • Scales Automatically
  • Throttles requests if Desired
  • CORS can be enabled

Caching API Calls

When a consumer makes a request to a resource exposed by API Gateway, the response generated could be exactly the same for the next 100 requests. So you can set a TTL (Time To Live) on the cached response, which means that when the next consumer requests this resource it receives the cached response, and the Lambda function or EC2 instance that originally produced the response is not contacted at all.

This feature is useful for data that doesn't change too often, e.g. TV guides or hourly weather reports.

As we touched on in the What is API Gateway section, the net effect of caching is both a performance improvement, since the latency of a call is reduced, and a reduction in costs, since the underlying service is not hit for requests served from the cache.

One caveat a practitioner will care about: the cache key is built from the request path plus whichever query-string parameters or headers you declare as cache key parameters on the method. If a response depends on who the caller is, the identifying header (for example Authorization) must be part of the cache key, otherwise one user's cached response can be served to another user. Cached responses also stay in the cache until the TTL expires or you flush the cache, so changes behind the API are not visible immediately.
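The cache-key point above, as an added example (illustrative Python written for this article, not API Gateway's own code and not an AWS SDK call): a small model of a stage cache whose key is the method and path plus any headers declared as cache-key parameters, sitting in front of a constructed per-user backend. Keyed on the path alone, Bob receives Alice's cached response; keyed on Authorization as well, he does not. The `account_backend` function, the bearer tokens, the fake clock and the 300-second TTL are all made up for the demo.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Illustrative model of an API Gateway stage cache, written for this article
# (not AWS code). The key is the method and path plus any request headers
# declared as cache-key parameters; entries live for ttl_seconds.


@dataclass
class CacheEntry:
    body: str
    expires_at: float


class FakeClock:
    """Constructed clock so the demo and its TTL behaviour are deterministic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class StageCache:
    def __init__(self, ttl_seconds: int, key_headers: Tuple[str, ...] = (),
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.key_headers = tuple(h.lower() for h in key_headers)
        self.clock = clock
        self.store: Dict[tuple, CacheEntry] = {}
        self.backend_calls = 0  # how often the "Lambda/EC2" backend was hit

    def cache_key(self, method: str, path: str, headers: Dict[str, str]) -> tuple:
        lowered = {k.lower(): v for k, v in headers.items()}
        # Only declared headers take part in the key; everything else is ignored,
        # which is exactly why an undeclared Authorization header causes cross-user hits.
        return (method, path, tuple(lowered.get(h) for h in self.key_headers))

    def handle(self, method: str, path: str, headers: Dict[str, str],
               backend: Callable[[Dict[str, str]], str]) -> Tuple[str, bool]:
        """Return (body, served_from_cache)."""
        key = self.cache_key(method, path, headers)
        now = self.clock()
        entry = self.store.get(key)
        if entry is not None and entry.expires_at > now:
            return entry.body, True
        self.backend_calls += 1
        body = backend(headers)
        self.store[key] = CacheEntry(body, now + self.ttl)
        return body, False


def account_backend(headers: Dict[str, str]) -> str:
    """Constructed stand-in for a backend whose response depends on the caller."""
    token = headers.get("Authorization", "")
    user = token[len("Bearer "):] if token.startswith("Bearer ") else "anonymous"
    return '{"user": "%s", "balance": 100}' % user


def demo(key_headers: Tuple[str, ...], ttl_seconds: int = 300):
    """Alice calls GET /account, then Bob does. Returns Bob's body, whether it was
    a cache hit, whether a call after the TTL was a hit, and the backend call count."""
    clock = FakeClock()
    cache = StageCache(ttl_seconds, key_headers, clock)
    alice = {"Authorization": "Bearer alice"}
    bob = {"Authorization": "Bearer bob"}
    cache.handle("GET", "/account", alice, account_backend)
    bob_body, hit = cache.handle("GET", "/account", bob, account_backend)
    # Once the TTL has expired the next call misses and refreshes the entry.
    clock.now += ttl_seconds + 1
    _, hit_after_ttl = cache.handle("GET", "/account", bob, account_backend)
    return bob_body, hit, hit_after_ttl, cache.backend_calls


if __name__ == "__main__":
    print("path-only key:        ", demo(()))
    print("path + Authorization: ", demo(("Authorization",)))
```

With the path-only key the second call is a cache hit carrying Alice's data, and the backend is invoked only twice across three requests; with Authorization in the key every user gets their own entry at the cost of one more backend call.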

API Gateway is Low Cost

API Gateway falls under the AWS Free Tier, meaning you can make up to 1 million API calls per month free for your first 12 months. If you go over that limit, the first tier of charges is $3.50 per million calls, up to 333 million calls per month.

With thresholds like this, you're unlikely to incur significant charges through the usage of API Gateway. Curiously though, direct calls to Lambda functions are even cheaper at $0.20 per million requests (plus a charge for execution duration).

For caching, you pay an hourly rate for the cache you provision, which ranges in size from 0.5 gigabytes up to a massive 237 gigabytes.

The figures above are as of the time of writing. For a detailed, current breakdown of API Gateway charges, check out Amazon's API Gateway pricing page.

Scales Automatically

API Gateway is fully managed by AWS, meaning you won't need to allocate more nodes, configure auto scaling groups or any of that nonsense. AWS handles it all for you.

So, as your request traffic grows, so will your API Gateway service to match that demand (up to the account-level throttling limits, which default to 10,000 requests per second with a burst of 5,000 per region and can be raised through a quota increase). This is great, especially when you have a resource behind API Gateway that hasn't been configured for scaling, e.g. a single EC2 instance. You can put it behind API Gateway, set up caching with a long TTL, and that single instance can serve a large amount of traffic without the need to create more instances via auto scaling groups.

This scenario only really works if the response returned from the EC2 instance is fairly static, though. Every cache miss still lands on that one instance, so if responses vary per user or per query string (and those values are part of the cache key), the cache buys you much less.

Throttle requests if Desired

Imagine some untoward hacker decides to attack your company with a DoS (Denial of Service) attack: constantly hitting your servers in an attempt to overload them or run up a massive bill on your account.

This scenario is a real possibility and it's vital that you put in place systems and procedures to handle it.

Fortunately API Gateway has a solution for this. You can set throttling limits on each API stage or individual method (a steady-state request rate plus a burst), and per consumer through usage plans tied to API keys, which can also carry a daily, weekly or monthly quota. Requests over the limit are rejected with HTTP 429 Too Many Requests before they reach your backend, which reduces the vulnerability of your system to these types of attacks. Two caveats: API keys identify a consumer for metering and throttling but are not an authentication mechanism, so pair them with a proper authorizer (IAM, Cognito or a Lambda authorizer); and for volumetric attacks from many sources you can also put AWS WAF in front of the stage with rate-based rules.
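What "set limits on each endpoint" means in practice, as an added example (Python written for this article to model the semantics; it is not AWS code): API Gateway throttling behaves like a token bucket with a steady-state rate and a burst capacity, applied at the stage level and, through usage plans, per API key, with an optional quota on top. The request timestamps, key names, plan numbers and traffic pattern below are constructed for the demo; the stage-level defaults of 10,000 requests per second and a 5,000 burst are the account-level defaults. Throttled calls get HTTP 429 and a missing or unknown key gets 403.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Illustrative model of API Gateway throttling written for this article (not AWS
# code): one token bucket per scope, refilled at `rate` tokens per second up to `burst`.


@dataclass
class TokenBucket:
    rate: float           # steady-state requests per second
    burst: int            # maximum tokens, i.e. how big a spike is absorbed
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        # Refill for the time elapsed since the previous request, capped at burst.
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class UsagePlan:
    rate: float
    burst: int
    quota: Optional[int] = None   # max accepted requests per period (e.g. per day)


class ThrottledStage:
    """Stage-level bucket plus one bucket and one quota counter per API key."""

    def __init__(self, plans: Dict[str, UsagePlan],
                 stage_rate: float = 10_000, stage_burst: int = 5_000) -> None:
        self.stage = TokenBucket(stage_rate, stage_burst)
        self.plans = plans
        self.buckets = {k: TokenBucket(p.rate, p.burst) for k, p in plans.items()}
        self.accepted: Dict[str, int] = {k: 0 for k in plans}

    def request(self, now: float, api_key: Optional[str]) -> int:
        """Return the HTTP status the caller would see for one request."""
        if api_key not in self.plans:
            return 403  # API Gateway rejects a missing or unknown key with Forbidden
        plan = self.plans[api_key]
        if plan.quota is not None and self.accepted[api_key] >= plan.quota:
            return 429  # quota for the period is used up
        if not self.buckets[api_key].allow(now):
            return 429  # per-key rate/burst exceeded
        if not self.stage.allow(now):
            return 429  # account/stage-level limit exceeded
        self.accepted[api_key] += 1
        return 200


def replay(requests: List[Tuple[float, Optional[str]]],
           plans: Dict[str, UsagePlan]) -> List[int]:
    """Run constructed (timestamp, api_key) traffic through a fresh stage."""
    stage = ThrottledStage(plans)
    return [stage.request(t, key) for t, key in requests]


# Constructed traffic: one client fires 8 calls at once, a partner makes one call
# and an unauthenticated caller one call at the same instant, then the first
# client tries 3 more calls a second later.
PLANS = {
    "attacker-key": UsagePlan(rate=2, burst=5, quota=6),
    "partner-key": UsagePlan(rate=2, burst=5, quota=6),
}
TRAFFIC: List[Tuple[float, Optional[str]]] = (
    [(0.0, "attacker-key")] * 8
    + [(0.0, "partner-key"), (0.0, None)]
    + [(1.0, "attacker-key")] * 3
)

if __name__ == "__main__":
    for (t, key), status in zip(TRAFFIC, replay(TRAFFIC, PLANS)):
        print(f"t={t:.1f}s key={key!s:13} -> {status}")
```

The burst of 8 is cut to 5 accepted calls, the partner's key is unaffected because it has its own bucket, the keyless call is refused outright, and a second later the refill allows one more call before the quota of 6 closes the door for the rest of the period.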

CORS can be enabled

If you've ever written any type of dynamic web application or complex mobile app, then it's likely that your front end calls several different servers. CORS (Cross-Origin Resource Sharing) can be enabled on your API Gateway methods so that browsers allow those cross-origin requests. For a REST API this adds an OPTIONS method that answers the browser's preflight request with the Access-Control-Allow-Origin, -Methods and -Headers headers; with a Lambda proxy integration your function must also return Access-Control-Allow-Origin on the actual response.

CORS is a subject in of itself, so I’ve dedicated a section next that goes into a little more detail on what CORS is.

What on earth is Cross Origin Resource Sharing (CORS)?

I thought about writing up my own explanation of CORS until I read the intro paragraphs from Mozilla's website and decided frankly that I couldn't do a better job. So here are the first few paragraphs:

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin. A web application makes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port) than its own origin.

An example of a cross-origin request: The frontend JavaScript code for a web application served from uses XMLHttpRequest to make a request for

For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request HTTP resources from the same origin the application was loaded from, unless the response from the other origin includes the right CORS headers.

Courtesy of

For a more comprehensive explanation of CORS, head over to Mozilla's website, which gives a great rundown of Cross-Origin Resource Sharing.
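Pulling the two CORS sections together, here is an added example (Python written for this article, not code from the original post) of a Lambda function behind an API Gateway Lambda proxy integration that answers the browser's preflight OPTIONS request and adds CORS headers to the real response. The origin allow-list, the permitted methods and headers, and the response body are assumptions for the demo. Two points the text above does not spell out: echo only an allow-listed origin rather than `*` (a wildcard is not permitted together with credentials anyway), and remember that CORS is enforced by the browser, so it is not an access control; the function must still authenticate its callers.

```python
import json
from typing import Any, Dict

# Lambda proxy integration handler written for this article (not the original
# post's code). Hypothetical allow-list for the demo; in a real deployment read
# it from configuration rather than hard-coding production origins here.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = "GET,POST,OPTIONS"
ALLOWED_HEADERS = "Content-Type,Authorization"


def cors_headers(origin: str) -> Dict[str, str]:
    """CORS headers for an allow-listed origin; anything else gets none.

    Never echo an arbitrary Origin back, and never combine '*' with credentials.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # tell caches the response depends on the Origin header
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Max-Age": "600",  # browser may reuse the preflight result
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Entry point for the REST API proxy event (httpMethod, path, headers, ...)."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    origin = headers.get("origin", "")
    method = event.get("httpMethod", "GET")
    cors = cors_headers(origin)

    if method == "OPTIONS":
        # Preflight: a disallowed origin receives no Allow-* headers, so the browser
        # refuses to send the real request. The 204 itself carries no data.
        return {"statusCode": 204, "headers": cors, "body": ""}

    # Real request. Authentication/authorization of the caller would go here; CORS
    # headers only tell the browser whether the page may read the response.
    body = {"message": "hello", "path": event.get("path")}
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json", **cors},
        "body": json.dumps(body),
    }


if __name__ == "__main__":
    preflight = {"httpMethod": "OPTIONS", "path": "/hello",
                 "headers": {"Origin": "https://app.example.com"}}
    print(handler(preflight))
    print(handler({**preflight, "headers": {"Origin": "https://evil.example"}}))
```

The same function serves both the preflight and the real call, which is what a Lambda proxy integration requires; if you instead let the API Gateway console generate a mock OPTIONS method, check the Access-Control-Allow-Origin value it writes, since the default is the wildcard.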


Now you know all you need for the API Gateway questions in the AWS Architect Associate exam and have a decent understanding of the concepts around AWS API Gateway. And it only took 5 minutes!

Check out my next article on AWS Kinesis. It'll take just 5 minutes to read at most and you'll have all the info you need to answer questions around AWS Kinesis.
