API Gateway
API Gateway is a fully managed service for creating, deploying, and securing REST, HTTP, and WebSocket APIs. It handles authentication, throttling, caching, and request/response transformation without managing infrastructure.
API Gateway is a hotel concierge — they greet guests (requests), check credentials (auth), take requests to the right department (Lambda), and won't wait more than 29 seconds for an answer before apologizing to the guest (504).
Types: REST API (full features, higher cost), HTTP API (simpler, 70% cheaper, supports OIDC/JWT auth natively), WebSocket API (bidirectional, persistent connections). Features: API keys, usage plans (throttling per key), IAM auth, Lambda authorizers (custom auth), Cognito User Pool authorizers, request/response mapping templates (VTL), stage variables, canary deployments. Integration types: Lambda Proxy (pass-through), Lambda Custom (transform), HTTP, Mock. Throttling: 10,000 RPS default, 5,000 burst — can be increased.
API Gateway has a hard 29-second integration timeout — Lambda functions must complete within this window or the API returns 504. This is a critical production gotcha for long-running operations. Caching: REST API supports response caching per stage (TTL 0–3,600s), reducing backend hits. VPC Link connects API Gateway to resources in a VPC without public exposure. Binary support for REST APIs handles image, PDF, and other binary content. WebSocket APIs maintain persistent connections; $connect, $disconnect, and $default routes handle lifecycle and messages. For high-traffic APIs, consider using HTTP APIs (cheaper and faster) over REST APIs when you don't need REST-specific features.
API Gateway is the front door for serverless APIs. For new APIs, I use HTTP APIs for cost and simplicity, falling back to REST APIs when I need request transformation, caching, or usage plans. The 29-second timeout is a hard constraint — for long-running operations, I use async patterns: API Gateway → SQS → Lambda, returning a job ID and polling for results. Lambda authorizers provide flexible custom auth logic.
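A Lambda authorizer of the kind these notes mention, as an added example (not code from the page or from AWS): a TOKEN authorizer for a REST API that verifies a bearer token and returns the IAM policy document API Gateway expects. The token scheme, SECRET value and sample methodArn are constructed for the demo; a real deployment would verify a JWT/OIDC token and load the key from a secrets store.

```python
"""Lambda TOKEN authorizer for a REST API. Added example, not code from the page.
Token format is a constructed demo scheme: base64url(JSON claims) "." base64url(HMAC-SHA256).
A real deployment would verify a JWT/OIDC token and load SECRET from a secrets store."""
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret-not-for-production"  # constructed; assumed injected at runtime

def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub, ttl=300, now=None):
    """Issue a demo token; present only so the example is self-contained."""
    payload = json.dumps({"sub": sub, "exp": int(now or time.time()) + ttl}).encode()
    return f"{_b64url(payload)}.{_b64url(hmac.new(SECRET, payload, hashlib.sha256).digest())}"

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _b64url_decode(p64), _b64url_decode(s64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, hmac.new(SECRET, payload, hashlib.sha256).digest()):
        return None  # constant-time comparison failed: bad or forged signature
    claims = json.loads(payload)
    return None if claims.get("exp", 0) <= int(now or time.time()) else claims

def handler(event, context=None, now=None):
    """Entry point API Gateway invokes with type=TOKEN, authorizationToken and methodArn."""
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        raise Exception("Unauthorized")  # this exact message makes API Gateway answer 401
    claims = verify_token(auth[len("Bearer "):], now=now)
    # Scope the policy to the whole stage: API Gateway caches the result per token, so a
    # Resource limited to this one methodArn would 403 every other route until TTL expiry.
    api_arn, _, stage_and_path = event["methodArn"].partition("/")
    stage = stage_and_path.split("/")[0]
    return {
        "principalId": claims["sub"] if claims else "anonymous",
        "policyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke",
            "Effect": "Allow" if claims else "Deny",  # Deny -> 403, cached like Allow
            "Resource": f"{api_arn}/{stage}/*"}]},
        "context": {"sub": claims["sub"]} if claims else {},
    }
```

Raising an exception whose message is exactly "Unauthorized" produces a 401, while returning a Deny policy produces a 403; both outcomes are cached per token for the authorizer's configured TTL, so a revoked token keeps its cached verdict until that TTL expires.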
Gotcha: a Lambda timeout configured longer than 29 seconds behind API Gateway. API Gateway will time out and return 504 before Lambda finishes, so the caller sees an error even though Lambda is still running. Design long operations as async patterns.