AWS re:Invent 2019: [REPEAT 2] I didn’t know Amazon API Gateway did that (SVS212-R2)

Captions
All right, good morning. Okay, I'm glad three of you are here. How are you doing this morning? Good. It's day four. It's day four and we are at re:Invent and it has probably been crazy. I don't know about you guys, but it's been crazy for me. This is the tenth session I'm speaking in this week and it's been a lot of fun, and I'm glad you're here. My name is Eric Johnson. Let me tell you a little bit about who I am. I have to trust you're out there because I can't see anything; the lights are so bright up here. So my name is Eric Johnson. You can find me on Twitter at @edjgeek. I am a senior developer advocate for serverless and I am a totally, you know, automation nerd. I've been a Software Architect or Solutions Architect since 1995, so I'm kind of an old guy. I've been doing this for a long time, either on the side or as my main gig. I am a music lover. I was a drummer. I started life as a drummer; I was gonna be a professional drummer. So here's what I figured out: turns out I am a phenomenal drummer for one finger, but I'm fairly average in life, so nobody's gonna pay me to drum. So I was like, well, I gotta think of something else to do here.

So, a couple of rules when I'm speaking. Now, that's probably more like guidelines. It's gonna help you out, but these are things that are gonna help you understand what's going on, okay? And it's okay to laugh, it's okay to be comfortable here. But this is the first rule: this is any number I want it to be, okay? I'm gonna hold this up and I'm gonna say a 7 or an 11 or a 52, and that's the number. It's not what I'm holding up, it's what I'm saying. Unless sometimes it does match; sometimes it's a 1, okay? I can get to 4 if I take my shoes off, but that just gets awkward for everybody, okay? I have gone into, like, restaurants, like, table for 7 please, because I have five kids. Yes, believe it or not, five kids. It's table for seven, and I find myself alone at the bar. So the second rule is: these are quotes, not apostrophes, okay? I know that, but this looks better than this, okay? I do this and someone's like, is
he doing a bunny rabbit? I don't know what he's doing, okay? And I guarantee you there's still people coming in. I'm gonna do this later and they're gonna be like, is he waving at us? I'm not waving at you, unless I am, okay? And it's contextual; you have to figure it out, okay? The last rule is: these are thumbs. I do this a lot, to use like, yeah, it was great, and you just see people like, oh, or if it's bumping, nope, okay? I don't know what to do with that. I do know I have one finger. I did not wake up this way this morning. Okay, no, that didn't make sense. I did wake up this way this morning. I do, wow. I didn't wake up for the first time like this this morning, okay? If I did, as much as I love you, I would not be here with you, I'd be somewhere coping, okay? Just to let you know, I do tell one-finger jokes. I'm very comfortable with it. You're welcome to ask me things, but if it makes you uncomfortable, I'm also comfortable with that. So yeah, thank you. So either way, I'm good. Enjoy.

So all right, so today we're gonna be talking about APIs, specifically API Gateway. Anybody hear the announcement we had yesterday, HTTP APIs? Good, I'm glad that one person heard it. We'll talk later. Excellent. All right, I'm gonna tell you a little bit about it today. We're not gonna spend much time there, but I'm pretty excited about it. So I want to level set this just so you know: this is a 200-level session and it is a serverless session, so we're gonna be talking about APIs in relation to serverless, but this can actually apply all over the place. So, you know, it'll be something that hopefully will be helpful when you leave here. I'm hoping that you'll say, I didn't know API Gateway did that, okay? And you'll be like, wow. Or if you say, well, I already knew that, well, good, I'm glad, but hopefully I will teach you something today. Now how many of y'all work with APIs now? Okay, good, part of the room. How many of y'all are like, I can't even spell API? Nobody raised their hand. Thank you. Trick question. It's okay. So real quick, so we understand, let me ask this
question also: how many are using API Gateway on Amazon? All right, excellent. Okay, so we have some. How many of y'all are evaluating it? All right, so we got a good mix in the room. I won't make you raise your hands all day; I just want to get some information there. We have a good mix. So let's do this real quick: what is an API anyway? Okay, and most of you probably know what it is, but there's probably some in the room like, I don't know, is it a P, is it AAP? You get Corey Quinn in here, he can help us pronounce it properly. So okay, according to the all-authority of Wikipedia, it says: in building applications, an API simplifies programming by abstracting the underlying implementation and only exposing objects or actions the developer needs. Okay, so the idea here is, and we're not going to get heavily into the definition because you're kind of getting it as we're going along, but the idea is it abstracts off the communication between services and allows your services to speak to each other without having to contain that business logic within your application, right? So you kind of abstract that off. There's a very standard way of doing that with REST APIs; we have WebSocket APIs, and there are other formats coming out, but that's how services can talk to each other, even within the same application or across applications.

So we look at a really simple definition, or diagram. I drew this; I'm pretty proud. I started as a designer. Turns out I'm a really bad designer too, but I did this, very proud of it. All right, so you get the idea. You have a client, and this is an example of a REST API, okay? You have a client where they're gonna do a request. They're going to talk to the API. That API is then going to talk to the services behind it, and it could be any number of things. In our world it's usually a Lambda, but it might be something else, so we'll talk on that. And then it does a response back to the client. So you have these patterns, and these packages are getting passed. In serverless
this is generally done through API Gateway. Now the reason I want to do this is, here's the truth about API Gateway, and you'll pardon me if I take a drink real quick here. Here's the truth about API Gateway today: you're gonna learn a lot about the functionality and the features and some of the advanced features that it does. Now we're not gonna get into so much the how do you do it, but more of the did you know you could do it, okay? You're gonna see the conceptual ideas. And the truth here is, if you're not using these, if you're using API Gateway and you're just proxying a Lambda, okay, so all I'm doing is my API Gateway is just passing data back and forth, you're probably overpaying, okay? Now we're gonna cut that from the video, you know, they don't need to know, I'm in here going okay. But if you're not using the tools, that's one of the reasons we released HTTP API. Let me say that: HTTP API, which is a new service we just released yesterday. It's part of API Gateway. What we're looking to do is, for simpler workflows where you're just proxying Lambdas, you can do it 70 percent cheaper with a more intuitive workflow with the HTTP API. So keep that in mind if you're looking, like, look, I don't need throttling, I don't need caching, I don't need, you know, resource things, or all the things that I'm going to talk about today, then look at HTTP API. It's in preview right now, but it is our goal over the next while, as we're moving into 2020, to advance the user interface of API Gateway, give you more power and resources, and reduce cost. So just so you know that.

All right, so let's get into API Gateway and some of the things that it can do, right? So first of all, when you think about API Gateway, you want to think about it as kind of two parts: what can talk to API Gateway, and what can API Gateway talk to. You have a front and a back, and you're gonna need to think about those separately. So let's talk about the front for a minute. There's three kinds of
ways you can talk to API Gateway. How many? Okay, good, all right, somebody in the back got that one. I know math, I know numbers, okay. So first is an edge-optimized. These are in no particular order. Edge-optimized: what edge-optimized does is, through API Gateway, it will create and maintain a CloudFront distribution for you. So your API Gateway may live here, but we're gonna push your request and stuff out to the edge, so it's gonna be local and closer to your clients and reduce latency, okay? The second thing you have is a regional, okay? This is the recommended API type for, just make sure that's not my phone, that would be horrible, sorry about that. Regional is the recommended API type for general use cases, okay? Now regional, if you spin something up with, like, SAM, if you're using the Serverless Application Model, most likely it's gonna be a regional. It's gonna be a proxy to Lambda, okay? And then one of the fun things is, if you want more control over, like, a CDN and how your CDN is gonna work on the edge, you can create a regional one and put your own CDN through CloudFront in front of it, okay? So you have the power to do that. And the third one is a private, which is only accessible from within a VPC and networks connected to a VPC. So you can actually have an API that, look, we're gonna use this to give access, you know, internally we've got a service that we're using API Gateway for, or we need an API for that, we don't want to make it public. You can use a private API.

So let's expand this architecture a little bit. Sometimes this used to be the first slide I would show, especially in a room where people have not seen API Gateway, and it's like, whoa, I'm leaving, that's complex. So this is not everything. What this slide is designed to show you is everything, kind of, that API Gateway can do, or some recommendations. Now remember I was saying, when you think of API Gateway, think about how it can be talked to from the front, so what can
talk to it, and what can it talk to. We talked about the three ways you can talk to it, okay, and you can see here again it's kind of diagramming where services, edge services, can talk to. But on the back side there's multiple things that it can talk to, that it can give you access to. Now the first thing is obviously AWS services. Now in serverless, most of the time that's gonna be a Lambda, but sometimes it doesn't have to be; it can be one of over a hundred-plus services that you can connect to and integrate with directly, okay? The second thing is you could connect to, we'll go down here, VPC stuff, inside of a VPC, okay? So if you have stuff privately contained, like EC2 instances, things like that, inside of a VPC, you can use API Gateway through a VPC link to connect to that, okay? It does it through an NLB. And then the other one I would point out to you is the idea of connecting to anything that has an HTTP endpoint, okay? One of the proofs of concept that I did for a group of people that were working on a location service is they needed to be able to do some location translations. Basically, I've got some geo coordinates, I need an address; I've got addresses, I need geo coords. So they were using Google Trends or Google location services for that, but what they didn't want to deal with was the licensing. You know, you have a specific amount of time that you can cache, you have a specific amount of, you know, how many times can you hit it in a second. So what they did, and what we hoped to do, is to take an API Gateway and drop it in front of a Google location server. So that was the proof of concept, right? So then all that control was handled at the API Gateway and not at Google, so the different clients didn't have to do it. So you can point to anything. We have a show that I do called Happy Little APIs on Twitch, and we do an example of that where we build a front end to GitHub and GitLab, and let me
be able to switch it with just, literally, changing a string, but the client has no idea; it's transparent to them. All right, so API Gateway supports two protocols at the moment. These are HTTP, which is, you know, a REST API, and WebSocket. Now if you don't know the difference: with HTTP, what that is, it is literally a round-trip conversation. Hey, I'm asking you something, and hey, you tell me something, okay, we're done, okay? It's a request and response, that's it. With a WebSocket communication it is: hey, I'm going to connect to you and you're gonna be connected to me and we're gonna be chatty. We're gonna send information back and forth as needed. So the interesting thing here is, once that's connected and that conversation is going, the back end can actually communicate with the front end without a request being made from the front end. So this is great for, like, chat clients, a lot of other things, but that's the difference in a WebSocket and a REST API.

So one of the questions I get a lot of times: all right, how do I build API Gateway? What's the best practice for configuring an API Gateway? There are six ways you can configure API Gateway, six common ways, okay? There are some others; I'm not getting into, like, Terraform or something like that, but on Amazon, first is through the management console. That's a great place to learn, and I encourage you, if you've never been in the management console, climb in, create an API, add a resource, add a method, connect it to a back end, follow that through, okay? Especially with our new HTTP API, take a look at that, see what it does, okay? But a problem with that is, if I have to build it again in another region, or I delete it and I want to build it again, I got to remember all those steps. I have to have all those steps written down, okay? So we encourage you to learn there, but as you start to manage it and start to manage large configurations, you want to move into some other steps. The next one we have is the AWS Command Line Interface.
You can create an API Gateway, you can control it. This is good for scripting, if you need to do some, like, your own bash scripts, things like that. But where I would tell you to start when you're managing APIs is to do it either through SAM or CloudFormation, okay? Now there's some other ones as well, but these are where I tend to start. Now if you're not familiar with SAM, SAM is the Serverless Application Model. It's designed specifically to build serverless applications, okay, and it does support much of API Gateway's syntax and setting it up, okay? CloudFormation also does; you can do CloudFormation to build it. SAM sits on top of CloudFormation, okay? So you use SAM and then it's transformed to CloudFormation, so use those together. If it's something that SAM can't handle, like if you get into some really granular stuff, or you're managing a lot of big things, or you're passing templates, then you can use OpenAPI or Swagger. And Swagger is just an older version of OpenAPI; it's OpenAPI for the moment. So that's another way you could do it, and that isn't just an AWS thing; that's, you know, a lot of people use OpenAPI for that. We have some specific API Gateway tags that we add to our templates, so you can pass those around from API Gateway to API Gateway, but the rest of it conforms to the OpenAPI semantics. And the last one is the Cloud Development Kit, or the CDK. Anybody using the CDK? Yeah, that's pretty cool. It's a cool thing. If you're not familiar with the CDK, it is a programmatic approach, right? Whereas CloudFormation is very, you know, you're gonna do a template. Right now you have some logic, you can put some logic in there, but you're not gonna get into heavy looping and heavy logic in your CloudFormation, so that's where you would get into, like, the CDK. So those are the different ways that you can manage that.

All right, so let's talk about
integrating, okay? And this is where we're gonna climb into the wow, I didn't know it did that. All right, so there's multiple ways you can integrate on the back end, and we kind of pointed to some, but let's get a little more specific, okay? So the first and most common way we see, or, I'm not gonna say it's the most common, let's say the common way I see, there's a Lambda function, and there's two ways you could connect to that, and I know this gets confusing and I'm gonna break it down a little for you, okay? With the Lambda function I can connect to it via proxy or I can connect to it via integration, okay, and I'll break that down in a minute. I can also do the HTTP, which I talked about earlier. I can do an AWS service; I can connect to over 100-plus service endpoints, directly integrated with those. And I can hit, through a VPC link, which I talked about earlier, where we're going to connect via an NLB, and you can hit stuff in a VPC. Now let's look at this mock here; I kind of skipped it. So this is an interesting one. Let me ask you: how many of y'all know what CORS is? C-O-R-S, not Coors, the beer from Colorado, where I'm from; we know that too. All right, keep your hands up. How many of y'all love CORS? Yeah, exactly. How many of y'all hate it with all your life, and if CORS had a face you'd punch it in the nose? Me too, okay? CORS is not fun, and I want to find the guy that created CORS and take his beer away, okay? Now I'm not a beer drinker; I'm a Dr Pepper drinker, and if he had a Dr Pepper I would tackle him, okay? So what we've done here is, let me just quickly explain, if you're not familiar with CORS: CORS is the security at the browser level, and if I'm on one domain and I'm calling another domain, so let's say I'm at www.ihatecors.com and I need to call api.ihatecorsbadly.com, the browser is gonna go, nuke, I don't know what that is, nope, that's not secure, I'm not gonna do it. So what the server needs to
do, the browser does a pre-flight check, okay? It does this hey, how are you check. So it calls outside: hey, I'm me and I need you to tell me what I can do. And the server responds, it says here's what you can do, and that's called an OPTIONS call, all right? And then what the browser would then do is, okay, here's what I want to do, and the server says, okay, that's great. But more likely, your first 200 times, it's like, nope, you didn't get it right, because this is CORS in its heart, okay? So what we can do with a mock integration, it's kind of a non-integration: it doesn't integrate to anything on the back side, because it doesn't need anything on the back side to tell it, hey, respond with these headers, respond with these values. So you can actually do your OPTIONS call right at the API Gateway, and then it's just a real quick response. So that's what a mock is, and you can do that for other things, but that's one of the common usages.

All right, so let's get to this question. I love this. So I'll ask people, like, oh yeah, we're connected to a Lambda, we use API Gateway, that's connected to a Lambda. Great, are you doing that through a proxy or an integration? And you can see their eyes: we're doing it through the internet. They clicked a button; we're doing it through a click button. All right, so there's two ways you can connect. Let's kind of explain this. All right, so if I do a proxy connection, you'll see right in the dashboard, am I proxying or am I not proxying, okay? That's the button we click, okay? So when I do a proxy, the client is gonna send a packet; it's a big pink square, okay? And API Gateway is gonna wrap that, so I can actually change that value, but it's gonna wrap it with some metadata, some contextual information that you might need on the back end, okay, about the request, maybe about some security, different things like that. Then the service, and in this case the Lambda, is gonna get that, and then it's gonna do some work, and then it's gonna
send it back, okay? And when that comes back through, if it's a proxy, API Gateway says, I didn't touch it; all I did was push it on through. It won't handle your status codes, it won't handle your headers, anything like that. It's not gonna touch it; that's an integration. So really what's happening here is API Gateway is just saying, here you go, here you go. All right, now can you see why I said if that's all you're using it for, it's probably a little pricey, okay? So let's look at an integration. So with an integration, where I uncheck the box on the internet, an integration: the client sends a request through, and it's a big pink square, and then I use a thing called VTL, which stands for Velocity Template Language. And it's just that: it's a templating language that Apache created that's supported in API Gateway. I can modify that request. I can take that request from a pink square and I can turn it into a green circle. It's an amazing technology, okay? But with that I can make that look, and I have logic, I can use some if-then logic, I can grab some parameters, I can load some static data, I can do all kinds of things, okay? So then what happens is the function gets it, and then it responds with its response, and then I can, once again, I don't have to, but I can once again through VTL set values, change, and I change the shape of the response, okay? So through that I have a lot of control that's happening, okay?

So let's get a little more practical example. So let's say I have a before-VTL that shows first name, last name, phone, city, state, and your favorite pizza. And somebody, some crazy-thinking person, says their favorite pizza is pineapple. Well, everybody knows pineapple should not be on pizza. That's the end of the session, have a good day. So after-VTL: so I'm gonna run it through VTL and it's gonna take it, it's gonna modify that, and I'm going to combine my address, okay, my city and my state, I'm gonna put in an object, because that's how we like it in the back end. And I'm of
course gonna change the favorite pizza to pepperoni, okay? So there's a logical change everybody should do. So that's how that works. So VTL again gives you the ability to change how that maps, but there's a couple of things to understand with that. So let's talk through the lifecycle of that request, response and everything when we're doing an integration, okay? So the first thing, when that comes in, you're gonna get a method request, and at the method request here's what's gonna happen: I can do model validation, and I can do transformation. Now this isn't the VTL transformation I was just talking about on the body, but I can add some headers, I can add some static values, I can do some changes to the values coming in, right? The next thing it's gonna do is it's gonna pass it to what we call an integration request. Now this can be in front of any number of the hundred-plus services that I was saying are supported in API Gateway, and here's where those transformations happen. So here's where we can apply our VTL. And so here's a great example: I was in Copenhagen about two weeks ago, and one of the demonstrations was on building a functionless URL shortener, because the world needs another URL shortener, as you well know, okay? And so the idea here is I was able to connect an API Gateway directly to a DynamoDB, because there's really no logic that needed to happen. I'm just passing in data, and I'm making a response with what they value: here's the key, and I need the response with the right URL to go to, okay? Made it wicked fast. Lambdas are fast as well, but any time you have hops you have a little latency added, right? So you have this ability to do that transformation coming into your service. Now on the way out you have an integration response, and it's kind of the same thing, okay? I converted the payload going in; now I'm gonna convert the payload going out, okay? And I can change the headers, I can change the body, do whatever I need
to do. And finally I can do the method response. This is where I can add, you set some other values, headers, climb in there, and you handle your custom errors, okay? That was a 400, here's what a 400 looks like, those are poor, here's what I want it to look like, okay? Let's go back to number one for a second, model validation. Let me give you a use case for that, okay? So let's say I have a piece of data that I know requires, let's say I'm doing a location, like a where-are-you type application, and in my data I need to know what the device is, so device type or device ID, and I need to know the location, and then there might be extraneous information, like a message, okay? So those three: I don't care if I have the message or not, but I need the other two. So I can add a model into the method response to evaluate the body against. It says I have to have a device ID and it has to be a string, and I have to have a location and it has to be a string, okay? And then I could pass another one and I say, but I also want to get a message, and it has to be an object, but I don't require it, okay? So then when that payload is passed in from the client, before it ever goes to the back end, I can validate it right there, and it can say, nope, not a string, kick it out, okay? Now let's think about what that means. First of all, with the validation you can do pattern matching; you can do regex to build that up. So let's think about what that means in the pricing for AWS. When you're looking at a Lambda, you get a million invokes a month for free per account, okay? And then you get, excuse me, you get 400,000 gig of memory for free per account, okay? So if you're hearing that per-account theme, one of the things we say is split your APIs across accounts to take use of that, or your Lambdas across accounts for your applications. Now let's say, for some crazy reason, we don't know all the payloads that are gonna come in, they're gonna be kind of wild, so let's say I get 10 million. So that means I'm gonna pay for 9
million, right? But let's say 2 million of those are bad data structures, okay? Now if I'm validating at the Lambda, I'm gonna pay for those 2 million, right? But if I'm validating at the API Gateway, that Lambda will never be invoked, and I've just saved two million invocations on a service I'm already paying for; that's gonna kick it out. You see the savings there. You're also reducing latency for your client, okay? Not a lot, because again serverless is very, very, very fast, but any time you can remove a hop, any time you can remove touching a service, you reduce latency. It's the way it works. All right, so that's kind of the overall how does API Gateway work on a high level, maybe a little more granular. Now we're gonna get into some of the features that API Gateway offers that we say, are you taking advantage of these, so that you can go, I didn't know it did that. All right, so let's jump in.

So first of all, authorization. How many of y'all have written your own authorization system? Oh, is that fine? How many of y'all love doing that? All right, yeah, same here. Yeah, first of all, I'm not smart enough to do that. I'm like, look, just call me and tell me who you are, I'll let you in. Yeah, so one of the things you can do is you can use authentication and authorization right at API Gateway, and I'll explain how that works. So there's several different ways you can do auth there. So first of all, you can do an open, okay? And you're like, well, that's not auth. Yeah, you're right, but I wanted to say you can have an API Gateway that's just open, and sometimes that's the easiest kind of authorization. Look, we're getting stuff ripped off, but it works, you know. I'm not saying go that way, okay? Don't quote me out in Twitter world, but that's one way we go. So the first thing we have, we have this concept called authorizers, okay? And you build it, you attach an authorizer to API Gateway, and that authorizer can do several different things. The first thing is what's called an IAM permissions
authorizer, or I say "I am" and I don't care if it's wrong. And what it does, it uses IAM policies to let you decide what you should be able to get access to. In order to use that you need to have a signed request, so your client's gonna build and sign the request using some different libraries; it uses a SigV4 format, and that gets complicated. One of the cool things is, and I'll show you in a little bit, you can actually export the SDK you need from API Gateway to do that work for you, okay? But that's the first way you can do that. The second way is what's called an Amazon Cognito authorizer. This is a really common way of going. So has anybody used Cognito? All right, great. If you're not familiar with Cognito, what Cognito allows you to do, you can do multiple things with it, but one of these is you can create a user pool experience. So I can create a user pool where customers can actually go, they could sign up, they can log in, they can fix their forgotten passwords, they can request their tokens again, and it handles it all for you. And you can interface with that via an API, or you can actually have it host your login pages. I have a CloudFormation or a SAM script that will build an entire authentication system: you tell it the domain name, you tell it the application name, it builds it all out, literally. And then what I can do is, you come to my website, you hit login, it pops over to the same domain but just a different domain or subdomain and you authenticate, then it pops you back, okay? You see that all over the place; it's Cognito hosted. So with that, then we bolt an authorizer onto API Gateway, and we say, when they log in with that and you get a token from this authentication, then you validate it. So let me walk you through that. So like I said, you come to my site, you do the sign-in, you're gonna get a set of credentials, or it works, your token back from me. Then your web app is gonna take that token and validate it against the Cognito service
to make sure it's right, and it's gonna get a JWT token back. Then you're gonna pass that on every request against API Gateway. Because it's Cognito, because it's our service, API Gateway already has the keys that it needs to make sure you are who you are, based on the client ID that comes out of Cognito. So it's a very fast authentication: boom, you're in, okay? The last one is what's called a Lambda authorizer. For those of you who raised your hand, who have built their own, this can come in really handy. Look, with one of these, we want to roll off the authorization to API Gateway, but we have our own authentication system. All right, so what you can do is you add a Lambda authorizer at API Gateway, and all it does is it calls a Lambda, and then your logic is run inside the Lambda, okay? And then you pass back a set of credentials to API Gateway: yes, authenticated, or no, I'm not authenticated. So you may be hitting an AD, you may have it, you know, call your mom, say can I come in, whatever you want to do; that logic is done at the Lambda and then it's passed back. So there's a lot of customization you can do there.

All right, so we get past security. The next thing we look at is optimization, and the first thing for optimization is caching, okay? If you don't have a caching store, I would heavily encourage you to look at one, okay? I mean, you may say, look, Eric, our data is so hot, it's so dynamic, we can't cache it, it doesn't make sense. But I would tell you that even if it's a time-to-live of five seconds, you can save, if you're gonna get hammered that fast, you could save some of that responding with the same data, okay? So what you're able to do here is you can turn on caching. It's managed through API Gateway, and it's effective for quick responses and to minimize load on your back end, especially if you're not using a serverless back end and your downstream doesn't have the capacity to respond, right? You can leverage cache keys, and you can do
it on path headers query strings and can be set up by stage or methods so if I have a stage like a development stage I don't want to cache that I want to be able to test on that but my production stage I want to be caching okay so if you're not looking at cash I encourage you to do that the second way to optimize is throttling so those are you using API gateway have you set up throttling anybody okay a couple anybody use throttling elsewhere okay let me explain the throttling story to you on API gate win how it works and why it's helpful okay it comes in four phases let's start with the first one this is that an account level curry and it's really it's at your account but it's at per region what you get are 10,000 requests per second and 5,000 bursts so will you explain what that means let's say I have this hot up-and-coming application and I'm gonna get 5,000 hits at the same millisecond boom right and I get that well API game was gonna go I got you no problem okay but if it's 5,000 and one in the first millisecond it's gonna go okay we kicked that last one out but we handled the first 5,000 okay so that's how it works now if I have 5,000 the first millisecond and then I have 5,000 another 5,000 through the rest of the second that single second I handle them all because I can handle 10,000 per second with the 5,000 burst the fun thing is that's a soft limit if you think you need more than that go to AWS limits and you can raise that up okay you can request a raise on that so but you know evaluate you know how we're doing that now something is critical to know is that is shared across all api's in that region so if I have 17 api's in that region they're sharing 10,000 versus if I put one API per count see how that works I just got 170,000 I'm doing 17 is that my math right yeah my math right okay so that's how the throttling in stage 1 works okay the second way we do it we get my fancy button here is you can do it at a method level okay now this is important so 
let's say you have let's say you do need to have two API is in the same account and one API needs to dominate the bucket right it needs at least 8,000 okay but your second API is again as much I'd go easy on this so you know to that so what you can do is based on the meth and you can go in there you set it on the path or the or the method but it's gonna apply to all of it and you can you can get granular with that you could say this one is gonna have 2000 with a 1000 burst or 15 that you know however you want to do it okay now the thing you need to understand is I can put at the method level I can put 15,000 if I won but guess what I get 10,000 you can put that call it a pipe dream but you're only gonna get 10,000 so method cannot override the account okay it's important to understand so if you need more than 10,000 put it taught you go through the idioms limits and raise it okay so the next one we're gonna look at this is where we call this is called a client level and it's a client level because you you're going to create a data usage plan and you're gonna your use it or use its plan and you're gonna tie an API key to it so this is great if you have a bunch of services that are hitting that you want to limit how many times you don't want them to take all your bandwidth so you say okay this service you use this API key and you're gonna be regulated through the to the usage plane okay and so that just says if you have this key this is your regulation but you can get more granular with that and you could say if you have this key and you're doing a post on this resource this is your regulation okay really cool so let's say you have a service that they can get a bunch from it because you want to protect your downstream we don't want them to post over and over and over so you can say look your post to set at 1000 your get is set at 5,000 okay so you can get really granular throttling and I encourage you even if you're just saying look you know we only get five thousand 
maybe per second we're good plan for the future have it in place right because you don't you don't want to flood it you don't want to go down right I mean it's good you don't want to get rejected you want to be able to manage that and make sure hey I'm not getting hit from other places so that's throw it now the interesting thing about throttling is I told it to you back to front but how API gateways get evaluated is front to back it's gonna look at the per client per method that it's gonna go per client then it's gonna go method that it's gonna go account okay so I understand that and number one can't override number four all right that's throttling security we're just go back to security I'll talk about VPC okay I want to show this I know I've talked about it a couple times but I want to give you a use case for this all right let's say you have a monolithic app anybody have a monolith the gap they're working with all righty you loving that okay that's fun yeah I've spent many times on a monolithic app a lot of questions that you have people come and go how do i how do i migrate and I'd love to tell them well just shut it down rebuild it service Li bring it up you can afford that downtime all right that's not realistic okay that sounds like a great plan do you have anybody else we could talk to okay so what I'm gonna talk about real quick is let's say you've built alright you've got at AWS that's the first step right so we've done this migration over we got it we did a lift and shift it's running monolithic on AWS and now we want to start breaking it out we want to move it to service so what I'm able to do is I can slap an API gateway in front of it but if they're gonna be PC which if it's on ec2 instances it should be in a B PC alright cuz that's first you know the layers of security it's like an onion or a cake right so what you want to do is you can connect to your B PC through the network load balancer it does require that using a V PC link and and you 
initiate the API gateway to set that up you have all the tools that I've been talking about the cognitive eise's resource policies caching all that kind of stuff and it's transparent to user because right now it's just passing the data right to the back end right so you usually go that's fine I don't know so then what you can do is you can say let's say I finally break one of the services out I've got this monolithic I've been able to break this particular type of service out and it's running on lambda I've tested it we're happy with it so I can redirect that on the API gateway to the new service ok it's called the strangler pattern and so eventually what I've done is hopefully I've broken all my services down and I've been able to put them in into service architectures and then I haven't turn off my model at the cap I've strangled it out okay now I'm not gonna tell you that it's zero downtime but it's a minimal downtime and you might be able to do at zero downtime but it will help minimize your downtime so that's one places this comes in really handy all right API gateway stages now I'm gonna tell you best practice here and you're gonna be like what I don't use these and I would encourage you not to unless you have to okay let me tell you why okay so an api gateway we offer different stages that you can use you could have you could add as many stages as you want but you have a deployment stage a prod and and generally what I'll do is it'll look like this my appoint that'll have the hanging off you know prod beta death now you can get rid of that if you do path mapping with custom domains but that's essentially what it goes to now the fun thing here is if I'm running prod beta and dead those are development environments and what do we say about environments what'd I say earlier put them in different accounts because we use sand to build API gateway to build our applications because we're using infrastructure as code it's easy to go build here build here build here 
we're gonna do parameters to do that okay so I encourage if you're using this for separate environments for development don't do that it's complicated it's hard to move stuff around you can set it up if you if you do need to do it what you can do is you can pass variables and say alright if I'm on prod hit this alias in lambda and that alias will trigger this version of bo3 and a beta will hit vo6 and finally dev is bleeding-edge it's at point 9 but this is not again we want to build these in different environments now where this might come in handy is if I have to I have to maintain multiple versions in production of the same API okay that's where this comes in handy hopefully you don't have to do that but sometimes we do so rather than beta prod and dev here it would say v1 v2 v3 okay and that's what you can give your users to do that but you can maintain that and using some of the language templating you can dynamically choose where you're gonna point that on the back end and I've actually had that question hey we have some stuff coming in on a header how to just yesterday how do I choose my back end where you can dynamically do that at the stages alright so let's talk about releasing real quick did you know you could stagger how your api gateway is released now to be clear this is not the application itself it may be part of the application because you may be moving out changes to the API gateway while you're making changes to the rest of the application or you might just be pushing changes to that you could just write in the console you might be pushing changes to the API gateway itself and you need to stagger this so we do what's called a canary release okay and the idea here is I'm going to do in percent of traffic for X direction so I'm gonna say I want you to run 20% of my traffic for an hour and I'm gonna metrics the craziness out of it okay I'm gonna have metrics on it I'm gonna have people watching okay so then if all goes well the in the canary goes 
away and prod becomes that that +1 okay it's the new data okay or if it doesn't go well it stops shifting traffic over to there and you stay at your current version all right so you don't have to go blind on deployment okay you can yeah like you look we're just gonna put it out all at once we're gonna get Friday at 7 p.m. because we're that confident ok I call that silly okay that's a nice word for what I'm thinking that's stupid right now sometimes you know if we have testing things wrapped around it but you can test these so you know I'm gonna put a little bit out I want just 2% of my traffic I don't watch what metrics look like okay all right so next thing we're gonna talk about is security a little bit more security is the Web Application Firewall anybody using a laugh then that to be ours a wife in general ok laughs it fun laughs are hard laughs are joyful so what wife's come in really handy and you can bolt a wife as a web application firewall and you can bolt a web application firewall to wreck beyond API gateway right so if I create one and then I go into my stage that can be per stage I can add it and prod staged about dev v1 v2 however I want to do it and I turn it on and I apply it and I deploy my changes from then on any changes I make to the web are instantaneous and here's where that comes in helpful let's say I need to blacklists some some IPS or some cider ranges let's say I want to do some geo blacklisting let's say I want to do some sequel injection monitoring or I want to do some packet size hey you can't push any bigger than six which is our limit on on API gateway which by the way is the limit also on the new HTTP API so you have a bigger packet level coming through than some of the other options but if you need to limit it down to three instead of six because of your back-end you do a wife to do it yeah for black listing a white listing it's not the first place I'd go I would actually go to a resource policy and I'll tell you why in just a 
minute so we're gonna talk about that but this is a good way to handle different things like that all right monitor your metrics man so in a previous life I used to work for a partner and I loved it I was a Solutions Architect and I always like sitting down I would say all right tell me about your monitoring in your logging story are you are you collecting data oh yeah we're collecting data we are collecting it like crazy great what are you doing with that data we're collecting it okay then what do you do with it and they always look at me like I'm an idiot well we store it all right so is he useful absolutely useful okay so you're paying for storage when do you use it when something goes wrong okay that's fair something goes wrong we're gonna check our logs okay but let me give you a tip how about when something starts to go wrong or how about when something seems hinky or how about when we get some latency it's working because here's the true that if you've developed for any amount of time if you've done operations you know web sites are not boolean applications are not bulan it's up orts down now there is that because we all know what sums down because it always happens in the middle of the night when we're asleep because that's how life works right but what we know is they could degra nate or degrade I think is the word I was looking for right there's there's levels of down this it might be working but we're getting latency we're getting 20% errors things like that metrics allow you to monitor that and with API gateway it's no different you can dump logs in you can get and we'll talk about logs in a minute but you have Amazon CloudWatch you have Amla or any BS x-ray cloud trail config a real quick and Amazon Cloud watch you're gonna see the 400 airs the 500 airs and you can set metrics you can say hey if I get so many for hundreds call my wife she doesn't like it but I guarantee you I respond better ok get out of bed and fix it okay if I get so you can set 
those kind of metrics right with a DBS X ray welcome to distributed applications right distributed applications finding out the problem can sometimes be difficult because it's like where in the world is this happening with X ray it lets us see hey i'm latent here I'm getting percentage of errors here I'm getting a drag on my DynamoDB here so you're able to see that in a trace map you're able to drill down I on all my apps the first thing I do is flip on tracing I mean I may turn it off for production but in development I flip it on I actually leave it on a production as well right AWS cloud trail here's what I call any Miss cloud shell it is the cover my backside service ok let me tell you why anybody use cloud shell right now good all right the rest of you raise your hands next time okay cuz we're in my head I'm thinking you're nuts ok here's the thing when I was a consultant when I worked in contracting the first thing I would do is I'd flip on cloud trails and one night it was a Friday night I got a call and they were in panic which I don't know why they weren't in production yet but whatever they were in panic they said you have deleted all of our lambdas which had truth they were like 7 but you'd think the way he was Targa's like 9 million you've deleted all our lambdas and I litter is like no I just ate a pizza and watched a movie nope you deleted our lambdas I said all right let me get right back to you I hung up the phone I got in the account I looked up cloud trails I found the offending developer that was not my name I took a screenshot of it I put him I brought him back up I did bring the Lambos back up I emailed him the screenshot and said I'm going back to my pizza okay this is a great way to know what's going on it's an internal auditing for lack of a better term and then finally a double yes config where you can actually set a kind of a desired state this is what Ari this is what it should look like these are the things we can use if we go outside 
the boundary of that I need to know all right so that's some that's some governance wrapped around that so say that we have is logging two types of logs execution logs great for debugging and troubleshooting issues error you get error info level you log for requests and responses it comes really handy okay you can also have access logs ok customize log format you need to see a left with the standard you can customize how you want it found this is really handy too you can dump these in you can't hurt now I'm going back I just store them but you can you can dump these directly I haven't peaked there because we just added you can directly drop these in in fire hoses so you can do real-time analytics on this so as data is coming in I drop it into firehose it goes up to Kinesis data analytics and I'm looking at a dashboard that's showing me what's going on ok if you and that's something you can build out if you don't want to build that out look at one of the partners and this isn't a sales pitch but look at something look at one of our partners because they build that and they build that observability they work on that all day long and you might see the I'll say some money I don't have to build that right now how many of does anybody build API is it stuff for lots of different people lots of different customers we have different api's ok I encourage you to look at the developer portal this is literally just an app that we put in our server this application repository that you can it helps you do API self discovery API registration and key generation you do api monitoring usage documentation testing and then that last one is what i referred to earlier this session is the sdk generation let me show you a little bit of that okay what the developer portal I can go in hey here's my family back in this is a port this is a ap I'm using for another session we ended this year and these are some of the this is some of the ways I can test it I can look at documentation I can see 
the different portals going down the side there I can search on things okay the next thing is I can go in and as a user if I have access to it I've logged in or created a user I've got access and I can create an API key and I just can subscribe to a usage plan and then I could see how much am I doing this okay how much what am i statistics look like okay and then finally this is the one on this API back-end I was telling you if I needed to use an IM permissions or I need to have a way to to init to integrate with my system and I'm using iOS or objective-c or Swift I'm using Java Ruby Android Java Script you can export your SDK and this is highly recommended if nothing else just to see how it's being done okay get the libraries you need it'll handle the thief sig before authentication signatures all that kind of things so really handy to look at and see how that's done now earlier I told you that if you needed to blacklist or whitelist I wouldn't do it at the laughs it is a place to do it and if you need instant changes that's a good place but you can do resource policies on on epi gateway and this is a great way to say hey I only want my corporate data center at this IP or this side are blocked to be able to reach my API boom lockdown okay I only want I want a bad add you know I need a black but I'm giving some IPS that are that are hitting me really weird I'm gonna block those out I'm getting some you know whatever I'm gonna I'm gonna localize this to a certain VP CID or an organization ID so you can do that through a resource policy it looks a lot like an ion policy okay you have a you have a source and a target and how you want to block that okay so that's that's resource policies the other thing is client certificates okay on API gateway you can actually create a client certificate I'm going to generate a client certificate I'm going to pass it off to my I'm gonna pass the public keys and stuff to my back end now this idea is great if you run like I mean 
anywhere you can do it but like ec2 instances things like that where I trust but I'm gonna verify and man there's nothing wrong with that right trust but verify so my back in can get that client they could check it against the key and they can say hey this is the person I know that can has rights to get there and this is really handy if I'm crossing accounts if I'm doing some migration stuff all kinds of stories there alright just a couple more features and then we'll wrap this up here next one I point out to you can do custom domains right in API gateway a lot of times I go out man that one two three four five dot X Q dot API dot US east one blue that's a long one okay I don't want to use that when I built that URL shortener I somehow snagged the domain I was so proud of it's called slipped link so that's really cool so I was able to slap that right into a custom domain you can also just recently in the last month or so we added two wild-card domain support ok so then what I can do is I can have multiple domains in an account ok let's say for this I'm let's say I'm building a single application but I want to break it down into some logistical separation and I could have one two three applications then I could point when I'm doing my custom domain because it's not tied to one single API it's part of the API service so I can say create this API it's custom IPI and if they hit cars hit this dumb this API gateway instance if they had dogs hit this one if they hit cats just throw it out I'm not a cat lover I'm not gonna lie my my six-year-old loves cats I'm allergic to cats okay so she actually asked me of the day she said hey if you die can we have a cat there's no point to that so I owe you like five seconds of your life but I just thought of it so anyway so you can you can break that out different domains and the last thing is kind of where we started okay I told you you could do things to the console if you're looking to learn how to do API gateway and you're 
trying to figure out what does that look like and swagger what does that look like it whatever well you could build it in the console and then you can export it as a swagger template or an open API now if you get confused between those swagger is just the older version of open API so really let's just say open API okay so you can export that and you can actually say export it with the special API API gateway tags in it and then you can actually take that template drop it in Sam template launch it again okay so it's a great way to learn it it's not pretty I'm not gonna lie but I'm not pretty and they let me talk so there it is folks I appreciate your time I encourage if you can we do some service training check this out and also follow me on Twitter if you can't I again I talk about service all the time I hope that you learned something today we're gonna we're gonna clear out just a few but I'm glad to answer questions I encourage you to hit me on Twitter that's one of the best ways I hope you have a great reinvent have a good day [Applause]
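The Lambda authorizer the talk describes, as an added example that is not part of the session or of AWS's own code: a TOKEN-type authorizer that verifies an HMAC-signed bearer token (a constructed token format, with a placeholder secret, constructed subjects and a constructed method ARN) and hands API Gateway back the Allow/Deny policy document it expects; a missing, tampered or expired token raises the `Unauthorized` exception that API Gateway turns into a 401, while an unknown but validly signed subject gets a Deny (403).

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo secret. A real authorizer would fetch this from Secrets Manager
# or SSM Parameter Store rather than fall back to a hard-coded default.
SECRET = os.environ.get("AUTHZ_SECRET", "constructed-demo-secret").encode()
# Constructed set of principals allowed to invoke the API.
ALLOWED_SUBJECTS = {"svc-orders", "svc-billing"}

def b64u(raw):
    """base64url without padding, as used by the constructed token format."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject, ttl_seconds, now=None):
    """Issue '<b64url(payload)>.<b64url(hmac-sha256)>' (constructed token format)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subject, "exp": now + ttl_seconds}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64u(payload) + "." + b64u(sig)

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64u_decode(payload_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        # Constant-time comparison: never compare MACs with ==.
        if not hmac.compare_digest(expected, b64u_decode(sig_b64)):
            return None
        claims = json.loads(payload)
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
    except (ValueError, TypeError):
        return None
    return claims

def build_policy(principal_id, effect, method_arn, context):
    """Response shape API Gateway expects back from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                # API Gateway caches this result per token for the authorizer's TTL,
                # so Resource should cover every method this caller may hit.
                "Resource": method_arn,
            }],
        },
        "context": context,
    }

def handler(event, _lambda_context=None, now=None):
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn.
    Raising 'Unauthorized' makes API Gateway answer 401; a Deny policy yields 403."""
    header = event.get("authorizationToken", "")
    if not header.startswith("Bearer "):
        raise Exception("Unauthorized")
    claims = verify_token(header[len("Bearer "):], now)
    subject = claims.get("sub") if claims else None
    if not subject:
        raise Exception("Unauthorized")
    effect = "Allow" if subject in ALLOWED_SUBJECTS else "Deny"
    return build_policy(subject, effect, event["methodArn"], {"sub": subject})
```

The `now` parameter exists only so the expiry check can be exercised deterministically; API Gateway invokes `handler(event, context)` and the wall clock is used.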
Info
Channel: AWS Events
Views: 45,429
Keywords: re:Invent 2019, Amazon, AWS re:Invent, SVS212-R2, Serverless, Amazon API Gateway
Id: yfJZc3sJZ8E
Length: 56min 25sec (3385 seconds)
Published: Mon Dec 09 2019