Endpoints

An API endpoint type determines the hostname of the API:
  • Edge-optimized: Routes traffic to the nearest CloudFront Point of Presence. This is the default endpoint type for API Gateway REST APIs.
  • Regional: Intended for clients in the same region.
  • Private: Accessible only from your VPC using an interface endpoint.
AWS docs

Integrations

There are five integration types:
  • AWS: Exposes AWS service actions. Requires integration request and response mappings.
  • AWS_PROXY: Exposes AWS Lambda functions. Does not require integration request and response mappings, passing data as-is from the client.
  • HTTP: Exposes HTTP endpoints. Requires integration request and response mappings.
  • HTTP_PROXY: Exposes HTTP endpoints as-is. Does not require integration request and response mappings.
  • MOCK: Returns a response without actually sending a request.
AWS docs: API Integration Types

Custom Domain Names

Use your own domain names instead of the default ones generated by API Gateway. Things to keep in mind:
  • You can disable the default endpoint for your API. Clients attempting to connect to the default endpoint will receive a 403 Forbidden status code.
  • A Regional custom domain name can be associated with REST APIs and HTTP APIs.
  • A custom domain name must be unique within a Region across all AWS accounts.
  • You can migrate your custom domain name between edge-optimized and Regional endpoints, but you cannot migrate a public custom domain to a private custom domain.
  • You must create or update your DNS provider's resource record to map it to your API endpoint.
  • You can support a large number of domain names without exceeding the default quota by using a wildcard certificate.
  • You can select a security policy for your custom domain name.
  • To configure API mappings with multiple levels, you must use a Regional custom domain name and the TLS 1.2 security policy.
AWS docs: Custom Domain Names

General

Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale.
  • API Gateway creates RESTful APIs that:
    • Are HTTP-based.
    • Enable stateless client-server communication.
    • Implement standard HTTP methods such as GET, POST, PATCH, and DELETE.
  • API Gateway creates WebSocket APIs that:
    • Adhere to the WebSocket protocol.
    • Route incoming messages based on message content.
AWS docs: API Gateway General Features

REST and HTTP

REST APIs and HTTP APIs are both RESTful API products:
  • Choose REST APIs if you need features such as API keys, per-client throttling, request validation, AWS WAF integration, or private API endpoints.
  • Choose HTTP APIs if you don't require the additional features included with REST APIs.
AWS docs

Concepts

In Amazon API Gateway, you build a REST API as a collection of programmable entities known as API Gateway resources.
AWS docs: API Gateway REST API Concepts

Mapping Templates

You can transform your data to:
  • Match the payload to a format specified by the API.
  • Override an API's request and response parameters and status codes.
  • Return client-selected response headers.
  • Associate path parameters, query string parameters, or header parameters in the method request of an HTTP proxy or AWS service proxy.
  • Select which data to send when integrating with AWS services (e.g., DynamoDB, Lambda functions) or HTTP endpoints.
AWS docs: Mapping Templates

Gateway Responses

A gateway response is a response generated by the API Gateway service itself rather than by your integration. It is sent when the service cannot process a request. By default, the error response contains a short message; both the message and the response headers can be customized. Note:
  • VTL mapping templates cannot be used for gateway responses.
  • Only simple variable substitutions (without conditions and loops) are allowed.
AWS docs: Gateway Responses

Request Validation

Validate request parameters in the URI, query string, headers, and/or the request body (using a JSON schema).
AWS docs: Request Validation

Caching

Enable caching for specific requests. Limitations include:
  • The default TTL is 300 seconds, which can be adjusted up to 3600 seconds.
  • The maximum size of the response that can be cached is approximately 1 MB.
  • Only GET methods have caching enabled by default, but this setting can be modified.
  • Caching is billed on an hourly basis.
AWS docs: Caching Overview

WebSocket API

API Gateway WebSocket APIs enable bidirectional communication. Clients can send messages to a service, and the service can independently send messages back to clients.
AWS docs: WebSocket API Overview

API Authorization

There are three ways to authorize access to APIs:
  • Using IAM permissions.
  • Using tokens from an Amazon Cognito user pool.
  • Using a Lambda custom authorizer.
AWS docs

Lambda Authorizer

Use a Lambda authorizer to implement a custom authorization scheme. There are two types of Lambda authorizers:
  • Request Authorizer: Receives the caller's identity in a combination of headers, query string parameters, and stage variables.
  • Token Authorizer: Receives the caller's identity in a bearer token, such as a JWT or OAuth token.
The function can authenticate in the following ways:
  • By calling an OAuth provider to get an OAuth access token.
  • By calling a SAML provider to get a SAML assertion.
  • By generating an IAM policy based on the request parameter values.
  • By retrieving credentials from a database.
AWS docs: Lambda Authorizer Scheme
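A minimal TOKEN-type Lambda authorizer of the kind this section describes, added here as an illustration and not taken from AWS's code or docs: it verifies an HS256 bearer JWT and then returns the IAM policy document that API Gateway enforces on the `methodArn`. The shared secret, the `orders:read` scope and the `mint_hs256_jwt` helper (used only to build a test token offline) are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed HS256 secret for this example only; a real authorizer would load the
# verification key from Secrets Manager or the issuer's JWKS (assumption, not AWS code).
SECRET = b"example-hs256-secret-not-for-production"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Issue a test token so the example runs offline (the issuer's job, not the authorizer's)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256_jwt(token: str, secret: bytes, now: float) -> dict:
    """Return the claims of a valid HS256 JWT; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    # Pin the algorithm: never let the token choose how it is verified (rejects alg=none).
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def build_policy(principal_id: str, effect: str, method_arn: str, ctx: dict) -> dict:
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
            "context": ctx}

def handler(event: dict, context=None, now=None) -> dict:
    """TOKEN authorizer: bearer token arrives in authorizationToken, target in methodArn."""
    token = event.get("authorizationToken", "").split(" ", 1)[-1]  # drop "Bearer " prefix
    try:
        claims = verify_hs256_jwt(token, SECRET, time.time() if now is None else now)
    except ValueError:
        raise Exception("Unauthorized")  # API Gateway turns this exact message into a 401
    # A verified caller without the required scope gets an explicit Deny (403 to the client).
    effect = "Allow" if "orders:read" in claims.get("scope", "").split() else "Deny"
    return build_policy(claims["sub"], effect, event["methodArn"], {"scope": claims.get("scope", "")})
```

The `context` values returned alongside the policy are what `$context.authorizer.*` exposes to mapping templates and access logs for the same request.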

API Keys

API Gateway usage plans can be used as product offerings for your customers. API keys help control the number of API calls per client. Key points:
  • API keys must be unique.
  • An API key can be associated with multiple usage plans, and a usage plan can be associated with multiple stages.
  • A throttling limit specifies the threshold at which request throttling begins. This can be configured at the API or API method level.
  • A quota limit sets the maximum number of requests allowed with a given API key within a specific time interval.
  • Throttling and quota limits apply to individual API keys and are aggregated across all API stages within a usage plan.
AWS docs: API Key Usage

Security

Protect your API Gateway using the following methods:
  • Mutual TLS: Requires two-way authentication between the client and the server. Clients must present X.509 certificates to verify their identity before accessing the API.
  • SSL Certificate Verification: Use API Gateway to generate an SSL certificate and use its public key in the backend to verify that HTTP requests to your backend system originate from API Gateway.
  • AWS WAF: Configure a web access control list (web ACL) with customizable rules and conditions to allow, block, or count web requests.
  • Throttling: Configure throttling and quotas to prevent your APIs from being overwhelmed by excessive requests.
AWS docs