In July 2015, AWS announced Amazon API Gateway. This enabled developers to build secure, scalable APIs quickly in front of a variety of different types of architectures. Since then, the API Gateway team continues to build new features and services for customers.

Figure 1: API Gateway feature highlights timeline

In early 2019, the team evaluated the current services and made plans for the next chapter of API Gateway. They prototyped new languages and technologies, applied lessons learned from building the REST and WebSocket APIs, and looked closely at customer feedback. The result is HTTP APIs for Amazon API Gateway, a service built from the ground up to be faster, lower cost, and simpler to use. In short, HTTP APIs offers a better solution for building APIs. If you are building an API and HTTP APIs fit your requirements, this is the place to start.

Faster

For the majority of use cases, HTTP APIs offers up to 60% reduction in latency. Developers strive to build applications with minimal latency and maximum functionality. They understand that each service involved in the application process can introduce latency.

Figure 2: All services add latency

With that in mind, HTTP APIs is built to reduce the latency overhead of the API Gateway service. Combining both the request and response, 99% of all requests (p99) have less than 10 ms of additional latency from HTTP API.

Lower cost

At Amazon, one of our core leadership principles is frugality. We believe in doing things in a cost-effective manner and passing those savings to our customers. With the availability of new technology, and the expertise of running API Gateway for almost five years, we built HTTP APIs to run more efficiently.

Figure 3: REST/HTTP APIs price comparison

Using the pricing for us-east-1, figure 3 shows a cost comparison for 100 million, 500 million, and 1 billion requests a month. Overall, HTTP APIs is at least 71% lower cost compared to API Gateway REST APIs.

Simpler

On the user interface for HTTP API, the API Gateway team has made the entire experience more intuitive and easier to use.

Figure 4: CORS configuration

Another example is the configuration of cross origin resource scripting (CORS). CORS provides security by controlling cross-domain access to servers and can be difficult to understand and configure. HTTP APIs enables a developer to configure CORS settings quickly using a simple, easy-to-understand UI. This same approach throughout the UI creates a powerful, yet easy approach to building APIs.

New features

HTTP APIs beta was announced at AWS re:Invent 2019 with powerful features like JWT authorizers, auto-deploying stages, and simplified route integrations. Today, HTTP APIs is generally available (GA) with more features to help developers build APIs faster, lower cost and better.

Private integrations

HTTP APIs now offers developers the ability to integrate with resources secured in a Amazon VPC. When developing with technologies like containers via Amazon Elastic Container Service (ECS) or Amazon Elastic Kubernetes Service (EKS), the underlying Amazon EC2 clusters must reside inside a VPC. While it is possible to make these services available through Elastic Load Balancing, developers can also take advantage of HTTP APIs to front their applications.

Figure 5: VPC link configuration

To create a private integration, you need a VPC link. VPC links take advantage of AWS Hyperplane, the Network Function Virtualization platform used for Network Load Balancer and NAT Gateway. With this technology, multiple HTTP APIs can use a single VPC link to a VPC. Likewise, multiple REST APIs can use a REST APIs VPC link.

Figure 6: Private integration configuration

Once a VPC link exists, you can configure an HTTP APIs private integration using a Network Load Balancer (NLB), an Application Load Balancer (ALB), or the resource discovery service, AWS Cloud Map.

Custom domain cross compatibility

Amazon API Gateway now offers the ability to share custom domains across REST APIs and HTTP API. This flexibility allows developers to mix and match between REST APIs and HTTP APIs while building applications.

Figure 7: Custom domain cross compatibility

Previously, when building applications needing a consistent domain name, developers could only use a single type of API. Because applications often require features only available on REST, REST APIs are a common choice. From today, you can distribute these routes between HTTP APIs and REST APIs based on feature requirement.

Request throttling

HTTP APIs now offers the ability to do granular throttling at the stage and route level. API throttling is an often-overlooked API feature that is critical to the health of APIs and their infrastructure. By default, API Gateway limits the steady-state request rate to 10,000 requests per second (rps) with a 5,000 request burst limit. These are soft limits and can be raised via AWS Service Quotas.

HTTP APIs has the concept of stages that can be used for different purposes. Applications can have dev, beta, and prod stages on the same API. Additionally, for backwards compatibility, you can configure multiple production stages of the same API. Each stage has optional burst and rate limit settings that override the account level setting of 10,000 rps.

Figure 8: Stage level throttling

Throttling can also be set at the route level. A route is a combination of the path and method. For example, the GET method on a root path (/) combine to make a route. At the time of this writing, route level throttling must be created with the AWS Command Line Interface (CLI) or an AWS SDK. To set the throttling on a route of / [ANY] on the $default stage, use the following CLI command:

aws apigatewayv2 update-stage --api-id <your API ID> --stage-name $default --route-settings '{"ANY /": {"ThrottlingBurstLimit":1000, "ThrottlingRateLimit":2000}}'

Stage variables

HTTP APIs now supports the use of stage variables to pass dynamic data to the backend integration or even define the integration itself. When a stage is defined on HTTP API, it creates a new path to the backend integration. The following table shows a domain with several stages:

Stage Path $default www.mydomain.com dev www.mydomain.com/dev beta www.mydomain.com/beta

When you access the link for the dev stage, the dev stage variables are passed to the backend integration in the event object. The backend uses this information when processing the request. While not a best practice for passing secrets, it is useful for designating non-secret data, like environment-specific endpoints or feature switches.

Stage variables are also used to dynamically define the backend integration. For example, if the integration uses one AWS Lambda function for production and another for testing, you can use stage variables to dynamically route to the appropriate Lambda function as shown below:

Figure 9: Dynamically choosing an integration point

When building dynamic integrations, it is also important to update permissions accordingly. HTTP APIs automatically adds invocation rights when an integration points to a single Lambda function. However, when using multiple functions, you must create and manage the role manually. Do this by turning off the Grant API Gateway permission to invoke your Lambda function option and entering a custom role with the appropriate permissions.

Figure 10: Integration custom role

Lambda payload version 2.0

HTTP APIs now supports an updated event payload and response format for the Lambda function integration. Version 2.0 payload simplifies the format of the event object sent to the Lambda function. Here is a comparison of the event object that is sent to a Lambda function in version 1.0 and 2.0:

Version 1.0

{ "version": "1.0", "resource": "/Echo", "path": "/Echo", "httpMethod": "GET", "headers": { "Content-Length": "0", "Host": "0000000000.execute-api.us-east-1.amazonaws.com", "User-Agent": "TestClient", "X-Amzn-Trace-Id": "Root=1-5e6ab926-933e1530e55773a0709dfaa6", "X-Forwarded-For": "1.1.1.1", "X-Forwarded-Port": "443", "X-Forwarded-Proto": "https", "accept": "*/*", "accept-encoding": "gzip, deflate, br", "cache-control": "no-cache", "clientInformation": "private", "cookie": "Cookie_2=value; Cookie_3=value; Cookie_4=value" }, "multiValueHeaders": { "Content-Length": [ "0" ], "Host": [ "0000000000.execute-api.us-east-1.amazonaws.com" ], "X-Amzn-Trace-Id": [ "Root=1-5e6ab926-933e1530e55773a0709dfaa6" ], "X-Forwarded-For": [ "1.1.1.1" ], "X-Forwarded-Port": [ "443" ], "X-Forwarded-Proto": [ "https" ], "accept": [ "*/*" ], "accept-encoding": [ "gzip, deflate, br" ], "cache-control": [ "no-cache" ], "clientInformation": [ "public", "private" ], "cookie": [ "Cookie_2=value; Cookie_3=value; Cookie_4=value" ] }, "queryStringParameters": { "getValueFor": "newClient" }, "multiValueQueryStringParameters": { "getValueFor": [ "newClient" ] }, "requestContext": { "accountId": "0000000000", "apiId": "0000000000", "domainName": "0000000000.execute-api.us-east-1.amazonaws.com", "domainPrefix": "0000000000", "extendedRequestId": "JTHd9j2EoAMEPEA=", "httpMethod": "GET", "identity": { "accessKey": null, "accountId": null, "caller": null, "cognitoAuthenticationProvider": null, "cognitoAuthenticationType": null, "cognitoIdentityId": null, "cognitoIdentityPoolId": null, "principalOrgId": null, "sourceIp": "1.1.1.1", "user": null, "userAgent": "TestClient", "userArn": null }, "path": "/Echo", "protocol": "HTTP/1.1", "requestId": "JTHd9j2EoAMEPEA=", "requestTime": "12/Mar/2020:22:35:18 +0000", "requestTimeEpoch": 1584052518094, "resourceId": null, "resourcePath": "/Echo", "stage": "$default" }, "pathParameters": null, "stageVariables": null, "body": null, "isBase64Encoded": true }

Version 2.0

{ "version": "2.0", "routeKey": "ANY /Echo", "rawPath": "/Echo", "rawQueryString": "getValueFor=newClient", "cookies": [ "Cookie_2=value", "Cookie_3=value", "Cookie_4=value" ], "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "cache-control": "no-cache", "clientinformation": "public,private", "content-length": "0", "host": "0000000000.execute-api.us-east-1.amazonaws.com", "user-agent": "TestClient", "x-amzn-trace-id": "Root=1-5e6ab967-cfe253ce6f8b90986a678c40", "x-forwarded-for": "1.1.1.1", "x-forwarded-port": "443", "x-forwarded-proto": "https" }, "queryStringParameters": { "getValueFor": "newClient" }, "requestContext": { "accountId": "0000000000", "apiId": "0000000000", "domainName": "0000000000.execute-api.us-east-1.amazonaws.com", "domainPrefix": "0000000000", "http": { "method": "GET", "path": "/Echo", "protocol": "HTTP/1.1", "sourceIp": "1.1.1.1", "userAgent": "TestClient" }, "requestId": "JTHoQgr2oAMEPMg=", "routeId": "47matwk", "routeKey": "ANY /Echo", "stage": "$default", "time": "12/Mar/2020:22:36:23 +0000", "timeEpoch": 1584052583903 }, "isBase64Encoded": true }

Additionally, version 2.0 allows more flexibility in the format of the response object from the Lambda function. Previously, this was the required format of the response:

{ “statusCode”: 200, “body”: { “Name”: “Eric Johnson”, “TwitterHandle”: “@edjgeek” }, Headers: { “Access-Control-Allow-Origin”: “https://amazon.com” } }

When using version 2.0, the response is simpler:

{ “Name”: “Eric Johnson”, “TwitterHandle”: “@edjgeek” }

When HTTP APIs receives the response, it uses data like CORS settings and integration response codes to populate the missing data.

By default, new Lambda function integrations use version 2.0. You can change this under the Advanced settings toggle for the Lambda function integration. The version applies to both the event and response payloads. If you choose version 1.0, the old event format is sent to the Lambda function and the full response object must be returned.

Figure 11: Lambda integration advanced settings

OpenAPI/Swagger support

HTTP APIs now supports importing Swagger or OpenAPI configuration files. This makes it simple to migrate from other API Gateway services to HTTP API. When importing a configuration file, HTTP APIs implements all supported features and reports any features that are not currently supported.

AWS Serverless Application Model (SAM) support

At the time of this writing, the AWS Serverless Application Framework (SAM) supports most features released in beta at re:Invent 2019. AWS SAM support for many GA features is scheduled for release by March 20, 2020.

Conclusion

For almost five years, Amazon API Gateway has enabled developers to build highly scalable and durable application programming interfaces. It has allowed the abstraction of tasks like authorization, throttling, and data validation from within the application code to a managed service. With the introduction of HTTP APIs for Amazon API Gateway, developers can now use this powerful service in a faster, lower cost, and better way.