AWS API Gateway: Technical Reference & Operational Intelligence
Executive Summary
AWS API Gateway is a managed API service that handles authentication, rate limiting, and routing. Critical cost difference: REST APIs cost $3.50/million requests vs HTTP APIs at $0.90-$1.00/million requests (71% cheaper). Default limits: 10,000 requests/second per account ($35K/month at max on REST APIs).
Service Types & Decision Matrix
| Feature | REST API | HTTP API | WebSocket API |
|---|---|---|---|
| Cost per million requests | $3.50 | $0.90-$1.00 | $1.00 |
| Use when | Need full features | Need speed/cost optimization | Real-time communication required |
| Authentication | IAM, Cognito, API Keys, Lambda | IAM, Cognito, JWT, Lambda | IAM, Lambda only |
| Built-in caching | ✅ ($0.02/GB/hour) | ❌ | ❌ |
| Request validation | ✅ | ❌ | ❌ |
| AWS WAF protection | ✅ | ❌ | ❌ |
| Private endpoints | ✅ (VPC Links required) | ❌ | ❌ |
| Performance | Standard | Up to 71% faster | Persistent connections |
Critical Configuration Requirements
Production Settings That Work
- Choose HTTP APIs over REST APIs unless you specifically need caching, request validation, or AWS WAF
- Use regional endpoints instead of edge-optimized (simpler, faster, cheaper)
- Enable CloudWatch logging before production - costs extra but essential for debugging
- Set custom domains early - execute-api URLs are ugly and can't be changed
Resource Requirements
- Time investment: 2-4 hours for basic setup, 1-2 days for production-ready configuration
- Expertise needed: Basic AWS knowledge, understanding of HTTP/REST principles
- Additional costs: ACM certificates (free), CloudWatch logs ($0.50/GB), caching ($0.02/GB/hour)
Critical Failure Modes & Solutions
502 Errors (Common)
Root causes:
- Lambda cold starts (500ms+ delay)
- Backend timeouts (30-second limit)
- Lambda function crashes
Solutions:
- Use provisioned concurrency ($41.67/month per GB)
- Implement proper error handling in Lambda
- Monitor CloudWatch logs for "Task timed out" messages
CORS Errors (Extremely Common)
Failure pattern: Browser shows generic CORS error, actual cause unclear
Hidden requirements:
- Enable CORS on both resource AND methods
- Handle OPTIONS method separately for preflight
- Set
Access-Control-Allow-Credentials: truewhen using authentication - Don't use
*for origins with credentials
"Missing Authentication Token" Error
Reality: Usually means wrong URL, not authentication issue
Common causes:
- Wrong stage path (
/prod/usersvs/users) - HTTP method not deployed
- Forgot to deploy after changes
- Custom domain base path mapping broken
Cost Explosions
Warning signs:
- Edge-optimized APIs can double CloudFront costs
- Caching fees apply whether used or not ($0.02/GB/hour)
- Traffic spikes can cause $2K+ overnight bills
Performance Thresholds & Bottlenecks
Critical Limits
- Payload limit: 6MB (hard limit)
- Timeout: 30 seconds for Lambda integrations
- Default throttling: 10,000 requests/second per account
- Cold start impact: 500ms+ for first request, 8+ seconds for Java Spring Boot
Real-World Performance
- CloudWatch logs delay: 5-10 minutes to appear
- Cache propagation: 5-10 minutes for invalidation
- Custom domain setup: ~20 minutes if everything works
- VPC cold starts: 15+ seconds if ENIs aren't warm
Hidden Costs & Trade-offs
Edge-Optimized Reality
- Marketing claim: Better global performance
- Reality: Often doubles CloudFront bill without significant benefit
- When it helps: Truly global user base with latency-sensitive operations
Caching Economics
- Cost: $0.02/GB/hour whether used or not
- Break-even: Only valuable for frequently accessed, slowly changing data
- Hidden cost: Manual cache invalidation adds operational overhead
Lambda Integration Costs
- Provisioned concurrency: $10.80/month for 1GB function running 24/7
- When worth it: APIs with strict latency requirements
- Alternative: Periodic pings to keep functions warm (cheaper but less reliable)
Integration Patterns & Limitations
Direct AWS Service Integration
Supports: DynamoDB, S3, SNS (without Lambda)
Benefits: Lower latency and cost
Limitations: No custom logic, limited transformations
Best for: Simple CRUD operations
VPC Integration
Requires: Network Load Balancer (additional cost)
Complexity: High - requires VPC Links configuration
Availability: REST APIs only
Use case: Private services that shouldn't be internet-accessible
Monitoring & Debugging Strategy
Essential Metrics to Track
- Count: Total request volume (billing impact)
- Latency: Response time breakdown
- 4XXError/5XXError: Error rates
- ThrottleCount: Rate limiting hits
X-Ray Tracing
- Availability: REST APIs only
- Cost: Additional charges apply
- Value: Essential for distributed debugging
- Setup time: 30 minutes for basic configuration
Migration & Breaking Changes
From REST to HTTP APIs
Benefits: 71% cost reduction, better performance
Losses: Caching, request validation, AWS WAF
Migration effort: 1-2 days for typical API
Compatibility: Not drop-in replacement
Common Migration Gotchas
- Custom domain certificates need reconfiguration
- CloudFormation templates require complete rewrite
- Monitoring dashboards break (different metric names)
Decision Criteria
Choose REST APIs when:
- Need built-in caching
- Require request validation
- Need AWS WAF protection
- Working with private VPC services
Choose HTTP APIs when:
- Cost optimization is priority
- Building simple proxy APIs
- Don't need advanced features
- Performance is critical
Choose WebSocket APIs when:
- Real-time communication required
- Chat applications, live dashboards
- Gaming backends
- Connection persistence needed
Production Readiness Checklist
Before Going Live
- Enable CloudWatch logging
- Set up billing alarms ($100, $500, $1000)
- Configure custom domains with ACM certificates
- Test CORS configuration thoroughly
- Implement proper error handling in Lambda functions
- Set up monitoring dashboards
- Plan for traffic spikes (request limit increases)
Operational Monitoring
- CloudWatch metrics for latency and errors
- Billing alerts for cost control
- Log analysis for debugging patterns
- Regular performance testing under load
Community Intelligence
What Documentation Doesn't Tell You
- Deployment stages confuse everyone - "prod" and "production" are different
- CORS error messages are intentionally unhelpful
- Cache invalidation is manual and slow
- VPC integration adds significant complexity
- Default settings will fail in production scenarios
Support Quality
- AWS Support requires 20-question interrogation for limit increases
- Community solutions often better than official documentation
- GitHub issues contain more practical information than AWS docs
- Stack Overflow has battle-tested CORS solutions
Useful Links for Further Investigation
Resources That Actually Help
| Link | Description |
|---|---|
| API Gateway Developer Guide | The actual manual. Comprehensive but dense - bookmark the sections you need instead of reading cover to cover. |
| API Gateway Pricing | The page you'll reference constantly. Know the numbers before you deploy to production. |
| Getting Started Tutorials | The getting started tutorials actually work (rare for AWS docs). Start here if you're new to API Gateway. |
| Service Limits and Quotas | The constraints that will bite you. 6MB payload limit, 30-second timeout, 10K RPS default throttling. |
| AWS Architecture Center | Reference architectures with API Gateway. Some are overkill, but good for understanding patterns. |
| AWS Well-Architected Framework | AWS's take on best practices. Heavy on theory, but the principles are solid. |
| Serverless Application Lens | Focused on serverless patterns. Worth reading if you're going Lambda-heavy. |
| CloudWatch Metrics for API Gateway | CloudWatch metrics documentation is comprehensive but good luck figuring out which ones actually matter. Focus on Count, Latency, and 4XXError/5XXError first. |
| AWS X-Ray Integration | X-Ray is essential for debugging, assuming you can afford the extra costs it adds. Distributed tracing for REST APIs only. |
| API Gateway Access Logging | Enable this before you need it. Costs extra but saves hours when debugging production issues. |
| API Gateway Security Guide | Security best practices. Read this before going to production. |
| AWS IAM Integration | IAM roles and policies for API Gateway. Complex but necessary for enterprise deployments. |
| Amazon Cognito Integration | User authentication with Cognito. Works well once you get past the initial setup complexity. |
| AWS CLI for API Gateway | Command-line tools for automation. Essential for CI/CD pipelines. |
| AWS SDK Documentation | SDKs for all major languages. Python and JavaScript are the most common for API Gateway work. |
| AWS SAM (Serverless Application Model) | CloudFormation templates are verbose as hell - use SAM or CDK instead. Much easier than raw CloudFormation for API Gateway. |
| Customer Success Stories | How TiVo, WirelessCar, and others use API Gateway. Focus on the challenges they faced. |
| AWS Samples Repository | AWS samples repository - 50% gold, 50% broken code that hasn't been updated since 2019. Search for "api-gateway" - some are actually useful. |
| AWS Solutions Library | The official tutorials skip the hard parts like CORS and custom domains. Good starting points but expect to modify for your needs. |
Related Tools & Recommendations
Lambda Alternatives That Won't Bankrupt You
integrates with AWS Lambda
Stop Your Lambda Functions From Sucking: A Guide to Not Getting Paged at 3am
Because nothing ruins your weekend like Java functions taking 8 seconds to respond while your CEO refreshes the dashboard wondering why the API is broken. Here'
AWS Lambda - Run Code Without Dealing With Servers
Upload your function, AWS runs it when stuff happens. Works great until you need to debug something at 3am.
Amazon DynamoDB - AWS NoSQL Database That Actually Scales
Fast key-value lookups without the server headaches, but query patterns matter more than you think
MuleSoft Review - Is It Worth the Insane Price Tag?
After 18 months of production pain, here's what MuleSoft actually costs you
Terraform CLI: Commands That Actually Matter
The CLI stuff nobody teaches you but you'll need when production breaks
12 Terraform Alternatives That Actually Solve Your Problems
HashiCorp screwed the community with BSL - here's where to go next
Terraform Performance at Scale Review - When Your Deploys Take Forever
integrates with Terraform
SaaSReviews - Software Reviews Without the Fake Crap
Finally, a review platform that gives a damn about quality
AWS X-Ray - Distributed Tracing Before the 2027 Sunset
integrates with AWS X-Ray
Fresh - Zero JavaScript by Default Web Framework
Discover Fresh, the zero JavaScript by default web framework for Deno. Get started with installation, understand its architecture, and see how it compares to Ne
Anthropic Raises $13B at $183B Valuation: AI Bubble Peak or Actual Revenue?
Another AI funding round that makes no sense - $183 billion for a chatbot company that burns through investor money faster than AWS bills in a misconfigured k8s
Google Pixel 10 Phones Launch with Triple Cameras and Tensor G5
Google unveils 10th-generation Pixel lineup including Pro XL model and foldable, hitting retail stores August 28 - August 23, 2025
Dutch Axelera AI Seeks €150M+ as Europe Bets on Chip Sovereignty
Axelera AI - Edge AI Processing Solutions
OpenAI Gets Sued After GPT-5 Convinced Kid to Kill Himself
Parents want $50M because ChatGPT spent hours coaching their son through suicide methods
AWS RDS - Amazon's Managed Database Service
depends on Amazon RDS
AWS Organizations - Stop Losing Your Mind Managing Dozens of AWS Accounts
When you've got 50+ AWS accounts scattered across teams and your monthly bill looks like someone's phone number, Organizations turns that chaos into something y
Samsung Wins 'Oscars of Innovation' for Revolutionary Cooling Tech
South Korean tech giant and Johns Hopkins develop Peltier cooling that's 75% more efficient than current technology
Nvidia's $45B Earnings Test: Beat Impossible Expectations or Watch Tech Crash
Wall Street set the bar so high that missing by $500M will crater the entire Nasdaq
API Gateway Pricing: AWS Will Destroy Your Budget, Kong Hides Their Prices, and Zuul Is Free But Costs Everything
similar to AWS API Gateway
Recommendations combine user behavior, content similarity, research intelligence, and SEO optimization