What is AWS API Gateway

API Gateway is the thing AWS puts between your users and your actual services. It's basically a bouncer that checks IDs and deals with rate limiting so you don't have to write that tedious shit yourself. Works great until you get your first $3K AWS bill.

AWS API Gateway Architecture

You get three flavors: REST APIs with all the bells and whistles, HTTP APIs that are faster and cheaper but with fewer features, and WebSocket APIs for when you need real-time communication. Pick your poison based on what you actually need, not what sounds impressive.

How It Actually Works

API Gateway runs on AWS's edge locations (CloudFront's network) when you pick "edge-optimized," or stays in one region if you choose "regional." Edge-optimized is marketing bullshit for "double your CloudFront bill" - learned this when our API Gateway costs were $200/month but CloudFront hit $800. Those execute-api URLs look like https://abc123.execute-api.us-east-1.amazonaws.com/prod and you can't change the ugly bastards without custom domains.

AWS API Gateway Request Flow

It plays nice with AWS Lambda (probably what you'll use most), Amazon Cognito for user management, and IAM for permissions. CORS configuration will make you question your life choices - the error messages are complete garbage like "CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https." Deployment stages confuse the shit out of everyone: "prod" and "production" are different things to API Gateway because fuck consistency. CloudWatch handles monitoring, assuming you want to pay $0.50/GB for detailed logs.

Performance Reality Check

API Gateway scales automatically, but your backend better keep up. Default limits are 10,000 requests per second per account - sounds generous until you do the math: that's $35K/month on REST APIs if you max it out. You can request limit increases through AWS Support, but expect a 20-question Spanish Inquisition about your traffic patterns.

Since the 2019 HTTP API launch, nobody should use REST APIs unless they need the features. HTTP APIs are actually 71% cheaper than REST APIs and faster too, but you lose request validation and caching. Lambda cold starts can add 500ms+ to your first request - especially brutal for those "just checking if the API is up" health checks. Edge-optimized might help global latency but adds complexity and CloudFront costs.

Who Actually Uses This Thing

TiVo uses API Gateway for streaming because it auto-scales during peak viewing times (think Sunday night HBO premieres) without them having to provision servers. WirelessCar needed sub-100ms response times for connected cars - edge-optimized endpoints solved their latency problem.

Most people use it for microservices APIs, mobile app backends, or modernizing legacy systems. It's particularly good when you need something up fast and don't want to manage load balancers, SSL certificates, and all that infrastructure nonsense. Just remember: it's another layer that can break, so plan accordingly.

API Gateway Types - Choose Your Poison

Feature

REST API

HTTP API

WebSocket API

Pricing

$3.50 per million requests šŸ’ø

$0.90-$1.00 per million requests šŸ’°

$1.00 per million messages

Use Case

Feature-rich APIs (if you need the features)

Fast, cheap APIs (if you can live without validation)

Real-time stuff (chat, gaming)

Authentication

IAM, Cognito, API Keys, Lambda authorizers

IAM, Cognito, JWT, Lambda authorizers

IAM, Lambda authorizers

Caching

āœ… Built-in ($0.02/GB/hour though)

āŒ No caching (handle it yourself)

āŒ No caching

Request Validation

āœ… Built-in validation

āŒ Validate in your Lambda instead

āŒ No validation

Custom Domain

āœ… Works (ACM certificate required)

āœ… Works (ACM certificate required)

āœ… Works (ACM certificate required)

AWS WAF Integration

āœ… Protection against attacks

āŒ You're on your own

āŒ You're on your own

Private Endpoints

āœ… VPC endpoints (complex setup)

āŒ Internet-only

āŒ Internet-only

API Keys & Usage Plans

āœ… Built-in monetization

āŒ Roll your own

āŒ Roll your own

Request/Response Transformation

āœ… Full VTL mapping templates

āœ… Basic parameter mapping only

āœ… Route-based transformation

Performance

Standard latency (cold starts hurt)

Up to 71% faster (still cold starts)

Persistent connection (connection limits)

Monitoring

CloudWatch + X-Ray (extra cost)

CloudWatch only

CloudWatch only

Best For

Enterprise APIs that need every feature

Simple proxy APIs, microservices

Chat apps, live dashboards, multiplayer games

Questions Engineers Actually Ask at 3AM

Q

Why does my API randomly return 502 errors?

A

Usually Lambda cold starts, backend timeouts, or your Lambda function shitting itself.

Check CloudWatch logs first

  • look for "Task timed out after 30.00 seconds" or "RequestId: abc123 Process exited before completing request" or my personal favorite "Runtime exited with error: exit status 1".

Your backend needs to respond within 30 seconds or API Gateway gives up and returns that useless 502. If it's cold starts, consider provisioned concurrency (costs $41.67/month per GB but beats explaining to your CEO why the API is down).

Q

Why is my AWS bill so high when I'm only making a few API calls?

A

REST APIs cost $3.50 per million requests, HTTP APIs cost $0.90-$1.00 per million. Sounds cheap until you scale

  • 10M requests/month is $35 on REST APIs. Plus data transfer costs (first GB free, then $0.09/GB). If you enabled caching, that's $0.02/GB/hour whether you use it or not. Edge-optimized? CloudFront costs might exceed your API Gateway costs.
Q

How do I fix CORS errors that make no sense?

A

CORS preflight requests fail silently and you'll spend 2 hours debugging why OPTIONS returns 200 but your POST still gets blocked.

CORS errors in API Gateway are designed by sadists

Make sure you enabled CORS on your resource AND methods (both boxes checked in the console), set Access-Control-Allow-Origin to your domain (not * if you're using credentials), and include Access-Control-Allow-Credentials: true if needed.

For preflight requests, you need to handle OPTIONS method separately. VPC cold starts can take 15+ seconds if your ENIs aren't warm

  • learned this during a live demo that went to shit. This GitHub issue thread has more useful info than AWS's entire CORS documentation.
Q

Can I connect API Gateway to my private services?

A

Yes, but it's complicated. VPC Links let you connect to services in your VPC, but they require a Network Load Balancer (extra cost and complexity). For REST APIs only

  • HTTP APIs can't do private integrations. HTTP integrations work for any public endpoint though.
Q

Why does my API return "Missing Authentication Token" when I think auth is working?

A

That "Missing Authentication Token" error is AWS-speak for "your URL is probably wrong, genius." This cryptic bullshit error usually means:

  1. Your URL is wrong (/prod/users vs /users - yes, the stage matters)
  2. The HTTP method isn't deployed (GET /users works but POST /users returns 403)
  3. You forgot to deploy after making changes (classic mistake)
  4. Custom domain base path mapping is fucked

Check that you're hitting the right stage URL - /prod, /dev, /staging, whatever. If you're using custom domains, make sure the base path mapping actually points to something. That 29-second timeout is actually 30 seconds, but Lambda reserves 1 second for cleanup because reasons. IAM, Cognito, and Lambda authorizers work fine when configured correctly (emphasis on "correctly").

Q

How do I debug why my API is slow?

A

Cloud

Watch logs take 5-10 minutes to show up, so grab coffee while you wait for your debug info.

Enable X-Ray tracing (REST APIs only) to see where time is spent.

Lambda cold starts are usually the culprit

  • first request after idle can take 500ms+. API Gateway throttling is per-account, so one bad API can kill your others. CloudWatch metrics show latency breakdown. Check your backend response time vs. API Gateway latency to isolate the bottleneck.
Q

What's the maximum request size and other gotchas?

A

6MB payload limit will bite you if you're passing large datasets. 30-second timeout for Lambda integrations (use async if you need longer).

Throttling limits are per account

Q

Should I use API Gateway or just put ALB in front of my containers?

A

Depends. API Gateway gives you auth, rate limiting, and AWS integrations built-in. ALB is cheaper for high-volume traffic but you build auth/throttling yourself. If you're already on containers and don't need API Gateway's features, ALB + Kong/Envoy might be better. For serverless (Lambda), API Gateway makes more sense.

Q

Can I use custom domains without the ugly AWS URLs?

A

Yes, custom domains work with ACM certificates. You'll need to create the domain, get the CloudFront distribution ID (edge-optimized) or ALB DNS (regional), and update your DNS. Takes about 20 minutes if everything goes smoothly.

Q

What happens when API Gateway is down?

A

99.95% SLA sounds good until you realize that's 22 minutes of downtime per month. It runs across multiple AZs but regional outages happen. Edge-optimized APIs use CloudFront's global network for better resilience. Keep circuit breakers and timeouts in your clients.

Real-World Usage (What Actually Works)

Serverless APIs That Don't Suck

API Gateway + Lambda is probably what you'll use. It's the easiest way to build APIs without managing servers, until you discover Lambda cold starts during your first production demo. Cold starts are your biggest enemy - we've seen 2-second delays on first requests after idle periods, and 8+ seconds for Java Spring Boot apps. Provisioned concurrency starts at $0.015 per GB-second ($10.80/month for 1GB function running 24/7) and adds up fast, but fixes the problem if your budget can handle it.

Sync requests work for web APIs, async for long-running stuff. That $0.02/GB/hour caching fee adds up fast - we hit $400/month caching data we barely used. Response caching beats hitting your Lambda repeatedly, but cache invalidation is manual and takes 5-10 minutes to propagate.

Microservices Frontend (Single Point of Failure)

API Gateway works as a front door for microservices, but remember it's another layer that can break. It handles auth, rate limiting, and routing so your services don't have to. Just be aware that now everything depends on API Gateway being up.

You can integrate directly with DynamoDB, S3, and SNS without Lambda functions - saves latency and cost but adds complexity. Great for simple CRUD operations, terrible for anything requiring logic.

Security That Doesn't Get in Your Way

AWS WAF integration (REST APIs only) blocks common attacks like SQL injection. Worth it if you're getting hit by bots. Private APIs stay inside your VPC - great for internal services that shouldn't touch the internet.

Cognito handles OAuth/SAML if you need enterprise SSO. Resource policies let you restrict by IP or VPC. The security is solid, but each feature adds complexity - only enable what you actually need.

Making It Actually Fast

Caching works great if your data doesn't change often. Costs $0.02/GB/hour though, and cache misses still hit your backend. TTL settings are crucial - too short and you're wasting money, too long and you serve stale data.

Regional endpoints are faster and simpler. Edge-optimized sounds fancy but adds CloudFront costs and complexity. Pick regional unless your users are actually global. Lambda cold starts are your biggest enemy - keep functions warm with periodic pings if budget allows.

The Bill Reality Check

HTTP APIs are 71% cheaper than REST APIs - $1/million vs $3.50/million requests. Sounds great until you hit real scale: 100M requests/month is $100 (HTTP) vs $350 (REST). Add data transfer costs, caching fees, and CloudFront charges for edge-optimized APIs.

Usage plans are great until you realize customers will hit your rate limits in creative ways you didn't expect - like making 1000 requests in the first second of each minute to game your per-minute limits. Usage plans let you charge customers for API access and throttle them when they go over. CloudWatch metrics show where your money goes - sort by Count metric to find your most expensive APIs. Set billing alarms at $100, $500, and $1000 - we learned this the hard way when a traffic spike from a Reddit post mentioning our API cost us $2K overnight (mostly Lambda invocations, not API Gateway charges).

Resources That Actually Help

Related Tools & Recommendations

tool
Similar content

AWS Lambda Overview: Run Code Without Servers - Pros & Cons

Upload your function, AWS runs it when stuff happens. Works great until you need to debug something at 3am.

AWS Lambda
/tool/aws-lambda/overview
100%
tool
Similar content

Amazon SageMaker: AWS ML Platform Overview & Features Guide

AWS's managed ML service that handles the infrastructure so you can focus on not screwing up your models. Warning: This will cost you actual money.

Amazon SageMaker
/tool/aws-sagemaker/overview
80%
tool
Similar content

Amazon DynamoDB - AWS NoSQL Database That Actually Scales

Fast key-value lookups without the server headaches, but query patterns matter more than you think

Amazon DynamoDB
/tool/amazon-dynamodb/overview
80%
integration
Similar content

AWS Lambda DynamoDB: Serverless Data Processing in Production

The good, the bad, and the shit AWS doesn't tell you about serverless data processing

AWS Lambda
/integration/aws-lambda-dynamodb/serverless-architecture-guide
80%
tool
Similar content

AWS API Gateway Security Hardening: Protect Your APIs in Production

Learn how to harden AWS API Gateway for production. Implement WAF, mitigate DDoS attacks, and optimize performance during security incidents to protect your API

AWS API Gateway
/tool/aws-api-gateway/production-security-hardening
55%
tool
Similar content

Amazon EC2 Overview: Elastic Cloud Compute Explained

Rent Linux or Windows boxes by the hour, resize them on the fly, and description only pay for what you use

Amazon EC2
/tool/amazon-ec2/overview
49%
tool
Similar content

KrakenD Production Troubleshooting - Fix the 3AM Problems

When KrakenD breaks in production and you need solutions that actually work

Kraken.io
/tool/kraken/production-troubleshooting
46%
tool
Similar content

Kong Gateway: Cloud-Native API Gateway Overview & Features

Explore Kong Gateway, the open-source, cloud-native API gateway built on NGINX. Understand its core features, pricing structure, and find answers to common FAQs

Kong Gateway
/tool/kong/overview
46%
tool
Similar content

AWS Database Migration Service: Real-World Migrations & Costs

Explore AWS Database Migration Service (DMS): understand its true costs, functionality, and what actually happens during production migrations. Get practical, r

AWS Database Migration Service
/tool/aws-database-migration-service/overview
45%
tool
Similar content

KrakenD API Gateway: Fast, Open Source API Management Overview

The fastest stateless API Gateway that doesn't crash when you actually need it

Kraken.io
/tool/kraken/overview
43%
tool
Similar content

Firebase - Google's Backend Service for Serverless Development

Skip the infrastructure headaches - Firebase handles your database, auth, and hosting so you can actually build features instead of babysitting servers

Firebase
/tool/firebase/overview
42%
tool
Similar content

Neon Production Troubleshooting Guide: Fix Database Errors

When your serverless PostgreSQL breaks at 2AM - fixes that actually work

Neon
/tool/neon/production-troubleshooting
36%
tool
Similar content

Amazon Q Business vs. Developer: AWS AI Comparison & Pricing Guide

Confused by Amazon Q Business and Q Developer? This guide breaks down the differences, features, and pricing of AWS's AI assistants, including their CodeWhisper

Amazon Q Developer
/tool/amazon-q/business-vs-developer-comparison
34%
review
Recommended

MuleSoft Review - Is It Worth the Insane Price Tag?

After 18 months of production pain, here's what MuleSoft actually costs you

MuleSoft Anypoint Platform
/review/mulesoft-anypoint-platform/comprehensive-review
32%
alternatives
Recommended

Terraform Alternatives That Don't Suck to Migrate To

Stop paying HashiCorp's ransom and actually keep your infrastructure working

Terraform
/alternatives/terraform/migration-friendly-alternatives
31%
pricing
Recommended

Infrastructure as Code Pricing Reality Check: Terraform vs Pulumi vs CloudFormation

What these IaC tools actually cost you in 2025 - and why your AWS bill might double

Terraform
/pricing/terraform-pulumi-cloudformation/infrastructure-as-code-cost-analysis
31%
tool
Recommended

Terraform - Define Infrastructure in Code Instead of Clicking Through AWS Console for 3 Hours

The tool that lets you describe what you want instead of how to build it (assuming you enjoy YAML's evil twin)

Terraform
/tool/terraform/overview
31%
tool
Popular choice

Python 3.13 - You Can Finally Disable the GIL (But Probably Shouldn't)

After 20 years of asking, we got GIL removal. Your code will run slower unless you're doing very specific parallel math.

Python 3.13
/tool/python-3.13/overview
30%
tool
Similar content

Vercel Overview: Deploy Next.js Apps & Get Started Fast

Get a no-bullshit overview of Vercel for Next.js app deployment. Learn how to get started, understand costs, and avoid common pitfalls with this practical guide

Vercel
/tool/vercel/overview
28%
tool
Similar content

Neon Serverless PostgreSQL: An Honest Review & Production Insights

PostgreSQL hosting that costs less when you're not using it

Neon
/tool/neon/overview
28%

Recommendations combine user behavior, content similarity, research intelligence, and SEO optimization