AWS Deep Dive
author: Nathan Acks
Amazon API Gateway
Continued notes about the Amazon API Gateway.
Working with REST APIs
Creating a Private API in Amazon API Gateway
Private APIs can only be interacted with from inside of an AWS VPC, via a special VPC endpoint interface. These endpoints can also be accessed through on-prem systems via Amazon Direct Connect (the AWS site-to-site VPN). Access to VPC endpoints can be controlled by both security groups and resource policies with the aws:SourceVpce conditions that are attached to the API (set) in API Gateway.
Setting up CloudWatch Logging for a REST API in API Gateway
API execution logs are set up and managed automatically by API Gateway, but access logging must be manually configured. Access logs can log any $context variables, but cannot log any other API variables. Note that $context.requestId can be overridden on the client side by setting the x-amz-RequestId header, but $context.extendedRequestId is set by API Gateway itself and only revealed to the client in the x-amz-apigw-id response header. (Given these limitations, it’s unclear why anyone would ever bother with $context.requestId, though I suppose it might be useful for debugging…)
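An added example, not part of the original notes: an access-log audit that keys every record on $context.extendedRequestId and flags $context.requestId values that look client-supplied. It assumes the JSON access log format shown in the first comment and that request IDs generated by API Gateway are UUID-shaped; the function name and the sample log lines are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Assumed access log format (one JSON object per line), set on the stage:
# {"requestId":"$context.requestId","extendedRequestId":"$context.extendedRequestId","ip":"$context.identity.sourceIp"}

# Assumption: request IDs generated by API Gateway itself are UUID-shaped.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
{"requestId":"1f0c2b7e-5d0a-4c1e-9b7a-2a6d3e4f5a6b","extendedRequestId":"EXAMPLEid0001=","ip":"198.51.100.7"}
{"requestId":"order-12345","extendedRequestId":"EXAMPLEid0002=","ip":"203.0.113.9"}
{"requestId":"1f0c2b7e-5d0a-4c1e-9b7a-2a6d3e4f5a6b","extendedRequestId":"EXAMPLEid0003=","ip":"203.0.113.9"}
not-json garbage line
"""

def audit_access_log(text):
    """Return {extendedRequestId: [reasons]} for records with a suspect requestId."""
    seen = defaultdict(set)  # requestId -> extendedRequestIds it appeared with
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            rid, xid = str(rec["requestId"]), str(rec["extendedRequestId"])
        except (ValueError, KeyError, TypeError):
            continue  # skip lines that are not in the assumed format
        records.append((rid, xid))
        seen[rid].add(xid)
    findings = {}
    for rid, xid in records:
        reasons = []
        if not UUID_RE.match(rid):
            reasons.append("requestId is not UUID-shaped")
        if len(seen[rid]) > 1:
            # One requestId on several gateway-assigned IDs: not a unique key.
            reasons.append("requestId reused across requests")
        if reasons:
            findings[xid] = reasons  # keyed on the ID the client cannot set
    return findings

if __name__ == "__main__":
    for xid, reasons in audit_access_log(SAMPLE_LOG).items():
        print(xid, "->", "; ".join(reasons))
```
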