AWS Deep Dive

Amazon API Gateway

Continued notes about the Amazon API Gateway.

Working with REST APIs

Creating a Private API in Amazon API Gateway

Private APIs can only be reached from inside an AWS VPC, through an interface VPC endpoint. These endpoints can also be reached from on-prem systems via Amazon Direct Connect (the AWS site-to-site VPN). Access to the VPC endpoints can be controlled both by security groups and by resource policies attached to the API in API Gateway that use the aws:SourceVpc / aws:SourceVpce conditions.
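The resource-policy half of that, as an added example (my own code, not from these notes or from AWS): the function builds the Allow-plus-explicit-Deny policy that pins a REST API to a single interface VPC endpoint via aws:SourceVpce, and a small evaluator models how IAM decides an Invoke against it (explicit Deny beats Allow, anything unmatched is denied). The API ARN and the vpce-… ID are constructed placeholders, and the evaluator is a simplified model that only understands the two string operators this policy uses.

```python
"""Pin a private REST API to one VPC endpoint with a resource policy.

Added example, not part of the notes. The explicit Deny statement is what
enforces the restriction: an Allow on its own would still let any principal
whose identity policy grants execute-api:Invoke reach the API by another route.
"""
import json
from typing import Optional

# Constructed placeholders; replace with your own API ARN and endpoint ID.
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/*"
VPCE_ID = "vpce-0123456789abcdef0"


def private_api_resource_policy(api_arn: str, vpce_id: str) -> dict:
    """Return a policy document allowing Invoke only via vpce_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }


def policy_json(policy: dict) -> str:
    """Serialise the document as you would pass it to the API Gateway console or CLI."""
    return json.dumps(policy, indent=2)


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Simplified IAM condition evaluation for StringEquals / StringNotEquals.

    aws:SourceVpce is only present in the request context when the call came
    through a VPC endpoint; an absent key fails StringEquals and satisfies
    StringNotEquals, which is exactly what makes the Deny catch non-endpoint traffic.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator in this model: {operator}")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def invoke_allowed(policy: dict, source_vpce: Optional[str]) -> bool:
    """Decide execute-api:Invoke for a request: explicit Deny wins, default is Deny."""
    ctx = {} if source_vpce is None else {"aws:SourceVpce": source_vpce}
    allowed = False
    for stmt in policy["Statement"]:
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    doc = private_api_resource_policy(API_ARN, VPCE_ID)
    print(policy_json(doc))
    for src in (VPCE_ID, "vpce-0fedcba9876543210", None):
        print(f"source={src!r}: allowed={invoke_allowed(doc, src)}")
```

The `None` case stands for a request that did not arrive through any VPC endpoint (no aws:SourceVpce in the context); it is the case the Deny statement exists for, and the one worth checking after any policy edit.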

Setting up CloudWatch Logging for a REST API in API Gateway

API execution logs are set up and managed automatically by API Gateway, but access logging must be configured manually. Access logs can include any $context variable, but no other API variables. Note that $context.requestId can be overridden on the client side by setting the x-amz-RequestId header, whereas $context.extendedRequestId is set by API Gateway itself and is only revealed to the client in the x-amz-apigw-id response header. (Given these limitations, it’s unclear why anyone would ever bother with $context.requestId, though I suppose it might be useful for debugging…)
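To make the requestId / extendedRequestId distinction concrete, here is an added example (my own code, not from the notes): a JSON access-log format built only from $context variables, and a parser that correlates the resulting log lines on the gateway-assigned extendedRequestId while treating requestId as client-influenced data. The sample log lines are constructed, and in one of them the client has set its own x-amz-RequestId so that it reuses another request's ID.

```python
"""Access-log format for a REST API stage, plus a parser that correlates
on $context.extendedRequestId rather than the client-settable requestId.

Added example, not part of the notes. SAMPLE_LOG_LINES are constructed.
"""
import json
from collections import defaultdict
from typing import Dict, List

# The format string for the stage's access log settings. Only $context
# variables are permitted here.
ACCESS_LOG_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "extendedRequestId": "$context.extendedRequestId",
    "ip": "$context.identity.sourceIp",
    "method": "$context.httpMethod",
    "path": "$context.resourcePath",
    "status": "$context.status",
    "requestTime": "$context.requestTime",
})

# Constructed sample output. The third line reuses the first line's requestId:
# the caller set x-amz-RequestId itself. The fourth line is deliberately malformed.
SAMPLE_LOG_LINES = [
    '{"requestId":"6f1d2c3a-9b8e-4c7d-a1b2-c3d4e5f6a7b8","extendedRequestId":"AbCd1EfGhIAMEpQ=",'
    '"ip":"10.0.1.15","method":"GET","path":"/orders","status":"200",'
    '"requestTime":"12/Mar/2024:10:01:02 +0000"}',
    '{"requestId":"9e8d7c6b-5a4f-4e3d-9c2b-1a0f9e8d7c6b","extendedRequestId":"AbCd2EfGhIAMEpQ=",'
    '"ip":"10.0.1.22","method":"POST","path":"/orders","status":"201",'
    '"requestTime":"12/Mar/2024:10:01:05 +0000"}',
    '{"requestId":"6f1d2c3a-9b8e-4c7d-a1b2-c3d4e5f6a7b8","extendedRequestId":"AbCd3EfGhIAMEpQ=",'
    '"ip":"10.0.2.40","method":"GET","path":"/orders/{id}","status":"403",'
    '"requestTime":"12/Mar/2024:10:01:09 +0000"}',
    'this line is not JSON',
]


def parse_access_logs(lines: List[str]) -> List[dict]:
    """Parse JSON access-log lines, skipping blank, malformed or incomplete ones."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "extendedRequestId" not in rec or "requestId" not in rec:
            continue
        records.append(rec)
    return records


def index_by_extended_id(records: List[dict]) -> Dict[str, dict]:
    """Key records by the ID API Gateway assigned; this is the value to ask a
    caller for (from the x-amz-apigw-id response header) when investigating."""
    return {r["extendedRequestId"]: r for r in records}


def colliding_request_ids(records: List[dict]) -> Dict[str, List[str]]:
    """requestId values that appear on more than one distinct extendedRequestId.

    API Gateway generates a fresh requestId per request, so a repeat across
    distinct gateway IDs means the value was supplied by the client via
    x-amz-RequestId and must not be used as a correlation key on its own.
    """
    seen = defaultdict(set)
    for r in records:
        seen[r["requestId"]].add(r["extendedRequestId"])
    return {rid: sorted(exts) for rid, exts in seen.items() if len(exts) > 1}


if __name__ == "__main__":
    recs = parse_access_logs(SAMPLE_LOG_LINES)
    print(f"{len(recs)} records parsed")
    for rid, exts in colliding_request_ids(recs).items():
        print(f"requestId {rid} shared by gateway IDs {exts}")
```

The collision check is the practical reason to log both fields: extendedRequestId gives you a trustworthy key, and a requestId that repeats across different extendedRequestIds is a cheap signal that callers are setting the header.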