Enhancement of Amazon API Gateway Proxy connecting to Amazon DynamoDB in 3 phases

Prasenjit Roychoudhury
Apr 15, 2024

Introduction

This blog details how to build a simple application to get/put items in Amazon DynamoDB faster using Amazon API Gateway. The solution is then enhanced in two more phases.

The hypothetical use case is a simple website review feature where a user can submit a score for a product and check the average score for the product. The scores are stored in Amazon DynamoDB.

The solution uses Amazon DynamoDB because the website demands the fast reads and writes that Amazon DynamoDB supports. Also, its flexible schema can be modified after prototyping is done or when the solution is enhanced.

Amazon API Gateway is used because it provides security and throttling features, it can act as a proxy to Amazon DynamoDB, and no container is required during prototyping.

Architecture Diagram — Phase 1

Phase 1 — The simple prototype to build the use case faster.

In phase 1, the services used are Amazon API Gateway and Amazon DynamoDB. Amazon API Gateway can connect with Amazon DynamoDB without a customer-defined VPC, as both are public services. This way the solution can be built faster with a simple architecture. The features and extensions of the phase 1 design are as follows.

Features

a. Quick setup — The solution is easy and fast to configure, as basic prototyping can start with only two services while still storing data in a database.

b. Simplicity — No VPC, subnets or route tables need to be created.

c. Cost savings — Amazon NAT gateway and other network-related costs can be planned for future phases.

How integration works

  1. Traffic Management: Amazon API Gateway intercepts the user request before it reaches Amazon DynamoDB.
  2. Data Transformation: Amazon API Gateway transforms the incoming request data into the format expected by Amazon DynamoDB’s API. This includes mapping request parameters to DynamoDB attributes.
  3. Response Mapping: On receiving the response from the Amazon DynamoDB API, Amazon API Gateway can transform it into the JSON format expected by the caller of the API.
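The request and response mapping steps above, modelled in Python as an added example (not code from the original post; in API Gateway itself this logic lives in the integration's mapping templates). The table name `ProductScores`, the attribute names and the 1 to 5 score range are assumptions.

```python
# Added example: Python model of the API Gateway <-> DynamoDB mapping steps.
# Table name, attribute names and the 1-5 score range are assumptions.
import json
from decimal import Decimal

TABLE = "ProductScores"  # hypothetical table: partition key productId, sort key reviewId


def to_put_item_request(body: dict) -> dict:
    """Request mapping: plain JSON in, DynamoDB PutItem JSON out."""
    product_id = body.get("productId")
    review_id = body.get("reviewId")
    for name, value in (("productId", product_id), ("reviewId", review_id)):
        if not isinstance(value, str) or not value or len(value) > 64:
            raise ValueError(f"{name} must be a non-empty string of at most 64 chars")
    score = body.get("score")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(score, bool) or not isinstance(score, int) or not 1 <= score <= 5:
        raise ValueError("score must be an integer from 1 to 5")
    return {
        "TableName": TABLE,
        "Item": {
            "productId": {"S": product_id},
            "reviewId": {"S": review_id},
            "score": {"N": str(score)},  # DynamoDB carries numbers as strings
        },
        # Reject overwrites of an existing review instead of silently replacing it.
        "ConditionExpression": "attribute_not_exists(reviewId)",
    }


def from_query_response(resp: dict) -> dict:
    """Response mapping: DynamoDB Query JSON in, client-facing JSON out."""
    scores = [Decimal(item["score"]["N"]) for item in resp.get("Items", [])]
    if not scores:
        return {"count": 0, "averageScore": None}
    avg = sum(scores) / len(scores)
    return {"count": len(scores), "averageScore": float(round(avg, 2))}


if __name__ == "__main__":
    # Constructed sample request and constructed DynamoDB Query response
    req = to_put_item_request({"productId": "p-100", "reviewId": "r-1", "score": 4})
    print(json.dumps(req, indent=2))
    sample = {"Items": [{"score": {"N": "4"}}, {"score": {"N": "5"}}, {"score": {"N": "2"}}]}
    print(from_query_response(sample))
```

In phase 1 there is no compute layer, so the mapping step is the only place where request fields are shaped and constrained before they reach the table.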

Existing solution features

i. Security considerations — Amazon API Gateway accesses Amazon DynamoDB through IAM roles/policies. However, both services are public, so the phase 1 design requires Amazon API Gateway authentication and authorization mechanisms and Amazon DynamoDB fine-grained access control policies.

ii. Public connectivity and limited network isolation

Amazon API Gateway can be used as a proxy for Amazon DynamoDB to get/put scores with very limited functionality. The business logic can be implemented using a compute service, which will be discussed in phase 2.
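For the IAM role mentioned under security considerations, the following added example (not from the original post) puts an over-broad policy beside a scoped one and checks both. The table ARN is a placeholder, and the assumption is that the proxy only calls `PutItem` and `Query` on a single scores table.

```python
# Added example: scoped IAM policy for the API Gateway execution role,
# plus a check that flags over-broad Allow statements.
import json

# Placeholder ARN (constructed region, account id and table name)
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/ProductScores"

BROAD_POLICY = {  # constructed example of what to avoid
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

SCOPED_POLICY = {  # only the calls the proxy is assumed to make, on one table
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:PutItem", "dynamodb:Query"],
        "Resource": TABLE_ARN,
    }],
}

ALLOWED_ACTIONS = {"dynamodb:putitem", "dynamodb:query"}  # IAM actions are case-insensitive


def _as_list(value):
    # IAM accepts either a single value or a list for these fields
    return value if isinstance(value, list) else [value]


def findings(policy: dict) -> list[str]:
    """Return the problems found in the Allow statements of an identity policy."""
    out = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            out.append(f"statement {i}: NotAction/NotResource used with Allow")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                out.append(f"statement {i}: wildcard action {action}")
            elif action.lower() not in ALLOWED_ACTIONS:
                out.append(f"statement {i}: unexpected action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != TABLE_ARN:
                out.append(f"statement {i}: resource {resource} is not the scores table")
    return out


if __name__ == "__main__":
    print(json.dumps({"broad": findings(BROAD_POLICY), "scoped": findings(SCOPED_POLICY)}, indent=2))
```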

Architecture Diagram — Phase 2

Phase 2 — Scaling up solution using Amazon Lambda for business processing

Here’s an enhanced solution where API Gateway connects with an Amazon Lambda function in a customer-defined VPC. The Amazon Lambda function further connects with Amazon DynamoDB in a different VPC subnet.

Services used here:

1. Amazon API Gateway — This will remain outside the customer-defined VPC, only for internet access. Amazon API Gateway will connect with Amazon Lambda, which processes requests with the business logic.

2. Amazon Lambda function — This will read get/put requests from Amazon API Gateway and perform business logic processing before connecting with Amazon DynamoDB using proper authentication.

3. VPC, Subnet & Security Group — These will be required for various network related aspects.

4. Amazon DynamoDB — This will be used for storing and retrieval of data.

The above solution will be a production-ready solution with enhanced business logic, enhanced security and scalability.

The above solution can introduce slightly more latency than Phase 1, as Amazon Lambda has a minimal cold start when starting inside a customer VPC in certain situations. However, there are multiple solutions to handle this.

The solution can optionally be enhanced using VPC Endpoints for connecting to Amazon DynamoDB. Also, for asynchronous processing, Amazon SQS can be used.

Architecture Design — Phase 3

Phase 3 — Deployment of the solution in multiple regions with AWS Global Accelerator

The above solution can be further enhanced by deploying the gateway, container and database services in multiple regions. AWS Global Accelerator would be deployed to point to the applicable regional endpoint.

The steps to implement the solution are as follows.

1. Deploy API Gateway across multiple regions. This gives the solution resiliency and closer regional access.

2. Set up an Amazon Network Load Balancer (NLB)

3. Configure the Amazon API Gateway endpoints

4. Create an AWS Global Accelerator

5. Register the NLBs as endpoints

6. Obtain the static IP addresses

This enhanced solution gives better performance, high availability, scalability and disaster recovery.

Conclusion

In this blog, the phase-wise integration between Amazon API Gateway, Amazon Lambda and Amazon DynamoDB is discussed. The blog also discusses how AWS Global Accelerator can be used to connect with Amazon API Gateway for multi-region deployment.

References:

https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-an-aws-api-gateway-via-static-ip-addresses-provided-by-aws-global-accelerator/
