
Building a Microservices API in AWS

The advantages, disadvantages, problems, and solutions

Matias De Santi
Apr 6, 2017 · 5 min read

Architecting a microservices app in AWS is a challenge. AWS offers a variety of services that can be used to address a wide range of problems, and deciding whether to combine those services or build custom solutions always requires careful analysis.

This post is the first of a series in which we’ll discuss an approach to building a microservices API in AWS, the advantages, disadvantages, problems, and solutions.

Starting point

In addition, API Gateway allows a request to be mocked, forwarded to an existing HTTP endpoint, handled by a Lambda function, or used to invoke an existing AWS service. Therefore we can build our services however we think is best, while keeping control over which requests end up at which service. This looks something like:

[Diagram: image created using creately.com]

Login / Token Management

Cognito can be customized with triggers that execute a Lambda function on certain events, for example a pre sign-up check, customization of the confirmation message, or custom authentication challenges.
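As an added example, not part of the original post, here is what one of those triggers looks like: a Pre sign-up handler in Go that only lets self-service sign-ups through for an allowed e-mail domain. The event type mirrors the fields Cognito sends to this trigger; the allowed-domain list, the handle wrapper and the sample events are assumptions, and the Lambda runtime wiring is left out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// preSignUpEvent mirrors the parts of the Cognito "Pre sign-up" trigger event this
// handler uses; Cognito expects the same object back with the response fields set.
type preSignUpEvent struct {
	TriggerSource string `json:"triggerSource"`
	Request       struct {
		UserAttributes map[string]string `json:"userAttributes"`
	} `json:"request"`
	Response struct {
		AutoConfirmUser bool `json:"autoConfirmUser"`
		AutoVerifyEmail bool `json:"autoVerifyEmail"`
		AutoVerifyPhone bool `json:"autoVerifyPhone"`
	} `json:"response"`
}

// preSignUp allows self-service sign-up only for e-mail addresses in allowedDomains
// (an assumed policy). Returning an error makes Cognito reject the sign-up and relay
// the message to the client. The auto-confirm/auto-verify flags are deliberately left
// false: setting autoVerifyEmail would mark an address as verified that nobody has
// proven control of, so anyone could register with someone else's e-mail.
func preSignUp(ev preSignUpEvent, allowedDomains []string) (preSignUpEvent, error) {
	if ev.TriggerSource == "PreSignUp_AdminCreateUser" {
		return ev, nil // accounts created by an administrator are not self-service
	}
	email := strings.ToLower(strings.TrimSpace(ev.Request.UserAttributes["email"]))
	at := strings.LastIndex(email, "@")
	if at < 1 || at == len(email)-1 {
		return ev, errors.New("a valid e-mail address is required")
	}
	for _, d := range allowedDomains {
		if email[at+1:] == strings.ToLower(d) {
			return ev, nil
		}
	}
	return ev, fmt.Errorf("sign-up is limited to %s addresses", strings.Join(allowedDomains, ", "))
}

// handle has the shape of the Lambda entry point: raw event JSON in, JSON (or error) out.
func handle(raw []byte, allowedDomains []string) ([]byte, error) {
	var ev preSignUpEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return nil, err
	}
	out, err := preSignUp(ev, allowedDomains)
	if err != nil {
		return nil, err
	}
	return json.Marshal(out)
}

func main() {
	// Constructed sample events in the shape Cognito sends (trimmed to the fields used).
	for _, raw := range []string{
		`{"triggerSource":"PreSignUp_SignUp","request":{"userAttributes":{"email":"Alice@Example.com"}},"response":{}}`,
		`{"triggerSource":"PreSignUp_SignUp","request":{"userAttributes":{"email":"mallory@evil.example"}},"response":{}}`,
	} {
		out, err := handle([]byte(raw), []string{"example.com"})
		fmt.Println(string(out), err)
	}
}
```

The decision worth copying is the negative one: the handler never sets autoConfirmUser or autoVerifyEmail, so the confirmation code Cognito e-mails still has to be entered before the account is usable.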

When a user logs in, Cognito gives the client three tokens: an access token and an ID token, both JWTs signed by the user pool, and a refresh token. The ID token can be sent to API Gateway, where a Cognito user pool authorizer validates it before the request reaches your integration. To set this up, follow the documentation on AWS' portal.

[Diagram: image created using creately.com]

Using API Gateway + Cognito moves authentication to the API Gateway level, taking this responsibility away from the servers: a request with a missing, expired or badly signed token is rejected before it reaches them.
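As an added example, not code from the post, this Go program writes out the checks a Cognito user pool authorizer applies to that ID token, so a backend or proxy can repeat them when it needs to trust the claims itself. It uses only the standard library; the pool issuer URL and app client id are assumed placeholders, and the key pair is generated locally to stand in for the user pool's published key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments use base64url without padding

// jwks maps kid to public key. In production it is filled from the pool's document at
// https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json, turning
// each RSA entry's base64url "n" and "e" into an rsa.PublicKey.
type jwks map[string]*rsa.PublicKey

// claims are the Cognito ID token claims we check.
type claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud"`
	TokenUse string `json:"token_use"`
	Exp      int64  `json:"exp"`
	Sub      string `json:"sub"`
}

// verifyIDToken applies the checks the API Gateway Cognito authorizer performs (signature
// against the pool's JWKS, issuer, expiry) plus the token_use and audience checks a backend
// should do itself before trusting any claim. Nothing in the payload is read before the
// signature verifies.
func verifyIDToken(token string, keys jwks, issuer, clientID string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never let the token choose it
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	key := keys[hdr.Kid] // nil when the kid is not in the pool's JWKS
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if key == nil || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.TokenUse != "id": // access tokens carry client_id and scopes, not the aud/identity claims expected here
		return nil, fmt.Errorf("wrong token_use %q", c.TokenUse)
	case c.Aud != clientID:
		return nil, errors.New("token not issued for this app client")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// signRS256 mints a token with a local key so the example runs offline; in production
// Cognito is the only signer and this function does not exist.
func signRS256(priv *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// demoKeys returns a constructed key pair standing in for the pool's signing key and the
// JWKS that would advertise it under kid "key-1".
func demoKeys() (*rsa.PrivateKey, jwks) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return priv, jwks{"key-1": &priv.PublicKey}
}

func main() {
	const issuer, clientID = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE", "1example23456789" // assumed
	signer, keys := demoKeys()
	rogue, _ := demoKeys() // an attacker's key that the pool's JWKS does not list
	now := time.Now()
	c := claims{Iss: issuer, Aud: clientID, TokenUse: "id", Exp: now.Add(time.Hour).Unix(), Sub: "user-123"}
	for name, tok := range map[string]string{"genuine": signRS256(signer, "key-1", c), "forged": signRS256(rogue, "key-1", c)} {
		_, err := verifyIDToken(tok, keys, issuer, clientID, now)
		fmt.Println(name, "->", err)
	}
}
```

Run it with go run; it prints that the genuine token passes and the forged one does not. The order of checks is deliberate: the alg is pinned to RS256 before anything else, the key is chosen by kid from the JWKS, and no claim is parsed until the signature verifies. If the API is configured to accept access tokens instead, check client_id rather than aud and expect token_use "access".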

Application Security

[Diagram: image created using creately.com]

This brought to our attention one of API Gateway's disadvantages at the time of writing: it could not forward requests to a server placed inside a VPC that does not accept requests from the internet. The previous schema, where API Gateway forwarded requests directly to our servers, was now broken.

API Gateway + Lambda Proxy

[Diagram: image created using creately.com]

This stack is better explained in this AWS post.

One important disadvantage you may want to consider before choosing this option is that the Lambda function will only forward the request to the server once it has received the entire request. Similarly, it will only return the response to API Gateway once it has received the entire response from the server. Nothing can be streamed this way, and because both the request and the response are buffered in the function, Lambda's synchronous invocation payload limit (6 MB in each direction) bounds what can pass through.
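The following Go program is an added example, not the code from the post or from the AWS article it refers to: the forwarding step of that Lambda proxy, run against an in-process stand-in for a backend in the private subnet. The event and response types mirror the fields of the API Gateway proxy integration format; the X-User-Sub header name and the sample event are assumptions. Besides the buffering the paragraph describes, it shows the one thing a proxy in this position must get right: the identity header the backend trusts is set only from the authorizer's verified claims, and any copy the client supplied is dropped.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// proxyEvent mirrors the fields of the API Gateway Lambda proxy event this forwarder uses
// (the real event carries more); proxyResponse is the object API Gateway expects back.
type proxyEvent struct {
	HTTPMethod            string            `json:"httpMethod"`
	Path                  string            `json:"path"`
	Headers               map[string]string `json:"headers"`
	QueryStringParameters map[string]string `json:"queryStringParameters"`
	Body                  string            `json:"body"`
	RequestContext        struct {
		Authorizer struct{ Claims map[string]string `json:"claims"` } `json:"authorizer"`
	} `json:"requestContext"`
}

type proxyResponse struct {
	StatusCode      int               `json:"statusCode"`
	Headers         map[string]string `json:"headers"`
	Body            string            `json:"body"`
	IsBase64Encoded bool              `json:"isBase64Encoded"`
}

// Lambda's synchronous payload limit: the whole response has to be buffered under it
// (API Gateway bounds the request side before the function is invoked).
const maxBody = 6 << 20

// forward rebuilds the client's request from the event, sends it to the backend in the
// private subnet and buffers the complete response back; nothing streams in either
// direction. The backend may trust X-User-Sub only because the client's copy is dropped here.
func forward(client *http.Client, backend string, ev proxyEvent) proxyResponse {
	body := []byte(ev.Body) // an event with isBase64Encoded=true would be decoded here first
	req, _ := http.NewRequest(ev.HTTPMethod, backend+ev.Path, bytes.NewReader(body)) // method and path come from API Gateway
	q := req.URL.Query()
	for k, v := range ev.QueryStringParameters {
		q.Set(k, v)
	}
	req.URL.RawQuery = q.Encode()
	for k, v := range ev.Headers {
		if l := strings.ToLower(k); l != "host" && l != "content-length" && l != "x-user-sub" {
			req.Header.Set(k, v) // drops hop-by-hop headers and an identity the client has no say in
		}
	}
	if sub := ev.RequestContext.Authorizer.Claims["sub"]; sub != "" {
		req.Header.Set("X-User-Sub", sub) // from claims the Cognito authorizer already verified
	}
	resp, err := client.Do(req)
	if err != nil {
		return proxyResponse{StatusCode: 502, Body: "backend unreachable"}
	}
	defer resp.Body.Close()
	respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxBody+1))
	if err != nil || len(respBody) > maxBody {
		return proxyResponse{StatusCode: 502, Body: "backend response too large to buffer"}
	}
	ct := resp.Header.Get("Content-Type")
	out := proxyResponse{StatusCode: resp.StatusCode, Headers: map[string]string{"Content-Type": ct}}
	if strings.HasPrefix(ct, "text/") || strings.HasPrefix(ct, "application/json") {
		out.Body = string(respBody)
	} else { // binary payloads go back to API Gateway base64-encoded
		out.Body, out.IsBase64Encoded = base64.StdEncoding.EncodeToString(respBody), true
	}
	return out
}

// demoBackend stands in for a service in the private subnet and echoes what it received.
func demoBackend(w http.ResponseWriter, r *http.Request) {
	b, _ := io.ReadAll(r.Body)
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"method": r.Method, "path": r.URL.Path,
		"query": r.URL.RawQuery, "sub": r.Header.Get("X-User-Sub"), "body": string(b)})
}

// demo sends a constructed event, in which the client tries to spoof X-User-Sub, through
// forward() against the local stand-in and returns what the backend actually saw.
func demo() (echo map[string]string) {
	srv := httptest.NewServer(http.HandlerFunc(demoBackend))
	defer srv.Close()
	ev := proxyEvent{HTTPMethod: "POST", Path: "/orders", Body: `{"item":"book"}`,
		QueryStringParameters: map[string]string{"limit": "5"},
		Headers:               map[string]string{"Content-Type": "application/json", "X-User-Sub": "spoofed-admin"}}
	ev.RequestContext.Authorizer.Claims = map[string]string{"sub": "user-123"}
	json.Unmarshal([]byte(forward(srv.Client(), srv.URL, ev).Body), &echo)
	return echo
}

func main() {
	fmt.Println(demo())
}
```

Run with go run; the echoed request shows sub=user-123 from the authorizer rather than the spoofed value, and the query string and body arrive intact. The response is read in full through a LimitReader, so a backend that streams a large file fails fast with a 502 instead of exhausting the function's memory or exceeding the payload limit.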

Advantages and drawbacks

Advantages

  • Detaching the authentication method from our services is something we advise you to do. Not only does it take a load off the servers, it also gives you the possibility of changing the authentication method without touching your servers.
  • Cognito handles signup, login, email and phone confirmation, and MFA. All of these are provided out of the box and can be easily customized with triggers. For a simple signup/login system, this is more than enough.
  • API Gateway provides access and execution logs in CloudWatch that can help you easily track any issue with requests.
  • Servers' logs can be streamed to Kibana to provide centralized logging.

Drawbacks

  • Managing a subnet's network ACLs is complex. Each server has different needs and therefore requires specific rules to allow only the necessary traffic in and out, and network ACLs are stateless, so return traffic has to be allowed explicitly on the ephemeral port range. When your servers access the internet they do so through a NAT Gateway, which uses its own source ports (1024–65535) for outbound connections, making the rules even harder to build.
  • Cognito's ID token expires 1 hour after it is issued. The refresh token expires 24 hours after it is issued. At the time of writing there is no way to change a token's lifetime if your application requires a shorter one; to do so you need to build a custom solution, something I'll be addressing in the next post.

This is a basic microservices architecture you can try in your next project! It’s been a challenge to build it and get used to debugging and tracking errors, but the final result is great.

To find out how we limited Cognito’s tokens, hang tight for my next post.

Wolox

We are a tech company redefining the way things work.

Matias De Santi

Written by

Software Engineer and Infrastructure&Cloud leader at Wolox. I’m passionate about applying new technologies to the projects I work with to get the best result.
