Is API Gateway Default Method Throttling per all requests or per client? - amazon-web-services

For a stage belonging to an API in AWS API Gateway I have the option to limit Default Method Throttling. Does this limit the total number of requests per second, or the number of requests from a particular client per second?

Default Method Throttling (like Account Level Throttling) is the total number of requests per second across everyone hitting your API.
Client-level limits are enforced with Usage Plans, based on api-keys.
For more detailed information about API Gateway throttling, check out:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html

Related

Do I get billed for requests coming in after GCP API Gateway rate limit is hit?

For example if I set the limit at 100 requests per min per project, will I get billed for requests after the limit is hit in that min? API Gateway pricing indicates
API Gateway charges by its calls to Service Control. Each API call processed by API Gateway is reported as a tracked operation by the Service Control API and is listed as a line item for Service Control on your bill.
The price for API Gateway depends on the number of calls to your API, as described in the following table:
API calls per month per billing account Cost per million API calls
0-2M $0.00
2M-1B $3.00
1B+ $1.50
If there is a DDoS attack, will I get billed for all the requests hitting the API Gateway, or will I only get billed for requests within the limit specified?

AWS Api Gateway maximum resource limit per api

What is the hard limit for the resources per REST api in Api Gateway? As per AWS docs https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#api-gateway-execution-service-limits-table, default quota is 300 per api which can be increased on request.
My use is I have multiple versions of the apis which I am trying to add in single REST api in Api Gateway. Is there a hard limit at AWS beyond which they won't increase?

Easiest way to limit AWS Lambda invocations per hour

I have an API Gateway invoking an AWS Lambda which sends Text messages.
In case of an accident or an attack, I would like to limit the max invocations per hour to mitigate the cost of an infinite loop for example.
What is the easiest way to do that? I can't see such options in AWS Lambda, SQS or even CloudWatch Alarms.
API Gateway supports rate limiting. You can set limits for individual API stages or methods and you can enable usage plans to restrict client request submissions to within specified request rates and quotas.
In addition, per the API Gateway FAQ:
API Gateway automatically protects your backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3).
And, finally, be aware of Protecting API Endpoints guidance.

How do we address/what are good practices for "serverless" resource abuse?

If I create a public endpoint using AWS API Gateway, the entire world could access it. This would be a problem because the end point would trigger an AWS Lambda function. If we assume that I can't query a data source to determine the frequency that the incoming IP address queried the resource in the past, what would be the best practice for protecting this end point from abuse? Do I have any other security options?
I realize I could use a reCaptcha but this would still invoke the AWS Lambda function and would incur costs if done a million times over a short window of time.
A very simple way of protecting your API Gateway:
Use AWS Cloudfront with TTL 0 and pass custom headers from AWS Cloudfront to API gateway
Use AWS WAF with AWS Cloudfront
AWS API Gateway also handles some basic level of DDoS attacks.
Kindly also view these blogs for securing AWS API Gateway
https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-i/
https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-2/
You are probably looking for throttling limit configuration or usage plan definition:
To prevent your API from being overwhelmed by too many requests, Amazon API Gateway throttles requests to your API using the token bucket algorithm, where a token counts for a request. Specifically, API Gateway sets a limit on a steady-state rate and a burst of request submissions against all APIs in your account. In the token bucket algorithm, the burst is the maximum bucket size.
When request submissions exceed the steady-state request rate and burst limits, API Gateway fails the limit-exceeding requests and returns 429 Too Many Requests error responses to the client. Upon catching such exceptions, the client can resubmit the failed requests in a rate-limiting fashion, while complying with the API Gateway throttling limits.
As an API developer, you can set the limits for individual API stages or methods to improve overall performance across all APIs in your account. Alternatively, you can enable usage plans to restrict client request submissions to within specified request rates and quotas. This restricts the overall request submissions so that they don't go significantly past the account-level throttling limits.
References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-usage-plans-with-console.html#api-gateway-usage-plan-create

AWS API Gateway Policy Per Header

I would like to have a policy on an API Gateway that would throttle requests based on a header value. For example, header value "AAA" would be allowed up to 10 requests per day, "BBB", 20 requests. Is this possible? How can I achieve this? Note: I am trying to avoid writing a lambda function for this purpose, because then I would need to keep state, etc.
API Gateway has Usage Plans, which support what you are attempting to do.
Each usage plan can have a throttling limit, which restricts requests per second and burst rate. Usage plans can also have quotas, which would allow you to add limits on requests per day.
API Gateway allows you to add API Keys to a usage plan. API Keys are sent in an HTTP header (x-api-key).
You can find more details in the Usage Plans for API Gateway launch blog and API Gateway Usage Plan docs.
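As an added example (not code from any of the posts above), here is a small Python model of the two layers the answers describe: a stage-level Default Method Throttling token bucket shared by every caller, and per-key usage plans with their own throttle plus a requests-per-day quota, answering 429 when either is exceeded. The class names, the 403 for a missing key, and the order of the checks are assumptions of this model, not AWS's implementation.

```python
class TokenBucket:
    """Token bucket as the docs describe it: rate = steady-state req/s, burst = bucket size."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0  # bucket starts full
    def try_take(self, now):
        # refill at the steady-state rate since the last call, capped at burst
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True
class UsagePlan:
    """Per-API-key limits: the plan's own throttle plus a requests-per-day quota."""
    def __init__(self, throttle, quota_per_day):
        self.throttle, self.quota_per_day = throttle, quota_per_day
        self.used = {}  # day index -> requests already admitted for this key
class Gateway:
    def __init__(self, stage_rate, stage_burst, plans):
        self.stage = TokenBucket(stage_rate, stage_burst)  # shared by every caller
        self.plans = plans  # x-api-key value -> UsagePlan
    def handle(self, api_key, now):
        """Status for one request; the order of checks is a modelling assumption."""
        plan = self.plans.get(api_key)
        if plan is None:
            return 403  # method requires an API key; none or unknown supplied
        day = int(now // 86400)
        if plan.used.get(day, 0) >= plan.quota_per_day:
            return 429  # this key's daily quota is used up
        if not self.stage.try_take(now):
            return 429  # stage-level (Default Method) throttle: global
        if not plan.throttle.try_take(now):
            return 429  # usage-plan throttle: this key only
        plan.used[day] = plan.used.get(day, 0) + 1
        return 200
def simulate():
    # Constructed scenario: stage allows 10 req/s with burst 5 for everyone;
    # key AAA may make 10 requests/day, key BBB 20 (the limits asked about above).
    gw = Gateway(10.0, 5, {"AAA": UsagePlan(TokenBucket(100.0, 100), 10),
                           "BBB": UsagePlan(TokenBucket(100.0, 100), 20)})
    out = {"aaa_t0": [gw.handle("AAA", 0.0) for _ in range(6)]}  # 5x200 then 429
    out["bbb_t0"] = gw.handle("BBB", 0.0)  # 429: AAA's burst emptied the shared bucket
    out["aaa_t1"] = [gw.handle("AAA", 1.0) for _ in range(5)]  # refilled; AAA at 10/day
    out["aaa_t2"] = gw.handle("AAA", 2.0)  # 429: AAA's own quota, stage has tokens
    out["bbb_t2"] = gw.handle("BBB", 2.0)  # 200: BBB's quota is separate
    out["nokey_t2"] = gw.handle(None, 2.0)  # 403: no x-api-key header
    return out
```

Calling simulate() shows that one noisy key can exhaust the stage-wide bucket for everyone, while a usage-plan quota only ever rejects the key that spent it.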