Evaluating the Amazon API Gateway.


Amazon API Gateway is an API Management product and generating a lot of interest within the Cloud services and the API Management community, I’m getting a lot of calls from my colleagues and customers regarding the features set and the suitable use cases.
The product is built on top of the AWS infrastructure and utilizing the AWS management tools and capabilities.
The platform enables the customers to publish, maintain, monitor, and secure APIs.
The below is a high-level evaluation using some of the common API Managements features or requirements as guidelines, this evaluation as any other technology evaluation; might be only accurate at the time of writing, as the product spec and features might change along with time.

Service Level Management

This is running on Amazon highly available infrastructure, the solution design is supporting creating multiple environments, or stages to host the APIs, i.e. dev, test and production.
You can find the system default limitations here.

  • There’s a throttling capability to control both burst and average calls per second, the default burst is 1000 and the default average is 500 and you can set both on the stage (environment) level or the API Method level (Method is the AWS notion of HTTP/Rest verb that is set to access a resource, i.e. Get, Post, Put, etc.).
  • Caching, you can use caching to cache attributes on a specific stage (environment).
  • Operational Support, once the API is deployed on a certain stage (environment), the traffic information could be logged to the Amazon CloudWatch facility and the traffic info could be logged on both the stage and the method levels.
  • Administrative actions are logged to the Amazon CloudTrail facility, also, you can log the request and response attributes to the Amazon CloudWatch facility.

Gateway Capabilities

Security and Access Control

  • Authentication & Authorization, you can use the latest AWS proprietary IAM and security capabilities to sign the API methods, however, I’m not aware of SAML 2.0 or oAuth 2.0 out of the box support.
  • Amazon is suppling SDK to create client stubs.
  • Consumer/API Keys, although you can create API keys and assign those to a specific consumer, however API keys are used to track usage trends by consumers and not recommended for authentication and authorization.
  • Custom Domain Name and Secure Transport, you can create a custom domain name and install a TLS certificate to support SSL/TLS secure transport.

Mediation & Transformation

  • Message Transformation, you can do a simple message transformation using JSON schemas and AWS Lambda functions, however, there is no support for out of the box complex transformation such as Rest to SOAP wizard style that will automatically can read and interpret a WSDL.
  • Service Life-cycle management, you can create multiple version of the same API and you can clone the API and copy from one stage to another, however there’s no API revisions or deprecation capabilities.

Developer Services

  • API Documentation and Authoring tools, AWS gateway developer services is heavily dependent on Swagger and the AWS Lambda functions, there’s no out of the box ability to create your own custom and branded developer portal.


  • Reports, you can create basic reports utilizing CloudWatch where you can analyze traffic per API and per consumer/API key, however there’s no out of the box support for report editor or custom reports such as geographical or IP access comparison for the same API, or comparing access for the same API using different keys or consumer devices, for instance, creating a report to compare Android vs. iOS traffic for the same API.

Sign up

  • Signing up for evaluation was very easy and straightforward, this is very mainstream for someone who is familiar with API Management.


  • This is an amazing step in the right direction, while the product is possibly missing on some of the advanced features such as out of the box oAuth support, advanced protocol transformation, developer portal and advanced analytics, however the price model is revolutionary in that space and would definitely benefit the SMB consumer by encouraging the other vendors to create SMB offerings and similar pricing model.
  • This is a good fit for a variety of use cases where Amazon security is sufficient and you’re comfortable with Lambda functions or you need to offer free public APIs for marketing purposes and lead generation where you still need to control the cost and the access thresholds.
  • You can also use it for mobile enablement using native mobile apps where you can utilize the AWS SDK.



  • Those are my personal views and not representing the people I worked with, the companies I worked for, or my/our past and present customers in any shape or form. Any resemblance to real life use cases or situations is accidental and not intentional in any way, shape or form.
  • Hope this is helping some and again I understand other’s experience and views could be completely different than mine and I completely respect that.

One thought on “Evaluating the Amazon API Gateway.

Comments are closed.