stackoom
  简体   繁体   中英

AWS serverless architecture – Why should I use API gateway?

 原文  2018-06-05 07:36:45       amazon-web-services/ amazon-s3/ aws-lambda/ aws-api-gateway

Question

Here is my use case:

  • Static react frontend hosted on s3
  • Python backend on lambda conduction long running data analysis
  • Postgres database on rds
  • Backend and frontend communicate exclusively with JSON
  • Occasionally backend creates and stores powerpoint files in s3 bucket and then serves them up by sending s3 link to frontend

Convince me that it is worthwhile going through all the headaches of setting up API gateway to connect the frontend and backend rather than invoking lambda directly from the frontend!

Especially given the 29s timeout which is not long enough for my app meaning I need to implement asynchronous processing and add a whole other layer of aws architecture (messaging, queuing and polling with SNS and SQS) which increases cost, time and potential for problems. I understand there are some security concerns, is there no way to securely invoke a lambda function?

1 answers

solution1
 3 ACCPTED  2018-06-05 11:09:06

You are talking about invoking a lambda directly from JavaScript running on a client machine.

I believe the only way to do that would be embedding the AWS SDK for JavaScript in your react frontend. See: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/browser-invoke-lambda-function-example.html

There are several security concerns with this, only some of which can be mitigated.

First off, you will need to hardcode AWS credentials in to your frontend for the world to see. The access those credentials have can be limited in scope, but be very careful to get this right, or otherwise you'll be paying for someone's cryptomining operation.

Assuming you only want certain people to upload files to a storage service you are paying for, you will need some form of authentication and authorisation. API Gateway doesn't really do authentication, but it can do authorisation, albeit by connecting to other AWS services like Cognito or Lambda (custom authorizers). You'll have to build this into your backend Lambda yourself. Absolutely doable and probably not much more effort than using a custom authorizer from the API Gateway.

The main issue with connecting to Lambda direct is that Lambda has the ability to scale rapidly, which can be an issue if someone tries to hit you with a denial of service attack. Lambda is cheap, but running 1000 concurrent instances 24 hours a day is going to add up.

API Gateway allows you rate limit per second/minute/hour/etc., Lambda only allows you to limit the number of concurrent instances at any given time. So if you were to set that limit at 1, an attacker could cause that 1 instance to run for 24 hours a day.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Why would you use AWS Lambda/API Gateway to serve up HTML content vs. S3 bucket for serverless architecture What is serverless? If the AWS Lambda and API Gateway use servers then Why are they called 'Serverless'? AmazonWebService - Should i use AWS API Gateway or AWS SDK When should I Use AWS API Gateway Proxy Integration? Lambda architecture on AWS and API Gateway Migrating an API to a serverless architecture with aws lambda AWS Serverless 403 forbidden API gateway AWS Serverless - Can I configure my provider or lambda function in my serverless.yml file to use an API Gateway resource in the same yml file? Setting CORS via API Gateway for Serverless Architecture Model Proxy Endpoint Which AWS API Gateway Authorizer Type should I use to protect my APIs with Okta? Lambda/Cognito?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM