Reputation: 2527
AWS serverless architecture – Why should I use API gateway?
Here is my use case:
- Static react frontend hosted on s3
- Python backend on lambda conduction long running data analysis
- Postgres database on rds
- Backend and frontend communicate exclusively with JSON
- Occasionally backend creates and stores powerpoint files in s3 bucket and then serves them up by sending s3 link to frontend
Convince me that it is worthwhile going through all the headaches of setting up API gateway to connect the frontend and backend rather than invoking lambda directly from the frontend!
Especially given the 29s timeout which is not long enough for my app meaning I need to implement asynchronous processing and add a whole other layer of aws architecture (messaging, queuing and polling with SNS and SQS) which increases cost, time and potential for problems. I understand there are some security concerns, is there no way to securely invoke a lambda function?
Upvotes: 1
Views: 467
Answers (1)
Reputation: 2155
You are talking about invoking a lambda directly from JavaScript running on a client machine.
I believe the only way to do that would be embedding the AWS SDK for JavaScript in your react frontend. See: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/browser-invoke-lambda-function-example.html
There are several security concerns with this, only some of which can be mitigated.
First off, you will need to hardcode AWS credentials in to your frontend for the world to see. The access those credentials have can be limited in scope, but be very careful to get this right, or otherwise you'll be paying for someone's cryptomining operation.
Assuming you only want certain people to upload files to a storage service you are paying for, you will need some form of authentication and authorisation. API Gateway doesn't really do authentication, but it can do authorisation, albeit by connecting to other AWS services like Cognito or Lambda (custom authorizers). You'll have to build this into your backend Lambda yourself. Absolutely doable and probably not much more effort than using a custom authorizer from the API Gateway.
The main issue with connecting to Lambda direct is that Lambda has the ability to scale rapidly, which can be an issue if someone tries to hit you with a denial of service attack. Lambda is cheap, but running 1000 concurrent instances 24 hours a day is going to add up.
API Gateway allows you rate limit per second/minute/hour/etc., Lambda only allows you to limit the number of concurrent instances at any given time. So if you were to set that limit at 1, an attacker could cause that 1 instance to run for 24 hours a day.
Upvotes: 3
Related Questions
- Lambda Integration vs. Lambda Proxy: Pros and Cons
- What is serverless? If the AWS Lambda and API Gateway use servers then Why are they called 'Serverless'?
- Should I use API gateway as a proxy to S3?
- Why do we need Lambda in between API Gateway and Dynamo DB in AWS?
- Why use SNS to trigger a lambda function, and not API gateway?
- AWS API Gateway: When to create another API?
- Node.js RESTful API server on AWS EC2 vs AWS API Gateway
- Invoking AWS Lambda - API Gateway vs direct invocation
- When should I Use AWS API Gateway Proxy Integration?
- AWS Lambda + API Gateway Development Best Practices