Tuesday 1/25/22 Cloud Studies Update: AWS Step Functions and API Gateway

Adrian Cantrill’s SAA-C02 study course, 50 minutes: Serverless and Application services section: Step Functions and API Gateway

AWS Step Functions

Lambda is FaaS (Function as a Service)

Best practice: create functions which are small, focused, and do one thing really well

Never try to put a full application inside a Lambda function:

– bad practice

– execution duration limit of 15 minutes

Lambda functions can be chained together

– gets messy at scale

Runtime environments are stateless

– state cannot be held through different Lambda function invocations

Step Functions allow for the creation of state machines

– think of a State machine as a workflow (start → states → end)

States are things which occur

– state machines are designed to perform an activity or flow which consists of lots of individual components, and to maintain data between those states

Maximum duration for invocations in state machines is one year

Standard Workflow and Express workflow

– choice influences speed of workflows and maximum duration

– standard is the default; one year execution limit

– express: high-volume, event-driven processing workloads such as IoT, streaming data processing and transformation, mobile application backends; runs up to five minutes

– generally used for backend processing

State machines can be started via API Gateway, IoT Rules, EventBridge, Lambda and more

Amazon States Language (ASL): the state machine is defined as a JSON template

An IAM role is used for the state machine's permissions

States

Succeed and Fail: terminal states which end the execution, successfully or with a failure

Wait: pauses processing either for a certain period of time or until a specific date and time

Choice: allows the state machine to take a different path depending on its input, so state machine behaviour can be influenced by the data flowing through it

Parallel: used to create parallel branches

Map: accepts a list, and performs a specific action for each item in the list

All these states control flow

Task: represents a single unit of work performed by a state machine (Lambda, Batch, DynamoDB, ECS, SNS, SQS, Glue, SageMaker, EMR, Step Functions)

– task states allow the state machine to perform things

– tasks can be integrated with lots of different services

– the state machine coordinates the work, calling external services to actually perform it

Summary: Step Functions let you create state machines. State machines are long-running serverless workflows: they have a start and an end, and in between they have states. States can be directional decision points, or they can be tasks which actually perform things on behalf of the state machine. By using them you can build complex workflows which integrate with lots of different AWS services.
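To make the ASL template and the state types above concrete, here is an added example (not code from the course or from AWS) of a small linter that walks a state machine definition before it is deployed. It reports a StartAt that points nowhere, dangling Next references, states that can never finish, unreachable states and a machine with no terminal state. The order workflow it checks is constructed for illustration, and the Lambda ARNs use the documentation placeholder account 123456789012.

```python
"""Lint an Amazon States Language (ASL) state machine definition before deploying it.

Added example (not code from the original notes or an AWS tool). Nested branches
of Parallel and Map states are not descended into; the sample workflow below is
constructed for illustration.
"""
import copy
import json

STATE_TYPES = {"Pass", "Task", "Choice", "Wait", "Parallel", "Map", "Succeed", "Fail"}


def successors(state):
    """Names of states this state can transition to (Next, Choice rules, Default, Catch)."""
    targets = set()
    if "Next" in state:
        targets.add(state["Next"])
    if state.get("Type") == "Choice":
        targets.update(rule["Next"] for rule in state.get("Choices", []) if "Next" in rule)
        if "Default" in state:
            targets.add(state["Default"])
    targets.update(c["Next"] for c in state.get("Catch", []) if "Next" in c)
    return targets


def is_terminal(state):
    """Succeed and Fail end the execution, as does any state marked End: true."""
    return state.get("Type") in {"Succeed", "Fail"} or state.get("End") is True


def lint_state_machine(definition):
    """Return a sorted list of problems; an empty list means the definition passed."""
    problems = []
    states = definition.get("States", {})
    start = definition.get("StartAt")
    if start not in states:
        problems.append(f"StartAt '{start}' is not a defined state")
    for name, state in states.items():
        if state.get("Type") not in STATE_TYPES:
            problems.append(f"{name}: unknown Type '{state.get('Type')}'")
        if not is_terminal(state) and not successors(state):
            problems.append(f"{name}: no Next/End, execution would be stuck")
        for target in successors(state):
            if target not in states:
                problems.append(f"{name}: Next '{target}' does not exist")
    # Reachability: walk from StartAt over known states only.
    seen, stack = set(), ([start] if start in states else [])
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(t for t in successors(states[current]) if t in states)
    problems.extend(f"{name}: unreachable from StartAt" for name in states if name not in seen)
    if not any(is_terminal(s) for s in states.values()):
        problems.append("no terminal state (Succeed, Fail or End: true)")
    return sorted(problems)


# Constructed ASL template: a Task, a Choice, a Wait, a Catch into a Fail state,
# and a deliberate typo in FulfilOrder's Next so the linter has something to find.
SAMPLE_DEFINITION = json.loads("""
{
  "Comment": "Constructed order workflow used to exercise the linter",
  "StartAt": "ValidateOrder",
  "States": {
    "ValidateOrder": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:validate-order",
      "Catch": [{"ErrorEquals": ["States.ALL"], "Next": "OrderFailed"}],
      "Next": "IsHighRisk"
    },
    "IsHighRisk": {
      "Type": "Choice",
      "Choices": [{"Variable": "$.riskScore", "NumericGreaterThan": 80, "Next": "ManualReview"}],
      "Default": "FulfilOrder"
    },
    "ManualReview": {"Type": "Wait", "Seconds": 3600, "Next": "FulfilOrder"},
    "FulfilOrder": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:fulfil-order",
      "Next": "NotifyCustomr"
    },
    "NotifyCustomer": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:notify-customer",
      "End": true
    },
    "OrderFailed": {"Type": "Fail", "Error": "OrderError", "Cause": "Validation raised an error"}
  }
}
""")


def fixed_definition():
    """Copy of the sample with the typo in FulfilOrder's Next corrected."""
    fixed = copy.deepcopy(SAMPLE_DEFINITION)
    fixed["States"]["FulfilOrder"]["Next"] = "NotifyCustomer"
    return fixed


if __name__ == "__main__":
    for problem in lint_state_machine(SAMPLE_DEFINITION) or ["no problems found"]:
        print(problem)
```

Run against the sample, the linter reports the dangling `NotifyCustomr` reference and, as a consequence, that `NotifyCustomer` is unreachable; the corrected copy from `fixed_definition()` passes cleanly. A check like this fits well in a pipeline step before `CreateStateMachine`, since a dangling Next only surfaces at execution time otherwise.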

API Gateway

Create and manage APIs

API: Application Programming Interface

– how applications communicate with each other

API Gateway acts as an endpoint or entry point for applications looking to talk to services

Sits between applications and integrations (services)

Highly available, scalable, handles authorisation, throttling, caching, CORS, transformations, OpenAPI spec, direct integration and much more

Can connect to services/endpoints in AWS or on-premises

HTTP APIs, REST APIs and WebSocket APIs

Three phases:

1. Integration request: authorize, validate, transform

2. Integration

3. Response: Transform, prepare, return

CloudWatch logs can store and manage full stage request and response logs. CloudWatch can store metrics for client and integration sides

API Gateway Cache can be used to reduce the number of calls made to backend integrations and improve client performance

Authentication

Cognito user pools: the client authenticates with Cognito and receives an authentication token in return; it passes the token in with a request to API Gateway, and API Gateway can natively verify the token

Lambda-based authorization: used to be called custom authorization; assumes the client has some form of bearer token (something which asserts an identity) and passes it to API Gateway with the request; API Gateway calls a Lambda authorizer, which validates the token (using custom compute or a local store), and then either invokes the backend Lambda function or returns 403 access denied

IAM authorization: the caller's AWS credentials are passed in the request headers
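The Lambda-based authorization flow above, written out as an added example handler (not code from the course or from AWS). To run offline it assumes a constructed token format, `<user>.<expiry>.<hex signature>`, signed with the placeholder `SIGNING_KEY`; a production authorizer would instead verify a JWT from an identity provider such as a Cognito user pool. What is real is the response shape API Gateway expects from a TOKEN authorizer: a `principalId` plus an IAM policy document allowing or denying `execute-api:Invoke` on the `methodArn` it was handed.

```python
"""API Gateway Lambda authorizer: validate a bearer token, return an IAM policy.

Added example, not code from the original notes. The token format and signing
key are constructed placeholders so the handler runs offline.
"""
import hashlib
import hmac
import time

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # placeholder, not a real secret


def mint_token(user, ttl_seconds, now=None):
    """Issue a token of the constructed format; used here only to build test input."""
    now = int(time.time()) if now is None else now
    payload = f"{user}.{now + ttl_seconds}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token, now=None):
    """Return the user if the token is well-formed, correctly signed and unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user, expiry, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{user}.{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison of signatures
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return user


def build_policy(principal, effect, method_arn):
    """The response document API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
        # Optional key/value context that API Gateway passes on to the integration.
        "context": {"user": principal},
    }


def handler(event, context=None, now=None):
    """Lambda entry point for a TOKEN authorizer.

    `event` carries authorizationToken (the Authorization header) and methodArn.
    The `now` parameter exists only so the example can be tested deterministically.
    """
    header = event.get("authorizationToken", "")
    method_arn = event.get("methodArn", "*")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Raising with exactly this message makes API Gateway respond 401 Unauthorized.
        raise Exception("Unauthorized")
    user = verify_token(token, now=now)
    if user is None:
        # An explicit Deny policy makes API Gateway respond 403 Access Denied.
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(user, "Allow", method_arn)


if __name__ == "__main__":
    demo_event = {
        "authorizationToken": "Bearer " + mint_token("alice", 300),
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders",
    }
    print(handler(demo_event)["policyDocument"]["Statement"][0]["Effect"])
```

Two points worth keeping in mind when adapting this: API Gateway can cache the authorizer's result for a token for the configured TTL, so the `Resource` in the returned policy should be scoped to what that caller is actually permitted to reach rather than a wildcard, and a missing or malformed header should be rejected before any token work is done, as the handler does with the 401 path.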

Endpoint types

Edge-optimized:

– routed to nearest CloudFront POP (point of presence)

Regional:

– for clients in the same region

Private:

– endpoint accessible only within a VPC via interface endpoints


Most things in API Gateway are defined based on a stage

Each stage has its own unique endpoint URL and its own settings

Each stage can be deployed into individually

Stages can be enabled for canary deployments; deployments are made to the canary, not the stage

Stages enabled for canary deployments can be configured so a certain percentage of traffic is sent to the canary. This can be adjusted over time – or the canary can be promoted to make it the new base ‘stage’

API Gateway: Errors

4XX – Client Error: Invalid request on client side

5XX – Server Error: Valid request, backend issue

400 – Bad Request – Generic

403 – Access Denied: the authorizer denied the request, or it was filtered by WAF

429 – Throttled: API Gateway can throttle requests, and the configured limit has been exceeded

502 – Bad Gateway Exception: bad output returned by Lambda

503 – Service Unavailable: backing endpoint offline, or major service issues

504 – Integration Failure/Timeout: 29 second limit
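Since the notes mention that CloudWatch can hold full request and response logs per stage, here is an added example (not from the course) of detection logic run over a few constructed API Gateway access-log entries. It classifies responses into 2xx/4xx/5xx buckets and flags any source IP that accumulates 403s or 429s, which is the pattern you would want to see before deciding on a WAF rule or a per-key throttle. The JSON field names are assumed to come from a custom access-log format built on API Gateway's `$context` variables; both the format and the sample lines are constructed for this example.

```python
"""Summarise API Gateway access-log entries and flag clients repeatedly denied or throttled.

Added example; the log format and sample lines are constructed, not real data.
"""
import json
from collections import Counter, defaultdict

# Constructed access-log lines (one JSON object per line, as a custom access-log
# format in API Gateway would emit). Addresses are from documentation ranges.
SAMPLE_LOG_LINES = [
    '{"requestTime":"25/Jan/2022:10:00:01 +0000","sourceIp":"203.0.113.10","httpMethod":"GET","resourcePath":"/orders","status":"200"}',
    '{"requestTime":"25/Jan/2022:10:00:02 +0000","sourceIp":"203.0.113.10","httpMethod":"GET","resourcePath":"/orders","status":"200"}',
    '{"requestTime":"25/Jan/2022:10:00:03 +0000","sourceIp":"198.51.100.7","httpMethod":"GET","resourcePath":"/admin","status":"403","errorMessage":"authorizer returned Deny"}',
    '{"requestTime":"25/Jan/2022:10:00:04 +0000","sourceIp":"198.51.100.7","httpMethod":"GET","resourcePath":"/admin","status":"403","errorMessage":"authorizer returned Deny"}',
    '{"requestTime":"25/Jan/2022:10:00:05 +0000","sourceIp":"198.51.100.7","httpMethod":"GET","resourcePath":"/admin/users","status":"403","errorMessage":"authorizer returned Deny"}',
    '{"requestTime":"25/Jan/2022:10:00:06 +0000","sourceIp":"198.51.100.7","httpMethod":"GET","resourcePath":"/orders","status":"429","errorMessage":"Too Many Requests"}',
    '{"requestTime":"25/Jan/2022:10:00:07 +0000","sourceIp":"203.0.113.10","httpMethod":"POST","resourcePath":"/orders","status":"502","errorMessage":"bad output from integration"}',
    '{"requestTime":"25/Jan/2022:10:00:08 +0000","sourceIp":"203.0.113.10","httpMethod":"POST","resourcePath":"/orders","status":"504","errorMessage":"integration timed out"}',
    'this line is deliberately not JSON',
]

DENIAL_STATUSES = {403, 429}


def parse_line(line):
    """Return the log entry as a dict, or None if the line is not a JSON object."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    return entry if isinstance(entry, dict) else None


def summarize(lines):
    """Return (class_counts, denials): counts per status class, and 403/429 totals per source IP."""
    classes = Counter()
    denials = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            classes["unparsed"] += 1
            continue
        status = int(entry.get("status", 0))
        classes[f"{status // 100}xx"] += 1
        if status in DENIAL_STATUSES:
            denials[entry.get("sourceIp", "unknown")] += 1
    return classes, dict(denials)


def flag_clients(lines, threshold=3):
    """Source IPs with at least `threshold` denied or throttled calls, sorted."""
    _, denials = summarize(lines)
    return sorted(ip for ip, count in denials.items() if count >= threshold)


if __name__ == "__main__":
    classes, denials = summarize(SAMPLE_LOG_LINES)
    print(dict(classes))
    print("flagged:", flag_clients(SAMPLE_LOG_LINES))
```

The 5xx bucket is the one to watch from the backend side (bad Lambda output, offline integrations, the 29 second timeout), while the per-IP 403/429 count is the client-side signal; keeping the unparsed count visible guards against silently dropping lines when the access-log format changes.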

API Gateway: Caching

– configured per stage

– without caching, any service making a request to the API Gateway stage will invoke backend integrations every time

– caching is defined on a stage (500 MB to 237 GB in size)

– cache TTL is from 0 to 3,600 seconds

– cache can be encrypted

– calls only made to backend when there is a cache miss

– reduced load, reduced cost, improved performance

Published by pauldparadis

Working towards cloud networking security as a profession.
