Serverless & Edge Computing

Serverless API Gateway Setup

Your API gateway is the front door to every backend service. A misconfigured gateway means leaked data, runaway costs, and miserable developer experience. We configure serverless API gateways — AWS API Gateway HTTP/REST, Cloudflare Workers, or Kong on serverless — with authentication, rate limiting, request validation, CORS, and structured logging so your API is secure, fast, and observable from day one.

Need this done for your project?

We implement, you ship. Async, documented, done in days.

Start a Brief

AWS API Gateway Configuration

We configure AWS API Gateway v2 (HTTP API) for most use cases — it is faster, cheaper, and simpler than REST API. For advanced features like request transformation, API keys, or usage plans, we use REST API instead.

resource "aws_apigatewayv2_api" "http" {
  name          = "${var.project}-${var.env}"
  protocol_type = "HTTP"
  
  cors_configuration {
    allow_origins     = var.cors_origins
    allow_methods     = ["GET","POST","PUT","PATCH","DELETE","OPTIONS"]
    allow_headers     = ["Content-Type","Authorization","X-Request-ID"]
    expose_headers    = ["X-Request-ID","X-RateLimit-Remaining"]
    allow_credentials = true
    max_age           = 7200
  }
}

resource "aws_apigatewayv2_authorizer" "jwt" {
  api_id           = aws_apigatewayv2_api.http.id
  authorizer_type  = "JWT"
  identity_sources = ["$request.header.Authorization"]
  name             = "cognito-jwt"

  jwt_configuration {
    audience = [var.cognito_client_id]
    issuer   = "https://cognito-idp.${var.region}.amazonaws.com/${var.cognito_pool_id}"
  }
}

Routes are defined per-resource with explicit HTTP methods. Each route points to a Lambda integration with payload format version 2.0 for cleaner event structure. We never use the $default catch-all route in production — every endpoint is explicitly defined.

Authentication & Authorization Patterns

We implement authentication at the gateway layer so your Lambda functions receive pre-validated identity claims without any auth logic in business code.

  • Cognito JWT — Native API Gateway JWT authorizer validates tokens with zero Lambda invocations
  • Custom Lambda Authorizer — For API key validation, OAuth2 from non-Cognito providers, or multi-tenant authorization
  • IAM Authorization — For service-to-service calls using SigV4 signing
// Custom Lambda authorizer for multi-tenant API keys
export const handler = async (event: APIGatewayRequestAuthorizerEventV2) => {
  const apiKey = event.headers?.['x-api-key'];
  
  if (!apiKey) {
    return { isAuthorized: false };
  }

  const tenant = await lookupApiKey(apiKey);
  if (!tenant || !tenant.active) {
    return { isAuthorized: false };
  }

  return {
    isAuthorized: true,
    context: {
      tenantId: tenant.id,
      plan: tenant.plan,
      rateLimit: tenant.rateLimit,
    },
  };
};

Authorization context is passed to downstream Lambda functions via event.requestContext.authorizer, enabling per-tenant rate limits, feature flags, and data isolation without additional database lookups.

Rate Limiting & Throttling

We configure rate limiting at multiple layers to protect your backend from abuse and ensure fair usage across tenants.

# API Gateway throttling (account-level defaults)
resource "aws_apigatewayv2_stage" "prod" {
  api_id = aws_apigatewayv2_api.http.id
  name   = "prod"
  
  default_route_settings {
    throttling_burst_limit = 500
    throttling_rate_limit  = 1000
  }
}

# Per-route throttling for expensive operations
resource "aws_apigatewayv2_route" "generate_report" {
  api_id    = aws_apigatewayv2_api.http.id
  route_key = "POST /reports/generate"
  
  # Custom throttle via stage route settings
}

# WAF rate limiting for DDoS protection
resource "aws_wafv2_web_acl" "api" {
  name  = "api-waf-${var.env}"
  scope = "REGIONAL"
  
  rule {
    name     = "rate-limit"
    priority = 1
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "api-rate-limit"
    }
  }
}

For per-tenant rate limiting beyond what API Gateway offers natively, we implement a DynamoDB-backed token bucket in a Lambda authorizer. This adds under 10ms of latency and scales to millions of requests.

Custom Domains & Observability

We configure custom domains with ACM certificates and Route 53 records so your API runs on api.yourdomain.com with automatic certificate renewal.

resource "aws_apigatewayv2_domain_name" "api" {
  domain_name = "api.${var.domain}"
  
  domain_name_configuration {
    certificate_arn = aws_acm_certificate.api.arn
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
  }
}

resource "aws_route53_record" "api" {
  zone_id = data.aws_route53_zone.main.zone_id
  name    = "api.${var.domain}"
  type    = "A"
  
  alias {
    name    = aws_apigatewayv2_domain_name.api.domain_name_configuration[0].target_domain_name
    zone_id = aws_apigatewayv2_domain_name.api.domain_name_configuration[0].hosted_zone_id
    evaluate_target_health = false
  }
}

Access logs stream to CloudWatch in JSON format with request ID, client IP, method, path, status code, latency, and integration error messages. We build CloudWatch dashboards showing p50/p95/p99 latency, 4xx/5xx error rates, and request volume per route. Alarms notify your team via SNS when error rates exceed 1% or p99 latency exceeds 3 seconds.

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.

Start a BriefDevOps Implementation Service