API Gateway

API Gateway Resource Replication with Arpio

Arpio's API Gateway support covers both HTTP and REST APIs. Read on for more details on resource replication for each version.


Jump to:

HTTP APIs in API Gateway (v2)

REST APIs in API Gateway (v1)

Arpio Replication Restrictions

HTTP APIs in API Gateway (v2)

Arpio replicates the resources necessary to back up your HTTP APIs in the API Gateway v2 service into your recovery environment or account. Arpio does not yet support WebSocket APIs in API Gateway v2.

Because APIs are unlikely to be used (or usable) in standby mode, these resources are only replicated when your application is in failover or failover test mode. The specific resources Arpio replicates are listed below.

API


Only APIs with a ProtocolType of 'HTTP' are supported for replication. These resources are automatically discovered and included in recovery points when an API is selected for replication:

  • Deployed Stages of the API
  • Integrations used by the undeployed version of the API
  • Routes used by the undeployed version of the API
  • API Mappings that use this API

API Mapping


Here are the resources that are automatically included in recovery points when an API Mapping is selected for replication:

  • API the API Mapping is referencing
  • Domain Name the API Mapping is referencing
  • The API Stage the API Mapping is referencing

Authorizer


Translated attributes:

  • API ID: the ID of the replicated API that uses this Authorizer.
  • Authorizer Credentials ARN: if an IAM role is used for authorization, the ARN of the replicated role is used.
  • Authorizer URI: the URI for Lambda-based authorizers is translated so that it contains the ARN of the replicated Lambda function, version, or alias.
  • JWT Configuration: for JWT Cognito authorizers with a custom domain, the issuer keeps the same domain prefix, but the issuer URL uses the replication region. For Cognito authorizers without a custom domain, the issuer URL is translated to use the replication region and the replicated user pool ID. Each client ID in the Audience list of a JWT Cognito authorizer is translated to the matching replicated Cognito user pool client. If the identity provider is not Cognito, the JWT configuration is not translated and the replicated configuration is identical to the source configuration.


When an Authorizer is selected for replication, these resources are discovered and included for replication:

  • The API that uses this Authorizer
  • Any IAM Roles used by the Authorizer
  • Any Lambda Functions, Versions, or Aliases used by the Authorizer
  • Cognito User Pools and Cognito User Pool Clients used by the Authorizer
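
As an added illustration of the JWT Configuration rules above (this is example code, not Arpio's implementation), the following Python applies the two Cognito issuer forms and the audience mapping to a JwtConfiguration object shaped like the API Gateway v2 GetAuthorizer response. It assumes the "custom domain" issuer form is the Cognito hosted UI domain, https://<prefix>.auth.<region>.amazoncognito.com; the pool IDs, client IDs and region names are constructed sample values, and the pool_map/client_map inputs stand in for whatever source-to-replica mapping the recovery process holds. The error path shows what happens when an audience client has no replicated counterpart, which is the case a practitioner most wants to catch before a failover test.

```python
"""Illustrative model of the JWT authorizer translation rules (added example, not Arpio code).

Input shape mirrors the JwtConfiguration object returned by API Gateway v2 GetAuthorizer:
    {"Issuer": "<url>", "Audience": ["<client id>", ...]}
"""
import re
from typing import Dict, List

# Form 1: pool-specific issuer, https://cognito-idp.<region>.amazonaws.com/<user-pool-id>
POOL_ISSUER = re.compile(
    r"^https://cognito-idp\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com/"
    r"(?P<pool>[a-z0-9-]+_[A-Za-z0-9]+)$"
)
# Form 2 (assumed meaning of "custom domain"): Cognito hosted UI domain,
# https://<prefix>.auth.<region>.amazoncognito.com
DOMAIN_ISSUER = re.compile(
    r"^https://(?P<prefix>[a-z0-9-]+)\.auth\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"\.amazoncognito\.com/?$"
)


class TranslationError(ValueError):
    """A Cognito user pool or app client in the source has no replicated counterpart."""


def translate_jwt_configuration(jwt_cfg: Dict, recovery_region: str,
                                pool_map: Dict[str, str], client_map: Dict[str, str]) -> Dict:
    """Return the translated JwtConfiguration; non-Cognito issuers are copied unchanged."""
    issuer = jwt_cfg["Issuer"]
    pool = POOL_ISSUER.match(issuer)
    domain = DOMAIN_ISSUER.match(issuer)
    if pool:
        src_pool = pool.group("pool")
        if src_pool not in pool_map:
            raise TranslationError(f"user pool {src_pool} has no replicated counterpart")
        new_issuer = f"https://cognito-idp.{recovery_region}.amazonaws.com/{pool_map[src_pool]}"
    elif domain:
        # Same domain prefix, only the region changes.
        new_issuer = f"https://{domain.group('prefix')}.auth.{recovery_region}.amazoncognito.com"
    else:
        # Not a Cognito identity provider: carried over as-is.
        return {"Issuer": issuer, "Audience": list(jwt_cfg.get("Audience", []))}

    audience: List[str] = []
    for client_id in jwt_cfg.get("Audience", []):
        if client_id not in client_map:
            raise TranslationError(f"user pool client {client_id} has no replicated counterpart")
        audience.append(client_map[client_id])
    return {"Issuer": new_issuer, "Audience": audience}


def references_region(jwt_cfg: Dict, region: str) -> bool:
    """Post-failover sanity check: does the issuer still name the given region?"""
    for pattern in (POOL_ISSUER, DOMAIN_ISSUER):
        m = pattern.match(jwt_cfg["Issuer"])
        if m:
            return m.group("region") == region
    return False


# Constructed sample values (hypothetical pool and client IDs, not from any real account).
SOURCE_REGION = "us-east-1"
RECOVERY_REGION = "us-west-2"
POOL_MAP = {"us-east-1_AbCdEfGhI": "us-west-2_ZyXwVuTsR"}
CLIENT_MAP = {
    "1a2b3c4d5e6f7g8h9i0jklmnop": "9z8y7x6w5v4u3t2s1r0qponmlk",
    "abcdefghijklmnopqrstuvwxyz": "zyxwvutsrqponmlkjihgfedcba",
}
SAMPLE_POOL_ISSUER = {
    "Issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_AbCdEfGhI",
    "Audience": ["1a2b3c4d5e6f7g8h9i0jklmnop", "abcdefghijklmnopqrstuvwxyz"],
}
SAMPLE_DOMAIN_ISSUER = {
    "Issuer": "https://myapp.auth.us-east-1.amazoncognito.com",
    "Audience": ["1a2b3c4d5e6f7g8h9i0jklmnop"],
}
SAMPLE_NON_COGNITO = {"Issuer": "https://example.okta.com/oauth2/default", "Audience": ["api://default"]}

if __name__ == "__main__":
    for cfg in (SAMPLE_POOL_ISSUER, SAMPLE_DOMAIN_ISSUER, SAMPLE_NON_COGNITO):
        out = translate_jwt_configuration(cfg, RECOVERY_REGION, POOL_MAP, CLIENT_MAP)
        print(out, "| still references source region:", references_region(out, SOURCE_REGION))
```

Run the module directly to see the three translated configurations; in a real failover test the same two functions would be fed the JwtConfiguration read back from the recovered authorizer, and a True from references_region against the source region means the authorizer would still trust tokens issued in the region you just failed away from.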

Domain Name

 

Translated attributes:

  • Domain name configurations: certificate ARNs and ownership verification certificate ARNs in the domain name configurations are translated to the corresponding replicated certificate ARNs.

These resources are automatically included when a DomainName is picked for replication:

  • Certificates used in the Domain Name’s configuration
  • API Mappings that reference this Domain Name

Integration


Translated attributes:

  • API ID: the ID of the replicated API that uses this Integration.
  • Connection ID: the ID of the replicated VPC Link.
  • Credentials ARN: if an IAM role is used for the integration credentials, the ARN of the replicated role is used.
  • Request Parameters: SQS queue URLs in the request parameters are translated to the replicated queue URLs.
  • Integration URI: the URI for Lambda-backed Integrations is translated so that it contains the ARN of the replicated Lambda function, function version, or function alias.



The resources automatically included for replication when an Integration is selected for replication are:

  • The API using the Integration
  • IAM roles used as credentials by the Integration
  • VPC Links used by the Integration
  • Lambda functions, versions, or aliases used by the Integration
  • SQS Queues used by the Integration

Route


Translated attributes:

  • API ID: the ID of the replicated API that uses this Route.
  • Authorizer ID: the ID of the replicated Authorizer that corresponds to the source Route's Authorizer.
  • Target: the Integration ID referenced by the target is translated to the ID of the replicated Integration for the source Route.


When an API Route is selected for replication, these resources are automatically marked for replication:

  • The API using this route
  • The Authorizer used by the route
  • The Target Integration the Route is referencing
  • If a Route is used in a Staged API, the Stage whose name is alphabetically less than the Stage that uses the Route is selected
  • If the Route is not used in a Staged API, and there are Stages, the Stage whose name is alphabetically first is selected.

Stage


Translated attributes:

  • Access Log Settings: the log destination is translated to the CloudWatch log group in the replication region and account.
  • API ID: the ID of the replicated API that contains this Stage.
  • Route Settings: if a stage does not have a deployment with routes, AWS will not let Arpio create replicated route settings. As a result, when Arpio replicates a Stage that has route settings but no associated deployment, it creates the Stage without any route settings.


When a Stage is selected for replication, these resources are also automatically included for replication:

  • The API using this stage
  • If there are other Stages, the Stage whose name is alphabetically less than this Stage's name is selected
  • Any Routes used in this Stage

VPC Link


Translated attributes:

  • API ID: the ID of the replicated API that uses this VPC Link.
  • Subnet IDs: the IDs of the corresponding subnets in the replicated VPC that the VPC Link points to.
  • Security Group IDs: the IDs of the corresponding security groups in the replicated VPC that the VPC Link points to.


When a VpcLink is selected for replication, these resources are also pulled in for replication:

  • Subnets used by the VPC Link
  • Security groups used by the VPC Link


REST APIs in API Gateway (v1)

Arpio supports replication of the following REST API Gateway resource types. Because APIs are unlikely to be used (or usable) in standby mode, these resources are only replicated when your application is in failover or failover test mode.

Account

Translated attributes:

  • CloudWatch Role ARN: the CloudWatch role is replicated, and the replicated role's ARN is used in translation.

Resources automatically discovered and included in recovery points when the Account is selected for replication:

  • The CloudWatch IAM role used for writing API logs to Amazon CloudWatch

Authorizer

Translated attributes:

  • Authorizer Credentials: if an IAM role is used for authorization, the ARN of the replicated role is used.
  • Authorizer URI: the URI for Lambda-based authorizers is translated so that it contains the ARN of the replicated Lambda function, version, or alias.
  • Provider ARNs: the provider ARNs of Cognito authorizers are translated to the ARNs of the matching replicated Cognito user pools.
  • Rest API ID: the ID of the replicated Rest API that uses this Authorizer.

Base Path Mapping

Translated attributes:

  • Rest API ID: the ID of the replicated Rest API that the Base Path Mapping links to the domain name.

Here are the resources that are automatically included in recovery points when a Base Path Mapping is selected for replication:

  • Rest API the Base Path Mapping is referencing
  • Domain Name the Base Path Mapping is referencing
  • Deployed Stage of the Rest API the Base Path Mapping is referencing

Documentation Part

Documentation Parts used by a Rest API and all the Documentation Part attributes are replicated to the recovery environment.

Domain Name

Translated attributes:

  • Domain name configurations: certificate ARNs and ownership verification certificate ARNs in the domain name configurations are translated to the corresponding replicated certificate ARNs.

These resources are automatically included when a DomainName is picked for replication:

  • Certificates used in the Domain Name’s configuration
  • Base Path Mappings that reference this Domain Name

Edge-optimized APIs are delivered through a CloudFront distribution that AWS creates and manages for you when you create the API. CloudFront does not allow a domain name used in one distribution to be used in any other distribution, even in other AWS accounts and regions. For this reason, Arpio recovers edge-optimized APIs as regional APIs in your recovery environment so that your custom domain names can still be used. In a recovery situation, you will need to update your DNS configuration to send traffic to the API running in the replication region.

Gateway Response

Gateway Responses used by a Rest API and all the Gateway Response attributes are replicated to the recovery environment.

Method

Translated attributes:

  • Authorizer ID: the ID of the replicated Authorizer this Method uses for authorization.
  • Request Validator ID: the ID of the replicated Request Validator used by this Method.
  • Resource ID: the ID of the replicated Resource this Method belongs to.
  • Rest API ID: the ID of the replicated Rest API associated with this Method.

Model

Translated attributes:

  • Rest API ID: the ID of the replicated Rest API associated with this Model.

Request Validator

Translated attributes:

  • Rest API ID: the ID of the replicated Rest API that uses this Request Validator.

Resource

Translated attributes:

  • Rest API ID: the ID of the replicated Rest API that uses this Resource.

Rest API

Translated attributes:

  • Endpoint Configuration: VPC endpoints referenced in the source Rest API are translated to the corresponding VPC endpoints in the recovery environment.
  • Policy: the API ARN in the resource policy document for this Rest API is translated to match the ARN of the replicated API.

These resources are automatically discovered and included in recovery points when a Rest API is selected for replication:

  • All Stages of the Rest API, including its deployed Stages
  • IAM roles used in the policy document of the Rest API
  • Settings for the API Gateway account in the recovery region

Stage

Translated attributes:

  • Access Log Settings: the region and account ID in the CloudWatch log group ARN are replaced with the region and account ID of your recovery region and account. Arpio does not currently support CloudWatch, so you will need to create the CloudWatch log group in the recovery environment yourself.
  • Rest API ID: the ID of the replicated Rest API that contains this Stage.

When a Stage is selected for replication, these resources are also automatically included for replication:

  • The API using this stage
  • Stages deployed before this stage
  • WAF Web ACLs that use the stage as a service endpoint
  • Lambda functions, versions, or aliases that are used as authorizers or in a method integration.
  • Cognito User Pools that are used as authorizers
  • SQS queues that are used in a method integration
  • IAM Roles used in the Stage’s resource policy or used as authorizer credentials
  • VPC Links used for a method integration
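
After a failover test, a practitioner will want to confirm that nothing in the recovered configuration still points at the source region or account, and that the access log group named in the Stage actually exists, since the log group ARN is translated but the group is not created. The following Python audit is an added example, not Arpio code. It walks a snapshot shaped like the GetRestApi and GetStage responses (the resource policy arrives as an embedded JSON string, which it decodes), flags every embedded ARN that still carries the source region or source account, and lists the log groups to create in advance. The snapshot, account IDs and ARNs are constructed; the stage variable holding a source-region Lambda ARN is there to show how a reference that none of the translation tables above cover surfaces in the output. The same walk works on an API Gateway v2 Stage, since it only depends on the ARN format.

```python
"""Post-failover audit for stale source-region/account references (added example, not Arpio code)."""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Header of any ARN embedded in a string: arn:<partition>:<service>:<region>:<account>:
# Region and account may be empty (IAM, S3) or non-numeric (the apigateway:...:lambda:path form).
ARN_HEAD = re.compile(r"arn:[a-z-]+:(?P<service>[a-z0-9-]+):(?P<region>[a-z0-9-]*):(?P<account>[^:]*):")


def iter_strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json-path, value) for every string in a nested structure, descending into
    strings that are themselves JSON documents, which is how API Gateway returns resource policies."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        if node.lstrip().startswith("{"):
            try:
                yield from iter_strings(json.loads(node), f"{path}(json)")
                return
            except ValueError:
                pass
        yield path, node


def find_stale_references(config: Dict, source_region: str, source_account: str,
                          recovery_region: str, recovery_account: str) -> List[Dict[str, str]]:
    """Report every embedded ARN whose region or account is still the source's.
    Global services (IAM) carry an empty region and are checked by account only."""
    findings: List[Dict[str, str]] = []
    for path, value in iter_strings(config):
        for arn in ARN_HEAD.finditer(value):
            region, account = arn.group("region"), arn.group("account")
            if region == source_region and region != recovery_region:
                findings.append({"path": path, "arn": arn.group(0), "problem": "source region"})
            elif account == source_account and account != recovery_account:
                findings.append({"path": path, "arn": arn.group(0), "problem": "source account"})
    return findings


def access_log_groups(stage: Dict) -> List[str]:
    """Log group ARNs the stage writes to; these must exist in the recovery account beforehand."""
    destination = stage.get("accessLogSettings", {}).get("destinationArn")
    return [destination] if destination else []


# Constructed snapshot of a recovered API (hypothetical IDs and account numbers).
SOURCE_REGION, SOURCE_ACCOUNT = "us-east-1", "111111111111"
RECOVERY_REGION, RECOVERY_ACCOUNT = "us-west-2", "222222222222"
RECOVERED_API = {
    "restApi": {
        "id": "r3c0v3ry1d",
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                # Caller role still named by its source-account ARN: a stale cross-account principal.
                "Principal": {"AWS": "arn:aws:iam::111111111111:role/orders-caller"},
                "Action": "execute-api:Invoke",
                "Resource": "arn:aws:execute-api:us-west-2:222222222222:r3c0v3ry1d/*",
            }],
        }),
    },
    "stage": {
        "stageName": "prod",
        "accessLogSettings": {
            "format": "$context.requestId $context.identity.sourceIp",
            "destinationArn": "arn:aws:logs:us-west-2:222222222222:log-group:/apigw/orders/prod",
        },
        "webAclArn": "arn:aws:wafv2:us-west-2:222222222222:regional/webacl/orders/0f0f0f0f-1111-2222-3333-444444444444",
        # Stage variables are not covered by the translation tables; this one still points at the source region.
        "variables": {"backendFn": "arn:aws:lambda:us-east-1:111111111111:function:orders-backend"},
    },
}

if __name__ == "__main__":
    for finding in find_stale_references(RECOVERED_API, SOURCE_REGION, SOURCE_ACCOUNT,
                                         RECOVERY_REGION, RECOVERY_ACCOUNT):
        print(f"STALE {finding['problem']:<14} {finding['path']}: {finding['arn']}")
    for arn in access_log_groups(RECOVERED_API["stage"]):
        print(f"CREATE before failover test: {arn}")
```

Against the constructed snapshot the audit reports two findings, the source-account principal in the resource policy and the source-region Lambda ARN in the stage variable, and one log group to pre-create. In practice you would build the snapshot from GetRestApi, GetStage and the authorizer and integration calls for the recovered API, then treat any finding as a blocker for the test: a stale principal silently widens who can invoke the recovered API, and a stale backend ARN means requests are routed back into the region you are failing away from.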

VPC Link

 

Translated attributes:

  • API ID: the ID of the replicated API that uses this VPC Link.
  • Target ARNs: the ARNs of the corresponding replicated Network Load Balancers.

 

When a VpcLink is selected for replication, these resources are also pulled in for replication:

  • Network load balancers used by the VPC link


Arpio Replication Restrictions

The following API Gateway resources are not currently supported by Arpio:

  • API Key
  • Client Certificate
  • Usage Plan
  • Usage Plan Key

Also, the state of the following resources is only replicated as it exists in a deployed stage. If an attribute on one of these resources is updated but the API is not redeployed to a stage, the changed attribute is not replicated, so deploy the API after changing them if the change must be present in the recovery environment.

  • Authorizer
  • Documentation Part
  • Gateway Response
  • Method
  • Model
  • Request Validator
  • Resource

Finally, only these Integration types in the Method resource are supported for replication:

  • Mock
  • Lambda