API Gateway Resource Replication with Arpio
Arpio's API Gateway support covers both HTTP and REST APIs. Read on for more details on resource replication for each version.
HTTP APIs in API Gateway (v2)
Arpio replicates the resources necessary to get your HTTP APIs in the API Gateway v2 service backed up into your recovery environment or account. Arpio does not yet support WebSocket APIs in API Gateway v2.
Because APIs are unlikely to be used (or usable) in standby mode, these resources are only replicated when your application is in failover or failover test mode. Read on for a list of the specific resources that we replicate.
API
Only APIs with a ProtocolType of 'HTTP' are supported for replication. These resources are automatically discovered and included in recovery points when an API is selected for replication:
- Deployed Stages of the API
- Integrations used by the undeployed version of the API
- Routes used by the undeployed version of the API
- API Mappings that use this API
API Mapping
Here are the resources that are automatically included in recovery points when an API Mapping is selected for replication:
- API the API Mapping is referencing
- Domain Name the API Mapping is referencing
- The API Stage the API Mapping is referencing
Authorizer
Attribute | Translation
---|---
API ID | ID of the replicated API containing this Authorizer.
Authorizer Credentials ARN | If an IAM Role is used for authorization, the ARN of the replicated role is used.
Authorizer URI | The URI for Lambda-based authorizers is translated so that it contains the ARN of the replicated Lambda function, version or alias.
JWT Configuration | For JWT Cognito Authorizers with a custom domain, the issuer is translated to keep the same domain prefix while the issuer URL uses the replication region. For Cognito Authorizers without a custom domain, the issuer URL is translated to use the replication region and the replicated user pool ID. Each entry in the Audience list of a JWT Cognito Authorizer is translated to the matching replicated Cognito user pool client. If the identity provider is not Cognito, nothing is translated and the replicated configuration is identical to the source configuration.
When an Authorizer is selected for replication, these resources are discovered and included for replication:
- The API that uses this Authorizer
- Any IAM Roles used by the Authorizer
- Any Lambda Functions, Versions, or Aliases used by the Authorizer
- Cognito User Pools and Cognito User Pool Clients used by the Authorizer
Domain Name
Attribute | Translation
---|---
Domain name configurations | Certificate ARNs and ownership verification certificate ARNs in domain name configurations are translated to the corresponding replicated certificate ARNs.
These resources are automatically included when a DomainName is picked for replication:
- Certificates used in the Domain Name’s configuration
- API Mappings that reference this Domain Name
Integration
Attribute | Translation
---|---
API ID | ID of the replicated API using this Integration.
Connection ID | The ID of the replicated VPC Link.
Credentials ARN | If an IAM Role is used for the integration credentials, the ARN of the replicated role is used.
Request Parameters | SQS Queue URLs in the request parameters are translated to the replicated Queue URL.
Integration URI | The URI for Lambda-backed Integrations is translated so that the URI contains the ARN of the replicated Lambda function, function version or function alias.
The resources automatically included for replication when an Integration is selected for replication are:
- The API using the Integration
- IAM roles used as credentials by the Integration
- VPC Links used by the Integration
- Lambda functions, versions, or aliases used by the Integration
- SQS Queues used by the Integration
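The Authorizer and Integration translations above (Lambda-based URIs and the Cognito JWT configuration) come down to rewriting region, account and resource identifiers embedded in strings. The following Python is an added illustration of that rewriting, not Arpio's own code: the source and recovery identities, the source-to-replica ID table and every ARN are constructed, and the custom-domain issuer case is not modelled.

```python
import re

# Constructed source and recovery identities plus the source->replica id table (all made up).
SRC_REGION, SRC_ACCOUNT = "us-east-1", "111111111111"
DST_REGION, DST_ACCOUNT = "us-west-2", "222222222222"
REPLICA_IDS = {
    "us-east-1_AbCdEfGhI": "us-west-2_ZyXwVuTsR",       # Cognito user pool -> replicated pool
    "1h57kf5cpq17m0eml12abc": "7g2kqm9ab3x1z0pqr45xyz",  # user pool client -> replicated client
}

# Lambda function ARN with an optional ":<version>" or ":<alias>" qualifier.
LAMBDA_ARN = re.compile(
    r"arn:aws:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):function:"
    r"(?P<name>[A-Za-z0-9_-]+)(?P<qualifier>:[A-Za-z0-9_$-]+)?"
)
COGNITO_ISSUER = re.compile(
    r"https://cognito-idp\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/(?P<pool>[A-Za-z0-9_-]+)"
)

def _replica(source_id):
    """Look up the replicated counterpart of a Cognito id; fail loudly rather than keep a source id."""
    try:
        return REPLICA_IDS[source_id]
    except KeyError:
        raise KeyError(f"{source_id} has no replica; replicate it before the authorizer") from None

def _replicate_lambda(m):
    # Only ARNs owned by the protected source account/region are rewritten; a function that
    # lives elsewhere (e.g. a vendor's account) is left exactly as it was.
    if m["region"] != SRC_REGION or m["account"] != SRC_ACCOUNT:
        return m[0]
    return f"arn:aws:lambda:{DST_REGION}:{DST_ACCOUNT}:function:{m['name']}{m['qualifier'] or ''}"

def translate_uri(uri):
    """Translate an Integration URI or Authorizer URI: the embedded Lambda ARN (function, version
    or alias) is pointed at the replica, and the apigateway service prefix follows the region."""
    uri = LAMBDA_ARN.sub(_replicate_lambda, uri)
    return uri.replace(f"arn:aws:apigateway:{SRC_REGION}:", f"arn:aws:apigateway:{DST_REGION}:")

def translate_jwt_configuration(cfg):
    """Cognito issuer -> replication region and replicated pool id; Audience -> replicated clients.
    A non-Cognito issuer is returned unchanged, as the Authorizer table states."""
    out = dict(cfg)
    m = COGNITO_ISSUER.fullmatch(cfg["Issuer"])
    if m is None:
        return out
    out["Issuer"] = f"https://cognito-idp.{DST_REGION}.amazonaws.com/{_replica(m['pool'])}"
    out["Audience"] = [_replica(client) for client in cfg.get("Audience", [])]
    return out
```

The same rewriting applies to the REST API (v1) Authorizer URI described further down the page.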
Route
Attribute | Translation
---|---
API ID | ID of the replicated API using this Route.
Authorizer ID | ID of the corresponding replicated Authorizer for the source Route.
Target | The Integration ID referenced by the target is translated to the ID of the replicated Integration for the source Route.
When an API Route is selected for replication, these resources are automatically marked for replication:
- The API using this route
- The Authorizer used by the route
- The Target Integration the Route is referencing
- If the Route is used in a Staged API, the Stage whose name is alphabetically less than the Stage that uses the Route is selected
- If the Route is not used in a Staged API and the API has Stages, the Stage whose name is alphabetically first is selected
Stage
Attribute | Translation
---|---
Access Log Settings | The CloudWatch log group in the replication region and account.
API ID | ID of the replicated API containing this Stage.
Route Settings | If a Stage does not have a deployment with routes, AWS will not let Arpio create replicated route settings. As a result, when Arpio replicates a Stage that has route settings but no associated deployment, it creates the Stage without any route settings.
When a Stage is selected for replication, these resources are also automatically included for replication:
- The API using this stage
- If there are other Stages, the Stage whose name is alphabetically less than this Stage's name is selected
- Any Routes used in this Stage
VPC Link
Attribute | Translation
---|---
API ID | ID of the replicated API using this VPC Link.
Subnet IDs | IDs of the corresponding subnets in the replicated VPC the VPC Link points to.
Security Group IDs | IDs of the corresponding security groups in the replicated VPC the VPC Link points to.
When a VpcLink is selected for replication, these resources are also pulled in for replication:
- Subnets used by the VPC Link
- Security groups used by the VPC Link
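The per-resource inclusion lists in this section form a dependency graph, and the recovery point is its transitive closure from whatever you select. This added Python example, not Arpio's own code, encodes those lists for a constructed HTTP API inventory (every id is made up) and computes that closure; it leaves out the alphabetical Stage-ordering rules for Routes and Stages and treats roles, functions, user pools, certificates, subnets and security groups as leaves.

```python
from collections import deque

# Constructed inventory of one HTTP API and its neighbours; every id here is made up. Stages are
# keyed by name, as in API Gateway. Ids with no inventory entry (roles, functions, user pools,
# certificates, subnets, security groups) are leaves whose own dependencies are not modelled.
INVENTORY = {
    "api-1": {"kind": "Api"},
    "dev": {"kind": "Stage", "api": "api-1", "deployed": True, "routes": ["route-1"]},
    "prod": {"kind": "Stage", "api": "api-1", "deployed": True, "routes": ["route-1"]},
    "canary": {"kind": "Stage", "api": "api-1", "deployed": False, "routes": []},
    "route-1": {"kind": "Route", "api": "api-1", "authorizer": "authz-1", "target": "int-1"},
    "int-1": {"kind": "Integration", "api": "api-1", "credentials": "role-int", "connection": "vpclink-1"},
    "authz-1": {"kind": "Authorizer", "api": "api-1", "lambda": "fn-auth", "user_pool": "pool-1"},
    "map-1": {"kind": "ApiMapping", "api": "api-1", "domain": "dom-1", "stage": "prod"},
    "dom-1": {"kind": "DomainName", "certs": ["cert-1"]},
    "vpclink-1": {"kind": "VpcLink", "subnets": ["subnet-a"], "security_groups": ["sg-a"]},
}
# Resource kinds whose inclusions are simply the resources their own fields point at.
FORWARD_REFS = {"ApiMapping": ("api", "domain", "stage"), "Authorizer": ("api", "lambda", "user_pool"),
                "Integration": ("api", "credentials", "connection"), "Route": ("api", "authorizer", "target")}

def referrers(kind, field, target):
    """Reverse lookup: ids of every `kind` resource whose `field` points at `target`."""
    return [i for i, r in INVENTORY.items() if r["kind"] == kind and r.get(field) == target]

def dependencies(rid):
    """Direct inclusions for one resource, following the per-resource lists in the HTTP API section."""
    r = INVENTORY.get(rid)
    if r is None:
        return []  # leaf resource
    if r["kind"] in FORWARD_REFS:
        return [r[f] for f in FORWARD_REFS[r["kind"]]]
    if r["kind"] == "Api":  # only *deployed* Stages, plus the API's Integrations, Routes and Mappings
        return [s for s in referrers("Stage", "api", rid) if INVENTORY[s]["deployed"]] + \
            referrers("Integration", "api", rid) + referrers("Route", "api", rid) + referrers("ApiMapping", "api", rid)
    if r["kind"] == "DomainName":
        return r["certs"] + referrers("ApiMapping", "domain", rid)
    if r["kind"] == "Stage":
        return [r["api"]] + r["routes"]
    return r["subnets"] + r["security_groups"]  # VpcLink

def recovery_point(selected):
    """Transitive closure of dependencies() over the user-selected resource ids."""
    seen, queue = set(), deque(selected)
    while queue:
        rid = queue.popleft()
        if rid not in seen:
            seen.add(rid)
            queue.extend(dependencies(rid))
    return seen
```

Selecting the "prod" Stage pulls in the whole API except the undeployed "canary" Stage, which is only recovered if you select it explicitly.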
REST APIs in API Gateway (v1)
Arpio supports replication of the following REST API Gateway resource types. Because APIs are unlikely to be used (or usable) in standby mode, these resources are only replicated when your application is in failover or failover test mode.
Account
Attribute | Translation
---|---
CloudWatch Role ARN | The CloudWatch role is replicated, and the replicated ARN is used in translation.
Resources automatically discovered and included in recovery points when an Account is selected for replication:
- CloudWatch IAM role used for writing API logs to Amazon CloudWatch
API Key
Arpio copies API Keys linked to a usage plan through a usage plan key (see below). This means only API Keys used by replicated API Gateway stages are replicated; unused API Keys are not. As with other API Gateway resources, API Keys are only replicated during failover.
StageKeys on API Keys created prior to August 11, 2016 are not supported. See the AWS Usage Plans docs for information on how to migrate to usage plans.
Authorizer
Attribute | Translation
---|---
Authorizer Credentials | If an IAM Role is used for authorization, the ARN of the replicated role is used.
Authorizer URI | The URI for Lambda-based authorizers is translated so that the URI contains the ARN of the replicated Lambda function, version or alias.
Provider ARNs | The provider ARNs for Cognito Authorizers are translated to the matching replicated Cognito user pool clients.
Rest API ID | ID of the replicated API that uses this Authorizer.
Base Path Mapping
Attribute | Translation
---|---
Rest API ID | ID of the replicated API that the Base Path Mapping links to the domain name.
Here are the resources that are automatically included in recovery points when a Base Path Mapping is selected for replication:
- Rest API the Base Path Mapping is referencing
- Domain Name the Base Path Mapping is referencing
- Deployed Stage of the Rest API the Base Path Mapping is referencing
Documentation Part
Documentation Parts used by a Rest API and all the Documentation Part attributes are replicated to the recovery environment.
Domain Name
Attribute | Translation
---|---
Domain name configurations | Certificate ARNs and ownership verification certificate ARNs in domain name configurations are translated to the corresponding replicated certificate ARNs.
These resources are automatically included when a Domain Name is selected for replication:
- Certificates used in the Domain Name's configuration
- Base Path Mappings that reference this Domain Name
Edge-optimized APIs are delivered through CloudFront, using a CloudFront distribution that AWS creates and manages for you when you create the API. CloudFront prevents domain names used in any distribution from being used in any other distribution, even in other AWS accounts and regions. For this reason, Arpio recovers Edge-optimized APIs as regional APIs in your recovery environment so your custom domain names can be used. In a recovery situation, you will need to update your DNS configuration to send traffic to the API running in the replication region.
Gateway Response
Gateway Responses used by a Rest API and all the Gateway Response attributes are replicated to the recovery environment.
Method
Attribute | Translation
---|---
Authorizer ID | The ID of the replicated Authorizer this Method will use for authorization.
Request Validator ID | The ID of the replicated Request Validator used by this Method.
Resource ID | The ID of the replicated Resource.
Rest API ID | The ID of the replicated Rest API associated with this Method.
Model
Attribute | Translation
---|---
Rest API ID | The ID of the replicated Rest API associated with this Model.
Request Validator
Attribute | Translation
---|---
Rest API ID | The ID of the replicated Rest API that uses this Request Validator.
Resource
Attribute | Translation
---|---
Rest API ID | The ID of the replicated Rest API that uses this Resource.
Rest API
Attribute | Translation
---|---
Endpoint Configuration | VPC endpoints referenced in the source Rest API are translated to the corresponding VPC endpoints in the recovery environment.
Policy | The ARN in the policy document containing permissions for this Rest API is translated to match the ARN of the replicated API.
These resources are automatically discovered and included in recovery points when a Rest API is selected for replication:
- Deployed Stages of the API
- IAM roles used in the policy document of the Rest API
- Settings for the API gateway account for the recovery region
- All Stages of the Rest API
Stage
Attribute | Translation
---|---
Access Log Settings | The region and account ID in the CloudWatch log group ARN in Access Log Settings are replaced by the region and account ID of your recovery region/account. Arpio does not currently support CloudWatch, so you'll need to create the CloudWatch log group in the recovery environment yourself.
Rest API ID | The ID of the replicated Rest API that uses this Stage.
When a Stage is selected for replication, these resources are also automatically included for replication:
- The API using this stage
- Stages deployed before this stage
- WAF Web ACLs that use the stage as a service endpoint
- Lambda functions, versions, or aliases that are used as authorizers or in a method integration.
- Cognito User Pools that are used as authorizers
- SQS queues that are used in a method integration
- IAM Roles used in the Stage’s resource policy or used as authorizer credentials
- VPC Links used for a method integration
- Usage plans that reference the stage along with the API keys and usage plans keys used by that usage plan
Usage Plan
Only usage plans that reference a replicated API Gateway stage are copied to the recovery environment, and usage plans are only replicated during failover.
Attribute | Translation
---|---
ApiStage API ID | ID of the replicated REST API referenced in this Usage Plan.
ApiStage Stage Name | Name of the corresponding replicated Stage.
A usage plan selected for replication causes the following dependencies to be included:
- Usage plan keys that reference the usage plan
- API Gateway REST API stages that the usage plan references
Usage Plan Key
The usage plan key ties a usage plan to an API key. Usage plan keys that are used by replicated usage plans are copied to the recovery environment during failover.
Attribute | Translation
---|---
Key ID | ID of the replicated API Key.
Usage Plan ID | ID of the associated replicated Usage Plan.
When a usage plan key is selected for replication, the API keys and usage plans it references are also selected for replication.
VPC Link
Attribute | Translation
---|---
API ID | ID of the replicated API using this VPC Link.
Target ARNs | ARNs of the corresponding replicated network load balancers.
When a VpcLink is selected for replication, these resources are also pulled in for replication:
- Network load balancers used by the VPC link
Arpio Replication Restrictions
The following API Gateway resources are not currently supported by Arpio:
- Client Certificate
Also, the state of the following resources is only replicated if they have been deployed in a stage. If an attribute on one of the below resources is updated, but the resource is not deployed to a stage, the change to the attribute is not replicated.
- Authorizer
- Documentation Part
- Gateway Response
- Method
- Model
- Request Validator
- Resource
Finally, only these Integration types in the Method resource are supported for replication:
- Mock
- Lambda