Where to Keep Application load balancer (ALB), API gateway - Design suggestion required

Hi,

The answer is depends ;)

API Gateway comes with a series of mechanism/features/integrations that make it a typical case as API facade. For instance, you get:

• well separated authorization layer (via Lambda authorizers, Cognito or JWT)
• Usage plan with throttling and request limits
• API versioning via stages
• canary releases
• integration with CloudFront, WAF depending on the type (REST vs HTTP)

There are some limitations as number of request per seconds (10000), payload size and more (https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html). It is more expensive than ALB.

With ALB you can do OIDC and Cognito, achieve throttling via WAF, and generally scales better, but then you lose some of above.

Without having data on usage, users distribution, organization size and more, is bit tricky, but I have seen following architectures:

• CloudFront + WAF -> API GW ->Lambda
• CloudFront + WAF -> ALB -> Lambda/EKS
• Cloudfront + WAF -> API GW -> ALB -> Lambda/EKS
• Cloudfront + WAF -> ALB -> APIGW -> Lambda/EKS

So you can use them individually or have api gw in front of or behind apigw. The first 2 are the easiest cases and will fit most of cases. CloudFront can be omitted but typically is good for latency and edge optimized APIs. The latter ones I have seen in case of heavy multi account setup and traffic inspection in regulated environment, many internal APIs and more complex.

Eventually, if you expect massive traffic, ALB is better, but then you lose out of box features I mentioned. API GW will scale too, with certain limits.

Finally another option for mobile could be AppSync (GraphQL) but I left it out as wasn’t of your ask, though it can reduce the number of http apis from client to server.

Hope it helps