Update: I ended up creating a second authorizer that uses the same Lambda function, and I created a health resource on the API Gateway for invoking it. The Route 53 health checks support query parameters, so by setting the second authorizer to request type you can configure Authorization as a query string and specify the same in the identitySource parameter. I just provided a dummy value for the authorization in the health check URL. I was also able to keep the existing authorizer token-based. This totally worked out!
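An added example, not code from the original post: one way a single Lambda function can serve both the existing TOKEN authorizer and the second REQUEST authorizer described above, while ensuring the query-string value (which ends up in URLs and access logs) can only ever authorize the health resource. The resource path `health`, both secret values and the plain string comparison standing in for real token validation are assumptions.

```python
import hmac

# Constructed values for illustration; load real ones from a secret store.
HEALTH_METHOD, HEALTH_PATH = "GET", "health"   # assumed health resource
HEALTH_PROBE_VALUE = "constructed-health-probe-value"
API_TOKEN = "constructed-api-token"            # stand-in for real token validation


def policy(principal, allowed, resource):
    """Build the IAM policy document API Gateway expects from an authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow" if allowed else "Deny",
                "Resource": resource,  # scoped to the single method ARN requested
            }],
        },
    }


def same(a, b):
    """Constant-time comparison; bytes avoid TypeError on non-ASCII input."""
    return hmac.compare_digest(a.encode(), b.encode())


def handler(event, context=None):
    arn = event["methodArn"]  # arn:...:apiId/stage/METHOD/resource-path
    if event.get("type") == "REQUEST":
        # Query-string path used by the Route 53 health check.
        # Allow only when the ARN is exactly the health resource.
        parts = arn.split("/", 3)
        is_health = len(parts) == 4 and parts[2:] == [HEALTH_METHOD, HEALTH_PATH]
        supplied = (event.get("queryStringParameters") or {}).get("Authorization", "")
        return policy("route53-health-check",
                      is_health and same(supplied, HEALTH_PROBE_VALUE), arn)
    # TOKEN path: the existing header-based authorizer is unchanged.
    supplied = event.get("authorizationToken", "")
    return policy("api-client", same(supplied, API_TOKEN), arn)
```

Because the probe value is checked only on the REQUEST path and the token only on the TOKEN path, a leaked health-check URL grants nothing beyond the health resource.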
Given the challenges you've described, here are some suggestions for setting up a Route 53 health check for your API Gateway token-based Lambda authorizer:
- Custom Lambda Health Check: Instead of using the API Gateway directly, you could create a separate Lambda function specifically for health checks. This function would internally invoke your authorizer Lambda with the necessary token. You can then set up a Route 53 health check against an API Gateway endpoint that triggers this health check Lambda. This approach bypasses the need for the Authorization header in the Route 53 health check itself.
- CloudWatch Metric Combination: While Route 53 doesn't support metric math directly, you can create a custom metric that combines multiple Lambda metrics. For example, you could create a metric that represents the ratio of errors to invocations. Then, set up a CloudWatch alarm based on this custom metric. Route 53 can then use this alarm for health checking.
- Multi-metric Alarm: Create a CloudWatch composite alarm that considers both the error count and the invocation count. This alarm can trigger if there are too many errors OR if there are no invocations for a specified period. Route 53 can then use this composite alarm for health checking.
- Synthetic Canary: Use AWS CloudWatch Synthetics to create a canary that periodically invokes your API with the proper authorization token. Set up a CloudWatch alarm based on the canary's success rate, and use this alarm for your Route 53 health check.
- External Monitoring: Set up an external monitoring service that can make authenticated requests to your API. This service can then update a CloudWatch custom metric, which you can use for alarming and Route 53 health checks.

Each of these approaches has its own trade-offs in terms of complexity, cost, and accuracy. The best solution will depend on your specific requirements and constraints. Remember to thoroughly test your chosen solution to ensure it accurately reflects the health of your Lambda authorizer and triggers failover appropriately.