
The WebSocket API Resource Policy is a crucial aspect of building scalable applications. It helps manage WebSocket connections efficiently, ensuring that your application can handle a large number of concurrent users.
Implementing a resource policy is essential to prevent resource exhaustion, which can lead to performance issues and even crashes. This can be achieved by setting limits on the number of WebSocket connections allowed per user.
A well-designed resource policy also enables you to implement features like connection pooling, which can significantly improve application performance.
For another approach, see: Azure Policy Definition
WebSocket API Gateway
Setting up a WebSocket API Gateway involves several key steps. To begin with, you'll need to create an IAM Role for API Gateway to assume and attach an IAM Policy to it so it can integrate with the Lambda JWT Authorizer and other components.
API Gateway V2 Websocket API resources require specifying selection expressions for the route and API Keys. This involves defining the authorization type as REQUEST, which is used in conjunction with a request authorizer.
Intriguing read: Azure Api Management vs Api Gateway
The Lambda JWT Authorizer is a crucial component in this setup, allowing integration with any JWT token provider and verifying user's JWT token integrity using provider's public keys. It also checks token expiration, audience, and binds the JWT's sub user attribute to the API Gateway authorization policy.
To integrate the Request Authorizer with API Gateway, you'll need to instruct API Gateway to get the authorization header from the query string, using route.request.querystring.authorization. This is because the JavaScript WebSockets API does not have a method for specifying additional headers for the client/browser to send.
Here's a summary of the key components involved in setting up a WebSocket API Gateway:
- IAM Role for API Gateway to assume
- IAM Policy for API Gateway to integrate with Lambda JWT Authorizer and other components
- API Gateway V2 Websocket API resource with selection expressions for route and API Keys
- Lambda JWT Authorizer for authentication and authorization
- Request Authorizer for verifying JWT tokens and user identity
In addition to these components, you'll also need to grant API Gateway access to invoke the Authorizer Lambda Function by creating an additional Lambda Permission.
For your interest: Python Websocket Aws Lambda
WebSocket Security
WebSocket Security is crucial for protecting your WebSocket API from unauthorized access. The use of WebSockets is controlled by the connect-src directive.
To ensure secure connections, you can configure authorization on the $connect route only, as this is a stateful connection. AuthN/AuthZ will be performed only at connection time, and if the $connect request fails due to AuthN/AuthZ failure, the connection will not be made.
Here are some key features of a Lambda JWT Authorizer:
- Integrate with any JWT token provider.
- Verify user's JWT token integrity using provider's public keys.
- Verify token expiration.
- Check that the token is issued for an audience in the allowed audiences list.
- Bind the JWT's sub user attribute to the API Gateway authorization policy.
- Return a deny or allow authorization policy to API Gateway.
WebSocket Connection
Connecting to the SUMU Websocket API requires an authorization query string to establish the connection. You can use the native Websocket component or a helper package like Sockette to connect.
To keep the user's connection active, send ping frames periodically, and API Gateway will respond with a pong frame immediately. This ensures the connection remains active.
API Gateway provides a default $connect route, but you can also set up a custom $connect route for more control over connections. This allows you to be notified when clients connect and disconnect, throttle connections, and control who connects.
Here are some reasons to set up a custom $connect route:
- We want to be notified when clients connect and disconnect.
- We want to throttle connections and control who connects.
- We want our backend to publish users presence messages (online, offline) back to clients using Fanout SNS Topics.
- We want to store each connection ID and other information into a database (Amazon DynamoDB).
Connecting Users
Connecting users to a WebSocket API can be a bit tricky, but it's essential to establish a secure connection. You can connect to the SUMU Websocket API using the native Websocket component or a helper package like Sockette.
To keep the user's connection active, you'll need to send ping frames periodically, and API Gateway will respond with a pong frame immediately. This helps prevent the connection from timing out.
The WebSocket connection is a stateful connection, which means you can configure the authorization on the $connect route only. AuthN/AuthZ will be performed only at connection time, and if the $connect request fails due to AuthN/AuthZ failure, the connection will not be made.
API Gateway provides a default $connect route, but you can set up a custom $connect route for more control over the connection process. This is useful for tasks like throttling connections and storing connection information in a database.
Take a look at this: Api Gateway in Azure
Here are some benefits of setting up a custom $connect route:
- We want to be notified when clients connect and disconnect.
- We want to throttle connections and control who connects.
- We want our backend to publish users presence messages (online, offline) back to clients using Fanout SNS Topics.
- We want to store each connection ID and other information into a database (Amazon DynamoDB).
Keep Alive Route
To keep a WebSocket connection alive, we need to implement a ping/pong mechanism to prevent API Gateway from considering the client's connection IDLE after 10 minutes of timeout. This mechanism involves sending a Ping request periodically from the client to the server.
The ping request will be sent to a MOCK service, which will receive the request and return an HTTP_OK status code. This service will act as a middleman, allowing the client to send a Ping request without actually connecting to the server.
We need to create two request templates: one for the MOCK service that will receive the Ping request, and another for the actual Pong response sent to the client. The Pong response will be sent by API Gateway in response to a Ping request, unless it has already received a disconnect request.
The ping route we've created allows users to send a Ping message periodically to keep their connection active. This is essential for maintaining an active connection, especially in scenarios where data needs to be exchanged between the client and server in real-time.
Broaden your view: Websocket Create Connection
WebSocket Integration
WebSocket integration can be a bit tricky, but don't worry, I've got you covered.
To integrate WebSocket API with API Gateway, you'll need to create an IAM Role for API Gateway to assume and attach an IAM Policy to it. This allows API Gateway to integrate with components like Lambda JWT Authorizer.
API Gateway V2 Websocket API resource requires specifying selection expressions for the route and API Keys. This is a crucial step in setting up the WebSocket API.
You'll also need to integrate the API Gateway Websocket API with the Lambda JWT Authorizer, setting the authorization type to REQUEST. This is because you're using a request authorizer.
In some cases, you might need to instruct API Gateway to get the authorization header from the query string, using route.request.querystring.authorization.
To do this, you'll need an additional Lambda Permission to give API Gateway access to invoke the Authorizer Lambda Function.
Here's a quick rundown of the steps:
Remember, integrating WebSocket API with API Gateway requires careful planning and configuration. But with these steps, you'll be well on your way to setting up a secure and scalable WebSocket API.
WebSocket Troubleshooting
Troubleshooting WebSocket Issues can be a real challenge, but don't worry, we've got you covered.
If the backend server or network connection with the WS dies, the affected endpoint becomes non-operational.
You'll see WARNING messages in the logs when clients demand information from KrakenD, which can't pass data from/to the backend server.
KrakenD will keep retrying broken connections as defined through max_retries and backoff_strategy.
Each failed retry will show an ERROR in the log, following the backoff_strategy.
All writes remain in queue while the connection with the backend is retrying.
If you've set a limited number of max_retries, when KrakenD has exhausted all retries, it will stop trying and forget the WebSocket connection.
This will show up as a CRITICAL in the logs, and all remaining queued messages will show an error.
The client will also receive an error and be disconnected.
To avoid this, you can set max_retries to 0 to keep trying indefinitely.
For another approach, see: Websocket Error
WebSockets
WebSockets are controlled by the connect-src directive. This is a crucial consideration for anyone working with WebSockets.
To set up a WebSocket API resource in AWS API Gateway, you'll need to create an IAM Role for API Gateway to assume and attach an IAM Policy to it. This is necessary for integration with other components.
API Gateway V2 Websocket API resources require specifying selection expressions for the route and API Keys. This is an important step in setting up the API.
There is no method in the JavaScript WebSockets API for specifying additional headers for the client/browser to send. Instead, you instruct API Gateway to get the authorization header from the query string.
To integrate the Request Authorizer with API Gateway, you need to give API Gateway access to invoke the Authorizer Lambda Function. This requires an additional Lambda Permission.
Check this out: Websocket Api Gateway Permission
Featured Images: pexels.com


