WebSocket API Resource Policy for Scalable Applications

Author

Reads 374

A vintage walkie talkie placed on a sunlit table, conveying communication and nostalgia.
Credit: pexels.com, A vintage walkie talkie placed on a sunlit table, conveying communication and nostalgia.

The WebSocket API Resource Policy is a crucial aspect of building scalable applications. It helps manage WebSocket connections efficiently, ensuring that your application can handle a large number of concurrent users.

Implementing a resource policy is essential to prevent resource exhaustion, which can lead to performance issues and even crashes. This can be achieved by setting limits on the number of WebSocket connections allowed per user.

A well-designed resource policy also enables you to implement features like connection pooling, which can significantly improve application performance.

For another approach, see: Azure Policy Definition

WebSocket API Gateway

Setting up a WebSocket API Gateway involves several key steps. To begin with, you'll need to create an IAM Role for API Gateway to assume and attach an IAM Policy to it so it can integrate with the Lambda JWT Authorizer and other components.

API Gateway V2 Websocket API resources require specifying selection expressions for the route and API Keys. This involves defining the authorization type as REQUEST, which is used in conjunction with a request authorizer.

Credit: youtube.com, AWS API Gateway Websocket Tutorial With Lambda | COMPLETELY SERVERLESS!

The Lambda JWT Authorizer is a crucial component in this setup, allowing integration with any JWT token provider and verifying user's JWT token integrity using provider's public keys. It also checks token expiration, audience, and binds the JWT's sub user attribute to the API Gateway authorization policy.

To integrate the Request Authorizer with API Gateway, you'll need to instruct API Gateway to get the authorization header from the query string, using route.request.querystring.authorization. This is because the JavaScript WebSockets API does not have a method for specifying additional headers for the client/browser to send.

Here's a summary of the key components involved in setting up a WebSocket API Gateway:

  • IAM Role for API Gateway to assume
  • IAM Policy for API Gateway to integrate with Lambda JWT Authorizer and other components
  • API Gateway V2 Websocket API resource with selection expressions for route and API Keys
  • Lambda JWT Authorizer for authentication and authorization
  • Request Authorizer for verifying JWT tokens and user identity

In addition to these components, you'll also need to grant API Gateway access to invoke the Authorizer Lambda Function by creating an additional Lambda Permission.

For your interest: Python Websocket Aws Lambda

WebSocket Security

WebSocket Security is crucial for protecting your WebSocket API from unauthorized access. The use of WebSockets is controlled by the connect-src directive.

Credit: youtube.com, WebSockets Aren’t as Reliable as You Think.. Here's Why

To ensure secure connections, you can configure authorization on the $connect route only, as this is a stateful connection. AuthN/AuthZ will be performed only at connection time, and if the $connect request fails due to AuthN/AuthZ failure, the connection will not be made.

Here are some key features of a Lambda JWT Authorizer:

  • Integrate with any JWT token provider.
  • Verify user's JWT token integrity using provider's public keys.
  • Verify token expiration.
  • Check that the token is issued for an audience in the allowed audiences list.
  • Bind the JWT's sub user attribute to the API Gateway authorization policy.
  • Return a deny or allow authorization policy to API Gateway.

WebSocket Connection

Connecting to the SUMU Websocket API requires an authorization query string to establish the connection. You can use the native Websocket component or a helper package like Sockette to connect.

To keep the user's connection active, send ping frames periodically, and API Gateway will respond with a pong frame immediately. This ensures the connection remains active.

API Gateway provides a default $connect route, but you can also set up a custom $connect route for more control over connections. This allows you to be notified when clients connect and disconnect, throttle connections, and control who connects.

Here are some reasons to set up a custom $connect route:

  • We want to be notified when clients connect and disconnect.
  • We want to throttle connections and control who connects.
  • We want our backend to publish users presence messages (online, offline) back to clients using Fanout SNS Topics.
  • We want to store each connection ID and other information into a database (Amazon DynamoDB).

Connecting Users

Credit: youtube.com, How to Send Private Messages to Selected Users Using Quart and Websockets

Connecting users to a WebSocket API can be a bit tricky, but it's essential to establish a secure connection. You can connect to the SUMU Websocket API using the native Websocket component or a helper package like Sockette.

To keep the user's connection active, you'll need to send ping frames periodically, and API Gateway will respond with a pong frame immediately. This helps prevent the connection from timing out.

The WebSocket connection is a stateful connection, which means you can configure the authorization on the $connect route only. AuthN/AuthZ will be performed only at connection time, and if the $connect request fails due to AuthN/AuthZ failure, the connection will not be made.

API Gateway provides a default $connect route, but you can set up a custom $connect route for more control over the connection process. This is useful for tasks like throttling connections and storing connection information in a database.

Take a look at this: Api Gateway in Azure

Credit: youtube.com, How to scale WebSockets to millions of connections

Here are some benefits of setting up a custom $connect route:

  • We want to be notified when clients connect and disconnect.
  • We want to throttle connections and control who connects.
  • We want our backend to publish users presence messages (online, offline) back to clients using Fanout SNS Topics.
  • We want to store each connection ID and other information into a database (Amazon DynamoDB).

Keep Alive Route

To keep a WebSocket connection alive, we need to implement a ping/pong mechanism to prevent API Gateway from considering the client's connection IDLE after 10 minutes of timeout. This mechanism involves sending a Ping request periodically from the client to the server.

The ping request will be sent to a MOCK service, which will receive the request and return an HTTP_OK status code. This service will act as a middleman, allowing the client to send a Ping request without actually connecting to the server.

We need to create two request templates: one for the MOCK service that will receive the Ping request, and another for the actual Pong response sent to the client. The Pong response will be sent by API Gateway in response to a Ping request, unless it has already received a disconnect request.

The ping route we've created allows users to send a Ping message periodically to keep their connection active. This is essential for maintaining an active connection, especially in scenarios where data needs to be exchanged between the client and server in real-time.

Broaden your view: Websocket Create Connection

WebSocket Integration

Credit: youtube.com, Websocket APIs - #15

WebSocket integration can be a bit tricky, but don't worry, I've got you covered.

To integrate WebSocket API with API Gateway, you'll need to create an IAM Role for API Gateway to assume and attach an IAM Policy to it. This allows API Gateway to integrate with components like Lambda JWT Authorizer.

API Gateway V2 Websocket API resource requires specifying selection expressions for the route and API Keys. This is a crucial step in setting up the WebSocket API.

You'll also need to integrate the API Gateway Websocket API with the Lambda JWT Authorizer, setting the authorization type to REQUEST. This is because you're using a request authorizer.

In some cases, you might need to instruct API Gateway to get the authorization header from the query string, using route.request.querystring.authorization.

To do this, you'll need an additional Lambda Permission to give API Gateway access to invoke the Authorizer Lambda Function.

Here's a quick rundown of the steps:

Remember, integrating WebSocket API with API Gateway requires careful planning and configuration. But with these steps, you'll be well on your way to setting up a secure and scalable WebSocket API.

WebSocket Troubleshooting

Credit: youtube.com, Keep Those WebSocket Connections Alive!

Troubleshooting WebSocket Issues can be a real challenge, but don't worry, we've got you covered.

If the backend server or network connection with the WS dies, the affected endpoint becomes non-operational.

You'll see WARNING messages in the logs when clients demand information from KrakenD, which can't pass data from/to the backend server.

KrakenD will keep retrying broken connections as defined through max_retries and backoff_strategy.

Each failed retry will show an ERROR in the log, following the backoff_strategy.

All writes remain in queue while the connection with the backend is retrying.

If you've set a limited number of max_retries, when KrakenD has exhausted all retries, it will stop trying and forget the WebSocket connection.

This will show up as a CRITICAL in the logs, and all remaining queued messages will show an error.

The client will also receive an error and be disconnected.

To avoid this, you can set max_retries to 0 to keep trying indefinitely.

For another approach, see: Websocket Error

WebSockets

WebSockets are controlled by the connect-src directive. This is a crucial consideration for anyone working with WebSockets.

Credit: youtube.com, HTTP Vs. Web Socket | Which To Use When? | #http #websocket

To set up a WebSocket API resource in AWS API Gateway, you'll need to create an IAM Role for API Gateway to assume and attach an IAM Policy to it. This is necessary for integration with other components.

API Gateway V2 Websocket API resources require specifying selection expressions for the route and API Keys. This is an important step in setting up the API.

There is no method in the JavaScript WebSockets API for specifying additional headers for the client/browser to send. Instead, you instruct API Gateway to get the authorization header from the query string.

To integrate the Request Authorizer with API Gateway, you need to give API Gateway access to invoke the Authorizer Lambda Function. This requires an additional Lambda Permission.

Rosemary Boyer

Writer

Rosemary Boyer is a skilled writer with a passion for crafting engaging and informative content. With a focus on technical and educational topics, she has established herself as a reliable voice in the industry. Her writing has been featured in a variety of publications, covering subjects such as CSS Precedence, where she breaks down complex concepts into clear and concise language.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.