This is the multi-page printable view of this section. Click here to print.
API Gateway
1 - Overview
Service Overview
API Gateway is a service that easily creates, manages, and monitors APIs. It defines resources and methods related to APIs in a consistent manner, and can apply built-in security access. Additionally, it can easily and conveniently monitor API usage status and performance metrics.
Features
- Convenient API Management: Through the console, you can conveniently register and manage APIs, and provide JWT (Json Web Token) for access permission management. It is also linked with SCP Cloud Functions, allowing Cloud Functions function calls via API Gateway.
- Stable Traffic Handling: API Gateway can manage backend system traffic through usage plans. Usage plans can set the maximum number of calls per hour (hour/day/month), and this prevents excessive traffic from entering, enabling stable service usage.
- Easy and convenient monitoring: Provides a dashboard that allows you to manage various functions such as API version management that links different deployment versions per stage, and to monitor API usage status. Through this, you can easily and quickly identify performance metrics such as API calls, response times, and error counts.
Service Architecture Diagram
- The developer (3rd party Developer) can access various backend services via a single endpoint (API Gateway) using Rest API.
- API Gateway can route the request to an appropriate backend service or Cloud Function.
- If authentication and authorization are required, the user is verified with JWT.
- Request data is transformed as needed, or responses from multiple services are aggregated into one through the API Gateway.
- When traffic is high, you can apply load balancing and rate limiting to improve service stability.
- Supports web clients to call APIs from other domains through CORS settings.
- All requests and responses are logged and monitored in the API Gateway service, allowing rapid detection of failures and anomalies.
- By separating stages for each environment such as development, testing, and production, you can manage API versions and utilize the required version. API management, security policy application, etc., can be handled consistently centrally through the API Gateway service.
Provided Features
API Gateway provides the following features.
API Management and Operations
- Custom Domain Name: Connect a custom domain to the API to provide a unique URL for the user
- REST API creation and management: Define resources and methods (GET, POST, etc.) and set authentication method
- API version and stage management: Operate the same API in multiple versions simultaneously and manage changes
- Routing: Routing requests to various backend services based on the URI path or request headers
- Monitoring and Logging: API performance monitoring and logging possible (available December 2025)
API security
- IP ACL setting: Control to allow only specific IPs to access, enhancing security
Cloud Functions integration: Execute business logic in response to external requests by integrating with serverless computing
- CORS support: Set Cross-Origin Resource Sharing (CORS) to allow resource access from other domains
Components
API
An API is a collection of resources and methods integrated with backend HTTP endpoints, Cloud Functions, or other SCP services. APIs provide a logical interface to the actual service and are deployed across multiple stages, allowing use in various environments (development, production, etc.).
Resources
Resources are logical units that represent specific endpoints (URI paths) within an API. Each resource can be organized in a tree structure and can have multiple HTTP methods. For example, paths such as
/users
,
/orders
become individual resources.
Method
The method defines the HTTP actions (e.g., GET, POST, PUT, DELETE, etc.) that can be performed on each resource. Each method is integrated with a specific backend to process actual data or execute functionality.
Stage
The stage is a named reference to a specific point in time (snapshot) of an API deployment, distinguishing environments in the API lifecycle such as development (dev), testing (test), and production (prod). Each stage has its own unique URL, and separate settings per environment are possible for caching, logging, throttling, stage variables, etc. Stages support various operational scenarios such as environment-specific configurations and traffic segregation.
Endpoint
The endpoint is a unique URL address used by the client to access the API. A separate endpoint is created for each stage.
Integration
Integration defines how API methods connect to the actual backend (HTTP endpoints, Functions). Through request and response data transformation, authentication, mapping templates, etc., you can finely control the integration with the backend.
JWT (Json Web Token)
It is a token-based web standard (RFC 7519) used for authentication and authorization. JWT encodes a JSON object composed of three parts (Header, Payload, Signature) in Base64 URL-safe format, and prevents tampering by digitally signing with a secret key or public key. When securely exchanging authentication information and permissions between a server and client, or between services, it is used by placing them in the HTTP header, allowing stateless authentication without session storage.
CORS (Cross-Origin Resource Sharing)
It is a mechanism that bypasses the Same-Origin Policy applied in web browsers for security reasons, allowing resource sharing between servers of different origins (when protocol, domain, or port differ). The server specifies which origins’ requests are allowed through HTTP response headers (e.g., Access-Control-Allow-Origin, etc.), enabling the client (browser) to safely perform cross-origin requests. If CORS is not properly configured, the browser blocks requests for resources from other origins, which is a web standard security policy that must be considered when using various resources such as external API calls, fonts, images, and videos.
Regional Provision Status
API Gateway can be provided in the environments below.
| Region | Availability |
|---|---|
| Korea West 1 (kr-west1) | Provided |
| Korea East1 (kr-east1) | Provided |
| South Korea 1(kr-south1) | Not provided |
| South Korea 2(kr-south2) | Not provided |
| South Korea 3(kr-south3) | Not provided |
Preliminary Service
This is a list of services that can be optionally configured before creating the service. Please refer to the guide provided for each service for details and prepare in advance.
| Service Category | Service | Detailed Description |
|---|---|---|
| Compute | Cloud Functions | A service that runs application code in a serverless computing environment
|
2 - How-to guides
Users can create the API Gateway service by entering required information through the Samsung Cloud Platform Console and selecting detailed options.
Creating an API
An API is a collection of resources and methods integrated with backend HTTP endpoints, Cloud Functions, or other SCP services. An API provides a logical interface to the actual service and can be deployed to multiple stages for use in different environments (development, production, etc.).
You can create and use APIs through the Samsung Cloud Platform Console.
To create an API, follow these steps:
Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
Click the Create API button on the Service Home page. This will take you to the Create API page.
Enter the required information for creating the service and select detailed options on the Create API page.
- Select the required information in the Service Information section.
Item RequiredDescription API Name Required Enter API name - Start with lowercase English letters, do not end with special characters (
-), and enter 3 ~ 50 characters using lowercase letters, numbers, and special characters (-)
API Creation Method Required Select API creation method - Select from Create New, Clone Existing API
API to Clone Required When selecting Clone Existing API as the API creation method, select from already created APIs Description Optional Enter additional information or description about the API within 50 characters API Endpoint Type Required Path to access the API - Region: Process requests within the region where the API is deployed
- Private: Expose to receive API requests privately from other VPCs
- When Private is selected, JWT activation is applied
Table. API service information input items - Start with lowercase English letters, do not end with special characters (
- Enter or select the required information in the Additional Information section.
Item RequiredDescription Tags Optional Add tags - Click the Add Tag button to create and add a new tag or add an existing tag
- Up to 50 tags can be added
- Newly added tags are applied after service creation is complete
Table. API additional information input items
- Select the required information in the Service Information section.
Review the detailed information and estimated charges in the Summary panel, then click the Complete button.
- Once creation is complete, verify the created resource on the API List page.
Viewing API Details
You can view and modify the complete resource list and detailed information of API services. The API Details page consists of Details, Tags, and Operation History tabs.
To view detailed information of an API service, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the API menu on the Service Home page. This will take you to the API List page.
- Click the resource for which you want to view detailed information on the API List page. This will take you to the API Details page.
- The API Details page displays status information and additional feature information, and consists of Details, Tags, and Operation History tabs.
Item Description Status Display Status of the API created by the user - Creating: API being created
- Active: API operating normally
- Deleting: API being deleted
- Error: Service unavailable due to API internal error
Service Termination Button to terminate the service Table. API status information and additional features
- The API Details page displays status information and additional feature information, and consists of Details, Tags, and Operation History tabs.
Details
On the API Details page, you can view detailed information of the selected resource and modify information if necessary.
| Item | Description |
|---|---|
| Service | Service name |
| Resource Type | Resource type |
| SRN | Unique resource ID in Samsung Cloud Platform |
| Resource Name | Resource name |
| Resource ID | Unique resource ID in the service |
| Creator | User who created the service |
| Creation Date | Date and time when the service was created |
| Modifier | User who modified the service information |
| Modification Date | Date and time when the service information was modified |
| API Name | API name |
| API Endpoint Type | API endpoint type |
| DNS Status | DNS status
|
| Description | Additional information or description about the API |
Connection Management
On the Connection Management page, you can manage connection requests for PrivateLink Service for API Gateway.
| Item | Description |
|---|---|
| Request Endpoint ID | Requested endpoint ID |
| Creation Date | Date and time when the service was created |
| Status | Resource status value |
| Reject | Reject PrivateLink Service connection request |
| Approve | Approve PrivateLink Service connection request |
| Block | Block connected PrivateLink Endpoint |
| Reconnect | Reconnect blocked PrivateLink Endpoint |
- If the connection status is Rejected or Error, requests such as approval/rejection are not possible.
Tags
On the API Details page, you can view tag information of the selected resource, and add, modify, or delete tags.
| Item | Description |
|---|---|
| Tag List | Tag list
|
Operation History
On the API Details page, you can view the operation history of the selected resource.
| Item | Description |
|---|---|
| Operation History List | Resource change history
|
Integrating with PrivateLink Service
By integrating API Gateway service with PrivateLink service, you can connect ‘API Gateway and VPC’ or ‘API Gateway and other SCP services’ without external internet. Data uses only the internal network, providing high security, and no public IP, NAT, VPN, or internet gateway is required.
Creating PrivateLink Service for API Gateway Service
When creating an API, select the endpoint type as Private. You can expose the API to be accessed privately from other VPCs or services.
- You can use the internal network by specifying it as a target of Private Endpoint. For instructions on creating a PrivateLink Endpoint in your VPC, see Creating a PrivateLink Endpoint.
- For connection management for PrivateLink Service for API Gateway, see Viewing API Details > Connection Management.
Creating a PrivateLink Endpoint
You can create an entry point to access other PrivateLinks in API Gateway service.
To create a PrivateLink Endpoint, follow these steps:
Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
Click the PrivateLink Endpoint menu on the Service Home page. This will take you to the PrivateLink Endpoint List page.
Click the Create PrivateLink Endpoint button on the PrivateLink Endpoint List page. This will take you to the Create PrivateLink Endpoint page.
- Enter or select the required information.
Item RequiredDescription PrivateLink Endpoint Name Required Enter PrivateLink Endpoint name - Enter 3 ~ 20 characters using English letters and numbers
Description Optional Enter additional information or description within 50 characters PrivateLink Service ID Required Enter the ID of the PrivateLink Service to connect - Check the Service ID with the PrivateLink Service provider in advance, and after creating the Endpoint, provide the Endpoint ID to the provider
- Enter 3 ~ 60 characters using English letters and numbers
Table. PrivateLink Endpoint creation information input items
- Enter or select the required information.
When information entry and selection is complete, click the Confirm button.
Check the message in the notification popup window, then click the Confirm button.
- Once creation is complete, verify the created resource in the PrivateLink Endpoint list.
- To delete a PrivateLink Endpoint, select the resource to delete from the list and click the Delete button.
- To request a connection to a service provider through PrivateLink, you must go through an approval process.
- When applying for a service connection, you must check the PrivateLink Service ID to be connected in advance.
- Usage agreement with the service provider must be completed before applying for the service.
- After the user creates a PrivateLink Endpoint, they must provide the Endpoint ID to the service provider. The service provider can check the user’s Endpoint ID and proceed with usage approval quickly.
Viewing PrivateLink Endpoint Details
You can view and modify the complete resource list and detailed information of PrivateLink Endpoint. The PrivateLink Endpoint Details page consists of Details and Operation History tabs.
To view detailed information of an API service, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the PrivateLink Endpoint menu on the Service Home page. This will take you to the PrivateLink Endpoint List page.
- Click the resource for which you want to view detailed information on the PrivateLink Endpoint List page. This will take you to the PrivateLink Endpoint Details page.
- The PrivateLink Endpoint Details page displays status information and additional feature information, and consists of Details and Operation History tabs.
Item Description Status Display Status of PrivateLink Endpoint - Requesting: Connection request/approval pending, Cancel Request button displayed
- Active: Creation complete, operating
- Creating: Being created
- Deleting: Being deleted
- Disconnected: Connection blocked
- Rejected: Connection rejected, Request Approval Again button displayed
- Error: Error occurred
- Canceled: Connection request canceled, Request Approval Again button displayed
Cancel Request Request connection cancellation Request Approval Again Request connection again when connection request is in canceled status Table. PrivateLink Endpoint status information and additional features
- The PrivateLink Endpoint Details page displays status information and additional feature information, and consists of Details and Operation History tabs.
Details
On the PrivateLink Endpoint Details page, you can view detailed information of the selected resource.
| Item | Description |
|---|---|
| Service | Service name |
| Resource Type | Resource type |
| SRN | Unique resource ID in Samsung Cloud Platform |
| Resource Name | Resource name |
| Resource ID | Unique resource ID in the service |
| Creator | User who created the service |
| Creation Date | Date and time when the service was created |
| Modifier | User who modified the service information |
| Modification Date | Date and time when the service information was modified |
| PrivateLink Endpoint Name | PrivateLink Endpoint name |
| PrivateLink Endpoint ID | PrivateLink Endpoint ID |
| PrivateLink Service ID | Connected PrivateLink Service ID |
| API Endpoint Type | API endpoint type |
| Description | Additional information or description about the PrivateLink Endpoint |
Operation History
On the PrivateLink Endpoint Details page, you can view the operation history of the selected resource.
| Item | Description |
|---|---|
| Operation History List | Resource change history
|
Creating a Resource
A resource is a logical unit representing a specific endpoint (URI path) within an API. Each resource can be organized in a tree structure and can have multiple HTTP methods.
To create a resource, follow these steps:
Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
Click the API Gateway > Resource menu on the Service Home page. This will take you to the Resource page.
Click the Create Resource button on the Resource page. This will take you to the Create Resource popup window.
- Enter or select the required information.
Item RequiredDescription Resource Name Required Enter resource name - Start with lowercase English letters and enter 3 ~ 50 characters using lowercase letters, numbers, and special characters (
-{})
- When using braces, only the format
{character}is allowed and cannot be empty
Resource Path Required Select the path selected from the resource menu tree Table. Resource creation information input items - Start with lowercase English letters and enter 3 ~ 50 characters using lowercase letters, numbers, and special characters (
- Enter or select the required information.
When information entry and selection is complete, click the Confirm button.
Check the message in the notification popup window, then click the Confirm button.
- Once creation is complete, verify the created resource in the resource list.
- To delete a resource, select the resource to delete from the list and click the Delete button.
- Up to 300 resources can be created.
- The depth of resources is up to 30 including Root.
Creating a Method
A method defines HTTP actions (e.g., GET, POST, PUT, DELETE, etc.) that can be performed on each resource. Each method is integrated with a specific backend to process actual data or execute functions.
To create a method, follow these steps:
Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
Click the API Gateway > Resource menu on the Service Home page. This will take you to the Resource page.
Click the Create Method button on the Resource page. This will take you to the Create Method popup window.
- Enter or select the required information.
Item RequiredDescription Method Type Required Select method type - Already created values are not displayed in the list.
- When ANY is selected, all types of methods are created
Integration Type Required Select endpoint type - Select from HTTP, Cloud Function, PrivateLink
Endpoint URL Required Enter endpoint URL when selecting HTTP type - An endpoint is a unique URL used by clients to access the API. Separate endpoints are created for each stage. Various types such as Regional, Edge-Optimized, Private, etc.
- Must be a valid URL starting with http:// or https://, and enter within 500 characters using English letters and special characters (
$-_.+!*’:(){}/)
Endpoint Required Select endpoint when selecting Cloud Function type - Region is provided as the current region and cannot be changed
URL Query String Parameters Optional Check Use and then enter Name - Enter using English letters, numbers, and special characters (
_)
HTTP Request Headers Optional Check Use and then enter Name - Enter using English letters, numbers, and special characters (
-)
API Key Usage Optional Check Use to limit usage through usage policy Table. Method creation information input items
- Enter or select the required information.
When information entry and selection is complete, click the Save button.
Check the message in the notification popup window, then click the Confirm button.
- Once creation is complete, verify the created resource in the method list.
- To delete a method, select the resource to delete from the list and click the Delete button.
Methods can be created up to 7, one of each type. When created as Any, all types of methods are created.
| Item | Description |
|---|---|
| Service | Service name |
| GET | Retrieve (read) resource |
| POST | Create (register) resource |
| PUT | Modify (update) entire resource |
| PATCH | Partially modify only part of resource |
| DELETE | Delete resource |
| OPTIONS | Retrieve list of HTTP methods supported by the endpoint |
| HEAD | Retrieve only headers without body (return only metadata without response body) |
Deploying an API
To reflect an API under development to the actual service environment, API deployment is required.
To deploy a created API, follow these steps:
Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
Click the API Gateway > Resource menu on the Service Home page. This will take you to the Resource page.
Click the Deploy API button on the Resource page. This will take you to the Deploy API popup window.
- Enter or select the required information.
Item RequiredDescription Stage Required Select stage to deploy API - New Stage: Deploy by creating a new stage
- None Stage: Deploy without selecting a stage
Stage Name Required When selecting New Stage, enter new stage name - Start with lowercase English letters, do not end with special characters (
-), and enter 3 ~ 30 characters using lowercase letters, numbers, and special characters (-)
Deployment Description Optional Enter additional information or description about API deployment within 50 characters Table. API deployment information input items
- Enter or select the required information.
When information entry and selection is complete, click the Deploy button.
Check the message in the notification popup window, then click the Confirm button.
Creating a Stage
A stage is a named reference to a specific point in time (snapshot) of an API deployment, distinguishing environments for each lifecycle of the API such as development (dev), test (test), production (prod), etc. Each stage has a unique URL, and separate settings can be made per environment such as caching, logging, throttling, and stage variables. Through stages, various operational scenarios such as Canary release, environment-specific settings, and traffic separation are supported.
To create a stage to deploy an API, follow these steps:
Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
Click the API Gateway > Stage menu on the Service Home page. This will take you to the Stage page.
Click the Create Stage button on the Stage page. This will take you to the Create Stage popup window.
- Enter or select the required information.
Item RequiredDescription Stage Name Required When selecting New Stage, enter new stage name - Start with lowercase English letters, do not end with special characters (
-), and enter 3 ~ 50 characters using lowercase letters, numbers, and special characters (-)
Stage Description Optional Enter additional information or description about the stage within 100 characters API Deployment Version Required Select API version to deploy - Start with lowercase English letters, do not end with special characters (
-), and enter 3 ~ 50 characters using lowercase letters, numbers, and special characters (-)
Table. Stage creation information input items - Start with lowercase English letters, do not end with special characters (
- Enter or select the required information.
When information entry and selection is complete, click the Confirm button.
Check the message in the notification popup window, then click the Confirm button.
- Once creation is complete, verify the created resource in the stage list.
Viewing Stage Details
You can view and modify the stage list and detailed information. The details page consists of Stage Details information and API Deployment Version Management, CORS, Usage Policy tabs.
To view detailed information of a stage, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the API Gateway > Stage menu on the Service Home page. This will take you to the Stage page.
- Click the resource for which you want to view detailed information in the stage list.
- The Stage Details displays status information and additional feature information, and consists of API Deployment Version Management, CORS, and Usage Policy tabs.
- To delete a stage, select the resource to delete from the list and click the Delete button.
- To modify a stage, select the resource to modify from the list and click the Modify button.
Stage Details
On the Stage Details page, you can view detailed information of the selected resource.
| Item | Description |
|---|---|
| Stage Name | Stage name |
| CORS | CORS operation status |
| Stage Description | Stage information |
| JWT | JSON Web Token usage status |
| API Key | API Key usage status |
| Invoke URL | URL for API invocation |
| Activation Date | Stage activation date/time |
| Deployment ID | API deployment ID |
API Deployment Version Management
On the API Deployment Version Management tab, you can view API deployment history.
| Item | Description |
|---|---|
| API Deployment Version Management List | API deployment history
|
| Change Deployment | Select the resource to change deployment from the list and click the Change Deployment button. When you click the Confirm button in the notification popup window, the active deployment ID is immediately updated. |
CORS (Cross-Origin Resource Sharing)
On the CORS tab, you can view the CORS list.
| Item | Description |
|---|---|
| Name | CORS name |
| Mapping Value | Mapping value applied to CORS |
Usage Policy
On the Usage Policy tab, you can view the usage policy connected to the stage.
| Item | Description |
|---|---|
| Usage Policy Name | Usage policy name |
| Usage Policy ID | Usage policy ID |
| Quota | Quota set in the usage policy |
| Connected API Key Name | API Key name connected to the usage policy |
- When calling an API, you must call with the Key value of the API Key connected to the stage in the ‘x-scp-apikey’ header.
- Usage policies are connected at the stage level, but quotas are calculated per method checked for API Key usage.
Creating Authentication
JWT (JSON Web Token) is an open standard (RFC 7519) used for user authentication. JWT is a claim-based web token that stores information about the user in an encrypted token using JSON format.
To create a JWT, follow these steps:
Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
Click the API Gateway > Authentication menu on the Service Home page. This will take you to the Authentication List page.
Click the Create JSON Web Token button on the Authentication List page. This will take you to the Create JSON Web Token popup window.
- Enter or select the required information.
Item RequiredDescription JWT Name Required Enter token name - Start with lowercase English letters, do not end with special characters (
-), and enter 3 ~ 50 characters using lowercase letters, numbers, and special characters (-)
Stage to Connect Optional Check Use and then select a stage Table. Authentication creation information input items - Start with lowercase English letters, do not end with special characters (
- Enter or select the required information.
When information entry and selection is complete, click the Confirm button.
Check the message in the notification popup window, then click the Confirm button. This will take you to the Access Token notification popup window.
- Tokens can only be viewed in the Access Token notification popup window. If necessary, download the Access Token file.
Check the message in the Access Token notification popup window, then click the Confirm button.
- Once creation is complete, verify the created resource in the authentication list.
- To delete a token, select the resource to delete from the list and click the Delete button.
- To modify a token, select Modify from the context menu of the resource to be modified.
Creating Access Control
You can add access allowed IPs so that API calls are made only from specific IPs when calling an API.
- A stage is connected to one access control. When a stage is initially created, the Default access control is applied by default to block access from all IPs (All deny). By creating a new access control and connecting it to the stage, you can configure it to be called only from specific IPs.
- Access control cannot be created in the following cases:
- When the available service quota limit is exceeded: Check the current allocated value and additional possible value in Quota Service.
- When there is no available API: Create an API first.
- When the API endpoint type is Private: Access control is not supported, but JWT activation is mandatorily applied to the stage of that API.
To create an access control, follow these steps:
Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
Click the API Gateway > Access Control menu on the Service Home page. This will take you to the Access Control List page.
Click the Create Access Control button on the Access Control List page. This will take you to the Create Access Control popup window.
- Enter or select the required information.
Item RequiredDescription Access Control Name Required Enter access control name - Start with lowercase English letters, do not end with special characters (
-), and enter 3 ~ 50 characters using lowercase letters, numbers, and special characters (-)
Public Access Allowed IP Required Enter IP to allow access - Enter up to 100 using ‘,’
Stage to Connect Optional Check Use and then select a stage Description Optional Enter additional information or description about access control within 50 characters Table. Access control creation information input items - Start with lowercase English letters, do not end with special characters (
- Enter or select the required information.
When information entry and selection is complete, click the Confirm button.
Check the message in the notification popup window, then click the Confirm button.
- Once creation is complete, verify the created resource in the access control list.
- To delete the access control list, select the resource to delete from the list and click the Delete button. The Default access control cannot be deleted.
- To modify an access control, select Modify from the context menu of the resource to be modified.
Terminating an API
You can reduce operating costs by terminating services that are not in use. However, since terminating a service may immediately stop the operating service, you should proceed with termination after fully considering the impact of service interruption.
To terminate an API, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the API menu on the Service Home page. This will take you to the API List page.
- Select the resource to terminate on the API List page and click the Terminate Service button.
- When termination is complete, verify that the resource has been terminated on the API List page.
Using Report
You can check API traffic, performance, and error status.
To use Report, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the API Gateway > Report menu on the Service Home page. This will take you to the Report page.
- Enter or select the required information.
| Item | Description |
|---|---|
| Query Period | Select date to query (default 1 week from current date, can query up to one month) |
| Stage Name | Stage name under API |
- When information entry and selection is complete, you can view Report information.
| Item | Description |
|---|---|
| Top 5 Resources | Top 5 most called resources among resources called by the user with API status code 2XX (if identical, not shown as duplicate rank) |
| API Call Count | Number of calls with API status code 2XX |
| Latency | Time from when the user sends a request to API Gateway to when they receive a response |
| Integration Latency | Time from when API Gateway sends a request to the backend server to when it receives a response from the backend |
| 4XX Error | Number of calls with API status code 4XX |
| 5XX Error | Number of calls with API status code 5XX |
- When a stage is deleted, it cannot be queried in Report.
- Report queries data from 1 hour ago from the current time.
Creating a Usage Policy
Usage policies are established to ensure efficient distribution of server resources, secure service stability, and prevent unnecessary traffic and abuse.
To create a usage policy, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the API Gateway > Usage Policy menu on the Service Home page. This will take you to the Usage Policy page.
- Click the Create Usage Policy button on the Usage Policy page. This will take you to the Create Usage Policy page.
- Enter or select the required information.
| Item | Required | Description |
|---|---|---|
| API Name to Connect | Required | Select from created APIs |
| Usage Policy Name | Required | Start with lowercase English letters, do not end with special characters (-), and enter 3 ~ 50 characters using lowercase letters, numbers, and special characters (-) |
| Quota | Required | Enter between 1 ~ 2,000,000,000 based on monthly/daily/hourly |
| Description | Optional | Enter description of the usage policy within 50 characters |
- When information entry and selection is complete, click the Complete button.
- Check the message in the notification popup window, then click the Confirm button.
- Once creation is complete, verify the created resource in the usage policy list.
Creating an API Key
API Keys are used to identify which user or application is calling an API. They are mainly used to limit usage through usage policies.
To create an API Key, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the API Gateway > Usage Policy menu on the Service Home page. This will take you to the Usage Policy page.
- Click the usage policy in the list. This will take you to the Usage Policy Details page.
- Click the Create API Key button on the Usage Policy Details page. This will take you to the Add API Key popup window.
- Enter or select the required information.
| Item | Required | Description |
|---|---|---|
| API Key Name | Required | Start with lowercase English letters, do not end with special characters (-), and enter 3 ~ 50 characters using lowercase letters, numbers, and special characters (-) |
| Description | Optional | Enter description of the API Key within 50 characters |
- When information entry and selection is complete, click the Confirm button.
- Check the message in the notification popup window, then click the Confirm button.
- Once creation is complete, verify the created resource on the Usage Policy Details page.
- Up to 10 usage policies and 5 API Keys can be created.
- Quotas are calculated per API Key.
Creating a Resource Policy
You can block unauthorized access from the source through resource-based policies and enhance the security level of the service.
To create a resource policy, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the API Gateway > Resource Policy menu on the Service Home page. This will take you to the Resource Policy page.
- Click the Create Resource Policy button on the Resource Policy page. This will take you to the Create Resource Policy page.
- Enter or select the required information in the Service Information section.
| Item | Required | Description |
|---|---|---|
| Policy Template | Required | Select policy template
|
- When information entry and selection is complete, click the Complete button.
- Check the message in the notification popup window, then click the Confirm button.
- Once creation is complete, you can view, modify, or delete the resource policy.
2.1 - Resource-based Policy
Resource-based Policy Overview
API Gateway’s Resource-based Policy is a policy granted to a resource that allows you to decide whether to allow or deny (Effect) actions on specific resources to principals. Using resource-based policies, you can directly define the principals that can call the API.
Through resource-based policies, you can allow secure API calls by defining the following:
- Users of specific Samsung Cloud Platform accounts
- Specific source IP address ranges or CIDR blocks
Source policies are defined as JSON policy documents attached to an API to control whether a specified security principal (usually an IAM role or group) can call the API.
| Item | Description | Example |
|---|---|---|
| Principal | Specify the principal that will call the API | - |
| Action | Define the functions to allow | - |
| Condition | Restrict to allow only in specific situations | Allow only requests from specific SRN |
- API Gateway’s resource-based policy utilizes the rules of IAM’s resource-based policy.
- For instructions on creating or modifying policies using JSON, see JSON Writing Guide.
Resource-based Policy Usage Scenarios
The main usage scenarios for resource-based policies are as follows:
Resource-based Policy Scenarios
The resource-based policy scenarios used when specific features of API Gateway operate are as follows:
| Item | Description | Reference Example |
|---|---|---|
| Default Policy | This is the DEFAULT resource policy that is automatically created when an API is created.
| Default Policy Example |
| Account Allow List | You can define the account(s) that can call the API. | Account Allow List Example |
| IP Range Deny List | You can define the IP ranges that cannot call the API. | IP Range Deny List Example |
Additional User Usage Scenarios
While not automatically registered by API Gateway’s resource-based policy, users can add and utilize it as needed. Scenarios that users can add and utilize are as follows:
- Cross-account access
- When an IAM user of account A wants to execute Lambda of account B, register account A in the function policy of account B.
- Hybrid access control
- Instead of simply limiting accounts or IPs, you can configure it so that both specific users and specific IP bands must be satisfied simultaneously to allow access.
Managing API Gateway’s Resource-based Policy
To view and set API Gateway’s resource-based policy, follow these steps:
- Click the All Services > Application Service > API Gateway menu. This will take you to the API Gateway Service Home page.
- Click the API Gateway > Resource Policy menu on the Service Home page. This will take you to the Resource Policy page.
- Click the Modify button in the Policy Details item. The Modify Resource Policy popup window opens. * When you click the Delete button, the registered policy is deleted.
- In the Modify Resource Policy popup window, select a Policy Template and then write the policy. * For policy examples by policy template, see Resource-based Policy Examples.
- When writing is complete, click the Complete button.
Resource-based Policy Examples
Users can additionally define resource-based policies or modify existing policies as needed.
- For some features, a resource-based policy (or credentials) must be registered to use them in API Gateway.
- For the resource-based policy examples described in this guide, API Gateway automatically registers the example resource-based policies when each feature is activated or connected.
Default Policy
This is a policy that is automatically registered when an API is created.
Policy Template
{
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Effect": "Allow",
"Principal": "*",
"Resource": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
],
"Sid": "DefaultStatement"
}
],
"Version": "2024-07-01"
}{
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Effect": "Allow",
"Principal": "*",
"Resource": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
],
"Sid": "DefaultStatement"
}
],
"Version": "2024-07-01"
}Policy Example
{
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Effect": "Allow",
"Principal": "*",
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "DefaultStatement"
}
],
"Version": "2024-07-01"
}{
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Effect": "Allow",
"Principal": "*",
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "DefaultStatement"
}
],
"Version": "2024-07-01"
}Account Allow List
This is a policy that allows only users of specific SCP accounts (Root user or IAM Role) to call the API.
Policy Template
{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:method/{{ApiId}}/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
]
}
},
"Effect": "Allow",
"Principal": {
"scp": [
"srn:{{Offering}}::{{AccountID}}:::iam:user/{{UserSrn}}"
]
},
"Resource": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
],
"Sid": "Statement1"
}
]
}{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:method/{{ApiId}}/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
]
}
},
"Effect": "Allow",
"Principal": {
"scp": [
"srn:{{Offering}}::{{AccountID}}:::iam:user/{{UserSrn}}"
]
},
"Resource": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
],
"Sid": "Statement1"
}
]
}Policy Example
{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:e::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
]
}
},
"Effect": "Allow",
"Principal": {
"scp": [
"srn:e::accountId1:::iam:user/userId1"
]
},
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "Statement1"
}
]
}{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:e::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
]
}
},
"Effect": "Allow",
"Principal": {
"scp": [
"srn:e::accountId1:::iam:user/userId1"
]
},
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "Statement1"
}
]
}IP Range Deny List
This is a policy that allows or blocks only specific IP addresses or CIDR ranges.
Policy Template
{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:method/{{ApiId}}/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
]
},
"NotIpAddress": {
"scp:SourceIp": [
"{{sourceIpOrCIDRBlock}}",
"{{sourceIpOrCIDRBlock}}"
]
}
},
"Effect": "Allow",
"Principal": "*",
"Resource": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
],
"Sid": "Statement1"
}
]
}{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:method/{{ApiId}}/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
]
},
"NotIpAddress": {
"scp:SourceIp": [
"{{sourceIpOrCIDRBlock}}",
"{{sourceIpOrCIDRBlock}}"
]
}
},
"Effect": "Allow",
"Principal": "*",
"Resource": [
"srn:{{Offering}}::{{AccountID}}:kr-west1::apigateway:api/{{ApiId}}"
],
"Sid": "Statement1"
}
]
}Policy Example
{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:e::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
]
},
"NotIpAddress": {
"scp:SourceIp": [
"1.2.3.4/24",
"5.6.7.8/32"
]
}
},
"Effect": "Allow",
"Principal": "*",
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "Statement1"
}
]
}{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:e::accountId1:kr-west1::apigateway:method/apiId1/stage1/GET/resource1"
]
},
"NotIpAddress": {
"scp:SourceIp": [
"1.2.3.4/24",
"5.6.7.8/32"
]
}
},
"Effect": "Allow",
"Principal": "*",
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "Statement1"
}
]
}Cross-account Access
This is a policy that allows UserId2 belonging to accountId2 to call API apiId1 belonging to accountId1.
Policy Example
{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
]
}
},
"Effect": "Allow",
"Principal": {
"scp": [
"srn:e::accountId1:::iam:user/userId1",
"srn:e::accountId2:::iam:user/userId2",
]
},
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "Statement1"
}
]
}{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
]
}
},
"Effect": "Allow",
"Principal": {
"scp": [
"srn:e::accountId1:::iam:user/userId1",
"srn:e::accountId2:::iam:user/userId2",
]
},
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "Statement1"
}
]
}Hybrid Access Control
This is a policy that allows UserId2 belonging to accountId2 to call API apiId1 belonging to accountId1.
- You can add conditions to simultaneously validate the User ID (Principal) and resource Condition (Condition). Below is an example that additionally defines inaccessible IPs.
Policy Example
{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
]
},
"NotIpAddress": {
"scp:SourceIp": [
"1.2.3.4/24",
"5.6.7.8/32"
]
}
},
"Effect": "Allow",
"Principal": {
"scp": [
"srn:e::accountId1:::iam:user/userId1",
]
},
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "Statement1"
}
]
}{
"Version": "",
"Statement": [
{
"Action": [
"apigateway:InvokeApigatewayRegion"
],
"Condition": {
"SrnLike": {
"scp:RequestAttribute/body['method-srn']": [
"srn:e::accountId1:kr-west1::apigateway:method/apiId1/*/*/*"
]
},
"NotIpAddress": {
"scp:SourceIp": [
"1.2.3.4/24",
"5.6.7.8/32"
]
}
},
"Effect": "Allow",
"Principal": {
"scp": [
"srn:e::accountId1:::iam:user/userId1",
]
},
"Resource": [
"srn:e::accountId1:kr-west1::apigateway:api/apiId1"
],
"Sid": "Statement1"
}
]
}3 - API Reference
4 - CLI Reference
5 - Release Notes
API Gateway
- You can set resource-based policies for APIs.
- A resource-based policy is a policy that is applied to the API itself to allow external access.
- Using resource-based policies, you can allow or deny actions on specific resources to specific principals.
- API Gateway service that allows easy management and monitoring of APIs has been released.
- You can easily define resources and methods related to APIs, and conveniently monitor API usage status and performance metrics.