Tutorials DevOps & Cloud Architect Mastery
API Gateways: Exposing serverless functions securely
Securing Serverless APIs
You should never expose a raw Lambda or Azure Function directly to the internet. You must use an API Gateway as a protective shield and routing layer.
1. Authentication & Authorization
The Gateway verifies the **JWT Token** or **API Key** before the function is invoked. A rejected request never starts a function execution, so you don't pay "Execution Time" for unauthorized traffic.
2. Throttling & Usage Plans
Want to limit "Free Tier" users to 100 requests per day while giving "Premium" users unlimited access? The API Gateway handles this via **Usage Plans**. It protects your backend from getting overwhelmed by a single client.
3. Request Transformation
The Gateway can transform a complex XML request into a simple JSON object before passing it to your function. This keeps your serverless code clean and focused on business logic, not protocol parsing.
4. Interview Mastery
Q: "How do you handle API Versioning in an API Gateway?"
Architect Answer: "We use **Stages** or **Path Routing**. You can have `/v1/users` point to the old Lambda and `/v2/users` point to the new one. This allows you to support legacy mobile apps while rolling out major breaking changes. You can also use **Canary Stages** to send 10% of users to the new version for testing."
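A minimal model of the three gateway-side mechanisms above (sections 1, 2 and 4: authentication before invocation, Usage Plans, and path routing between `/v1` and `/v2`), added here as an example that is not from the original tutorial or from any gateway product's code. It assumes a constructed HS256 signing secret, a `plan` claim inside the JWT, and the `x-api-key` header; a real gateway validates tokens against the identity provider's keys, but the ordering is what matters: a rejected request never reaches the function.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed; a real authorizer checks the IdP's signing key
USAGE_PLANS = {"free": 100, "premium": None}  # requests per day; None means unlimited
_daily_counts = {}  # (api_key, day) -> requests seen so far today
ROUTES = {"/v1/users": lambda: {"users": ["alice"]},            # legacy function
          "/v2/users": lambda: {"data": [{"name": "alice"}]}}   # new version

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_jwt(claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the identity provider in this demo."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, now: float):
    """Claims if signature and expiry hold, else None. The alg header is ignored: HS256 is pinned."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None
    except (ValueError, TypeError):  # malformed token, bad base64, bad JSON or odd claim types
        return None

def within_quota(api_key: str, plan: str, day: str) -> bool:
    """Usage plan check: count the call and reject once the plan's daily limit is hit."""
    limit = USAGE_PLANS.get(plan, 0)  # an unknown plan gets no requests at all
    if limit is None:
        return True
    n = _daily_counts[(api_key, day)] = _daily_counts.get((api_key, day), 0) + 1
    return n <= limit

def gateway(path: str, headers: dict, now: float = None):
    """Returns (status, body, function_invoked); rejected calls never reach the function."""
    now = time.time() if now is None else now
    claims = verify_jwt(headers.get("Authorization", "").removeprefix("Bearer "), now)
    if claims is None:
        return 401, {"error": "unauthorized"}, False
    day = time.strftime("%Y-%m-%d", time.gmtime(now))
    if not within_quota(headers.get("x-api-key", ""), claims.get("plan", "free"), day):
        return 429, {"error": "daily quota exceeded"}, False
    handler = ROUTES.get(path)
    return (200, handler(), True) if handler else (404, {"error": "no route"}, False)
```

The third element of the returned tuple is the billing signal: only `True` results would have accrued execution time on the function behind the gateway.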