
GraphQL real-time data mesh vs. REST/HTTP/WebSocket universal API gateway — know exactly which to reach for
AppSync owns GraphQL + real-time subscriptions; API Gateway owns REST, HTTP, and WebSocket at universal scale
| Feature | Exam tip | AppSync: Managed GraphQL with real-time subscriptions | API Gateway: REST, HTTP, WebSocket APIs at any scale |
|---|---|---|---|
| Primary Protocol | If the question mentions GraphQL, the answer is almost always AppSync. If it mentions REST or HTTP, it's API Gateway. | GraphQL (query, mutation, subscription) — single /graphql endpoint | REST API, HTTP API, WebSocket API — multiple resource-based endpoints |
| Real-Time / Push Capability | AppSync subscriptions are zero-config real-time. API Gateway WebSocket requires you to manage connectionId state yourself (e.g., store in DynamoDB). | Native GraphQL Subscriptions over WebSocket (MQTT over WebSocket) — built-in, no extra infrastructure | WebSocket API support — requires custom Lambda/DynamoDB integration to manage connection state |
| Data Sources / Integrations | API Gateway can integrate with nearly ANY AWS service via AWS integration type. AppSync integrations are curated but powerful for data aggregation. | DynamoDB, Lambda, RDS (Aurora Serverless via RDS Data API), OpenSearch, HTTP endpoints, EventBridge, None (local resolvers) | Lambda, HTTP backends, AWS services (any via AWS integration), VPC Link (private), Step Functions, Kinesis, SQS, DynamoDB (REST only) |
| Resolver / Transformation Logic | AppSync pipeline resolvers can fan out to multiple data sources in a single GraphQL operation without Lambda — a key cost and latency advantage. | VTL (Velocity Template Language) resolvers OR JavaScript resolvers (pipeline resolvers supported) — can call multiple data sources per field | Mapping templates (VTL) for REST APIs, no transformation for HTTP APIs — complex logic requires Lambda |
| Caching | API Gateway caching only exists for REST APIs, NOT HTTP APIs. This is a frequent trap. AppSync caching is at the resolver level. | Server-side caching per resolver or per-request (TTL configurable, instance-based cache) | REST API: Stage-level response caching (0.5 GB to 237 GB cache capacity). HTTP API: No built-in caching. |
| Authentication / Authorization | AppSync uniquely supports MULTIPLE auth modes on a single API simultaneously (e.g., Cognito for users, IAM for services). API Gateway requires one primary authorizer per route. | API Key, AWS IAM, Amazon Cognito User Pools, OIDC, Lambda authorizer — multiple auth modes simultaneously on one API | API Key, IAM, Cognito User Pools, Lambda authorizer (TOKEN or REQUEST type), JWT authorizer (HTTP API only), mutual TLS |
| Offline / Conflict Resolution | If the exam mentions mobile offline sync, conflict resolution, or Amplify DataStore — AppSync is the answer. | Built-in conflict detection and resolution for offline-first apps (Optimistic Concurrency, Auto Merge, Lambda custom) via Amplify DataStore | No native offline support — must be handled entirely in client code |
| API Types Supported | API Gateway's HTTP API is ~70% cheaper than REST API for simple proxy use cases. Know when to use HTTP vs REST API. | GraphQL only | REST API (full-featured), HTTP API (lightweight, lower cost), WebSocket API |
| Throttling / Rate Limits | API Gateway's 10,000 RPS limit is account-wide across ALL APIs (REST + HTTP + WebSocket). This is a critical architectural constraint for multi-API accounts. | Not specified as a fixed number in public quotas — soft limits apply per account/region, adjustable via support | 10,000 RPS default with burst of 5,000 (token bucket) per account per Region. Some regions default to 2,500 RPS / 1,250 burst. |
| Edge / Global Deployment | Only API Gateway REST APIs have a native edge-optimized deployment type using CloudFront. AppSync requires manually adding CloudFront. | Regional endpoints only — use CloudFront in front for edge caching | REST API: Edge-optimized (CloudFront built-in), Regional, or Private. HTTP API: Regional only. WebSocket: Regional only. |
| Private API Support | Private APIs (accessible only within VPC) are exclusive to API Gateway REST APIs. This is tested in SAA-C03 and SAP-C02 architecture questions. | No native private endpoint — must use VPC endpoint for AppSync or place behind CloudFront + WAF | REST API: Private APIs via VPC Interface Endpoint (PrivateLink). HTTP API: No private endpoint. |
| Usage Plans & API Keys | Usage Plans + API Keys for third-party/partner API monetization = API Gateway. AppSync API Keys are simple auth tokens, not quota-managed. | API Key auth available but no tiered usage plans or quota management per consumer | Usage Plans: define throttle (RPS) + quota (requests/day/week/month) per API Key — monetization and partner API management |
| Pricing Model | HTTP API is significantly cheaper than REST API for simple Lambda proxy patterns. AppSync pricing is complex — subscriptions charge both connection time AND message volume. | Query/Mutation: per 4KB request unit. Subscription: per connection-minute + per 4KB message. Caching: per hour by instance size. Real-time updates: per million updates. | REST API: per million API calls + data transfer + caching. HTTP API: per million API calls (cheaper than REST). WebSocket: per million messages + connection-minutes. |
| Monitoring & Observability | Both support X-Ray. API Gateway has richer access logging options and native WAF integration at the stage level. | CloudWatch Logs (request/error logs), CloudWatch Metrics (latency, errors, requests), X-Ray tracing | CloudWatch Logs (execution + access logs), CloudWatch Metrics, X-Ray tracing, AWS WAF integration, CloudWatch dashboards |
| WAF Integration | Both support WAF. However, WAF does NOT protect against AI prompt injection attacks — a misconception flagged in exam question banks. | AWS WAF supported — attach Web ACL to AppSync API | AWS WAF supported — attach Web ACL to REST API or HTTP API stage |
| Direct AWS Service Integration (no Lambda) | Both can bypass Lambda for direct service calls. AppSync uses VTL/JS resolvers; API Gateway uses AWS integration with mapping templates. Reduces cost and latency. | Yes — direct resolvers to DynamoDB, Aurora Serverless, OpenSearch, EventBridge without Lambda | Yes (REST API only) — AWS integration type can call DynamoDB, SQS, SNS, Step Functions, Kinesis directly |
| Schema / Contract Definition | AppSync schema introspection enables automatic client SDK generation via Amplify. API Gateway uses OpenAPI for documentation and SDK generation. | GraphQL Schema Definition Language (SDL) — strongly typed, self-documenting, introspectable | OpenAPI / Swagger 3.0 for REST/HTTP APIs — industry standard, importable/exportable |
| Amplify Integration | Amplify + AppSync = fastest path to full-stack serverless with offline sync. DVA-C02 and mobile app questions favor this pattern. | First-class citizen — Amplify CLI auto-generates AppSync APIs, DataStore, real-time subscriptions from schema | Supported via Amplify API category but requires more manual configuration |
| Bedrock / AI Integration | For AIF-C01: API Gateway is the more common front-door for Bedrock-powered APIs. AppSync can work but adds GraphQL complexity where REST suffices for AI inference endpoints. | Can call Bedrock via HTTP resolver or Lambda resolver — not a native direct data source yet | Can proxy Bedrock API calls via Lambda or direct AWS integration — common pattern for AI application backends |
Summary
Choose AppSync when your use case centers on GraphQL, real-time data subscriptions, mobile offline sync, or aggregating multiple data sources into a single query. Choose API Gateway when you need REST or HTTP APIs, third-party API management with usage plans, private VPC endpoints, edge-optimized deployment, or a universal proxy to any AWS service. The two services are not mutually exclusive — large architectures often use both.
🎯 Decision Tree
- If GraphQL → AppSync.
- If real-time push subscriptions with zero infra → AppSync.
- If REST/HTTP API → API Gateway.
- If private API (VPC-only) → API Gateway REST.
- If edge-optimized (CloudFront built-in) → API Gateway REST.
- If usage plans + API key quotas for partners → API Gateway.
- If offline mobile sync + conflict resolution → AppSync.
- If direct Bedrock/SageMaker proxy → API Gateway.
- If Amplify DataStore → AppSync.
- If WebSocket with custom routing logic → API Gateway WebSocket.
- If WebSocket with GraphQL subscriptions → AppSync.
GraphQL keyword = AppSync, always. Any exam scenario mentioning GraphQL schema, mutations, queries, or subscriptions points to AppSync. API Gateway does not support GraphQL natively — it would require a Lambda function to parse and route GraphQL requests manually.
API Gateway's 10,000 RPS throttle limit is ACCOUNT-WIDE and SHARED across all API types (REST + HTTP + WebSocket) in a region. If an exam asks how to prevent one API from throttling others, the answer involves per-stage or per-method throttling overrides, or separate AWS accounts. This limit CAN be increased via Support.
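The shared limit described above, as an added example that is not part of the original page: a token-bucket simulation of the account-level 10,000 RPS / 5,000 burst quota, showing a modest API being throttled by a noisy neighbour and a per-stage override containing the damage. The API names, traffic rates, the 5,000/2,000 stage override, and the rule that a stage-rejected request consumes no account token are assumptions of this model.

```python
import heapq
import random

class TokenBucket:
    """Token bucket: refills at `rate` tokens/s, holds at most `burst` tokens."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0  # bucket starts full

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

def arrivals(name, rps, seconds, rng):
    """Constructed traffic: Poisson arrivals for one API as (time, name) tuples."""
    t = rng.expovariate(rps)
    while t < seconds:
        yield t, name
        t += rng.expovariate(rps)

def simulate(offered_rps, stage_limits=None, seconds=3,
             account_rate=10_000, account_burst=5_000, seed=7):
    """Return {api: fraction of its requests throttled}.

    offered_rps:  {api_name: requests per second sent by clients}
    stage_limits: {api_name: (rate, burst)} per-stage override, optional
    Model assumption: a request rejected by its stage bucket does not
    consume an account-level token.
    """
    rng = random.Random(seed)
    account = TokenBucket(account_rate, account_burst)
    stages = {n: TokenBucket(*lim) for n, lim in (stage_limits or {}).items()}
    sent = dict.fromkeys(offered_rps, 0)
    throttled = dict.fromkeys(offered_rps, 0)
    streams = [arrivals(n, r, seconds, rng) for n, r in offered_rps.items()]
    for now, name in heapq.merge(*streams):  # requests in arrival order
        sent[name] += 1
        buckets = [account] + ([stages[name]] if name in stages else [])
        for b in buckets:
            b.refill(now)
        if all(b.tokens >= 1 for b in buckets):
            for b in buckets:
                b.tokens -= 1
        else:
            throttled[name] += 1  # the client would receive HTTP 429
    return {n: throttled[n] / sent[n] for n in sent}

# Constructed scenario: a bulk-export API floods the account, checkout is modest.
OFFERED = {"bulk-export": 30_000, "checkout": 500}
shared = simulate(OFFERED)                                          # account limit only
capped = simulate(OFFERED, stage_limits={"bulk-export": (5_000, 2_000)})
```

In `shared`, checkout loses well over half of its requests even though it sends only 500 RPS; in `capped`, the stage override on the noisy API leaves the account bucket with headroom and checkout is never throttled.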
HTTP API vs REST API is a favorite trap: HTTP API is cheaper and faster for Lambda proxy and JWT auth, but LACKS caching, usage plans, request validation, and edge-optimized deployment. REST API has all features. If the scenario needs caching or usage plans → REST API. If it needs lowest cost simple proxy → HTTP API.
AppSync supports MULTIPLE authentication modes simultaneously on a single API (e.g., Cognito for end users + IAM for backend services + API Key for public read). API Gateway supports one primary authorizer per route/stage. This multi-auth capability is unique to AppSync and tested in DVA-C02 and SAA-C03.
Private APIs are REST-API-only in API Gateway — accessed via VPC Interface Endpoint (PrivateLink). HTTP APIs cannot be made private. AppSync has no native private endpoint. For scenarios requiring API access only within a VPC with no internet exposure → API Gateway REST Private API.
WAF can be attached to both AppSync and API Gateway to filter malicious HTTP traffic (SQLi, XSS, IP blocking, rate limiting). However, WAF does NOT protect against AI prompt injection attacks — this is a documented exam misconception. Prompt injection requires application-layer controls, not WAF rules.
AppSync pipeline resolvers can call multiple data sources sequentially or in parallel within a single GraphQL operation without requiring Lambda — reducing latency and cost. This is the key architectural advantage of AppSync over building a GraphQL layer on top of API Gateway + Lambda.
For Amplify-based mobile or web apps with offline-first requirements and automatic conflict resolution, AppSync + Amplify DataStore is the canonical AWS answer. The combination handles delta sync, conflict strategies (Optimistic Concurrency, Auto Merge, Lambda custom), and local storage automatically.
The #1 exam trap: Treating 'API Gateway' as a single product when it is actually THREE distinct products (REST API, HTTP API, WebSocket API) with different feature sets, pricing, and quotas. Specifically: selecting HTTP API when the scenario requires caching or usage plans (only REST API has these), or selecting REST API when the scenario requires the lowest possible cost for a simple Lambda proxy (HTTP API is significantly cheaper). Always identify WHICH type of API Gateway before answering.
CertAI Tutor · SAA-C03, CLF-C02, DVA-C02, DOP-C02, AIF-C01, SAP-C02, DEA-C01 · 2026-02-22