API Gateway and ALB Architecture on AWS for MVP SaaS

Building a robust and cost-effective cloud architecture requires balancing security, scalability, and efficiency. In a recent project, we designed a single-ingress architecture using AWS API Gateway as the public entry point and an internal Application Load Balancer (ALB) to handle API requests and web traffic for a multi-tenant SaaS application. This setup uses a custom JWT authentication solution, integrates Web Application Firewall (WAF) protections on API Gateway, and optimizes costs for a lean deployment. In this article, I’ll share the high-level solutions architecture, configuration details, security considerations, cost-saving strategies, pros/cons, alternative architectures, why it’s suited for MVPs/small SaaS, and paths to enterprise scaling—for developers and architects exploring similar setups on AWS. Let’s dive in!

Architecture Overview

The architecture supports a SaaS application with a React frontend (hosted on AWS Amplify) and a serverless backend pipeline. API Gateway, the sole public-facing component, handles API endpoints like file uploads with WAF protections. An internal ALB routes traffic to a monolith backend running on EC2 instances in an Auto Scaling Group (ASG). Data flows from client uploads to S3 via API Gateway, processed through a serverless pipeline (Lambda and Step Functions), and stored in a database for querying. This single-ingress design ensures secure, scalable access for tenants, blending serverless simplicity with traditional compute.

• API Gateway: Public ingress, manages API endpoints with serverless scalability, authentication, and WAF protections.
• ALB: Internal, routes traffic to the monolith backend (EC2 ASG) with load balancing and health checks.

This approach leverages API Gateway’s pay-per-use model for APIs and ALB’s control for compute-intensive workloads, ideal for dynamic SaaS applications.

Pros and Cons of the Single-Ingress Approach

This architecture combines API Gateway’s serverless strengths with internal ALB routing, tailored for multi-tenant SaaS, but it has trade-offs.

Pros

• Scalability Balance: API Gateway auto-scales for bursty API traffic (e.g., uploads), while ALB with ASG handles steady monolith loads based on CPU thresholds (>70%), supporting variable workloads without over-provisioning.
• Cost Efficiency: Serverless APIs avoid idle costs; ALB’s fixed ~$18.36/month suits consistent traffic. Total cost ~$23-28/month for low volume aligns with MVP needs.
• Security Layering: Custom JWT authentication via Lambda authorizer ensures tenant isolation; WAF on API Gateway blocks threats at the public ingress.
• Flexibility: Pre-signed S3 URLs offload large files, reducing backend latency; custom auth avoids managed provider lock-in.

Cons

• Management Complexity: Managing API Gateway and internal ALB requires separate Terraform configs and monitoring (CloudWatch/X-Ray), increasing overhead for small teams.
• Cost at Scale: API Gateway’s per-request fees (~$3.50/million after Free Tier) may exceed ALB for high RPS; ALB lacks native per-tenant throttling.
• Feature Gaps: API Gateway REST API lacks built-in WebSocket support; single-region setup risks downtime without Route 53 failover.
• RPS Limits: API Gateway caps at ~600 RPS (increasable), unsuitable for ultra-high traffic without sharding.

API Gateway Configuration

API Gateway is configured as a REGIONAL REST API for low-latency access within a specific AWS region. As the sole public ingress, it integrates WAF for security. Key configurations include:

• Endpoints: A POST /upload endpoint generates pre-signed S3 URLs for direct file uploads, offloading large payloads to reduce latency and costs. The endpoint accepts JSON payloads with tenant-specific parameters. Example payload:

  {"tenant_id": "abc123", "file_name": "report.pdf", "processing_type": "analyze"}

• Deployment and Staging: A prod stage with AWS X-Ray tracing for request monitoring. Terraform’s create_before_destroy ensures zero-downtime deployments.
• Rate Limiting: The /upload endpoint is throttled at 10 requests/second per tenant using aws_api_gateway_usage_plan, preventing abuse and ensuring fair resource allocation.
• CORS: Enabled for the React frontend (AWS Amplify) with OPTIONS method support for cross-origin requests.
• Logging: Access logs in CloudWatch capture request ID, source IP, HTTP method, and status code for debugging and performance analysis.

This setup enables API Gateway to handle bursty traffic efficiently, scaling automatically.

Example: API Gateway Rate Limiting (Terraform)

resource "aws_api_gateway_usage_plan" "upload_throttle" {
  name = "upload-usage-plan"
  api_stages {
    api_id = aws_api_gateway_rest_api.upload_api.id
    stage  = "prod"
  }
  throttle_settings {
    burst_limit = 10
    rate_limit  = 10
  }
}

ALB Configuration

The ALB, an internal load balancer, routes traffic to the monolith backend (EC2 instances in an ASG) within a VPC for high availability. Key configurations include:

• Type and Placement: Application-type ALB in private subnets, targeting the ASG, with deletion protection to prevent accidental removal.
• Listeners and Certificates: HTTPS listener on port 443 uses an AWS Certificate Manager (ACM) certificate for TLS termination.
• Target Groups: Instance-based targets (EC2 ASG) with HTTP health checks on a /health endpoint (15-second interval, 5-second timeout, 200-299 status codes).
• Tagging: Tags like Environment=prod, ManagedBy=Terraform aid resource tracking.

ALB integrates with ASG, scaling based on CPU utilization (>70%), suitable for variable web traffic.

Security Considerations

The architecture incorporates security measures, with WAF applied to the public-facing API Gateway:

• Authentication: A Lambda authorizer validates JWTs for tenant-specific access, providing flexible session management without managed providers.
• Rate Limiting: API Gateway’s throttling (10 req/s per tenant) mitigates abuse and ensures fair access.
• WAF Protections: Regional WAF ACL on API Gateway uses AWS-managed rules to block threats:
  • Free rules (e.g., Core rule set for SQLi/XSS, IP Reputation) filter malicious IPs at $0/month.
  • Paid rules ($1/month each, plus $0.60/million requests) cover essentials like OWASP Top 10 and OS exploits.
  • Custom IP rate-limiting rule (1000 req/5min) targets specific paths to reduce costs.
• TLS Encryption: API Gateway and ALB enforce HTTPS with ACM certificates.

Tenant isolation is enforced via S3 bucket policies, ensuring data separation.

Cost Optimization Strategies

Cost efficiency is key for early-stage SaaS. The architecture targets ~$23-28/month:

Component	Estimated Monthly Cost	Notes
API Gateway	$0.35	~30,000 requests (~1,000/day); Free Tier covers 1M REST API requests
ALB	$18.36	$0.0225/hr + $0.008/LCU-hr; minimal LCUs for low traffic
WAF	$4.60	4 paid rules ($1 each) + $0.60/million requests; free rules included
CloudWatch Logs	$0.50	~1 GB logs; Free Tier covers 5 GB
Total	~$23-28	Affordable for low-traffic MVPs; monitor with AWS Budgets ($100 limit, 80% alerts)

• Pay-Per-Use Billing: API Gateway ~$3.50/million requests; ~30,000 requests at $0.35.
• ALB Optimization: Fixed ~$16.20/month ($0.0225/hr) + ~$2.16 for LCUs (~10 LCUs).
• WAF Selection: Free rules + 4 paid rules ($4) + $0.60/million requests.
• Free Tier Utilization: Covers 1M API Gateway requests, 5 GB CloudWatch logs.
• Budget Monitoring: AWS Budgets prevents overruns (~$0.50/million evaluations, often free).

Alternative Architectures

While the single-ingress architecture (API Gateway public, ALB internal) suits many SaaS applications, alternative approaches may better align with specific needs. Below are three alternatives with comparisons:

1. Fully Serverless (API Gateway HTTP API + Lambda + Cognito)

• Components:
  • API Gateway HTTP API (public ingress, ~$1/million requests).
  • Lambda for all backend logic (no EC2).
  • Cognito for authentication (OAuth2/OpenID Connect).
  • S3, DynamoDB, Step Functions for storage/processing.
  • WAF on API Gateway.
• Pros:
  • Lower costs at scale (HTTP API vs. REST API).
  • Fully serverless scales to zero, eliminating EC2/ASG management.
  • Cognito simplifies authentication with managed user pools.
• Cons:
  • Less flexibility for custom authentication.
  • Lambda cold starts may impact latency.
  • Migrating monolith logic to Lambda can be complex.
• When to Use: High-traffic serverless apps with standard authentication needs (e.g., SaaS with predictable API usage, no legacy monolith).
• Cost Estimate: ~$10-20/month for low traffic (HTTP API: ~$0.10 for 100K requests, Lambda: ~$0.20, Cognito: ~$0.05/user, WAF: ~$4.60).
• Why Better: Cheaper for high traffic, simpler operations, but loses custom auth flexibility.

2. Public ALB + ECS/Fargate + Cognito

• Components:
  • Public ALB (single ingress) routes to ECS/Fargate tasks (containerized monolith).
  • Cognito integrated with ALB for authentication.
  • S3, DynamoDB for storage; optional Lambda for tasks.
  • WAF on ALB.
• Pros:
  • Containers simplify monolith scaling compared to EC2.
  • ALB authentication with Cognito eliminates Lambda authorizer.
  • Predictable costs (~$40-60/month), better for high RPS.
• Cons:
  • Higher setup complexity (ECS/Fargate configuration).
  • Fargate costs more for low traffic (~$20-30/month vs. $10-15 for EC2).
  • Less serverless flexibility for bursty workloads.
• When to Use: Growing SaaS with high traffic or containerized monolith needing modern orchestration.
• Cost Estimate: ~$40-60/month (ALB: ~$18.36, Fargate: ~$20, Cognito: ~$0.05/user, WAF: ~$4.60).
• Why Better: Scales better for high traffic, simpler authentication, but more expensive for MVPs.

3. API Gateway + AppSync + Custom Authentication

• Components:
  • API Gateway (public ingress) for REST APIs.
  • AppSync for GraphQL and real-time features (WebSockets).
  • Lambda with custom authentication for backend logic.
  • S3, DynamoDB, Step Functions for storage/processing.
  • WAF on API Gateway.
• Pros:
  • AppSync supports WebSockets/GraphQL for real-time or complex APIs.
  • Retains custom authentication flexibility.
  • Scales for API-heavy applications.
• Cons:
  • AppSync adds cost (~$4/million queries) and complexity.
  • GraphQL introduces a learning curve for teams.
• When to Use: SaaS with real-time needs (e.g., chat, live dashboards) or complex data models.
• Cost Estimate: ~$30-50/month (API Gateway: ~$0.35, AppSync: ~$4, Lambda: ~$0.20, WAF: ~$4.60).
• Why Better: Supports real-time features, but more complex and costly.

Why Custom Authentication?

Custom JWT authentication via a Lambda authorizer was chosen for flexibility in handling tenant-specific access. It integrates seamlessly with API Gateway, supports scalability, and avoids lock-in to managed providers, making it suitable for tailored session management.

Why This Architecture Suits MVPs and Small SaaS

This setup excels for MVPs and small SaaS due to:

• Low Entry Barrier: Terraform enables fast deployment; API Gateway auto-scales APIs, ALB simplifies monolith routing.
• Cost-Effective for Low Traffic: ~$23-28/month fits bootstraps; Free Tier absorbs early costs.
• Rapid Prototyping: S3 offloading simplifies file handling; custom auth supports quick iterations.
• Security Without Overhead: WAF and throttling provide enterprise-like protection at low cost.

It’s perfect for ~1,000 daily requests, launching quickly and scaling affordably.

Scaling to Enterprise: Next Steps

For high-scale SaaS (thousands of tenants, global users):

• Multi-Region/HA: Use Route 53 for failover, Global Accelerator/CloudFront for low latency, replicate ASG across regions.
• Advanced Security/Compliance: Add Shield Advanced for DDoS ($3,000/month), expand WAF with Bot Control, enable CloudTrail for audits (SOC2/ISO).
• Scalability Enhancements: Containerize monolith on ECS/Fargate, use VPC Links for private API Gateway-ALB integration, increase RPS limits.
• Cost/Monitoring: Use AWS Cost Explorer, X-Ray for tracing, dedicated DB schemas for tenant isolation.
• Tenant Isolation: Implement VPC peering, silo high-value tenants, use custom domains.

These enhancements build on the existing foundation.

Conclusion

This single-ingress architecture, with API Gateway as the public entry point and internal ALB routing to compute-heavy backends, offers a secure, scalable, cost-optimized solution for SaaS. API Gateway manages serverless APIs with WAF and throttling, while custom authentication ensures tenant isolation. Ideal for small SaaS, it scales to enterprise with targeted upgrades. Alternative architectures like fully serverless or containerized setups may suit specific needs like high traffic or real-time features. Tried this approach? Share insights on tenant isolation or WAF rules in the comments!