Learn what GraphQL, Serverless and AWS AppSync are, and how they combine to build a Serverless GraphQL application on AWS AppSync that is deployed with the Serverless framework.
What is GraphQL?
GraphQL is two things under one name:
- A query language for APIs, in which the client states exactly which fields it wants
- A server-side runtime that parses those queries and resolves each requested field against the backing data
- Designed at Facebook in 2012 and open-sourced in 2015
Moving on — what is Serverless?
Let's discuss Serverless: the service model versus the Framework.
Serverless as a service model:
- No server management (no machines of any kind to provision or patch)
- Pay-per-execution (never pay for idle)
- Auto-scaling (capacity follows demand)
- The function as the unit of application logic
- Examples: AWS Lambda, API Gateway, AWS AppSync
The Serverless Framework:
- Open-source framework ( https://www.serverless.com/ )
- Develop and debug serverless apps locally
- Deploy serverless applications in seconds
- Integrates with AWS, Azure, GCP and more
Now — what is AWS AppSync?
AppSync is a managed service offered by AWS that uses GraphQL to make it easy for applications to get exactly the data they need.
Per the above definition of a Serverless service — AWS AppSync is Serverless!
Let's look at a few frequently used AppSync use cases.
Use case 1— Real-Time Collaboration
E.g. Chat Applications
Use case 2— Data Layer
E.g. an access layer in front of microservices that combines data from several of them into one graph
More use cases like Polyglot Backend Data Access, Offline Delta Sync can be found here — https://aws.amazon.com/appsync/
Is AWS AppSync Secure?
Yes, in the sense that AWS secures the managed service itself; however, the GraphQL API you expose is only as secure as the authorization you configure for it. It is on the user to secure the API with the supported authorization modes (AppSync calls them authorization modes; this article uses "authentication" for the same thing). An API left on an API key alone is effectively public to anyone holding that key.
What are the supported auth methods?
Graph API Level (for all fields)
We can use any of the modes below as the API's default authorization mode; it then applies to every field that carries no field-level directive.
- API Key (a shared secret sent in the x-api-key header; it identifies the application, not a user, and it expires, by default after 7 days and at most after 365 days, so it suits public or prototype data only)
- AWS IAM (SigV4-signed requests; suits service-to-service calls and credentials issued by Cognito Identity Pools)
- OpenID Connect (JWTs issued by any OIDC-compliant provider)
- Amazon Cognito User Pools (JWTs issued by a user pool; enables per-user and per-group rules)
Field Level (for individual fields)
When additional authorization modes are enabled alongside the default, we can use the directives below in the GraphQL schema to state which mode(s) may access an individual field (or a whole object type):
- @aws_api_key (when used on a field, the field is API_KEY authorized)
- @aws_iam (the field is AWS_IAM authorized)
- @aws_oidc (the field is OPENID_CONNECT authorized)
- @aws_cognito_user_pools (the field is AMAZON_COGNITO_USER_POOLS authorized; it accepts a cognito_groups argument to restrict the field to members of the named user pool groups)
- @aws_auth (group restriction, e.g. @aws_auth(cognito_groups: ["Admins"]), available when Cognito User Pools is the API's default mode)
Naturally, the next question is whether different authorization modes can be mixed at the Graph API level and the field level.
Yes: one default mode for the API plus any number of additional modes, selected per field with the directives above.
For example, with API Key as the API's default mode and Amazon Cognito User Pools enabled as an additional mode, a field annotated @aws_cognito_user_pools can be queried only with a valid Cognito JWT, while fields carrying no directive remain reachable with the API key alone. A request is authorized by exactly one mode, determined by the credential it carries (the x-api-key header, or a JWT in the Authorization header), so the annotated field does not require "Cognito plus an API key"; it requires a Cognito identity instead of the key.
One may also want to filter data on the way into or out of a resolver for security reasons, or to add custom logic at the request entry and response exit points.
- For such use cases, use the Resolver Mapping Templates provided by AppSync: a request mapping template turns the GraphQL request into the call made to the data source, and a response mapping template shapes what the data source returned before it reaches the client.
- Filtering logic (rejecting a call outright, restricting a query to the caller's own records, dropping attributes that must not leave the data layer) goes into those two templates.
- Resolver Mapping Templates use Apache VTL (Velocity Template Language) and expose the caller's identity as $ctx.identity (for Cognito User Pools: sub, username, claims and groups), which is what makes per-user filtering possible.
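The following pair of mapping templates is an added example, not code from the article or from the serverless-graphql repository linked below, and it illustrates both the mixed authorization modes from the previous section and the request/response filtering just described. It assumes a hypothetical schema field getProfile(id: ID!): Profile annotated @aws_cognito_user_pools on an API whose default mode is API Key, backed by a DynamoDB data source whose items carry the attributes id, owner (the Cognito sub of the user who created the item) and internalNotes. In practice the two templates live in separate files attached to the same resolver; they are shown together here.

```vtl
## Request mapping template for Query.getProfile (DynamoDB GetItem).
## Assumed schema field (not from the article):
##   type Query { getProfile(id: ID!): Profile @aws_cognito_user_pools }
## With API Key as the API's default mode an API-key call never reaches this
## field. The guard below also protects the template if the directive is ever
## removed from the schema: under API_KEY authorization $ctx.identity is null.
#if( $util.isNull($ctx.identity) || $util.isNullOrEmpty($ctx.identity.sub) )
  $util.unauthorized()
#end
{
  "version": "2017-02-28",
  "operation": "GetItem",
  "key": {
    "id": $util.dynamodb.toDynamoDBJson($ctx.args.id)
  }
}

## Response mapping template for Query.getProfile.
## Surface data-source errors instead of silently returning null.
#if( $ctx.error )
  $util.error($ctx.error.message, $ctx.error.type)
#end
#if( $util.isNull($ctx.result) )
  null
#else
  ## Ownership check: the item stores its creator's Cognito "sub" in "owner"
  ## (assumed table layout). Any other caller gets Unauthorized even though
  ## they hold a valid user pool token, so knowing an id is not enough to
  ## read another user's profile.
  #if( $ctx.result.owner != $ctx.identity.sub )
    $util.unauthorized()
  #end
  ## Drop an attribute that must never leave the data layer, whoever asks.
  $util.qr($ctx.result.remove("internalNotes"))
  $util.toJson($ctx.result)
#end
```

The owner comparison uses $ctx.identity.sub rather than $ctx.identity.username because the sub is the immutable user identifier in a Cognito user pool, whereas a username can be changed or reused. Note that the ownership check runs after the item has been read, so the read still happens and is billed; for a list query the same filter would be expressed as a query key condition on the owner attribute in the request template instead.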
Pay only for what you use, never for idle:
- Query and Mutation operations: $4 per million operations
- Subscription operations (real-time updates): $2 per million updates, plus $0.08 per million connection-minutes
Note: the above pricing is as of the time of writing this article, June 2020.
Serverless GraphQL with AWS AppSync
A Serverless GraphQL application with AppSync can be deployed using the Serverless framework.
Everything you need to build a Serverless GraphQL application with AWS AppSync and deploy it using the Serverless framework is in the links below.
Thanks to the Serverless community!
Github Code: https://github.com/serverless/serverless-graphql
Documentation with an example app: https://medium.com/hackernoon/running-a-scalable-reliable-graphql-endpoint-with-serverless-24c3bb5acb43
Set up API Gateway as a proxy to AWS AppSync:
Alternative Serverless GraphQL setup using API Gateway + Lambda: https://serverless.com/blog/running-scalable-reliable-graphql-endpoint-with-serverless/