Serve Tiles with API Gateway
TL;DR
Use API Gateway in front of S3 (or other stores) to securely serve tiles using a Lambda authorizer, and with caching out-the-box as a bonus. Good for use cases where tiles need to be secure, with moderate to high traffic volumes.
Description
User requests a tile → API Gateway authorizes request → API Gateway checks its edge cache → if not found, it fetches from S3 → response is cached at the edge for future use.
This pattern extends Public Tiles with S3 by placing an API Gateway instance in front of the S3 bucket. API Gateway can secure requests using a Lambda authorizer, and also provides out-the-box caching at either edge locations or on a per-region basis, reducing latency and S3 request charges. This setup is especially useful for production deployments of private tile sets.
When to Use
- Serving private tile sets at scale
- Reducing S3 request and data transfer costs
- Strong access controls
- Run tile services alongside other API endpoints
- Use regional deployments if data residency is a consideration
Trade-offs
- Higher complexity than other solutios
- Authorization typically requires custom logic
- Likely more expensive than CloudFront
Alternatives
- Serve Tiles with S3 – simpler but less performant
- Secure Tiles with API Gateway – when authentication is a priority