aws re:invent 2016: building complex serverless applications (gpst404)
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
David Potes, AWS Partner Solutions Architect
Ajay Nair, AWS Principal Product Manager
November 29, 2016
GPST404: Building Complex Serverless Applications
Agenda
• Why serverless?
• Serverless elements on AWS
• Securing your cloud
• Tips and tricks
• Design patterns
Why serverless?
Bustle.com
• 52 million monthly users
• 100 million events daily
• 84% cost savings
• 0 servers
• 0 operating system patches
• Automatic scaling
Bustle.com event stream processing (architecture diagram). Bustle.com users → Amazon API Gateway → AWS Lambda → Amazon Kinesis → AWS Lambda, feeding Redis, Amazon Mobile Analytics, Amazon CloudWatch, Amazon Elasticsearch Service, Amazon S3, Amazon Redshift and Amazon QuickSight; consumers of the data: Engineering, Marketing & Operations, and Design.
The serverless compute manifesto
Functions are the unit of deployment and scaling.
No machines, VMs, or containers visible in the programming model.
Permanent storage lives elsewhere.
Scales per request. Users cannot over- or under-provision capacity.
Never pay for idle (no cold servers/containers or their costs).
Implicitly fault-tolerant because functions can run anywhere.
BYOC – Bring your own code.
Metrics and logging are a universal right.
Multiple ways to put Lambda to work
• AWS CloudFormation custom resources
• Amazon Echo skills (“Alexa, do my expense report”)
• Amazon SWF tasks
• Customized notifications with Amazon SNS
• Amazon Cognito triggers
• Amazon S3 triggers
• Amazon DynamoDB triggers
• Amazon Kinesis processors
• Microservices with API Gateway
• And the list continues to grow!
Mo APIs, Mo Problems
Managing multiple versions and stages of an API is difficult.
Monitoring third-party developers’ access is time consuming.
Access authorization is a challenge.
Traffic spikes create an operational burden.
What if I don’t want servers at all?
• Host multiple versions and stages of your APIs
• Create and distribute API keys to developers
• Leverage signature version 4 to authorize access to APIs
• Throttle and monitor requests to protect your back end
• Managed cache to store API responses
Amazon API Gateway
Usage plans: Throttle, Enforce and Track
(Diagram) Clients on the Internet (mobile apps, websites, partner services) → Amazon CloudFront → API Gateway, with the API Gateway response cache and Amazon CloudWatch monitoring; back ends: AWS Lambda functions, endpoints on Amazon EC2, or any publicly accessible endpoint.
Microservices and AWS Lambda
AWS Lambda + Amazon API Gateway is the
easiest way to create microservices
• Event handlers: one function per event type
• Serverless back ends: one function per API / path
• Data processing: one function per data type
Tips and Tricks
Event Driven Scaling: three invocation models for Lambda.Invoke
• ASYNCHRONOUS (“Event”)
• SYNCHRONOUS (“RequestResponse”)
• STREAMS
Things To Remember: Lambda Function
• Memory = “Power Level”: higher levels offer more memory and more CPU power.
• Performance tuning: just-in-time initialization costs latency the first time (“cold starts”); container reuse avoids that latency on repeat calls. Use reuse to your advantage!
• Functions don’t have a notion of state: use DynamoDB, S3, or ElastiCache for persistence. It is OK to use a local cache (just clean up after yourself).
• Use environment variables to pass metadata into your code.
Things To Remember: Lambda Application
• Lambda scales by events/requests: stream based = number of shards; requests × duration for everything else. Plan for the concurrent request rate on downstream services.
• Retries are built in for asynchronous and stream invokes; throttles and errors are retried. Plan for retries within your client for synchronous applications.
• Use the right access control for downstream services: IAM roles and permissions for AWS services; KMS for storing credentials for downstream endpoints.
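The two “Things To Remember” slides above come together in a single handler. The following is an added example, not code from the talk: expensive initialization sits at module scope so a warm container reuses it, configuration arrives through environment variables, the local cache is bounded, and the handler is idempotent so the retries Lambda performs for asynchronous and stream invocations cannot apply an event twice. The `FakeTable` class and the `ORDERS_TABLE` / `CACHE_SIZE` variable names are assumptions made so the code runs offline; a real deployment would use a DynamoDB conditional write in place of `put_if_absent`.

```python
import os
from collections import OrderedDict

_INIT_COUNT = 0  # how many times cold-start work ran in this process


class FakeTable:
    """Stand-in for a DynamoDB table (assumed, so the example runs offline)."""

    def __init__(self, name):
        self.name = name
        self.items = {}

    def put_if_absent(self, key, item):
        """Conditional write: False if the key already exists (like a
        DynamoDB PutItem with attribute_not_exists on the key)."""
        if key in self.items:
            return False
        self.items[key] = item
        return True


def _cold_start():
    """Expensive one-time work. Runs at import, i.e. once per container."""
    global _INIT_COUNT
    _INIT_COUNT += 1
    # Metadata comes in through environment variables; the defaults only
    # matter when running outside Lambda.
    table_name = os.environ.get("ORDERS_TABLE", "orders-dev")
    cache_size = int(os.environ.get("CACHE_SIZE", "100"))
    return FakeTable(table_name), cache_size


TABLE, CACHE_SIZE = _cold_start()
_SEEN = OrderedDict()  # local cache of processed event ids, bounded below


def remember(event_id):
    """Record an event id in the local cache, evicting the oldest entries
    so a long-lived container does not grow without limit."""
    _SEEN[event_id] = True
    _SEEN.move_to_end(event_id)
    while len(_SEEN) > CACHE_SIZE:  # clean up after yourself
        _SEEN.popitem(last=False)


def init_count():
    return _INIT_COUNT


def cache_len():
    return len(_SEEN)


def handler(event, context=None):
    """Process one order event idempotently: Lambda retries asynchronous and
    stream deliveries, so a second delivery of the same id is acknowledged
    without being applied twice."""
    event_id = event["id"]
    if event_id in _SEEN:  # warm container, fast path
        return {"status": "duplicate"}
    if not TABLE.put_if_absent(event_id, event):  # another container did it
        remember(event_id)
        return {"status": "duplicate"}
    remember(event_id)
    return {"status": "processed", "table": TABLE.name}


if __name__ == "__main__":
    print(handler({"id": "evt-1", "total": 10}))  # processed
    print(handler({"id": "evt-1", "total": 10}))  # duplicate (retry)
    print("cold starts:", init_count())  # 1
```

Invoking `handler` repeatedly in one process models repeated warm invocations of one container: `init_count()` stays at 1 while the cache absorbs the retries. The conditional write is what protects against a retry landing on a different container, where the local cache is empty.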
AWS Lambda VPC essentials
• All Lambda functions run in a VPC, all the time
• You can also grant Lambda functions access to resources in your own VPC (optional)
• Functions configured for VPC access lose internet access by default
• The ENIs used by Lambda’s VPC feature hit your quota
• Ensure your subnets have enough IPs for those ENIs
• Specify at least one subnet in each Availability Zone
AWS Serverless Application Model (“SAM”)
• A common language for describing the contents of a serverless app.
• CloudFormation now “speaks serverless” with native support for SAM.
• New CloudFormation tools to package and deploy Lambda-based apps.
• Export Lambda blueprints and functions in SAM from the AWS Lambda console.
Best Practice – Use Versions And Aliases
• Versions = immutable copies of code + properties
• Aliases = mutable pointers to versions
• Enables rollbacks, staged promotions, and “lock” behavior for clients
Design Patterns: Multiple Application Types
Interactive Backends
• Bots
• Webhooks
Autonomous IT
• Policy engines
• Infrastructure management
Analytics
• Operational management
• Live Dashboards
Data workflows
• Content management
• ETL workflows
Amazon API Gateway: Serverless APIs
(Diagram) Clients on the Internet (mobile apps, websites, services) → Amazon CloudFront → Amazon API Gateway with its response cache, monitored by Amazon CloudWatch; back ends: AWS Lambda functions, endpoints on Amazon EC2, or any other publicly accessible endpoint.
Serverless Mobile App on AWS
(Diagram) Mobile SDK → Amazon API Gateway, backed by the services below:
• Amazon Cognito: authenticate & sync
• Amazon Mobile Analytics: analyze user behavior
• AWS Lambda: run business logic
• Amazon S3: store content
• Amazon DynamoDB: store data
• Amazon SNS mobile push notifications: send push notifications
Realtime analytics
(Diagram) Pipeline stages: Data → Ingest/Collect → Store → Process/analyze → Consume/visualize → Outcomes & Insights.
E-commerce personalization (example). Services shown: Amazon Kinesis, AWS Lambda, Amazon DynamoDB, Amazon S3 (data storage), Amazon Redshift; sources: mobile users, desktop users; consumers: analytics tools, online stylist.
Outcomes & insights:
• Personalized recommendations within seconds (from 15-20 min)
• Scale the expertise of stylists to all shoppers
• Reduce costs by 2X order of magnitude
Cascading Lambda Functions: live video transcoding
(Diagram) A laptop feeds encoders producing HLS, ingested into S3 behind CloudFront. Cascading Lambda functions produce the 480p transcode, 360p transcode, audio-only transcode, HQ copy and thumbnail, plus QOS analytics. Playback is delivered through CloudFront streaming to a live stream mobile client and a VOD stream mobile client.
Where NOT to consider Lambda (today)
• Large software dependencies: custom software applications with licensing agreements such as MS-Office document processing, EDA tools, Oracle databases, etc.
• OS dependencies: software packages or applications which rely on calling underlying Windows RPCs
• Custom hardware: GPU acceleration, hardware affinity
Securing serverless
Security model for AWS API calls
(Diagram) Mobile client, AWS Security Token Service, IAM permissions, AWS service APIs:
1. Request token
2. Receive temporary credentials
3. Sign API request with temporary token
4. Make API request against AWS service API
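Step 3 of the flow above, signing a request with the temporary credentials, is shown here as an added example that is not part of the talk. It implements AWS Signature Version 4 with only the Python standard library; the API Gateway hostname, the `/prod/pets` path and the credential values are constructed placeholders. The point a practitioner should take from it: the session token is sent as a signed header, the long-term secret never leaves the client, and the derived signing key is scoped to one day, region and service.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials of the shape STS/Cognito hand out
# (temporary access key ids start with "ASIA"). Not real keys.
TEMP_CREDS = {
    "access_key": "ASIAEXAMPLEEXAMPLE",
    "secret_key": "exampleSecretKeyDoNotUse",
    "session_token": "exampleSessionTokenFromSts",
}


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """Derive the scoped signing key; the secret itself is never sent."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, host, path, query, body, creds, region, service, now):
    """Return the headers of a SigV4-signed request (lowercase header names).

    creds holds temporary credentials: the session token goes into the
    x-amz-security-token header, which is covered by the signature, so the
    server can verify it was not swapped in transit.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body).hexdigest()

    headers = {
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": creds["session_token"],
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    canonical_request = "\n".join([
        method, quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, payload_hash,
    ])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(creds["secret_key"], date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def signed_pets_request(creds=TEMP_CREDS,
                        now=datetime.datetime(2016, 11, 29, 12, 0, 0)):
    """Sign a GET against an API Gateway stage (hostname and path assumed).
    API Gateway's SigV4 service name is execute-api."""
    return sign_request("GET", "abc123.execute-api.us-east-1.amazonaws.com",
                        "/prod/pets", {"limit": "10"}, b"", creds,
                        "us-east-1", "execute-api", now)


if __name__ == "__main__":
    for name, value in signed_pets_request().items():
        print(f"{name}: {value}")
```

The fixed `now` makes the output reproducible; a real client uses the current UTC time, and the service rejects requests whose `x-amz-date` is too far from its own clock. Because the temporary credentials expire, a client must refresh them from STS or Cognito rather than cache the signed headers.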
Web Identity Federation
(Diagram) Users → web identity federation → IAM (fine-grained access control) → Amazon DynamoDB.
Fine-Grained Access Control
Images Table
User    Image    Date        Link
Bob     aed4c    2013-10-01  s3://…
Bob     5f2e2    2013-09-05  s3://…
Bob     f93bae   2013-10-08  s3://…
Alice   ca61a    2013-09-12  s3://…
“Allow all authenticated Facebook users to query the Images table, but only on items where their Facebook ID is the hash key”
Bob “logs in” using web identity federation:
• Bob can query for images where User=“Bob”
• Bob cannot query for images where User=“Alice”
Authenticated flow in depth
(Diagram) Mobile apps → API Gateway → AWS Lambda (lambdaHandler) → DynamoDB. The client invokes API Gateway with SigV4 using the caller’s credentials; the function’s service calls are authorized using the IAM role.
Learn more about fine-grained access permissions: http://amzn.to/1YkxcjR
Amazon Cognito
• Generate temporary credentials and enforce rotation to limit credential lifetime
• Authenticate through 3rd-party or Cognito Identity Pools
• Optionally allow anonymous access
• Enables security best practices through IAM roles
Policy Variables – Amazon DynamoDB
DynamoDB policy (the statement from the slide, placed in the Version/Statement envelope IAM requires for a complete policy document):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "dynamodb:GetItem", "dynamodb:Query",
                  "dynamodb:PutItem", "dynamodb:UpdateItem" ],
      "Resource": "arn:aws:dynamodb:REGION:12345678:table/UserData",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": "${cognito-identity.amazonaws.com:sub}"
        }
      }
    }
  ]
}
${cognito-identity.amazonaws.com:sub} will be replaced by the identity ID at evaluation time, so each identity can only read or write items whose leading (hash) key is its own ID.
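To make the Bob/Alice case from the Fine-Grained Access Control slides concrete, here is an added example (not from the talk) that mirrors the `ForAllValues:StringEquals` evaluation of `dynamodb:LeadingKeys` locally. IAM performs the real check; this code only reproduces its semantics on a constructed copy of the Images table. For readability the identity ID is the user’s name; in a real table the hash key would be the Cognito identity ID. One caveat worth knowing: `ForAllValues` is true for an empty request key set, so the simulation, like IAM, only protects a request that actually names the keys it touches.

```python
IDENTITY_VARIABLE = "${cognito-identity.amazonaws.com:sub}"

# Condition block copied from the policy on the slide.
POLICY_CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": IDENTITY_VARIABLE
    }
}

# Constructed sample of the Images table; the partition (hash) key is User.
IMAGES_TABLE = [
    {"User": "Bob", "Image": "aed4c", "Date": "2013-10-01", "Link": "s3://…"},
    {"User": "Bob", "Image": "5f2e2", "Date": "2013-09-05", "Link": "s3://…"},
    {"User": "Bob", "Image": "f93bae", "Date": "2013-10-08", "Link": "s3://…"},
    {"User": "Alice", "Image": "ca61a", "Date": "2013-09-12", "Link": "s3://…"},
]


def leading_keys_allowed(condition, identity_sub, requested_keys):
    """Mirror ForAllValues:StringEquals on dynamodb:LeadingKeys.

    Every partition key the request touches must equal one of the allowed
    values after policy variables are substituted. ForAllValues is vacuously
    true for an empty key set, so callers must pass the request's real keys.
    """
    allowed = condition["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]
    if isinstance(allowed, str):  # IAM accepts a single string or a list
        allowed = [allowed]
    allowed = {value.replace(IDENTITY_VARIABLE, identity_sub) for value in allowed}
    return all(key in allowed for key in requested_keys)


def query_allowed(identity_sub, user):
    """Would a Query on partition key `user` by `identity_sub` pass the condition?"""
    return leading_keys_allowed(POLICY_CONDITION, identity_sub, [user])


def query_images(identity_sub, user):
    """Query the Images table by partition key on behalf of identity_sub;
    raises PermissionError where IAM would return AccessDenied."""
    if not query_allowed(identity_sub, user):
        raise PermissionError(f"{identity_sub} may not read items with User={user}")
    return [row for row in IMAGES_TABLE if row["User"] == user]


if __name__ == "__main__":
    print([row["Image"] for row in query_images("Bob", "Bob")])  # Bob's three images
    print(query_allowed("Bob", "Alice"))  # False
```

Note that the policy ties the caller to the partition key, not to a row-level attribute: a function that accepts the partition key from the request body instead of deriving it from the caller’s identity would still be denied by IAM, but it is cleaner to never build the key from client input at all.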
API call flows
(Diagram) Mobile apps → API Gateway → AWS Lambda (lambdaHandler). First flow: Register and Login. Second flow: after Assume Role, ListPets, GetPet and CreatePet are invoked with SigV4 using the caller credentials and authorized by IAM.
http://bit.ly/28P5ypl
Auto-import IP Address Reputation Lists
(Diagram) Amazon CloudFront → AWS WAF → Elastic Load Balancing → Amazon EC2 → Amazon RDS. An AWS Lambda function, monitored by Amazon CloudWatch, imports 3rd-party reputation lists into AWS WAF; bad users (based on IP reputation) are blocked while good users (based on IP source) pass.
http://amzn.to/28O6I6O
Auto-block by request rate & bad requests
(Diagram) The same front end (Amazon CloudFront → AWS WAF → Elastic Load Balancing → Amazon EC2 → Amazon RDS, or static S3 content). An AWS Lambda function processes CloudFront access logs and Amazon CloudWatch data and updates AWS WAF to block bad users (based on IP source) while good users (based on IP source) pass.
http://amzn.to/28P16XX | http://amzn.to/28Uqz6l
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields in a flow log record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject.
VPC Flow Logs: Automation
(Diagram) Elastic Network Interface → Flow Log group in CloudWatch Logs → metric filter (filter on all SSH REJECT) → CloudWatch alarm (“If SSH REJECT > 10, then…”) → Amazon SNS → AWS Lambda → compliance app in a private subnet, acting on the source IP.
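The detection step of the automation slide above, the metric filter and its “SSH REJECT > 10” threshold, is shown here as an added example that is not part of the talk. It parses default-format (version 2) VPC flow log records, counts SSH rejects (TCP protocol 6, destination port 22, action REJECT) per source IP, and returns the sources over the threshold, which is what the alarm hands on to SNS and the Lambda function. In AWS the same rule is a CloudWatch Logs metric filter plus alarm; the pattern constant below is the equivalent filter pattern. The sample records are constructed (documentation-range IPs, placeholder account and ENI ids).

```python
from collections import Counter

# Field order of a default-format (version 2) VPC flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Equivalent CloudWatch Logs metric filter pattern for the same condition.
METRIC_FILTER_PATTERN = ('[version, account, eni, source, destination, srcport, '
                         'destport="22", protocol="6", packets, bytes, '
                         'windowstart, windowend, action="REJECT", flowlogstatus]')

SSH_REJECT_THRESHOLD = 10  # the slide's rule: "If SSH REJECT > 10, then…"


def parse_record(line):
    """Parse one space-separated flow log record into a dict, or return None
    for malformed lines so one bad row does not stop the scan."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_ssh_reject(rec):
    # NODATA/SKIPDATA records carry '-' in most fields; they never match.
    return (rec["log_status"] == "OK" and rec["action"] == "REJECT"
            and rec["protocol"] == "6" and rec["dstport"] == "22")


def ssh_reject_counts(lines):
    """Count SSH REJECT records per source IP across the given records."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and is_ssh_reject(rec):
            counts[rec["srcaddr"]] += 1
    return counts


def offending_sources(lines, threshold=SSH_REJECT_THRESHOLD):
    """Source IPs whose SSH REJECT count exceeds the threshold, i.e. the IPs
    the alarm would pass to the Lambda function for follow-up."""
    return {ip: n for ip, n in ssh_reject_counts(lines).items() if n > threshold}


def _record(src, dst, dstport, protocol, action, status="OK"):
    # Constructed sample record (account id, ENI and timestamps are placeholders).
    return (f"2 123456789012 eni-0a1b2c3d {src} {dst} 40000 {dstport} {protocol} "
            f"5 300 1480420800 1480420860 {action} {status}")


# Constructed sample: one noisy source, one source with a few failures,
# an accepted SSH session, a non-SSH reject, and a NODATA record.
SAMPLE_LINES = (
    [_record("198.51.100.7", "10.0.1.15", 22, 6, "REJECT") for _ in range(12)]
    + [_record("203.0.113.9", "10.0.1.15", 22, 6, "REJECT") for _ in range(3)]
    + [_record("203.0.113.9", "10.0.1.15", 22, 6, "ACCEPT")]
    + [_record("198.51.100.7", "10.0.1.15", 443, 6, "REJECT")]
    + ["2 123456789012 eni-0a1b2c3d - - - - - - - 1480420800 1480420860 - NODATA"]
)

if __name__ == "__main__":
    print(offending_sources(SAMPLE_LINES))  # {'198.51.100.7': 12}
```

In production the count is evaluated per alarm period rather than over the whole file, and the threshold should be tuned against normal traffic for the VPC; a source that legitimately fails a handful of connections (the 203.0.113.9 case) stays below it.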
Growing Serverless Ecosystem
• Logging and Monitoring
• Applications and Deployment
• Build and CI/CD
Register for a Bootcamp: get in-depth knowledge and training from AWS Instructors and Solutions Architects. reinvent.awsevents.com/training #AWSTraining
Get AWS Certified Onsite: demonstrate your technical proficiency and receive special recognition onsite. Register today. reinvent.awsevents.com/certification #AWSCertified
Take Hands-on Labs: practice with AWS in a live environment. Choose from 100+ lab topics and attend a Spotlight Lab session. Free onsite.
Thank you! Remember to complete your evaluations!