devops, microservices and serverless architecture
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mikhail Prudnikov, Solutions Architect, AWS
May 2016
DevOps, Microservices and Serverless Architecture
What to Expect from the Session
• DevOps and Software Delivery
• Rise Of Microservices
• ECS and Containers
• Serverless Architecture
• API Gateway + Lambda
Toolchains
Services
Microservices
Sam Newman : “Building Microservices” O’Reilly Publishing
Adrian Cockcroft : numerous talks, presentations, blog posts
• “Loosely coupled service oriented architecture with bounded contexts”
Martin Fowler : numerous blog posts
2 sessions at AWS re:Invent 2014
8 sessions at AWS re:Invent 2015
Development Transformation at Amazon
2001: monolithic application + teams
2009: microservices + 2 pizza teams
Availability vs Velocity of Change
AWS re:Invent 2015 | (SPOT302) Availability: The New Kind of Innovator’s Dilemma
Availability and Velocity of Change Thoughts
• "Everything fails, all the time" Werner Vogels, CTO Amazon.com
• How long does it take to push a single line of code to production?
• Do you have the feedback loop?
Multiple Compute Options
• VMs (Amazon EC2)
  • Machine as the unit of scale
  • Abstracts the hardware
• Containers (Amazon ECS)
  • Application as the unit of scale
  • Abstracts the OS
• Serverless (AWS Lambda)
  • Functions as the unit of scale
  • Abstracts the language runtime
Which Option is Right?
• VMs (Amazon EC2): “I want to configure machines, storage, networking, and my OS”
• Containers (Amazon ECS): “I want to run servers, configure applications, and control scaling”
• Serverless (AWS Lambda): “Run my code when it’s needed”
Hypervisor Containers
ECS on AWS
ECS Internals & Flow
Diagram: a Cluster consists of Container Instances, each running the ECS Agent; Tasks (one or more Containers) are launched from a Task Definition either directly with Run Task or through a Service with Schedule Task; Amazon ECR and AWS CodeCommit hold the container images and the source.
Scaling ECS With Lambda
Cloudwatch metrics tied to SNS
SNS triggers Lambda Container Scaling function
Lambda scales task count on cluster
Bonus - Extensible ‘cluster intelligence’ layer
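The scaling function sketched above, as an added example (not code from this deck): a Python handler that receives the CloudWatch alarm forwarded by SNS, reads the ECS service's current desiredCount and steps it up or down within fixed bounds. The bounds, the alarm name, the cluster and service names and the sample event are constructed for this example; the `ecs` parameter lets you pass a fake client so the logic runs without AWS, and the function's IAM role needs only ecs:DescribeServices and ecs:UpdateService on that one service.

```python
import json

# Scaling bounds and step size (assumed values for this example)
MIN_TASKS = 2
MAX_TASKS = 10
STEP = 1


def parse_alarm(sns_event):
    """Unwrap the CloudWatch alarm notification that SNS delivers to Lambda.

    SNS puts the alarm as a JSON string in Records[0].Sns.Message; the alarm body
    carries the new state and the trigger (metric, comparison operator, dimensions).
    """
    message = json.loads(sns_event["Records"][0]["Sns"]["Message"])
    trigger = message["Trigger"]
    dims = {d["name"]: d["value"] for d in trigger.get("Dimensions", [])}
    return {
        "alarm": message["AlarmName"],
        "state": message["NewStateValue"],
        "metric": trigger["MetricName"],
        "operator": trigger["ComparisonOperator"],
        "cluster": dims.get("ClusterName"),
        "service": dims.get("ServiceName"),
    }


def decide_desired_count(current, alarm):
    """Scale out on a 'greater than' alarm, in on a 'less than' alarm, never past the bounds."""
    if alarm["state"] != "ALARM":
        return current  # OK / INSUFFICIENT_DATA: leave the service alone
    if alarm["operator"].startswith("GreaterThan"):
        return min(MAX_TASKS, current + STEP)
    return max(MIN_TASKS, current - STEP)


def scale_service(ecs, alarm):
    """Read the current desiredCount and update it only when the decision changes it.

    Returns (old_count, new_count).
    """
    described = ecs.describe_services(cluster=alarm["cluster"], services=[alarm["service"]])
    current = described["services"][0]["desiredCount"]
    target = decide_desired_count(current, alarm)
    if target != current:
        ecs.update_service(cluster=alarm["cluster"], service=alarm["service"], desiredCount=target)
    return current, target


def handler(event, context, ecs=None):
    """Lambda entry point; `ecs` is injectable so the logic can be exercised offline."""
    if ecs is None:
        import boto3  # only needed inside Lambda
        ecs = boto3.client("ecs")
    alarm = parse_alarm(event)
    if not (alarm["cluster"] and alarm["service"]):
        raise ValueError("alarm %s has no ClusterName/ServiceName dimensions" % alarm["alarm"])
    old, new = scale_service(ecs, alarm)
    return {"alarm": alarm["alarm"], "desiredCount": {"from": old, "to": new}}


# Constructed sample event: what SNS hands the function when a CPUUtilization
# alarm on service "web" in cluster "prod" enters the ALARM state.
SAMPLE_EVENT = {
    "Records": [{"Sns": {"Message": json.dumps({
        "AlarmName": "web-cpu-high",
        "NewStateValue": "ALARM",
        "Trigger": {
            "MetricName": "CPUUtilization",
            "Namespace": "AWS/ECS",
            "ComparisonOperator": "GreaterThanThreshold",
            "Threshold": 75.0,
            "Dimensions": [{"name": "ClusterName", "value": "prod"},
                           {"name": "ServiceName", "value": "web"}],
        },
    })}}]
}
```

Pair a second alarm with a LessThanThreshold operator on the same dimensions to get the scale-in direction; the handler treats both through the same path.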
ECS Reference Service Discovery
Continuous Integration & Deployment to ECS
Container Registry
CodeCommit
Monitoring with Amazon CloudWatch
Metric data is sent to CloudWatch in 1-minute periods and retained for two weeks
Available metrics: CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization
Available dimensions: ClusterName, ServiceName
Monitoring with Amazon CloudWatch
Use the Amazon CloudWatch Monitoring Scripts to monitor additional metrics, e.g. disk space
# Edit crontab
> crontab -e
# Add command to report disk space utilization to CloudWatch every five minutes
*/5 * * * * <path_to>/mon-put-instance-data.pl --disk-space-util --disk-space-used --disk-space-avail --disk-path=/ --from-cron
Logging with Amazon CloudWatch Logs
• Run a logging container with syslogd and the CloudWatch Logs Agent
• Attach the /var/log volume to the logging container
• Link the other containers to its syslogd
Diagram: on each container instance in the ECS cluster, the ECS Agent logs, Docker logs and the application containers’ syslog output are collected by syslogd and shipped by the CloudWatch Logs Agent to CloudWatch Logs.
Managing Infrastructure Is Sadness
The Serverless Compute Manifesto
• Functions are the unit of deployment and scaling.
• No machines, VMs, or containers visible in the programming model.
• Permanent storage lives elsewhere.
• Scales per request. Users cannot over- or under-provision capacity.
• Never pay for idle (no cold servers/containers or their costs).
• Implicitly fault-tolerant because functions can run anywhere.
• BYOC – Bring your own code.
• Metrics and logging are a universal right.
Benefits of Amazon API Gateway
• Create a unified API frontend for multiple microservices
• DDoS protection and throttling for your backend
• Authenticate and authorize requests to a backend
Benefits of AWS Lambda
• Code is all you need
• Event driven scaling
• Never pay for idle
• Availability and fault tolerance built in
Standard API Architecture
Diagram: a WEB tier in an Auto Scaling group spread over VPC subnets in Availability Zone A and Availability Zone B, with regions labelled Oregon and Tokyo, plus a JOBS tier in its own VPC subnet whose workers send a server heartbeat, register via the API, run a cleanup loop and start/stop instances through the EC2 API.
Serverless API Architecture
Diagram: clients on the Internet (mobile apps, websites, services) reach Amazon API Gateway, fronted by Amazon CloudFront and backed by the API Gateway cache; API Gateway invokes AWS Lambda functions, endpoints on Amazon EC2, or any other publicly accessible endpoint, with Amazon CloudWatch collecting metrics and logs.
Lambda Service Integrations
Grouped on the slide as data stores, endpoints, repositories and event/message services: Amazon S3, Amazon DynamoDB, Amazon Kinesis, AWS CloudFormation, AWS CloudTrail, Amazon CloudWatch Logs, Amazon SNS, Amazon SES, Amazon API Gateway, Amazon Cognito, AWS IoT, Amazon Alexa, Cron events
… and the list will continue to grow!
Multiple Application Types
• Analytics: operational management, live dashboards
• Data workflows: content management, ETL workflows
• Interactive backends: bots, webhooks
• Autonomous IT: policy engines, infrastructure management
Auth Option 1 – Pervasive throughout AWS
Diagram: mobile apps sign requests with SigV4; API Gateway invokes the AWS Lambda handler with the caller’s credentials; the function’s service calls (here to DynamoDB) are authorized using the IAM role.
Auth Option 1 – Fine Grained Access
Diagram: Internet client → Amazon CloudFront → API Gateway → AWS Lambda functions → DynamoDB; the caller’s Cognito identity (e.g. cognitoId2) travels with the request.
…
"Condition": {
  "ForAllValues:StringEquals": {
    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
    "dynamodb:Attributes": ["UserId", "GameTitle", "Wins", "Losses", "TopScore", "TopScoreDateTime"]
  },
  "StringEqualsIfExists": {
    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
  }
}
…
Executes with this role
UserID       Wins  Losses
cognitoId1   3     2
cognitoId2   5     8
cognitoId3   2     3
The credentials and context (Cognito ID) are passed along: the LeadingKeys condition lets a caller touch only the items whose partition key equals their own Cognito identity, and the Attributes condition limits which attributes they can read or write
Both AWS Lambda & DynamoDB will follow the access policy
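An added illustration, not from this deck: a small Python model of how IAM evaluates the condition block above. It applies the ForAllValues:StringEquals and StringEqualsIfExists semantics to a DynamoDB request made on behalf of a Cognito identity and runs it over the three rows of the table, reconstructed here. The request shape, the get_item wrapper and the attribute name Email used in the checks are assumptions made for the example.

```python
# Attributes the policy's dynamodb:Attributes list permits (from the condition block above)
ALLOWED_ATTRIBUTES = {"UserId", "GameTitle", "Wins", "Losses", "TopScore", "TopScoreDateTime"}

# Constructed copy of the table on the slide, keyed by the partition key UserId
TABLE = {
    "cognitoId1": {"UserId": "cognitoId1", "Wins": 3, "Losses": 2},
    "cognitoId2": {"UserId": "cognitoId2", "Wins": 5, "Losses": 8},
    "cognitoId3": {"UserId": "cognitoId3", "Wins": 2, "Losses": 3},
}


def for_all_values_string_equals(request_values, allowed):
    """IAM ForAllValues:StringEquals: every value in the request must be in the allowed set.

    IAM evaluates this operator to true when the key is absent from the request,
    which is why an empty request set passes here as well.
    """
    return all(value in allowed for value in (request_values or []))


def string_equals_if_exists(request_value, expected):
    """IAM StringEqualsIfExists: true when the key is absent, otherwise must be equal."""
    return request_value is None or request_value == expected


def is_allowed(cognito_sub, request):
    """Evaluate the slide's condition block for one DynamoDB request.

    cognito_sub is what IAM substitutes for ${cognito-identity.amazonaws.com:sub}.
    request may carry 'leading_keys' (partition-key values touched), 'attributes'
    (attributes named in the projection or update) and 'select' (the Select parameter).
    """
    leading_ok = for_all_values_string_equals(request.get("leading_keys"), {cognito_sub})
    attrs_ok = for_all_values_string_equals(request.get("attributes"), ALLOWED_ATTRIBUTES)
    select_ok = string_equals_if_exists(request.get("select"), "SPECIFIC_ATTRIBUTES")
    return leading_ok and attrs_ok and select_ok


def get_item(cognito_sub, user_id, projection=None):
    """Simulate a GetItem issued with the caller's Cognito identity through the policy.

    Returns the (projected) item, or raises PermissionError the way DynamoDB
    returns AccessDeniedException when the condition is not met.
    """
    request = {
        "leading_keys": [user_id],
        "attributes": projection,
        "select": "SPECIFIC_ATTRIBUTES" if projection else None,
    }
    if not is_allowed(cognito_sub, request):
        raise PermissionError("AccessDeniedException: %s may not read %s" % (cognito_sub, user_id))
    item = TABLE[user_id]
    return {k: v for k, v in item.items() if projection is None or k in projection}
```

The row isolation comes entirely from the LeadingKeys condition: cognitoId2 can read its own row and nothing else, whatever the Lambda code does, because DynamoDB evaluates the condition against the caller's credentials, not the function's.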
Auth Option 2 – Custom Auth With Lambda
Diagram: the client sends an OAuth token to API Gateway; API Gateway calls a Lambda Auth function, which checks the token with the OAuth provider and returns an IAM policy; the policy is evaluated and cached; on Allow the request reaches the backend (AWS Lambda functions, endpoints on Amazon EC2, any other publicly accessible endpoint), otherwise the client gets a 403.
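An added example of the Lambda Auth function above, not code from this deck. The call to the OAuth provider is replaced by verification of an HMAC-signed token so the example runs offline (an assumption; a real authorizer validates the token with the provider). The returned policy covers the whole stage rather than the single method that triggered the call, because API Gateway caches the policy per token and would otherwise replay a one-method policy for other routes. The shared secret, the scope name and the sample event are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: tokens are "<base64url json>.<base64url hmac-sha256>" signed with a shared secret.
SECRET = b"example-only-shared-secret"
READ_SCOPE = "api:read"


def b64encode_url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode_url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub, scope, ttl=3600, now=None):
    """Issue a token (the provider's job; here only so the example is self-contained)."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": sub, "scope": scope, "exp": int(now + ttl)}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return b64encode_url(body) + "." + b64encode_url(sig)


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = b64decode_url(body_b64), b64decode_url(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def policy_resource(method_arn):
    """Widen arn:aws:execute-api:region:acct:apiId/stage/VERB/path to .../apiId/stage/*.

    The cached policy is keyed by token, so it must cover every method the
    same token may later hit.
    """
    prefix, api_part = method_arn.rsplit(":", 1)
    api_id, stage = api_part.split("/")[:2]
    return "%s:%s/%s/*" % (prefix, api_id, stage)


def handler(event, context=None, now=None):
    """API Gateway TOKEN authorizer: 401 on a bad token, Deny (403) on a missing scope."""
    claims = verify_token(event.get("authorizationToken", ""), now=now)
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway maps this message to HTTP 401
    effect = "Allow" if READ_SCOPE in claims.get("scope", "").split() else "Deny"
    return {
        "principalId": claims["sub"],
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": policy_resource(event["methodArn"])}],
        },
        # reaches the backend as $context.authorizer.scope
        "context": {"scope": claims.get("scope", "")},
    }


# Constructed authorizer event (IDs are placeholders)
METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/users/me"
SAMPLE_EVENT = {"type": "TOKEN", "methodArn": METHOD_ARN,
                "authorizationToken": mint_token("user-42", "api:read api:write")}
```

Raising with the exact message "Unauthorized" is what makes API Gateway answer 401 instead of 500; a Deny policy is what produces the 403 shown in the diagram.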
Managing Multiple Versions and Stages of APIs
Works like a source repository – clone your API to create a new version
API 1 (v1): Stage (dev), Stage (prod)
API 2 (v2): Stage (dev)
Custom Domain Names
Use custom domain names to put 2 different APIs (V1 and V2) under the same domain
• Custom domain names can point to an API or a Stage
• A custom domain name can include a base path
• Use v1 as your base path in the custom domain name
• Pointing to an API you have access to all Stages
  • Beta (e.g. yourapi.com/v1/beta)
  • Prod (e.g. yourapi.com/v1/prod)
• Pointing directly to your “prod” Stage
  • Prod (e.g. yourapi.com/v1)
Stage Variables and Lambda Aliases
Using Stage Variables in API Gateway together with Lambda function Aliases helps you manage a single API configuration and Lambda function for multiple stages
myLambdaFunction: version 123 = alias prod, version 456 = alias beta, version 78 = alias dev
My First API, stage variable lambdaAlias:
• Stage Prod: lambdaAlias = prod
• Stage Beta: lambdaAlias = beta
• Stage Dev: lambdaAlias = dev
Serverless Framework
Serverless is an application framework for building serverless web, mobile and IoT applications. Serverless comes in the form of a command line interface that provides structure, automation and optimization to help you build and maintain your serverless apps.
http://www.serverless.com
https://github.com/serverless/serverless
Example: Backends
https://github.com/awslabs/lambda-refarch-webapp
Example: Real Time File Processing
https://github.com/awslabs/lambda-refarch-fileprocessing
Example: Stream Processing
https://github.com/awslabs/lambda-refarch-streamprocessing
Function schedules: The how-to guide
• How can I keep a function warm (no cold starts)? Schedule it!
• How can I poll a queue (like SQS)? Schedule a function to read the queue.
• How can I get more timers? Have one scheduled function async invoke other functions.
• How can I get granularity finer than 1 minute? Run a background timer in your scheduled function.
Function versioning: The how-to guide
• How can I get mutable configuration info? Read it (e.g. from DynamoDB) during function initialization. Wrap your config in a function and call it from your published code.
• How do I “roll back” in AWS Lambda? Using aliases, just switch what the alias points to.
• How do I do blue/green deployments? AWS Lambda handles fleet deployments, but if you want to shape traffic, put a second “traffic cop” function in front.
• How can I lock a client/device onto an old version? Point them directly to that version’s ARN.
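Added example for the stage-variable/alias pattern from the earlier slide and for the rollback answer above; this is not code from the deck. It builds the API Gateway integration URI that resolves the Lambda alias from the stage variable lambdaAlias, publishes a new immutable version and moves an alias to it, and rolls back by repointing the alias. The `lam` argument is a boto3 Lambda client or any object with the same four calls (so it can be exercised offline); the region, account ID and the function name myLambdaFunction from the slide are placeholders.

```python
FUNCTION = "myLambdaFunction"  # name taken from the slide


def integration_uri(region, account, function_name):
    """API Gateway Lambda integration URI that picks the alias from a stage variable.

    Each stage sets lambdaAlias (prod/beta/dev), so one API definition and one
    function serve all stages; the alias decides which published version runs.
    """
    return ("arn:aws:apigateway:%s:lambda:path/2015-03-31/functions/"
            "arn:aws:lambda:%s:%s:function:%s:${stageVariables.lambdaAlias}/invocations"
            % (region, region, account, function_name))


def version_arn(region, account, function_name, version):
    """Qualified ARN a client can be pinned to so it keeps calling one old version."""
    return "arn:aws:lambda:%s:%s:function:%s:%s" % (region, account, function_name, version)


def publish_and_point(lam, function_name, alias):
    """Snapshot $LATEST as a new version and move the alias to it.

    Returns (previous_version_or_None, new_version) so the caller can roll back.
    Needs lambda:PublishVersion, lambda:GetAlias, lambda:CreateAlias, lambda:UpdateAlias.
    """
    new_version = lam.publish_version(FunctionName=function_name)["Version"]
    try:
        previous = lam.get_alias(FunctionName=function_name, Name=alias)["FunctionVersion"]
        lam.update_alias(FunctionName=function_name, Name=alias, FunctionVersion=new_version)
    except lam.exceptions.ResourceNotFoundException:
        previous = None
        lam.create_alias(FunctionName=function_name, Name=alias, FunctionVersion=new_version)
    return previous, new_version


def rollback(lam, function_name, alias, version):
    """Roll back by repointing the alias; published versions are immutable, so the
    old code is exactly what ran before. Returns the version the alias now points to."""
    lam.update_alias(FunctionName=function_name, Name=alias, FunctionVersion=version)
    return lam.get_alias(FunctionName=function_name, Name=alias)["FunctionVersion"]
```

Because the API only ever names the alias, a rollback is an alias update and needs no API Gateway deployment; the API Gateway resource policy / invoke permission must be granted on the alias ARN, not just on the unqualified function.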
AWS Lambda VPC basics
• All Lambda functions run in a VPC, all the time
  You never need to “turn on” security – it’s always on
• You can also grant Lambda functions access to resources in your VPC
  How: add VPC subnet IDs and security group IDs to the function config
  Typical uses: relational databases (RDS), ElastiCache, private EC2 endpoints
  Allows access to peered VPCs, VPN endpoints, and private S3 endpoints
• Functions configured for VPC access lose internet access…
  …unless you have managed NAT or a NAT instance in the VPC
  …even if you have “Auto-assign Public IP” enabled
  …even if you have an internet gateway set up in your VPC
  …even if your security group allows all outbound traffic
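An added check for the last bullet, not from the deck: given the subnet IDs a function is configured with, inspect the route tables and report whether the function has internet egress. A 0.0.0.0/0 route to a NAT gateway or a NAT instance counts; a route to an internet gateway does not, because the ENIs Lambda places in your subnets never get a public IP. The route tables it runs over here are constructed; with a real boto3 EC2 client the role needs only ec2:DescribeSubnets and ec2:DescribeRouteTables.

```python
def route_table_for(subnet_id, route_tables):
    """Pick the table that applies to a subnet: explicit association, else the VPC main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_egress(route_table):
    """Say what the default route (0.0.0.0/0) of a route table leads to."""
    if route_table is None:
        return "no-route-table"
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat-gateway"
        if route.get("InstanceId") or route.get("NetworkInterfaceId"):
            return "nat-instance"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            # An internet gateway only serves addresses with a public IP; a Lambda ENI
            # has none, so for the function this subnet still has no internet.
            return "igw-only"
    return "none"


def lambda_egress_report(ec2, subnet_ids):
    """Map each subnet in the function's VPC config to its egress status."""
    subnets = ec2.describe_subnets(SubnetIds=subnet_ids)["Subnets"]
    by_vpc = {}
    for subnet in subnets:
        by_vpc.setdefault(subnet["VpcId"], []).append(subnet["SubnetId"])
    report = {}
    for vpc_id, ids in by_vpc.items():
        tables = ec2.describe_route_tables(
            Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]
        for subnet_id in ids:
            report[subnet_id] = classify_egress(route_table_for(subnet_id, tables))
    return report


def has_internet(report):
    """True only if every configured subnet reaches a NAT: Lambda may use any of them."""
    return bool(report) and all(v in ("nat-gateway", "nat-instance") for v in report.values())


class ConstructedEC2:
    """Stand-in for boto3.client('ec2') with one VPC: a private subnet behind a NAT
    gateway, a 'public' subnet on the main table with only an internet gateway,
    and an isolated subnet with no default route. Constructed data, not a real account."""

    def describe_subnets(self, SubnetIds):
        return {"Subnets": [{"SubnetId": s, "VpcId": "vpc-example"} for s in SubnetIds]}

    def describe_route_tables(self, Filters):
        local = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
        return {"RouteTables": [
            {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
             "Routes": [local, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
            {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
             "Routes": [local, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
            {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-isolated"}],
             "Routes": [local]},
        ]}


if __name__ == "__main__":
    # Replace ConstructedEC2() with boto3.client("ec2") and the subnet IDs from the
    # function's VpcConfig to check a real deployment.
    print(lambda_egress_report(ConstructedEC2(), ["subnet-private", "subnet-public", "subnet-isolated"]))
```

A function whose report contains anything other than nat-gateway or nat-instance will intermittently time out on outbound calls, depending on which subnet its ENI lands in; put all of a VPC-attached function's subnets behind NAT, or move calls to AWS services onto VPC endpoints.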
Thank you!