
AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)


Provisioning, scaling, and managing physical or virtual servers—and the applications that run on them—has long been a core activity for developers and system administrators. The expanding array of managed AWS cloud services, including AWS Lambda, Amazon DynamoDB, Amazon API Gateway and more, increasingly allows organizations to focus on delivering business value without worrying about managing the underlying infrastructure or paying for idle servers and other fixed costs of cloud services. In this session, we discuss the design, development, and operation of these next-generation solutions on AWS. Whether you're developing end-user web applications or back-end data processing systems, join us in this session to learn more about building your applications without servers.


1. GPST404: Building Complex Serverless Applications. David Potes, AWS Partner Solutions Architect; Ajay Nair, AWS Principal Product Manager. November 29, 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
2. Agenda
   • Why serverless?
   • Serverless elements on AWS
   • Securing your cloud
   • Tips and tricks
   • Design patterns
3. Why serverless?
4. Bustle.com
   • 52 million monthly users
   • 100 million events daily
   • 84% cost savings
   • 0 servers
   • 0 operating system patches
   • Automatic scaling
5. Bustle.com event stream processing (architecture diagram). Components: Bustle.com users, Amazon API Gateway, AWS Lambda, Amazon Kinesis, AWS Lambda, Redis, Amazon Mobile Analytics, Amazon CloudWatch, Amazon Elasticsearch Service, Amazon S3, Amazon Redshift, Amazon QuickSight. Consumers: Engineering, Marketing & Operations, Design.
6. The serverless compute manifesto
   • Functions are the unit of deployment and scaling.
   • No machines, VMs, or containers visible in the programming model.
   • Permanent storage lives elsewhere.
   • Scales per request. Users cannot over- or under-provision capacity.
   • Never pay for idle (no cold servers/containers or their costs).
   • Implicitly fault-tolerant because functions can run anywhere.
   • BYOC – Bring your own code.
   • Metrics and logging are a universal right.
7. Multiple ways to put Lambda to work: AWS CloudFormation custom resources • Amazon Echo skills (“Alexa, do my expense report”) • Amazon SWF tasks • Customized notifications with Amazon SNS • Amazon Cognito triggers • Amazon S3 triggers • Amazon DynamoDB triggers • Amazon Kinesis processors • Microservices with API Gateway • And the list continues to grow!
8. Mo APIs, Mo Problems
   • Managing multiple versions and stages of an API is difficult.
   • Monitoring third-party developers’ access is time consuming.
   • Access authorization is a challenge.
   • Traffic spikes create an operational burden.
   • What if I don’t want servers at all?
9. Amazon API Gateway
   • Host multiple versions and stages of your APIs
   • Create and distribute API keys to developers (keys identify a developer for usage plans; they are not an authorization mechanism on their own)
   • Use Signature Version 4 to authorize access to APIs
   • Throttle and monitor requests to protect your back end
   • Managed cache to store API responses
10. Usage plans: throttle, enforce and track (architecture diagram). Clients (Internet, mobile apps, websites, partner services) reach API Gateway through Amazon CloudFront; API Gateway throttles per usage plan, serves from its response cache, reports to Amazon CloudWatch, and fronts AWS Lambda functions, endpoints on Amazon EC2, or any publicly accessible endpoint.
11. Microservices and AWS Lambda. AWS Lambda + Amazon API Gateway is the easiest way to create microservices:
   • Event handlers: one function per event type
   • Serverless back ends: one function per API / path
   • Data processing: one function per data type
12. Tips and tricks
13. Event-driven scaling. Three invocation models: asynchronous (Invoke with InvocationType “Event”), synchronous (InvocationType “RequestResponse”), and stream-based (Lambda polls the stream and invokes the function with batches of records).
14. Things to remember: Lambda function
   • Memory = “power level”: higher levels offer more memory and more CPU power; use it for performance tuning.
   • Just-in-time initialization costs latency the first time (“cold starts”); container reuse avoids that latency on repeat calls. Use reuse to your advantage!
   • Functions don’t have a notion of state: use DynamoDB, S3, or ElastiCache for persistence. A local cache (in memory or /tmp) is OK; just clean up after yourself.
   • Use environment variables to pass metadata into your code.
15. Things to remember: Lambda application
   • Lambda scales by events/requests: for stream-based sources concurrency = number of shards; for everything else concurrency ≈ request rate × average duration.
   • Plan for the resulting concurrent request rate on downstream services.
   • Retries are built in for asynchronous and stream invokes: throttles and errors are retried. For synchronous applications, plan for retries in your client.
   • Use the right access control for downstream services: IAM roles and permissions for AWS services; AWS KMS to encrypt credentials for non-AWS downstream endpoints (decrypt once at initialization and keep the plaintext only in memory, so container reuse pays off).
16. AWS Lambda VPC essentials
   • All Lambda functions run in a VPC, all the time (an AWS-owned one by default).
   • You can also grant Lambda functions access to resources in your own VPC (optional).
   • Functions configured for VPC access lose internet access by default; if they need it, place them in private subnets whose route table points to a NAT gateway.
   • The ENIs used by Lambda’s VPC feature count against your ENI quota.
   • Ensure your subnets have enough free IP addresses for those ENIs.
   • Specify at least one subnet in each Availability Zone.
17. AWS Serverless Application Model (“SAM”)
   • A common language for describing the contents of a serverless app.
   • CloudFormation now “speaks serverless” with native support for SAM.
   • New CloudFormation tools to package and deploy Lambda-based apps.
   • Export Lambda blueprints and functions in SAM from the AWS Lambda console.
18. Best practice: use versions and aliases. Versions are immutable copies of code + properties; aliases are mutable pointers to versions. They give you rollbacks, staged promotions, and a way to “lock” behavior for a client (point the client at an alias rather than at $LATEST).
19. Design patterns
20. Multiple application types
   • Interactive back ends: bots, webhooks
   • Autonomous IT: policy engines, infrastructure management
   • Analytics: operational management, live dashboards
   • Data workflows: content management, ETL workflows
21. Amazon API Gateway: serverless APIs (architecture diagram). Clients (Internet, mobile apps, websites, services) reach Amazon API Gateway via Amazon CloudFront; API Gateway caches responses, reports to Amazon CloudWatch, and fronts AWS Lambda functions, endpoints on Amazon EC2, or any other publicly accessible endpoint.
22. Serverless mobile app on AWS (architecture diagram). Mobile SDK → Amazon API Gateway → AWS Lambda (run business logic); Amazon Cognito (authenticate & sync); Amazon Mobile Analytics (analyze user behavior); Amazon S3 (store content); Amazon DynamoDB (store data); Amazon SNS mobile push notifications (send push notifications).
23. Real-time analytics
24. E-commerce personalization (architecture diagram). Pipeline stages: ingest/collect, store, process/analyze, consume/visualize. Data sources: mobile users, desktop users. Components: Amazon Kinesis, AWS Lambda, Amazon DynamoDB, Amazon S3, Amazon Redshift, analytics tools, online stylist. Outcomes & insights: personalized recommendations within seconds (from 15-20 min); scale the expertise of stylists to all shoppers; reduce costs by 2X order of magnitude.
25. Live video transcoding with cascading Lambda functions (architecture diagram). Components: laptop encoders (HLS), S3 ingest, cascading Lambda functions (480p transcode, HQ copy, 360p transcode, audio-only transcode, thumbnail, QoS analytics), S3 playback, CloudFront streaming to live-stream and VOD mobile clients.
26. Where NOT to consider Lambda (today)
   • Large software dependencies: custom software with licensing agreements such as MS Office document processing, EDA tools, Oracle databases, etc.
   • OS dependencies: software packages or applications that rely on calling underlying Windows RPCs
   • Custom hardware: GPU acceleration, hardware affinity
27. Securing serverless
28. Security model for AWS API calls (sequence diagram). Mobile client ↔ AWS Security Token Service (governed by IAM permissions) ↔ AWS service APIs:
   1. Request token
   2. Receive temporary credentials
   3. Sign API request with the temporary credentials (Signature Version 4; the session token travels with the request and is covered by the signature)
   4. Make API request against the AWS service API
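Steps 3 and 4 of this slide in working code, as an added example that is not code from the deck: a Signature Version 4 signer that handles STS temporary credentials (the session token goes in x-amz-security-token and is part of the signed headers) and the check a receiving service performs, including the session-token match, a clock-skew window and a constant-time signature comparison. The access key, secret, token, host, dates and the /prod/pets path are constructed placeholders; the derivation follows the public SigV4 specification, so the signer can be checked against the AWS SigV4 test-suite vectors.

```python
"""SigV4 signing with temporary credentials, client and service side.
Added example, not code from the slides; credentials below are constructed."""
import hashlib
import hmac
from datetime import datetime
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
AMZ_DATE_FORMAT = "%Y%m%dT%H%M%SZ"

# Constructed placeholders: (access key id, secret, session token from STS/Cognito).
DEMO_CREDS = ("ASIAEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "FwoGZXIvYXdzEXAMPLETOKEN")


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Canonical request text and the SignedHeaders list it covers.
    Header names are lowercased and values whitespace-trimmed, per the spec."""
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(lowered)
    canon_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed = ";".join(names)
    text = "\n".join([method, quote(path, safe="/-_.~"), cq,
                      canon_headers, signed, _sha256_hex(payload)])
    return text, signed


def signing_key(secret, date, region, service):
    """Derived per-day/region/service key; the secret itself never leaves the client."""
    key = _hmac(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def compute_signature(secret, region, service, method, path, query, headers, payload, amz_date):
    date = amz_date[:8]
    creq, signed = canonical_request(method, path, query, headers, payload)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    sig = hmac.new(signing_key(secret, date, region, service),
                   string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return sig, scope, signed


def sign_request(creds, region, service, method, host, path, query, payload, amz_date):
    """Client side (step 3). creds = (access_key_id, secret, session_token or None)."""
    access_key, secret, token = creds
    headers = {"host": host, "x-amz-date": amz_date}
    if token:  # temporary credentials: the session token is sent AND signed
        headers["x-amz-security-token"] = token
    sig, scope, signed = compute_signature(secret, region, service, method, path,
                                           query, headers, payload, amz_date)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers


def verify_request(store, region, service, method, path, query, headers, payload,
                   now_amz, max_skew=300):
    """Service side (step 4). store maps access_key_id -> (secret, session_token or None).
    Header names are expected lowercased, as an HTTP server would normalize them."""
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    fields = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
    access_key, date = fields["Credential"].split("/")[:2]
    entry = store.get(access_key)
    if entry is None:
        return False
    secret, token = entry
    if headers.get("x-amz-security-token") != token:
        return False  # temporary key presented without, or with the wrong, session token
    amz_date = headers.get("x-amz-date", "")
    try:
        sent = datetime.strptime(amz_date, AMZ_DATE_FORMAT)
        now = datetime.strptime(now_amz, AMZ_DATE_FORMAT)
    except ValueError:
        return False
    if amz_date[:8] != date or abs((now - sent).total_seconds()) > max_skew:
        return False  # stale or replayed request
    wanted = fields["SignedHeaders"].split(";")
    if any(n not in headers for n in wanted):
        return False
    signed = {n: headers[n] for n in wanted}
    expected, _, _ = compute_signature(secret, region, service, method, path,
                                       query, signed, payload, amz_date)
    return hmac.compare_digest(expected, fields["Signature"])


if __name__ == "__main__":
    hdrs = sign_request(DEMO_CREDS, "us-east-1", "execute-api", "GET",
                        "execute-api.us-east-1.amazonaws.com", "/prod/pets",
                        {"limit": "10"}, b"", "20161129T120000Z")
    print(hdrs["authorization"])
```

The verifier recomputes the signature over exactly the headers the client declared in SignedHeaders, which is why the session token must be in that list: a token that is sent but not signed could be swapped in transit without invalidating the signature.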
29. Web identity federation (diagram): users authenticate with a web identity provider; IAM web identity federation issues them credentials with fine-grained access control to Amazon DynamoDB.
30. Fine-grained access control. Images table:

   User   Image   Date        Link
   Bob    aed4c   2013-10-01  s3://…
   Bob    5f2e2   2013-09-05  s3://…
   Bob    f93bae  2013-10-08  s3://…
   Alice  ca61a   2013-09-12  s3://…

   Goal: “Allow all authenticated Facebook users to query the Images table, but only on items where their Facebook ID is the hash key.” Bob “logs in” using web identity federation. (The hash key must hold the same identifier the policy variable resolves to: ${graph.facebook.com:id} for direct Facebook federation, or the Cognito identity ID as on slide 34.)
31. Fine-grained access control (same table): Bob can query for images where User = “Bob”; Bob cannot query for images where User = “Alice”.
32. Authenticated flow in depth: mobile apps call API Gateway with SigV4-signed requests; API Gateway invokes the AWS Lambda function (lambdaHandler) with the caller’s credentials; the function’s DynamoDB calls are authorized using the IAM role. Learn more about fine-grained access permissions: http://amzn.to/1YkxcjR
33. Amazon Cognito
   • Generate temporary credentials and enforce rotation to limit credential lifetime
   • Authenticate through 3rd-party providers or Cognito Identity Pools
   • Optionally allow anonymous (unauthenticated) access
   • Enables security best practices through IAM roles
34. Policy variables – Amazon DynamoDB. ${cognito-identity.amazonaws.com:sub} is replaced by the caller’s Cognito identity ID when the policy is evaluated, so each identity can only read or write items whose hash key is its own ID (the DynamoDB policy, with the slide’s placeholder region and account ID):

   {
     "Effect": "Allow",
     "Action": [
       "dynamodb:GetItem",
       "dynamodb:Query",
       "dynamodb:PutItem",
       "dynamodb:UpdateItem"
     ],
     "Resource": "arn:aws:dynamodb:REGION:12345678:table/UserData",
     "Condition": {
       "ForAllValues:StringEquals": {
         "dynamodb:LeadingKeys": "${cognito-identity.amazonaws.com:sub}"
       }
     }
   }
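To show what this condition does to the requests of slides 30 and 31, here is an added example (not code from the deck) that resolves the policy variable for a given caller and evaluates ForAllValues:StringEquals over the set of partition keys a DynamoDB request touches. It is a small simulation of the two IAM operators involved, not the IAM engine; the Cognito identity IDs and the Images rows are constructed, and the table is keyed by identity ID rather than by the display names the slide uses.

```python
"""How the slide-34 condition confines a Cognito identity to its own items.
Added example: re-implements the two IAM condition operators involved, not IAM itself."""
import re

TABLE = "arn:aws:dynamodb:REGION:12345678:table/UserData"   # slide's placeholder ARN

STATEMENT = {  # statement as shown on slide 34
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem"],
    "Resource": TABLE,
    "Condition": {"ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": "${cognito-identity.amazonaws.com:sub}"}},
}

# Constructed Cognito identity IDs (real ones look like "<region>:<uuid>").
BOB = "us-east-1:11111111-2222-3333-4444-555555555555"
ALICE = "us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

IMAGES = [  # the slide-30 table, hash key = identity ID instead of a display name
    {"User": BOB, "Image": "aed4c", "Date": "2013-10-01"},
    {"User": BOB, "Image": "5f2e2", "Date": "2013-09-05"},
    {"User": BOB, "Image": "f93bae", "Date": "2013-10-08"},
    {"User": ALICE, "Image": "ca61a", "Date": "2013-09-12"},
]

_VARIABLE = re.compile(r"^\$\{([^}]+)\}$")


def resolve_variables(node, context):
    """Substitute ${key} from the request context. A variable with no value in
    the context (e.g. an unauthenticated caller) becomes None and can never match."""
    if isinstance(node, dict):
        return {k: resolve_variables(v, context) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_variables(v, context) for v in node]
    if isinstance(node, str):
        m = _VARIABLE.match(node)
        return context.get(m.group(1)) if m else node
    return node


def condition_holds(condition, request_keys):
    """request_keys: {condition_key: set of values present in the request}.
    ForAllValues:* is a set operator: every request value must be in the allowed
    list, and an empty/absent set matches vacuously (an IAM gotcha worth knowing)."""
    for operator, tests in condition.items():
        for key, allowed in tests.items():
            allowed_values = {a for a in (allowed if isinstance(allowed, list) else [allowed]) if a}
            present = set(request_keys.get(key, ()))
            if operator == "ForAllValues:StringEquals":
                if not present <= allowed_values:
                    return False
            elif operator == "StringEquals":
                if len(present) != 1 or not present <= allowed_values:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def is_allowed(statement, identity_id, action, resource, leading_keys):
    """Does this single Allow statement cover the request? With no other
    statements in play, False means the implicit deny applies."""
    stmt = resolve_variables(statement, {"cognito-identity.amazonaws.com:sub": identity_id})
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions or resource != stmt["Resource"]:
        return False
    return condition_holds(stmt.get("Condition", {}), {"dynamodb:LeadingKeys": leading_keys})


def query_images(caller, user):
    """Query(User = :user) issued as caller. dynamodb:LeadingKeys is the set of
    partition-key values the request touches; for a Query that is exactly :user."""
    if not is_allowed(STATEMENT, caller, "dynamodb:Query", TABLE, {user}):
        raise PermissionError("AccessDeniedException")
    return [row for row in IMAGES if row["User"] == user]


if __name__ == "__main__":
    print([r["Image"] for r in query_images(BOB, BOB)])
```

Two things the assertions make visible: Scan is deliberately absent from the Action list because dynamodb:LeadingKeys cannot constrain a Scan, and ForAllValues is vacuously true for an empty key set, which is harmless for Query (the key is always present) but is the reason ForAllValues should not be relied on alone for request types where the key may be missing.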
35. API call flows (two diagrams, http://bit.ly/28P5ypl):
   • Unauthenticated: mobile apps → API Gateway → AWS Lambda (lambdaHandler) for Register and Login.
   • Authenticated: mobile apps assume a role, sign calls with SigV4, and call API Gateway → AWS Lambda (lambdaHandler) for ListPets, GetPet and CreatePet; API Gateway invokes with the caller’s credentials and the calls are authorized by IAM.
36. Block “bad actors” with CloudFront, AWS WAF and API Gateway: http://amzn.to/28SekaB
37. Auto-import IP address reputation lists (architecture diagram, http://amzn.to/28O6I6O): an AWS Lambda function imports 3rd-party reputation lists into AWS WAF in front of Amazon CloudFront; bad users (by IP reputation) are blocked before reaching Elastic Load Balancing, Amazon EC2 and Amazon RDS, good users (by source IP) pass, and metrics go to Amazon CloudWatch.
38. Auto-block by request rate & bad requests (architecture diagram, http://amzn.to/28P16XX | http://amzn.to/28Uqz6l): CloudFront access logs land in S3 alongside the static S3 content; an AWS Lambda function reads them, identifies source IPs that send too many requests or too many bad requests, and adds them to an AWS WAF block list in front of Amazon CloudFront; Elastic Load Balancing, Amazon EC2 and Amazon RDS sit behind, with Amazon CloudWatch for metrics.
39. Auto-block by request rate & bad requests (continued): http://amzn.to/28P16XX | http://amzn.to/28Uqz6l
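The detection step of slides 38 and 39 as an added example (not the code of the linked AWS solution): it parses CloudFront standard access logs by their #Fields header, keeps a sliding window per client IP for total requests and for 4xx responses, and emits the INSERT updates a classic AWS WAF IPSet expects. The log lines, IPs and thresholds are constructed; the real solution reads the log objects from S3 on each delivery notification, which this offline example leaves out.

```python
"""Pick IPs to block from CloudFront access logs: request-rate flood and
bad-request (4xx) abuse. Added example; log lines and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime

REQUEST_LIMIT = 5       # requests per IP allowed inside WINDOW_SECONDS (toy value)
ERROR_LIMIT = 3         # 4xx responses per IP allowed inside WINDOW_SECONDS (toy value)
WINDOW_SECONDS = 60


def parse_cloudfront_log(text):
    """Yield one dict per request from a CloudFront standard (W3C) access log.
    Columns are tab-separated and named by the '#Fields:' header, so the parser
    does not hard-code column positions."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before the #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            continue                      # malformed line: skip, don't guess
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def _push(window_deque, ts, window):
    """Append ts and drop timestamps that fell out of the sliding window."""
    window_deque.append(ts)
    while (ts - window_deque[0]).total_seconds() > window:
        window_deque.popleft()


def offenders(text, request_limit=REQUEST_LIMIT, error_limit=ERROR_LIMIT, window=WINDOW_SECONDS):
    """{ip: reason} for every client IP that exceeds a limit in some window."""
    records = sorted(parse_cloudfront_log(text), key=lambda r: r["ts"])
    hits, errors = defaultdict(deque), defaultdict(deque)
    flagged = {}
    for r in records:
        ip = r["c-ip"]
        _push(hits[ip], r["ts"], window)
        if r["sc-status"].startswith("4"):
            _push(errors[ip], r["ts"], window)
        if len(hits[ip]) > request_limit:
            flagged.setdefault(ip, "request rate")
        elif len(errors[ip]) > error_limit:
            flagged.setdefault(ip, "bad requests")
    return flagged


def ipset_updates(flagged):
    """Updates list in the shape classic AWS WAF UpdateIPSet takes."""
    return [{"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
            for ip in sorted(flagged)]


# Constructed sample log (a subset of the real field list; the parser follows the header).
_FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
           "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id")


def _line(time, ip, uri, status):
    return "\t".join(["2016-11-29", time, "IAD53", "512", ip, "GET", "d111111abcdef8.cloudfront.net",
                      uri, status, "-", "Mozilla/5.0", "-", "-", "Hit", "req-" + time])


SAMPLE_LOG = "\n".join(
    ["#Version: 1.0", "#Fields: " + _FIELDS]
    + [_line(f"12:00:{i:02d}", "203.0.113.7", "/api/login", "200") for i in range(6)]      # 6 hits in 6 s
    + [_line(f"12:01:{i:02d}", "198.51.100.9", "/wp-login.php", "404") for i in range(4)]  # 4 x 404
    + [_line("12:02:00", "192.0.2.10", "/index.html", "200")])

if __name__ == "__main__":
    print(ipset_updates(offenders(SAMPLE_LOG)))
```

Keying on the #Fields header matters in practice: CloudFront has appended columns to the log format over time, and a parser that counts positions silently mislabels c-ip or sc-status when that happens.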
40. VPC Flow Logs
   • Agentless
   • Enable per ENI, per subnet, or per VPC
   • Logged to CloudWatch Logs
   • Create CloudWatch metrics from log data
   • Alarm on those metrics
   Record fields: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject.
41. VPC Flow Logs automation (architecture diagram): an Elastic Network Interface in a private subnet writes to a Flow Log group in CloudWatch Logs; a metric filter matches all SSH REJECT records; a CloudWatch alarm fires when SSH REJECT > 10, notifies Amazon SNS, and triggers an AWS Lambda compliance app that acts on the source IP.
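The “filter on all SSH REJECT, alarm if > 10” step of this slide as an added example (not code from the deck): it applies the space-delimited metric filter pattern from the VPC Flow Logs documentation to raw flow log records, the same way CloudWatch Logs does, and then counts matches per source IP so the compliance function knows which address crossed the threshold. The matcher covers the bracketed exact-match syntax the pattern uses (not CloudWatch’s numeric comparisons or the `...` wildcard); the flow log records, ENI and addresses are constructed.

```python
"""CloudWatch Logs space-delimited filter pattern applied to VPC Flow Log records,
then the slide's SSH REJECT > 10 alarm broken down per source IP.
Added example: re-implements the pattern semantics offline, not CloudWatch itself."""
import re
from collections import Counter

# Pattern from the AWS VPC Flow Logs documentation: rejected SSH (tcp/22) flows.
SSH_REJECT_PATTERN = ('[version, account, eni, source, destination, srcport, destport="22", '
                      'protocol="6", packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]')

_TERM = re.compile(r'^\s*(\w+)\s*(?:(=|!=)\s*"?([^"]*)"?)?\s*$')


def parse_pattern(pattern):
    """'[name, name="value", name!="value", ...]' -> list of (name, op, value);
    op and value are None for a bare field name that matches anything."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("space-delimited patterns are bracketed")
    terms = []
    for part in body[1:-1].split(","):
        m = _TERM.match(part)
        if not m:
            raise ValueError(f"bad term: {part!r}")
        terms.append((m.group(1), m.group(2), m.group(3)))
    return terms


def match(terms, line):
    """Return {field name: value} if the record matches the pattern, else None.
    Like CloudWatch, a pattern only matches records with exactly as many fields."""
    fields = line.split()
    if len(fields) != len(terms):
        return None
    named = {}
    for (name, op, value), field in zip(terms, fields):
        if op == "=" and field != value:
            return None
        if op == "!=" and field == value:
            return None
        named[name] = field
    return named


def ssh_reject_sources(lines, threshold=10):
    """Count rejected SSH flows per source IP; return {source: count} above threshold."""
    terms = parse_pattern(SSH_REJECT_PATTERN)
    counts = Counter()
    for line in lines:
        hit = match(terms, line)
        if hit:
            counts[hit["source"]] += 1
    return {src: n for src, n in counts.items() if n > threshold}


# Constructed records in the default flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
def _rec(src, dst, dport, proto, action, start):
    return f"2 123456789010 eni-1235b8ca {src} {dst} 49152 {dport} {proto} 1 44 {start} {start + 60} {action} OK"


SAMPLE_RECORDS = (
    [_rec("198.51.100.23", "10.0.1.5", 22, 6, "REJECT", 1480420800 + i * 5) for i in range(12)]  # scanner
    + [_rec("203.0.113.4", "10.0.1.5", 22, 6, "REJECT", 1480420800 + i * 5) for i in range(3)]   # below threshold
    + [_rec("198.51.100.23", "10.0.1.5", 22, 17, "REJECT", 1480420900)]                           # udp/22: not SSH
    + [_rec("192.0.2.8", "10.0.1.5", 22, 6, "ACCEPT", 1480420900)]                                 # allowed SSH
    + ["2 123456789010 eni-1235b8ca - - - - - - - 1480420800 1480420860 - NODATA"]                # idle interval
)

if __name__ == "__main__":
    print(ssh_reject_sources(SAMPLE_RECORDS))
```

The CloudWatch metric filter itself only produces a count, so the alarm on the slide knows that more than 10 SSH connections were rejected but not by whom; the Lambda compliance app has to go back to the log group (or run a filter like this one) to recover the source IP it is supposed to act on.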
42. Growing serverless ecosystem (partner logos): logging and monitoring; applications and deployment; build and CI/CD.
43. Register for a bootcamp: get in-depth knowledge and training from AWS instructors and solutions architects (reinvent.awsevents.com/training, #AWSTraining). Get AWS Certified onsite: demonstrate your technical proficiency and receive special recognition onsite; register today (reinvent.awsevents.com/certification, #AWSCertified). Take hands-on labs: practice with AWS in a live environment; choose from 100+ lab topics and attend a Spotlight Lab session; free onsite.
44. Thank you!
45. Remember to complete your evaluations!
