Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Serverless Architecture - Design Patterns and Best Practices

1,271 views

Published on

As serverless architectures become more popular, customers are looking for a framework of patterns to help them identify how they can leverage AWS to deploy their workloads without managing servers or operating systems.

This webinar session describes reusable serverless patterns. For each pattern, operational and security best practices with potential pitfalls and nuances will be described. The patterns involve services including but not limited to AWS Lambda, Amazon API Gateway, Amazon Kinesis Data Streams and Data Firehose, Amazon DynamoDB, Amazon S3, AWS Step Functions, AWS Config, AWS X-Ray, and Amazon Athena.

This session can help audience recognise candidates for various serverless architectures in an organisation and understand areas of potential savings and increased agility. For example, using X-Ray in Lambda for tracing and operational insight; a pattern on high performance computing (HPC) using Lambda at scale; Step Functions as a way to handle orchestration for both the Automation and Batch patterns; a pattern for Security Automation using AWS Config rules to detect and automatically remediate violations of security standards; CI/CD development pipelines for serverless, which includes testing, deploying, and versioning (SAM tools); working with services from AI/ML area; plus tips to optimise Lambda functions for performance and cost-effectiveness.

  • Be the first to comment

Serverless Architecture - Design Patterns and Best Practices

  1. 1. Nickk Sun – Solutions Architect July 2018 Serverless Architecture Design Patterns and Best Practices nickksun
  2. 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda • Serverless Foundations • Web application • Stream processing • Data Lake • Operations automation
  3. 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Spectrum of AWS offerings AWS Lambda Amazon Kinesis Amazon S3 Amazon API Gateway Amazon SQS Amazon DynamoDB AWS IoT Amazon EMR Amazon ElastiCache Amazon RDS Amazon Redshift Amazon ES Managed Serverless Amazon EC2 Microsoft SQL Server “On EC2” Amazon Cognito Amazon CloudWatch AWS AppSync AWS Glue Amazon Athena
  4. 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless means… • No servers to provision or manage • Never pay for idle • Built-in High-Availability and Disaster Recovery • Scales with usage
  5. 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Lambda considerations and best practices Can your Lambda functions survive the cold? • Instantiate AWS clients and database clients outside the scope of the handler to take advantage of container re-use. • Schedule with CloudWatch Events for warmth • Logic for “pre-warm” events • ENIs for VPC support are attached during cold start import sys import logging import rds_config import pymysql rds_host = "rds-instance" db_name = rds_config.db_name try: conn = pymysql.connect( except: logger.error("ERROR: def handler(event, context): with conn.cursor() as cur: Executes with each invocation Executes during cold start
  6. 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Lambda Best Practices • Minimize package size to necessities • Separate the Lambda handler from core logic • Use Environment Variables to modify operational behavior • Self-contain dependencies in your function package • Leverage “Max Memory Used” to right-size your functions • Delete large unused functions (75GB limit)
  7. 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS X-Ray Integration with Serverless • Lambda instruments incoming requests for all supported languages • Lambda runs the X-Ray daemon on all languages with an SDK var AWSXRay = require(‘aws-xray-sdk-core‘); AWSXRay.middleware.setSamplingRules(‘sampling-rules.json’); var AWS = AWSXRay.captureAWS(require(‘aws-sdk’)); S3Client = AWS.S3();
  8. 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. X-Ray Trace Example Cold start
  9. 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Serverless Application Model (SAM) • CloudFormation extension optimized for serverless • New serverless resource types: functions, APIs, and tables • Open specification (Apache 2.0) https://github.com/awslabs/serverless-application-model
  10. 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SAM CLI • Develop and test Lambda locally • Invoke functions with mock serverless events • Local template validation • Local API Gateway with hot- reloading https://github.com/awslabs/aws-sam-cli
  11. 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS CodeDeploy and Lambda Canary Deployments • Direct a portion of traffic to a new version • Monitor stability with CloudWatch • Initiate rollback if needed • Incorporate into your SAM templates DeploymentPreference: Type: Canary10Percent30Minutes AWS CodeDeploy
  12. 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Pattern 1: Web App / Microservice / API
  13. 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Web application Data stored in Amazon DynamoDB Dynamic content in AWS Lambda Amazon API Gateway Browser Amazon CloudFront Amazon S3 Amazon Cognito
  14. 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon API Gateway AWS Lambda Amazon DynamoDB Amazon S3 Amazon CloudFront • Bucket Policies • ACLs • OAI • Geo-Restriction • Signed Cookies • Signed URLs • DDOS Protection IAM IAM IAM Serverless web app security • Throttling • Caching • Usage Plans • ACM Static Content Browser Amazon Cognito
  15. 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Custom Authorizer Lambda function Client Lambda function Amazon API Gateway Amazon DynamoDB AWS Identity & Access Management Custom Authorizers SAML Two types: • TOKEN - authorization token passed in a header • REQUEST – all headers, query strings, paths, stage variables or context variables.
  16. 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Authorization with Amazon Cognito Cognito User Pool (CUP) Amazon API Gateway Web Identity Provider User A User B User C Cognito Identity Pool (CIP) /web /cip /cup AWS Lambda Amazon DynamoDB Token AWS Credentials UserAData User B Data UserC Data IAM Authorization IAM Authorization Cognito UserPool Authorizer API Resources C C A A A B BB
  17. 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Multi-Region with API Gateway us-west-2 us-east-1 Client Amazon Route 53 Regional API Endpoint Regional API Endpoint Custom Domain Name Custom Domain Name API Gateway API Gateway Lambda Lambda api.mycorp.com CNAME CNAM E DynamoDB Global Tables
  18. 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Data stored in Amazon DynamoDB Dynamic content in AWS Lambda Amazon API Gateway Browser Amazon CloudFront Amazon S3 Amazon Cognito AWS AppSync
  19. 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. GraphQL
  20. 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Real-Time App After AppSync /graphql AWS AppSync Subscription Amazon DynamoDB Amazon Elasticsearch AWS Lambda Third-party service
  21. 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Useful Frameworks for Serverless Web Apps • AWS Chalice Python Serverless Framework https://github.com/aws/chalice Familiar decorator-based api similar to Flask/Bottle Similar to 3rd Party frameworks, Zappa or Claudia.js • AWS Serverless Express Run Node.js Express apps https://github.com/awslabs/aws-serverless-express • Java - HttpServlet, Spring, Spark and Jersey https://github.com/awslabs/aws-serverless-java-container
  22. 22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Pattern 2: Stream Processing
  23. 23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Stream processing characteristics • High ingest rate • Near real-time processing (low latency from ingest to process) • Spiky traffic (lots of devices with intermittent network connections) • Message durability • Message ordering
  24. 24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Streaming data ingestion Kinesis Agent Record Producers Amazon CloudWatch: Delivery metrics Amazon S3: Buffered files Amazon Redshift: Table loads Amazon ElasticSearch Service: Domain loads Transformed recordsRaw records Amazon Kinesis Firehose: Delivery stream AWS Lambda: Transformations & enrichment Amazon DynamoDB: Lookup tables Raw records Lookup Transformed records Amazon S3: Source record backup Raw records
  25. 25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Best practices • Tune Firehose buffer size and buffer interval • Larger objects = fewer Lambda invocations, fewer S3 PUTs • Enable compression to reduce storage costs • Enable Source Record Backup for transformations • Recover from transformation errors • Amazon Redshift Best Practices for Loading Data https://docs.aws.amazon.com/redshift/latest/dg/c_loading-data-best-practices.html
  26. 26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sensor data collection IoT rules IoT actions MQTT Amazon S3: Raw records Amazon Kinesis Firehose: Delivery stream Amazon S3: Batched records Amazon Kinesis Streams: Real-time stream AWS IoT: Data collection IoT Sensors Real-time processing applications
  27. 27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Kinesis Streams and AWS Lambda Amazon Kinesis: Stream AWS Lambda: Processor function Streaming source Other AWS services • Number of Amazon Kinesis Streams shards corresponds to concurrent invocations of Lambda function • Batch size sets maximum number of records per Lambda function invocation • Scaling – UpdateShardCount - limits: • can only scale up to double shard count • cannot perform more than twice per 24 hours per stream • cannot down below half of current shard count for a stream
  28. 28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Fan-out pattern Trades strict message ordering vs higher throughput & lower latency Amazon Kinesis: Stream Lambda: Dispatcher function Lambda: Processor function Increase throughput, reduce processing latency Streaming source
  29. 29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Best practices • Tune batch size when Lambda is triggered by Amazon Kinesis Streams • Higher batch size = fewer Lambda invocations • Tune memory setting for your Lambda function • Higher memory = shorter execution time • Use Kinesis Producer Library (KPL) to batch messages and saturate Amazon Kinesis Stream capacity https://github.com/awslabs/amazon-kinesis-producer
  30. 30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Pattern 3: Data Lake
  31. 31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless Data Lake Characteristics • Collect/Store/Process/Consume and Analyze all organizational data • Structured/Semi-Structured/Unstructured data • AI/ML and BI/Analytical use cases • Fast automated ingestion • Decoupled Compute and Storage
  32. 32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Serverless Data Lake S3 Bucket(s) Key Management Service Amazon Athena AWS CloudTrail Amazon Cognito AWS IAM Amazon Kinesis Streams Amazon Kinesis Firehose Amazon QuickSight Amazon Macie Amazon API Gateway AWS IAM Amazon Redshift Spectrum AWS Direct Connect Ingest Amazon ESAWS Glue Amazon DynamoDB Catalog & Search Security & Auditing API/UI Analytics & Processing AWS Glue AWS Lambda
  33. 33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Foundation…S3 • No need to run compute clusters for storage • Virtually unlimited number of objects and volume • Very high bandwidth – no aggregate throughput limit • Multiple storage classes • Versioning • Encryption • CloudTrail Data Events • S3 Analytics and Inventory • S3 Object Tagging • AWS Config automated checks
  34. 34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Record configuration changes continuously • Time-series view of resource changes • Archive & Compare • Enforce best practices • Automatically roll-back unwanted changes • Trigger additional workflow AWS Config Amazon Config Rules AWS Config & Config Rules
  35. 35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Config Amazon Config Rules Amazon S3 Bucket AWS SNS Lambda remediation function PUBLIC PRIVATE
  36. 36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Update Index Update Stream Search and Data Catalog • DynamoDB as Metadata repository • Amazon Elasticsearch Catalog & Search AWS Lambda AWS Lambda Metadata Index (DynamoDB) Search Index (Amazon ES) ObjectCreated ObjectDeleted PutItem Extract Search Fields S3 Bucket https://aws.amazon.com/answers/big-data/data-lake-solution/
  37. 37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Instantly query your data lake on Amazon S3 AWS Glue Crawlers AWS Glue Data Catalog Amazon QuickSight Amazon Redshift Spectrum Amazon Athena S3 Bucket(s) Catalog & Search ETL Target databases AWS Glue
  38. 38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Athena – Serverless Interactive Query Service 44.66 seconds...Data scanned: 169.53GB Cost: $5/TB or $0.005/GB = $0.85 SELECT gram, year, sum(count) FROM ngram WHERE gram = 'just say no' GROUP BY gram,year ORDER BY year ASC; Analytics & Processing
  39. 39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Athena – Best Practices • Partition data s3://bucket/flight/parquet/year=1991/month=1/day=2/ OR ALTER TABLE <tablename> ADD PARTITION …… • Aggregated Queries -> Columnar formats Apache Parquet, AVRO, ORC • Optimize file sizes • Compress files with splittable compression (bzip2) https://aws.amazon.com/blogs/big-data/top-10-performance-tuning-tips-for- amazon-athena/ Analytics & Processing
  40. 40. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless batch processing AWS Lambda: Splitter Amazon S3 Object Amazon DynamoDB: Mapper Results AWS Lambda: Mappers …. …. AWS Lambda: Reducer Amazon S3 Results Analytics & Processing
  41. 41. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Pattern 4: Operations Automation
  42. 42. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automation characteristics • Periodic jobs • Event triggered workflows • Enforce security policies • Audit and notification • Respond to alarms • Extend AWS functionality … All while being Highly Available, Scalable and Auditable
  43. 43. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Ops Automator Amazon CloudWatch: Time-based events AWS Lambda: Event handler AWS Lambda: Task executors AWS SNS: Error and warning notifications Resources in multiple AWS Regions and Accounts Amazon EBS Volumes Tags OpsAutomatorTaskList CreateSnapshot Amazon DynamoDB: Task configuration & tracking Amazon CloudWatch: Logs Amazon Redshift Clusters https://aws.amazon.com/answers/infrastructure-management/ops-automator/ Amazon DynamoDB
  44. 44. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Image recognition and processing Web App Amazon DynamoDB: Image meta-data & tags Amazon Cognito: User authentication Amazon S3: Image uploads AWS Step Functions: Workflow orchestration Start state machine execution 1 Extract image meta-data 2 Amazon Rekognition: Object detection Invoke Rekognition Generate image thumbnail 3 3Store meta-data and tags 4 https://github.com/awslabs/lambda-refarch-imagerecognition
  45. 45. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Step Functions state machine
  46. 46. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scanner & Probe Protection OWASP Top 10 Protection Bad Bot & Scraper Protection IP Whitelist / Blacklist Known Attacker Protection HTTP Flood Protection AWS WAF Amazon API Gateway AWS Step Functions Amazon S3 Bucket Access Logs Application Requests (Static + Dynamic) Honey Pot Endpoint AWS Lambda Access Handler AWS ShieldAmazon CloudFront Amazon API Gateway Static Hosting in S3 X
  47. 47. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detected Attack Blacklist Router New Attack Type Manual Approval Update WAF Scraper ACL Update WAF BadBot ACL Update EC2 Guest Firewall Known Attack Start End
  48. 48. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detected Attack New Attack Type Manual Approval Known Attack Start End Update WAF Scraper ACL Update WAF BadBot ACL Update EC2 Guest Firewall Blacklist Router
  49. 49. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Detected Attack New Attack Type Manual Approval Known Attack Start End Update WAF Scraper ACL Update WAF BadBot ACL Update EC2 Guest Firewall Blacklist Router
  50. 50. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scanner & Probe Protection OWASP Top 10 Protection Bad Bot & Scraper Protection IP Whitelist / Blacklist Known Attacker Protection HTTP Flood Protection AWS WAF Amazon API Gateway AWS Step Functions AWS Lambda Log Parser AWS Guard Duty Amazon S3 Bucket Access Logs Application Requests (Static + Dynamic) Honey Pot Endpoint AWS Lambda Guard Duty and 3rd Party IP Lists AWS Lambda Access Handler Amazon CloudWatch AWS ShieldAmazon CloudFront Amazon API Gateway Static Hosting in S3
  51. 51. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. https://aws.amazon.com/events/aws-innovate/ Thursday, 19 July 2018
  52. 52. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Summary Apply serverless patterns for common use-cases: • Web application • Stream processing • Data Lake Foundation • Operations automation What will you build with Serverless?
  53. 53. Thank You!
  54. 54. Dev Day Australia 2018 Tuesday, 7 August 2018 City: Melbourne Venue: Melbourne Convention & Exhibition Centre Registration: https://aws.amazon.com/devday/australia/ Live: twitch.tv/aws https://live.awsevents.com

×