
SRV312_Taking Serverless to the Edge


AWS Lambda enables you to run code without provisioning or managing servers. Today, you can write your Lambda functions once and execute them everywhere your end viewers are present with AWS Lambda@Edge. This session walks through multiple examples of web applications that use the serverless programming model for authentication, customization, and security to address the question of how to design and deploy intelligent web applications with AWS Lambda@Edge and Amazon CloudFront. The startup DataDome will also share its experience with Lambda@Edge and CloudFront, and how it simplified the onboarding process for its customers. Deployed globally on CloudFront PoP locations, their bot protection service can now be activated in one click through the AWS console.


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT. Taking Serverless to the Edge. Benjamin Fabre, DataDome Co-founder & CTO; George John, AWS Product Manager; Will St. Clair, AWS Sr. Solutions Architect. November 2017, SRV312.
  2. What is covered in this session: Why do serverless at the edge? How can AWS Lambda@Edge help? How DataDome implemented real-time bot protection.
  3. Serverless means: no servers to provision or manage; scales with usage; never pay for idle; built-in availability and fault tolerance.
  4. ... but what if you could run your Lambda functions at the edge?
  5. Amazon CloudFront: Global Content Delivery Network, 107 PoPs (96 Edge Locations + 11 Regional Edge Caches).
  6. Amazon CloudFront and AWS Lambda together: Lambda@Edge (logo slide).
  7. Lambda@Edge: globally distributed; no servers to provision or manage; scales with usage; never pay for idle; built-in availability and fault tolerance.
  8. Write once, run Lambda functions globally (diagram: a function authored in N. Virginia replicated to AWS locations worldwide).
  9. Lambda@Edge (diagram: AWS locations at the edge in front of an origin made of compute, storage and database).
  10. CloudFront events (diagram): between end users and the CloudFront cache, Viewer Request and Viewer Response; between the cache and the origin, Origin Request and Origin Response.
  11. Lambda@Edge capabilities (several marked NEW on the slide): viewer events; origin events; content-based routing; network calls; response generation; binary support; larger functions (up to 1536 MB); larger responses (up to 1 MB); larger packages (up to 50 MB); longer timeouts (up to 30 secs).
  12. Taking Serverless to the Edge
  13. FROM MONOLITH: authentication and authorization; content management and processing; localization, internationalization, and personalization.
  14. FROM MONOLITH: authentication and authorization; content management and processing; localization, internationalization, and personalization; application code.
  15. FROM MONOLITH (build-up slide repeating slide 13).
  16. TO MICROSERVICES (diagram): user agents → Amazon CloudFront → Lambda@Edge functions for authentication and authorization, content management and processing, and localization, internationalization, and personalization → HTTP origins.
  17. VIEWER REQUEST EVENTS (diagram highlighting the Viewer Request step between user agents and the CloudFront cache; the other steps are Origin Request, Origin Response and Viewer Response).
  18. VIEWER REQUEST EVENTS: executed on every request before CloudFront's cache is checked; modify the cache key (URL, cookies, headers, query string); perform authentication and authorization checks; make external network calls; generate responses that will not be cached (marked NEW).
  19. VIEWER REQUEST: STATELESS AUTH (diagram): the user agent presents its credentials to an identity provider (IdP) and receives a JSON Web Token (JWT); it then sends the JWT to the CloudFront distribution www.example.com, where the JWT public key drives the access decision for the legacy application, the origin application and the Amazon S3 bucket behind the distribution.
  20. VIEWER REQUEST: STATELESS AUTH. Example JWT payload, with private claims for making an access decision:

```json
{
  "iss": "https://idp.example.com",
  "client_id": "exampleclient",
  "sub": "081e018d-0594-411a-bbe8-cccd7c6058a2",
  "custom:allowed_paths": [
    "/customer/249/*",
    "/user/1360/*",
    "/videos/29492/*"
  ]
}
```

  21. VIEWER REQUEST: STATELESS AUTH (diagram): the Viewer Request event validates the JWT against the JWT public key; on OK the request continues to the legacy application, S3 bucket or origin application, on NO the function answers directly with HTTP 403, 3XX, etc.
  22. VIEWER REQUEST: STATEFUL AUTH (diagram): the Viewer Request event makes an HTTP request to an entitlement service ($) for the access decision; on OK the request proceeds to the HTTP origins, on NO the user agent gets a paywall message, 403, redirect, etc.
  23. ORIGIN REQUEST EVENTS (diagram highlighting the Origin Request step between the CloudFront cache and the HTTP origins).
  24. ORIGIN REQUEST EVENTS: executed on cache miss, before a request is forwarded to the origin; make one or more external network calls; dynamically select an origin based on request headers; implement pretty URLs by rewriting the origin URL; generate responses that can be cached.
  25. ORIGIN REQUEST: BODY GENERATION. Template and data as shown on the slide:

```
<h1>{ page.title }</h1>
{{ for section in page.sections }}
<h2>{ section.title }</h2>
<p>{ section.body }</p>
{{ endfor }}

"page": {
  "title": "Hello",
  "sections": [
    { "title": "Introduction", "body": "The quick..." },
    { ... }
  ]
}
```

  26. ORIGIN REQUEST: BODY GENERATION (diagram): for the cache behavior /blog of www.example.com, the Origin Request event makes external network calls to the S3 bucket blog-templates.s3.amazonaws.com and the Amazon DynamoDB table blog-posts, renders the template and returns it as a cached response.
  27. ORIGIN REQUEST: BODY GENERATION CODE

```javascript
const templateBucket = 'blog-templates-123456789012';
const postTable = 'blog-posts';

var AWS = require('aws-sdk');
var Mustache = require('mustache');
var s3 = new AWS.S3({ region: 'us-east-1' });
var documentClient = new AWS.DynamoDB.DocumentClient({ region: 'us-east-1' });

exports.handler = (event, context, callback) => {
  const request = event.Records[0].cf.request;
  const response = {
    status: '200',
    statusDescription: 'OK',
    headers: {
      'cache-control': [{ key: 'Cache-Control', value: 'max-age=2628000, public' }],
      'content-type': [{ key: 'Content-Type', value: 'text/html; charset=utf-8' }]
    }
  };
  // Look the post up by its slug (the request URI without the leading slash).
  const ddbParams = { TableName: postTable, Key: { slug: request['uri'].slice(1) } };
  documentClient.get(ddbParams, function (err, resp) {
    if (err) { callback(err, null); return; }
    if (!resp.Item) {
      // Unknown slug: answer 404 instead of throwing on resp.Item.template.
      callback(null, { status: '404', statusDescription: 'Not Found' });
      return;
    }
    const template = resp['Item']['template'];
    const data = resp['Item']['data'];
    // Fetch the Mustache template from S3 and render it with the post's data.
    const s3Params = { Bucket: templateBucket, Key: template };
    s3.getObject(s3Params, function (err, s3resp) {
      if (err) { callback(err, null); return; }
      const body = s3resp.Body.toString('utf-8');
      response.body = Mustache.render(body, data);
      callback(null, response);   // generated at origin-request time, so CloudFront caches it
    });
  });
};
```

  28. FULL BODY GENERATION DEMO
  29. PRETTY URLS FOR USER/API EXPERIENCE: https://tiles.example.com/zoom/x/y.jpg can be backed by any of: S3 bucket tiles-v1.s3.amazonaws.com; legacy service old-tile-service.example.net; Elastic Load Balancer tile-service-123456.us-east-1.amazonaws.com.
  30. ORIGIN REQUEST: PRETTY URLS: https://tiles.example.com/zoom/x/y.jpg is rewritten by the Origin Request event to https://tiles-origin.s3.amazonaws.com/f5fdc6f658a49284b.jpg with originPath = sha256(requestPath); the CloudFront cache key stays tiles.example.com/zoom/x/y.jpg, so the cached response is keyed on the pretty URL.
  31. ORIGIN REQUEST: IMAGE PROCESSING (diagram): the Origin Request event first GETs the thumbnail from the S3 bucket image-thumbnails.s3.amazonaws.com; on a 404 it calls an Image Thumbnail function through Amazon API Gateway, which GETs the original from image-originals.s3.amazonaws.com and PUTs the generated thumbnail back into the thumbnails bucket.
  32. TRANSPARENT GLOBAL EXPANSION (diagram): Region A customers and Region B customers both use https://saas.example.com, served by a Region A deployment and a Region B deployment.
  33. TRANSPARENT GLOBAL EXPANSION
  34. ORIGIN REQUEST: ORIGIN SELECTION: on POST /login (user=jane&pass=***) the application looks the user up in the user database (id, user, home-region: 1 alex na; 2 bob eu; 3 joe ap; 4 jane eu) and answers 200 OK with Set-Cookie: home-region=eu.
  35. ORIGIN REQUEST: ORIGIN SELECTION (diagram): the cache behavior /login goes to the North America origin and its user DB; for the cache behavior /app the Origin Request event reads the home-region cookie (home-region=eu?) and selects the North America, Europe or APAC origin, each with its own app DB.
  36. ORIGIN REQUEST: ROUTE ON USER AGENT (diagram): desktop, mobile, and bots and crawlers reach www.example.com; the Origin Request event inspects Cloudfront-Is-Mobile-Viewer, Cloudfront-Is-Desktop-Viewer, Cloudfront-Is-Tablet-Viewer and User-Agent and routes to a mobile optimized app, a client-rendered app or a server-rendered app.
  37. ORIGIN REQUEST: GENERATE REDIRECT (diagram): the Origin Request event inspects Cloudfront-Viewer-Country and Accept-Language and answers with an HTTP redirect to www.example.com/de.
  38. ORIGIN REQUEST: CUSTOM ROUTING CODE

```javascript
'use strict';

const originDomainNames = {
  'origin_1': 'origin.us-east-1.example.com',
  'origin_2': 'origin.eu-west-1.example.com'
};
const defaultOrigin = 'origin_1';

// Read one cookie out of CloudFront's header array. Added so the slide's
// "parse cookies" placeholder runs; the home-region cookie is the one set at
// login on the ORIGIN SELECTION slides (na / eu / ap).
function getCookie(headers, name) {
  const cookies = (headers.cookie || []).map(h => h.value).join('; ');
  const match = cookies.match(new RegExp('(?:^|;\\s*)' + name + '=([^;]*)'));
  return match ? match[1] : null;
}

function chooseOrigin(headers) {
  /* Parse cookies, inspect headers, etc. */
  const homeRegion = getCookie(headers, 'home-region');
  if (homeRegion === 'na') {
    return 'origin_1';
  } else if (homeRegion === 'eu') {
    return 'origin_2';
  } else {
    return defaultOrigin;   // the slide wrote `default_origin`, an undefined name
  }
}

exports.handler = (event, context, callback) => {
  const request = event.Records[0].cf.request;
  const headers = request.headers;
  const selectedOrigin = chooseOrigin(headers);
  /* Modify the request's `origin` object. */
  request.origin = {
    custom: {
      domainName: originDomainNames[selectedOrigin],
      keepAliveTimeout: 60,
      path: '/',
      port: 443,
      protocol: 'https',
      readTimeout: 5,
      sslProtocols: ['TLSv1', 'TLSv1.1']
    }
  };
  callback(null, request);
};
```
  39. ORIGIN REQUEST DEMO
  40. ORIGIN RESPONSE EVENTS (diagram highlighting the Origin Response step between the HTTP origins and the CloudFront cache).
  41. ORIGIN RESPONSE EVENTS: executed on cache miss, after a response is received from the origin; make external network calls; modify the response headers prior to caching.
  42. ORIGIN RESPONSE: INJECT HEADERS (Content-Type, Cache-Control, HTTP Strict Transport Security (HSTS), Content-Security-Policy and more!):

```javascript
'use strict';

exports.handler = (event, context, callback) => {
  const response = event.Records[0].cf.response;
  const headers = response.headers;
  const headerName = 'Strict-Transport-Security';
  const headerValue = 'max-age=31536000; includeSubDomains';
  // CloudFront keys the headers object by lowercase name; `key` keeps the canonical casing.
  headers[headerName.toLowerCase()] = [{ key: headerName, value: headerValue }];
  // Added at origin-response time, the header is stored with the cached object,
  // so later cache hits carry it without running the function again.
  callback(null, response);
};
```

  43. VIEWER RESPONSE EVENTS (diagram highlighting the Viewer Response step between the CloudFront cache and the user agents).
  44. VIEWER RESPONSE EVENTS: executed on all requests, after a response is received from the origin or cache; modify the response headers without caching the result; make external network calls (NEW).
  45. VIEWER RESPONSE: SET USER COOKIES (diagram: on a cache miss the origin fetch fills the CloudFront cache; the viewer response event then adds a per-user cookie that is not stored with the cached object):

```javascript
const { v4: uuidv4 } = require('uuid');   // the slide calls uuidv4() without showing the require

const sid = uuidv4();
// CloudFront header entries use lowercase `key`/`value` properties (the slide used
// `Key`/`Value`), and the response may carry no Set-Cookie yet, so create the array first.
headers['set-cookie'] = headers['set-cookie'] || [];
headers['set-cookie'].push({
  key: 'Set-Cookie',
  value: 'sessionid=' + sid + '; Path=/; Secure; HttpOnly'
});
```
  46. Real-time bot protection taken to the edge
  47. Benjamin Fabre, DataDome co-founder & CTO. b@datadome.co, benjaminfabre, @bfabre, datadome.co
  48. Intelligent Data Protection
  49. Intelligent bot mitigation: Protection, Analysis, Re-action
  50. What to expect from this session: 1. The challenge of real-time bot protection; 2. Protect the Origin; 3. Protect the Edge.
  51. Bots?
  52. Bots account for 50% of global web traffic
  53. Advanced crawling technologies 2017
  54. Bots are massively distributed
  55. The challenge of advanced bot protection: detection & re-action in <2ms
  56. Agenda, section 2: Protect the Origin (1. The challenge of real-time bot protection; 3. Protect the Edge).
  57. Functional logic
  58. IaaS Integration (diagram with four numbered steps among the browser/end client, the customer webserver, the customer application and the DataDome API).
  59. Real-time detection challenges: Scalability, Latency
  60. 3 detection stages: real-time detection (sync, milliseconds, limit I/O); stream detection (async, seconds, fast streaming engine); behaviour detection (async, minutes, scalable storage).
  61. Architecture (diagram): regional PoP with Amazon ElastiCache Redis for real-time detection (< 2ms), AWS Elastic Beanstalk multi-Docker-container API server instances behind a load balancer, async jobs and DataDome modules; global streaming detection (~ seconds) with Apache Kafka and Apache Flink; global behaviour detection (~ minutes) with an Elasticsearch cluster and behaviour algorithms.
  62. Achievements: run real-time detection under 2ms per hit; shared detection across multiple AWS Regions; more than 15 billion hits protected per month.
  63. Agenda, section 3: Protect the Edge (1. The challenge of real-time bot protection; 2. Protect the Origin).
  64. Why Lambda@Edge?
  65. Amazon CloudFront
  66. (logo slide: + =)
  67. Lambda@Edge integration (diagram with four numbered steps among the browser/end client, Amazon CloudFront, the AWS Lambda Viewer Request function, the DataDome API and the customer application).
  68. 11 DataDome regional API PoPs (DataDome API servers): api-eu-france-1.datadome.co, api-eu-west-1.datadome.co, api-eu-central-1.datadome.co, api-us-east-1.datadome.co, api-us-west-1.datadome.co, api-ap-south-1.datadome.co, api-ap-southeast-1.datadome.co, api-ap-southeast-2.datadome.co, api-ap-northeast-1.datadome.co, api-ap-northeast-2.datadome.co, api-sa-east-1.datadome.co.
  69. A single endpoint thanks to Amazon Route 53: api-lambda.datadome.co resolves to the closest DataDome regional API.
  70. Legitimate human request (diagram): the browser/end client's request hits the Viewer Request, the DataDome API answers 200, and the request continues through Origin Request, HTTP origins, Origin Response, CloudFront cache and Viewer Response.
  71. Illegitimate bot request (diagram): the bot's request hits the Viewer Request, the DataDome API answers 403, and the 403 is returned to the bot at the Viewer Response.
  72. Some code for Lambda@Edge
  73. Hook the request event (fragment; the handler body continues on the following slides):

```javascript
/******************************/
/* Requirements and main app. */
/******************************/
const http = require('http');
const querystring = require('querystring');
const process = require('process');
const util = require('util');

exports.handler = (event, context, callback) => {
  /********************/
  /* DataDome process */
  /********************/
  recordLog('debug', 'Initial request: ', event.Records[0].cf.request);
  const request = event.Records[0].cf.request;
  // ... continues on the next slides (recordLog and the helpers below are
  // defined in the full function, which the deck does not show)
```

  74. Collect request information:

```javascript
// Builds request data
var requestData = {
  "Key"            : DATADOME_LICENSE_KEY,
  "ServerName"     : context.invokedFunctionArn,
  "IP"             : request.clientIp,
  "TimeRequest"    : getCurrentMicroTime(),
  "Protocol"       : getRequestProtocol(request),
  "Method"         : request.method,
  "ServerHostname" : getHeader(request.headers, 'host'),
  "Request"        : request.uri,
  "HeadersList"    : getHeadersList(request.headers),
  "Host"           : getHeader(request.headers, 'host'),
  "UserAgent"      : getHeader(request.headers, 'user-agent'),
  "Referer"        : getHeader(request.headers, 'referer'),
  "Accept"         : getHeader(request.headers, 'accept'),
  "AcceptEncoding" : getHeader(request.headers, 'accept-encoding'),
  "AcceptLanguage" : getHeader(request.headers, 'accept-language')
  // the slide ends here; the object is closed below for readability
};
```

  75. Query DataDome API servers:

```javascript
/*********************/
/* DataDome const    */
/*********************/
const datadomeHost = 'api-lambda.datadome.co';
const datadomePath = '/validate-request/';
// `agent` is used but not defined on the slide; a keep-alive agent is the usual choice
// so warm invocations reuse the connection to the API.
const agent = new http.Agent({ keepAlive: true });

/////////////////////////////////////
// Prepares request to DataDome API
let req = http.request({
  host   : datadomeHost,
  path   : datadomePath,
  method : 'POST',   // the slide had a curly closing quote here, which does not parse
  agent  : agent
}, function (datadomeResponse) {
  // ... response handling on the next slide
});
```

  76. Handle the response:

```javascript
switch (datadomeResponse.statusCode) {
  case 200:
    // redirect200Response is built elsewhere in the full function: the request passes through
    callback(null, redirect200Response);
    return;
  case 403:
    var bodyData = '';
    datadomeResponse.on('data', function (chunk) { bodyData += chunk; });
    datadomeResponse.on('end', function () {
      // Builds response to send
      let response = {
        status            : '403',
        statusDescription : 'HTTP Forbidden',
        body              : bodyData
      };
      callback(null, response);
    });
    return;
  // The fragment shows no default branch; a complete handler must still call
  // callback for any other status code, or the invocation only ends by timing out.
}
```
  77. Lambda function sum-up: extract information from the incoming request; prepare and send the fingerprint to the closest DataDome API servers; depending on the response, allow, block or redirect the request.
  78. What's next with Lambda: Viewer Request: specific captcha based on browser detection, different caching policy based on the bot status; Origin Request: specific endpoint origin for good bots; Viewer Response: generate fake content for scrapers.
  79. Intelligent Data Protection all over the world
  80. Thank you for your feedback. Let's connect: b@datadome.co, benjaminfabre, @bfabre, datadome.co
  81. THANK YOU! Other Lambda@Edge sessions: CTD403 - Supercharge Your Websites with the Power of Lambda@Edge; CTD309 - Building Serverless Websites with Lambda@Edge.
