AWS Webinar Series - Developing and Implementing APIs at Scale

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Ed Lima – Solutions Architect, AWS
Vanessa Thornton – Senior Developer, Xero
October 2018
Developing and Implementing APIs at
Scale, the Serverless Way

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Agenda
• Building your API
• REST APIs and GraphQL APIs on AWS
• Securing your API
• Serverless API Backends with AWS Lambda
• Going Global with Serverless APIs
• Developer Tools
• Real world API at Scale use case with Xero

https://www.flickr.com/photos/arbron/7213225316
“Software is Eating the World” – Marc
Andreessen
“APIs are Eating Software” – Dr. Steve Willmott

Building your
API
https://secure.flickr.com/photos/spenceyc/7481166880

InternetMobile/Web
apps
Databases/
Data stores
Basic API Technology Stack
Fail Over
Load Balancers
Web/Application Servers
Message Buses
Workers
?API
backend
?API
“server”

InternetMobile/Web
apps
AWS
Basic API Technology Stack
?API
backend
?API
“server”
Databases/
Data stores
Auto Scaling
Availability Zones
Fail Over
Load Balancers
Web/Application Servers
Message Buses
Workers

API Management Challenges
Managing multiple versions and stages of an API is difficult.
Monitoring third-party developers’ access is time consuming.
Access authorization is a challenge.
Traffic spikes create an operational burden.
Dealing with increased management overhead

Introducing Amazon API Gateway
Create a unified
API front end for
multiple
microservices
Authenticate and
authorize
requests to a
backend
DDoS protection
and throttling
for your backend
Throttle, meter,
and monetize
API usage by
third-party
developers

?InternetMobile/Web
apps
AWS
Basic API Technology Stack - REST
API
backend
Databases/
Data stores
API Gateway

Amazon API Gateway
API Gateway Integrations

Mobile Apps
Websites
Services
Amazon API Gateway
API Gateway
Cache
Public
Endpoints on
Amazon EC2
Amazon
CloudWatch
Monitoring
All publicly
accessible
endpoints
Lambda
Functions
Endpoints
in VPC
Applications
& Services
in VPC
Any other
AWS service
Fully-managed
CloudFront
Distribution
Edge-OptimizedRegionalPrivate
Customer-managed
CloudFront
Distribution
Applications
& Services
in the same
AWS Region
AWS Direct
Connect
On-premises
API Gateway Integrations
NEW

Mobile Apps
Websites
Services
Amazon API Gateway
API Gateway
Cache
Amazon
CloudWatch
Monitoring
Applications
& Services
in VPC
Fully-managed
CloudFront
Distribution
Edge-OptimizedRegionalPrivate
Customer-managed
CloudFront
Distribution
Applications
& Services
in the same
AWS Region
Public
Endpoints on
Amazon EC2
All publicly
accessible
endpoints
Lambda
Functions
Endpoints
in VPC
Any other
AWS service
AWS Direct
Connect
On-premises
API Gateway Backend Integrations

“A one size fits all database doesn’t fit anyone”
Werner Vogels

What Is GraphQL?
Describe what’s possible
with a type system
Uniform API across data stores
and APIs
Network optimized
requests and responses
Powerful developer tools Integrated
documentation and
introspection
Query language for your API
and a runtime for fulfilling
queries with existing data

Managed Serverless
GraphQL service
Connect to data
sources in your account
Add data sync, real-time and
offline capabilities for any data
source or API
GraphQL façade for any
AWS service
Conflict detection and
resolution in the cloud
Enterprise security features:
IAM, Cognito, OIDC,
API keys
Introducing AWS AppSync

?InternetMobile/Web
apps
AWS
Basic API Technology Stack - GraphQL
API
backend
AppSync
Databases/
Data stores

AppSync Integrations
Internet
Mobile Apps
Websites
Services
AWS Lambda
functions
Amazon
DynamoDB
Amazon
CloudWatch
Monitoring
AWS AppSync
All publicly HTTP/S
accessible endpoints
Amazon
Elasticsearch
Amazon RDS
Amazon EC2
Any other
AWS service NEW
WebSockets
WebSockets

Internet
Mobile Apps
Websites
Services
Amazon
CloudWatch
Monitoring
AWS AppSync
AppSync Backend Integrations
AWS Lambda
functions
Amazon
DynamoDB
All publicly HTTP/S
accessible endpoints
Amazon
Elasticsearch
Amazon RDS
Amazon EC2
Any other
AWS service NEW

Internet
Mobile Apps
Websites
Services
Amazon
CloudWatch
Monitoring
AWS AppSync
AppSync Backend Integrations
AWS Lambda
functions
Amazon
DynamoDB
Amazon
Elasticsearch
Amazon RDS
Amazon EC2
Any other
AWS service
API
Gateway

InternetMobile/Web
apps
AWS
Databases/
Data stores
Basic API Serverless Technology Stack -
GraphQL
AWS Lambda
functions
AppSync
Amazon
DynamoDB

Use GraphQL Use REST
When data drives UI
• Structured Data
• Complex Data
• Query-driven
• Real-time/Offline
Client-driven development
Pros: Contract-driven,
Introspection, Relations, Types
Conns: Not as ubiquitous as REST
When you leverage HTTP
• Caching
• Content Types
• Hypermedia (HATEOAS)
For Resources (e.g. Kinesis)
Pros: HTTP Client, Golden Standard,
HTTP/2 Performance gains
Conns: Over fetching/Under fetching
GraphQL or REST?

Bottom Line:
It depends on the use case and, most importantly…
GraphQL or REST?
Good API Design!

1. REST and GraphQL are totally different
2. GraphQL isn't a magic bullet, nor is it "better"
3. You can definitely use both at the same time
4. GraphQL is dope if used for the right thing
https://philsturgeon.uk/api/2017/01/24/graphql-vs-rest-overview/
“
”
GraphQL or REST?

Secure your
API
https://www.flickr.com/photos/modernrelics/1093797721/

Basic Serverless API Technology Stack
Places where we can secure our Application
InternetMobile/Web
apps
AWS
Databases/
Data stores
API Gateway AWS Lambda
functions

Edge Security
InternetMobile/Web
apps
API Gateway
(Regional Endpoint)
Amazon
CloudFront
AWS WAF
https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-i/
https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-2/

Amazon API Gateway Security
Several mechanisms for adding AuthN/AuthZ to our API:
• IAM Permissions
• Use IAM policies and AWS credentials to grant access
• Custom Authorizers
• Use Lambda to validate a bearer token (OAuth or SAML as
examples) or request parameters and grant access
• Cognito User Pools
• Create a completely managed user management system

AWS AppSync Security
Several mechanisms for adding AuthN/AuthZ to our API:
• IAM Permissions
• Use IAM policies and AWS credentials to grant access
• Cognito User Pools
• Create a completely managed user management system
• OpenID Connect (OIDC)
• External OpenID Connect provider

Amazon
EC2
Amazon Elastic
Container Service (ECS)
Amazon EKS AWS FargateALBE/NLB
Auto Scaling
API Backend - AWS Compute Services
AWS
Lambda

InternetMobile/Web
apps
AWS
Databases/
Data stores
Basic API Serverless Technology Stack -
REST
functions

No servers to provision
or manage
Scales with usage
Never pay for idle Availability and fault
tolerance built in
Serverless means…

Infrastructure
Network
Machine / Instance
Operating System
Application

Infrastructure
Network
Instance
Operating System
Application
AWS

SERVICES (ANYTHING)
Changes in
data state
Requests to
endpoints
Changes in
resource state
EVENT SOURCE FUNCTION
Node.js
Python
Java
C#
Go
Power Shell
Serverless Applications
NEW

Lambda Execution Model
Synchronous (push) Asynchronous (event) Stream-based (pull)
Amazon
API Gateway
AWS Lambda
function
Amazon
DynamoDBAmazon
SNS
/order
AWS Lambda
function
Amazon
S3
reqs
Amazon
Kinesis
changes
AWS Lambda
service
function

Amazon S3
Amazon DynamoDB
Amazon Kinesis Data Streams
Amazon Simple Notification Service
Amazon Simple Email Service
Amazon Simple Queue Service
Amazon Cognito
AWS CloudFormation
AWS AppSync
Lambda Event Sources
Amazon CloudWatch Logs
Amazon CloudWatch Events
AWS CodeCommit
Scheduled Events
AWS Config
Amazon Alexa
Amazon Lex
Amazon API Gateway
AWS IoT
Amazon CloudFront
Amazon Kinesis Data Firehose

Lambda Event Sources
Amazon S3
Amazon DynamoDB
Amazon Kinesis Data Streams
Amazon Simple Notification Service
Amazon Simple Email Service
Amazon Simple Queue Service
Amazon Cognito
AWS CloudFormation
AWS AppSync
Amazon CloudWatch Logs
Amazon CloudWatch Events
AWS CodeCommit
Scheduled Events
AWS Config
Amazon Alexa
Amazon Lex
Amazon API Gateway
AWS IoT
Amazon CloudFront
Amazon Kinesis Data Firehose

1. Message inserted
into to a queue
message
Amazon
SQS
Lambda
function
3. Function
removes
message from
queue
2. Lambda polls
queue and
invokes function
Amazon SQS + Lambda
Simple, flexible, fully managed message
queuing service for reliably and
continuously exchanging any volume of
messages from anywhere
Processed in batches
At least once delivery
Visibility timeout allows for handling of
failures during processing
NEW

Lambda
function
2. Lambda invoked
SNS
Topic
1. Data published to a topic
Data
Amazon SNS + Lambda
Simple, flexible, fully managed
publish/subscribe messaging and mobile
push notification service for high
throughput, highly reliable message
delivery
Messages are published to a Topic
Topics can have multiple subscribers
(fanout)
Messages can be filtered and only sent to
certain subscribers

Lambda
function
2. Lambda polls
stream
Amazon
Kinesis
Stream
1. Data published to a
stream
3. Kinesis returns
stream data
Data
Amazon Kinesis Streams + Lambda
Fully managed, highly scalable service for
collecting and processing real-time data
streams for analytics and machine
learning
Stream consists of shards with a fixed
amount of capacity and throughput
Lambda receives batches and potentially
batches of batches
Can have different applications consuming
the same stream

Going Global

Global Active-Active Serverless APIs
https://read.acloud.guru/building-a-serverless-multi-region-active-active-backend-36f28bed4ecf
https://myglobal.api.com

Global Active-Active Serverless APIs
https://read.acloud.guru/build-a-cost-effective-mobile-backend-for-scale-and-security-4c0c143e898c

Where do you ..
https://secure.flickr.com/photos/stevendepolo/5749192025/

AWS CloudFormation
Declarative templates of your resources
Manages AWS resources based on dependencies
Manage with Source Control

Meet
SAM!

SAM Template
AWSTemplateFormatVersion: '2010-09-09’
Transform: AWS::Serverless-2016-10-31
Resources:
HelloWorldFunction:
Type: AWS::Serverless::Function
Properties:
Handler: app.lambda_handler
Runtime: nodejs8.10
Events:
Add:
Type: Api
Properties:
Path: /
Method: get
Environment:
Variables:
TABLE_NAME: !Ref Table
Table:
Type: AWS::Serverless::SimpleTable

SAM Template
Resources:
HelloWorldFunction:
Properties:
Runtime: nodejs8.10
Events:
Add:
Type: Api
Properties:
Path: /
Method: get
Environment:
Variables:
Table:
Lambda Function

SAM Template
Resources:
HelloWorldFunction:
Properties:
Runtime: nodejs8.10
Events:
Add:
Type: Api
Properties:
Path: /
Method: get
Environment:
Variables:
Table:
API Gateway API

SAM Template
Resources:
HelloWorldFunction:
Properties:
Runtime: nodejs8.10
Events:
Add:
Type: Api
Properties:
Path: /
Method: get
Environment:
Variables:
Table:
Type: AWS::Serverless::SimpleTable DynamoDB Table

SAM Commands: Easier Deployment
Package
•Creates a deployment package (.zip file)
•Uploads deployment package to an Amazon S3 Bucket
•Adds a CodeUri property with S3 URI
Deploy
•Calls CloudFormation ‘CreateChangeSet’ API
•Calls CloudFormation ‘ExecuteChangeSet’ API

Transformed Template

AWS Amplify
CLI

APIGW
Lambda
DynamoDB
Amazon
DynamoDB

GraphQL Transformer
type Post {
id: ID!
content: String
description: String
ups: Int
downs: Int
}
NEW

GraphQL Transformer
Amazon DynamoDB
type Post
@model {
id: ID!
content: String
description: String
ups: Int
downs: Int
}
createPost
readPost
updatePost
deletePost
AWS AppSync

GraphQL Transformer
Amazon DynamoDB
type Post
@model
@auth(rules:
[{allow: owner}]){
id: ID!
content: String
description: String
ups: Int
downs: Int
}
Amazon
Cognito
User Pools
mutations
queries
createPost
readPost
updatePost
deletePost
AWS AppSync

GraphQL Transformer
Amazon DynamoDB
type Post
@model
@auth(rules:
[{allow: owner}])
@searchable{
id: ID!
content: String
description: String
ups: Int
downs: Int
}
Amazon Elasticsearch
searchPosts
Amazon
Cognito
User Pools
mutations
queries
createPost
readPost
updatePost
deletePost
AWS AppSync
https://medium.com/open-graphql/create-a-multiuser-graphql-crud-l-app-in-10-minutes-with-the-new-aws-amplify-cli-and-in-a-few-73aef3d49545

Local Development
SAM CLI (Node.js, Java, Python, Go, .NET Core)
Amplify CLI (Node.js)

A Scalable Serverless API Use
Case

Buildingserverless
applicationsat scale

The Challenge
Build asolution that handleslargeamountsof data, scalesat thedrop of ahat and also
reducestheload on our public API

● TheXero API serves115million callsper
week. That averagesout to be16
million callsaday.
● Alargenumber of callsinto theAPI are
HTTPGet requests. Creatinga‘polling
effect’.
● Thiscaused unnecessary load on our
gateway and upstream API’s.
● Thispattern wasnot sustainablenor
scalable.
The Problem
Picturecredits LornaMitchell

● Weneeded away to effortlessly scaleand respond to thepeaksand
troughsof dataflow
● Provideour appswith anotification when an end user makesachange
in near real-time.
● Follow industry standards, not re-invent thewheel.
Architecture Challenges

The Solution
Implement webhookson Xero’spublic API

● Awebhook isaway to provide
applicationsdatain near real-timevia
HTTPpost.
● Dataimmediately arrivesafter a change
hasoccurred in theoriginatingsystem.
● Webhooksaremoreefficient for both
theprovider and theconsumer.
● Reduction in polling.
Webhooks
Picturecredits LornaMitchell

Registering For Events

Dispatching of Events

Storage of Events

Delivery of Events

● How to secureour payloads
● How do handle‘misbehavingapps’ so they don’t affect delivery and
causebottlenecks
● How do wehandleretriesfor unsuccessful deliveries
● PerformanceTesting
Development Challenges

● Wedeliver eventsto apps
within 10secondsof a
changeoccuringin Xero
● Wehaveover 470active
subscriptions
● Deliveringon average30
million eventsamonth/ 1.5
million webhook batches
How isit performing

● Updatingour delivery system to betriggered off SQSinstead of a
CloudWatch event timer.
● Moreevent types
● Support for MultipleURLs
What isnext?

Come join us across 6 cities in Australia and New Zealand for the Serverless Workshops: Wild Rydes!
Build an innovative unicorn transportation service using AWS Lambda, AWS Step Functions, Amazon DynamoDB,
Amazon API Gateway, and Amazon Kinesis to get people to their destination faster and hassle-free. Challenge yourself with your
peers and enjoy a free day of learning, food and networking.
Register (spots are limited in each city): https://splashthat.com/sites/view/aws-serverlessworkshop-wildrydes.splashthat.com
23 Oct: Perth
25 Oct: Auckland
26 Oct: Wellington
29 Oct: Melbourne
30 Oct: Brisbane
30 Oct: Sydney

Q&A

Thank you!

AWS Webinar Series - Developing and Implementing APIs at Scale

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Webinar Series - Developing and Implementing APIs at Scale

Similar to AWS Webinar Series - Developing and Implementing APIs at Scale (20)

More from Amazon Web Services

More from Amazon Web Services (20)

AWS Webinar Series - Developing and Implementing APIs at Scale