This document discusses serverless architecture using AWS services. It describes how Open Class Tickets uses AWS Lambda for backend business logic, API Gateway to access the logic, and DynamoDB for data persistence. It also covers authentication with Cognito, event handling with SNS, ticket delivery with SES, file storage with S3, and management with CloudFront. Infrastructure is defined with CloudFormation. Key benefits are no servers to manage and continuous scaling, while potential downsides include vendor lock-in and cold start latency.

1. Going Serverless…
Dirk Ehms, Open Class Tickets
 Serverless Computing
 Serverless Architecture
 Serverless Operations

2. Open Class Tickets
https://unsplash.com/photos/NSVJAAXOYHs

3. Open Class Tickets - Platform
Tickets -
Studio App
Management
Console
Business Logic
e-Tickets
Building Blocks

4. Open Class Tickets - Facts
 Pure Serverless
 Software as a Service (SaaS)
 Multi Tenant
 Frameworks and Technologies
 Back-end Business Logic: AWS Lambda
 Tickets – Studio App: Ionic3 (Angular, HTML5, Cordova)
 Attendee e-Tickets: Apple Wallet (Passbook)
 Management Console: Bootstrap, Angular
 Dev-Tools: Serverless Framework

5. Tickets–StudioApp
Amazon
Polly

6. 1. Create Ticket Assemble
pass.json file
Collect artwork
as PNG files
Create manifest.json file
Create digital signature
file for manifest
Zip it all up and change
extension to *.pkpass
icon.pgn,
logo.png,
strip.png
WWDR
intermediate cert,
Pass-signing cert +
private key
Apple Wallet

7. 1. Create Ticket
AWS Lambda
 Heart of AWS Serverless Computing
 Never pay for idle: pay as you go
 Event driven, multiple event sources
 Available in (almost) all regions

8. 1. Create Ticket (2)
System Architecture
Mobile Client
Web Browser
AWS SDK
AWS
AWS Lambda
Internet

9. 2. API to access business logic
API Gateway
 Important part of the AWS Serverless Infrastructure
 Provides (consistent) RESTful APIs
 But API-ID changes per redeploy
 API protection and monitoring
 Supports
 Proxy integration
 Binary support

10. 2. API to access business logic
System Architecture
Internet
https://90varu7pzb.execute-api.eu-central-1.amazonaws.com/prod/tickets
ionic

11. 3. Persist ticket data
Amazon DynamoDB
 NoSQL database, fully managed
 Replicated continuously to 3 AZs
 Read / Write Provisioning
 Different multi tenant database approaches
 Tenant field per table
 Separate tables per tenant
 AWS account per tenant
 Alternative: RDS (Managed Service)

12. 3. Persist attendee data
System Architecture
Internet
Mobile Client
ionic

13. 4. Authenticate and Authorize
Cognito User Pool, Cognito Identity Pool
 API Gateway: Provides 3 types of authorization
 User Pools Authorizers
 AWS IAM authorization
 Custom Authorizers
 JSON Web Tokens (JWT)
 Custom fields :: tenantId
 No data export function (IaC -> don’t remove)

14. User Pool
1. Authenticate 
 2. JWT tokens
Cognito User Pool
4. Authenticate Users (2)
3. Call API Gateway 
…
AWS SDK

15. User Pool
Identity Pool
6. Request AWS creds 
 7. Temporary AWS creds
AWS Security
Token Service
(STS)
Cognito User Pool + Cognito Identity Pool
4. Authenticate Users (3)
AWS SDK
9. Call API Gateway 
…

16. 5. Event Handling
Simple Notification Service (SNS)
 Publish/Subscribe Messaging
 One SNS topic per event type
 Mobile Notifications
 Push notifications
 SMS
 Alternatives:
 DDB Streams
 Amazon Kinesis Streams

17. 5. Event Handling (2)
API Gateway
SNS AWS Lambda DynamoDB
(Projection)
DynamoDB
System
Architecture
Internet
Mobile Client
ionic

18. 6. Send Ticket to attendee
Simple Email Service (SES)
 Sending and receiving emails
 Available in only 3 Region
 (us-east-1, us-west-2, eu-west-1)
 Starts in Sandbox mode
 200 emails per day to verified addresses
 Handling Bounces and Complaints
 Define rules for receiving emails

19. 6. Send Ticket to attendee (3)
API Gateway
SNS AWS Lambda SES
DynamoDB
Internet
Mobile Client
ionic
System
Architecture

20. 7. Store Resource Files
Amazon S3 (Simple Storage Service)
 Event Bucket
 Ticket Bucket (Apple Wallet)
 Tenant Resource Bucket
 Email Template
 Ticket Images
 Management Console:
 Static Website hosting

21. 7. Store Resource Files (2)
API Gateway
SNS AWS Lambda S3 Bucket
DynamoDB
System
Architecture
Internet
Mobile Client
ionic

22. 8. Provide a Management Console
Amazon CloudFront
 Content Delivery Network (CDN-Service)
 Configure Tenant Settings
 Management Console:
 Static Website hosting -> S3 Bucket
 Alternative: S3 Bucket direct access

23. 9. Use Custom Domains and HTTPS
AWS Certificate Manager (ACM)
 Custom Domains must be verified to be used
 API Gateway
 Base path mapping
 Now integrated with AWS Certificate Manager
 Amazon CloudFront

24. 10. Hide Secrets
AWS Key Management Service (KMS)
 Create and control the encryption keys
 Each customer master key costs $1/month
KMS_ENCRYPT_CMD=”aws kms encrypt --key-id $AWS_KMS_ARN
--output text --query CiphertextBlob”
export SECRET_ENCRYPTED=$( echo $( $KMS_ENCRYPT_CMD --plaintext ”secret" ) )

25. 10. Hide Secrets (2)
AWS Key Management Service (KMS)
const aws = require('aws-sdk');
const kms = new aws.KMS();
...
kms.decrypt({ CiphertextBlob: new Buffer(process.env.SECRET_ENCRYPTED,
'base64') }, (err, data) => {
if (err) {
return callback(err);
}
const decrypted = data.Plaintext.toString('ascii');
console.log('AFTER DECRYPTION:' + decrypted);
});

26. Infrastructure as Code (IaC)
AWS CloudFormation
 Create templates of your infrastructure
 CloudFormation provisions AWS resources based on
dependency needs
 Nested CloudFormation stacks vs cross-stack references
 Alternatives: Terraform, CLI

27. Infrastructure as Code (2)
AWS CloudFormation
 Lambda-backed Custom Resource
 Insert DB records
 (Create Cognito instances)
 Delete Your Stacks But Keep Your Data
 Beware of renaming immutable attributes
 Best practice: resource-only CloudFormation stack
"myS3Bucket" : {
"Type" : "AWS::S3::Bucket",
"DeletionPolicy" : "Retain"
}

28. Summary
Pros
 No servers to manage
 Don’t pay for idle servers
 Continuous Scaling
 Fits well with microservices
Cons
 Vendor lock-in
 Depending on single AWS region
 Cold server latency
 Doesn't support legacy apps
 Local development & testing

29. Hype Driven Development
https://blog.daftcode.pl/hype-driven-development-3469fc2e9b22
A good hockey player plays
where the puck is. A great
hockey player plays where
the puck is going to be.
★ ★ ★
Wayne Gretzky

30. Thank You