Running Serverless at The Edge (CTD302) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Running Serverless at The Edge
George John
Sr. Product Manager
Amazon CloudFront/Lambda@Edge
C T D 3 0 2
Tyler Foster
VP, Technology
Sentient Technologies

What’s covered in this session
• Overview of Serverless & AWS Lambda
• Deep dive into Lambda@Edge
• Lambda@Edge usecases
• Sentient’s usecase for Lambda@Edge

Related reInvent sessions
CTD405 – Optimizing Lambda@Edge for Performance
and Cost Efficiency
Tuesday, Nov 27th, 4:00PM – 5:00PM | Venetian, Level 2, Veronese 2406
Wednesday, Nov 28th, 5:30PM – 6:30PM | MGM, Level 3, North Concourse 306
CTD409 – High Velocity DevOps: Four Ways to Leverage
CloudFront in Faster DevOps Workflows
Thursday, Nov 29th, 12:15PM – 1:15PM | MGM, Level 1, Grand Ballroom 122
CTD301 – How Disney Streaming Services and TrueCar Deliver Web
Applications for Scale, Performance, and Availability
Tuesday, Nov 27th , 1:45PM – 2:45PM | MGM, Level 1, Grand Ballroom 122

No servers to provision
or manage
Scales with usage
Never pay for idle Availability and fault
tolerance built in
Serverless means…

SERVICES (ANYTHING)
Changes in
data state
Requests to
endpoints
Changes in
resource state
EVENT SOURCE FUNCTION
Node.js
Python
Java
C#
Go
Serverless applications

Amazon
S3
Amazon
DynamoDB
Amazon
Kinesis
AWS
CloudFormation
AWS
CloudTrail
Amazon
CloudWatch
Amazon
Cognito
Amazon
SNS
Amazon
SES
Cron events
DATA STORES ENDPOINTS
DEVELOPMENT AND
MANAGEMENT TOOLS
EVENT/MESSAGE SERVICES
Event sources that trigger AWS Lambda
and more!
AWS
CodeCommit
Amazon
API Gateway
Amazon
Alexa
AWS
IoT
AWS Step
Functions
Amazon
CloudFront

Amazon CloudFront
(Event Source)
AWS Lambda
AWS Lambda@Edge
Lambda@Edge

AWS Lambda@Edge
Globally
distributed
No servers
to provision
or manage
Scales
with usage
Never pay
for idle
Availability and fault
tolerance built in
Bring your code closer to end users to improve viewer experience

Write once, run Lambda functions globally
N Virginia
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location
Note: You have to select N.Virginia (us-east-1) when creating Lambda@Edge functions

Origin
Compute
Database
Storage
Why CloudFront + Lambda@Edge?

Amazon CloudFront
Origin
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location

Amazon CloudFront + Lambda@Edge
Origin
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location

CloudFront
Cache
End user/viewer
Amazon S3
CloudFront events for Lambda@Edge
Viewer request
Amazon CloudFront
Location
Origin
Amazon
ALB/ELB/EC2
HTTP Server
Origin request
Origin responseViewer response
Cache Miss ScenarioCache Hit Scenario

Anatomy of a Lambda function
Handler() function
Function to be executed
upon invocation
Event object
Data sent during Lambda
Function Invocation
Context object
Methods available to
interact with runtime
information (request ID,
log group, etc.)
public String handleRequest(Book , Context context) {
saveBook(book);
return book.getName() + " saved!";
}

Let’s look at a Lambda@Edge function
exports.handler = (event, context, callback) => {
/* viewer-request and origin-request events have the request as input */
const request = event.Records[0].cf.request;
/* viewer-response and origin-response events have the response as input */
/* const response = event.Records[0].cf.response; */
/* Do the processing – say add a header */
/* When I am done I let CloudFront what to do next */
callback(null, request); }
Lambda@Edge supports Node.js (JavaScript runtime)

Request Event
{ "Records": [ {
"cf": {
"config": {
"distributionDomainName":
"d123.cloudfront.net",
"distributionId": "EDFDVBD6EXAMPLE",
"eventType": "viewer-request", },
"request": {
"body": {
"action": "read-only",
"data": "eyJ1c2VybmFt=",
"encoding": "base64",
"inputTruncated": false
},
"clientIp": ”1.2.3.4",
"querystring": "size=large",
"uri": "/picture.jpg",
"method": "GET",
"headers": {
"host": [ {
"key": "Host",
"value":
"d111111abcdef8.cloudfront.net"
} ],
"user-agent": [ {
"key": "User-Agent",
"value": "curl/7.51.0"}
] },
……
"origin": {
"custom": {
"customHeaders": {
"my-origin-custom-header": [{
"key": ”My-Custom-Header",
"value": "Test"}]},
"domainName": "example.com",
"keepaliveTimeout": 5,
"path": "/custom_path",
"port": 443,
"protocol": "https",
"sslProtocols": [
"TLSv1", "TLSv1.1"
] },
"s3": {
"authMethod": "origin-access-
identity",
"customHeaders": {
"my-origin-custom-header": [
{
"key": "My-Custom-Header",
"value": "Test"
} ] },
"domainName": "my-
bucket.s3.amazonaws.com",
"path": "/s3_path",
"region": "us-east-1"
}

Response Event
"Records": [ {
"cf": {
"config": {
"distributionDomainName":
"d123.cloudfront.net",
"distributionId": "EDFDVBD6EXAMPLE",
"eventType": "viewer-response",
"requestId": "xGN7KWpVEmB"
},
"request": {
"clientIp":
"2001:0db8:85a3:0:0:8a2e:0370:7334",
"method": "GET",
"uri": "/picture.jpg",
"querystring": "size=large",
"headers": {
"host": [ {
"key": "Host",
"value":
"d111111abcdef8.cloudfront.net"
} ],
"user-agent": [
{
"key": "User-Agent",
"value": "curl/7.18.1"
} ] } },
"response": {
"status": "200",
"statusDescription": "OK",
"headers": {
"server": [
{
"key": "Server",
"value": "MyCustomOrigin"
}
],
"set-cookie": [
{
"key": "Set-Cookie",
"value": "theme=light"
},
{
"key": "Set-Cookie",
"value":
"sessionToken=abc123;
Expires=Wed, 09 Jun
2021 10:18:14 GMT"
}
]
}
}
}
}

Example
if (request.headers['cloudfront-viewer-country']) {
const countryCode = request.headers['cloudfront-
viewer-country'][0].value;
if (countryCode === 'UK' || countryCode === 'DE'
|| countryCode === 'IE' ) {
const domainName = 'eu.example.com';
request.origin.custom.domainName =
domainName;
request.headers['host'] = [{key: 'host',
value: domainName}];
}
}
callback(null, request);
};
• Based on the location of the
end viewer
• Route the viewer’s request to
the appropriate backend origin
server for latency, data locality,
load balancing or other reasons

1. Inject Security Headers
End user
Headers are
cached for subsequent requests
CloudFront
Cache
Amazon CloudFront
Location
Origin response
Insert headers
(CORS, HSTS,
CSP, etc.) Origin

'use strict';
const response = event.Records[0].cf.response;
const headers = response.headers;
const headerName = 'Strict-Transport-Security';
const headerValue = 'max-age=31536000;
includeSubDomains';
headers[headerName.toLowerCase()] = [{
key: headerName,
value: headerValue
}];
callback(null, response);
};
Inject Security Headers
Tip: For a complete example, refer to AWS Blog - Adding HTTP headers using Lambda@Edge
https://amzn.to/2FopHbt

2. Securely access origin
Origin request
End user
Signed URL or
Signed Cookies
CloudFront
Cache
Amazon CloudFront
Location
Origin
S3 OAI or
Custom headers
Web server
Tip: For a complete example, refer to AWS Blog - Serving private content https://amzn.to/2A4QJPg
Lambda function
to sign URL

3. Stateless Authorization
End user
HTTP 403, 3XX, etc.
NO
JWT
JWT
JWT public key
Viewer Request
Access decision CloudFront
Cache
Amazon CloudFront Location
Tip: For complete example, refer to AWS Blog Authorization@Edge https://amzn.to/2JMFq56
Legacy application
S3 Bucket
Origin application
OK

4. Stateful Authorization
End user
Viewer Request
CloudFront
Cache
Amazon CloudFront Location
NO
Paywall message,
403, redirect, etc.
$
HTTP request
Entitlement service Access decision
Origin
OK

1. Template rendering
<h1>{ page.title }</h1>
{{ for section in page.sections }}
<h2>{ section.title }</h2>
<p>{ section.body }</p>
{{ endfor }}
"page": {
"title": "Hello",
"sections": [ {
"title": "Introduction",
"body": "The quick..."
}, { ... } ]
Static Content
Dynamic Content

Template Rendering
End user
Cache Behavior
/blog
Origin Request
Event
Outbound
network calls
Rendered template
Cached response
CloudFront cache
Amazon CloudFront
Location
S3 Bucket
blog-templates.s3.amazonaws.com
DynamoDB table
blog-posts

2. Website Personalization
End user Origin Request
Event
Accept-Language?
CloudFront-Is-Desktop-Viewer?
CloudFront-Is-Mobile-Viewer
Cloudfront-Viewer-Country?
CloudFront cache
Amazon CloudFront
Location
HTTP redirect
www.example.com/de

Example – Redirects
const headers = request.headers;
let url = 'https://example.com/';
if (headers['cloudfront-viewer-country']) {
const countryCode = headers['cloudfront-viewer-
country'][0].value;
if (countryCode === ‘UK') {
url = 'https://uk.example.com/';
} else if (countryCode === 'US') {
url = 'https://us.example.com/';
}
}
const response = {
status: '302',
statusDescription: 'Found',
headers: {
location: [{
key: 'Location',
value: url,
}],
},
};
callback(null, response);};

CloudFront Cache
End user
Fetch Image
Amazon S3
Origin
Origin response
event
If image
doesn’t exist,
generate and
save
Amazon CloudFront
Location
Origin
3. Dynamic Image Manipulation
Tip: For complete example, refer to AWS Blog - Resizing Images with Lambda@Edge
https://amzn.to/2KEiWnt

CloudFront Cache
New user
Waiting room site
on S3
Amazon CloudFront
Location
Origin
4. Visitor prioritization
Tip: For complete example, refer to AWS Blog - Visitor Prioritization https://amzn.to/2OVfxyv
Prioritized user
Backend
application
Origin Request

CloudFront
Cache
End user
Amazon S3
5. Cache key customization
Viewer request
Amazon CloudFront
Edge Location
Origin
• A video distribution company had playback session ID in URL, that was logged in
CloudFront access logs, for billing/tracking their customer usage
• But this led to poor Cache Hit Ratio since multiple copies of the same object cached
• Leveraged Lambda@Edge to rewrite the URI for a more optimal Cache key
• Original URL: http://customer.com/34542-942820/file1
• Rewritten URL: http://customer.com/file1

Content Based Routing
CloudFront
Cache
End user
Amazon S3
(Tokyo)
Amazon CloudFront
Edge Location
Amazon
ALB/ELB/EC2
(London)
HTTP Server
(Customer’s
data center)
Origin request
Amazon S3
(N Virginia)
Route based on:
1. Incoming Request properties (URL,
Headers, Query String, Cookies)
2. External sources (Amazon DynamoDB,
other public HTTP Endpoints)
Origin

1. Balancing across origins
CloudFront
Cache
End user
Amazon CloudFront
Edge Location
Amazon ALB
Origin request
Amazon ALB
1. End user location in a custom header
2. Lambda function inspects that header,
and routes user to appropriate origin
AWS Region
(Frankfurt)
AWS Region
(London)

2. Data locality / Low Latency
CloudFront
Cache
End user
Amazon CloudFront
Edge Location
Origin request
Amazon S3
(Frankfurt)
Amazon S3
(N Virginia)
Amazon S3
(Sydney)
Amazon S3
(Mumbai)
Inspect CloudFront provided
Header “CloudFront-Viewer-
Country”, to route the request
to appropriate S3 bucket
Origin

3. A/B Testing
CloudFront
Cache
End user
Amazon CloudFront
Edge Location
Origin request
Origin A
Origin B
1. Check to see if this is an active
session. (Say, using a cookie.)
2. For active sessions, set the origin
based on the value in the cookie.
3. For a new session, decide whether to
show A or B variant. And set the
origin accordingly.

desiredOrigin = decide(request);
/* Set custom origin fields*/
request.origin = {
custom: {
domainName: desiredOrigin,
port: 443,
protocol: 'https',
}
};
request.headers['host'] = [{ key: 'host',
value: desiredOrigin
}];
};
Example – A/B Testing
function decide(request) {
if (request.headers[‘my-session-
cookie’]) {
cookie = request.headers[‘my-
session-cookie’].value;
return decodeOrigin(cookie);
} else {
return chooseOrigin(request);
}
};

4. Search Engine Optimization
Origin Request
Inspect User Agent:
• Is good bot?
• Is bad bot?
• Is real user?
CloudFront cache
Amazon CloudFront
Location
End User
Pre-rendered,
crawler friendly
version of app
Server-rendered
app
NO

5.Origin Failover
CloudFront
Cache
End user
Amazon CloudFront
Location
Primary Origin
(US)
Secondary Origin
(EU)

Running Serverless at The Edge
Tyler Foster
VP, Technology
Sentient Technologies
C T D 3 0 2
45

These are transformational times.
Transformation requires innovation.
Innovation requires experimentation.
“If you’re not trying 100 ideas, or
even 1,000 ideas, you’ll get stuck.”
Peter Diamandis
Futurist / Founder of XPRIZE

• Accelerates and automates
experience optimization
• Drives better results faster
• Frees resources
• Empowers innovation
Evolutionary Experience Optimization

The Genome
• Test dozens of ideas at the
same time
• Assess thousands of
combinations
• Analyze performance of each
element individually and in
combination
• Learn the best combination to
achieve the optimization
goal(s) for right now

How Ascend Works
• Multiple user experiences
tested in generations
• Each generation learns from
the previous
• Each generation gets closer to
the current optima
• Mutation continues to explore
the space for changes in
behavior

System Characteristics
< 50ms average impact, consistent across globally-distributed
participants / end users
Big swings in traffic depending on the season, who is experimenting,
and changes in traffic source

CloudFront behavior in front of 7 regions, each with 3-10 m4-large instances behind Elastic
Load Balancing, supported by 3-node Amazon ElastiCache (Redis) clusters
The Old Way
Batch
Participants
Customers
website
runtime.*
CloudFront
Participant Impact
Static Assets
API Worker
rt.*
ElastiCache

• High latency
• High cost to scale
• Difficult to support new regions
• A lot of under utilized resources, even with auto-scaling
The Issues

Ascend Participant API
Participant Impact
Customer Impact
Batch
Participants
Customers
website
participant.*
CloudFront
Events Event Logs
Allocation
Allocation Logs
Static Assets

Ascend Architecture
Participants
Customers
website
participant.*
CloudFront
Participant API (Geographically Distributed)
Allocation
Allocation Logs
Event Logs
Events Event Logs
Allocation
Stream
Event Stream Event Store
Athena
Allocation
Store
editor.*
Scheduler
Auto-Seg
API
Worker
Worker
Worker
Participant Impact
Customer Impact
Batch
Event
Transform
Allocation
Transform
Static Assets

Participant API – Request Flow in Excruciating Detail

The Outcome
Low latency
• All work is done in the participants closest edge location
Extremely inexpensive scale and
almost automatically supports new regions
• Lambda@Edge automatically distributes and spins up
instances based on utilization in new regions
No unutilized resources in our Participant APIs
• With CloudFront, Lambda@Edge, CloudWatch, Amazon
Kinesis Data Firehose, Amazon Simple Storage Service
(Amazon S3), Lambda, and Amazon Athena we have
predictable cost per request, which allows for a stable
margin
0
10
20
30
40
50
60
0
100
200
300
400
500
600
700
800
900
1000
Millions
Total AWS Costs versus ALL Lambda Traffic - Aug 1 through Aug 25,
2018
Series2 Series3 Series4 Series6 Series8 Series9
Series14 Series21 Series25 Series28 Series34

Ascend Participant API - Allocation
Participants
Customers
website
participant.*
CloudFront
Allocation Logs
• Bot Detection
• Traffic Filtering (Allocation)
• Content Negotiation
Participant Impact
Batch

1. Quick & Dirty Good Bot Detection
This is good when you need
to deliver specific content
for SEO.
You can use this in a Viewer
Request or Origin Request
triggered lambda.
const BOT_PATTERN_QUICK = /.*AdsBot-Google.*|.*Amazon
Route 53.*|.*PhantomJS.*|.*googlebot.*|.*slurp.*|.*Yahoo Ad
Monitoring.*|.*BingPreview.*|.*bingbot.*|.*gomezagent.*|.*Google
Page Speed Insights.*|.*Pingdom.*|.*yandex.*|.*
catchpoint.*|.*PTST.*|.*AppEngine-
Google.*|.*googleweblight.*/i;
module.exports = function(userAgent) {
if (!userAgent){
// Missing user agent should be considered NOT a bot
return false;
}
return BOT_PATTERN_QUICK.test(userAgent);
}

2. Useful Content for Traffic Filtering
Standard Headers
• User-Agent – Device Type, Platform, Browser
• IP – Location, ISP, Network Info
• Referer – Requesting Page In AJAX or asset request
• Origin – Current Origin Scope
• Accept-Language – Language Preferences
CloudFront Specific Headers
(Origin Request-Only)
• CloudFront-Is-Desktop-Viewer
• CloudFront-Is-Mobile-Viewer
• CloudFront-Is-Tablet-Viewer
• CloudFront-Viewer-Country
const bot = require('bot');
const { headers } =
event.Records[0].cf.request;
const ua = headers['user-agent'][0].value;
// Perform filtering using User-Agent
if (bot(ua)) {
…
}
};

Tip – Use Origin Request Event for Location Info
If you want to access the CloudFront-Viewer-Country header,
you’ll need to use an Origin Request event.

Tip – Whitelist Headers in CloudFront Behavior
CloudFront will only pass the
headers you’ve whitelisted.
Note: When debugging, always
check your CloudFront Behavior
configuration. This is where we
found the cause of most issues.

3. Simple Content Negotiation
Useful for…
• Delivering custom JavaScript
• Delivering device specific images
• Delivering localized assets
• And other stuff
Most content negotiation can be
handled in Viewer Requests, before
the edge-cache lookup.
const allocate = require('allocate');
const { request } = event.Records[0].cf;
const allocation = allocate(request);
// If allocated, rewrite origin
if (allocation) {
console.log(JSON.stringify(allocation));
request.uri = `/candidates/${allocation.cid}.js`;
}
};

Tip – You Can Rewrite the Whole Origin
Useful for…
• Proxying requests to third-party
services
• Using customer-specific Amazon S3
buckets
const origin = 'my-es-bucket.s3.amazonaws.com';
request.origin = {
s3: {
domainName: origin,
region: '',
authMethod: 'none',
path: ’’,
customHeaders: {}
}
};
request.headers['host'] = [
{ key: 'host', value: origin}
];
...

Tip: Use Another CF Behavior as an Origin
Participants
Origin
Request
Viewer
Request
Origin
CloudFront
Cache
If you need the data or functionality that is specific to an Origin Request triggered
Lambda, you can use another CloudFront Behavior, to significantly improve your
performance of cache-able origin calls.

Ascend Participant API - Events
Participants
Customers
website
participant.*
CloudFront
Events Logs
• Accessing request body
• Content Validation
• Persisting data through
CloudFront
Participant Impact
Batch

Handle Millions of Client Messages a Minute With CloudWatch
Lambda@Edge CloudWatch Data
Firehose
S3Lambda Athena
Participants
participant.*
CloudFront

4. Accessing the Request Body
Lambda@Edge recently
started allowing access to the
request body, which allows
you to build far cleaner
interfaces.
const querystring = require('querystring');
if (request.method === 'POST') {
const body = Buffer
.from(request.body.data, 'base64')
.toString();
const params = querystring.parse(body);
// Log for later processing
console.log(JSON.stringify(params));
}
return callback(null, request);
};

Tip – Allow Access to Body in Your Behavior Configuration

Tip – Make Simple Requests to Avoid CORS Pre-flights
You can avoid the pesky
ORIGIN request that proceeds
your cross-origin request by
using a “Simple request”.
Either way, always set your
Access-Control-Max-Age.
Definition of “Simple request”
Simple Methods
GET, HEAD, POST
Simple Headers
Accept, Accept-Language, Content-Language,
Content-Type, DPR, Downlink, Save-Data, Viewport-
Width, Width
Simple Content Types
application/x-www-form-urlencoded
multipart/form-data
text/plain

5. Content Validation with JSON Schema
JSON schema provides a
simple and robust
mechanism for validating
request bodies and query
strings.
const querystring = require('querystring');
const validate = require('jsonschema').validate;
const schemas = require('./schemas');
…
const body = …;
const params = querystring.parse(body);
if (!validate(schemas.event)) {
// Handle invalid request
}
// Log for later processing
console.log(JSON.stringify(params));
…
return callback(null, request);
};

Tip – Creating Message Subscriptions
CloudWatch messages are stored in the region where the Lambda was
executed, and you can’t subscribe until the log group in the region is
created.
Solution: Use a Lambda triggered when a log group is created in a new
region to create the subscription.
Sample Code https://github.com/tfoster/aws_reinvent_2018

Tip – Logging data for later processing
Subscribing to messages in the logs is easy when they’re JSON, and if you
want to get tricky you can use the RequestId to track cost per request.
START RequestId: c8f81037-d235-11e8-a0a0-337a26a790b2 Version: 130
2018-10-17T17:55:08.249Z c8f81037-d235-11e8-a0a0-337a26a790b2 { … }
END RequestId: c8f81037-d235-11e8-a0a0-337a26a790b2
REPORT RequestId: c8f81037-d235-11e8-a0a0-337a26a790b2 Duration: 82.04 ms Billed
Duration: 100 ms Memory Size: 128 MB Max Memory Used: 21 MB
LOG STRUCTURE

Tip – Use Parquet Serialization for Stored Messages
With a couple clicks when
you’re setting up your Amazon
Kinesis Data Firehose, you can
turn on Parquet serialization
for your stored messages.
This lets you work in JSON in
your transform Lambda, and
then automatically convert the
messages to the more efficient
Parquet format.

Thank you!
George John
georjohn@amazon.com
linkedin.com/in/find-george-john
Tyler Foster
tyler.foster@sentient.ai
linkedin.com/in/tylerfoster

Running Serverless at The Edge (CTD302) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Running Serverless at The Edge (CTD302) - AWS re:Invent 2018

Similar to Running Serverless at The Edge (CTD302) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Running Serverless at The Edge (CTD302) - AWS re:Invent 2018