AWS User Group Oslo March 2018 - Short version of Serverless Best Practices including Design Principles for Serverless Architectures

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Heitor Lessa, Serverless Specialist SA
lessa@amazon.com
Serverless Best Practices
a.k.a lessons learned from the field
@heitor_lessa

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• Design principles for Serverless Applications
• Best practices
• Deployment
• Testing
• Monitoring
• Security
• Performance
• Microservices

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Design principles for Serverless
applications

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
General design principles
Speedy, simple, singular

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Instead of Lambda based “monoliths”….
GET /pets
PUT /pets
DELETE /pets
GET /describe/pet/$id
PUT /describe/pet/$id
ONE LARGE LAMBDA FUNCTIONEVENT DRIVEN

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lambda based “nano-services”
EVENT DRIVEN Constellation of functions
GET /pets
PUT /pets
DELETE /pets
GET /describe/pet/$id
PUT /describe/pet/$id
Amazon
API Gateway

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
General design principles
Think concurrent requests, not total
requests

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Compute power: Don’t “guesstimate”
alexcasalboni
aws-lambda-power-tuning

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
General design principles
Share nothing

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Leverage container reuse but persistent storage for durable
state
s3 = boto3.resource('s3')
db = db.connect()
def lambda_handler(event, context):
global db
# verify if still connected
# otherwise carry on
if not db:
db = db.connect()
…
db.save(highly_durable_state)
...

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
General design principles
Orchestrate your application with
state machines, not functions

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Don’t orchestrate within your functions…STARTJOB
JOB#XSTARTED
HTTPPOST
HTTPPOST
AREWETHEREYET?
NOPE!
WE’REDONE!
ZzZz
OR
time.sleep(10)

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Step Functions with AWS Batch

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
General design principles
Design for failures and duplicates

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Applying Saga pattern with AWS Step Functions
theburningmonk.com/2017/07/applying-the-saga-pattern-with-aws-lambda-and-step-functions

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Best practices

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Deployment

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• Single responsibility principle == Single function
• Share resource information across stacks via
Export value or SSM Parameter Store
• Build out multiple environments, such as for
Development, Test, Production and even DR using
the same template, even across accounts
• Shared code == Language specific packages
Shared Event Source == Same template
SAM Template
Source
Control
Dev
Test
Prod
Deployment best practices

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Testing

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Testing strategies
Run Unit tests locally
Run Integration/Acceptance tests with real services
Leverage SAM Local and Lambda runtime AMI

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Monitoring

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cloudwatch – Metrics and streaming
Alarm on individual and aggregate metrics
(Throttling alarm !== Errors/Duration alarm)
Create Custom Metrics via Metric Filter
(Centralize logs from multiple accounts to Amazon ES)
Drill down application insights with X-Ray
(Too much time spent at logs == Lack of metrics)
Log only what’s necessary
(Use Environment Variables to control logging level)
built-in custom
Amazon Cloudwatch

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
X-Ray – Application Insights

25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Application instrumentation (Node.js)
const AWSXRay = require('aws-xray-sdk-core');
# Wraps AWS SDK and trace subsequent AWS Services
const AWS = AWSXRay.captureAWS(require('aws-sdk'));
const dynamoDb = new AWS.DynamoDB.DocumentClient();
const sqs = new AWS.SQS();
# Wraps HTTP calls made
const https = AWSXRay.captureHTTPs(require('https'));

26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security

27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Vulnerabilities and security scan
Application Security Best practices still apply
(Input validation/sanitization, code review, etc..)
One IAM Role per function
(permissions are easy to add but hard to remove)
Encrypt secrets with KMS integration
(Leverage EC2 SSM Parameter Store for shared secrets)
Automate security scans/controls into CI/CD
(Dependency CVEs, static/dynamic analysis, etc.)

28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What about cold starts?

29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
As seen on TV…

30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cold start: Understand the function lifecycle
Download
your code

31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Download
your code
Start new
process
Cold start: Understand the function lifecycle

32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bootstrap
the runtime
Cold start: Understand the function lifecycle
Download
your code
Start new
process

33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bootstrap
the runtime
Start your
code
Cold start: Understand the function lifecycle
Download
your code
Start new
process

34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bootstrap
the runtime
Start your
code
Cold start: Understand the function lifecycle
Full
cold start
Partial
cold start
Warm
start
Download
your code*
Start new
process
AWS optimization Your optimization

35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Download
your code*
Start new
process
Create
VPC ENI
Start your
code
Attach
VPC ENI
Full
cold start
Warm
start
Bootstrap
runtime
Partial
cold start
AWS optimization Your optimization
Cold start: Understand the function lifecycle
(VPC)

36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Don’t panic – Prod is consistent! VPC numbers

37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Look at the distribution not average
TP99: 99% of reqs were
below this data point

38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
TP99: 99% of reqs were
below this data point
TP50/Median: 50% either
above or below
Look at the distribution not average

39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What about Microservices?

40. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Just because you use Lambda, it’s not a micro
service
Ingest()
sanitize()
attach_
metadata()
cache()
This fails all three tenets: it’s not decoupled, has multiple
owners, it’s still a monolith to build

41. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
We can isolate a few services here
Ingest() sanitize() attach_
metadata()
cache
• Ingestion and sanitization live together
• Metadata should be a separate database/service,
queried by the ingestion service
• Cache and frontend should be a separate service that
uses data from the previous two
• You need to own the interfaces!

42. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Do you re-use services? APIs are the contract
Ingestion service
Ingestion
API
ingest
&
sanitize()
Metadata service
CRUD
API
read & write
metadata()
Frontend service
Frontend
API
express()
• We can create a new ingestion service that re-uses the
same metadata service
• We can modify the frontend without touching how the data is received and
processed

43. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Recap

44. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Key takeaways
Security application best
practices still apply
Decouple orchestration logic
from application logic
Optimize for single purpose;
leverage concurrency model

45. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Appendix

46. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Additional Resources - Whitepaper
Serverless Architectures
with AWS Lambda
November 2017
bit.ly/2zVvp0w
Optimizing Enterprise
Economics with
Serverless
Architectures
October 2017
bit.ly/2hQdy44
Serverless Applications
Lens
November 2017
bit.ly/serverless_lens

47. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Additional Resources - Playlist
re:Invent 2017 – Serverless Breakout Sessions
bit.ly/serverless_playlist17