1. in production
an experience reportan experience report
what you should know before you go to production
ServerlessServerless

2. Yan Cui
http://theburningmonk.com
@theburningmonk
Domas Lasauskas

5. apr, 2016

7. hey guys, vote on this post
and I’ll announce a winner at
10PM tonight

8. 10PM
traffic

9. 10PM
traffic
70-100x

10. low utilisation to leave room for spikes
EC2 scaling is slow, so scale earlier

11. lots of $$$ for unused resources

12. up to 30 mins for deployment
deployment required downtime

13. - Dan North
“lead time to someone saying
thank you is the only reputation
metric that matters.”

15. “what would good
look like for us?”

16. be small
be fast
have zero downtime
have no lock-step
DEPLOYMENTS SHOULD...

17. FEATURES SHOULD...
be deployable independently
be loosely-coupled

18. WE WANT TO...
minimise cost for unused resources
minimise ops effort
reduce tech mess
deliver visible improvements faster

19. nov, 2016

20. 170 Lambda functions in prod
1.2 GB deployment packages in prod
95% cost saving vs EC2
15x no. of prod releases per month

21. time
is a good fit

22. 1st function in prod!
time
is a good fit

23. ?
time
is a good fit
1st function in prod!

24. ALERTING
CI / CD
TESTING
LOGGING
MONITORING

25. Practices ToolsPrinciples
what is good? how to make it good? with what?

26. Principles outlast Tools

27. 170 functions
? ?
time
is a good fit
1st function in prod!

28. SECURITY
DISTRIBUTED TRACING
CONFIG MANAGEMENT

29. rebuilt search

30. Legacy Monolith Amazon Kinesis Amazon Lambda
Amazon CloudSearch

31. Legacy Monolith Amazon Kinesis Amazon Lambda
Amazon CloudSearchAmazon API Gateway Amazon Lambda

32. new analytics pipeline

33. Legacy Monolith Amazon Kinesis Amazon Lambda
Google BigQuery

34. Legacy Monolith Amazon Kinesis Amazon Lambda
Google BigQuery
1 developer, 2 days
design production
(his 1st serverless project)

35. Legacy Monolith Amazon Kinesis Amazon Lambda
Google BigQuery
“nothing ever got done
this fast at Skype!”
- Chris Twamley

36. - Dan North
“lead time to someone saying
thank you is the only reputation
metric that matters.”

37. Rebuilt
with Lambda

45. nov, 2016

46. evolving the PLATFORM

47. rebuilt search

48. Legacy Monolith Amazon Kinesis Amazon Lambda
Amazon CloudSearch

49. Legacy Monolith Amazon Kinesis Amazon Lambda
Amazon CloudSearchAmazon API Gateway Amazon Lambda

50. new analytics pipeline

51. Legacy Monolith Amazon Kinesis Amazon Lambda
Google BigQuery

52. Legacy Monolith Amazon Kinesis Amazon Lambda
Google BigQuery
1 developer, 2 days
design production
(his 1st serverless project)

53. Legacy Monolith Amazon Kinesis Amazon Lambda
Google BigQuery
“nothing ever got done
this fast at Skype!”
- Chris Twamley

54. - Dan North
“lead time to someone saying
thank you is the only reputation
metric that matters.”

55. Rebuilt
with Lambda

61. Expensive operations
SNS retries for “free”

64. nov, 2016

65. nov, 2016
Decouple using events
Small iterative features
Proxy old endpoints
Focus on delivering value
Leverage cloud services
recap

66. getting PRODUCTION READY

67. choose a tried-and-tested
deployment framework,
don’t invent your own

68. http://serverless.com

69. https://github.com/awslabs/serverless-application-model

70. http://apex.run

71. https://apex.github.io/up

72. https://github.com/claudiajs/claudia

73. https://github.com/Miserlou/Zappa

74. http://gosparta.io/

75. TESTING

76. amzn.to/29Lxuzu

77. Level of Testing
1.Unit
do our objects do the right thing?
are they easy to work with?

79. Level of Testing
1.Unit
2.Integration
does our code work against code we
can’t change?

80. handler

81. handler
test by invoking
the handler

82. Level of Testing
1.Unit
2.Integration
3.Acceptance
does the whole system work?

83. Level of Testing
unit
integration
acceptance
feedback
confidence

84. Don’t Mock Types You Can’t Change

85. Don’t Mock Types You Can’t Change
Services

86. Paul Johnston
The serverless approach to
testing is different and may
actually be easier.
http://bit.ly/2t5viwK

87. LambdaAPI Gateway DynamoDB

88. LambdaAPI Gateway DynamoDB
Unit Tests

89. LambdaAPI Gateway DynamoDB
Unit Tests
Mock/Stub

90. is our request correct?
is the request mapping
set up correctly?is the API resources
configured correctly?
are we assuming the
correct schema?
LambdaAPI Gateway DynamoDB
is Lambda proxy
configured correctly?
is IAM policy set
up correctly?
is the table created?
what unit tests will not tell you…

92. most Lambda functions are simple
have single purpose, the risk of
shipping broken software has largely
shifted to how they integrate with
external services
observation

94. optimize towards shipping working
software, even if it means slowing
down your feedback loop…

95. learning the wrong thing faster does not
help us deliver working software faster

96. Legacy Monolith Amazon Kinesis Amazon Lambda
Amazon CloudSearchAmazon API Gateway Amazon Lambda

97. Legacy Monolith Amazon Kinesis Amazon Lambda
Amazon CloudSearchAmazon API Gateway Amazon Lambda
Test Input

98. Legacy Monolith Amazon Kinesis Amazon Lambda
Amazon CloudSearchAmazon API Gateway Amazon Lambda
Test Input
Validate

99. integration tests exercise
system’s Integration with its
external dependencies
my code

100. acceptance tests exercise
system End-to-End from
the outside
my code

101. integration tests differ from
acceptance tests only in HOW the
Lambda functions are invoked
observation

104. CI + CD PIPELINE

105. end-to-end tests exercise both
the system and the process by which
it’s built and deployed
…has to be done
anyway repeatedly
during the software’s
lifetime…

106. Yan
the earlier you consider CI/CD
the more time you save in the
long run

107. Yan
deployment scripts that only
live on the CI box is a disaster
waiting to happen…

108. Jenkins build config deploys and tests
unit + integration tests
deploy
acceptance tests

109. if [ "$1" = "deploy" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE 'node_modules/.bin/sls' deploy -s $STAGE -r $REGION
elif [ "$1" = "int-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run int-$STAGE
elif [ "$1" = "acceptance-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run acceptance-$STAGE
else
usage
exit 1
fi

110. if [ "$1" = "deploy" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE 'node_modules/.bin/sls' deploy -s $STAGE -r $REGION
elif [ "$1" = "int-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run int-$STAGE
elif [ "$1" = "acceptance-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run acceptance-$STAGE
else
usage
exit 1
fi
install Serverless Framework
as dev dependency

111. if [ "$1" = "deploy" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE 'node_modules/.bin/sls' deploy -s $STAGE -r $REGION
elif [ "$1" = "int-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run int-$STAGE
elif [ "$1" = "acceptance-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run acceptance-$STAGE
else
usage
exit 1
fi
install Serverless Framework
as dev dependency
mitigate version
conflicts

112. build.sh allows repeatable
builds on both local & CI
or NPM script, or Gradle, or …

114. Auto Auto Manual

116. nov, 2016
Automate early
Reproducible locally & on CI
Use version control
Release process to fit your team
recap

117. LOGGING

119. 2016-07-12T12:24:37.571Z 994f18f9-482b-11e6-8668-53e4eab441ae
GOT is off air, what do I do now?

120. 2016-07-12T12:24:37.571Z 994f18f9-482b-11e6-8668-53e4eab441ae
GOT is off air, what do I do now?
UTC Timestamp API Gateway Request Id
your log message

121. CloudWatch Logs are too basic

122. …but you can stream them somewhere else
CloudWatch Logs are too basic

123. CloudWatch Logs AWS Lambda ELK stack

124. …

125. AWS CloudTrail
events on resource operations
CloudWatch Events

126. Serverless Framework

128. DISTRIBUTED TRACING

130. a user
my followers didn’t receive
my new post!

131. where could the
problem be?

132. correlation IDs*
* eg. request-id, user-id, yubl-id, etc.

133. wrap HTTP client & AWS SDK clients
to forward captured correlation IDs

134. kinesis client
http client
sns client

135. use X-Ray for performance tracing

136. Amazon X-Ray

137. Amazon X-Ray

138. X-Ray traces do not span over API
Gateway, or async event sources

139. MONITORING + ALERTING

140. no place to install agents/daemons

141. • invocation Count
• error Count
• latency
• throttling
• granular to the minute
• support custom metrics

142. • same metrics as CW
• better dashboard
• support custom metrics
https://www.datadoghq.com/blog/monitoring-lambda-functions-datadog/

146. my code

147. my code

148. my code
internet internet
press button something happens

149. those extra 10-20ms for
sending custom metrics
would compound when
you have microservices
and multiple APIs are
called within one slice
of user event

150. Amazon found every 100ms of latency
cost them 1% in sales.
http://bit.ly/2EXPfbA

151. no more background processing,
other than what the platform provides

152. console.log(“hydrating yubls from db…”);
console.log(“fetching user info from user-api”);
console.log(“MONITORING|1489795335|27.4|latency|user-api-latency”);
console.log(“MONITORING|1489795335|8|count|yubls-served”);
timestamp metric value
metric type
metric namemetrics
logs

153. CloudWatch Logs AWS Lambda
ELK stack
logs
metrics
CloudWatch

154. don’t forget to setup dashboards
& CW alarms

155. CONFIG MANAGEMENT

156. design for easy & quick
propagation of config changes

158. me
Environment variables make it
hard to share configurations
across functions.

159. me
Environment variables make it
hard to implement fine-grained
access to sensitive info.

160. config service
goes here

164. SSM
Parameter
Store

165. sensitive data should be encrypted
in-flight, and at-rest

166. enforce role-based access to sensitive
configuration values

167. SSM Parameter Store
HTTPS
role-based access
encrypted in-flight

168. SSM Parameter Store
encrypt
role-based access

169. SSM Parameter Store
encrypted at-rest

170. HTTPS
role-based access
SSM Parameter Store
encrypted in-flight

171. invest into a robust client library

172. fetch & cache at cold-start

173. invalidate at interval & weak signals

174. that’s all for now, folks ;-)

175. API Gateway and Kinesis
Authentication & authorisation (IAM, Cognito)
Testing
Running & Debugging functions locally
Log aggregation
Monitoring & Alerting
X-Ray
Correlation IDs
CI/CD
Performance and Cost optimisation
Error Handling
Configuration management
VPC
Security
Leading practices (API Gateway, Kinesis, Lambda)
Canary deployments
http://bit.ly/production-ready-serverless
get 40% off
with: ytcui

176. @theburningmonk
theburningmonk.com
github.com/theburningmonk