AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)
•
7 likes•1,780 views
Provisioning, scaling, and managing physical or virtual servers—and the applications that run on them—has long been a core activity for developers and system administrators. The expanding array of managed AWS cloud services, including AWS Lambda, Amazon DynamoDB, Amazon API Gateway and more, increasingly allows organizations to focus on delivering business value without worrying about managing the underlying infrastructure or paying for idle servers and other fixed costs of cloud services. In this session, we discuss the design, development, and operation of these next-generation solutions on AWS. Whether you're developing end-user web applications or back-end data processing systems, join us in this session to learn more about building your applications without servers.
Report
Share
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)
Similar to AWS re:Invent 2016: Building Complex Serverless Applications (GPST404) (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. David Potes, AWS Partner Solutions Architect Ajay Nair, AWS Principal Product Manager November 29, 2016 GPST404 Building Complex Serverless Applications
- 2. Agenda • Why serverless? • Serverless elements on AWS • Securing your cloud • Tips and tricks • Design patterns
- 4. Bustle.com • 52 million monthly users • 100 million events daily • 84% cost savings • 0 servers • 0 operating system patches • Automatic scaling
- 5. Amazon API Gateway AWS Lambda Amazon Kinesis AWS Lambda Redis Amazon Mobile Analytics Amazon CloudWatch Amazon Elasticsearch Service Amazon S3 Amazon RedshiftAmazon QuickSightEngineering Marketing & Operations Design Bustle.com users Bustle.com event stream processing
- 6. The serverless compute manifesto Functions are the unit of deployment and scaling. No machines, VMs, or containers visible in the programming model. Permanent storage lives elsewhere. Scales per request. Users cannot over- or under-provision capacity. Never pay for idle (no cold servers/containers or their costs). Implicitly fault-tolerant because functions can run anywhere. BYOC – Bring your own code. Metrics and logging are a universal right.
- 7. Multiple ways to put Lambda to work AWS CloudFormation custom resources Amazon Echo skills Amazon SWF tasks Customized notifications with Amazon SNS Amazon Cognito triggers Amazon S3 triggers Amazon Dynamo DB triggers Amazon Kinesis processors Microservices with API Gateway Alexa, do my expense report And the list continues to grow!
- 8. Mo APIs, Mo Problems Managing multiple versions and stages of an API is difficult. Monitoring third-party developers’ access is time consuming. Access authorization is a challenge. Traffic spikes create an operational burden. What if I don’t want servers at all?
- 9. • Host multiple versions and stages of your APIs • Create and distribute API keys to developers • Leverage signature version 4 to authorize access to APIs • Throttle and monitor requests to protect your back end • Managed cache to store API responses Amazon API Gateway
- 10. Throttle Usage plans: Throttle, Enforce and Track Internet Mobile apps Websites Partner Services AWS Lambda functions API Gateway response cache Endpoints on Amazon EC2 Any publicly accessible endpoint Amazon CloudWatch Amazon CloudFront API Gateway
- 11. Microservices and AWS Lambda AWS Lambda + Amazon API Gateway is the easiest way to create microservices • Event handlers one function per event type • Serverless back ends one function per API / path • Data processing one function per data type
- 12. Tips and Tricks
- 14. Things To Remember: Lambda Function Memory = “Power Level” Higher levels offer more memory and more CPU power Performance tuning Just-in-time initialization = latency cost the first time (‘cold starts”) Container reuse to avoid latency on repeat calls Use reuse to your advantage! Functions don’t have a notion of state Use DynamoDB, S3, or ElastiCache for persistence OK to use local cache (just clean up after yourself) Use environment variables to pass metadata into your code
- 15. Things To Remember: Lambda Application Lambda scales by events/requests Stream based = number of shards; request* duration for everything else Plan for concurrent request rate on downstream services Retries are built in for asynchronous and Stream invokes Throttles and errors retried Plan for retries within your client for synchronous applications Use the right access control for downstream services IAM roles and permissions for AWS services KMS for storing credentials for downstream endpoints
- 16. AWS Lambda VPC essentials • All Lambda functions run in a VPC, all the time • You can also grant Lambda functions access to resources in your own VPC (optional) • Functions configured for VPC access lose internet access by default • The ENIs used by Lambda’s VPC feature hit your quota • Ensure your subnets have enough IPs for those ENIs. • Specify at least one subnet in each Availability Zone
- 17. AWS Serverless Application Model (“SAM”) • A common language for describing the contents of a serverless app. • CloudFormation now “speaks serverless” with native support for SAM. • New CloudFormation tools to package and deploy Lambda-based apps. • Export Lambda blueprints and functions in SAM from the AWS Lambda console
- 18. Best Practice – Use Versions And Aliases Versions = immutable copies of code + properties Aliases = mutable pointers to versions Rollbacks Staged promotions “Lock” behavior for client
- 19. Design Patterns
- 20. Interactive Backends • Bots • Webhooks Autonomous IT • Policy engines • Infrastructure management Analytics • Operational management • Live Dashboards Data workflows • Content management • ETL workflows Multiple Application Types
- 21. Amazon API Gateway: Serverless APIs Internet Mobile apps Websites Services AWS Lambda functions AWS API Gateway cache Endpoints on Amazon EC2 Any other publicly accessible endpointAmazon CloudWatch Amazon CloudFront Amazon API Gateway
- 22. Amazon Cognito Authenticate & sync Amazon Mobile Analytics Analyze user behavior AWS Lambda Run business logic Amazon S3 Amazon DynamoDB Store content Store data Amazon SNS mobile push notifications Send push notifications Serverless Mobile App on AWS Mobile SDK Amazon API Gateway
- 24. Ingest/ Collect Consume/ visualize Store Process/ analyze Data 1 4 0 9 5 Outcomes & Insights Personalized recommendations within seconds (from 15-20 min) Scale the expertise of stylists to all shoppers Reduce costs by 2X order of magnitude … Mobile Users Desktop Users Analytics Tools Online Stylist Amazon Redshift Amazon Kinesis AWS Lambda Amazon DynamoDB AWS Lambda Amazon S3 Data Storage E commerce personalization
- 25. Laptop Encoders HLS S3 Playback VOD Stream mobile client CloudFront Streaming Live stream mobile client CloudFront S3 Ingest 480p Transcode HQ Copy 360p Transcode Audio-only Transcode Thumbnail QOS Analytics Cascading Lambda Functions Live video transcoding
- 26. Where NOT to consider Lambda (today) • Large software dependencies: Custom software applications with licensing agreements such as MS-Office document processing, EDA tools, Oracle databases, etc. • OS dependencies: Software packages or applications which rely on calling underlying Windows RPCs • Custom hardware: GPU acceleration, hardware affinity
- 28. Security model for AWS API calls Mobile client IAM PermissionsAWS Security Token Service 1. Request token 2. Receive temporary credentials 3. Sign API request with temporary token AWS service APIs 4. Make API request against AWS service API
- 29. Web Identity Federation Users IAM Web identity federation (Fine-grained access control) Amazon DynamoDB
- 30. Fine-Grained Access Control Images Table User Image Date Link Bob aed4c 2013-10-01 s3://… Bob 5f2e2 2013-09-05 s3://… Bob f93bae 2013-10-08 s3://… Alice ca61a 2013-09-12 s3://… “Allow all authenticated Facebook users to query the Images table, but only on items where their Facebook ID is the hash key” Bob “logs in” using web identity federation
- 31. Fine-Grained Access Control Images Table User Image Date Link Bob aed4c 2013-10-01 s3://… Bob 5f2e2 2013-09-05 s3://… Bob f93bae 2013-10-08 s3://… Alice ca61a 2013-09-12 s3://… Bob Bob can query for images where User=“Bob” Bob cannot query for images where User=“Alice”
- 32. Authenticated flow in depth Mobile apps AWS Lambda lambdaHandler API Gateway Sigv4 Invoke with caller credentials Service calls are authorized using the IAM role Learn more about fine-grained access permissions http://amzn.to/1YkxcjR DynamoDB
- 33. Amazon Cognito • Generate temporary credentials and enforce rotation to limit credential lifetime • Authenticate through 3rd-party or Cognito Identity Pools • Optionally allow anonymous access • Enables security best practices through IAM roles
- 34. Policy Variables – Amazon DynamoDB <!– DynamoDB policy --> { "Effect" : "Allow", "Action" : [ "dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem" ], "Resource" : "arn:aws:dynamodb:REGION:12345678:table/UserData", "Condition" : { "ForAllValues:StringEquals" : { "dynamodb:LeadingKeys" : "${cognito-identity.amazonaws.com:sub}" } } } Will be replaced by the identity ID
- 35. API call flows Mobile apps AWS Lambda lambdaHandler Register Login API Gateway Mobile apps AWS Lambda lambdaHandler ListPets GetPet API Gateway Assume Role CreatePet Sigv4 Invoke with caller credentials Authorized by IAM http://bit.ly/28P5ypl
- 36. Block “bad actors” with CloudFront WAF + API Gateway http://amzn.to/28SekaB
- 37. Auto-import IP Address Reputation Lists Amazon CloudFront AWS WAF AWS Lambda Amazon CloudWatch Elastic Load Balancing Amazon EC2 Amazon RDS Bad Users (based on ip reputation) Good users (based on ip source) 3rd party Reputation listshttp://amzn.to/28O6I6O
- 38. Auto-block by request rate & bad requests Amazon CloudFront AWS WAF AWS Lambda Amazon CloudWatch Elastic Load Balancing Amazon EC2 Amazon RDS Bad Users (based on ip source) Good users (based on ip source) http://amzn.to/28P16XX | http://amzn.to/28Uqz6l Static S3 content CloudFront Access Logs
- 39. Auto-block by request rate & bad requests http://amzn.to/28P16XX | http://amzn.to/28Uqz6l
- 40. VPC Flow Logs • Agentless • Enable per ENI, per subnet, or per VPC • Logged to CloudWatch Logs • Create CloudWatch metrics from log data • Alarm on those metrics AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start/end time Accept or reject
- 41. VPC Flow Logs: Automation Amazon SNS CloudWatch Logs Private subnet Compliance app AWS Lambda If SSH REJECT > 10, then… Elastic Network Interface Metric filter Filter on all SSH REJECTFlow Log group CloudWatch alarm Source IP
- 42. Growing Serverless Ecosystem Logging and Monitoring Applications and Deployment Build and CI/CD
- 43. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Register for a Bootcamp Get in-depth knowledge and training from AWS Instructors and Solutions Architects. reinvent.awsevents.com/training #AWSTraining Get AWS Certified Onsite Demonstrate your technical proficiency and receive special recognition onsite. Register today. reinvent.awsevents.com/certification #AWSCertified Take Hands-on Labs Practice with AWS in a live environment. Choose from 100+ lab topics and attend a Spotlight Lab session. Free Onsite
- 44. Thank you!
- 45. Remember to complete your evaluations!