AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)


Transcript of AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Page 1: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

David Potes, AWS Partner Solutions Architect

Ajay Nair, AWS Principal Product Manager

November 29, 2016

GPST404

Building Complex

Serverless Applications

Page 2: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Agenda

• Why serverless?

• Serverless elements on AWS

• Securing your cloud

• Tips and tricks

• Design patterns

Page 3: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Why serverless?

Page 4: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Bustle.com

• 52 million monthly users

• 100 million events daily

• 84% cost savings

• 0 servers

• 0 operating system patches

• Automatic scaling

Page 5: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

[Diagram: Bustle.com event stream processing. Services shown: Amazon API Gateway, AWS Lambda, Amazon Kinesis, AWS Lambda, Redis, Amazon Mobile Analytics, Amazon CloudWatch, Amazon Elasticsearch Service, Amazon S3, Amazon Redshift, Amazon QuickSight. Bustle.com users feed the pipeline; Engineering, Marketing & Operations and Design consume the results.]

Page 6: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

The serverless compute manifesto

Functions are the unit of deployment and scaling.

No machines, VMs, or containers visible in the programming model.

Permanent storage lives elsewhere.

Scales per request. Users cannot over- or under-provision capacity.

Never pay for idle (no cold servers/containers or their costs).

Implicitly fault-tolerant because functions can run anywhere.

BYOC – Bring your own code.

Metrics and logging are a universal right.

Page 7: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Multiple ways to put Lambda to work

• AWS CloudFormation custom resources

• Amazon Echo skills ("Alexa, do my expense report")

• Amazon SWF tasks

• Customized notifications with Amazon SNS

• Amazon Cognito triggers

• Amazon S3 triggers

• Amazon DynamoDB triggers

• Amazon Kinesis processors

• Microservices with API Gateway

And the list continues to grow!

Page 8: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Mo APIs, Mo Problems

Managing multiple versions and stages of an API is difficult.

Monitoring third-party developers’ access is time consuming.

Access authorization is a challenge.

Traffic spikes create an operational burden.

What if I don’t want servers at all?

Page 9: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Amazon API Gateway

• Host multiple versions and stages of your APIs

• Create and distribute API keys to developers

• Leverage signature version 4 to authorize access to APIs

• Throttle and monitor requests to protect your back end

• Managed cache to store API responses

Page 10: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Usage plans: Throttle, Enforce and Track

[Diagram: clients on the Internet (mobile apps, websites, partner services) reach Amazon API Gateway through Amazon CloudFront. API Gateway throttles per usage plan, serves from its response cache, reports to Amazon CloudWatch, and forwards requests to AWS Lambda functions, endpoints on Amazon EC2, or any publicly accessible endpoint.]

Page 11: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Microservices and AWS Lambda

AWS Lambda + Amazon API Gateway is the easiest way to create microservices

• Event handlers: one function per event type

• Serverless back ends: one function per API / path

• Data processing: one function per data type

Page 12: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Tips and Tricks

Page 13: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Event Driven Scaling

Three invocation models (the first two are the InvocationType values of Lambda.Invoke; streams are polled by Lambda):

ASYNCHRONOUS: "Event"

SYNCHRONOUS: "RequestResponse"

STREAMS: Lambda polls the stream (Kinesis, DynamoDB Streams) and invokes the function with each batch of records

Page 14: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Things To Remember: Lambda Function

Memory = "power level": higher levels offer more memory and proportionally more CPU power

Performance tuning: just-in-time initialization costs latency the first time ("cold starts"); the container is reused, so repeat calls skip that cost. Use reuse to your advantage!

Functions don't have a notion of state: use DynamoDB, S3, or ElastiCache for persistence. A local cache in /tmp is OK (just clean up after yourself, the space is small and shared across invocations on the same container)

Use environment variables to pass metadata into your code
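The points above in one handler: work done at module scope runs once per container and is reused, configuration arrives through environment variables, and the /tmp cache is bounded and cleaned up. This is an added example, not code from the deck; the event shape ({"item_id": ...}), the environment variable names, the cache limits and the `_expensive_lookup` stand-in are assumptions made for illustration.

```python
"""Container reuse, env-var metadata and a bounded local cache in a Lambda handler.
Added example, not from the deck. The event shape, the env-var names and the
_expensive_lookup stand-in are assumptions made for illustration."""
import hashlib
import json
import os
import tempfile
import time
import uuid
from typing import Optional

# Everything at module scope runs once per container (the cold start) and is
# then reused by every invocation that lands on the same container.
CONTAINER_ID = uuid.uuid4().hex
CONFIG = {
    # Assumed variable names: metadata injected through Lambda environment variables.
    "table": os.environ.get("TABLE_NAME", "UserData"),
    "cache_ttl": int(os.environ.get("CACHE_TTL_SECONDS", "300")),
    "cache_max": int(os.environ.get("CACHE_MAX_ENTRIES", "64")),
}
# On Lambda the only writable disk is /tmp and it is small, so the cache is bounded.
CACHE_DIR = tempfile.mkdtemp(prefix="fn-cache-")
STATS = {"hits": 0, "misses": 0}


def _expensive_lookup(item_id: str) -> dict:
    """Stand-in for a slow downstream call (DynamoDB, S3, an HTTP API)."""
    return {"id": item_id, "digest": hashlib.sha256(item_id.encode()).hexdigest()[:16]}


def _cache_path(item_id: str) -> str:
    # Hash the key so an untrusted item ID can never become a path component.
    return os.path.join(CACHE_DIR, hashlib.sha256(item_id.encode()).hexdigest())


def _evict_if_needed() -> None:
    """Clean up after yourself: drop the oldest entries once the cache exceeds cache_max."""
    paths = sorted((os.path.join(CACHE_DIR, f) for f in os.listdir(CACHE_DIR)),
                   key=os.path.getmtime)
    for path in paths[: max(0, len(paths) - CONFIG["cache_max"])]:
        os.remove(path)


def cache_size() -> int:
    return len(os.listdir(CACHE_DIR))


def get_item(item_id: str, now: Optional[float] = None) -> dict:
    """Return the item, serving from the local cache while the entry is within its TTL."""
    now = time.time() if now is None else now
    path = _cache_path(item_id)
    if os.path.exists(path):
        with open(path) as fh:
            entry = json.load(fh)
        if now - entry["fetched_at"] < CONFIG["cache_ttl"]:
            STATS["hits"] += 1
            return entry
        os.remove(path)  # expired
    STATS["misses"] += 1
    entry = dict(_expensive_lookup(item_id), fetched_at=now)
    with open(path, "w") as fh:
        json.dump(entry, fh)
    os.utime(path, (now, now))  # mtime == logical fetch time, so eviction order is deterministic
    _evict_if_needed()
    return entry


def handler(event: dict, context=None) -> dict:
    """Lambda entry point; `context` is the runtime-supplied context object, unused here."""
    entry = get_item(str(event["item_id"]))
    body = {"container": CONTAINER_ID, "table": CONFIG["table"], "item": entry}
    return {"statusCode": 200, "body": json.dumps(body)}
```

Two invocations that land on the same container report the same `container` value and the second one is served from the cache; a container that is recycled starts with an empty /tmp, so nothing here may be relied on for correctness, only for speed.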

Page 15: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Things To Remember: Lambda Application

Lambda scales by events/requests

Stream based = number of shards; request rate × average duration for everything else

Plan for the resulting concurrent request rate on downstream services

Retries are built in for asynchronous and stream invokes

Throttles and errors are retried

Plan for retries within your client for synchronous applications (RequestResponse invokes are not retried for you)

Use the right access control for downstream services

IAM roles and permissions for AWS services

KMS to encrypt credentials for downstream endpoints (store only the ciphertext, for example in environment variables, and decrypt at runtime with the function's role)
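Sizing the concurrency a downstream service must absorb, and the client-side retry that synchronous callers need because Lambda does not retry RequestResponse invokes for them. This is an added example, not code from the deck; `ThrottledError` and the fake invoker stand in for the SDK's Invoke call raising TooManyRequestsException, and the backoff parameters are assumptions.

```python
"""Concurrency sizing and client-side retry for synchronous Lambda invokes.
Added example, not from the deck. ThrottledError and make_flaky_invoker stand in
for lambda:Invoke raising TooManyRequestsException; backoff values are assumptions."""
import math
import random
import time
from typing import Callable, Dict, List, Optional, Tuple


def required_concurrency(requests_per_second: float, avg_duration_seconds: float) -> int:
    """Non-stream sources: concurrent executions ≈ request rate × duration, rounded up.
    Size downstream connection pools / provisioned throughput from this number."""
    return math.ceil(requests_per_second * avg_duration_seconds)


def stream_concurrency(shard_count: int) -> int:
    """Stream-based sources (Kinesis, DynamoDB Streams): one invocation per shard at a time."""
    return shard_count


class ThrottledError(Exception):
    """Stand-in for the TooManyRequestsException a synchronous Invoke returns when throttled."""


def invoke_with_retry(invoke: Callable[[Dict], Dict], payload: Dict, max_attempts: int = 5,
                      base_delay: float = 0.05, cap: float = 1.0,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Optional[random.Random] = None) -> Dict:
    """Retry a RequestResponse invoke with full-jitter exponential backoff.
    Re-raises the last ThrottledError once max_attempts is exhausted."""
    rng = rng or random.Random()
    for attempt in range(max_attempts):
        try:
            return invoke(payload)
        except ThrottledError:
            if attempt == max_attempts - 1:
                raise
            # Full jitter: uniform in [0, min(cap, base * 2^attempt)] spreads retries out
            # so a burst of throttled clients does not retry in lockstep.
            sleep(rng.uniform(0, min(cap, base_delay * 2 ** attempt)))
    raise AssertionError("unreachable: loop always returns or raises")


def make_flaky_invoker(throttle_first: int) -> Tuple[Callable[[Dict], Dict], List[Dict]]:
    """Constructed fake: throttles the first N calls, then succeeds. Returns (invoker, call log)."""
    calls: List[Dict] = []

    def invoke(payload: Dict) -> Dict:
        calls.append(payload)
        if len(calls) <= throttle_first:
            raise ThrottledError("Rate Exceeded.")
        return {"StatusCode": 200, "Payload": {"echo": payload}}

    return invoke, calls
```

With 100 requests per second and a 200 ms average duration the downstream service sees about 20 concurrent callers; the retry helper is only for synchronous callers, since asynchronous and stream invokes are already retried by the service.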

Page 16: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

AWS Lambda VPC essentials

• All Lambda functions run in a VPC, all the time (a Lambda-managed VPC unless you configure your own)

• You can also grant Lambda functions access to resources in your own VPC (optional)

• Functions configured for VPC access lose internet access by default (route outbound traffic through a NAT gateway in your VPC if they need it)

• The ENIs used by Lambda's VPC feature count against your ENI quota

• Ensure your subnets have enough free IPs for those ENIs

• Specify at least one subnet in each Availability Zone

Page 17: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

AWS Serverless Application Model (“SAM”)

• A common language for describing the contents of a serverless app.

• CloudFormation now “speaks serverless” with native support for

SAM.

• New CloudFormation tools to package and deploy Lambda-based

apps.

• Export Lambda blueprints and functions in SAM

from the AWS Lambda console

Page 18: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Best Practice – Use Versions And Aliases

Versions = immutable copies of code + properties

Aliases = mutable pointers to versions

Use them for: rollbacks, staged promotions, and "locking" behavior for a client

Page 19: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Design Patterns

Page 20: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Multiple Application Types

Interactive Backends

• Bots

• Webhooks

Autonomous IT

• Policy engines

• Infrastructure management

Analytics

• Operational management

• Live Dashboards

Data workflows

• Content management

• ETL workflows

Page 21: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Amazon API Gateway: Serverless APIs

[Diagram: clients on the Internet (mobile apps, websites, services) reach Amazon API Gateway through Amazon CloudFront. API Gateway serves from its cache, reports to Amazon CloudWatch, and forwards requests to AWS Lambda functions, endpoints on Amazon EC2, or any other publicly accessible endpoint.]

Page 22: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Serverless Mobile App on AWS

Mobile SDK and Amazon API Gateway on the client side; behind them:

• Amazon Cognito: authenticate & sync

• Amazon Mobile Analytics: analyze user behavior

• AWS Lambda: run business logic

• Amazon S3: store content

• Amazon DynamoDB: store data

• Amazon SNS mobile push notifications: send push notifications

Page 23: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Realtime analytics

Page 24: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

E-commerce personalization

[Diagram: data flows from mobile users and desktop users through Ingest/Collect (Amazon Kinesis) → Store (Amazon S3, Amazon DynamoDB, Amazon Redshift) → Process/analyze (AWS Lambda) → Consume/visualize (analytics tools, online stylist).]

Outcomes & Insights

• Personalized recommendations within seconds (from 15-20 min)

• Scale the expertise of stylists to all shoppers

• Reduce costs by 2X order of magnitude

Page 25: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Live video transcoding

[Diagram: cascading Lambda functions. A laptop feeds encoders, which push HLS segments to S3 ingest via CloudFront; Lambda functions then produce an HQ copy, 480p transcode, 360p transcode, audio-only transcode, thumbnail, and QOS analytics. Playback of the live stream and the VOD stream goes to mobile clients through CloudFront streaming.]

Page 26: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Where NOT to consider Lambda (today)

• Large software dependencies: Custom software applications with

licensing agreements such as MS-Office document processing, EDA

tools, Oracle databases, etc.

• OS dependencies: Software packages or applications which rely

on calling underlying Windows RPCs

• Custom hardware: GPU acceleration, hardware affinity

Page 27: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Securing serverless

Page 28: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Security model for AWS API calls

[Diagram: a mobile client, the AWS Security Token Service (governed by IAM permissions), and the AWS service APIs]

1. The mobile client requests a token from AWS STS

2. It receives temporary credentials

3. It signs the API request with the temporary credentials

4. It makes the API request against the AWS service API
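Step 3 in working form: the Signature Version 4 computation a client performs over the temporary credentials it received from STS, including the session token that rides along as a signed header. This is an added example, not code from the deck; the request, access key and secret key are the placeholder values from the AWS SigV4 documentation (IAM ListUsers, 2015-08-30), and the session token is made up. Real clients let the SDK do this; the point is to see exactly what is signed.

```python
"""AWS Signature Version 4 over temporary credentials (step 3 of the flow above).
Added example, not from the deck. The request and the AKIDEXAMPLE key pair are the
placeholder values from the AWS SigV4 documentation; the session token is constructed."""
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, path: str, query: Dict[str, str],
                      headers: Dict[str, str], payload: bytes) -> str:
    """Canonical request: method, normalized path, sorted+encoded query, lower-cased
    sorted headers with trimmed values, the signed-header list, and the payload hash."""
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    lowered = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in lowered)
    signed_headers = ";".join(k for k, _ in lowered)
    return "\n".join([method.upper(), path, canonical_query, canonical_headers,
                      signed_headers, _sha256_hex(payload)])


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        k = _hmac_sha256(k, part)
    return k


def sign_request(method: str, host: str, path: str, query: Dict[str, str],
                 headers: Dict[str, str], payload: bytes, access_key: str, secret_key: str,
                 region: str, service: str, amz_date: str,
                 session_token: Optional[str] = None) -> Dict[str, object]:
    """Return the signed headers plus the intermediate values, so each step can be checked."""
    headers = dict(headers)
    headers["host"] = host
    headers["x-amz-date"] = amz_date
    if session_token:
        # Temporary (STS / Cognito) credentials: the token is sent as a signed header,
        # so a stolen signature cannot be replayed with a different token.
        headers["x-amz-security-token"] = session_token
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    creq = canonical_request(method, path, query, headers, payload)
    creq_hash = _sha256_hex(creq.encode("utf-8"))
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, creq_hash])
    key = signing_key(secret_key, amz_date[:8], region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    signed_headers = ";".join(sorted(k.lower() for k in headers))
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"headers": headers, "canonical_request": creq, "canonical_request_hash": creq_hash,
            "string_to_sign": string_to_sign, "signature": signature}


# Documented example input from the AWS SigV4 docs (placeholder credentials, not real ones).
DOC_EXAMPLE = dict(method="GET", host="iam.amazonaws.com", path="/",
                   query={"Action": "ListUsers", "Version": "2010-05-08"},
                   headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
                   payload=b"", access_key="AKIDEXAMPLE",
                   secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                   region="us-east-1", service="iam", amz_date="20150830T123600Z")
```

The signature binds the caller's identity, the credential scope (date, region, service), the request line, the signed headers and the payload hash; changing any of them, or supplying a different session token, changes the signature, which is what lets the service side reject a tampered or replayed request.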

Page 29: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Web Identity Federation

[Diagram: users authenticate through web identity federation; IAM applies fine-grained access control to their requests against Amazon DynamoDB.]

Page 30: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Fine-Grained Access Control

Images Table

User Image Date Link

Bob aed4c 2013-10-01 s3://…

Bob 5f2e2 2013-09-05 s3://…

Bob f93bae 2013-10-08 s3://…

Alice ca61a 2013-09-12 s3://…

“Allow all authenticated

Facebook users to query the

Images table, but only on items

where their Facebook ID is the

hash key”

Bob “logs in” using

web identity federation

Page 31: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Fine-Grained Access Control

Images Table

User Image Date Link

Bob aed4c 2013-10-01 s3://…

Bob 5f2e2 2013-09-05 s3://…

Bob f93bae 2013-10-08 s3://…

Alice ca61a 2013-09-12 s3://…

Bob

Bob can query for images

where User=“Bob”

Bob cannot query for images

where User=“Alice”

Page 32: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Authenticated flow in depth

[Diagram: mobile apps send a Sigv4-signed request (invoke with caller credentials) to API Gateway, which invokes AWS Lambda (lambdaHandler); the function's calls to DynamoDB are authorized using the IAM role.]

Learn more about fine-grained access permissions

http://amzn.to/1YkxcjR

Page 33: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Amazon Cognito

• Generate temporary credentials

and enforce rotation to limit

credential lifetime

• Authenticate through 3rd-party or

Cognito Identity Pools

• Optionally allow anonymous access

• Enables security best practices

through IAM roles

Page 34: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Policy Variables – Amazon DynamoDB

DynamoDB policy statement ("${cognito-identity.amazonaws.com:sub}" is replaced at evaluation time by the caller's Cognito identity ID):

{
  "Effect": "Allow",
  "Action": [ "dynamodb:GetItem", "dynamodb:Query",
              "dynamodb:PutItem", "dynamodb:UpdateItem" ],
  "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/UserData",
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": [ "${cognito-identity.amazonaws.com:sub}" ]
    }
  }
}
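How the condition above enforces the "Bob can only see Bob's rows" rule from the Images table slides, evaluated offline. This is an added example, not code from the deck: a minimal evaluator for this one statement (not the IAM policy engine), applied to the Images table from the earlier slides. The identity IDs, the table rows and the REGION/ACCOUNT_ID placeholders in the ARN are constructed.

```python
"""Fine-grained DynamoDB access with dynamodb:LeadingKeys, evaluated offline.
Added example, not from the deck: a minimal evaluator of the one policy statement
above (not the full IAM engine) over the Images table from the earlier slides.
Identity IDs, rows and the ARN placeholders are constructed."""
from typing import Dict, Iterable, List, Set

TABLE_ARN = "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/Images"
IDENTITY_VAR = "${cognito-identity.amazonaws.com:sub}"

POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query",
               "dynamodb:PutItem", "dynamodb:UpdateItem"],
    "Resource": TABLE_ARN,
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [IDENTITY_VAR]
        }
    },
}

# Constructed table. The hash key "User" holds the caller's Cognito identity ID,
# which is what makes the LeadingKeys condition line up with the caller.
IMAGES: List[Dict[str, str]] = [
    {"User": "us-east-1:bob-1111", "Image": "aed4c", "Date": "2013-10-01"},
    {"User": "us-east-1:bob-1111", "Image": "5f2e2", "Date": "2013-09-05"},
    {"User": "us-east-1:bob-1111", "Image": "f93bae", "Date": "2013-10-08"},
    {"User": "us-east-1:alice-2222", "Image": "ca61a", "Date": "2013-09-12"},
]


def _condition_values(statement: Dict, identity_id: str) -> Set[str]:
    """Resolve the policy variable to the caller's identity ID."""
    cond = statement.get("Condition", {}).get("ForAllValues:StringEquals", {})
    return {v.replace(IDENTITY_VAR, identity_id) for v in cond.get("dynamodb:LeadingKeys", [])}


def is_allowed(statement: Dict, identity_id: str, action: str, resource: str,
               leading_keys: Iterable[str]) -> bool:
    """Allow iff the action and resource match and every hash-key value in the
    request equals one of the resolved condition values."""
    if statement["Effect"] != "Allow":
        return False
    if action not in statement["Action"] or resource != statement["Resource"]:
        return False
    allowed = _condition_values(statement, identity_id)
    # ForAllValues: every request key must be in the allowed set. IAM treats an empty
    # request set as satisfying ForAllValues, which is why Scan (it carries no
    # LeadingKeys) must stay out of the Action list.
    return all(key in allowed for key in leading_keys)


def query(identity_id: str, user: str) -> List[Dict[str, str]]:
    """Query by hash key, gated by the policy. Raises PermissionError when denied."""
    if not is_allowed(POLICY_STATEMENT, identity_id, "dynamodb:Query", TABLE_ARN, [user]):
        raise PermissionError(f"{identity_id} may not query User={user}")
    return [row for row in IMAGES if row["User"] == user]


def put_item(identity_id: str, item: Dict[str, str]) -> bool:
    """Write an item, gated by the policy on the item's own hash key."""
    if not is_allowed(POLICY_STATEMENT, identity_id, "dynamodb:PutItem", TABLE_ARN, [item["User"]]):
        raise PermissionError(f"{identity_id} may not write User={item['User']}")
    IMAGES.append(dict(item))
    return True
```

Bob's identity resolves the variable to his own ID, so a query for his rows passes and a query for Alice's rows is denied before any data is read; the same check applies to writes, so he cannot insert rows under someone else's key either.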

Page 35: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

API call flows

[Diagram: two call flows. Register and Login go from mobile apps through API Gateway to AWS Lambda (lambdaHandler). ListPets, GetPet and CreatePet are Sigv4 invokes with the caller's credentials, authorized by IAM, through API Gateway to AWS Lambda (lambdaHandler), which assumes a role for its downstream calls.]

http://bit.ly/28P5ypl

Page 36: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Block “bad actors” with CloudFront WAF + API Gateway

http://amzn.to/28SekaB

Page 37: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Auto-import IP Address Reputation Lists

[Diagram: AWS Lambda imports 3rd-party IP reputation lists into AWS WAF rules attached to Amazon CloudFront, which fronts Elastic Load Balancing, Amazon EC2 and Amazon RDS; Amazon CloudWatch drives and monitors the function. Bad users (based on IP reputation) are blocked; good users (based on IP source) get through.]

http://amzn.to/28O6I6O

Page 38: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Auto-block by request rate & bad requests

[Diagram: Amazon CloudFront serves static S3 content and writes CloudFront access logs; AWS Lambda analyzes the logs and updates AWS WAF rules on CloudFront, which fronts Elastic Load Balancing, Amazon EC2 and Amazon RDS; Amazon CloudWatch monitors the function. Bad users (based on IP source) are blocked; good users (based on IP source) get through.]

http://amzn.to/28P16XX | http://amzn.to/28Uqz6l

Page 39: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)


Page 40: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

VPC Flow Logs

• Agentless

• Enable per ENI, per subnet, or per VPC

• Logged to CloudWatch Logs

• Create CloudWatch metrics from log data

• Alarm on those metrics

Flow log record fields: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject

Page 41: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

VPC Flow Logs: Automation

[Diagram: an Elastic Network Interface in a private subnet sends records to a flow log group in CloudWatch Logs; a metric filter matches all SSH REJECT records; a CloudWatch alarm fires on "If SSH REJECT > 10, then…"; the alarm publishes to Amazon SNS, which invokes AWS Lambda; the function passes the offending source IP to a compliance app.]
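The metric-filter and alarm stage of that pipeline, run offline over flow log records so the logic can be checked before it is wired to CloudWatch. This is an added example, not code from the deck: it parses the documented version-2 flow log record format, counts TCP/22 REJECT records per source, and raises the alarm when the count exceeds 10. The sample records are constructed using documentation IP ranges.

```python
"""Turning VPC Flow Log records into an 'SSH REJECT > 10' alarm, offline.
Added example, not from the deck. Parses the documented version-2 record format and
reproduces the metric filter + alarm from the diagram; sample records are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
SSH_PORT, TCP = 22, 6
# The shape of the equivalent CloudWatch Logs space-delimited metric filter pattern:
# one name per field, quoted values are exact matches.
METRIC_FILTER_PATTERN = ('[version, account, eni, source, destination, srcport, destport="22", '
                         'protocol="6", packets, bytes, windowstart, windowend, '
                         'action="REJECT", flowlogstatus]')


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    action: str
    log_status: str


def _opt_str(value: str) -> Optional[str]:
    return None if value == "-" else value


def _opt_int(value: str) -> Optional[int]:
    return None if value == "-" else int(value)


def parse_flow_record(line: str) -> Optional[FlowRecord]:
    """Parse one version-2 record; NODATA/SKIPDATA records carry '-' in the traffic fields.
    Anything that is not a well-formed record is dropped rather than guessed at."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    f = dict(zip(FIELDS, parts))
    try:
        return FlowRecord(f["interface_id"], _opt_str(f["srcaddr"]), _opt_str(f["dstaddr"]),
                          _opt_int(f["srcport"]), _opt_int(f["dstport"]),
                          _opt_int(f["protocol"]), f["action"], f["log_status"])
    except ValueError:
        return None


def is_ssh_reject(r: FlowRecord) -> bool:
    return (r.log_status == "OK" and r.action == "REJECT"
            and r.dstport == SSH_PORT and r.protocol == TCP)


def evaluate(lines: Iterable[str], threshold: int = 10) -> Dict[str, object]:
    """Metric = number of SSH REJECT records in the window; alarm when metric > threshold.
    Per-source counts are returned so the responder knows which IP to hand to the compliance app."""
    records = [r for r in map(parse_flow_record, lines) if r is not None]
    per_source = Counter(r.srcaddr for r in records if is_ssh_reject(r))
    metric = sum(per_source.values())
    return {"metric": metric, "alarm": metric > threshold,
            "sources_over_threshold": [ip for ip, n in per_source.items() if n > threshold],
            "per_source": dict(per_source)}


def constructed_sample() -> List[str]:
    """Constructed records (documentation IPs): one noisy scanner, one quiet one, and noise."""
    tmpl = ("2 123456789012 eni-0a1b2c3d4e5f {src} 10.0.1.20 {sport} {dport} {proto} "
            "3 180 1480435200 1480435260 {action} OK")
    lines = [tmpl.format(src="203.0.113.7", sport=50000 + i, dport=22, proto=6, action="REJECT")
             for i in range(12)]
    lines += [tmpl.format(src="198.51.100.9", sport=51000 + i, dport=22, proto=6, action="REJECT")
              for i in range(3)]
    lines.append(tmpl.format(src="10.0.0.5", sport=52000, dport=22, proto=6, action="ACCEPT"))      # bastion
    lines.append(tmpl.format(src="203.0.113.7", sport=53000, dport=3389, proto=6, action="REJECT"))  # RDP probe
    lines.append(tmpl.format(src="203.0.113.7", sport=54000, dport=22, proto=17, action="REJECT"))   # UDP/22
    lines.append("2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1480435200 1480435260 - NODATA")
    lines.append("garbage line that should be ignored")
    return lines
```

On the constructed window the metric is 15 and the alarm fires, but only 203.0.113.7 exceeds the per-source threshold; the RDP probe and the UDP record are excluded by the port and protocol checks, exactly as the quoted filter pattern would exclude them.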

Page 42: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Growing Serverless Ecosystem

• Logging and Monitoring

• Applications and Deployment

• Build and CI/CD

Page 43: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Register for a Bootcamp

Get in-depth knowledge and

training from AWS Instructors and

Solutions Architects.

reinvent.awsevents.com/training

#AWSTraining

Get AWS Certified Onsite

Demonstrate your technical

proficiency and receive special

recognition onsite. Register today.

reinvent.awsevents.com/certification

#AWSCertified

Take Hands-on Labs

Practice with AWS in a live

environment. Choose from 100+

lab topics and attend a Spotlight

Lab session.

Free Onsite

Page 44: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Thank you!

Page 45: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)

Remember to complete

your evaluations!