![Page 1: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
David Potes, AWS Partner Solutions Architect
Ajay Nair, AWS Principal Product Manager
November 29, 2016
GPST404
Building Complex
Serverless Applications
![Page 2: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/2.jpg)
Agenda
• Why serverless?
• Serverless elements on AWS
• Securing your cloud
• Tips and tricks
• Design patterns
![Page 3: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/3.jpg)
Why serverless?
![Page 4: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/4.jpg)
Bustle.com
• 52 million monthly users
• 100 million events daily
• 84% cost savings
• 0 servers
• 0 operating system patches
• Automatic scaling
![Page 5: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/5.jpg)
Bustle.com event stream processing (architecture diagram). Services shown: Amazon API Gateway, AWS Lambda, Amazon Kinesis, AWS Lambda, Redis, Amazon Mobile Analytics, Amazon CloudWatch, Amazon Elasticsearch Service, Amazon S3, Amazon Redshift, Amazon QuickSight. Also shown: Bustle.com users; Engineering; Marketing & Operations; Design.
![Page 6: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/6.jpg)
The serverless compute manifesto
Functions are the unit of deployment and scaling.
No machines, VMs, or containers visible in the programming model.
Permanent storage lives elsewhere.
Scales per request. Users cannot over- or under-provision capacity.
Never pay for idle (no cold servers/containers or their costs).
Implicitly fault-tolerant because functions can run anywhere.
BYOC – Bring your own code.
Metrics and logging are a universal right.
![Page 7: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/7.jpg)
Multiple ways to put Lambda to work
• AWS CloudFormation custom resources
• Amazon Echo skills
• Amazon SWF tasks
• Customized notifications with Amazon SNS
• Amazon Cognito triggers
• Amazon S3 triggers
• Amazon DynamoDB triggers
• Amazon Kinesis processors
• Microservices with API Gateway
“Alexa, do my expense report”
And the list continues to grow!
![Page 8: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/8.jpg)
Mo APIs, Mo Problems
Managing multiple versions and stages of an API is difficult.
Monitoring third-party developers’ access is time consuming.
Access authorization is a challenge.
Traffic spikes create an operational burden.
What if I don’t want servers at all?
![Page 9: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/9.jpg)
Amazon API Gateway
• Host multiple versions and stages of your APIs
• Create and distribute API keys to developers
• Leverage signature version 4 to authorize access to APIs
• Throttle and monitor requests to protect your back end
• Managed cache to store API responses
![Page 10: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/10.jpg)
Usage plans: Throttle, Enforce and Track (diagram). Clients on the Internet (mobile apps, websites, partner services) call API Gateway, which throttles requests and serves from its response cache. Back ends: AWS Lambda functions, endpoints on Amazon EC2, any publicly accessible endpoint. Also shown: Amazon CloudFront, Amazon CloudWatch.
![Page 11: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/11.jpg)
Microservices and AWS Lambda
AWS Lambda + Amazon API Gateway is the
easiest way to create microservices
• Event handlers: one function per event type
• Serverless back ends: one function per API / path
• Data processing: one function per data type
![Page 12: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/12.jpg)
Tips and Tricks
![Page 13: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/13.jpg)
Event Driven Scaling
Invocation types (Lambda.Invoke):
• ASYNCHRONOUS: “Event”
• SYNCHRONOUS: “RequestResponse”
• STREAMS
![Page 14: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/14.jpg)
Things To Remember: Lambda Function
Memory = “Power Level”
Higher levels offer more memory and more CPU power
Performance tuning
Just-in-time initialization = latency cost the first time (“cold starts”)
Container reuse to avoid latency on repeat calls
Use reuse to your advantage!
Functions don’t have a notion of state
Use DynamoDB, S3, or ElastiCache for persistence
OK to use local cache (just clean up after yourself)
Use environment variables to pass metadata into your code
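The container-reuse advice above as an added Python example (not code from the talk): configuration is read from environment variables once, a module-level cache survives while Lambda reuses the container, and expired entries are cleaned up on each call. The variable names, the store stand-in and the event shape are assumptions for illustration.

```python
import os
import time

# Configuration is read from environment variables once, at container start
# (names are hypothetical; the deployer sets them on the function).
CACHE_TTL_SECONDS = int(os.environ.get("CACHE_TTL_SECONDS", "300"))
TABLE_NAME = os.environ.get("TABLE_NAME", "UserData")

# Module-level state survives between invocations only while Lambda reuses the
# container; treat it as an optimisation, never as the source of truth.
CACHE = {}            # key -> (expires_at, value)
STORE_READS = [0]     # constructed counter so the reuse effect is observable

def fetch_from_store(key):
    """Stand-in for the DynamoDB/S3 read (constructed; no network call)."""
    STORE_READS[0] += 1
    return {"table": TABLE_NAME, "key": key, "value": key.upper()}

def store_reads():
    return STORE_READS[0]

def cached_get(key, now=None):
    """Return (value, cache_hit); expired entries are refreshed from the store."""
    now = time.time() if now is None else now
    entry = CACHE.get(key)
    if entry is not None and entry[0] > now:
        return entry[1], True
    value = fetch_from_store(key)
    CACHE[key] = (now + CACHE_TTL_SECONDS, value)
    return value, False

def evict_expired(now=None):
    """Clean up after yourself: a warm container can live for hours, so drop
    expired entries instead of letting the cache grow without bound."""
    now = time.time() if now is None else now
    expired = [k for k, (expires_at, _) in CACHE.items() if expires_at <= now]
    for k in expired:
        del CACHE[k]
    return len(expired)

def handler(event, context):
    """Lambda entry point: the first call on a fresh container pays the store
    read (the cold path); repeat calls on a reused container hit the cache."""
    value, hit = cached_get(event["key"])
    evict_expired()
    return {"statusCode": 200, "cacheHit": hit, "body": value}
```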
![Page 15: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/15.jpg)
Things To Remember: Lambda Application
Lambda scales by events/requests
Stream-based = number of shards; requests × duration for everything else
Plan for the concurrent request rate on downstream services
Retries are built in for asynchronous and stream invokes
Throttles and errors are retried
Plan for retries within your client for synchronous applications
Use the right access control for downstream services
IAM roles and permissions for AWS services
KMS for storing credentials for downstream endpoints
![Page 16: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/16.jpg)
AWS Lambda VPC essentials
• All Lambda functions run in a VPC, all the time
• You can also grant Lambda functions access to resources in
your own VPC (optional)
• Functions configured for VPC access lose internet access by
default
• The ENIs used by Lambda’s VPC feature hit your quota
• Ensure your subnets have enough IPs for those ENIs.
• Specify at least one subnet in each Availability Zone
![Page 17: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/17.jpg)
AWS Serverless Application Model (“SAM”)
• A common language for describing the contents of a serverless app.
• CloudFormation now “speaks serverless” with native support for
SAM.
• New CloudFormation tools to package and deploy Lambda-based
apps.
• Export Lambda blueprints and functions in SAM
from the AWS Lambda console
![Page 18: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/18.jpg)
Best Practice – Use Versions And Aliases
Versions = immutable copies of code + properties
Aliases = mutable pointers to versions
Aliases enable: rollbacks, staged promotions, and “lock” behavior for a client
![Page 19: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/19.jpg)
Design Patterns
![Page 20: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/20.jpg)
Multiple Application Types
Interactive Backends
• Bots
• Webhooks
Autonomous IT
• Policy engines
• Infrastructure management
Analytics
• Operational management
• Live Dashboards
Data workflows
• Content management
• ETL workflows
![Page 21: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/21.jpg)
Amazon API Gateway: Serverless APIs (diagram). Clients on the Internet (mobile apps, websites, services) call Amazon API Gateway (with cache). Back ends: AWS Lambda functions, endpoints on Amazon EC2, any other publicly accessible endpoint. Also shown: Amazon CloudWatch, Amazon CloudFront.
![Page 22: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/22.jpg)
Serverless Mobile App on AWS (diagram). The Mobile SDK and Amazon API Gateway front the app; the role of each service:
• Amazon Cognito: authenticate & sync
• Amazon Mobile Analytics: analyze user behavior
• AWS Lambda: run business logic
• Amazon S3: store content
• Amazon DynamoDB: store data
• Amazon SNS mobile push notifications: send push notifications
![Page 23: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/23.jpg)
Realtime analytics
![Page 24: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/24.jpg)
E-commerce personalization (diagram). Pipeline stages: Ingest/Collect, Store, Process/analyze, Consume/visualize. Sources: Mobile Users, Desktop Users. Services: Amazon Kinesis, AWS Lambda, Amazon DynamoDB, Amazon S3 (Data Storage), Amazon Redshift, Analytics Tools, Online Stylist.
Outcomes & Insights:
• Personalized recommendations within seconds (from 15-20 min)
• Scale the expertise of stylists to all shoppers
• Reduce costs by 2X order of magnitude
• …
![Page 25: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/25.jpg)
Live video transcoding: Cascading Lambda Functions (diagram). Laptop encoders send HLS through CloudFront to S3 ingest; Lambda functions then cascade: HQ copy, 480p transcode, 360p transcode, audio-only transcode, thumbnail, and QOS analytics. Output lands in S3, is streamed through CloudFront, and is played back by a live stream mobile client and a VOD stream mobile client.
![Page 26: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/26.jpg)
Where NOT to consider Lambda (today)
• Large software dependencies: Custom software applications with
licensing agreements such as MS-Office document processing, EDA
tools, Oracle databases, etc.
• OS dependencies: Software packages or applications which rely
on calling underlying Windows RPCs
• Custom hardware: GPU acceleration, hardware affinity
![Page 27: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/27.jpg)
Securing serverless
![Page 28: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/28.jpg)
Security model for AWS API calls
1. The mobile client requests a token from AWS Security Token Service (governed by IAM permissions)
2. It receives temporary credentials
3. It signs the API request with the temporary token
4. It makes the API request against the AWS service API
![Page 29: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/29.jpg)
Web Identity Federation (diagram): users authenticate through web identity federation to IAM, which applies fine-grained access control to Amazon DynamoDB.
![Page 30: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/30.jpg)
Fine-Grained Access Control
Images Table

| User | Image | Date | Link |
|---|---|---|---|
| Bob | aed4c | 2013-10-01 | s3://… |
| Bob | 5f2e2 | 2013-09-05 | s3://… |
| Bob | f93bae | 2013-10-08 | s3://… |
| Alice | ca61a | 2013-09-12 | s3://… |

Policy intent: “Allow all authenticated Facebook users to query the Images table, but only on items where their Facebook ID is the hash key”
Bob “logs in” using web identity federation
![Page 31: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/31.jpg)
Fine-Grained Access Control
Images Table

| User | Image | Date | Link |
|---|---|---|---|
| Bob | aed4c | 2013-10-01 | s3://… |
| Bob | 5f2e2 | 2013-09-05 | s3://… |
| Bob | f93bae | 2013-10-08 | s3://… |
| Alice | ca61a | 2013-09-12 | s3://… |

Bob can query for images where User=“Bob”
Bob cannot query for images where User=“Alice”
![Page 32: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/32.jpg)
Authenticated flow in depth (diagram): Mobile apps -> API Gateway (Sigv4 invoke with caller credentials) -> AWS Lambda (lambdaHandler) -> DynamoDB. Service calls are authorized using the IAM role.
Learn more about fine-grained access permissions: http://amzn.to/1YkxcjR
![Page 33: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/33.jpg)
Amazon Cognito
• Generate temporary credentials
and enforce rotation to limit
credential lifetime
• Authenticate through 3rd-party or
Cognito Identity Pools
• Optionally allow anonymous access
• Enables security best practices
through IAM roles
![Page 34: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/34.jpg)
Policy Variables – Amazon DynamoDB
DynamoDB policy statement:

```json
{
  "Effect" : "Allow",
  "Action" : [ "dynamodb:GetItem", "dynamodb:Query",
               "dynamodb:PutItem", "dynamodb:UpdateItem" ],
  "Resource" : "arn:aws:dynamodb:REGION:12345678:table/UserData",
  "Condition" : {
    "ForAllValues:StringEquals" : {
      "dynamodb:LeadingKeys" : "${cognito-identity.amazonaws.com:sub}"
    }
  }
}
```

`${cognito-identity.amazonaws.com:sub}` will be replaced by the identity ID.
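An added Python walk-through of how this statement gates DynamoDB requests, tying it back to the Bob/Alice example from the earlier slides. It is a constructed model of the evaluation, not the IAM engine and not code from the talk; the Cognito identity IDs for Bob and Alice are constructed.

```python
# Statement as shown on the slide; REGION and 12345678 are the slide's placeholders.
POLICY_VARIABLE = "${cognito-identity.amazonaws.com:sub}"
STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query",
               "dynamodb:PutItem", "dynamodb:UpdateItem"],
    "Resource": "arn:aws:dynamodb:REGION:12345678:table/UserData",
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": POLICY_VARIABLE
        }
    },
}

def resolve_variables(value, identity_id):
    """Policy variables are substituted with the caller's values at evaluation time."""
    return value.replace(POLICY_VARIABLE, identity_id)

def request_allowed(statement, identity_id, action, resource, leading_keys):
    """Constructed model of how the slide's statement is evaluated (not the IAM engine).
    leading_keys: the partition-key values the DynamoDB request touches."""
    if action not in statement["Action"] or resource != statement["Resource"]:
        return False
    wanted = resolve_variables(
        statement["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"],
        identity_id)
    # ForAllValues: every key value in the request must equal the caller's identity.
    # With no key values at all a ForAllValues condition is vacuously true, which is
    # why the statement also restricts Action to item-level operations and omits Scan.
    return all(k == wanted for k in leading_keys)

TABLE = STATEMENT["Resource"]
BOB = "us-east-1:0000-bob"        # constructed Cognito identity IDs
ALICE = "us-east-1:0000-alice"
```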
![Page 35: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/35.jpg)
API call flows (diagram)
Flow 1: Mobile apps call Register and Login through API Gateway to AWS Lambda (lambdaHandler).
Flow 2: Mobile apps call ListPets, GetPet and CreatePet through API Gateway to AWS Lambda (lambdaHandler); the app assumes a role and invokes with Sigv4 using the caller credentials, authorized by IAM.
http://bit.ly/28P5ypl
![Page 37: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/37.jpg)
Auto-import IP Address Reputation Lists (diagram): AWS Lambda imports 3rd-party reputation lists into AWS WAF, which sits in front of Amazon CloudFront. Bad users (based on IP reputation) are blocked, while good users (based on IP source) reach Elastic Load Balancing, Amazon EC2 and Amazon RDS. Amazon CloudWatch is also shown. http://amzn.to/28O6I6O
![Page 38: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/38.jpg)
Auto-block by request rate & bad requests (diagram): CloudFront access logs, covering static S3 content and the application behind Elastic Load Balancing, Amazon EC2 and Amazon RDS, are processed by AWS Lambda, which updates AWS WAF to block bad users (based on IP source) while good users (based on IP source) pass. Amazon CloudWatch is also shown.
http://amzn.to/28P16XX | http://amzn.to/28Uqz6l
![Page 39: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/39.jpg)
Auto-block by request rate & bad requests
http://amzn.to/28P16XX | http://amzn.to/28Uqz6l
![Page 40: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/40.jpg)
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Record fields: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject
![Page 41: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/41.jpg)
VPC Flow Logs: Automation (diagram): Elastic Network Interface in a private subnet -> Flow Log group in CloudWatch Logs -> metric filter (filter on all SSH REJECT) -> CloudWatch alarm (“If SSH REJECT > 10, then…”) -> Amazon SNS -> AWS Lambda compliance app, acting on the source IP.
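The metric-filter and alarm logic from the two flow-log slides as an added Python example (not code from the talk), run over constructed records in the default VPC Flow Logs record format with the fields listed above. The account ID, ENI and addresses are constructed (documentation ranges); the threshold of 10 is the slide's.

```python
from collections import Counter

# Default (version 2) VPC Flow Log record layout, matching the fields on the slide.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
TCP = "6"
SSH_PORT = "22"
REJECT_THRESHOLD = 10    # the slide's rule: "If SSH REJECT > 10, then..."

def parse_flow_log_line(line):
    """Parse one record into a dict; return None for anything that is not 14 fields."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_ssh_reject(rec):
    """The metric filter from the slide: rejected TCP traffic to port 22.
    NODATA/SKIPDATA records carry '-' fields and must not match."""
    return (rec is not None and rec["log_status"] == "OK" and rec["action"] == "REJECT"
            and rec["protocol"] == TCP and rec["dstport"] == SSH_PORT)

def ssh_rejects_by_source(lines):
    """Count matching records per source IP (what the CloudWatch metric aggregates)."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_log_line(line)
        if is_ssh_reject(rec):
            counts[rec["srcaddr"]] += 1
    return counts

def sources_over_threshold(lines, threshold=REJECT_THRESHOLD):
    """Source IPs the alarm fires on: strictly more than `threshold` SSH rejects."""
    return sorted(ip for ip, n in ssh_rejects_by_source(lines).items() if n > threshold)

def flow_record(src, sport, dport, action, i):
    """Build a constructed record (TEST-NET addresses, fixed ENI and account ID)."""
    return (f"2 123456789010 eni-0a1b2c3d {src} 10.0.1.20 {sport} {dport} 6 3 180 "
            f"{1480406400 + i} {1480406460 + i} {action} OK")

# Constructed sample: one noisy source over the threshold, one source under it,
# one accepted SSH session, one non-SSH reject and one NODATA record.
SAMPLE_LINES = (
    [flow_record("203.0.113.5", 51000 + i, 22, "REJECT", i) for i in range(11)]
    + [flow_record("198.51.100.7", 40000 + i, 22, "REJECT", i) for i in range(3)]
    + [flow_record("198.51.100.7", 40100, 22, "ACCEPT", 20)]
    + [flow_record("192.0.2.9", 40200, 443, "REJECT", 21)]
    + ["2 123456789010 eni-0a1b2c3d - - - - - - - 1480406400 1480406460 - NODATA"]
)
```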
![Page 42: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/42.jpg)
Growing Serverless Ecosystem (logo slide). Categories: Logging and Monitoring; Applications and Deployment; Build and CI/CD.
![Page 43: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/43.jpg)
Register for a Bootcamp
Get in-depth knowledge and
training from AWS Instructors and
Solutions Architects.
reinvent.awsevents.com/training
#AWSTraining
Get AWS Certified Onsite
Demonstrate your technical
proficiency and receive special
recognition onsite. Register today.
reinvent.awsevents.com/certification
#AWSCertified
Take Hands-on Labs
Practice with AWS in a live
environment. Choose from 100+
lab topics and attend a Spotlight
Lab session.
Free Onsite
![Page 44: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/44.jpg)
Thank you!
![Page 45: AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)](https://reader034.vdocuments.net/reader034/viewer/2022052418/586fe2da1a28ab18428b7d63/html5/thumbnails/45.jpg)
Remember to complete
your evaluations!