Serverless SaaS By Ali El Kontar

Serverless SaaS By Ali El Kontar during AWS MENA Community Days 2020

AWS MENA Community

September 26, 2020

Transcript

  1. Introduction: Ali El Kontar, Founder and CEO of Zero&One

    9 x AWS Certified, AWS Authorized Instructor Champion. COMMUNITY DAY MENA. akontar
  2. Introduction (www.zeroandone.me)

    • AWS Advanced Consulting Partner
    • Specialized in DevOps and building Native platforms on AWS
    • Well-Architected Partner
    • Service Delivery Program
    • Public Sector Partner
    • Immersion Day Partner
  3. Gartner estimates that the market size of the SaaS marketplace is $99.7B in 2020 while growing at the rate of 21%

    Source: Gartner, Forecast: Public Cloud Services, Worldwide, 2016-2020
  4. According to IDC, 72% of enterprises will prioritize SaaS when selecting new application solutions, 16% are neutral and only 13% prefer traditional applications over SaaS

    Source: IDC SaaSView 4Q18, October 2018
  5. Service companies are gaining benefits from the SaaS model not accessible to traditional ISVs

    • Unlock new customer segments: lower customer adoption costs; lower operational costs per customer; 75% installation time reduction
    • Reduce TCO: reduced upfront infrastructure cost; eliminating customer support costs; 30% savings on system costs
    • Integrate new cloud services: leverage off-the-shelf components available in public cloud; reduced time to develop new functionality
    • Leverage aggregated data: derive new customer insights from usage data; develop new data-driven solutions; monetize data

    Source: Keystone, The Shift to SaaS: A high-value opportunity for ISVs, June 1, 2017
  6. Service companies are gaining benefits from the SaaS model not accessible to traditional ISVs

    • In contrast to the traditional licensing model, the subscription model allows customers to use the software without committing to long licensing periods, lowering their barrier to buy.
    • A subscription model smoothens the revenue curve through monthly recurring revenue, resulting in improved financial predictability.
  7. Serverless: A Natural fit – The Ultimate Match

    • Smaller deployments
    • Optimized consumption
    • Natural isolation models
    • Simpler operations footprint
    • Focus on IP / customers
    • Drive service decomposition
  8. Introducing multi-tenancy

    • Tenant onboarding
    • Authentication
    • Authorization
    • Tenant isolation
    • Data access / partitioning
    • DevOps and agility
    • Tenant aware app functions
  9. SaaS Architecture Landscape

    Diagram labels: Onboarding, Authentication, Metrics, Billing, Management, Service, Application Services, Storage Partitioning, Tenant isolation.
  10. Shared Services (Shared System Services)

    • Configure IAM policies
    • Provision users/tenants
    • Create billing account
    • Provision tenant functions
  11. Onboarding & Identity

    Diagram: numbered steps 1 to 6, with the labels /reg, /user/reg and POST.
  12. Applying tenant strategies with API Gateway

    • Usage plans
    • Routes enabled/disabled based on tenant context
    • Lambda Authorizer: tenant context, role, etc.
    • Tenant1 API Key (basic tier)
    • Tenant2 API Key (advanced tier)
  13. Provisioning tenants and isolation

    • Silo: Provision separate functions for each tenant (provision as each tenant onboards). Roles: Tenant 1 execution role, Tenant 2 execution role.
    • Pool: Shared functions for all tenants (one-time provisioning). Role: All tenants execution role, covering Tenant 1, 2, … n.
  14. Cascading tenant scope from siloed function

    Diagram labels: Tenant 1, Tenant 1 execution role, Access scoped by IAM policy.
  15. Using concurrency as a tiering strategy

    • Basic Tier: Reserve Concurrency = 100
    • Advanced Tier: Reserve Concurrency = 100
    • Premium Tier: Reserve Concurrency = all unreserved
  16. Pool compute relies on run-time policies

    • Runtime-acquired tenant scope
    • Compute runs with a broader profile/execution scope
    • Scope applied when accessing resources

    Diagram labels: AWS Identity and Access Management (IAM), Isolation token manager, Access Context.
  17. Building multi-tenant functions

    • Hide the details of multi-tenancy
    • Push all shared concepts to libraries
    • Enable developers to focus on app features
    • Smaller functions = smaller blast radius
    • Limit synchronous dependencies

    Diagram labels: Multi-tenant microservice, JWT with SaaS identity, Multi-tenant metrics, Multi-tenant logging, Partitioned data access, Tenant isolation.
  18. Using Lambda Layers for shared constructs

    • Layer (V2.0): Logging manager, Metrics manager, Token manager
    • Calls made with the JWT token: getTenantId(token), Log(tenantId), recordMetric(tenantId)
    • Minimize tenant awareness
    • Layers are deployed and versioned
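  19. Introducing layers into your environment

    ```javascript
    // Shared multi-tenant modules are loaded from the Lambda layer mount point (/opt).
    const logManager = require('/opt/nodejs/log-manager.js');
    const metricManager = require('/opt/nodejs/metric-manager.js');
    const tokenManager = require('/opt/nodejs/token-manager.js');
    // The data access layer is local to this function's own package.
    const dal = require('./course-manager-dal.js');
    ```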
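  20. Centralizing tenant context management

    ```javascript
    const async = require('async');
    // Assumes a jwt-decode version that exports the decode function directly.
    const jwtDecode = require('jwt-decode');
    // userManager and authenticateUserInPool are defined elsewhere in the layer (not shown on the slide).

    // Prototype-free object, so the `in` check only matches tokens that were cached.
    const tokenCache = Object.create(null);

    // Resolve tenant-scoped credentials for the bearer token on the request
    // and hand them to updateCredentials (null on failure).
    module.exports.getCredentialsFromToken = function(event, updateCredentials) {
        var bearerToken = event.headers['Authorization'];
        if (bearerToken) {
            var tokenValue = bearerToken.substring(bearerToken.indexOf(' ') + 1);
            if (!(tokenValue in tokenCache)) {
                // jwtDecode only parses the claims; it does not verify the signature.
                var decodedIdToken = jwtDecode(tokenValue);
                var userName = decodedIdToken['cognito:username'];
                var tenantId = decodedIdToken['custom:tenant_id'];
                async.waterfall([
                    function(callback) {
                        userManager.getUserPoolWithParam(userName, tenantId, callback);
                    },
                    function(userPool, callback) {
                        authenticateUserInPool(userPool, tokenValue, callback);
                    }
                ], function(error, results) {
                    if (error) {
                        updateCredentials(null);
                    } else {
                        tokenCache[tokenValue] = results;
                        updateCredentials(results);
                    }
                });
            } else {
                updateCredentials(tokenCache[tokenValue]);
            }
        } else {
            // No Authorization header: report failure instead of never calling back.
            updateCredentials(null);
        }
    };
    ```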
  21. The payoff: A simplified developer experience

    ```javascript
    'use strict';

    // Shared multi-tenant modules come from the Lambda layer mounted at /opt.
    const logManager = require('/opt/nodejs/log-manager.js');
    const metricManager = require('/opt/nodejs/metric-manager.js');
    const tokenManager = require('/opt/nodejs/token-manager.js');
    const dal = require('./course-manager-dal.js');

    // Fetch the course with the supplied CourseId.
    // The handler passes the event to the shared modules and never handles tenant context itself.
    exports.get = (event, context, callback) => {
        logManager.log(event, "CourseManager", {"Message": "GetCourse() called.", "CourseId": event.pathParameters.resourceId});
        dal.getCourse(event, function(response) {
            logManager.log(event, "CourseManager", {"Message": "Course Returned", "Course": response});
            callback(null, response);
        });
    };
    ```
  22. Multi-Tenant influence on service decomposition

    Diagram labels: GetOrder(), UpdateOrder(), DeleteOrder(); routes GET /orders, POST /orders/712, PUT /orders/42, DELETE /orders/42; Scale; Policy; No Policy.
  23. Takeaways

    • Serverless enables SaaS agility, resilience and innovation
    • Isolation strategies directly shape deployment footprint
    • Consider supporting multiple isolation models (hybrid)
    • Factor account limits in your isolation model
    • Hide details of multi tenancy from service developers
    • Consider using layers as the home for shared multi-tenant concepts
    • Serverless allows us to better align tenant consumption and activity
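
One way to realize the runtime-acquired tenant scope from slide 16, as an added example that is not code from the deck: a pooled function builds a session policy keyed on the tenant ID (taken from a JWT whose signature has already been verified) and passes it to STS AssumeRole, so the broad execution role is narrowed before any data access. The function names, the tenant-ID format, the ARNs and the DynamoDB table keyed by tenant ID are assumptions.

```javascript
'use strict';
// Added example (not from the deck). Names, ARNs and the tenant-ID format are assumptions.

// Assumed tenant-ID format; rejects policy wildcards and variables ('*', '?', '${').
const TENANT_ID_RE = /^[A-Za-z0-9-]{1,40}$/;

// Build an IAM session policy that limits DynamoDB item access to rows whose
// partition key equals the tenant ID (dynamodb:LeadingKeys condition key).
function buildTenantPolicy(tenantId, tableArn) {
  if (typeof tenantId !== 'string' || !TENANT_ID_RE.test(tenantId)) {
    throw new Error('invalid tenant id');
  }
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['dynamodb:GetItem', 'dynamodb:Query', 'dynamodb:PutItem',
               'dynamodb:UpdateItem', 'dynamodb:DeleteItem'],
      Resource: [tableArn],
      Condition: {
        'ForAllValues:StringEquals': { 'dynamodb:LeadingKeys': [tenantId] }
      }
    }]
  };
}

// Parameters for an STS AssumeRole call. A session policy is intersected with
// the role's own permissions, so it can only narrow what the role allows.
function assumeRoleParams(roleArn, tenantId, tableArn) {
  return {
    RoleArn: roleArn,
    RoleSessionName: `tenant-${tenantId}`,
    DurationSeconds: 900, // short-lived, tenant-scoped credentials
    Policy: JSON.stringify(buildTenantPolicy(tenantId, tableArn))
  };
}

// Simplified local stand-in for the LeadingKeys check, used only to show the
// effect of the policy; IAM performs the real evaluation.
function keyAllowed(policy, partitionKey) {
  return policy.Statement.some((s) => s.Effect === 'Allow' &&
    s.Condition['ForAllValues:StringEquals']['dynamodb:LeadingKeys']
      .includes(partitionKey));
}
```

Credentials returned for these parameters are what a data access layer would use for the request, so a query for another tenant's partition key is denied by IAM rather than by application code.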