Building Serverless APIs with the Amazon API Gateway and AWS AppSync

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Danilo Poccia
Evangelist, Serverless
[email protected]
@danilop
danilop
Building Serverless APIs
With the AWS API Gateway and AWS AppSync

View Slide


View Slide

No servers to provision
or manage
Scales with usage
Never pay for idle Availability and fault
tolerance built in
Serverless means…

View Slide

SERVICES (ANYTHING)
Changes in
data state
Requests to
endpoints
Changes in
resource state
EVENT SOURCE FUNCTION
Node.js
Python
Java
C#
Go
Serverless applications

View Slide

Using AWS Lambda
Bring your own code
• Node.js, Java, Python,
C#, Go
• Bring your own libraries
(even native ones)
Simple resource model
• Select power rating from
128 MB to 3 GB
• CPU and network
allocated proportionately
Flexible use
• Synchronous or
asynchronous
• Integrated with other
AWS services
Flexible authorization
• Securely grant access to
resources and VPCs
• Fine-grained control for
invoking your functions

View Slide

Lambda permissions model
Fine grained security controls for both execution
and invocation:
Execution policies:
• Define what AWS resources/API calls can this
function access via IAM
• Used in streaming invocations
• E.g. “Lambda function A can read from
DynamoDB table users”
Function policies:
• Used for sync and async invocations
• E.g. “Actions on bucket X can invoke Lambda
function Z"
• Resource policies allow for cross account
access

View Slide

Lambda execution model
Synchronous
(push)
Asynchronous
(event)
Stream-based
Amazon
API Gateway
AWS Lambda
function
Amazon
DynamoDB
Amazon
SNS
/order
AWS Lambda
function
Amazon
S3
reqs
Amazon
Kinesis
changes
AWS Lambda
service
function

View Slide

Using AWS Lambda
Authoring functions
• Cloud9
• WYSIWYG editor or
upload packaged .zip
• Third-party plugins
(Eclipse, Visual Studio)
Monitoring and logging
• Metrics for requests,
errors, and throttles
• Built-in logs to Amazon
CloudWatch Logs
• X-Ray integration
Programming model
• Use processes, threads,
/tmp, sockets normally
• AWS SDK built in
(Python and Node.js)
Stateless
• Persist data using
external storage
• No affinity or access to
underlying infrastructure

View Slide

Anatomy of a Lambda function
Handler() function
Function to be executed
upon invocation
Event object
Data sent during
Lambda Function
Invocation
Context object
Methods available to
interact with runtime
information (request ID,
log group, etc.)
public String handleRequest(Book book, Context context) {
saveBook(book);
return book.getName() + " saved!";
}

View Slide

Amazon S3 Amazon
DynamoDB
Amazon
Kinesis
AWS
CloudFormation
AWS CloudTrail Amazon
CloudWatch
Amazon
Cognito
Amazon SNS
Amazon
SES
Cron events
DATA STORES ENDPOINTS
DEVELOPMENT AND MANAGEMENT TOOLS EVENT/MESSAGE SERVICES
Event sources that trigger AWS Lambda
and more!
AWS
CodeCommit
Amazon
API Gateway
Amazon
Alexa
AWS IoT AWS Step
Functions

View Slide

Fine-Grained Pricing
Buy compute time in 100ms
increments
Low request charge
No hourly, daily, or monthly
minimums
No per-device fees
Never pay for idle
Free Tier
1M requests and 400,000 GB-s of compute.
Every month, every customer.

View Slide

Common Lambda use cases
Web
Applications
• Static
websites
• Complex web
apps
• Packages for
Flask and
Express
Data
Processing
• Real time
• MapReduce
• Batch
Chatbots
• Powering
chatbot logic
Backends
• Apps &
services
• Mobile
• IoT
>
>
Amazon
Alexa
• Powering
voice-enabled
apps
• Alexa Skills
Kit
IT
Automation
• Policy engines
• Extending
AWS services
• Infrastructure
management

View Slide

Amazon API Gateway
Create a unified
API frontend for
multiple micro-
services
Authenticate and
authorize
requests to a
backend
DDoS protection
and throttling
for your backend
Throttle, meter,
and monetize
API usage by
third-party
developers

View Slide

API Gateway integrations
Internet
Mobile Apps
Websites
Services
AWS Lambda
functions
AWS
API Gateway
Cache
Endpoints on
Amazon EC2
Amazon
CloudWatch
Monitoring
Amazon
CloudFront
Any other
AWS service
YOUR VPC
Endpoints in
Your VPC
Regional API Endpoints
All publicly
accessible endpoints
AWS Lambda
functions

View Slide

Amazon API Gateway Security
Several mechanisms for adding Authz/Authn to our API:
• IAM Permissions
• Use IAM policies and AWS credentials to grant access
• Custom Authorizers
• Use Lambda to validate a bearer token(Oauth or SAML as
examples) or request parameters and grant access
• Cognito User Pools
• Create a completely managed user management system

View Slide

Authentication type comparison
Feature AWS_IAM TOKEN REQUEST COGNITO
Authentication X X X X
Authorization X X X
Signature V4 X
Cognito User Pools X X X
Third-Party
Authentication
X X
Multiple Header
Support
X
Additional Costs NONE Pay per
authorizer
invoke
Pay per
authorizer
invoke
NONE

View Slide

Gateway responses
Allows customization of various error responses
• Change HTTP status code
• Modify body content
• Add headers
Can customize specific responses and/or modify default
4XX/5XX

View Slide

API Gateway throttling
Three levels of throttling for APIs
API Key level throttling—configurable in usage plan
Method level throttling—configurable in stage settings
Account level throttling—limits can be increased

View Slide

API Gateway throttling
Token bucket algorithm
Burst—the maximum size of the bucket
Rate—the number of tokens added to the bucket

View Slide

API Gateway usage plans
API Key Throttling
Rate/Burst per API Key
API Key Quota
Periodic limits per API Key
API Key Usage
Daily usage records

View Slide

Custom domains
Run your APIs within your own DNS zone
Recommended for supporting multiple versions
api.tampr.com/v1 -> restapi1
api.tampr.com/v2 -> restapi2
Support for cross-region redundancy with regional API
endpoints
NEW

View Slide

Amazon
DynamoDB
AWS Lambda
Amazon API
Gateway
Amazon
DynamoDB
AWS Lambda
Amazon API
Gateway
Amazon
Route53
eu-west-1
us-east-1
Global Tables
https://global.domain.com/

View Slide

Amazon API Gateway – Lambda Proxy Integration
{
"resource": "Resource path",
"path": "Path parameter",
"httpMethod": "Incoming request's method name",
"headers": {Incoming request headers},
"queryStringParameters": {Query string parameters},
"pathParameters":{Path parameters},
"stageVariables": {Applicable stage variables},
"requestContext": {Request context, including authorizer-returned key-value pairs},
"body": "...",
"isBase64Encoded": true|false
}
{
"statusCode": httpStatusCode,
"headers": { "headerName": "headerValue", ... },
"body": "...”,
"isBase64Encoded": true|false
}
Input Format of a Lambda Function for Proxy Integration
Output Format of a Lambda Function for Proxy Integration

View Slide

AWS Lambda
+ Amazon API Gateway
Demo

View Slide

Lambda Environment Variables
• Key-value pairs that you can dynamically pass to
your function
• Available via standard environment variable APIs
such as process.env for Node.js or os.environ for
Python
• Can optionally be encrypted via AWS Key
Management Service (KMS)
• Allows you to specify in IAM what roles have access to
the keys to decrypt the information
• Useful for creating environments per stage (i.e.
dev, testing, production)

View Slide

API Gateway Stage Variables
• Stage variables act like environment variables
• Use stage variables to store configuration values
• Stage variables are available in the $context object
• Values are accessible from most fields in API Gateway
• Lambda function ARN
• HTTP endpoint
• Custom authorizer function name
• Parameter mappings

View Slide

Stage Variables and Lambda Aliases
Using Stage Variables in API Gateway together with Lambda function Aliases
you can manage a single API configuration and Lambda function for multiple
environment stages
myLambdaFunction
1
2
3 = prod
4
5
6 = beta
7
8 = dev
My First API
Stage variable = lambdaAlias
Prod
lambdaAlias = prod
Beta
lambdaAlias = beta
Dev
lambdaAlias = dev

View Slide

Lambda Alias Traffic Shifting & Safe Deployments
“By default, an alias points to a single Lambda function version. When the alias is
updated to point to a different function version, incoming request traffic in turn
instantly points to the updated version.”

View Slide

instantly points to the updated version.
This exposes that alias to any potential instabilities introduced by the new version.”

View Slide

instantly points to the updated version.
This exposes that alias to any potential instabilities introduced by the new version.
To minimize this impact, you can implement the routing-config parameter of the
Lambda alias that allows you to point to two different versions of the Lambda function
and dictate what percentage of incoming traffic is sent to each version.”
– AWS Lambda docs on “Traffic Shifting Using Aliases”
aws lambda update-alias --name alias name --function-name function-
name --routing-config AdditionalVersionWeights={”6"=0.05}

View Slide

Lambda Alias Traffic Shifting
myLambdaFunction
1
2
3 = prod
4
5
6 = prod 5%
My First API
Prod
lambdaAlias = prod
aws lambda update-alias --name prod --function-name myLambdaFunction
--routing-config AdditionalVersionWeights={”6"=0.05}

View Slide

Lambda Alias Traffic Shifting
myLambdaFunction
5
6 = prod
My First API
Prod
lambdaAlias = prod
aws lambda update-alias --name prod --function-name myLambdaFunction
--function-version 6 --routing-config ''

View Slide

Lambda Alias Traffic Shifting & AWS Step Functions
Blog link: http://amzn.to/2FjlWA7

View Slide

SAM Globals + Safe Deployments
Globals:
Function:
Runtime: nodejs4.3
AutoPublishAlias: !Ref ENVIRONMENT
MyLambdaFunction:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
DeploymentPreference:
Type: Linear10PercentEvery10Minutes
Alarms:
# A list of alarms that you want to monitor
- !Ref AliasErrorMetricGreaterThanZeroAlarm
- !Ref LatestVersionErrorMetricGreaterThanZeroAlarm
Hooks:
# Validation Lambda functions that are run before & after traffic shifting
PreTraffic: !Ref PreTrafficLambdaFunction
PostTraffic: !Ref PostTrafficLambdaFunction

View Slide

Lambda Alias Traffic Shifting & AWS SAM
AutoPublishAlias
By adding this property and specifying an
alias name, AWS SAM will do the
following:
• Detect when new code is being
deployed based on changes to the
Lambda function's Amazon S3 URI.
• Create and publish an updated version
of that function with the latest code.
• Create an alias with a name you
provide (unless an alias already exists)
and points to the updated version of
the Lambda function.
Deployment Preference Type
Canary10Percent30Minutes
Linear10PercentEvery10Minutes
Linear10PercentEvery1Minute
AllAtOnce
In SAM:

View Slide

Lambda Alias Traffic Shifting & AWS SAM
Alarms: # A list of alarms that you want to monitor
- !Ref AliasErrorMetricGreaterThanZeroAlarm
- !Ref LatestVersionErrorMetricGreaterThanZeroAlarm
Hooks: # Validation Lambda functions that are run
before & after traffic shifting
PreTraffic: !Ref PreTrafficLambdaFunction
PostTraffic: !Ref PostTrafficLambdaFunction
In SAM:
Note: You can specify a maximum of 10 alarms

View Slide

NEW: Can deploy AWS Lambda!!
Uses AWS SAM to deploy serverless applications
Supports Lambda Alias Traffic Shifting enabling
canaries and blue|green deployments
Can rollback based on CloudWatch Metrics/Alarms
Pre/Post-Traffic Triggers can integrate with other
services (or even call Lambda functions)
AWS CodeDeploy + Lambda

View Slide

CodeDeploy comes with a number of added
capabilities:
• Custom deployment configurations.
Examples:
• “Canary 5% for 1 hour”
• “Linear 20% every 1 hour”
• Notification events via SNS on
success/failure/rollback
• Console with visibility on deploy status,
history, and rollbacks.

View Slide


View Slide

Amazon API Gateway Canary Support
Use canary release deployments to gradually roll out new APIs
in Amazon API Gateway:
• configure percent of traffic to go to a new stage
deployment
• can test stage settings and variables
• API gateway will create additional Amazon CloudWatch
Logs group and CloudWatch metrics for the requests
handled by the canary deployment API
• To rollback: delete the deployment or set percent of traffic
to 0
NEW!

View Slide

GraphQL: A Query Language for APIs
Resources defined by a GraphQL schema
Client sends query, server orchestrates data
Multiple transports (HTTP, MQTT, WebSockets)
Efficient (network bandwidth, dev time)
Self-documenting (introspection w/tooling)

View Slide

Is REST dead then?
• When data drives UI
• Structured data
• Query-driven
• Client-driven
development
Use GraphQL
• When you leverage HTTP
• Caching
• Content types
• Hypermedia (HATEOS)
• For resources (e.g.,
Amazon S3)
Use REST
Pick the appropriate protocol for your use case

View Slide

GraphQL
Schema
type Event {
id: ID!
name: String
where: String
when: String
description: String
comments: [Comment]
}
type Comment {
commentId: String!
eventId: ID!
content: String!
createdAt: String!
}

View Slide

GraphQL
Schema
Mutation
type Mutation {
createEvent(
name: String!,
when: String!,
where: String!,
description: String!
): Event
deleteEvent(id: ID!): Event
commentOnEvent(
eventId: ID!,
content: String!,
createdAt: String!
): Comment
}

View Slide

GraphQL
Schema
Mutation
Query
type Query {
getEvent(id: ID!): Event
listEvents(
limit: Int = 10,
nextToken: String
): EventConnection
}

View Slide

GraphQL
Schema
Mutation
Query
Subscription
type Subscription {
subscribeToEventComments(eventId: String!): Comment
@aws_subscribe(mutations: ["commentOnEvent"])
}

View Slide

GraphQL
Schema
Mutation
Query
Subscription
Realtime? YES
Batching? YES
Pagination? YES
Relations? YES
Aggregations? YES
Search? YES
Offline? YES

View Slide

AWS AppSync
DynamoDB
Table
Lambda
Function Elasticsearch
Service
GraphQL
Schema
Upload
Schema
GraphQL
Query
Mutation
Subscription
Real-time
Offline
AppSync
API
Cognito
User Pool

View Slide

AWS AppSync
DynamoDB
Table
Lambda
Service
GraphQL
Schema
Upload
Schema
GraphQL
Query
Mutation
Subscription
Real-time
Offline
AppSync
API
Cognito
User Pool
Legacy
Application

View Slide

AWS AppSync
DynamoDB
Table
Lambda
Service
GraphQL
Schema
Upload
Schema
GraphQL
Query
Mutation
Subscription
Real-time
Offline
DynamoDB to Elasticsearch
Sync Function
AppSync
API
Cognito
User Pool

View Slide

AWS AppSync
DynamoDB
Table
Lambda
Service
GraphQL
Schema
Autogenerate
Schema
GraphQL
Query
Mutation
Subscription
Real-time
Offline
AppSync
API
Cognito
User Pool
Upload
Schema

View Slide

AWS AppSync
Demo

View Slide

https://sbd.danilop.net
O
pen
Source
Serverless by Design

View Slide

Thank you!
Danilo Poccia
Evangelist, Serverless
[email protected]
@danilop
danilop

View Slide

Building Serverless APIs with the Amazon API Gateway and AWS AppSync

Building Serverless APIs with the Amazon API Gateway and AWS AppSync

Danilo Poccia

More Decks by Danilo Poccia

Other Decks in Programming

Featured

Transcript