Building Serverless APIs with the Amazon API Gateway and AWS AppSync

London API Professionals Meetup, London, May 23rd, 2018

In this session, we’ll review features and best practices for building serverless backends using REST and GraphQL. We’ll use tools such as Lambda functions, the Amazon API Gateway and AWS AppSync to expose your business logic or your legacy applications using an open interface and an event-driven architecture. Managing our infrastructure as code, with tools such as AWS SAM, we can implement a CI/CD pipeline that can speed up development and support safe deployments in production.

Danilo Poccia

May 23, 2018

Transcript

  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Danilo Poccia, Evangelist, Serverless
     [email protected], @danilop, danilop
     Building Serverless APIs With the AWS API Gateway and AWS AppSync
  2. Serverless means…
     • No servers to provision or manage
     • Scales with usage
     • Never pay for idle
     • Availability and fault tolerance built in
  3. Serverless applications (diagram)
     EVENT SOURCE (changes in data state, requests to endpoints, changes in resource state) -> FUNCTION (Node.js, Python, Java, C#, Go) -> SERVICES (anything)
  4. Using AWS Lambda
     Bring your own code
     • Node.js, Java, Python, C#, Go
     • Bring your own libraries (even native ones)
     Simple resource model
     • Select power rating from 128 MB to 3 GB
     • CPU and network allocated proportionately
     Flexible use
     • Synchronous or asynchronous
     • Integrated with other AWS services
     Flexible authorization
     • Securely grant access to resources and VPCs
     • Fine-grained control for invoking your functions
  5. Lambda permissions model
     Fine-grained security controls for both execution and invocation:
     Execution policies:
     • Define which AWS resources/API calls this function can access, via IAM
     • Used in streaming invocations
     • E.g. “Lambda function A can read from DynamoDB table users”
     Function policies:
     • Used for sync and async invocations
     • E.g. “Actions on bucket X can invoke Lambda function Z”
     • Resource policies allow for cross-account access
  6. Lambda execution model (diagram)
     Synchronous (push): Amazon API Gateway /order -> AWS Lambda function
     Asynchronous (event): Amazon SNS, Amazon S3 reqs -> AWS Lambda function
     Stream-based: Amazon DynamoDB, Amazon Kinesis changes -> AWS Lambda service -> function
  7. Using AWS Lambda
     Authoring functions
     • Cloud9
     • WYSIWYG editor or upload packaged .zip
     • Third-party plugins (Eclipse, Visual Studio)
     Monitoring and logging
     • Metrics for requests, errors, and throttles
     • Built-in logs to Amazon CloudWatch Logs
     • X-Ray integration
     Programming model
     • Use processes, threads, /tmp, sockets normally
     • AWS SDK built in (Python and Node.js)
     Stateless
     • Persist data using external storage
     • No affinity or access to underlying infrastructure
  8. Anatomy of a Lambda function
     Handler() function: function to be executed upon invocation
     Event object: data sent during Lambda function invocation
     Context object: methods available to interact with runtime information (request ID, log group, etc.)

         public String handleRequest(Book book, Context context) {
             saveBook(book);
             return book.getName() + " saved!";
         }
  9. Event sources that trigger AWS Lambda (data stores, endpoints, development and management tools, event/message services):
     Amazon S3, Amazon DynamoDB, Amazon Kinesis, Amazon Cognito, Amazon API Gateway, Amazon Alexa, AWS IoT, AWS Step Functions, AWS CloudFormation, AWS CloudTrail, Amazon CloudWatch, AWS CodeCommit, Amazon SNS, Amazon SES, Cron events ... and more!
  10. Fine-Grained Pricing
     • Buy compute time in 100ms increments
     • Low request charge
     • No hourly, daily, or monthly minimums
     • No per-device fees
     • Never pay for idle
     Free Tier: 1M requests and 400,000 GB-s of compute. Every month, every customer.
  11. Common Lambda use cases
     Web Applications
     • Static websites
     • Complex web apps
     • Packages for Flask and Express
     Data Processing
     • Real time
     • MapReduce
     • Batch
     Chatbots
     • Powering chatbot logic
     Backends
     • Apps & services
     • Mobile
     • IoT
     Amazon Alexa
     • Powering voice-enabled apps
     • Alexa Skills Kit
     IT Automation
     • Policy engines
     • Extending AWS services
     • Infrastructure management
  12. Amazon API Gateway
     • Create a unified API frontend for multiple microservices
     • Authenticate and authorize requests to a backend
     • DDoS protection and throttling for your backend
     • Throttle, meter, and monetize API usage by third-party developers
  13. API Gateway integrations (diagram)
     Internet (mobile apps, websites, services) -> Amazon CloudFront / Regional API Endpoints -> AWS API Gateway (cache; Amazon CloudWatch monitoring) -> backends: AWS Lambda functions, endpoints on Amazon EC2, endpoints in your VPC, any other AWS service, all publicly accessible endpoints
  14. Amazon API Gateway Security
     Several mechanisms for adding Authz/Authn to our API:
     • IAM Permissions
       • Use IAM policies and AWS credentials to grant access
     • Custom Authorizers
       • Use Lambda to validate a bearer token (OAuth or SAML as examples) or request parameters and grant access
     • Cognito User Pools
       • Create a completely managed user management system
  15. Authentication type comparison

     Feature                     AWS_IAM   TOKEN                      REQUEST                    COGNITO
     Authentication              X         X                          X                          X
     Authorization               X         X                          X
     Signature V4                X
     Cognito User Pools                    X                          X                          X
     Third-Party Authentication            X                          X
     Multiple Header Support                                          X
     Additional Costs            NONE      Pay per authorizer invoke  Pay per authorizer invoke  NONE
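     As an added example (not part of the deck), a Python TOKEN custom authorizer of the kind slide 14 describes: it authenticates a bearer token and returns the IAM policy that API Gateway evaluates, with extra context forwarded to the backend. The HMAC-signed token format, the SECRET value, the events:write scope and the 401/403 split are assumptions for illustration; a production authorizer would validate OAuth or Cognito JWTs against the issuer's published keys instead.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only; a deployment would load it from
# a KMS-encrypted environment variable rather than from source code.
SECRET = b"example-shared-secret-not-for-production"


def make_token(subject, scopes, exp, secret=SECRET):
    """Issue a compact HMAC-SHA256 signed token: base64(payload).base64(mac)."""
    payload = json.dumps({"sub": subject, "scope": scopes, "exp": exp},
                         separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(mac).decode())


def verify_token(token, now, secret=SECRET):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal_id, effect, method_arn, context):
    """Authorizer output: IAM policy for execute-api:Invoke plus context values that
    API Gateway forwards to the backend in requestContext.authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
            "context": context}   # context values must be strings, numbers or booleans


def handler(event, context=None, now=None):
    """TOKEN authorizer entry point: the event carries authorizationToken and methodArn."""
    now = time.time() if now is None else now
    auth = event.get("authorizationToken", "")
    claims = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        raise Exception("Unauthorized")   # API Gateway maps this message to a 401
    # Authenticated; now authorize: only the events:write scope may invoke (Deny -> 403)
    scopes = claims.get("scope", [])
    effect = "Allow" if "events:write" in scopes else "Deny"
    return build_policy(claims.get("sub", "anonymous"), effect, event["methodArn"],
                        {"scope": " ".join(scopes)})
```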
  16. Gateway responses
     Allows customization of various error responses
     • Change HTTP status code
     • Modify body content
     • Add headers
     Can customize specific responses and/or modify default 4XX/5XX
  17. API Gateway throttling
     Three levels of throttling for APIs:
     • API Key level throttling: configurable in usage plan
     • Method level throttling: configurable in stage settings
     • Account level throttling: limits can be increased
  18. API Gateway throttling
     Token bucket algorithm
     • Burst: the maximum size of the bucket
     • Rate: the number of tokens added to the bucket
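     An added example (not from the deck) of the token bucket algorithm behind slides 17 and 18, layered the way API Gateway layers it: a method-level bucket from the stage settings and a per-API-key bucket from the usage plan, with a request admitted only when both hold a token. The class and function names, the 200/429 return codes and the sample limits are assumptions made for this illustration.

```python
class TokenBucket:
    """Token bucket as API Gateway uses it: 'burst' is the bucket size and
    'rate' is the number of tokens added to the bucket per second."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = int(burst)
        self.tokens = float(burst)   # a fresh bucket starts full
        self.last = 0.0

    def refill(self, now):
        """Add tokens for the time elapsed since the last refill, capped at burst."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now

    def has_token(self):
        return self.tokens >= 1.0

    def take(self):
        self.tokens -= 1.0


class Throttler:
    """Two of the three throttling levels from the deck: a method-level bucket
    (stage settings) and a per-API-key bucket (usage plan). A request passes only
    if BOTH buckets hold a token; otherwise the gateway answers 429 Too Many Requests."""

    def __init__(self, method_rate, method_burst, key_rate, key_burst):
        self.method_bucket = TokenBucket(method_rate, method_burst)
        self.key_limits = (key_rate, key_burst)
        self.key_buckets = {}   # created lazily, one per API key

    def allow(self, api_key, now):
        if api_key not in self.key_buckets:
            self.key_buckets[api_key] = TokenBucket(*self.key_limits)
        key_bucket = self.key_buckets[api_key]
        self.method_bucket.refill(now)
        key_bucket.refill(now)
        # Check both buckets before consuming, so a rejected request burns no token
        if not (self.method_bucket.has_token() and key_bucket.has_token()):
            return 429
        self.method_bucket.take()
        key_bucket.take()
        return 200


def simulate(throttler, requests):
    """requests: iterable of (arrival_time_seconds, api_key); returns status codes."""
    return [throttler.allow(key, t) for t, key in requests]
```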
  19. API Gateway usage plans
     • API Key Throttling: rate/burst per API Key
     • API Key Quota: periodic limits per API Key
     • API Key Usage: daily usage records
  20. Custom domains (NEW)
     Run your APIs within your own DNS zone
     Recommended for supporting multiple versions:
       api.tampr.com/v1 -> restapi1
       api.tampr.com/v2 -> restapi2
     Support for cross-region redundancy with regional API endpoints
  21. (diagram) Cross-region redundancy: Amazon Route53, https://global.domain.com/ -> eu-west-1 and us-east-1, each with Amazon API Gateway -> AWS Lambda -> Amazon DynamoDB (Global Tables)
  22. Amazon API Gateway – Lambda Proxy Integration
     Input format of a Lambda function for proxy integration:

         {
           "resource": "Resource path",
           "path": "Path parameter",
           "httpMethod": "Incoming request's method name",
           "headers": {Incoming request headers},
           "queryStringParameters": {Query string parameters},
           "pathParameters": {Path parameters},
           "stageVariables": {Applicable stage variables},
           "requestContext": {Request context, including authorizer-returned key-value pairs},
           "body": "...",
           "isBase64Encoded": true|false
         }

     Output format of a Lambda function for proxy integration:

         {
           "statusCode": httpStatusCode,
           "headers": { "headerName": "headerValue", ... },
           "body": "...",
           "isBase64Encoded": true|false
         }
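     An added Python handler (not from the deck) that consumes the input format above and produces the output format: it decodes a base64 body when isBase64Encoded is set, reads the authorizer-returned principal from requestContext and a stage variable, and answers 400/405 for malformed input. The tableName stage variable, the sample events and the response bodies are constructed for this illustration.

```python
import base64
import json


def _response(status, payload, extra_headers=None):
    """Shape the output object API Gateway expects from a proxy-integrated function."""
    headers = {"Content-Type": "application/json"}
    headers.update(extra_headers or {})
    return {"statusCode": status, "headers": headers,
            "body": json.dumps(payload), "isBase64Encoded": False}


def _request_body(event):
    """Return the request body as text, honouring the isBase64Encoded flag."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        body = base64.b64decode(body).decode("utf-8")
    return body


def handler(event, context=None):
    method = event.get("httpMethod")
    path_params = event.get("pathParameters") or {}    # null when the route has none
    stage_vars = event.get("stageVariables") or {}
    # Key-value pairs returned by a Lambda authorizer arrive in requestContext.authorizer
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    principal = authorizer.get("principalId", "anonymous")
    table = stage_vars.get("tableName", "events-dev")  # assumed stage variable name

    if method == "GET":
        return _response(200, {"id": path_params.get("id"), "table": table,
                               "principal": principal})
    if method == "POST":
        try:
            item = json.loads(_request_body(event) or "{}")
        except ValueError:   # covers bad base64, bad UTF-8 and bad JSON
            return _response(400, {"message": "body is not valid JSON"})
        if not isinstance(item, dict) or not item.get("name"):
            return _response(400, {"message": "'name' is required"})
        return _response(201, {"created": item["name"], "by": principal, "table": table})
    return _response(405, {"message": "%s not allowed" % method}, {"Allow": "GET, POST"})


# Constructed sample events in the proxy-integration input format (not real captures)
SAMPLE_GET_EVENT = {
    "resource": "/events/{id}", "path": "/events/42", "httpMethod": "GET",
    "headers": {"Accept": "application/json"}, "queryStringParameters": None,
    "pathParameters": {"id": "42"}, "stageVariables": {"tableName": "events-prod"},
    "requestContext": {"authorizer": {"principalId": "alice"}},
    "body": None, "isBase64Encoded": False,
}
SAMPLE_POST_EVENT = dict(SAMPLE_GET_EVENT, httpMethod="POST", pathParameters=None,
                         body=base64.b64encode(b'{"name":"API meetup"}').decode(),
                         isBase64Encoded=True)
```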
  23. AWS Lambda + Amazon API Gateway Demo
  24. Lambda Environment Variables
     • Key-value pairs that you can dynamically pass to your function
     • Available via standard environment variable APIs such as process.env for Node.js or os.environ for Python
     • Can optionally be encrypted via AWS Key Management Service (KMS)
       • Allows you to specify in IAM which roles have access to the keys to decrypt the information
     • Useful for creating environments per stage (e.g. dev, testing, production)
  25. API Gateway Stage Variables
     • Stage variables act like environment variables
     • Use stage variables to store configuration values
     • Stage variables are available in the $context object
     • Values are accessible from most fields in API Gateway
       • Lambda function ARN
       • HTTP endpoint
       • Custom authorizer function name
       • Parameter mappings
  26. Stage Variables and Lambda Aliases
     Using stage variables in API Gateway together with Lambda function aliases, you can manage a single API configuration and Lambda function for multiple environment stages.
     (diagram) myLambdaFunction versions: 1 2 3 = prod, 4 5 6 = beta, 7 8 = dev
     My First API, stage variable = lambdaAlias: Prod stage lambdaAlias = prod; Beta stage lambdaAlias = beta; Dev stage lambdaAlias = dev
  27-29. Lambda Alias Traffic Shifting & Safe Deployments (the quote is revealed in three steps across these slides)
     “By default, an alias points to a single Lambda function version. When the alias is updated to point to a different function version, incoming request traffic in turn instantly points to the updated version. This exposes that alias to any potential instabilities introduced by the new version. To minimize this impact, you can implement the routing-config parameter of the Lambda alias that allows you to point to two different versions of the Lambda function and dictate what percentage of incoming traffic is sent to each version.” – AWS Lambda docs on “Traffic Shifting Using Aliases”

         aws lambda update-alias --name alias-name --function-name function-name --routing-config AdditionalVersionWeights={"6"=0.05}
  30. Lambda Alias Traffic Shifting
     (diagram) myLambdaFunction versions: 1 2 3 = prod, 4 5 6 = prod 5%
     My First API, stage variable = lambdaAlias: Prod stage lambdaAlias = prod

         aws lambda update-alias --name prod --function-name myLambdaFunction --routing-config AdditionalVersionWeights={"6"=0.05}
  31. Lambda Alias Traffic Shifting
     (diagram) myLambdaFunction versions: 5 6 = prod
     My First API, stage variable = lambdaAlias: Prod stage lambdaAlias = prod

         aws lambda update-alias --name prod --function-name myLambdaFunction --function-version 6 --routing-config ''
  32. Lambda Alias Traffic Shifting & AWS Step Functions
     Blog link: http://amzn.to/2FjlWA7
  33-34. SAM Globals + Safe Deployments (the same template is shown on both slides)

         Globals:
           Function:
             Runtime: nodejs4.3
             AutoPublishAlias: !Ref ENVIRONMENT

         MyLambdaFunction:
           Type: AWS::Serverless::Function
           Properties:
             Handler: index.handler
             DeploymentPreference:
               Type: Linear10PercentEvery10Minutes
               Alarms:
                 # A list of alarms that you want to monitor
                 - !Ref AliasErrorMetricGreaterThanZeroAlarm
                 - !Ref LatestVersionErrorMetricGreaterThanZeroAlarm
               Hooks:
                 # Validation Lambda functions that are run before & after traffic shifting
                 PreTraffic: !Ref PreTrafficLambdaFunction
                 PostTraffic: !Ref PostTrafficLambdaFunction
  35. Lambda Alias Traffic Shifting & AWS SAM
     AutoPublishAlias: by adding this property and specifying an alias name, AWS SAM will do the following:
     • Detect when new code is being deployed based on changes to the Lambda function's Amazon S3 URI.
     • Create and publish an updated version of that function with the latest code.
     • Create an alias with a name you provide (unless an alias already exists) that points to the updated version of the Lambda function.
     Deployment Preference Types in SAM:
     Canary10Percent30Minutes, Canary10Percent5Minutes, Canary10Percent10Minutes, Canary10Percent15Minutes, Linear10PercentEvery10Minutes, Linear10PercentEvery1Minute, Linear10PercentEvery2Minutes, Linear10PercentEvery3Minutes, AllAtOnce
  36. Lambda Alias Traffic Shifting & AWS SAM
     In SAM:

         Alarms:
           # A list of alarms that you want to monitor
           - !Ref AliasErrorMetricGreaterThanZeroAlarm
           - !Ref LatestVersionErrorMetricGreaterThanZeroAlarm
         Hooks:
           # Validation Lambda functions that are run before & after traffic shifting
           PreTraffic: !Ref PreTrafficLambdaFunction
           PostTraffic: !Ref PostTrafficLambdaFunction

     Note: You can specify a maximum of 10 alarms
  37. AWS CodeDeploy + Lambda
     NEW: Can deploy AWS Lambda!!
     • Uses AWS SAM to deploy serverless applications
     • Supports Lambda Alias Traffic Shifting, enabling canaries and blue|green deployments
     • Can roll back based on CloudWatch Metrics/Alarms
     • Pre/Post-Traffic Triggers can integrate with other services (or even call Lambda functions)
  38. AWS CodeDeploy + Lambda
     CodeDeploy comes with a number of added capabilities:
     • Custom deployment configurations. Examples:
       • “Canary 5% for 1 hour”
       • “Linear 20% every 1 hour”
     • Notification events via SNS on success/failure/rollback
     • Console with visibility on deploy status, history, and rollbacks.
  39. AWS CodeDeploy + Lambda
  40. Amazon API Gateway Canary Support (NEW!)
     Use canary release deployments to gradually roll out new APIs in Amazon API Gateway:
     • Configure the percent of traffic to go to a new stage deployment
     • Can test stage settings and variables
     • API Gateway will create an additional Amazon CloudWatch Logs group and CloudWatch metrics for the requests handled by the canary deployment API
     • To roll back: delete the deployment or set the percent of traffic to 0
  41. GraphQL: A Query Language for APIs
     • Resources defined by a GraphQL schema
     • Client sends query, server orchestrates data
     • Multiple transports (HTTP, MQTT, WebSockets)
     • Efficient (network bandwidth, dev time)
     • Self-documenting (introspection w/ tooling)
  42. Is REST dead then? Pick the appropriate protocol for your use case.
     Use GraphQL:
     • When data drives UI
     • Structured data
     • Query-driven
     • Client-driven development
     Use REST:
     • When you leverage HTTP
     • Caching
     • Content types
     • Hypermedia (HATEOAS)
     • For resources (e.g., Amazon S3)
  43. GraphQL Schema

         type Event {
           id: ID!
           name: String
           where: String
           when: String
           description: String
           comments: [Comment]
         }

         type Comment {
           commentId: String!
           eventId: ID!
           content: String!
           createdAt: String!
         }
  44. GraphQL Schema: Mutation

         type Mutation {
           createEvent(
             name: String!,
             when: String!,
             where: String!,
             description: String!
           ): Event
           deleteEvent(id: ID!): Event
           commentOnEvent(
             eventId: ID!,
             content: String!,
             createdAt: String!
           ): Comment
         }
  45. GraphQL Schema: Query

         type Query {
           getEvent(id: ID!): Event
           listEvents(
             limit: Int = 10,
             nextToken: String
           ): EventConnection
         }
  46. GraphQL Schema: Subscription

         type Subscription {
           subscribeToEventComments(eventId: String!): Comment
             @aws_subscribe(mutations: ["commentOnEvent"])
         }
  47. GraphQL Schema (Mutation, Query, Subscription)
     Realtime? YES; Batching? YES; Pagination? YES; Relations? YES; Aggregations? YES; Search? YES; Offline? YES
  48-51. AWS AppSync (architecture diagram, built up over four slides)
     A GraphQL schema is uploaded to the AppSync API; clients send GraphQL Query, Mutation and Subscription operations (real-time, offline); users come from a Cognito User Pool; data sources are a DynamoDB table, a Lambda function and Elasticsearch Service.
     Slide 49 adds a Legacy Application behind the API; slide 50 adds a DynamoDB to Elasticsearch Sync Function; slide 51 shows the schema being autogenerated as an alternative to uploading it.
  52. AWS AppSync Demo
  53. Serverless by Design, Open Source: https://sbd.danilop.net
  54. Thank you!
     Danilo Poccia, Evangelist, Serverless
     [email protected], @danilop, danilop