
Building Serverless APIs with the Amazon API Gateway and AWS AppSync

London API Professionals Meetup, London, May 23rd, 2018

In this session, we’ll review features and best practices for building serverless backends using REST and GraphQL. We’ll use tools such as Lambda functions, the Amazon API Gateway and AWS AppSync to expose your business logic or your legacy applications using an open interface and an event-driven architecture. Managing our infrastructure as code, with tools such as AWS SAM, we can implement a CI/CD pipeline that can speed up development and support safe deployments in production.

Danilo Poccia

May 23, 2018

Transcript

  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
    Danilo Poccia
    Evangelist, Serverless
    [email protected]
    @danilop
    danilop
    Building Serverless APIs
    With the AWS API Gateway and AWS AppSync

  3. Serverless means…
    No servers to provision or manage
    Scales with usage
    Never pay for idle
    Availability and fault tolerance built in

  4. Serverless applications
    Diagram: an event source (changes in data state, requests to endpoints, changes in resource state) triggers a function (Node.js, Python, Java, C#, Go), which calls services (anything).

  5. Using AWS Lambda
    Bring your own code
    • Node.js, Java, Python, C#, Go
    • Bring your own libraries (even native ones)
    Simple resource model
    • Select power rating from 128 MB to 3 GB
    • CPU and network allocated proportionately
    Flexible use
    • Synchronous or asynchronous
    • Integrated with other AWS services
    Flexible authorization
    • Securely grant access to resources and VPCs
    • Fine-grained control for invoking your functions

  6. Lambda permissions model
    Fine-grained security controls for both execution and invocation:
    Execution policies:
    • Define what AWS resources/API calls this function can access via IAM
    • Used in streaming invocations
    • E.g. “Lambda function A can read from DynamoDB table users”
    Function policies:
    • Used for sync and async invocations
    • E.g. “Actions on bucket X can invoke Lambda function Z”
    • Resource policies allow for cross-account access
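The two policy types on this slide, written out as policy documents, with a small least-privilege check. This is an added example, not code from the deck or from AWS; the account id, table, bucket and function names are placeholders, and the wildcard check is the editor's own lint, not an AWS tool.

```python
"""Added example (not from the deck): the two Lambda policy types as
documents, plus a least-privilege check over the execution policy.
All identifiers below are placeholders constructed for this example."""
import json

ACCOUNT_ID = "123456789012"   # placeholder account id
TABLE_ARN = f"arn:aws:dynamodb:eu-west-1:{ACCOUNT_ID}:table/users"
FUNCTION_ARN = f"arn:aws:lambda:eu-west-1:{ACCOUNT_ID}:function:functionZ"
BUCKET_ARN = "arn:aws:s3:::bucketX"


def execution_policy(table_arn: str) -> dict:
    """Execution (IAM role) policy: what the function itself may call.
    Slide example: 'Lambda function A can read from DynamoDB table users'.
    Only read actions, only on that one table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:BatchGetItem"],
            "Resource": table_arn,
        }],
    }


def function_policy_statement(function_arn: str, bucket_arn: str, account_id: str) -> dict:
    """Function (resource-based) policy: who may invoke the function.
    Slide example: 'Actions on bucket X can invoke Lambda function Z'.
    The SourceArn/SourceAccount conditions pin the grant to one bucket in
    one account, so a same-named bucket elsewhere cannot invoke it."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "ArnLike": {"AWS:SourceArn": bucket_arn},
            "StringEquals": {"AWS:SourceAccount": account_id},
        },
    }


def overly_broad_statements(policy: dict) -> list:
    """Return the Allow statements that use a wildcard action or resource.
    'Action': 'dynamodb:*' or 'Resource': '*' grants far more than the
    slide's 'read table users' intent."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    print(json.dumps(execution_policy(TABLE_ARN), indent=2))
    print(json.dumps(function_policy_statement(FUNCTION_ARN, BUCKET_ARN, ACCOUNT_ID), indent=2))
    print(overly_broad_statements(execution_policy(TABLE_ARN)))   # []
```

The execution policy is attached to the function's role and governs outbound calls; the function policy statement is what `aws lambda add-permission` writes and governs who may invoke. Keeping both scoped to single ARNs is what "fine-grained" on the slide means in practice.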

  7. Lambda execution model
    Diagram of the three invocation types:
    Synchronous (push): Amazon API Gateway (/order) -> AWS Lambda function
    Asynchronous (event): Amazon SNS, Amazon S3 (reqs) -> AWS Lambda function
    Stream-based: Amazon DynamoDB, Amazon Kinesis (changes) -> AWS Lambda service -> function

  8. Using AWS Lambda
    Authoring functions
    • Cloud9
    • WYSIWYG editor or upload packaged .zip
    • Third-party plugins (Eclipse, Visual Studio)
    Monitoring and logging
    • Metrics for requests, errors, and throttles
    • Built-in logs to Amazon CloudWatch Logs
    • X-Ray integration
    Programming model
    • Use processes, threads, /tmp, sockets normally
    • AWS SDK built in (Python and Node.js)
    Stateless
    • Persist data using external storage
    • No affinity or access to underlying infrastructure

  9. Anatomy of a Lambda function
    Handler() function: function to be executed upon invocation
    Event object: data sent during Lambda function invocation
    Context object: methods available to interact with runtime information (request ID, log group, etc.)
    public String handleRequest(Book book, Context context) {
        saveBook(book);
        return book.getName() + " saved!";
    }

  10. Event sources that trigger AWS Lambda
    Data stores: Amazon S3, Amazon DynamoDB, Amazon Kinesis, Amazon Cognito
    Endpoints: Amazon API Gateway, Amazon Alexa, AWS IoT, AWS Step Functions
    Development and management tools: AWS CloudFormation, AWS CloudTrail, Amazon CloudWatch, AWS CodeCommit
    Event/message services: Amazon SNS, Amazon SES, Cron events
    and more!

  11. Fine-Grained Pricing
    Buy compute time in 100ms increments
    Low request charge
    No hourly, daily, or monthly minimums
    No per-device fees
    Never pay for idle
    Free Tier: 1M requests and 400,000 GB-s of compute. Every month, every customer.

  12. Common Lambda use cases
    Web Applications
    • Static websites
    • Complex web apps
    • Packages for Flask and Express
    Data Processing
    • Real time
    • MapReduce
    • Batch
    Chatbots
    • Powering chatbot logic
    Backends
    • Apps & services
    • Mobile
    • IoT
    Amazon Alexa
    • Powering voice-enabled apps
    • Alexa Skills Kit
    IT Automation
    • Policy engines
    • Extending AWS services
    • Infrastructure management

  13. Amazon API Gateway
    Create a unified API frontend for multiple microservices
    Authenticate and authorize requests to a backend
    DDoS protection and throttling for your backend
    Throttle, meter, and monetize API usage by third-party developers

  14. API Gateway integrations
    Diagram: mobile apps, websites and services on the Internet reach API Gateway through Amazon CloudFront; the gateway (with its cache and Amazon CloudWatch monitoring) integrates with AWS Lambda functions, endpoints on Amazon EC2, endpoints in your VPC, any other AWS service, and all publicly accessible endpoints (regional API endpoints).

  15. Amazon API Gateway Security
    Several mechanisms for adding Authz/Authn to our API:
    • IAM Permissions
      • Use IAM policies and AWS credentials to grant access
    • Custom Authorizers
      • Use Lambda to validate a bearer token (OAuth or SAML as examples) or request parameters and grant access
    • Cognito User Pools
      • Create a completely managed user management system

  16. Authentication type comparison
    Feature                    | AWS_IAM | TOKEN                     | REQUEST                   | COGNITO
    Authentication             | X       | X                         | X                         | X
    Authorization              | X       | X                         | X                         |
    Signature V4               | X       |                           |                           |
    Cognito User Pools         |         | X                         | X                         | X
    Third-Party Authentication |         | X                         | X                         |
    Multiple Header Support    |         |                           | X                         |
    Additional Costs           | NONE    | Pay per authorizer invoke | Pay per authorizer invoke | NONE
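A custom authorizer of the TOKEN type from the two slides above, as an added Python example (not code from the deck or from AWS). It validates a bearer token and returns the principalId/policyDocument/context response that API Gateway expects. The token format (a base64 payload plus an HMAC tag under a shared secret) is constructed so the example runs offline; a production authorizer would verify an OAuth/OIDC JWT against the issuer's published keys instead. The secret, the method ARN and the `orders:write` scope are placeholders.

```python
"""Added example (not from the deck): a TOKEN-type Lambda custom authorizer.
Token format, secret, scope name and method ARN are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"placeholder-shared-secret"   # placeholder; load from an encrypted env var in practice


def mint_token(subject: str, scopes: list, ttl_seconds: int = 300, now: float = None) -> str:
    """Issue a token in the constructed 'payload.tag' format (test helper)."""
    now = time.time() if now is None else now
    payload = base64.urlsafe_b64encode(json.dumps(
        {"sub": subject, "scopes": scopes, "exp": int(now + ttl_seconds)}
    ).encode()).decode()
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str, now: float = None) -> dict:
    """Return the claims if the tag is valid and the token is unexpired, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".", 1)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison: do not leak how many tag bytes matched
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def policy(principal_id: str, effect: str, method_arn: str, context: dict = None) -> dict:
    """Authorizer response: principalId, an IAM policy for execute-api:Invoke,
    and an optional context that reaches the backend in requestContext.authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def handler(event: dict, context=None, now: float = None) -> dict:
    """TOKEN authorizer entry point: event carries 'authorizationToken' and 'methodArn'."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Raising 'Unauthorized' makes API Gateway answer 401 rather than 403
        raise Exception("Unauthorized")
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        raise Exception("Unauthorized")
    # Authentication done; now authorization: a valid token without the
    # required scope gets an explicit Deny for this method ARN.
    scopes = claims.get("scopes", [])
    effect = "Allow" if "orders:write" in scopes else "Deny"
    return policy(claims["sub"], effect, event["methodArn"], {"scopes": " ".join(scopes)})


# Constructed method ARN for a local run
METHOD_ARN = "arn:aws:execute-api:eu-west-1:123456789012:abcdef123/prod/POST/order"

if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = mint_token("user-1", ["orders:write"], now=t0)
    print(json.dumps(handler({"authorizationToken": "Bearer " + tok, "methodArn": METHOD_ARN}, now=t0), indent=2))
```

API Gateway caches the returned policy per token for the configured TTL, so a Deny is cached as well; the `context` values must be strings, numbers or booleans, which is why the scopes are joined into one string.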

  17. Gateway responses
    Allows customization of various error responses
    • Change HTTP status code
    • Modify body content
    • Add headers
    Can customize specific responses and/or modify default 4XX/5XX

  18. API Gateway throttling
    Three levels of throttling for APIs
    API Key level throttling—configurable in usage plan
    Method level throttling—configurable in stage settings
    Account level throttling—limits can be increased

  19. API Gateway throttling
    Token bucket algorithm
    Burst—the maximum size of the bucket
    Rate—the number of tokens added to the bucket
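The token bucket the slide describes, as an added Python example (not code from the deck or from API Gateway). Burst is the bucket capacity and rate is the refill; the example takes rate as tokens per second, which is an assumption matching how API Gateway expresses its rate limit. Time is passed in explicitly so the run is deterministic, and the traffic pattern is constructed.

```python
"""Added example (not from the deck): a token bucket with 'burst' as
capacity and 'rate' as refill per second. Timestamps are injected so the
simulation is deterministic; the request pattern is constructed."""


class TokenBucket:
    def __init__(self, rate: float, burst: int):
        self.rate = float(rate)      # tokens refilled per second
        self.burst = int(burst)      # maximum tokens the bucket can hold
        self.tokens = float(burst)   # a fresh bucket starts full
        self.last = None             # timestamp of the previous refill

    def _refill(self, now: float) -> None:
        # Add rate * elapsed tokens, never exceeding the burst size
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def allow(self, now: float) -> bool:
        """Consume one token if available; otherwise the request is throttled."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate: float, burst: int, request_times: list) -> list:
    """Run request timestamps through one bucket; return 200 or 429 per request."""
    bucket = TokenBucket(rate, burst)
    return [200 if bucket.allow(t) else 429 for t in request_times]


if __name__ == "__main__":
    # constructed traffic: 7 requests at t=0, then 3 more one second later
    times = [0.0] * 7 + [1.0] * 3
    print(simulate(rate=2, burst=5, request_times=times))
    # [200, 200, 200, 200, 200, 429, 429, 200, 200, 429]
```

With burst 5 and rate 2, the first five simultaneous requests pass and the next two are throttled; one second later only two tokens have been refilled, so a third request at that instant is throttled again. A client that stays at or below the rate never sees a 429, which is the property the burst/rate pair is meant to give.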

  20. API Gateway usage plans
    API Key Throttling: rate/burst per API key
    API Key Quota: periodic limits per API key
    API Key Usage: daily usage records

  21. Custom domains (NEW)
    Run your APIs within your own DNS zone
    Recommended for supporting multiple versions
    api.tampr.com/v1 -> restapi1
    api.tampr.com/v2 -> restapi2
    Support for cross-region redundancy with regional API endpoints

  22. Diagram: cross-region redundancy. Amazon Route53 serves https://global.domain.com/ and routes to a regional stack in eu-west-1 and one in us-east-1, each made of Amazon API Gateway, AWS Lambda and Amazon DynamoDB, with the tables replicated between regions by DynamoDB Global Tables.

  23. Amazon API Gateway – Lambda Proxy Integration
    Input Format of a Lambda Function for Proxy Integration
    {
        "resource": "Resource path",
        "path": "Path parameter",
        "httpMethod": "Incoming request's method name",
        "headers": {Incoming request headers},
        "queryStringParameters": {Query string parameters},
        "pathParameters": {Path parameters},
        "stageVariables": {Applicable stage variables},
        "requestContext": {Request context, including authorizer-returned key-value pairs},
        "body": "...",
        "isBase64Encoded": true|false
    }
    Output Format of a Lambda Function for Proxy Integration
    {
        "statusCode": httpStatusCode,
        "headers": { "headerName": "headerValue", ... },
        "body": "...",
        "isBase64Encoded": true|false
    }
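A Python handler that consumes the input format and produces the output format shown on the slide, added here as an example (not code from the deck). It covers the two places proxy handlers usually go wrong: the map fields arrive as `null` rather than `{}` when absent, and a body for a binary media type arrives base64-encoded. The `/order` route, the order schema and the sample event are constructed.

```python
"""Added example (not from the deck): a Lambda proxy-integration handler.
The /order route, the order schema and SAMPLE_EVENT are constructed."""
import base64
import json


def respond(status: int, body: dict, extra_headers: dict = None) -> dict:
    """Output format: statusCode, headers, body (a string, not an object), isBase64Encoded."""
    headers = {"Content-Type": "application/json"}
    headers.update(extra_headers or {})
    return {"statusCode": status, "headers": headers, "body": json.dumps(body), "isBase64Encoded": False}


def request_body(event: dict) -> bytes:
    """Body arrives as a string; binary media types arrive base64-encoded."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        return base64.b64decode(body)
    return body.encode("utf-8")


def body_of(response: dict) -> dict:
    """Decode the JSON body of a proxy response (helper for callers and tests)."""
    return json.loads(response["body"])


def handler(event: dict, context=None) -> dict:
    # Map fields are None (not {}) when the request has none of them
    query = event.get("queryStringParameters") or {}
    path_params = event.get("pathParameters") or {}
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}

    if event.get("httpMethod") != "POST":
        return respond(405, {"error": "method not allowed"}, {"Allow": "POST"})

    try:
        order = json.loads(request_body(event).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        # Malformed input is a 400; an uncaught exception would surface as a 502
        return respond(400, {"error": "body must be JSON"})

    items = order.get("items") if isinstance(order, dict) else None
    if not isinstance(items, list) or not items:
        return respond(400, {"error": "items required"})

    return respond(201, {
        "orderId": path_params.get("id", "new"),
        "items": len(items),
        "verbose": query.get("verbose") == "1",
        "principal": authorizer.get("principalId"),   # set by a custom authorizer, if any
    })


# Constructed proxy event for a local run
SAMPLE_EVENT = {
    "resource": "/order",
    "path": "/order",
    "httpMethod": "POST",
    "headers": {"Content-Type": "application/json"},
    "queryStringParameters": {"verbose": "1"},
    "pathParameters": None,
    "stageVariables": {"lambdaAlias": "prod"},
    "requestContext": {"authorizer": {"principalId": "user-1"}},
    "body": base64.b64encode(json.dumps({"items": ["a", "b"]}).encode()).decode(),
    "isBase64Encoded": True,
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Every return path goes through `respond`, so the function never hands API Gateway a bare dict or a non-string body, which the proxy integration rejects with a 502 "Malformed Lambda proxy response".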

  24. AWS Lambda + Amazon API Gateway
    Demo

  25. Lambda Environment Variables
    • Key-value pairs that you can dynamically pass to your function
    • Available via standard environment variable APIs such as process.env for Node.js or os.environ for Python
    • Can optionally be encrypted via AWS Key Management Service (KMS)
      • Allows you to specify in IAM what roles have access to the keys to decrypt the information
    • Useful for creating environments per stage (e.g. dev, testing, production)

  26. API Gateway Stage Variables
    • Stage variables act like environment variables
    • Use stage variables to store configuration values
    • Stage variables are available in the $context object
    • Values are accessible from most fields in API Gateway
      • Lambda function ARN
      • HTTP endpoint
      • Custom authorizer function name
      • Parameter mappings

  27. Stage Variables and Lambda Aliases
    Using Stage Variables in API Gateway together with Lambda function Aliases you can manage a single API configuration and Lambda function for multiple environment stages
    Diagram: myLambdaFunction has versions 1 to 8, with aliases prod = version 3, beta = version 6 and dev = version 8. "My First API" reads the stage variable lambdaAlias: the Prod stage sets lambdaAlias = prod, Beta sets lambdaAlias = beta, Dev sets lambdaAlias = dev.

  30. Lambda Alias Traffic Shifting & Safe Deployments
    “By default, an alias points to a single Lambda function version. When the alias is updated to point to a different function version, incoming request traffic in turn instantly points to the updated version.
    This exposes that alias to any potential instabilities introduced by the new version.
    To minimize this impact, you can implement the routing-config parameter of the Lambda alias that allows you to point to two different versions of the Lambda function and dictate what percentage of incoming traffic is sent to each version.”
    – AWS Lambda docs on “Traffic Shifting Using Aliases”
    aws lambda update-alias --name alias-name --function-name function-name --routing-config AdditionalVersionWeights={"6"=0.05}

  31. Lambda Alias Traffic Shifting
    Diagram: myLambdaFunction has versions 1 to 6; the prod alias points to version 3 and sends 5% of traffic to version 6. "My First API" Prod stage, stage variable lambdaAlias = prod.
    aws lambda update-alias --name prod --function-name myLambdaFunction --routing-config AdditionalVersionWeights={"6"=0.05}

  32. Lambda Alias Traffic Shifting
    Diagram: myLambdaFunction versions 5 and 6; the prod alias now points to version 6 only. "My First API" Prod stage, stage variable lambdaAlias = prod.
    aws lambda update-alias --name prod --function-name myLambdaFunction --function-version 6 --routing-config ''
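What the two `update-alias` commands on slides 31 and 32 mean at invocation time, modelled in Python as an added example (this is a model of the documented behaviour, not Lambda's own code). An alias has one primary version and at most one additional version with a weight between 0 and 1; each invocation picks a version by that weight. The version numbers follow the slides; the invocation counts are simulated with a seeded generator.

```python
"""Added example (not from the deck): a model of alias routing-config.
Version numbers follow the slides; traffic is simulated with a seeded RNG."""
import random


class Alias:
    def __init__(self, name: str, function_version: str, additional_version_weights: dict = None):
        weights = dict(additional_version_weights or {})
        # Lambda allows a single additional version, distinct from the primary,
        # with a weight in [0, 1]; reject anything else before it reaches an API call
        if len(weights) > 1:
            raise ValueError("only one additional version is allowed")
        for version, w in weights.items():
            if version == function_version:
                raise ValueError("additional version must differ from the primary")
            if not 0.0 <= w <= 1.0:
                raise ValueError("weight must be between 0 and 1")
        self.name = name
        self.function_version = function_version
        self.additional_version_weights = weights

    def resolve(self, rng: random.Random) -> str:
        """Pick the version one invocation is routed to."""
        for version, w in self.additional_version_weights.items():
            if rng.random() < w:
                return version
        return self.function_version

    def update(self, function_version: str = None, additional_version_weights: dict = None) -> "Alias":
        """Mirror of `aws lambda update-alias`: unspecified settings are kept."""
        return Alias(
            self.name,
            function_version or self.function_version,
            self.additional_version_weights if additional_version_weights is None else additional_version_weights,
        )


def traffic_split(alias: Alias, invocations: int, seed: int = 1) -> dict:
    """Count how many simulated invocations each version receives."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(invocations):
        v = alias.resolve(rng)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    prod = Alias("prod", "3")
    # slide 31: --routing-config AdditionalVersionWeights={"6"=0.05}
    prod = prod.update(additional_version_weights={"6": 0.05})
    print(traffic_split(prod, 10000))     # roughly 9500 on "3", 500 on "6"
    # slide 32: promote version 6 and clear the split
    prod = prod.update(function_version="6", additional_version_weights={})
    print(traffic_split(prod, 10000))     # {"6": 10000}
```

Because the API stage resolves the function through the `lambdaAlias` stage variable, neither command touches the API Gateway configuration: the canary and the promotion happen entirely on the Lambda side, which is what keeps the alarm-driven rollback on the later slides a single alias update.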

  33. Lambda Alias Traffic Shifting & AWS Step Functions
    Blog link: http://amzn.to/2FjlWA7

  34. SAM Globals + Safe Deployments
    Globals:
      Function:
        Runtime: nodejs4.3
        AutoPublishAlias: !Ref ENVIRONMENT
    MyLambdaFunction:
      Type: AWS::Serverless::Function
      Properties:
        Handler: index.handler
        DeploymentPreference:
          Type: Linear10PercentEvery10Minutes
          Alarms:
            # A list of alarms that you want to monitor
            - !Ref AliasErrorMetricGreaterThanZeroAlarm
            - !Ref LatestVersionErrorMetricGreaterThanZeroAlarm
          Hooks:
            # Validation Lambda functions that are run before & after traffic shifting
            PreTraffic: !Ref PreTrafficLambdaFunction
            PostTraffic: !Ref PostTrafficLambdaFunction

  36. Lambda Alias Traffic Shifting & AWS SAM
    In SAM: AutoPublishAlias
    By adding this property and specifying an alias name, AWS SAM will do the following:
    • Detect when new code is being deployed based on changes to the Lambda function's Amazon S3 URI.
    • Create and publish an updated version of that function with the latest code.
    • Create an alias with a name you provide (unless an alias already exists) and point it to the updated version of the Lambda function.
    Deployment Preference Type:
    Canary10Percent30Minutes
    Canary10Percent5Minutes
    Canary10Percent10Minutes
    Canary10Percent15Minutes
    Linear10PercentEvery10Minutes
    Linear10PercentEvery1Minute
    Linear10PercentEvery2Minutes
    Linear10PercentEvery3Minutes
    AllAtOnce

  37. Lambda Alias Traffic Shifting & AWS SAM
    In SAM:
    Alarms: # A list of alarms that you want to monitor
      - !Ref AliasErrorMetricGreaterThanZeroAlarm
      - !Ref LatestVersionErrorMetricGreaterThanZeroAlarm
    Hooks: # Validation Lambda functions that are run before & after traffic shifting
      PreTraffic: !Ref PreTrafficLambdaFunction
      PostTraffic: !Ref PostTrafficLambdaFunction
    Note: You can specify a maximum of 10 alarms

  38. AWS CodeDeploy + Lambda
    NEW: Can deploy AWS Lambda!!
    Uses AWS SAM to deploy serverless applications
    Supports Lambda Alias Traffic Shifting, enabling canaries and blue/green deployments
    Can rollback based on CloudWatch Metrics/Alarms
    Pre/Post-Traffic Triggers can integrate with other services (or even call Lambda functions)

  39. AWS CodeDeploy + Lambda
    CodeDeploy comes with a number of added capabilities:
    • Custom deployment configurations. Examples:
      • “Canary 5% for 1 hour”
      • “Linear 20% every 1 hour”
    • Notification events via SNS on success/failure/rollback
    • Console with visibility on deploy status, history, and rollbacks.

  40. AWS CodeDeploy + Lambda

  41. Amazon API Gateway Canary Support (NEW!)
    Use canary release deployments to gradually roll out new APIs in Amazon API Gateway:
    • configure the percent of traffic to go to a new stage deployment
    • can test stage settings and variables
    • API Gateway will create an additional Amazon CloudWatch Logs group and CloudWatch metrics for the requests handled by the canary deployment API
    • To rollback: delete the deployment or set the percent of traffic to 0

  42. GraphQL: A Query Language for APIs
    Resources defined by a GraphQL schema
    Client sends query, server orchestrates data
    Multiple transports (HTTP, MQTT, WebSockets)
    Efficient (network bandwidth, dev time)
    Self-documenting (introspection w/tooling)

  43. Is REST dead then?
    Use GraphQL
    • When data drives UI
    • Structured data
    • Query-driven
    • Client-driven development
    Use REST
    • When you leverage HTTP
    • Caching
    • Content types
    • Hypermedia (HATEOAS)
    • For resources (e.g., Amazon S3)
    Pick the appropriate protocol for your use case

  44. GraphQL Schema
    type Event {
      id: ID!
      name: String
      where: String
      when: String
      description: String
      comments: [Comment]
    }
    type Comment {
      commentId: String!
      eventId: ID!
      content: String!
      createdAt: String!
    }

  45. GraphQL Schema: Mutation
    type Mutation {
      createEvent(
        name: String!,
        when: String!,
        where: String!,
        description: String!
      ): Event
      deleteEvent(id: ID!): Event
      commentOnEvent(
        eventId: ID!,
        content: String!,
        createdAt: String!
      ): Comment
    }

  46. GraphQL Schema: Query
    type Query {
      getEvent(id: ID!): Event
      listEvents(
        limit: Int = 10,
        nextToken: String
      ): EventConnection
    }

  47. GraphQL Schema: Subscription
    type Subscription {
      subscribeToEventComments(eventId: String!): Comment
        @aws_subscribe(mutations: ["commentOnEvent"])
    }
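A resolver for the `listEvents(limit, nextToken): EventConnection` field from the Query slide, written in Python over an in-memory list standing in for the DynamoDB table, as an added example (not code from the deck or from AppSync, whose resolvers are VTL mapping templates). The deck never shows `EventConnection`, so the example assumes the usual `{items: [Event], nextToken: String}` shape. The cursor is opaque and HMAC-tagged so a client cannot hand-craft a `nextToken` that starts reading from an arbitrary position, and `limit` is capped server-side; the signing key and the 25 sample events are constructed.

```python
"""Added example (not from the deck): a paginated listEvents resolver.
EventConnection shape, CURSOR_KEY and the EVENTS table are constructed."""
import base64
import hashlib
import hmac
import json

CURSOR_KEY = b"placeholder-cursor-key"   # placeholder; keep out of source in a real deployment
MAX_LIMIT = 100                          # hard cap regardless of what the client asks for

# constructed table: 25 events, already in id order, matching the Event type on slide 44
EVENTS = [{"id": f"evt-{i:03d}", "name": f"Event {i}", "where": "London", "when": "2018-05-23",
           "description": "constructed sample", "comments": []} for i in range(25)]


def encode_token(position: int) -> str:
    """Opaque cursor: JSON body plus a truncated HMAC tag, base64-encoded."""
    body = json.dumps({"pos": position}).encode()
    tag = hmac.new(CURSOR_KEY, body, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(body + tag).decode()


def decode_token(token: str) -> int:
    """Reject a cursor whose tag does not match before trusting its position."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-16], raw[-16:]
    expected = hmac.new(CURSOR_KEY, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("invalid nextToken")
    return json.loads(body)["pos"]


def list_events(limit: int = 10, next_token: str = None, table: list = EVENTS) -> dict:
    """Resolver for listEvents: returns an EventConnection-shaped dict."""
    if limit is None or limit < 1:
        limit = 10                       # the schema default
    limit = min(limit, MAX_LIMIT)
    start = decode_token(next_token) if next_token else 0
    page = table[start:start + limit]
    end = start + len(page)
    return {"items": page, "nextToken": encode_token(end) if end < len(table) else None}


def fetch_all(limit: int = 10) -> list:
    """Walk every page the way a client following nextToken would."""
    token, out = None, []
    while True:
        conn = list_events(limit, token)
        out.extend(conn["items"])
        token = conn["nextToken"]
        if token is None:
            return out


if __name__ == "__main__":
    first = list_events()
    print(len(first["items"]), first["nextToken"])
    print(len(fetch_all()))   # 25
```

A DynamoDB-backed resolver would carry the table's `LastEvaluatedKey` inside the cursor instead of an offset, but the two points stay the same: the client never sees or controls the raw key, and the server decides the page size ceiling.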

  48. GraphQL Schema: Mutation, Query, Subscription
    Realtime? YES
    Batching? YES
    Pagination? YES
    Relations? YES
    Aggregations? YES
    Search? YES
    Offline? YES

  49. AWS AppSync
    Diagram: a GraphQL schema is uploaded to the AppSync API, which authenticates clients with a Cognito User Pool, serves GraphQL query, mutation and subscription (real-time, offline) and resolves data from a DynamoDB table, a Lambda function and Elasticsearch Service.

  50. AWS AppSync
    Diagram: as on the previous slide, with the Lambda function data source fronting a legacy application.

  51. AWS AppSync
    Diagram: as on the previous slides, with a DynamoDB to Elasticsearch sync function keeping the Elasticsearch Service data source in step with the DynamoDB table.

  52. AWS AppSync
    Diagram: as on the previous slides, but the GraphQL schema is autogenerated from the DynamoDB table instead of being uploaded.

  53. AWS AppSync
    Demo

  54. Serverless by Design (Open Source)
    https://sbd.danilop.net

  55. Thank you!
    Danilo Poccia
    Evangelist, Serverless
    [email protected]
    @danilop
    danilop