Serverless functions deep dive

AWS Summit Benelux, Amsterdam, April 17th, 2019

Danilo Poccia

April 17, 2019
Transcript

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    SUMMIT
    Serverless functions deep dive
    Danilo Poccia, Principal Evangelist, Serverless, AWS, @danilop
    Olaf Conijn, IT Architect, Moneyou, [email protected]

  2. AWS operational responsibility models
    From on-premises (AWS carries less of the operational responsibility) to cloud (more), left to right:
    • Compute: Virtual Machine → EC2 → Elastic Beanstalk / Fargate → AWS Lambda
    • Databases: MySQL → MySQL on EC2 → RDS MySQL → RDS Aurora → Aurora Serverless → DynamoDB
    • Storage: Storage → S3
    • Messaging: ESBs → Amazon MQ → Kinesis → SQS / SNS
    • Analytics: Hadoop → Hadoop on EC2 → EMR → Elasticsearch Service → Athena

  4. Serverless applications
    Event sources: changes in data state, requests to endpoints, changes in resource state, services (anything)
    Function runtimes: Node.js, Python, Java, C# / F# / PowerShell, Go, Ruby, Runtime API (custom runtimes)

  5. Anatomy of a Lambda function
    • Handler() function: the function to be executed upon invocation
    • Event object: data sent during the Lambda function invocation
    • Context object: methods available to interact with runtime information (request ID, log group, more)

    import json

    def lambda_handler(event, context):
        # TODO implement
        return {
            'statusCode': 200,
            'body': json.dumps('Hello World!')
        }

  6. Lambda Layers
    • Lets functions easily share code: upload a layer once, reference it within any function
    • Promotes separation of responsibilities, lets developers iterate faster on writing business logic
    • Built-in support for secure sharing by the ecosystem

  7. Using Lambda Layers
    • Put common components in a ZIP file and upload it as a Lambda Layer
    • Layers are immutable and can be versioned to manage updates
    • When a version is deleted or permissions to use it are revoked, functions that used it previously will continue to work, but you won’t be able to create new ones
    • You can reference up to five layers, one of which can optionally be a custom runtime
    Layer version ARNs, for example:
    arn:aws:lambda:region:accountId:layer:shared-lib
    arn:aws:lambda:region:accountId:layer:shared-lib:2
    arn:aws:lambda:region:accountId:layer:shared-lib:3

  8. Lambda Runtime API
    • Bring any Linux-compatible language runtime
    • Powered by the new Runtime API, which codifies the runtime calling conventions and integration points
    • At launch, custom runtimes power Ruby support in AWS Lambda; more runtimes come from partners (like Erlang)
    • Custom runtimes are distributed as “layers”

  9. Runtime Bootstrap
    • The bootstrap executable acts as a bridge between the Runtime HTTP API and the function to be executed
    • Bootstrap needs to manage response/error handling, context creation and function execution
    • Information on the interface endpoint and the function handler is shared as environment variables
    Runtime API endpoints: /invocation/next, /init/error, /invocation/ID/response, /invocation/ID/error
    Bootstrap loop: process events/headers → initialize and invoke function → response/error handling → clean up
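A bootstrap implementing the loop sketched on slide 9, added here as a worked example (it is not code from the deck or from AWS). It assumes the 2018-06-01 Runtime API version and the AWS_LAMBDA_RUNTIME_API, _HANDLER and LAMBDA_TASK_ROOT environment variables that the Lambda service sets; the transport and host parameters of serve_one are this example's own additions so the loop can be exercised offline against a fake.

```python
import json
import os
import sys
import traceback
import urllib.request

API_VERSION = "2018-06-01"  # Runtime API version prefix used by the Lambda service


def runtime_url(path, host=None):
    """Build a Runtime API URL; the host normally comes from AWS_LAMBDA_RUNTIME_API."""
    host = host or os.environ["AWS_LAMBDA_RUNTIME_API"]
    return f"http://{host}/{API_VERSION}/runtime{path}"


def http(method, url, body=None):
    """Tiny transport: returns (headers dict, body bytes)."""
    req = urllib.request.Request(url, data=body, method=method)
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers.items()), resp.read()


def load_handler(spec):
    """_HANDLER is 'module.function' (e.g. 'index.get'), located in LAMBDA_TASK_ROOT."""
    module_name, func_name = spec.rsplit(".", 1)
    sys.path.insert(0, os.environ.get("LAMBDA_TASK_ROOT", "."))
    return getattr(__import__(module_name), func_name)


def serve_one(handler, transport=http, host=None):
    """Take one event from /invocation/next, run the handler, then report the
    result to /invocation/ID/response or the failure to /invocation/ID/error."""
    headers, raw = transport("GET", runtime_url("/invocation/next", host))
    request_id = next(v for k, v in headers.items()
                      if k.lower() == "lambda-runtime-aws-request-id")
    try:
        result = handler(json.loads(raw), {"aws_request_id": request_id})
        transport("POST", runtime_url(f"/invocation/{request_id}/response", host),
                  json.dumps(result).encode())
    except Exception as exc:  # report the error instead of crashing the process
        error = {"errorType": type(exc).__name__, "errorMessage": str(exc),
                 "stackTrace": traceback.format_exc().splitlines()}
        transport("POST", runtime_url(f"/invocation/{request_id}/error", host),
                  json.dumps(error).encode())
    return request_id


def main():
    try:
        handler = load_handler(os.environ["_HANDLER"])
    except Exception as exc:  # initialization failures are reported to /init/error
        http("POST", runtime_url("/init/error"),
             json.dumps({"errorType": type(exc).__name__,
                         "errorMessage": str(exc)}).encode())
        raise
    while True:  # one event per iteration, for the life of the execution environment
        serve_one(handler)


if __name__ == "__main__":
    main()
```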

  10. Build PCI and HIPAA compliant serverless applications!
    Serverless platform services that can be used in both:

  11. Start with a framework
    • AWS: AWS Chalice, AWS Amplify, AWS SAM
    • Third-party: Serverless Framework

  12. Meet SAM!

  13. AWS Serverless Application Model (SAM)
    • AWS CloudFormation extension optimized for serverless
    • Special serverless resource types: Functions, APIs, SimpleTables, Layers, and Applications
    • Supports anything AWS CloudFormation supports
    • Open specification (Apache 2.0)
    https://aws.amazon.com/serverless/sam

  14. SAM template
    AWSTemplateFormatVersion: '2010-09-09'
    Transform: AWS::Serverless-2016-10-31
    Resources:
      GetFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: index.get
          Runtime: nodejs8.10
          CodeUri: src/
          Policies:
            - DynamoDBReadPolicy:
                TableName: !Ref MyTable
          Events:
            GetResource:
              Type: Api
              Properties:
                Path: /resource/{resourceId}
                Method: get
      MyTable:
        Type: AWS::Serverless::SimpleTable
    Just 20 lines to create:
    • Lambda function
    • IAM role
    • API Gateway
    • DynamoDB table
    Open Source

  15. AWS SAM Command Line Interface (AWS SAM CLI)
    • CLI tool for local development, debugging, testing, deploying, and monitoring of serverless applications
    • Supports API Gateway “proxy-style” and Lambda service API testing
    • Response object and function logs available on your local machine
    • Uses open source docker-lambda images to mimic Lambda’s execution environment, such as timeout, memory limits, runtimes
    • Can tail production logs from CloudWatch Logs
    • Can help you build in native dependencies
    https://aws.amazon.com/serverless/sam

  16. Use SAM CLI to package and deploy SAM templates
    pip install --user aws-sam-cli
    sam init --name my-app --runtime python
    cd my-app/
    sam local ... # generate-event/invoke/start-api/start-lambda
    sam validate # The SAM template
    sam build # Depending on the runtime
    sam package --s3-bucket my-packages-bucket \
        --output-template-file packaged.yaml
    sam deploy --template-file packaged.yaml \
        --stack-name my-stack-prod
    sam logs -n MyFunction --stack-name my-stack-prod -t # Tail
    sam publish # To the Serverless Application Repository
    Open Source
    CI/CD integration:
    • CodePipeline: use CloudFormation deployment actions with any SAM application
    • Jenkins: use the SAM CLI plugin

  18. With the AWS Serverless Application Repository, developers can…
    • Discover and deploy ready-made apps and code samples
    • Combine applications in the app repository with their own via Nested Applications
    • Customize open-source apps to get started quickly
    • Share apps privately or publish apps for public use

  19. Nested apps to simplify solving recurring problems
    TweetSource:
      Type: AWS::Serverless::Application
      Properties:
        Location:
          ApplicationId: arn:aws:serverlessrepo:...
          SemanticVersion: 2.0.0
        Parameters:
          TweetProcessorFunctionName: !Ref MyFunction
          SearchText: '#serverless -filter:nativeretweets'
    Standard component (the nested app): a polling schedule (CloudWatch Events rule) triggers TwitterSearchPoller, which calls the Twitter Search API and keeps a SearchCheckpoint
    Custom business logic (your function): TwitterProcessor

  20. AWS SAM Template Capabilities
    • Can mix in other non-SAM CloudFormation resources in the same template, e.g. Amazon S3, Amazon Kinesis, AWS Step Functions
    • Supports use of Parameters, Mappings, Outputs, etc.
    • Supports Intrinsic Functions
    • Can use ImportValue (exceptions for RestApiId, Policies, StageName attributes)
    • YAML or JSON

  21. AWS Lambda Environment Variables
    • Key-value pairs that you can dynamically pass to your function
    • Available via standard environment variable APIs such as process.env for Node.js or os.environ for Python
    • Can optionally be encrypted via AWS Key Management Service (KMS)
      • Allows you to specify in IAM which roles have access to the keys to decrypt the information
    • Useful for creating environments per stage (e.g. dev, testing, production)

  22. Amazon API Gateway Stage Variables
    Stage variables act like environment variables
    • Use stage variables to store configuration values
    • Stage variables are available in the $context object
    • Values are accessible from most fields in API Gateway:
      • Lambda function ARN
      • HTTP endpoint
      • Custom authorizer function name
      • Parameter mappings

  23. AWS Lambda and Amazon API Gateway Variables + SAM
    Parameters:
      MyEnvironment:
        Type: String
        Default: test
        AllowedValues:
          - test
          - staging
          - prod
        Description: Environment of this stack of resources
    Mappings:
      SpecialFeature1:
        test:
          status: on
        staging:
          status: on
        prod:
          status: off
    Resources:
      # Lambda
      MyFunction:
        Type: 'AWS::Serverless::Function'
        Properties:
          ...
          Environment:
            Variables:
              ENVIRONMENT: !Ref MyEnvironment
              Spec_Feature1: !FindInMap [SpecialFeature1, !Ref MyEnvironment, status]
      # API Gateway
      MyApiGatewayApi:
        Type: AWS::Serverless::Api
        Properties:
          ...
          Variables:
            ENVIRONMENT: !Ref MyEnvironment

  25. AWS SAM + Safe Deployments
    MyLambdaFunction:
      Type: AWS::Serverless::Function
      Properties:
        Handler: index.handler
        Runtime: nodejs6.10
        AutoPublishAlias: !Ref ENVIRONMENT
        DeploymentPreference:
          Type: Linear10PercentEvery10Minutes
          Alarms:
            # A list of alarms that you want to monitor
            - !Ref AliasErrorMetricGreaterThanZeroAlarm
            - !Ref LatestVersionErrorMetricGreaterThanZeroAlarm
          Hooks:
            # Validation Lambda functions that are run before & after traffic shifting
            PreTraffic: !Ref PreTrafficLambdaFunction
            PostTraffic: !Ref PostTrafficLambdaFunction

  26. AWS SAM Globals
    Globals:
      Function:
        Runtime: nodejs6.10
        CodeUri: s3://code-artifacts/pet_app1234.zip
        MemorySize: 1024
        Timeout: 30
        AutoPublishAlias: !Ref ENVIRONMENT
    Resources:
      getDogsFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: getDogs.handler
          Events:
            GetDogs:
              Type: Api
              Properties:
                Path: /Dogs
                Method: ANY
      getCatsFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: getCats.handler
          Events:
            GetCats:
              Type: Api
              Properties:
                Path: /Cats
                Method: ANY
      getBirdsFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: getBirds.handler
          Timeout: 15  # overrides the global Timeout of 30 for this function only
          Events:
            GetBirds:
              Type: Api
              Properties:
                Path: /Birds
                Method: ANY

  27. Lambda permissions model
    Fine-grained security controls for both execution and invocation:
    Execution policies:
    • Define, via IAM, which AWS resources/API calls this function can access
    • Used in streaming invocations
    • E.g. “Lambda function A can read from DynamoDB table users”
    Function policies:
    • Used for sync and async invocations
    • E.g. “Actions on bucket X can invoke Lambda function Z”
    • Resource policies allow for cross-account access

  28. AWS SAM Policy Templates
    MyQueueFunction:
      Type: AWS::Serverless::Function
      Properties:
        ...
        Policies:
          # Gives permissions to poll an SQS Queue
          - SQSPollerPolicy:
              # The template's parameter is QueueName and expects the queue name;
              # !Ref on an AWS::SQS::Queue would return the queue URL instead
              QueueName: !GetAtt MyQueue.QueueName
        ...
    MyQueue:
      Type: AWS::SQS::Queue
      ...

  29. SAM Policy Templates
    45+ predefined policies, all found here: https://bit.ly/2xWycnj

  30. Best Practices

  31. AWS SAM Best Practices
    • Use Parameters and Mappings when possible to build dynamic templates based on user inputs and pseudo parameters such as AWS::Region
    • Use the Globals section to simplify templates
    • Use Export & ImportValue to share resource information across stacks
    • Build out multiple environments, such as for Development, Test, Production and even DR, using the same template, even across accounts
    Pipeline: SAM template in source control → Dev → Test → Prod

  33. Serverless @ Moneyou
    Olaf Conijn, IT Architect

  34. About Moneyou
    • Full subsidiary of ABN Amro
    • Online savings since 2008
    • Currently:
      • 0.5 million customers in NL and DE
      • Combined savings & payments proposition
    • Small organization (<200 FTE)
    • Focus on UX and customer centricity

  35. Choosing Serverless

  36. Moneyou’s journey to become a fintech
    Moneyou until 2016
    • Label for ABN AMRO products
    • IT was outsourced to partners
      • Hosting & development
      • Core banking & channels
    Moneyou in 2016
    • Started to build a new payment proposition
    • Need for short time to market & cost efficiency
    • Need to insource software development in a modern way
    • Ambition to do DevOps

  37. Target architecture
    Layers shown: apps; web APIs; Orchestration (serverless); back-end systems Thaler & OpenAM, Salesforce, Bankable

  38. Our experience so far
    Serverless benefits
    Need for compliance, security and other non-functionals

  39. Serverless, not FAAS

  40. Platform needs
    • Short Time To Market
    • Cost effectiveness
    • Simplicity
    • Confidentiality & Integrity of data
    • Continuous compliance
    How they are met:
    • Serverless
    • Multi-account setup (AWS Organizations)
    • Automated compliance checks (AWS Config)
    • Encrypt everything (AWS KMS)
    • Everything is code (CloudFormation / serverless.com)

  41. AWS Organisations: Multi-account setup
    • Development account per team
    • Production account per system
    • Demonstrably in control of production data
    • Reduce blast radius
    • Cost allocation per account
    • Scalable

  42. Infrastructure as code
    • Everything is code
    • Features use the serverless.com framework
    • Platform uses:
      • CloudFormation StackSets
      • serverless.com framework
      • Custom build process

  43. Continuous compliance
    • SCPs to whitelist services
    • For every service, compliant configurations are defined
    • AWS Config keeps track of all resources
      • Notifies on non-compliant configuration
      • Notifications are sent to the account owner and the platform team (incl. CISO)
    • All production systems run at our most critical CIA rating
    • Stay away from: EC2 or VPC

  44. Patterns & lessons learned

  45. On-premise connectivity
    Patterns & lessons learned

  46. On-premise connectivity
    • Lambdas are best run outside of a VPC
      • Lambdas in a VPC suffer additional cold-start time
      • Additional complexity managing VPCs
    • Connectivity to on-prem is done through a VPC and Direct Connect/VPN
    • Solution: API Gateway and IAM to proxy on-prem services
      • VPCs centrally managed
      • Lambdas/features run outside a VPC
      • Highly scalable, highly available

  47. On-premise connectivity: Lambda outside VPC
    • Authorize workload account in API GW Resource Policy
    • Authorize Lambda to call API GW in shared account
    • Sign HTTP requests using AWS v4 Signature

  48. On-premise connectivity: Lambda outside VPC - Caveats
    • NLB uses IP addresses of on-premise servers
    • API GW Proxy requires back-end TLS cert to be signed by a trusted CA
    • AWS v4 request signing requires access to the underlying HTTP client
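The request-signing step from slides 47 and 48, as an added example (not code from the deck or from Moneyou): a SigV4 signer built from the AWS-documented algorithm on the Python standard library only, which is the piece you need when your HTTP client cannot be wrapped by an SDK. It assumes the caller supplies the credentials and the x-amz-date timestamp, and that the request path contains nothing that needs URI encoding.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4' + secret, date), region), service), 'aws4_request')."""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, service, "aws4_request"):
        key = _hmac_sha256(key, part)
    return key


def canonical_request(method, path, query, headers, payload):
    """Canonical form: method, URI, sorted query string, lower-cased sorted
    headers, the signed-header list and the hex SHA-256 of the payload.
    Assumption of this example: the path needs no URI encoding."""
    query_string = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(query.items()))
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(canon))
    header_block = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    return (f"{method}\n{path}\n{query_string}\n{header_block}\n{signed}\n"
            f"{_sha256_hex(payload)}"), signed


def sign(method, host, path, query, headers, payload, access_key, secret_key,
         region, service, amz_date):
    """Return the headers to send. amz_date is 'YYYYMMDDTHHMMSSZ'; host and
    x-amz-date are always signed, so a tampered or stale request fails verification."""
    headers = {**headers, "host": host, "x-amz-date": amz_date}
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    creq, signed = canonical_request(method, path, query, headers, payload)
    string_to_sign = f"{ALGORITHM}\n{amz_date}\n{scope}\n{_sha256_hex(creq.encode('utf-8'))}"
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

For the pattern on slide 47 the service name is execute-api and the caller's IAM role must also be allowed to invoke the API in the shared account; the signature alone grants nothing.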

  49. Strong consistency
    Patterns & lessons learned

  50. Strong consistency
    • Event-driven architectures benefit from
      • Eventual consistency for scalability
      • Retry mechanisms for reliability
    • What if… strong consistency does matter?
    • Solution: use DynamoDB as a lock server
      • Conditional (atomic) updates
      • Consistent reads

  51. Strong consistency - example

  52. Strong consistency - example

  53. Strong consistency - example
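The DynamoDB lock-server pattern from slide 50, as an added example (not the deck's or Moneyou's code; the example slides above are images that did not survive transcription): a conditional put acquires the lock only when no unexpired item exists, and a conditional delete releases it only for its owner. The table calls are passed in so the block runs offline against the constructed FakeTable; with boto3 you would pass a Table's put_item and delete_item, whose rejected conditions arrive as a ClientError with code ConditionalCheckFailedException.

```python
import time
import uuid


class ConditionalCheckFailed(Exception):
    """Raised by the stand-in table when its condition does not hold."""


def _condition_failed(exc):
    """True for the stand-in's error or for a botocore ClientError whose code is
    ConditionalCheckFailedException (checked by attribute, so no boto3 import)."""
    code = getattr(exc, "response", {}).get("Error", {}).get("Code")
    return isinstance(exc, ConditionalCheckFailed) or code == "ConditionalCheckFailedException"


class DynamoLock:
    """One item per resource: {lockId, owner, expiresAt}; expiresAt bounds the
    damage if a holder crashes (pair it with DynamoDB TTL on that attribute)."""
    def __init__(self, put_item, delete_item, ttl_seconds=30):
        self.put_item, self.delete_item, self.ttl = put_item, delete_item, ttl_seconds
        self.owner = str(uuid.uuid4())  # identifies this holder on release

    def acquire(self, lock_id, now=None):
        now = int(time.time() if now is None else now)
        try:  # atomic: the put succeeds only if no live lock item exists
            self.put_item(
                Item={"lockId": lock_id, "owner": self.owner, "expiresAt": now + self.ttl},
                ConditionExpression="attribute_not_exists(lockId) OR expiresAt < :now",
                ExpressionAttributeValues={":now": now})
            return True
        except Exception as exc:
            if _condition_failed(exc):
                return False  # another holder has an unexpired lock
            raise

    def release(self, lock_id):
        try:  # only the owner may delete; a lock taken over after expiry is left alone
            self.delete_item(Key={"lockId": lock_id}, ConditionExpression="#o = :me",
                             ExpressionAttributeNames={"#o": "owner"},
                             ExpressionAttributeValues={":me": self.owner})
            return True
        except Exception as exc:
            if _condition_failed(exc):
                return False
            raise


class FakeTable:
    """Constructed in-memory stand-in evaluating only the two conditions above."""
    def __init__(self):
        self.items = {}

    def put_item(self, Item, ConditionExpression, ExpressionAttributeValues):
        cur = self.items.get(Item["lockId"])
        if cur is not None and not cur["expiresAt"] < ExpressionAttributeValues[":now"]:
            raise ConditionalCheckFailed(ConditionExpression)
        self.items[Item["lockId"]] = dict(Item)

    def delete_item(self, Key, ConditionExpression, ExpressionAttributeNames, ExpressionAttributeValues):
        cur = self.items.get(Key["lockId"])
        if cur is None or cur["owner"] != ExpressionAttributeValues[":me"]:
            raise ConditionalCheckFailed(ConditionExpression)
        del self.items[Key["lockId"]]
```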

  54. General tips
    • Know your (AWS service) limits!
    • DynamoDB On-Demand and PITR
    • Serverless performance must-read: theburningmonk.com
    • Outsource availability and scalability to AWS

  55. Try us
    Contact: [email protected]

  56. Thank you!
    Danilo Poccia, @danilop
    Olaf Conijn, [email protected]
