Serverless functions deep dive

AWS Summit Benelux, Amsterdam, April 17th, 2019

Danilo Poccia

April 17, 2019

Transcript

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
     Serverless functions deep dive
     Danilo Poccia, Principal Evangelist, Serverless, AWS, @danilop
     Olaf Conijn, IT Architect, Moneyou, olaf.conijn@moneyou.nl
  2. AWS operational responsibility models (from on-premises to cloud; AWS takes on less to more of the operations):
     • Compute: Virtual Machine → EC2 → Elastic Beanstalk → AWS Lambda, Fargate
     • Databases: MySQL → MySQL on EC2 → RDS MySQL → RDS Aurora → Aurora Serverless, DynamoDB
     • Storage: Storage → S3
     • Messaging: ESBs → Amazon MQ → Kinesis → SQS / SNS
     • Analytics: Hadoop → Hadoop on EC2 → EMR → Elasticsearch Service → Athena
  4. Serverless applications
     Event source (changes in data state, requests to endpoints, changes in resource state) → Function (Node.js, Python, Java, C# / F# / PowerShell, Go, Ruby, Runtime API) → Services (anything)
  5. Anatomy of a Lambda function
     • Handler() function: the function to be executed upon invocation
     • Event object: data sent during the Lambda function invocation
     • Context object: methods available to interact with runtime information (request ID, log group, more)

     import json

     def lambda_handler(event, context):
         # TODO implement
         return {
             'statusCode': 200,
             'body': json.dumps('Hello World!')
         }
  6. Lambda Layers
     • Lets functions easily share code: upload a layer once, reference it within any function
     • Promotes separation of responsibilities; lets developers iterate faster on writing business logic
     • Built-in support for secure sharing by the ecosystem
  7. Using Lambda Layers
     • Put common components in a ZIP file and upload it as a Lambda Layer
     • Layers are immutable and can be versioned to manage updates
     • When a version is deleted or permissions to use it are revoked, functions that used it previously will continue to work, but you won't be able to create new ones
     • You can reference up to five layers, one of which can optionally be a custom runtime
     Layer version ARNs: arn:aws:lambda:region:accountId:layer:shared-lib, arn:aws:lambda:region:accountId:layer:shared-lib:2, arn:aws:lambda:region:accountId:layer:shared-lib:3
  8. Lambda Runtime API
     • Bring any Linux compatible language runtime
     • Powered by the new Runtime API: codifies the runtime calling conventions and integration points
     • At launch, custom runtimes powering Ruby support in AWS Lambda, more runtimes from partners (like Erlang)
     • Custom runtimes distributed as "layers"
  9. Runtime Bootstrap
     • The bootstrap executable acts as a bridge between the Runtime HTTP API and the function to be executed
     • Bootstrap needs to manage response/error handling, context creation and function execution
     • Information on the interface endpoint and the function handler is shared as environment variables
     Runtime API endpoints (under /runtime): /invocation/next, /init/error, /invocation/ID/response, /invocation/ID/error
     Bootstrap loop: process events/headers → initialize and invoke the Lambda function → response/error handling → clean up
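The bootstrap loop described on this slide, written out as an added example (not code from the talk or from AWS): it reads the endpoint from AWS_LAMBDA_RUNTIME_API and the handler from _HANDLER, and the HTTP transport is injectable so the loop can be exercised offline.

```python
"""Custom-runtime bootstrap loop for the Lambda Runtime API (slide 9).
Added example, not code from the talk or from AWS. The HTTP transport is
injectable so the loop can run offline; on Lambda it talks to
http://$AWS_LAMBDA_RUNTIME_API and resolves the handler from $_HANDLER."""
import json
import os
import traceback
import urllib.request

def _http(method, url, body=None):
    """Default transport: one HTTP call, returns (headers, body bytes)."""
    req = urllib.request.Request(url, data=body, method=method)
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers), resp.read()

def load_handler(spec):
    """Resolve 'module.function' as given in the _HANDLER variable."""
    module_name, func_name = spec.rsplit(".", 1)
    return getattr(__import__(module_name), func_name)

def run_once(handler, base_url, http=_http):
    """Take one event from /invocation/next, invoke the handler and post the result
    to /invocation/ID/response or the failure to /invocation/ID/error."""
    headers, raw = http("GET", f"{base_url}/invocation/next")
    request_id = headers["Lambda-Runtime-Aws-Request-Id"]
    context = {  # the part of the context object carried in response headers
        "aws_request_id": request_id,
        "deadline_ms": int(headers.get("Lambda-Runtime-Deadline-Ms", 0)),
        "invoked_function_arn": headers.get("Lambda-Runtime-Invoked-Function-Arn"),
    }
    try:
        body = json.dumps(handler(json.loads(raw), context)).encode()
        http("POST", f"{base_url}/invocation/{request_id}/response", body)
        return request_id, "response", body
    except Exception as exc:  # report it; the bootstrap loop must keep running
        body = json.dumps({"errorMessage": str(exc), "errorType": type(exc).__name__,
                           "stackTrace": traceback.format_exc().splitlines()}).encode()
        http("POST", f"{base_url}/invocation/{request_id}/error", body)
        return request_id, "error", body

def main():
    base_url = f"http://{os.environ['AWS_LAMBDA_RUNTIME_API']}/2018-06-01/runtime"
    try:
        handler = load_handler(os.environ["_HANDLER"])
    except Exception as exc:  # initialisation failures are reported to /init/error
        _http("POST", f"{base_url}/init/error", json.dumps({"errorMessage": str(exc)}).encode())
        raise
    while True:
        run_once(handler, base_url)
```

Packaged as a layer, the `bootstrap` executable only needs to call main(); a handler that raises is reported through the error endpoint and the next event is fetched.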
  10. Build PCI and HIPAA compliant serverless applications! Serverless platform services that can be used in both:
  11. Start with a framework
      • AWS: AWS Chalice, AWS Amplify, AWS SAM
      • Third-party: Serverless Framework
  12. Meet SAM!

  13. AWS Serverless Application Model (SAM)
      • AWS CloudFormation extension optimized for serverless
      • Special serverless resource types: Functions, APIs, SimpleTables, Layers, and Applications
      • Supports anything AWS CloudFormation supports
      • Open specification (Apache 2.0): https://aws.amazon.com/serverless/sam
  14. SAM template (open source)

      AWSTemplateFormatVersion: '2010-09-09'
      Transform: AWS::Serverless-2016-10-31
      Resources:
        GetFunction:
          Type: AWS::Serverless::Function
          Properties:
            Handler: index.get
            Runtime: nodejs8.10
            CodeUri: src/
            Policies:
              - DynamoDBReadPolicy:
                  TableName: !Ref MyTable
            Events:
              GetResource:
                Type: Api
                Properties:
                  Path: /resource/{resourceId}
                  Method: get
        MyTable:
          Type: AWS::Serverless::SimpleTable

      Just 20 lines to create: a Lambda function, an IAM role, an API Gateway and a DynamoDB table
  15. AWS SAM Command Line Interface (AWS SAM CLI)
      • CLI tool for local development, debugging, testing, deploying, and monitoring of serverless applications
      • Supports API Gateway "proxy-style" and Lambda service API testing
      • Response object and function logs available on your local machine
      • Uses open source docker-lambda images to mimic Lambda's execution environment, such as timeout, memory limits, runtimes
      • Can tail production logs from CloudWatch Logs
      • Can help you build in native dependencies
      https://aws.amazon.com/serverless/sam
  16. Use SAM CLI to package and deploy SAM templates (open source)

      pip install --user aws-sam-cli
      sam init --name my-app --runtime python
      cd my-app/
      sam local ...      # generate-event/invoke/start-api/start-lambda
      sam validate       # The SAM template
      sam build          # Depending on the runtime
      sam package --s3-bucket my-packages-bucket \
          --output-template-file packaged.yaml
      sam deploy --template-file packaged.yaml \
          --stack-name my-stack-prod
      sam logs -n MyFunction --stack-name my-stack-prod -t   # Tail
      sam publish        # To the Serverless Application Repository

      • CodePipeline: use CloudFormation deployment actions with any SAM application
      • Jenkins: use the SAM CLI plugin
  18. With the AWS Serverless Application Repository, developers can…
      • Discover and deploy ready-made apps and code samples
      • Combine applications in the app repository with their own via Nested Applications
      • Customize open-source apps to get started quickly
      • Share apps privately or publish apps for public use
  19. Nested apps to simplify solving recurring problems

      TweetSource:
        Type: AWS::Serverless::Application
        Properties:
          Location:
            ApplicationId: arn:aws:serverlessrepo:...
            SemanticVersion: 2.0.0
          Parameters:
            TweetProcessorFunctionName: !Ref MyFunction
            SearchText: '#serverless -filter:nativeretweets'

      Standard component (TwitterSearchPoller: polling schedule from a CloudWatch Events rule, SearchCheckpoint, Twitter Search API) triggers the custom business logic (TwitterProcessor)
  20. AWS SAM Template Capabilities
      • Can mix in other non-SAM CloudFormation resources in the same template, e.g. Amazon S3, Amazon Kinesis, AWS Step Functions
      • Supports use of Parameters, Mappings, Outputs, etc.
      • Supports Intrinsic Functions
      • Can use ImportValue (exceptions for RestApiId, Policies, StageName attributes)
      • YAML or JSON
  21. AWS Lambda Environment Variables
      • Key-value pairs that you can dynamically pass to your function
      • Available via standard environment variable APIs such as process.env for Node.js or os.environ for Python
      • Can optionally be encrypted via AWS Key Management Service (KMS)
      • Allows you to specify in IAM which roles have access to the keys to decrypt the information
      • Useful for creating environments per stage (e.g. dev, testing, production)
  22. Amazon API Gateway Stage Variables
      Stage variables act like environment variables
      • Use stage variables to store configuration values
      • Stage variables are available in the $context object
      • Values are accessible from most fields in API Gateway: Lambda function ARN, HTTP endpoint, custom authorizer function name, parameter mappings
  23. AWS Lambda and Amazon API Gateway Variables + SAM

      Parameters:
        MyEnvironment:
          Type: String
          Default: test
          AllowedValues:
            - test
            - staging
            - prod
          Description: Environment of this stack of resources
      Mappings:
        SpecialFeature1:
          test:
            status: on
          staging:
            status: on
          prod:
            status: off
      # Lambda
      MyFunction:
        Type: 'AWS::Serverless::Function'
        Properties:
          …
          Environment:
            Variables:
              ENVIRONMENT: !Ref MyEnvironment
              Spec_Feature1: !FindInMap [SpecialFeature1, !Ref MyEnvironment, status]
          …
      # API Gateway
      MyApiGatewayApi:
        Type: AWS::Serverless::Api
        Properties:
          …
          Variables:
            ENVIRONMENT: !Ref MyEnvironment
  25. AWS SAM + Safe Deployments

      MyLambdaFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: index.handler
          Runtime: nodejs6.10
          AutoPublishAlias: !Ref ENVIRONMENT
          DeploymentPreference:
            Type: Linear10PercentEvery10Minutes
            Alarms:
              # A list of alarms that you want to monitor
              - !Ref AliasErrorMetricGreaterThanZeroAlarm
              - !Ref LatestVersionErrorMetricGreaterThanZeroAlarm
            Hooks:
              # Validation Lambda functions that are run before & after traffic shifting
              PreTraffic: !Ref PreTrafficLambdaFunction
              PostTraffic: !Ref PostTrafficLambdaFunction
  26. AWS SAM Globals

      Globals:
        Function:
          Runtime: nodejs6.10
          CodeUri: s3://code-artifacts/pet_app1234.zip
          MemorySize: 1024
          Timeout: 30
          AutoPublishAlias: !Ref ENVIRONMENT
      getDogsFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: getDogs.handler
          Events:
            GetDogs:
              Type: Api
              Properties:
                Path: /Dogs
                Method: ANY
      getCatsFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: getCats.handler
          Events:
            GetCats:
              Type: Api
              Properties:
                Path: /Cats
                Method: ANY
      getBirdsFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: getBirds.handler
          Timeout: 15
          Events:
            GetBirds:
              Type: Api
              Properties:
                Path: /Birds
                Method: ANY
  27. Lambda permissions model
      Fine grained security controls for both execution and invocation:
      Execution policies:
      • Define what AWS resources/API calls this function can access via IAM
      • Used in streaming invocations
      • E.g. "Lambda function A can read from DynamoDB table users"
      Function policies:
      • Used for sync and async invocations
      • E.g. "Actions on bucket X can invoke Lambda function Z"
      • Resource policies allow for cross-account access
  28. AWS SAM Policy Templates

      MyQueueFunction:
        Type: AWS::Serverless::Function
        Properties:
          ...
          Policies:
            # Gives permissions to poll an SQS Queue
            - SQSPollerPolicy:
                queueName: !Ref MyQueue
          ...
      MyQueue:
        Type: AWS::SQS::Queue
        ...
  29. SAM Policy Templates: 45+ predefined policies, all found here: https://bit.ly/2xWycnj
  30. Best Practices
  31. AWS SAM Best Practices
      • Use Parameters and Mappings when possible to build dynamic templates based on user inputs and pseudo parameters such as AWS::Region
      • Use the Globals section to simplify templates
      • Use Export & ImportValue to share resource information across stacks
      • Build out multiple environments, such as Development, Test, Production and even DR, using the same template, even across accounts
      (Diagram: SAM template in source control → Dev, Test, Prod)
  33. Serverless @ Moneyou Olaf Conijn, IT Architect

  34. About Moneyou
      • Full subsidiary of ABN AMRO
      • Online savings since 2008
      • Currently: 0.5 million customers in NL and DE; combined savings & payments proposition
      • Small organization (<200 FTE)
      • Focus on UX and customer centricity
  35. Choosing Serverless

  36. Moneyou's journey to become a fintech
      Moneyou until 2016
      • Label for ABN AMRO products
      • IT was outsourced to partners: hosting & development, core banking & channels
      Moneyou in 2016
      • Started to build a new payment proposition
      • Need for short time to market & cost efficiency
      • Need to insource software development in a modern way
      • Ambition to do DevOps
  37. Target architecture (diagram): Orchestration (serverless); Thaler & OpenAM; Salesforce; Bankable apps; web APIs
  38. Our experience so far: serverless benefits, and the need for compliance, security and other non-functionals
  39. Serverless, not FAAS

  40. Platform needs
      • Short time to market
      • Cost effectiveness
      • Simplicity
      • Confidentiality & integrity of data
      • Continuous compliance
      Answered with:
      • Serverless
      • Multi-account setup (AWS Organizations)
      • Automated compliance checks (AWS Config)
      • Encrypt everything (AWS KMS)
      • Everything is code (CloudFormation / serverless.com)
  41. AWS Organizations: multi-account setup
      • Development account per team
      • Production account per system
      • Demonstrably in control of production data
      • Reduce blast radius
      • Cost allocation per account
      • Scalable
  42. Infrastructure as code
      • Everything is code
      • Features use the serverless.com framework
      • Platform uses: CloudFormation StackSets, the serverless.com framework, a custom build process
  43. Continuous compliance
      • SCPs to whitelist services
      • For every service, compliant configurations are defined
      • AWS Config keeps track of all resources
      • Notifies on non-compliant configuration
      • Notifications sent to the account owner and the platform team (incl. CISO)
      • All production systems run at our most critical CIA rating
      • Stay away from: EC2 or VPC
  44. Patterns & lessons learned

  45. On-premise connectivity Patterns & lessons learned

  46. On-premise connectivity
      • Lambdas are best run outside of a VPC
        • Lambdas in a VPC suffer additional cold-start time
        • Additional complexity managing VPCs
      • Connectivity to on-prem is done through a VPC and Direct Connect/VPN
      • Solution: API Gateway and IAM to proxy on-prem services
        • VPCs centrally managed
        • Lambdas/features run outside a VPC
        • Highly scalable, highly available
  47. On-premise connectivity: Lambda outside VPC
      • Authorize the workload account in the API GW resource policy
      • Authorize the Lambda to call API GW in the shared account
      • Sign HTTP requests using AWS v4 Signature
  48. On-premise connectivity: Lambda outside VPC - caveats
      • NLB uses IP addresses of on-premise servers
      • API GW proxy requires the back-end TLS cert to be signed by a trusted CA
      • AWS v4 request signing requires access to the underlying HTTP client
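The signing step from slides 47 and 48, as an added example (not Moneyou's code): a standard-library-only SigV4 signer that returns the headers the Lambda must add to its HTTP client call to the API Gateway proxy in the shared account. The API URL, keys, region and session token used below are constructed.

```python
"""SigV4-sign a call from a Lambda function (outside any VPC) to the API
Gateway proxy in the shared account (slides 47 and 48). Added example, not
Moneyou's code; only hashlib/hmac, so it works with any HTTP client that
lets you set headers. On Lambda the credentials come from the execution role
(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)."""
import datetime
import hashlib
import hmac
from urllib.parse import quote, urlparse

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(method, url, body, access_key, secret_key, region, service="execute-api",
                  session_token=None, extra_headers=None, amz_date=None):
    """Return the headers to send: host, x-amz-date, authorization and, for role
    credentials, x-amz-security-token. A query string must already be URI-encoded
    with its parameters in sorted order; header values are only trimmed."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    parts = urlparse(url)
    headers = {k.lower(): v.strip() for k, v in (extra_headers or {}).items()}
    headers.update({"host": parts.netloc, "x-amz-date": amz_date})
    if session_token:  # temporary credentials must also sign the token
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        quote(parts.path or "/", safe="/"),
        parts.query,
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        hashlib.sha256(body).hexdigest(),  # hash of the request payload
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)  # derive the signing key
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

API Gateway rejects a request whose x-amz-date is more than a few minutes off or whose signed body no longer matches, so the exact bytes passed as body must be the bytes the HTTP client sends.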
  49. Strong consistency Patterns & lessons learned

  50. Strong consistency
      • Event driven architectures benefit from
        • Eventual consistency for scalability
        • Retry mechanisms for reliability
      • What if… strong consistency does matter?
      • Solution: use DynamoDB as a lock server
        • Conditional (atomic) updates
        • Consistent reads
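The lock-server pattern from this slide, as an added example (not Moneyou's code): acquire and release are conditional writes, so two workers can never both hold the lock and a stale holder cannot free a newer lease; the read is strongly consistent. FakeTable and the lock names are constructed stand-ins so the logic runs offline.

```python
"""DynamoDB as a lock server: conditional (atomic) writes plus consistent reads
(slide 50). Added example, not Moneyou's code. The lock functions use the boto3
Table call shapes; FakeTable is a constructed in-memory stand-in that evaluates only
the two ConditionExpressions used here. On AWS pass boto3.resource("dynamodb").Table(name)
and catch botocore's ClientError with code ConditionalCheckFailedException instead."""
import time

ACQUIRE = "attribute_not_exists(lock_id) OR expires_at < :now"
RELEASE = "held_by = :me"

class ConditionalCheckFailed(Exception):
    """Offline stand-in for the ConditionalCheckFailedException error code."""

class FakeTable:
    """Constructed stand-in for a boto3 Table whose partition key is lock_id."""
    def __init__(self):
        self.items = {}
    def put_item(self, Item, ConditionExpression, ExpressionAttributeValues):
        cur = self.items.get(Item["lock_id"])  # ACQUIRE: free, or lease expired
        if not (cur is None or cur["expires_at"] < ExpressionAttributeValues[":now"]):
            raise ConditionalCheckFailed(ConditionExpression)
        self.items[Item["lock_id"]] = dict(Item)
    def delete_item(self, Key, ConditionExpression, ExpressionAttributeValues):
        cur = self.items.get(Key["lock_id"])  # RELEASE: only the current holder
        if cur is None or cur["held_by"] != ExpressionAttributeValues[":me"]:
            raise ConditionalCheckFailed(ConditionExpression)
        del self.items[Key["lock_id"]]
    def get_item(self, Key, ConsistentRead=False):
        item = self.items.get(Key["lock_id"])
        return {"Item": dict(item)} if item else {}

def acquire_lock(table, lock_id, me, ttl_seconds, now=None):
    """Take the lock only if nobody holds it or the holder's lease has expired."""
    now = int(time.time()) if now is None else now
    try:
        table.put_item(Item={"lock_id": lock_id, "held_by": me, "expires_at": now + ttl_seconds},
                       ConditionExpression=ACQUIRE, ExpressionAttributeValues={":now": now})
        return True
    except ConditionalCheckFailed:
        return False

def release_lock(table, lock_id, me):
    """Release only if we still hold it: a slow worker whose lease expired must not
    delete the lock a newer worker has since acquired."""
    try:
        table.delete_item(Key={"lock_id": lock_id}, ConditionExpression=RELEASE,
                          ExpressionAttributeValues={":me": me})
        return True
    except ConditionalCheckFailed:
        return False

def current_holder(table, lock_id):
    """Strongly consistent read, so a lock written a moment ago is visible."""
    return table.get_item(Key={"lock_id": lock_id}, ConsistentRead=True).get("Item")
```

Pair the expires_at attribute with a DynamoDB TTL so abandoned locks are also cleaned up by the service, and keep the lease shorter than the worker's own timeout.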
  51. Strong consistency - example

  54. General tips
      • Know your (AWS service) limits!
      • DynamoDB OnDemand and PITR
      • Serverless performance must-read: theburningmonk.com
      • Outsource availability and scalability to AWS
  55. Try us Contact olaf.conijn@moneyou.nl

  56. Thank you!
      Danilo Poccia @danilop
      Olaf Conijn olaf.conijn@moneyou.nl