Making Serverless Headless - Drupal with AWS Lambda@Edge & Amazon CloudFront

© 2018, Amazon Web Services, Inc. or its Affiliates. All
rights reserved. Prateek Yadav, Software Development Engineer Vasanth Kumararajan, Technical Program Manager Woodrow Arrington, Sr. Product Manager Technical 04.11.18 Making Headless Drupal Serverless

rights reserved. What is covered in this session? • Media Customer Challenges • Headless Drupal • Amazon CloudFront • AWS Lambda@Edge • Live Demo

rights reserved. Media Company Challenges Scalability Performance Security Personalization Flexibility Financial

rights reserved. Typical Monolith Architecture Authentication and authorization Content management and processing Localization and personalization

rights reserved. Authentication and authorization Content management and processing Localization and personalization Application code Typical Monolith Architecture

rights reserved. Trending towards Headless Drupal Traditional Headless / Decoupled Frontend Backend Backend Frontends

rights reserved. Multi-Endpoint Headless Drupal Helps Solve Performance Flexibility

rights reserved. … how can I address some of the other challenges mentioned?

rights reserved. … first let’s talk about being serverless

rights reserved. No Server Management Flexible Scaling Never Pay for Idle Time Built-in Availability and Fault Tolerance What does it mean to be serverless?

rights reserved. What is AWS Lambda? Changes in data state Requests to endpoints Changes in resource state 1 2 3 4

rights reserved. … what if you could run your Lambda functions even closer to your viewers?

rights reserved. Amazon CloudFront AWS Lambda Lambda@Edge AWS Lambda@Edge

rights reserved. 114 Points of Presence (103 Edge locations + 11 Regional Edge Caches)

rights reserved. Architecture (Simple, But Works) Compute viewer Storage Datastore

rights reserved. Origin Basic AWS Regional Deployment Compute Database Storage

rights reserved. Amazon CloudFront Origin AWS Location AWS Location AWS Location AWS Location AWS Location AWS Location

rights reserved. CloudFront: More than just byte delivery Performance Scalability Global Reach Security Programmable Cost Effective

rights reserved. Performance Global Network & AWS backbone infrastructure Conduct TCP handshakes closer to viewers Keep-alive connections to reduce round-trip times (RTT) Request collapsing Fast content invalidations Static + Dynamic

rights reserved. Security Access Control • Origin Access Identity (OAI) • Signed URLs / Cookies • Geo blocking Encryption • Advanced protocols & ciphers • Half / Full bridge HTTPS connections • Certificate stapling (OCSP) Compliance • PCI • HIPAA • ISO Integrations • AWS Certificate Manager • AWS Shield • AWS WAF

rights reserved. CloudFront Helps Solve Scalability Performance Security Cost Effective

rights reserved. … let’s now talk about Lambda@Edge

rights reserved. Taking AWS Lambda to the Edge Changes in data state Requests to endpoints Changes in resource state 1 2 3 4

rights reserved. Write once, run Lambda functions globally N Virginia AWS Location AWS Location AWS Location AWS Location AWS Location AWS Location

rights reserved. Amazon CloudFront + Lambda@Edge Origin AWS Location AWS Location AWS Location AWS Location AWS Location AWS Location

rights reserved. Lambda@Edge Globally Distributed Bring your own code to the Edge to improve viewer experience Serverless Compute Programmable CDN

rights reserved. CloudFront events for Lambda@Edge CloudFront cache Viewer Response Origin Response Origin Origin Request Viewer Viewer Request

rights reserved. From Monolithic to Serverless Microservices Amazon CloudFront Authentication and authorization Content management and processing Localization and personalization Lambda@Edge Functions User Agents HTTP Origins

rights reserved. Lambda@Edge Helps Solve Personalization Flexibility Paywalls & Authorization

rights reserved. Media Company Website Dynamic Personalized Content Authentication Dynamic News Content Static Content (images,JS,CSS, …) Customized Local Content

rights reserved. DEMO

rights reserved. … Lets dive deep into Lambda@Edge

rights reserved. CloudFront events for Lambda@Edge CloudFront cache Viewer Response Origin Response Origin Origin Request Viewer Viewer Request

rights reserved. VIEWER REQUEST EVENTS CloudFront cache User Agents Viewer Request HTTP Origins Viewer Response Origin Response Origin Request Viewer Response Origin Response Origin Request Viewer Request

rights reserved. VIEWER REQUEST EVENTS Executed on every request before CloudFront’s cache is checked Modify cache key (URL, cookies, headers, query string) Perform stateless authentication and authorization checks Network calls at viewer request Generate responses that will not be cached

rights reserved. VIEWER REQUEST: AUTHORIZATION Viewer Request Event User Agent CloudFront distribution www.example.com NO Paywall message, 403, redirect, etc. $ Entitlement service HTTP request Access decision HTTP Origins OK User database

rights reserved. VIEWER REQUEST: STATELESS AUTH JWT JWT public key Viewer Request Event User Agent CloudFront distribution www.example.com JWT HTTP 403, 3XX, etc. NO Access decision Legacy application S3 Bucket Origin application OK

rights reserved. { "iss": "https://idp.example.com", "client_id": "exampleclient", "sub": "vkumarar", "scope": { "compute": "2018-05-11T00:00:00Z", "edge": "2018-05-09T00:00:00Z", "language": "ja" }, } VIEWER REQUEST: STATELESS AUTH Example JWT payload: Private claims for the user interests in news artciles

rights reserved. ORIGIN REQUEST EVENTS CloudFront cache User Agents Viewer Request HTTP Origins Viewer Response Origin Response Origin Request Viewer Response Origin Response Viewer Request Origin Request

rights reserved. ORIGIN REQUEST EVENTS Executed on cache miss, before a request is forwarded to the origin Make one or more external network calls Dynamically select an origin based on request headers Implement pretty URLs by rewriting the origin URL Generate responses that can be cached

rights reserved. ORIGIN REQUEST: Content Aggregation Example: News app landing page Client: Each user has a preference for articles http://yournewsaggregator.com/ Function: • Validate and parse the JWT • Fetches the relevant articles from Drupal • Sends the aggregated response to the client CloudFront cache Viewer Request Origin Request Viewer

rights reserved. ORIGIN REQUESTS: Template Rendering (Body Generation) User Agent CloudFront distribution www.example.com Cache Behavior /blog Origin Request Event S3 Bucket blog-templates.s3.amazonaws.com DynamoDB table blog-posts Outbound network calls Rendered template Cached response

rights reserved. How template rendering works? <h1>{ page.title }</h1> {{ for section in page.sections }} <h2>{ section.title }</h2> <p>{ section.body }</p> {{ endfor }} "page": { "title": "Hello", "sections": [ { "title": "Introduction", "body": "The quick..." }, { ... } ]

rights reserved. const templateBucket = 'blog-templates-123456789012'; const postTable = 'blog-posts'; var AWS = require('aws-sdk'); var Mustache = require('mustache'); var s3 = new AWS.S3({region: 'us-east-1'}); var documentClient = new AWS.DynamoDB.DocumentClient({ region: 'us-east-1'}); exports.handler = (event, context, callback) => { const request = event.Records[0].cf.request; const response = { status: '200', statusDescription: 'OK', headers: { 'cache-control': [{ key: 'Cache-Control', value: 'max-age=2628000, public’ }], 'content-type': [{ key: 'Content-Type', value: 'text/html; charset=utf-8’ }]}}; ORIGIN REQUEST: BODY GENERATION const ddbParams = { TableName: postTable, Key: { slug: request['uri'].slice(1) }}; documentClient.get(ddbParams, function(err, resp) { if (err) { callback(err, null); return; } const template = resp['Item']['template']; const data = resp['Item']['data']; const s3Params = { Bucket: templateBucket, Key: template }; s3.getObject(s3Params, function(err, s3resp) { if (err) { callback(err, null); return; } const body = s3resp.Body.toString('utf-8'); response.body = Mustache.render(body, data); callback(null, response); }); }); };

rights reserved. DEMO

rights reserved. … so what are all the things you can do with Lambda@Edge?

rights reserved. • Highly Personalized Websites • Response Generation at Viewer Request • URL Rewrites • Access Control at the Edge • Remote Network Calls • A/B Testing • Content-Based Dynamic Origin Selection

rights reserved. PRETTY URLS FOR USER/API EXPERIENCE https://tiles.example.com/zoom/x/y.jpg S3 Bucket tiles- v1.s3.amazonaws.com Legacy Service old-tile- service.example.net Elastic Load Balancer tile-service-123456.us-east- 1 .amazonaws.com

rights reserved. ORIGIN REQUESTS : PRETTY URLS https://tiles.example.com/zoom/x/y.jpg https://tiles-origin.s3.amazonaws.com/f5fdc6f658a49284b.jpg Origin Request Event originPath = sha256(requestPath) CloudFront cache Cache key: tiles.example.com/zoom/x/y.jpg Cached response

rights reserved. ORIGIN REQUEST: ORIGIN SELECTION • Multiple origin setup • Latency: Talk to the origin closest to the viewer • Load balance across origins • Controlled rollout of changes at origin • A/B Testing of new features • Blue/Green origin deploys • Migrating between origins • Including on-premise to cloud • Search Engine Optimization • Serve human and web crawler traffic from separate origins

rights reserved. "s3": { "domainName": "green-bucket.s3.amazonaws.com”, "path": "/originPath", "authMethod": "origin-access-identity", "region": "us-east-1", "customHeaders": { "my-custom-origin-header": [ { "key": "My-Custom-Origin-Header", "value": "test-value” } ] } } Origin Selection • Origin is present as part of request • event.Records[0].cf.request.origin • Modified Origin should also be part of the request structure returned

rights reserved. Origin Selection – A/B Testing Example: You want to test a new feature. It is only deployed to one of your origins. In the function: 1. Check to see if this is a active session. (Say, using a cookie.) 2. For active sessions, set the origin based on the value in the cookie. 3. For a new session, decide whether to show A or B variant. And set the origin accordingly. CloudF ront cache Origin Request Viewer Origin B Origin A

rights reserved. exports.handler = (event, context, callback) => { const request = event.Records[0].cf.request; desiredOrigin = decide(request); /* Set custom origin fields*/ request.origin = { custom: { domainName: desiredOrigin, port: 443, protocol: 'https', } }; request.headers['host'] = [{ key: 'host', value: desiredOrigin }]; callback(null, request); }; Example – A/B Testing function decide(request) { if (request.headers[‘my-session-cookie’]) { cookie = request.headers[‘my-session- cookie’].value; return decodeOrigin(cookie); } else { return chooseOrigin(request); } };

rights reserved. TRANSPARENT GLOBAL EXPANSION Region A customers Region A deployment Region B customers Region B deployment https://saas.example.com

rights reserved. ORIGIN REQUEST: ORIGIN SELECTION id user 1 alex 2 bob 3 joe 4 jane User database 200 OK Application User Agent POST /login user=jane&pass=*** home-region na eu ap eu Set-Cookie: home-region=eu

rights reserved. ORIGIN REQUEST: ORIGIN SELECTION User Agent CloudFront distribution www.example.com North America origin User DB Cache Behavior /login North America app DB Europe origin Europe app DB home-region=eu ? APAC origin APAC app DB Cache Behavior /app Origin Request Event

rights reserved. ORIGIN REQUEST: ROUTE ON USER AGENT User Agents Desktop Mobile Bots and crawlers CloudFront distribution www.example.com Origin Request Event Mobile optimized app Client-rendered app Server-rendered app Cloudfront-Is-Mobile-Viewer? Cloudfront-Is-Desktop-Viewer? Cloudfront-Is-Tablet-Viewer? User-Agent?

rights reserved. ORIGIN REQUEST: GENERATE REDIRECT User Agent CloudFront distribution www.example.com HTTP redirect www.example.com/de Origin Request Event Cloudfront-Viewer-Country? Accept-Language?

rights reserved. 'use strict'; const originDomainNames = { 'origin_1': 'origin.us-east-1.example.com', 'origin_2': 'origin.eu-west-1.example.com' }; const defaultOrigin = 'origin_1'; function chooseOrigin(headers) { /* Parse cookies, inspect headers, etc. */ if (condition1) { return 'origin_1'; } else if (condition2) { return 'origin_2'; } else { return default_origin; } } ORIGIN REQUEST: CUSTOM ROUTING exports.handler = (event, context, callback) => { const request = event.Records[0].cf.request; const headers = request.headers; const selectedOrigin = chooseOrigin(headers); /* Modify the request's `origin` object. */ request.origin = { custom: { domainName: originDomainNames[selectedOrigin], keepAliveTimeout: 5000, path: '/', port: 443, protocol: 'https', readTimeout: 5000, sslProtocols: ['TLSv1', 'TLSv1.1'] } }; callback(null, request); };

rights reserved. ORIGIN REQUESTS: IMAGE PROCESSING User Agent CloudFront distribution www.example.com Origin Request Event S3 Bucket image-originals.s3.amazonaws.com GET /full-resolution image Resized image based on request configurations e.g. Device Type

rights reserved. Getting Started Resources Amazon CloudFront Getting Started https://aws.amazon.com/cloudfront/getting-started/ AWS Lambda@Edge https://aws.amazon.com/lambda/edge/ Content Delivery AWS Blog Channel https://aws.amazon.com/blogs/networking-and-content-delivery/ Articles with sample code and step by step guides for: • Accelerating Drupal with Amazon CloudFront • Resizing Images on the Fly with Lambda@Edge • Authorization@Edge using JSON Web Tokens using Lambda@Ed • and more…

rights reserved. Thank you!

Making Serverless Headless - Drupal with AWS Lambda@Edge & Amazon CloudFront

Making Serverless Headless - Drupal with AWS Lambda@Edge & Amazon CloudFront

More Decks by drupalcon

Other Decks in Technology

Featured

Transcript