© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its affiliates. Building AWS Lambda functions from container images Julian Wood Senior Developer Advocate – AWS Serverless @julian_wood AWS User Group UK - November 2021 @julian_wood 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Today’s focus: 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Container image support for AWS Lambda! Today’s focus: 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless applications Event source Services (anything) Changes in data state Requests to endpoints Changes in Resource state Function Node.js Python Java Go Ruby .Net (C#/Powershell) Custom Runtime API 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda function Handler function Function to be executed upon invocation Event object Data sent during Lambda function invocation Context object Methods available to interact with runtime information (request ID, log group, more) CODE EDITOR let response; exports.handler = async (event, context) => { try { response = { 'statusCode': 200, 'body': JSON.stringify({ message: 'hello world’, }) } } catch (err) { console.log(err); return err; } return response }; 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Lambda container image support Package and deploy functions as container images • Why use Lambda • Lambda container image benefits • Working with Lambda container images • Developer workflow • What changes and what stays the same 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its affiliates. Why use Lambda? 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why Lambda? Operational support AWS Lambda is the general compute option that provides the greatest level of operational support by AWS Designed to simplify high availability, scale and security concerns 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS manages Customer manages Data source integrations Physical hardware, software, networking, and facilities Provisioning Application code Container orchestration, provisioning Cluster scaling Physical hardware, host OS/kernel, networking, and facilities Application code Data source integrations Security config and updates Network config Management tasks Container orchestration control plane Physical hardware software, networking, and facilities Application code Data source integrations Work clusters Security config and updates, network config, firewall, management tasks Physical hardware software, networking, and facilities Application code Data source integrations Scaling Security config and updates Network config Management tasks Provisioning, managing scaling and patching of servers Why Lambda? Operational support AWS Lambda Serverless functions AWS Fargate Serverless containers Amazon ECS/EKS Container management as a service Amazon EC2 Infrastructure as a service Most Least What you manage 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Shared Responsibility Model: Managed container services Operating System & Network Configuration Customer data Application identity and access management AWS (what we manage) Customer (what you manage) AWS Identity & Access Management Platform Management Code Encryption At Rest Network Traffic Protection Firewall Configuration Data Encryption & Integrity Authentication Application Management Internet Access Monitoring & Logging Compute Storage Database Networking AWS Infrastructure Regions, AZs & Data centers 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Shared Responsibility Model: Lambda Compute Storage Database Networking AWS Infrastructure Regions, AZs & Data centers Operating System & Network Configuration Customer data Application identity and access management AWS Identity & Access Management Platform Management Code Encryption At Rest Network Traffic Protection Firewall Configuration Data Encryption & Integrity Authentication Application Management Internet Access Monitoring & Logging (Tools provided by platform) AWS (what we manage) Customer (what you manage) 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why Lambda? Application integrations 200+ AWS service integrations • polling • queueing • batching • event routing • retries • stream checkpointing • graceful error back-offs Amazon Kinesis AWS AppSync Amazon Simple Notification Service Amazon Simple Queue Service AWS Step Function Amazon EventBridge Amazon DynamoDB Amazon API Gateway Amazon Elastic File System Amazon Simple Storage Service (S3) Amazon CloudFront Amazon CloudWatch Amazon MQ Amazon RDS 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why Lambda? Automatic scaling • Burst capacity of up to 3,000 in select Regions ○ (us-west-2, us-east-1, eu-west-1) • Enables scaling from 0 to 3,000 concurrent executions in seconds • After the initial burst, functions concurrency can scale by an additional 500 instances each minute • Provisioned Concurrency available for highly consistent function executions 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why Lambda? Cost considerations • Only pay for use, never pay for idle resources by default • Scales to zero • Precise cost measurements: 1 MS billing • Allocate memory for cost/performance • No need to pay for patching and maintenance 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its affiliates. Lambda container image benefits 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Benefit: Agility Flexibility and familiarity of container tooling (Docker, CI / CD, security, governance) Plus operational simplicity of AWS Lambda Equals more agility when building applications 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Benefit: Dependency management • Manage all dependencies as immutable artifact • Add dependences in Dockerfile • Install native operating system packages • Install language-compatible dependencies 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Benefit: Familiar container tooling • Use the same build and pipeline tools to deploy • Use the same container registry to store application artifacts (Amazon ECR, Docker Hub) • Tools that can inspect Dockerfiles work the same 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Benefit: Larger Lambda functions Developers can now configure Lambda functions for: 10 GB deployment package max 10 GB in memory with up to 6 vCPUs proportional to memory configuration Build compute-intensive workloads: • Machine learning, genomics, gaming, HPC applications Build memory-intensive workloads: • Batch, ETL, analytics, media processing Configured memory (MB) Allocated cores 128 – 1769 1 1770 – 3538 2 3539 – 5307 3 5308 – 7076 4 7077 – 8845 5 8846 – 10240 6 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Benefit: Immutability • Lambda treats container images as immutability entities • When invoked, functions deployed as container images are run without modification • Invoked functions are immutable across environments: • Desktop, CI / CD • Elastic Container Registry • Lambda execution environment OS and runtime patching no longer performed by AWS Any image change requires a separate redeployment step 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Benefit: Flexibility ○ Use your preferred base image to deploy Lambda-based applications. ○ Simplifies running images on additional compute services. ○ (Runtime Interface Emulator) 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon ECS AWS Fargate Amazon EKS On-premises Hybrid cloud Benefit: Portability AWS Lambda Lambda container image 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its affiliates. Working with Lambda container images 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Container image format & distros Lambda supports container images that have manifest files following these formats: • Docker image manifest V2, schema 2 (used with Docker version 1.10 and newer) • Open Container Initiative (OCI) Specifications (v1.0.0 and up) Can use non-Amazon Linux distributions such as Alpine or Debian Images can be up to 10 GB More here: https://docs.aws.amazon.com/lambda/latest/dg/images-create.html 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Container image registry Container images are stored in Amazon Elastic Container Registry (ECR) • Fully managed container registry • Required for deploying Lambda functions • Public and private repositories • Cross-account sharing controls • Can replicate images across Regions • Encryption at rest and in transport to Lambda • Integrated vulnerability scanning Amazon Elastic Container Registry 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Base images AWS provided Lambda base images for every managed runtime • Patched and maintained by AWS • Images available from both Docker Hub and Amazon ECR Public Bring your own base image • Linux kernels supported Multi-stage builds • Node.js • Python • Java • Provided.al2 • .Net • Ruby • Go (Runtime API) CODE EDITOR $ cat Dockerfile FROM public.ecr.aws/lambda/nodejs:12 COPY app.js package*.json ./ RUN npm install CMD [ "app.lambdaHandler" ] 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Dockerfile for Lambda functions Use the Node.js v12 base image from Amazon ECR Public Copy the application files to the image Run the npm command to install dependencies in the image When the container runs, use my application’s handler CODE EDITOR FROM public.ecr.aws/lambda/nodejs:12 COPY app.js package*.json ./ RUN npm install CMD [ "app.lambdaHandler" ] The container image includes your function and becomes the entire filesystem 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Dockerfile for Lambda functions Lambda supports the following container image settings in the Dockerfile: • ENTRYPOINT – Specifies the absolute path to the entry point of the application. • CMD – Specifies parameters that you want to pass in with ENTRYPOINT. • WORKDIR – Specifies the absolute path to the working directory. • ENV – Specifies an environment variable for the Lambda function. Lambda ignores the values of any unsupported container image settings in the Dockerfile. 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Intoducing the RIC and the RIE There are two extra components we’ve released as part of container image support: • AWS Lambda Runtime Interface Client(s) (RIC) • Allows container-based function code to interact with Lambda Runtime API • AWS has released these for each managed runtime • Open-sourced (for example: https://github.com/aws/aws-lambda-nodejs-runtime-interface-client) • AWS Lambda Runtime Interface Emulator (RIE) • Mimics the Runtime API locally for testing purposes • Exposes an HTTP interface that converts requests to JSON for the RIC • Also open-sourced: https://github.com/aws/aws-lambda-runtime-interface-emulator/ 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its affiliates. Developer workflow 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Developer workflow: Build and local test docker build / sam build Container image 1. Add base layer image 2. Copy function code 3. Install dependencies Local testing (with RIE) • docker run • sam local invoke Lambda function local test Code Dockerfile Container image 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Developer workflow: Deploy and run Amazon Elastic Container Registry Container image 1. Tag image 2. Upload image to registry Invoke Status: ACTIVE Ready for invoke Lambda function 1. Pull image from Amazon ECR 2. Optimize image 3. Deploy image to Lambda CreateFunction Container image Status: PENDING AWS Lambda docker tag docker push Container image 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Developer workflow: Deploy and run Amazon Elastic Container Registry Container image 1. Tag image 2. Upload image to registry Invoke Status: ACTIVE Ready for invoke Lambda function 1. Pull image from Amazon ECR 2. Optimize image 3. Deploy image to Lambda CreateFunction Container image Status: PENDING AWS Lambda docker tag docker push sam deploy AWS SAM packages the container, pushes it to a repo, and creates or updates the Lambda function with a single command Container image 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. © 2021, Amazon Web Services, Inc. or its affiliates. What changes and what stays the same 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What changes and what stays the same? What changes? • Larger function size • Use preferred base image (Requires RIC to talk to Runtime API) • No auto-updates without a redeploy (immutable) What stays the same? • Operational models • Invoke model • Performance • Storage options • Logging / metrics / tracing • Other service limits • Pricing 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What’s the same? Performance Memory and CPU configurations match zip archive functions Performance varies based on image size, composition, runtimes and dependencies Cold start times targeted to be same as zip archive (small % of production traffic) Container images are proactively cached near to where the function runs for faster start-up 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What’s the same? Pricing Now 1 ms billing granularity, reduced from 100 ms. No additional changes to any Lambda pricing calculations or dimension. You do pay for the ECR repository. 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What’s the same? Operational Models • Automatic scaling characteristics • High availability (multi-AZ deployments) • Security and isolation 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Create and package your functions Lambda console Lambda container image Lambda zip archive 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Summary Container image support can simplify the way you build Lambda-based applications: • Unified tooling with container-based workloads • Easier dependency management • Larger application artifacts Same benefits of Lambda as a compute service and simplified developer experience with AWS SAM Much more here: s12d.com/lambda-containers 

© 2021, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverlessland.com 

© 2021, Amazon Web Services, Inc. or its affiliates. Thanks! © 2021, Amazon Web Services, Inc. or its affiliates. 42 @julian_wood Julian Wood @julian_wood