Slide 1

Slide 1 text

Serverless on AWS
LESSONS LEARNED
Driss Amri @drams88

Slide 2

Slide 2 text

Who is Driss Amri?
Blogger at drissamri.be
Traveler, Diver, Software Engineer

Slide 4

Slide 4 text

Serverless is awesome!
● Faster time to market
● Significantly reduces server costs
● No server maintenance
● But...

Slide 6

Slide 6 text

Frequency
● First invocation
● Concurrent invocations
● After provider resource clean up
● After deployment & configuration change

Slide 8

Slide 8 text

Minimize bootstrap
● Keep functions single-purpose*
● Minimize dependencies & use lightweight alternatives
  - ProGuard, serverless-optimizer-plugin, …
● Prefer low overhead runtime (Go, Node.js, Python)
  - … warming up strategies for Java, .NET
PRO TIP: https://www.graalvm.org/

Slide 9

Slide 9 text

https://github.com/alexcasalboni/aws-lambda-power-tuning

Slide 10

Slide 10 text

Optimize execution time
● Move state to global variables
● Fail fast
● Connections
  - Shorter server-side connection timeouts
  - Client side connection pool to 1
  - Connections keep-alive & auto reconnect

Slide 11

Slide 11 text

When to use a VPC?
✅ Access to Amazon RDS, Elasticache, RedShift, …
✅ Private API Gateway
✅ On-premises services over VPN
❌ Elastic Network Interface (ENI) increases cold start
❌ Limited number of ENIs per VPC
❌ NAT Gateways are required for Internet access

Slide 13

Slide 13 text

Development

Slide 14

Slide 14 text

Development tips
● Local development
  - Serverless
  - aws-sam-cli
● Separate Lambda handler from business logic
● Use Environment Variables
  - … learn to love SSM Parameter Store

Slide 15

Slide 15 text

Tools
● Serverless framework
● Terraform
● AWS SAM CLI
● CloudFormation & AWS Cloud Development Kit (CDK)

Slide 17

Slide 17 text

Security
● Principle of least privilege
  - https://github.com/puresec/serverless-puresec-cli
● Validate your dependencies
  - https://jeremylong.github.io/DependencyCheck/
● PureSec Function Shield
  - Disable /tmp access
  - Disable outbound internet connections
  - Disable child process execution
● (Cross-) Account Lambda Authorizers

Slide 18

Slide 18 text

Monitoring

Slide 19

Slide 19 text

STOP!
● Functions don’t call functions
● Avoid RDBMS

Slide 20

Slide 20 text

Cost control

Slide 21

Slide 21 text

Pricing*
● AWS Lambda:
  - $0.20 per million requests
  - $0.00001667 per GB-second
● API Gateway:
  - $3.50 per million API calls
● SQS:
  - $0.40 per million requests
● DynamoDB:
  - $0.25 per GB-month
  - Stream triggers to Lambda free
● Kinesis*:
  - $0.015 per shard per hour
  - $0.014 per million PUT requests
NOTE: Prices vary per region + Free tier

Slide 22

Slide 22 text

https://github.com/open-guides/og-aws#aws-data-transfer-costs

Slide 23

Slide 23 text

Gotchas
● Max duration AWS API Gateway: 30 seconds
● Total size deployment packages: 75 GB

Slide 24

Slide 24 text

Example
https://github.com/drissamri/serverless-architecture

Slide 25

Slide 25 text

Learn...

Slide 26

Slide 26 text

Get started!
● Amazon Web Services — a practical guide: https://github.com/open-guides/og-aws
● AWS Certification preparation: https://bit.ly/2aroFYb
● Serverless framework: https://serverless.com
● AWS Well-Architected: https://aws.amazon.com/architecture/well-architected
● AWS re:Invent 2017: Become a Serverless Black Belt: https://www.youtube.com/watch?v=oQFORsso2go