Slide 1

Slide 1 text

COMMUNITY DAY MENA
Building Serverless SaaS

Slide 2

Slide 2 text

Introduction
Ali El Kontar
Founder and CEO of Zero&One
9x AWS Certified
AWS Authorized Instructor Champion
akontar
a.kontar@zeroandone.me

Slide 3

Slide 3 text

Introduction
• AWS Advanced Consulting Partner
• Specialized in DevOps and building Native platforms on AWS
• Well-Architected Partner
• Service Delivery Program
• Public Sector Partner
• Immersion Day Partner
www.zeroandone.me

Slide 4

Slide 4 text

Gartner estimates the size of the SaaS market at $99.7B in 2020, growing at a rate of 21%.
Source: Gartner, Forecast: Public Cloud Services, Worldwide, 2016-2020

Slide 5

Slide 5 text

According to IDC, 72% of enterprises will prioritize SaaS when selecting new application solutions, 16% are neutral, and only 13% prefer traditional applications over SaaS.
Source: IDC SaaSView 4Q18, October 2018

Slide 6

Slide 6 text

SaaS Benefits

Slide 7

Slide 7 text

Service companies are gaining benefits from the SaaS model not accessible to traditional ISVs

Unlock new customer segments
• Lower customer adoption costs
• Lower operational costs per customer
• 75% installation time reduction

Reduce TCO
• Reduced upfront infrastructure cost
• Eliminating customer support costs
• 30% savings on system costs

Integrate new cloud services
• Leverage off-the-shelf components available in public cloud
• Reduced time to develop new functionality

Leverage aggregated data
• Derive new customer insights from usage data
• Develop new data-driven solutions
• Monetize data

*Source: Keystone, The Shift to SaaS: A high-value opportunity for ISVs, June 1, 2017

Slide 8

Slide 8 text

Service companies are gaining benefits from the SaaS model not accessible to traditional ISVs
• In contrast to the traditional licensing model, the subscription model allows customers to use the software without committing to long licensing periods, lowering their barrier to buy.
• A subscription model smooths the revenue curve through monthly recurring revenue, resulting in improved financial predictability.

Slide 9

Slide 9 text

Serverless & SaaS

Slide 10

Slide 10 text

Serverless: A Natural fit – The Ultimate Match
• Smaller deployments
• Optimized Consumption
• Natural isolation models
• Simpler operations footprint
• Focus on IP / Customers
• Drive service decomposition

Slide 11

Slide 11 text

No more over-provisioning
• Cost, scale and performance
• Tenant Consumption

Slide 12

Slide 12 text

Introducing multi-tenancy
• Tenant Onboarding
• Authentication
• Authorization
• Tenant isolation
• Data Access / Partitioning
• DevOps and agility
• Tenant aware app functions

Slide 13

Slide 13 text

SaaS Architecture Landscape
[Diagram labels: Onboarding, Authentication, Metrics, Billing, Management; Service, Service; Application Services; Storage Partitioning; Tenant isolation]

Slide 14

Slide 14 text

Shared Services
Shared System Services
• Configure IAM policies
• Provision users/tenants
• Create billing account
• Provision tenant functions

Slide 15

Slide 15 text

Onboarding & Identity
[Diagram: six numbered steps (1 to 6); labels include /reg, /user/reg and POST]

Slide 16

Slide 16 text

Authentication injects SaaS identity
• Amazon Cognito
• Tenant context flowed into all downstream services

Slide 17

Slide 17 text

Applying tenant strategies with API Gateway
• Lambda Authorizer
• Tenant context, role, etc.
• Usage plans
• Tenant1 API Key (basic tier)
• Tenant2 API Key (advanced tier)
• Routes enabled/disabled based on tenant context
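
One way the Lambda authorizer on this slide can turn tenant context into a per-tier route policy and a usage-plan key. This is an added example, not code from the deck; the tier table, the `custom:tier` claim name and the `apiKeys` map are assumptions, and the claims are assumed to come from a token whose signature was already verified.

```javascript
'use strict';
// Constructed tier table: which METHOD/path patterns each tier may invoke.
const TIER_ROUTES = new Map([
  ['basic', ['GET/orders', 'GET/orders/*']],
  ['advanced', ['GET/orders', 'GET/orders/*', 'POST/orders', 'PUT/orders/*', 'DELETE/orders/*']],
]);

// methodArn: arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<path>
function apiArnPrefix(methodArn) {
  const [api, stage] = String(methodArn).split('/');
  if (!api.startsWith('arn:aws:execute-api:') || !stage) {
    throw new Error('unexpected methodArn');
  }
  return `${api}/${stage}/`;
}

// claims: token claims whose signature, issuer and expiry were ALREADY verified.
// apiKeys: Map of tenantId -> API key attached to that tenant's usage plan (assumed store).
function buildAuthorizerResponse(claims, methodArn, apiKeys) {
  const prefix = apiArnPrefix(methodArn);
  const tenantId = claims['custom:tenant_id'];
  const tier = claims['custom:tier']; // assumed claim name
  const routes = TIER_ROUTES.get(tier);
  const apiKey = apiKeys.get(tenantId);
  if (!routes || !apiKey) {
    // Unknown tenant or tier: explicit deny on the whole stage, no context returned.
    return {
      principalId: 'unknown',
      policyDocument: { Version: '2012-10-17', Statement: [
        { Effect: 'Deny', Action: 'execute-api:Invoke', Resource: `${prefix}*` }] },
    };
  }
  return {
    principalId: String(claims['cognito:username']),
    policyDocument: { Version: '2012-10-17', Statement: [
      { Effect: 'Allow', Action: 'execute-api:Invoke', Resource: routes.map((r) => prefix + r) }] },
    context: { tenantId, tier },   // tenant context passed to downstream integrations
    usageIdentifierKey: apiKey,    // honoured when the API key source is AUTHORIZER
  };
}
```

Routes outside the tier's list are implicitly denied, so a basic-tier tenant calling `PUT /orders/42` is rejected at the gateway before any function runs.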

Slide 18

Slide 18 text

Provisioning tenants and isolation

Silo: Provision separate functions for each tenant (provision as each tenant onboards)
• Tenant 1: Tenant 1 execution role
• Tenant 2: Tenant 2 execution role

Pool: Shared functions for all tenants (one-time provisioning)
• Tenant 1, 2, …, n: All tenants execution role

Slide 19

Slide 19 text

Cascading tenant scope from siloed function
• Tenant 1
• Tenant 1 execution role
• Access scoped by IAM policy

Slide 20

Slide 20 text

Using concurrency as a tiering strategy
• Basic Tier: Reserve Concurrency = 100
• Advanced Tier: Reserve Concurrency = 100
• Premium Tier: Reserve Concurrency = all unreserved

Slide 21

Slide 21 text

Pool compute relies on run-time policies
• Compute runs with a broader profile/execution scope
• Runtime-acquired tenant scope
• Scope applied when accessing resources
• Isolation token manager
• AWS Identity and Access Management (IAM)
• Access Context
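
How an isolation token manager can narrow the pooled execution role to one tenant at run time: it builds a session policy and passes it to STS AssumeRole, so the returned credentials reach only that tenant's items. This is an added example, not code from the deck; it assumes a DynamoDB table whose partition key is the tenant ID, and the function names, tenant ID format and ARNs are hypothetical.

```javascript
'use strict';
// Assumed tenant ID format; anything else is rejected before it reaches a policy.
const TENANT_ID = /^[A-Za-z0-9-]{1,36}$/;

// Session policy: STS intersects it with the pooled role's own permissions,
// so the resulting credentials can touch only items whose partition key is tenantId.
function tenantSessionPolicy(tenantId, tableArn) {
  if (typeof tenantId !== 'string' || !TENANT_ID.test(tenantId)) {
    throw new Error('invalid tenant id');
  }
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['dynamodb:GetItem', 'dynamodb:Query', 'dynamodb:PutItem',
        'dynamodb:UpdateItem', 'dynamodb:DeleteItem'],
      Resource: [tableArn],
      Condition: {
        'ForAllValues:StringEquals': { 'dynamodb:LeadingKeys': [tenantId] },
      },
    }],
  };
}

// Parameters for an STS AssumeRole call made by the token manager.
// Scan is deliberately absent from the policy: it cannot be limited by leading key.
function assumeRoleParams(tenantId, roleArn, tableArn) {
  return {
    RoleArn: roleArn,
    RoleSessionName: `tenant-${tenantId}`, // shows up in CloudTrail per tenant
    DurationSeconds: 900,                  // shortest lifetime STS allows
    Policy: JSON.stringify(tenantSessionPolicy(tenantId, tableArn)),
  };
}
```

The data-access layer then creates its DynamoDB client from the returned credentials, so a query bug that drops the tenant filter fails with an access-denied error instead of returning another tenant's rows.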

Slide 22

Slide 22 text

Building multi-tenant functions
• Hide the details of multi-tenancy
• Push all shared concepts to libraries
• Enable developers to focus on app features
• Smaller functions = smaller blast radius
• Limit synchronous dependencies
[Diagram labels: Multi-tenant microservice, JWT with SaaS identity, Multi-tenant metrics, Multi-tenant logging, Partitioned data access, Tenant isolation]

Slide 23

Slide 23 text

Using Lambda Layers for shared constructs
• Token manager: getTenantId(token)
• Logging manager: Log(tenantId)
• Metrics manager: recordMetric(tenantId)
• JWT token
• Layer
• Minimize tenant awareness
• Layers are deployed and versioned (V2.0)

Slide 24

Slide 24 text

Introducing layers into your environment

    // Shared multi-tenant helpers are loaded from the Lambda layer, mounted under /opt.
    const logManager = require('/opt/nodejs/log-manager.js');
    const metricManager = require('/opt/nodejs/metric-manager.js');
    const tokenManager = require('/opt/nodejs/token-manager.js');
    // Function-local data access layer.
    const dal = require('./course-manager-dal.js');

Slide 25

Slide 25 text

Centralizing tenant context management

    // tokenCache, jwtDecode, async, userManager and authenticateUserInPool are
    // defined elsewhere in this module (not shown on the slide).
    module.exports.getCredentialsFromToken = function(event, updateCredentials) {
        var bearerToken = event.headers['Authorization'];
        if (bearerToken) {
            // Strip the "Bearer " scheme prefix.
            var tokenValue = bearerToken.substring(bearerToken.indexOf(' ') + 1);
            if (!(tokenValue in tokenCache)) {
                // jwtDecode only parses the token; assuming it is the jwt-decode
                // package, it performs no signature check.
                var decodedIdToken = jwtDecode(tokenValue);
                var userName = decodedIdToken['cognito:username'];
                var tenantId = decodedIdToken["custom:tenant_id"];
                async.waterfall([
                    function(callback) {
                        userManager.getUserPoolWithParam(userName, tenantId, callback);
                    },
                    function(userPool, callback) {
                        authenticateUserInPool(userPool, tokenValue, callback);
                    }
                ], function(error, results) {
                    if (error) {
                        updateCredentials(null);
                    } else {
                        // Cache the tenant-scoped credentials for this token.
                        tokenCache[tokenValue] = results;
                        updateCredentials(results);
                    }
                });
            } else {
                updateCredentials(tokenCache[tokenValue]);
            }
        } else {
            // No Authorization header: report failure instead of never calling back.
            updateCredentials(null);
        }
    };
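
The `tokenCache` above keeps credentials for as long as the function container stays warm. An expiring, size-bounded replacement is shown here as an added example, not code from the deck; `bearerToken`, `tokenExpiryMs` and `TenantCredentialCache` are hypothetical names, and the caller is assumed to know when the issued credentials expire.

```javascript
'use strict';
// Extract the bearer token; header names can arrive in any letter case.
function bearerToken(event) {
  const headers = (event && event.headers) || {};
  const name = Object.keys(headers).find((h) => h.toLowerCase() === 'authorization');
  const m = name && /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(headers[name]);
  return m ? m[1] : null;
}

// Read `exp` (seconds since epoch) from the payload. This parses only; it does
// not verify the signature, so use it for cache lifetime, never for trust.
function tokenExpiryMs(token) {
  try {
    const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return Number.isFinite(payload.exp) ? payload.exp * 1000 : 0;
  } catch (e) { return 0; }
}

class TenantCredentialCache {
  constructor(maxEntries = 500) { this.entries = new Map(); this.maxEntries = maxEntries; }
  get(token, now = Date.now()) {
    const hit = this.entries.get(token);
    if (!hit) return null;
    if (hit.expiresAt <= now) { this.entries.delete(token); return null; }
    return hit.credentials;
  }
  // credentialExpiryMs: when the issued credentials themselves stop working.
  set(token, credentials, credentialExpiryMs, now = Date.now()) {
    const expiresAt = Math.min(tokenExpiryMs(token), credentialExpiryMs);
    if (expiresAt <= now) return false; // never cache something already stale
    if (this.entries.size >= this.maxEntries) {
      this.entries.delete(this.entries.keys().next().value); // evict oldest insert
    }
    this.entries.set(token, { credentials, expiresAt });
    return true;
  }
}
```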

Slide 26

Slide 26 text

The payoff: A simplified developer experience

    'use strict';

    const logManager = require('/opt/nodejs/log-manager.js');
    const metricManager = require('/opt/nodejs/metric-manager.js');
    const tokenManager = require('/opt/nodejs/token-manager.js');
    const dal = require('./course-manager-dal.js');

    // Fetch the course with the supplied CourseId
    exports.get = (event, context, callback) => {
        // The log manager receives the event and takes the tenant context from it.
        logManager.log(event, "CourseManager", {"Message": "GetCourse() called.", "CourseId": event.pathParameters.resourceId});
        dal.getCourse(event, function(response) {
            logManager.log(event, "CourseManager", {"Message": "Course Returned", "Course": response});
            callback(null, response);
        });
    };

Slide 27

Slide 27 text

Multi-Tenant influence on service decomposition
[Diagram labels]
Functions: GetOrder(), GetOrder(), GetOrder(), UpdateOrder(), UpdateOrder(), DeleteOrder()
Routes: GET /orders, POST /orders/712, PUT /orders/42, DELETE /orders/42
Scale, Scale
Policy, No Policy

Slide 28

Slide 28 text

Takeaways
• Serverless enables SaaS agility, resilience and innovation
• Isolation strategies directly shape deployment footprint
• Consider supporting multiple isolation models (hybrid)
• Factor account limits in your isolation model
• Hide details of multi-tenancy from service developers
• Consider using layers as the home for shared multi-tenant concepts
• Serverless allows us to better align tenant consumption and activity

Slide 29

Slide 29 text

Thank You