Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Serverless for the Enterprise

Serverless for the Enterprise

Using serverless technologies brings a number challenges for large, enterprise scale systems. This talk covers the problems faced and offers insights and recommendations to help others wanting to use serverless for non-trivial use cases.

D01c2f599fa703fa97d3c799562bf1b7?s=128

Rafal Gancarz

October 27, 2016
Tweet

Transcript

  1. 1 Serverless for the Enterprise Rafal Gancarz Lead Consultant rafal.gancarz@opencredo.com

    @RafalGancarz
  2. 2 So you want to do Serverless? fun, cool, cutting

    edge, cost effective, agile, competitive, fast to deliver @RafalGancarz
  3. 3 … but you are an Enterprise security, operability, support,

    compliance @RafalGancarz
  4. 4 … or you just want to build something more

    substantial multiple development teams, CI/CD, DevOps, automated testing, loose coupling, microservices, event-driven @RafalGancarz
  5. Simple use case - chat bot 5 @RafalGancarz

  6. Simple use case - image resizer 6 @RafalGancarz

  7. • API-first platform for the cloud management vendor • 10s

    of APIs • CRUD, scheduled/triggered background jobs, event-driven processing • Strict security policies • SAML SSO integration • Rich RBAC model • Legacy system integration • CI/CD • Operations • Tooling 7 Advanced use case ? @RafalGancarz
  8. • Tight coupling • Sprawling web of dependencies • All

    or nothing deployments • Team dependencies/ coordination challenges 8 Serverless monolith ABC API @RafalGancarz
  9. • Scoped around domain bounded contexts or platform capabilities •

    Isolated infrastructure stack (Terraform state) • Consistent naming of resources • Dedicated build/deployment pipeline • 0 .. N Lambda functions • Explicitly defined security policies and dependencies • Optionally exposes an API • Optionally exposes domain events • Optionally subscribes to event sources 9 Serverless Components A B C API API @RafalGancarz
  10. • Synchronous call to another component • via HTTPS API

    • via direct Lambda invokation • no buffering • you pay for the wait time :) 10 Integration patterns @RafalGancarz
  11. • Asynchronous call to another component • send a message

    to SQS queue or SNS topic • fire and forget • decoupled • flexible message formats helpful 11 Integration patterns @RafalGancarz
  12. • Asynchronous notifications • subscribe to SNS topic • decoupled

    • flexible message formats helpful 12 Integration patterns @RafalGancarz
  13. • Swagger for API specifications • API definitions can be

    used for model validation and contract testing • API versioning (for non backward- compatible changes) • Developer portal for API discovery and documentation 13 APIs
  14. 14 Continuous delivery/deployment @RafalGancarz

  15. 15 Continuous delivery/deployment @RafalGancarz

  16. 16 Infrastructure provisioning @RafalGancarz

  17. 17 Code deployments ES 2015 + @RafalGancarz (babeljs.io) (rollupjs.org) (apex.run)

  18. 18 Testing Unit testing (local/CI) Acceptance testing (test environment) Smoke

    testing (post deployment) testing pyramid @RafalGancarz
  19. 19 Testing + + Unit testing (local + CI) +

    Acceptance/functional testing (AWS) + Smoke testing (AWS) + @RafalGancarz (mochajs.org) (chaijs.com) (sinonjs.org) (proxyquire)
  20. • Least privilege policy based on IAM roles • IAM

    credentials and STS used for operations/tooling access • Credential/key rotation • Encryption in transfer • Encryption in storage (for sensitive data) 20 Security principles @RafalGancarz
  21. 21 Security in depth @RafalGancarz

  22. • Authentication • Bespoke SSO solution integrated with the legacy

    system • Serverless SAML SSO + JWT token • Authorisation • Custom authorisation library • API Gateway custom authorisers not flexible enough • Sensitive configuration values • Encrypted objects in the component’s S3 bucket • Secret management/storage component • Bespoke serverless solution based on DynamoDB and KMS 22 Security @RafalGancarz
  23. • Bunyan logging library • JSON formatted logs • business

    specific metadata • transaction tracing • CloudWatch Logs for log collection • Log aggregation pipeline (Lambda + Kinesis + Lambda) • Bespoke log filtering solution • Elastic Search for log storage • Kibana (on a server!) for browsing 23 Logging @RafalGancarz
  24. • CloudWatch metrics and alarms • API Gateway • Lambda

    • DynamoDB • Billing • Bespoke Operations Health Dashboard application • CloudTrail for auditing • API Gateway • AWS API calls 24 Monitoring & Auditing @RafalGancarz
  25. • Serverless NPM registry (S3 + Lambda + API GW)

    • Jenkins Pipeline DSL scripts (Groovy) • Deployment framework (Python) • Operations Dashboard (Node) • more to come … 25 Tooling @RafalGancarz
  26. • Serverless is still in its infancy - lots of

    problems to solve (sometimes not the problems you’d like to be solving) • Serverless evolves rapidly - new tools/solutions are emerging, new features becoming available, new ideas&patterns are being shared • Strong dependency on the cloud provider (SDKs, tools, support, limits) • Plan/adapt your capacity (DynamoDB, Kinesis) • Serverless frameworks are great for some use cases but quite opinionated and limiting for others (particularly around stack provisioning/management) • Tooling is sparse, a lot of ‘build your own’ Lessons learned 26 @RafalGancarz
  27. • Automated rollback (when deployment fails) • Data migration (when

    DynamoDB table name or hashing key changes) • Involving the wider engineering team 27 Challenges to be addressed @RafalGancarz
  28. 28 Thank you! Rafal Gancarz Lead Consultant rafal.gancarz@opencredo.com @RafalGancarz Questions?