Download as PDF, PPTX
![Security: Secrets
AWS Parameter Store
Centralized store to manage your
configuration data
• Supports hierarchies
• Plain-text or encrypted with KMS
• Can send notifications of changes to Amazon
SNS/ AWS Lambda
• Can be secured with IAM
• Calls recorded in CloudTrail
• Can be tagged
• Integrated with AWS Secrets Manager
• Available via API/SDK
Useful for: centralized environment
variables, secrets control, feature
flags
from __future__ import print_function
import json
import boto3
ssm = boto3.client('ssm', 'us-east-1')
def get_parameters():
response = ssm.get_parameters(
Names=['LambdaSecureString'],WithDec
ryption=True
)
for parameter in response['Parameters']:
return parameter['Value']
def lambda_handler(event, context):
value = get_parameters()
print("value1 = " + value)
return value # Echo back the first key
value](https://image.slidesharecdn.com/serverlessarchitecturalpatternsbestpractices-191015020744/85/Serverless-Architectural-Patterns-Best-Practices-42-320.jpg)
![Security: Secrets
AWS Parameter Store
Centralized store to manage your
configuration data
• Supports hierarchies
• Plain-text or encrypted with KMS
• Can send notifications of changes to Amazon
SNS/ AWS Lambda
• Can be secured with IAM
• Calls recorded in CloudTrail
• Can be tagged
• Integrated with AWS Secrets Manager
• Available via API/SDK
Useful for: centralized environment
variables, secrets control, feature
flags
from __future__ import print_function
import json
import boto3
ssm = boto3.client('ssm', 'us-east-1')
def get_parameters():
response = ssm.get_parameters(
Names=['LambdaSecureString'],WithDec
ryption=True
)
for parameter in response['Parameters']:
return parameter['Value']
def lambda_handler(event, context):
value = get_parameters()
print("value1 = " + value)
return value # Echo back the first key
value](https://image.slidesharecdn.com/serverlessarchitecturalpatternsbestpractices-191015020744/75/Serverless-Architectural-Patterns-Best-Practices-42-2048.jpg)
Uploaded byDaniel Zivkovic
Serverless Architectural Patterns & Best Practices
The document focuses on serverless architectural patterns and best practices for AWS, particularly emphasizing tools like AWS Lambda, API Gateway, and DynamoDB. It outlines various operational models, microservice patterns, data processing, observability, and security considerations for implementing serverless solutions. Best practices for development, deployment, and resource allocation are also discussed to guide users in effective serverless application management.
More Related Content
Similar to Serverless Architectural Patterns & Best Practices
![Jumpstart your idea with AWS Serverless [Oct 2020]](https://cdn.slidesharecdn.com/ss_thumbnails/jumpstartyourideawithawsserverlessoct2020-240904053409-07f4072b-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
Serverless Architectural Patterns & Best Practices
- 1. Mike Apted @mikeapted Startup SolutionsArchitect AWS Canada Serverless Architectural Patterns & Best Practices Serverless Toronto Meetup September 12th, 2019
- 2.
- 3.
- 4. Serverless? No servers toprovision or manage Scales with usage Never pay for idle Availability and fault tolerance built in #serverlessTO @mikeapted
- 5.
- 6. Operational responsibility models On-PremisesCloud Less More Compute Virtual Machine EC2 Elastic Beanstalk LambdaFargate Databases MySQL MySQL on EC2 RDS MySQL RDS Aurora Aurora Serverless DynamoDB Storage Storage S3 Messaging ESBs Amazon MQ Kinesis SQS / SNS Analytics Hadoop Hadoop on EC2 EMR Elasticsearch Service Athena #serverlessTO @mikeapted
- 7. Operational responsibility models On-PremisesCloud Less More Compute Virtual Machine EC2 Elastic Beanstalk LambdaFargate Databases MySQL MySQL on EC2 RDS MySQL RDS Aurora Aurora Serverless DynamoDB Storage Storage S3 Messaging ESBs Amazon MQ Kinesis SQS / SNS Analytics Hadoop Hadoop on EC2 EMR Elasticsearch Service Athena #serverlessTO @mikeapted
- 8. Serverless is anopera-onal model AWS Lambda AWS Fargate Amazon API Gateway Amazon SNS Amazon SQS AWS Step Functions COMPUTE DATA STORES INTEGRATION Amazon Aurora Serverless Amazon S3 Amazon DynamoDB AWS AppSync #serverlessTO @mikeapted
- 9.
- 10. Web application Internet/ other services in network AmazonAPI Gateway AWS Lambda Amazon DynamoDB AWS Cloud #serverlessTO @mikeapted
- 11. Web applica*on Internet/ other services in network AmazonAPI Gateway AWS Lambda Amazon Aurora Serverless AWS Cloud #serverlessTO @mikeapted
- 12. Microservices Internet/ other services in network Amazon API Gateway AWS Lambda Amazon DynamoDB AWSCloud #serverlessTO @mikeapted Amazon Aurora Serverless
- 13. Microservice patterns: LambdaAPI 1. Lambda directly invoked via invoke API SDK clients API provided by the Lambda service Used by all other services that invoke Lambda across all models Supports sync and async Can pass any event payload structure you want Client included in every SDK Synchronous / Asynchronous Lambda function #serverlessTO @mikeapted
- 14. Lambda Execu,on Model Synchronous(push) Asynchronous (event) Stream (poll-based) Amazon DynamoDB Amazon SNS /order Amazon S3 reqs Amazon Kinesis Data Streams changes AWS Lambda service function Amazon API Gateway Lambda function Lambda function
- 15. Microservice pa,erns: AmazonSNS + Lambda 2. Lambda function(s) invoked Amazon SNS topic 1. Data published to a topic Data Simple, flexible, fully managed publish/subscribe messaging and mobile push notification service for high throughput, highly reliable message delivery Messages are published to a topic Topics can have multiple subscribers (fanout) Messages can be filtered and only sent to certain subscribers Asynchronous Lambda function Lambda function #serverlessTO @mikeapted
- 16. Microservice patterns: AmazonSQS + Lambda 1. Message inserted into a queue Message Amazon SQS3. SQS removes message from queue on successful response from function 2. Lambda function invoked Simple, flexible, fully managed message queuing service for reliably and continuously exchanging any volume of messages from anywhere Processed in batches At-least-once delivery Visibility timeout allows for handling of failures during processing Asynchronous Lambda function #serverlessTO @mikeapted
- 17. Streaming Data: Transformation Record producers AWS Lambda AWSCloud Amazon Kinesis Data Firehose Amazon S3 Amazon Redshift Amazon Elasticsearch #serverlessTO @mikeapted
- 18. Streaming Data: Enrichment Record producers AWS Lambda Amazon DynamoDB AWSCloud Amazon Kinesis Data Firehose Amazon S3 Amazon Redshift Amazon Elasticsearch #serverlessTO @mikeapted
- 19. Streaming Data: FanOut Record producers AWS Cloud Amazon Kinesis Data Streams AWS Lambda #serverlessTO @mikeapted
- 20. Streaming Data: RealTime Analy2cs Record producers AWS Cloud Amazon Kinesis Data Streams Amazon Kinesis Data Analytics AWS Lambda #serverlessTO @mikeapted
- 21. Data Lakes: BatchProcessing (MapReduce) Amazon S3 AWS Lambda Amazon DynamoDB AWS Cloud #serverlessTO @mikeapted
- 22. Orchestra)on: Step Func)ons Serverlessworkflow management with zero administration • Makes it easy to coordinate the components of distributed applications and microservices using visual workflows • Automatically triggers and tracks each step and retries when there are errors, so your application executes in order and as expected • Logs the state of each step, so when things do go wrong, you can diagnose and debug problems quickly #serverlessTO @mikeapted
- 23. Orchestra)on: Step Func)ons Withserverless polling With direct service integrationStart End AWS Lambda functions Start End No Lambda functions #serverlessTO @mikeapted
- 24.
- 25. DevOps: Tes*ng • Decouplebusiness logic from your Lambda handler • Write unit tests as you normally would • Leverage tools like “aws-sdk-mock” • Leverage a framework for easier local testing • i.e. SAM Local • For integration tests leverage real services
- 26. DevOps: Deployments +Frameworks • Build pipelines from source control to production • Consider one pipeline per service • Leverage capabilities that are built into frameworks like: • traffic shifting between Lambda aliases • canary or blue/green deployments • error monitoring • automatic rollbacks,
- 27. DevOps: Share Codew/ Lambda Layers Lets functions easily share code: Upload layer once, reference within any function Layer can be anything: dependencies, training data, configuration files, etc Promote separation of responsibilities, lets developers iterate faster on writing business logic Built in support for secure sharing by ecosystem #serverlessTO @mikeapted
- 28. Observability: X-Ray • Lambdainstruments incoming requests for all supported languages • Lambda runs the X-Ray daemon on all languages with an SDK var AWSXRay = require(‘aws-xray-sdk-core‘); AWSXRay.middleware.setSamplingRules(‘sampling- rules.json’); var AWS = AWSXRay.captureAWS(require(‘aws-sdk’)); S3Client = AWS.S3(); #serverlessTO @mikeapted
- 29.
- 30.
- 31. Observability: Metrics • 6Built in metrics for Lambda • Invocation Count, Invocation duration, Invocation errors, Throttled Invocation, Iterator Age, DLQ Errors • Can call “put-metric-data” from your function code for custom metrics • 7 Built in metrics for API-Gateway • API Calls Count, Latency, 4XXs, 5XXs, Integration Latency, Cache Hit Count, Cache Miss Count • Error and Cache metrics now support averages and percen,les #serverlessTO @mikeapted
- 32. Observability: Logs • APIGateway Logging • 2 Levels of logging, ERROR and INFO • Optionally log method request/body content • Set globally in stage, or override per method • Lambda Logging • Logging directly from your code with your language’s equivalent of console.log() • Basic request information included • Log Pivots • Build metrics based on log filters • Jump to logs that generated metrics • Export logs to AWS ElastiCache or S3 • Explore with Kibana or Athena/QuickSight #serverlessTO @mikeapted
- 33. Observability: DLQ “By default,a failed Lambda function invoked asynchronously is retried twice, and then the event is discarded.” https://docs.aws.amazon.com/lambda/latest/dg/dlq.html • Turn this on! (for async use-cases) • Monitor it via an SQS Queue length metric/alarm • If you use SNS, send the messages to something durable and/or a trusted endpoint for processing • If and when things fail DLQ can save your invocation event information ☠ ✉ Q #serverlessTO @mikeapted
- 34. Performance: Function Lifecycle Bootstrap theruntime Start your code Full cold start Partial cold start Warm start Download your code Start new Execution environment AWS optimization Your optimization #serverlessTO @mikeapted
- 35. Anatomy of aLambda functionImport sdk Import http-lib Import ham-sandwich Pre-handler-secret-getter() Pre-handler-db-connect() Function myhandler(event, context) { <Event handling logic> { result = SubfunctionA() }else { result = SubfunctionB() return result; } Function Pre-handler-secret-getter() { } Function Pre-handler-db-connect(){ } Function subFunctionA(thing){ ## logic here } Function subFunctionB(thing){ ## logic here }
- 36. Anatomy of aLambda functionImport sdk Import http-lib Import ham-sandwich Pre-handler-secret-getter() Pre-handler-db-connect() Function myhandler(event, context) { <Event handling logic> { result = SubfunctionA() }else { result = SubfunctionB() return result; } Function Pre-handler-secret-getter() { } Function Pre-handler-db-connect(){ } Function subFunctionA(thing){ ## logic here } Function subFunctionB(thing){ ## logic here } Dependencies, configuration information, common helper functions Common helper functions Business logic sub-functions Your handler
- 37. Performance: Cold Starts/ VPC to VPC NAT Faster Scaling Lower Latency Easier To Use
- 38. Performance: Resource Alloca1on Lambdaexposes only a memory control, with the % of CPU core and network capacity allocated to a function proportionally #serverlessTO @mikeapted
- 39.
- 40. Performance: Mul/threading • <1.8GBis still single core • CPU bound workloads won’t see gains – processes share same resources • >1.8GB is multi core • CPU bound workloads will gains, but need to multi thread • I/O bound workloads WILL likely see gains • e.g. parallel calculations to return #serverlessTO @mikeapted
- 41. Security: Configura1on • Key-valuepairs that you can dynamically pass to your function • Available via standard environment variable APIs such as process.env for Node.js or os.environ for Python • Can optionally be encrypted via AWS Key Management Service (KMS) • Allows you to specify in IAM what roles have access to the keys to decrypt the information • Useful for creating environments per stage (i.e. dev, testing, production) #serverlessTO @mikeapted
- 42. Security: Secrets AWS ParameterStore Centralized store to manage your configuration data • Supports hierarchies • Plain-text or encrypted with KMS • Can send notifications of changes to Amazon SNS/ AWS Lambda • Can be secured with IAM • Calls recorded in CloudTrail • Can be tagged • Integrated with AWS Secrets Manager • Available via API/SDK Useful for: centralized environment variables, secrets control, feature flags from __future__ import print_function import json import boto3 ssm = boto3.client('ssm', 'us-east-1') def get_parameters(): response = ssm.get_parameters( Names=['LambdaSecureString'],WithDec ryption=True ) for parameter in response['Parameters']: return parameter['Value'] def lambda_handler(event, context): value = get_parameters() print("value1 = " + value) return value # Echo back the first key value
- 43. Security: Permissions Function policies: •“Actions on bucket X can invoke Lambda function Z" • Resource policies allow for cross account access Execution role: • “Lambda function A can read from DynamoDB table users” • Define what AWS resources/API calls can this function access via IAM Event source ServicesFunction #serverlessTO @mikeapted
- 44.
- 45.
- 46. Mike Apted @mikeapted “No serveris easier to manage than no server.” - Werner Vogels, Amazon CTO