Serverless Course Slide 012022

Uploaded by felixbossio

Copyright © Rajdeep Saha - All Rights Reserved

How This Course is Structured

● Getting Started
● Storage For Serverless
● API Gateway
● Real World Project
● Lambda Advanced Concepts
● Step Functions
● Logging & Monitoring
● AWS CLI
● AWS Cloud9
● DevOps For Serverless
● AWS SAM
● Serverless Frameworks
● Serverless Vs Containers
● Architectures & Optimization
● Serverless Security


Traditional Server vs Cloud VM vs Serverless
Scenario - Everyday, dinner party at your home, number of guests could be between 1 to 20, no one RSVPs!

Traditional Server in your Datacenter
● You own the kitchen
● You spend money buying every appliance
● You pay for the electricity used in the kitchen
● You make food for 20 people everyday
● Lot of wasted food

Cloud VM (EC2)
● You do NOT own the kitchen
● You get food from a takeout place who delivers instantly
● However, the takeout place only delivers food for exactly 5 people at a time
● If 3 people show up, you waste food of 2 people
● If 7 people show up, you place 2 orders, each for 5 people, still some waste
● Better than Traditional Datacenter but still a little wasteful

Serverless (Lambda)
● You do NOT own the kitchen
● You get food from a takeout place who delivers instantly
● However, this takeout place accepts an order for any number of people
● You simply put in an order for the exact number of people who showed up
● Best cost optimized solution


Traditional Server vs Cloud VM vs Serverless
Scenario - Everyday, traffic hits your website, you don’t know how much traffic is going to hit each day

Traditional Server in your Datacenter
● You own the datacenter building
● You spend money buying every server
● You pay for the cost of the datacenter i.e. electricity, AC etc.
● You buy enough servers to accommodate huge traffic
● Lot of wasted $$$

Cloud VM (EC2)
● You do NOT own the datacenter
● You provision EC2
● However, each EC2 comes with fixed processing power and memory
● Sometimes traffic would be less than EC2 capacity
● If EC2 reaches capacity, add another EC2 via Auto Scaling Group, but with fixed predetermined capacity
● Better than Traditional Datacenter but still a little wasteful

Serverless (Lambda)
● You do NOT own the datacenter
● You utilize Serverless Services
● If more traffic hits, it auto scales automatically
● You pay for the number of executions rather than idle resources
● Best cost optimized solution


Cloud VM (EC2)

[Diagram: traffic hits an Amazon EC2 instance (CPU) behind Auto Scaling; as traffic grows a second Amazon EC2 instance is added. Utilization 30%, Cost 100%]


Serverless (Lambda)

[Diagram: traffic invokes one, then two, then three AWS Lambda functions. Pay for what you use (3 Invocations)]


Lambda Logging & Monitoring

AWS Lambda → Amazon CloudWatch
● Logs
● Metrics
● CloudWatch Insights

Serverless Is NOT Only Lambda


What Defines Serverless?

No servers to provision or manage

Automatically scales with usage

Never pay for idle

Availability and fault tolerance built in


Serverless means…

No AMI Rehydration


Serverless Ecosystem - Beyond Lambda

Compute: AWS Lambda, AWS Fargate
Storage: Aurora Serverless, DynamoDB, Amazon S3
Integration, Analytics: Amazon API Gateway, Amazon SQS, AWS Step Functions, AWS Glue, Amazon SNS, AWS AppSync
And More...

Crown Jewel of Serverless


What is AWS Lambda?
● AWS Lambda lets you run code without provisioning or managing servers
● With Lambda, you can run code for virtually any type of application or backend service - all with zero administration
● Just upload your code and Lambda takes care of everything required to run and scale your code with high availability
● You pay only for the compute time you consume

What Does This Buy You?

Speed, Agility, and Innovation


Some More Details About Lambda

Configuration
● Select Memory from 128 MB to 10 GB (reInvent 2020)
● CPU and Network allocated proportionally
● Max 15 Mins Runtime

Architectural Flexibility
● Can be invoked synchronous (e.g. API) or asynchronous (e.g. SQS, S3)
● Inherent integration with other AWS services
● Wide range of use cases

You Use Lambda All the Time!


Serverless applications

Event (anything) → Lambda → What Can Lambda Call? (anything)

Event sources:
● S3 Bucket Object Put
● Message in SQS
● API Invocation
● Kinesis Streams
● And many more..

Lambda runtimes:
● Node.js
● Python
● Java
● C#
● Go
● Ruby
● BYOR (Bring your own runtime)

What Lambda can call:
● Aurora
● Other AWS Services
● Other codes

“We don’t believe in one tool to rule the world. We want you to use the right tool for the right job.”—Andy Jassy, CEO of AWS

Cost Of Lambda


Non Expiring Free Tier!!

● Every month you get 1M invocations and 400,000 GB-seconds of compute
● Charged in 1 ms increments (reInvent 2020)
● No commitment required
● Never pay for idle

All demos covered under Free-Tier*
*Except Advanced API Logging

How Do You Calculate for Real Projects!
Let’s Calculate!

https://s3.amazonaws.com/lambda-tools/pricing-calculator.html
Ways To Create Lambda

Ways To Create Serverless
● AWS Console
● CloudFormation/SAM/CDK
● AWS CLI

Learning Medium
● AWS Console
● CloudFormation/SAM/CDK
● AWS CLI, run from: Local PC (Using AWS Creds), AWS Cloud9 (Terminal), Amazon EC2 (Command Line)


IAM Roles

Role Based Access - AWS Account #1234
● Admin (Tina): Have full access to any service
● Developer (Bob): Read, write, execute selected services (Lambda, Dynamo, S3)
● Tester (Susan): Execute selected services (Lambda)

Why IAM Role?
[Diagram: 100s of services to control access to: RDS, Dynamo, S3, EC2, Comprehend, QLDB, MQ and others]

[Diagram: IAM Role attached to EC2, built from three policies. Policy to access S3 lets the application run "aws s3 ls"; Policy to read Dynamo lets the application read DynamoDB; Policy to write Dynamo lets the application write DynamoDB]

Role Based Access - AWS Account #1234
[Diagram: Developer role split by project: Project Team A and Project Team B, each with its own EC2 and selected data services (Dynamo, S3, RDS)]
Is This Service Serverless?

Let’s Test The 4 Rules
● No servers to provision or manage
● Automatically scales with usage
● Never pay for idle
● Availability and fault tolerance built in

Amazon SQS: Serverless
Amazon Kinesis: Not Serverless
Amazon EC2: Not Serverless


Understanding API with Real World Example

What is API?
Wikipedia Definition
In computer programming, an application programming interface (API) is a set of subroutine definitions, communication protocols, and tools for building software. In general terms, it is a set of clearly defined methods of communication between various components.

[Diagram: YOU order food → WAITER sends order to kitchen → RESTAURANT KITCHEN (whatever happens here is abstracted from you) → food ready → WAITER delivers food to YOU]

What is API?
[Diagram: WAITER = API. YOU send a Request to the API and receive a Response; the RESTAURANT KITCHEN behind it is abstracted from you]

Real life example of APIs
● “I hope it is payday!” → Get Balance API
● “Time to lookup that fancy restaurant” → Get Highly Rated Restaurants API
● Book Taxi
● Look Up Flight Deals
● Browse Items in Online Store

APIs are everywhere!

Going back to wikipedia definition
In general terms, it is a set of clearly defined methods of communication between various components.

What is API Gateway


What is API Gateway?
[Diagram: API Gateway as Orchestrator. YOU, Another hungry patron and Loud guy each send a request (Dessert, Main Course, Drinks) to the API Gateway, which routes it to the Dessert Station API, Main Course Station API or Drinks Station API in the RESTAURANT KITCHEN]

API Gateway continued...

Functions of API Gateway
● Lets you create, configure, and host an API
● Authentication and Authorization of your API
● Tracing, Caching and Throttling of API Requests
● Staged deployments, Canary release
● And much more..

How does Lambda fit into API Gateway?
[Diagram: client invokes API → API Gateway calls the Lambda backend → Lambda does all the computations and sends the response back]

API Gateway Components


API Gateway Components

Client → Method Request → Integration Request → Lambda backend → Integration Response → Method Response → Client

Method Request
● The public interface of an API method
● Defines the parameters and body

Integration Request
● Interfaces with backend
● Map the parameters and body of a method request to the formats required by the backend

Method Response
● Public interface of an API
● Defines the status codes, headers, and body models

Integration Response
● Map the status codes, headers, and payload that are received from the backend to the response format that is returned to a client app

API Gateway Components - Continued

Invoke URL - URL to invoke the API

Usage Plan - A usage plan provides selected API clients with access to one or more deployed APIs. You can use a usage plan to configure throttling and quota limits, which are enforced on individual client API keys

API Developer - Your AWS account that owns an API Gateway deployment (for example, a service provider that also supports programmatic access.)

App Developer - An app creator who may or may not have an AWS account and interacts with the API that you, the API developer, have deployed. App developers are your customers. An app developer is typically identified by an API key.

Resources (could be different projects/business areas)

Methods (GET, POST etc.) - Each method, along with its resources, is deployed to stages, with an invoke url for each method under each resource in each stage
Lambda Version and Alias

[Diagram: Lambda Version 1, Version 2, Version 3, Version 4 (oldest to newest, $LATEST being the newest). An Alias in front of them lets API Gateway split traffic 50% / 50% between two versions]

API Gateway Canary Deployment
[Diagram: API STAGE. Before: 100% of traffic to Base Version (Lambda 1), 0% to canary. During canary: 50% to Base Version, 50% to Canary Version (Lambda 1 modified)]

API Gateway API Endpoint Types


API Gateway API Endpoint Types

Edge optimized: Designed to help you reduce client latency from anywhere on the Internet
Regional: Designed to reduce latency when calls are made from the same region as the API
Private: Designed to expose APIs only inside your VPC

DEMO
● Choosing Endpoint Type of your API
● Note - You can change your Endpoint Type!
What is Swagger?
● API as Code
● Human and machine readable to create APIs
● Share APIs internally and externally
● Generates API documentation
● Supports YAML and JSON
● Now called “Open API Initiative”
● You can generate Swagger files for all your
APIs in API Gateway, even if you created
them in console!
Why Swagger?
● Recreate your APIs
● Enables you to use any API Management
tool (NOT Locked in)
● Create standards for the APIs in your
enterprise
● Documentation helps future developers
DEMO
● Export API Gateway API as Swagger
● Create API with Swagger
DEMO - Under SAM
● Defining API with SAM and Swagger
CORS (Cross Origin Resource Sharing) + API Gateway

What is CORS?
● Browser security feature that restricts cross-origin HTTP requests

What Qualifies for Cross Origin HTTP Requests?
● A different domain (e.g. from cat.com to dog.com)
● A different subdomain (e.g. from cat.com to adopt.cat.com)
● A different port (e.g. from cat.com to cat.com:10700)
● A different protocol (e.g. from https://cat.com to http://cat.com)


Cross-origin HTTP requests
Simple (All below has to satisfy)
● Only for GET, HEAD, POST
● POST must include Origin header
● Request payload content type is text/plain, multipart/form-data, or application/x-www-form-urlencoded
● Request does not contain custom header
● Plus requirements in https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests

Non Simple (Almost All Real World APIs)
● All other cross origin HTTP Requests


CORS Pre-flight
● First invoke OPTIONS Method to validate
● After getting valid response with allowed values, invoke actual Method (GET, POST etc.)

Web Browser (www.example.com) ↔ Remote REST Service
1. Can I do a GET?
2. Sure!
3. Actual GET Call

CORS Flow (any origin allowed)
Web Browser (www.example.com) ↔ Remote REST Service
1. OPTIONS
   Access-Control-Request-Method: GET
   Access-Control-Request-Headers: Content-Type, Authorization,x-api-key
2. Allowed values Returned
   Access-Control-Request-Method: GET, POST
   Access-Control-Request-Headers: Content-Type, Authorization,x-api-key
   Access-Control-Allow-Origin: *
3. Actual GET Call

CORS Flow (single origin allowed)
Same exchange as above, except step 2 returns
   Access-Control-Allow-Origin: www.example.com

CORS Flow - API Gateway
Web Browser (www.example.com) ↔ API Gateway
1. OPTIONS (answered by a Mock Integration)
   Access-Control-Request-Method: GET
   Access-Control-Request-Headers: Content-Type, Authorization,x-api-key
2. Allowed values Returned
   Access-Control-Request-Method: GET, POST
   Access-Control-Request-Headers: Content-Type, Authorization,x-api-key
   Access-Control-Allow-Origin: www.example.com
3. Actual GET Call → Application Lambda

Multi Origin CORS Flow
Web Browser (www.example.com) or Web Browser (www.demo.com) ↔ API Gateway
1. OPTIONS (answered by a CORS Lambda that sets the header based on incoming origin)
   Access-Control-Request-Method: GET
   Access-Control-Request-Headers: Content-Type, Authorization,x-api-key
2. Allowed values Returned
   Access-Control-Request-Method: GET, POST
   Access-Control-Request-Headers: Content-Type, Authorization,x-api-key
   Access-Control-Allow-Origin: www.example.com OR Access-Control-Allow-Origin: www.demo.com
3. Actual GET Call → Application Lambda
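The "CORS Lambda" from the multi-origin flow, written out as an added example (not code from the course): it answers the OPTIONS preflight and sets Access-Control-Allow-Origin from an allowlist rather than echoing whatever Origin arrives. The allowlist, the Lambda proxy event shape and the business response are assumptions; the reply carries Access-Control-Allow-Methods and Access-Control-Allow-Headers, which are the response-side names for the request headers shown in the flow.

```python
import json

# Assumed allowlist for this example; the slides use www.example.com and www.demo.com as origins.
ALLOWED_ORIGINS = {"https://www.example.com", "https://www.demo.com"}
ALLOWED_METHODS = "GET,POST,OPTIONS"
ALLOWED_HEADERS = "Content-Type,Authorization,x-api-key"


def cors_headers(origin):
    """Return the CORS response headers for an allowlisted origin, or {} for any other.

    The origin is matched exactly against the allowlist and never reflected blindly:
    echoing an arbitrary Origin header is as permissive as '*' but also works with credentials.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        # Tell caches the response differs per Origin, so one origin's answer is not served to another.
        "Vary": "Origin",
    }


def lambda_handler(event, context):
    """API Gateway (REST API, Lambda proxy integration) handler serving both preflight and the real call."""
    # Header names are case-insensitive; API Gateway passes them through as the browser sent them.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    origin = headers.get("origin", "")
    cors = cors_headers(origin)

    if event.get("httpMethod") == "OPTIONS":
        # Steps 1 and 2 of the flow: the browser asks, we answer with the allowed values.
        if not cors:
            return {"statusCode": 403, "headers": {}, "body": ""}
        return {"statusCode": 204, "headers": cors, "body": ""}

    # Step 3: the actual call. The business payload is a constructed stand-in.
    body = json.dumps({"message": "hello from the application lambda"})
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json", **cors},
        "body": body,
    }
```

Without the allow headers on the actual call the browser still sends the request but refuses to hand the response to the page, so the headers are added on both the OPTIONS and the GET/POST responses.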
REST API vs HTTP API
HTTP APIs - What and Why?

● What if the only API integration you need is Lambda and a URL
● HTTP APIs announced Dec 2019
● Low-latency, cost effective integration with Lambda and HTTP URLs
● That’s not the only difference!

HTTP API Vs Rest API (comparison tables reproduced from the source on the slides)
● API Types
● Integration
● Security
● Authorizers
● API Management
● Monitoring
● Development

Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html
Custom Domain API Gateway

Using API Gateway Url
[Diagram: the application (Amazon EC2) invokes the API through Amazon API Gateway at Invoke URL: https://p6xpfsiz5m.execute-api.us-west-2.amazonaws.com/default/myfirstlambda]

Using API Gateway Url
[Diagram: when the API is replaced, the Invoke URL becomes https://p778bcx6.execute-api.us-west-2.amazonaws.com/default/mylatestlambda and the application has to change]

Using Custom Domain
[Diagram: the application (Amazon EC2) invokes the API via domain https://lambda-api.com and stays unchanged. The domain points to https://p6xpfsiz5m.execute-api.us-west-2.amazonaws.com/default/myfirstlam or, after the change, to https://p778bcx6.execute-api.us-west-2.amazonaws.com/default/mylatestlam]
Server authentication using certificates
Using API Gateway Custom Domain

• ACM can be expensive ($400 per certificate after free-tier expires)
• Lot of steps involved

API Gateway Custom Domain Flow
[Diagram: Amazon Route 53 DNS “A” Record pointing to the API Gateway Domain (NOT the API Endpoint) → Amazon API Gateway Custom Domain to API Endpoint Mapping → Your API. Amazon EC2 invokes the API via domain https://lambda-api.com; the certificate comes from AWS Certificate Manager]

Demo

What about Client Authentication?
[Diagram: same custom domain flow as above: Route 53 “A” Record → API Gateway Custom Domain → API Endpoint Mapping → Your API, with the certificate from AWS Certificate Manager]
Lambda Scaling & Concurrency

How Does Lambda Scale?

Lambda Code Execution Under The Hood
Concurrent Invocation
[Diagram: each Lambda Invoke gets its own container: Container 1, Container 2, Container 3, Container 4 ... Container n]
Cold Start:
• Container comes up
• Loads your code
• Run Code

● Limit of Scaling
● Rate of Scaling

Lambda Code Execution Under The Hood
First Execution (Cold Start):
• Container comes up
• Loads your code
• Run Code
• Some codes stay warm too!
Lambda Finished Execution:
• Container stays warm for certain time
Lambda Invoked again:
• Container is reused
• Some codes get executed
• Warm codes do NOT re-execute, saving execution time
• Cold Start much less on subsequent execution

What Codes Stay Warm?
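An added example (not from the course) answering "What Codes Stay Warm?": module-level code runs once per execution environment on the cold start and is reused by every later invocation of that warm container, while the handler body runs every time. The init function and the event field are constructed stand-ins.

```python
import os

# Module scope runs once per execution environment (the cold start): SDK clients,
# parsed config, DB connections. It is reused while the container stays warm.
INIT_COUNT = 0


def _expensive_init():
    """Stand-in for client creation / config loading; constructed for this example."""
    global INIT_COUNT
    INIT_COUNT += 1
    return {"region": os.environ.get("AWS_REGION", "unset")}


CLIENT = _expensive_init()   # executed at import time, i.e. on the cold start only
_invocations = 0             # also survives across invocations of the same warm container


def lambda_handler(event, context):
    """Per-invocation work. Anything created inside runs (and is rebuilt) on every call."""
    global _invocations
    _invocations += 1
    # Keep request data local: a module-level dict filled here would still be there on the
    # next invocation of this warm container and could leak one caller's data to another.
    request_scratch = {"caller": (event or {}).get("caller")}
    return {
        "cold_start": _invocations == 1,
        "init_count": INIT_COUNT,
        "invocation": _invocations,
        "client_region": CLIENT["region"],
        "caller": request_scratch["caller"],
    }
```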


Account Concurrency (New! re:Invent 2019)
Account Concurrency - Scaling Limit

How about Rate of Scaling?

What if Lambda Needs to Scale Super Fast!
Concurrent Invocation - 0 to 1000 in 1 second!
[Diagram: Lambda Invoke × n → Container 1, Container 2, Container 3, Container 4 ... Container n]
Rate of Scaling Can’t Keep Up - Throttling

Provisioned Concurrency to the Rescue (New! re:Invent 2019)

Provisioned Concurrency
● Pre-initialized Execution Environments

What if Lambda Needs to Scale Super Fast!
[Diagram: n Containers up with Lambda Code Loaded, one ready for each Lambda Invoke]

Provisioned Concurrency
● Pre-initialized Execution Environments
● No Cold Start or Throttling due to Super Fast Traffic Increase
● AWS will keep assigned capacity “Warm”
Lambda Environment Variables

● Key-value pairs that you can dynamically pass to your function without making code changes
● Available via standard environment variable APIs
● Can be encrypted via AWS Key Management Service (AWS KMS)
● Useful for creating environments per stage (i.e., dev, testing, production)

Lambda and External Dependencies

Lambda Environment: json and boto3 are already present; requests has to be installed separately (using pip, yum, npm etc.)

Lambda Code

import json ✅
import boto3 ✅
import requests ✅❌

def lambda_handler(event, context):
    ……
    …...
Lambda Container Image
Agenda:
• Lambda container image – what and why
• Demo
• Best practices

Lambda Container Image Support
• AWS provides the underlying container, your code/dependencies get loaded
• Package and deploy Lambda function as container images
• This does NOT run Lambda code on EKS/ECS (NOT Knative/CloudRun equivalent)
• Container image can be up to 10 GB in size (Compared to 50 MB for Zip deployment)
[Diagram: Dockerize app → push to Amazon Elastic Container Registry → Lambda]

• AWS provides base images
• Runtime interface client manages interaction between Lambda service and your function code
• You can create custom image
  • Required to have runtime interface clients
  • Supports linux based image currently
  • Supports specific container image settings

Advantages
• Utilize existing container tooling
• Create image with what you need – faster start up time
• Perform local testing with runtime interface emulator
• 10 GB package size compared to 50 MB Zip deployment

Demo
• Demo of the Lambda container image
• Pay for ECR and Lambda
• Supported in AWS CLI, CloudFormation, SAM
Lambda Layer

Enterprise Scenario
createAccountLambda
● Validate if Account Number is 10 digits
● Business Logic for create account

getAccountBalance
● Validate if Account Number is 10 digits
● Business Logic for get balance

updateAccountBalance
● Validate if Account Number is 10 digits
● Business Logic for update balance

➔ Duplication of code over time
➔ If logic needs to be changed, it needs to be changed in many programs
➔ Testing and maintenance overhead

Duplicated logic in every Lambda

Lambda Layers
Lets functions easily share code: Upload layer once, reference within any function
Layer can be anything: dependencies, training data, configuration files, etc.
Promote separation of responsibilities, lets developers iterate faster on writing business logic
Built in support for secure sharing by ecosystem

Enterprise Scenario w layer
validateAcct() in Lambda Layer, shared by:
● createAccountLambda - Business Logic for create account
● getAccountBalance - Business Logic for get balance
● updateAccountBalance - Business Logic for update balance
Layer gets loaded with function code, no additional execution latency

Lambda Layers re:Invent 2018 Update
● Layers simplify sharing, versioning, and deploying common code.
● 250 MB total size limit unchanged (total layers, unzipped).
● Up to 5 layers per function.

Layers DOs
● Put shared code into discrete layers
● Version layers and use them to deploy across accounts
● Simplify your deployment management

Layers DON’Ts
● Don’t put unnecessary stuff into the layer, don’t treat it as a dumpster! It will increase code loading time.

Lambda EFS Integration

[Diagram: AWS Lambda + Amazon EFS = a shared file system. Amazon EC2 and Lambda functions Write Data, Read Data and Delete Data on the same Elastic File System]

Lambda EFS Integration
● Pay for what you use (Unlike EBS and RDS)
● EFS is shared across concurrent executions of a Lambda function
● EFS can be used with Provisioned Concurrency
● Some use cases:
  ○ Process large files across multiple functions
  ○ Import large ML Models, Code Libraries
  ○ Use other services (e.g. EC2, EKS etc.) with Lambda
  ○ And more… (Lambda is NOT STATELESS Anymore!)

Lambda EFS Integration Demo
https://aws.amazon.com/blogs/aws/new-a-shared-file-system-for-your-lambda-functions/


AWS Serverless Application Repository

LAMBDA DESTINATIONS

CONSOLE CHANGES (NEW!)
RDS Proxy

Regular Lambda Database Design
[Diagram: Amazon API Gateway → AWS Lambda → Amazon RDS]

Increased Traffic
[Diagram: Amazon API Gateway → many concurrent Lambdas (Lambda Code to handle connection!) → Amazon RDS]
• Can handle limited number of connections
• Orphan connections linger
• Database spends CPU/Memory for connection management
• Lambda can exhaust connection limit – throttling, error

RDS Proxy
[Diagram: Amazon API Gateway → AWS Lambda → RDS Proxy → Amazon RDS]
• Fully managed, highly available database proxy
• Allows applications to share a pool of database connections
• Use Secrets Manager for database credential
• Failover without DNS change, 66% reduced failover time for Aurora, RDS
• Allocate how many connections Lambdas are allowed to use

RDS Proxy Demo
[Diagram: AWS Lambda → RDS Proxy → Amazon RDS]

RDS Proxy – Couple More Points
• Currently works with
  • Amazon Aurora
  • RDS MySQL
  • RDS PostgreSQL
  • RDS MariaDB
  • RDS Oracle
  • RDS SQL Server
• Priced per vCPU per hour for each enabled database instance

RDS Proxy – Demo
• NOT FREE - Priced per vCPU per hour for each enabled database instance
• IAM Prerequisites
  • IAM Role for RDS proxy
  • IAM Role for Lambda
• Everything within VPC
• Proper Security Groups for Lambda to Proxy to RDS
• Lambda requires external dependency
• Demo shown for RDS MySQL
Code Any Boto3 with Lambda

What We Building
● EC2 Started without proper tag
● Stop EC2
● Send threatening email to employee!

High Level Design
[Diagram: Amazon EC2 state change → Event in Amazon CloudWatch (event-based) → AWS Lambda with an IAM Role → stops the EC2 and notifies via Amazon Simple Notification Service]

High Level Design
[Diagram: Event → AWS Lambda → Amazon Simple Storage Service (S3) and Amazon Simple Notification Service, acting on Amazon EC2]

Boto3
● Boto3 is AWS Software Development Kit for Python
● Call ANY AWS Services from code
  ○ Code can be in EC2, Lambda, EKS etc.

Let’s Code

Boto3 Verdict
● Boto3 Documentation is super good
● Practice doing using the documentation
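An added example of the "What We Building" design, written here rather than taken from the course: the handler reacts to the EC2 state-change event, looks the instance up, stops it when the required tag is missing and publishes the notification. The tag name, the topic ARN and the two Fake* clients are assumptions for offline testing; in production the clients are boto3.client("ec2") and boto3.client("sns"), whose describe_instances, stop_instances and publish calls are used with their real parameter names.

```python
REQUIRED_TAG = "Owner"   # assumed tag key; not specified in the course


def missing_required_tag(instance, required_tag=REQUIRED_TAG):
    """True when the instance carries no non-empty value for the required tag."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    return not tags.get(required_tag)


def make_handler(ec2, sns, topic_arn, required_tag=REQUIRED_TAG):
    """Build the Lambda handler with its clients injected so it can be tested without AWS."""

    def lambda_handler(event, context):
        # Shape of the CloudWatch Events "EC2 Instance State-change Notification" payload.
        detail = event.get("detail", {})
        if event.get("source") != "aws.ec2" or detail.get("state") != "running":
            return {"action": "ignored"}
        instance_id = detail["instance-id"]
        resp = ec2.describe_instances(InstanceIds=[instance_id])
        instance = resp["Reservations"][0]["Instances"][0]
        if not missing_required_tag(instance, required_tag):
            return {"action": "compliant", "instance": instance_id}
        # Non-compliant: stop (not terminate) so the owner keeps the volume, then notify.
        ec2.stop_instances(InstanceIds=[instance_id])
        sns.publish(
            TopicArn=topic_arn,
            Subject=f"Instance {instance_id} stopped: missing {required_tag} tag",
            Message=(f"Instance {instance_id} was started without a '{required_tag}' tag "
                     "and has been stopped. Add the tag before starting it again."),
        )
        return {"action": "stopped", "instance": instance_id}

    return lambda_handler


class FakeEc2:
    """Minimal stand-in for boto3's EC2 client, constructed for offline testing."""

    def __init__(self, instances):
        self.instances = instances      # instance-id -> list of {"Key", "Value"} tag dicts
        self.stopped = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, "Tags": self.instances[i]} for i in InstanceIds]}]}

    def stop_instances(self, InstanceIds):
        self.stopped.extend(InstanceIds)
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}


class FakeSns:
    """Records publish calls instead of sending; constructed for offline testing."""

    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed-message-id"}


def state_change_event(instance_id, state="running"):
    """Constructed event with the fields the handler reads from the real EC2 state-change schema."""
    return {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
            "detail": {"instance-id": instance_id, "state": state}}
```

The Lambda's IAM role needs only ec2:DescribeInstances, ec2:StopInstances and sns:Publish on the one topic; with the full-access role from the IAM slides a bug in this handler could stop far more than untagged instances.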
SNS, SQS, Lambda (The Perfect Love Triangle)

What is SNS?
Amazon SNS (Simple Notification Service) is a highly available, durable, secure, fully managed pub/sub messaging service

[Diagram: SystemA publishes a message to an Amazon SNS Topic; the Topic fans it out to SubscriberA, SubscriberB and SubscriberC (e.g. AWS Lambda)]

Advantages of SNS
● Automatically scale
● Keep messages secure using AWS KMS Keys
● Messages can go to different subscribers based on fields in message (Message Filtering)
● Fan Out Architecture - Same message can be consumed by multiple consumers


What is SQS?
Amazon SQS (Simple Queue Service) is a fully managed message queuing service

[Diagram: SystemA puts a message on an Amazon Simple Queue Service Queue; AWS Lambda consumes it]

● Standard Queue
● FIFO Queue

Standard Vs FIFO

Standard
● Order is not guaranteed
● Messages may be delivered more than once
● Nearly unlimited messages processed per second
● $0.40/million requests/month after free tier

FIFO
● Order is strictly preserved
● Messages follow exactly once processing, dedup configuration avoids duplicate message delivery
● 300 messages/second. With batching supported upto 3000 message/second
● $0.50/million requests/month after free tier

Advantages of SQS
● Reliable, Dead Letter Queues can be enabled
● Scales automatically
● Keep messages secure using KMS
● Convert synchronous patterns to asynchronous.
● One message can’t have multiple consumers. Once a message is processed by a consumer, it gets deleted from SQS


Diving Deeper into SQS + Lambda

Lambda service polls queue

SystemA AWS Lambda Service

When message(s) found,


Amazon Simple Queue invokes function. Function
Service reads in batches Your Lambda
Function

Copyright © Rajdeep Saha - All Rights Reserved


Diving Deeper into SQS + Lambda

AWS Lambda Service

Your Lambda
SQS Queue Function

Copyright © Rajdeep Saha - All Rights Reserved


Diving Deeper into SQS + Lambda
Polls for messages

AWS Lambda Service

Your Lambda
SQS Queue Function
Batch Size = 6 (Limit 10)
5 =< Polling limit <= Lambda
concurrency limit

Copyright © Rajdeep Saha - All Rights Reserved


Diving Deeper into SQS + Lambda

AWS Lambda Service


Invokes 5 copies of your function
Your Lambda Function

Your Lambda Function

Your Lambda Function

SQS Queue Your Lambda Function


Batch Size = 6 (Limit 10)
5 =< Polling limit <= Lambda
concurrency limit
Your Lambda Function
Copyright © Rajdeep Saha - All Rights Reserved
Diving Deeper into SQS + Lambda

AWS Lambda Service


Invokes 5 copies of your function
Messages invisible to others (Visibility Your Lambda Function
Timeout)

Your Lambda Function

Your Lambda Function

SQS Queue Your Lambda Function


Batch Size = 6 (Limit 10)
5 =< Polling limit <= Lambda
concurrency limit
Your Lambda Function
Copyright © Rajdeep Saha - All Rights Reserved
SQS & SNS DEEPER DIVE

SQS Queue
Copyright © Rajdeep Saha - All Rights Reserved
Sunny Day Scenario

AWS Lambda Service


Deletes messages from SQS
Your Lambda Function

Your Lambda Function

Your Lambda Function

SQS Queue
Your Lambda Function
Batch Size = 6 (Limit 10)
5 =< Polling limit <= Lambda
concurrency limit
Your Lambda Function
Copyright © Rajdeep Saha - All Rights Reserved
Rainy Day Scenario

AWS Lambda Service


Your Lambda Function

Your Lambda Function

Your Lambda Function

SQS Queue
Your Lambda Function
Batch Size = 6 (Limit 10)
5 =< Polling limit <= Lambda
concurrency limit
Your Lambda Function
Copyright © Rajdeep Saha - All Rights Reserved
Rainy Day Scenario

AWS Lambda Service


Your Lambda Function

Your Lambda Function

Your Lambda Function

SQS Queue
Your Lambda Function
Batch Size = 6 (Limit 10)
5 =< Polling limit <= Lambda
concurrency limit
Your Lambda Function
Copyright © Rajdeep Saha - All Rights Reserved
Rainy Day Scenario

AWS Lambda Service


Lambda Service Rolls back ENTIRE
BATCH if one or more message fails. Your Lambda Function
Messages can be reprocessed

Your Lambda Function

Your Lambda Function

SQS Queue
Your Lambda Function
Batch Size = 6 (Limit 10)
5 =< Polling limit <= Lambda
concurrency limit
Your Lambda Function
Copyright © Rajdeep Saha - All Rights Reserved
Solving Message Re-Processing

Your function deletes successfully


processed messages from SQS
Your Lambda Function

Your Lambda Function

Your Lambda Function

SQS Queue
Your Lambda Function
Batch Size = 6 (Limit 10)
5 =< Polling limit <= Lambda
concurrency limit
Your Lambda Function
Copyright © Rajdeep Saha - All Rights Reserved
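The "Solving Message Re-Processing" pattern above, written out as an added example (not code from the course): the handler processes an SQS batch, deletes the messages it handled successfully, and only then raises so the Lambda service returns just the failed ones to the queue. The business logic (`process_order`), the constructed event, the fake SQS client and the queue URL are this example's own assumptions; in a real function the client is `boto3.client("sqs")` and the URL comes from configuration.

```python
import json
import os
from typing import Callable, Dict, List


class ProcessingError(Exception):
    """Raised for a message the business logic cannot handle."""


class FakeSqsClient:
    """Stand-in for boto3's SQS client, constructed for this offline example.
    Only delete_message_batch is implemented, the single call the handler makes."""

    def __init__(self) -> None:
        self.deleted: List[str] = []

    def delete_message_batch(self, QueueUrl: str, Entries: List[Dict]) -> Dict:
        self.deleted.extend(entry["ReceiptHandle"] for entry in Entries)
        return {"Successful": [{"Id": e["Id"]} for e in Entries], "Failed": []}


def process_order(body: Dict) -> None:
    """Placeholder business logic: an order with a non-positive amount fails."""
    if body.get("amount", 0) <= 0:
        raise ProcessingError(f"bad amount in order {body.get('order_id')}")


def process_batch(event: Dict, sqs, queue_url: str,
                  work: Callable[[Dict], None] = process_order) -> Dict:
    """Process every record, delete the good ones from the queue, report the rest."""
    succeeded: List[Dict] = []
    failed: List[str] = []
    for record in event["Records"]:
        try:
            work(json.loads(record["body"]))
            succeeded.append({"Id": record["messageId"],
                              "ReceiptHandle": record["receiptHandle"]})
        except Exception:  # keep going: one bad message must not block the others
            failed.append(record["messageId"])
    # DeleteMessageBatch accepts at most 10 entries per call.
    for i in range(0, len(succeeded), 10):
        sqs.delete_message_batch(QueueUrl=queue_url, Entries=succeeded[i:i + 10])
    return {"succeeded": [s["Id"] for s in succeeded], "failed": failed}


def handler(event: Dict, context=None, sqs=None, queue_url: str = "") -> Dict:
    """Lambda entry point. Raising after the deletes makes the Lambda service
    treat the invocation as failed, but only the still-undeleted messages
    become visible again once the visibility timeout expires."""
    if sqs is None:
        import boto3  # real deployment; the test injects FakeSqsClient instead
        sqs = boto3.client("sqs")
    queue_url = queue_url or os.environ["QUEUE_URL"]
    result = process_batch(event, sqs, queue_url)
    if result["failed"]:
        raise ProcessingError(f"{len(result['failed'])} message(s) failed: {result['failed']}")
    return result


def sample_event() -> Dict:
    """Constructed SQS event with one bad message in the middle of the batch."""
    orders = [("m1", "rh1", {"order_id": 1, "amount": 10}),
              ("m2", "rh2", {"order_id": 2, "amount": 0}),
              ("m3", "rh3", {"order_id": 3, "amount": 5})]
    return {"Records": [{"messageId": mid, "receiptHandle": rh, "body": json.dumps(body)}
                        for mid, rh, body in orders]}
```

With the constructed batch, `process_batch` deletes `rh1` and `rh3` and reports `m2` as failed; `handler` then raises, so after the visibility timeout only `m2` is redelivered (or lands in the dead-letter queue after its maximum receive count). The function needs `sqs:DeleteMessage` permission on the queue for this to work.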
Sync to Async: High Volume Traffic
System A calls a Lambda. Traffic volume is very high. This call is the bottleneck.
Diagram: SystemA → AWS Lambda
Diagram: SystemA → Amazon API Gateway → AWS Lambda
● In a Synchronous Architecture, all components need to scale together
● Scaling is only as high as the scaling capacity of the least scalable component
● Each component keeps running till the whole chain finishes
● If one component fails, the whole call fails

Sync to Async: High Volume Traffic
Diagram: SystemA → Amazon Simple Queue Service → AWS Lambda
● In an Asynchronous Architecture, all components can scale separately
● Less aggressive scaling requirement on Lambda
● Retry mechanism available even if one component fails
● Control traffic to downstream

Tips For SQS & Lambda
Diagram: SystemA → Amazon Simple Queue Service → AWS Lambda (the Lambda service polls the queue; when message(s) are found, it invokes the function; the function reads in batches)
● Set function concurrency to 5 or more
● Function concurrency of less than 5 can lead to throttling errors
● Set the queue's visibility timeout to at least 6 times the timeout of the Lambda function
● Configure a Dead Letter Queue to keep messages that need to be reprocessed

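The tips above, turned into a configuration check as an added example (not course code): it flags a trigger configuration that violates them and passes a corrected one. The dictionary keys (`batch_size`, `reserved_concurrency`, `function_timeout_s`, `visibility_timeout_s`, `dead_letter_queue_arn`) are this example's own naming, and the limits are the figures quoted on the slides; map the values from your template or from the event source mapping and queue attributes.

```python
from typing import Dict, List

SQS_MAX_BATCH_SIZE = 10        # "Batch Size ... (Limit 10)" on the slides
MIN_FUNCTION_CONCURRENCY = 5   # slide: set function concurrency to 5 or more
VISIBILITY_TIMEOUT_FACTOR = 6  # slide: visibility timeout >= 6 x function timeout


def recommended_visibility_timeout(function_timeout_s: int) -> int:
    """Smallest visibility timeout that follows the 6x rule."""
    return VISIBILITY_TIMEOUT_FACTOR * function_timeout_s


def check_sqs_trigger(cfg: Dict) -> List[str]:
    """Return findings for an SQS -> Lambda trigger; an empty list means it follows the tips."""
    findings: List[str] = []
    if not 1 <= cfg["batch_size"] <= SQS_MAX_BATCH_SIZE:
        findings.append(f"batch_size {cfg['batch_size']} is outside 1..{SQS_MAX_BATCH_SIZE}")
    concurrency = cfg.get("reserved_concurrency")  # None means unreserved
    if concurrency is not None and concurrency < MIN_FUNCTION_CONCURRENCY:
        findings.append(f"reserved_concurrency {concurrency} < {MIN_FUNCTION_CONCURRENCY}: "
                        "the Lambda service's 5 pollers will hit throttling errors")
    needed = recommended_visibility_timeout(cfg["function_timeout_s"])
    if cfg["visibility_timeout_s"] < needed:
        findings.append(f"visibility_timeout_s {cfg['visibility_timeout_s']} < {needed} "
                        f"({VISIBILITY_TIMEOUT_FACTOR} x function timeout): a slow or retried "
                        "invocation could let another poller receive the same message")
    if not cfg.get("dead_letter_queue_arn"):
        findings.append("no dead-letter queue: messages that keep failing are lost "
                        "once the queue's retention period expires")
    return findings


# Constructed configurations: the weak one beside its corrected form.
WEAK_CONFIG = {
    "batch_size": 6,
    "reserved_concurrency": 2,
    "function_timeout_s": 60,
    "visibility_timeout_s": 60,
    "dead_letter_queue_arn": None,
}
HARDENED_CONFIG = {
    **WEAK_CONFIG,
    "reserved_concurrency": 5,
    "visibility_timeout_s": recommended_visibility_timeout(60),
    "dead_letter_queue_arn": "arn:aws:sqs:us-east-1:123456789012:orders-dlq",  # placeholder ARN
}
```

`check_sqs_trigger(WEAK_CONFIG)` reports the low concurrency, the short visibility timeout and the missing DLQ (the batch size of 6 is within the limit); `HARDENED_CONFIG` produces no findings.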
Food For Thought
Diagram: SystemA → Amazon API Gateway → Amazon Simple Queue Service → AWS Lambda
● Can you break Sync to Async for high volume design?
● POST could be Async, GET could be Sync

High Volume S3 Processing
Diagram (before): Very High Volume Traffic → Amazon Simple Storage Service (S3) → AWS Lambda (Triggered from S3 + Processing) → Throttling
Diagram (after): Very High Volume Traffic → Amazon Simple Storage Service (S3) → AWS Lambda (Triggered from S3) → Amazon Simple Queue Service → AWS Lambda (Processing)

Food For Thought
Diagram: Amazon Simple Storage Service (S3) → AWS Lambda → Amazon Simple Queue Service → AWS Lambda
● Can you break Sync to Async for high volume design?
● POST could be Async, GET could be Sync

Reliable Fanout Architecture
Diagram: Message → Amazon Simple Notification Service Topic → Queue1 (Amazon Simple Queue Service) → AWS Lambda → Further Processing; the same Topic → Queue2 (Amazon Simple Queue Service) → AWS Lambda

SNS Message Filtering - What and Why
Diagram: All kinds of Loans → Amazon SNS Topic for Loans → Lambda (HomeLoan), Email (CarLoan), SMS (All Loans)

SNS MESSAGE FILTERING
Diagram: All kinds of Loans → SNS Topic for Loans, filtered per subscription → Lambda (HomeLoan) receives only home loans, Email (CarLoan) only car loans, SMS (All Loans) everything

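The loan topic above, simulated as an added example (not course code) so the effect of a subscription filter policy can be seen: each subscription carries an optional policy on the message attributes, and the topic delivers a message only to subscriptions whose policy matches. The subscription names, attribute name `loan_type` and messages are constructed; the matcher models SNS's basic exact-match semantics (every policy key must be present, its value must be one of those listed) and leaves out operators such as anything-but or numeric ranges.

```python
from typing import Dict, List, Optional, Tuple

FilterPolicy = Optional[Dict[str, List[str]]]

# Constructed subscriptions mirroring the slide: two filtered subscribers and
# one (SMS) with no filter policy, which therefore receives every message.
SUBSCRIPTIONS: Dict[str, FilterPolicy] = {
    "lambda-home-loan": {"loan_type": ["home"]},
    "email-car-loan": {"loan_type": ["car"]},
    "sms-all-loans": None,
}


def policy_matches(policy: FilterPolicy, attributes: Dict[str, str]) -> bool:
    """Exact-match subset of SNS filter policies: keys are ANDed, listed values are ORed.
    A message lacking one of the policy's attributes does not match."""
    if policy is None:
        return True
    for key, allowed in policy.items():
        if attributes.get(key) not in allowed:
            return False
    return True


def route(attributes: Dict[str, str],
          subscriptions: Dict[str, FilterPolicy] = SUBSCRIPTIONS) -> List[str]:
    """Names of the subscriptions a message with these attributes is delivered to."""
    return [name for name, policy in subscriptions.items()
            if policy_matches(policy, attributes)]


def fan_out(messages: List[Tuple[str, Dict[str, str]]],
            subscriptions: Dict[str, FilterPolicy] = SUBSCRIPTIONS) -> Dict[str, List[str]]:
    """Publish a list of (message, attributes) pairs and return each subscription's inbox."""
    inbox: Dict[str, List[str]] = {name: [] for name in subscriptions}
    for message, attributes in messages:
        for name in route(attributes, subscriptions):
            inbox[name].append(message)
    return inbox


# Constructed traffic: one loan of each kind plus one the filters do not know.
SAMPLE_MESSAGES = [
    ("Home loan application #1", {"loan_type": "home"}),
    ("Car loan application #2", {"loan_type": "car"}),
    ("Boat loan application #3", {"loan_type": "boat"}),
]
```

Without filter policies every subscriber would receive all three applications and the HomeLoan Lambda would have to discard two of them (paying for the invocations); with the policies, `fan_out(SAMPLE_MESSAGES)` sends the Lambda only the home loan, the e-mail subscriber only the car loan, and the SMS subscriber all three.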
EventBridge Vs SQS Vs SNS
Basic definitions of SNS, SQS, EventBridge
Differences:
Scaling
Conditional Message Processing
Message Replay
Message Ordering
Encryption
Durability
Pricing
Persistence
Consumption
Retry/Failure Handling
Level Set
Amazon Simple Notification Service: Message → Topic
Amazon Simple Queue Service: Message → Queue
Amazon EventBridge: Message → Event bus

Scaling/Concurrency Controls
SNS: Service scales automatically; use the Lambda per-function concurrency setting to control downstream consumption.
SQS: Service scales automatically; use the Lambda trigger Batch size setting and the per-function concurrency setting to control downstream consumption.
EventBridge: Service scales automatically, with default soft quotas of 400 PutEvents and 750 target invocation requests per second (can be increased). Use the Lambda per-function concurrency setting to control downstream consumption.
Conditional Message Processing
SNS: Can invoke different subscribers based on values in the message metadata, using SNS message filtering.
SQS: SQS can't decide the consumer based on the message. Use SNS message filtering with SQS to achieve this.
EventBridge: Event filtering can route messages to targets based on the message. Can transform events before sending to the target. Contains a schema registry.
Diagram: SNS Message Filtering
Amazon EventBridge Schema
Diagram: Message → Schema

Amazon EventBridge Schema Registry
• Store schemas in a central location
• Download code bindings to use in code quickly
• Predefined schemas available
• Can automatically discover schemas from messages

Amazon EventBridge Pattern Matching Rules
Amazon EventBridge Message Transformation
Diagram: Message → Event bus → Rule1 (Pattern Matching), Rule2 (Pattern Matching)

EventBridge Integration Partners
And many more…

Message Replay
SNS: Messages are gone once delivered to subscribers. No replay functionality.
SQS: Messages are gone once delivered to subscribers. No replay functionality.
EventBridge: Messages can be archived based on rules and replayed later.

Message Order
SNS: SNS FIFO maintains order (New)
SQS: SQS FIFO queue maintains order
EventBridge: Message order not maintained

Encryption and Compliance
SNS: Messages at rest can be encrypted using KMS. Both customer managed and Amazon managed CMKs are supported. FedRAMP High, HIPAA compliant.
SQS: Messages at rest can be encrypted using KMS. Both customer managed and Amazon managed CMKs are supported. FedRAMP High, HIPAA compliant.
EventBridge: Messages at rest can't be encrypted using KMS. HIPAA compliant. Check https://aws.amazon.com/compliance/services-in-scope/ for status updates.
Durability
SNS: Stores all messages within a single, highly available AWS region with multiple redundant Availability Zones (AZs)
SQS: Stores all messages within a single, highly available AWS region with multiple redundant Availability Zones (AZs)
EventBridge: Stores all messages within a single, highly available AWS region with multiple redundant Availability Zones (AZs)
Pricing
SNS: Model - per request. Cost per million - $0.50*. Factor - each 64 KB chunk of delivered data is billed as 1 request.
SQS: Model - per request. Cost per million - $0.40*. Factor - each 64 KB chunk of a payload is billed as 1 request.
EventBridge: Model - per request. Cost per million - $1.00 for SaaS, custom, and cross-account events; free for same-account AWS events. Factor - each request can be up to 256 KB in size.

Persistence
SNS: No formal persistence model beyond delivery retry logic that extends up through potentially 23 days.
SQS: By default messages are stored for 4 days. This can be modified to as little as 60 seconds and up to 14 days by configuring a queue's MessageRetentionPeriod attribute.
EventBridge: No formal persistence model beyond delivery retry logic that extends up through potentially 24 hours.
Consumption
SNS
Invocation model: Consumer - Lambda, SQS, email, mobile push, SMS, HTTP. Async to Lambda. SNS can "fanout" the same message to multiple subscribing Lambda functions.
Guidance: Use Message Filtering to control which messages go to which subscribers. Use Message delivery status to track failures.
SQS
Invocation model: Consumer - Lambda, any service that can run the AWS SDK (EC2, EKS etc.). The Lambda service polls messages from the queue and invokes Lambda on your behalf. Scales polling based on in-flight messages.
Guidance: Can call message delete from within your code or let the service handle it via successful Lambda function execution.
EventBridge
Invocation model: Consumer - Lambda, EC2, Step Functions, API Gateway etc. Async to Lambda. EventBridge can "fanout" to up to 5 targets per rule and multiple rules on the same event source. 300 rules per event bus.
Guidance: Use event patterns set on rules to control which events are subscribed to by different rules.
Retry/Failure handling
SNS: If Lambda is not available, SNS will retry 2 times 1 second apart, then 10 times with exponential backoff from 1 second to 20 minutes, and finally 38 times every 20 minutes, for a total of 50 attempts over more than 23 days before the message is discarded. Use with SQS for DLQ.
SQS: Messages remain in the queue until deleted. They are prevented from being accessed by other consumers during the "visibility timeout". Successful Lambda invocations cause deletion of messages automatically. If an invocation fails or doesn't delete a message during the visibility timeout, it becomes available to other consumers again. DLQ can be used.
EventBridge: If Lambda or another target service is not available, EventBridge will automatically retry delivery with backoff for up to 24 hours before the message is discarded from EventBridge. As soon as a successful delivery to the target occurs, the message is discarded. Use with SQS for DLQ (New).
Which one should you choose?
● Event producer
● Message order
● Scaling requirement
● Security consideration
● Cost calculation
● Consumer

AWS Step Function - Why and What?
Diagram of the flow: Triggered by S3 → (1) Run some process, derive output x → If x < 5 go to (2), if x = 5 go to (3), if x > 5 go to (4) → Loop 10 times with 5 second interval (Error handling) → (5)
Doing the flow control in Lambda:
● Lots of coding for flow control in Lambda
● If the flow changes, the Lambda needs to be changed and retested
● Not easy to change the flow
With Step Functions:
● Step Function takes care of all the coordination and flow control
● Create/Change the flow in the Visual Console
● Lambdas become cleaner
Key Components of AWS Step Function
{
  "StartAt": "HelloWorld",
  "States": {
    "HelloWorld": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:HelloFunction",
      "Next": "AfterHelloWorldState",
      "Comment": "Run the HelloWorld Lambda function"
    },
    "AfterHelloWorldState": { "Type": "Pass", "End": true }
  }
}

States
States are the elements in your state machine.

Tasks
All work in your state machine is done by tasks. A task can be an activity or a Lambda function.

Transitions
Tell the state what to do Next, or where to Begin (StartAt).
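The flow from the "Why and What" slide, written out as a complete state machine definition together with a transition check, as an added example (not code from the course). `build_definition` produces the Amazon States Language document (the function ARNs are placeholders, and the loop counter is assumed to be returned by the `LoopBody` function as `$.iteration`); `validate` catches the mistakes that are easy to make when editing a definition by hand: a `Next`/`Default`/`Choices` target that does not exist, a state with neither `Next` nor `End`, an unreachable state, or a `Choice` without choices.

```python
from typing import Dict, List

ARN_PREFIX = "arn:aws:lambda:us-east-1:123456789012:function:"  # placeholder account/region


def build_definition(arn_prefix: str = ARN_PREFIX) -> Dict:
    """ASL definition: derive x, branch on it, then loop 10 times with a 5 second wait."""
    def task(function: str, next_state: str, result_path: str = "$.result") -> Dict:
        return {"Type": "Task", "Resource": arn_prefix + function,
                "ResultPath": result_path, "Next": next_state}

    return {
        "Comment": "Flow from the Step Functions intro slide (constructed example)",
        "StartAt": "Step1DeriveX",
        "States": {
            "Step1DeriveX": task("DeriveX", "BranchOnX"),
            "BranchOnX": {
                "Type": "Choice",
                "Choices": [
                    {"Variable": "$.result.x", "NumericLessThan": 5, "Next": "Step2"},
                    {"Variable": "$.result.x", "NumericEquals": 5, "Next": "Step3"},
                    {"Variable": "$.result.x", "NumericGreaterThan": 5, "Next": "Step4"},
                ],
                "Default": "UnexpectedX",  # e.g. x missing or not numeric
            },
            "Step2": task("Step2", "InitLoop"),
            "Step3": task("Step3", "InitLoop"),
            "Step4": task("Step4", "InitLoop"),
            "InitLoop": {"Type": "Pass", "Result": 0, "ResultPath": "$.iteration",
                         "Next": "LoopBody"},
            # LoopBody is assumed to return the incremented counter.
            "LoopBody": task("LoopBody", "Wait5Seconds", result_path="$.iteration"),
            "Wait5Seconds": {"Type": "Wait", "Seconds": 5, "Next": "MoreIterations"},
            "MoreIterations": {
                "Type": "Choice",
                "Choices": [{"Variable": "$.iteration", "NumericLessThan": 10,
                             "Next": "LoopBody"}],
                "Default": "Step5",
            },
            "Step5": {"Type": "Task", "Resource": arn_prefix + "Step5", "End": True},
            "UnexpectedX": {"Type": "Fail", "Error": "UnexpectedX",
                            "Cause": "x was not a number"},
        },
    }


def validate(definition: Dict) -> List[str]:
    """Return a list of structural problems (empty means every transition resolves)."""
    states: Dict[str, Dict] = definition.get("States", {})
    problems: List[str] = []
    start = definition.get("StartAt")
    if start not in states:
        problems.append(f"StartAt '{start}' is not a defined state")
    reachable = set()
    for name, state in states.items():
        targets = []
        if "Next" in state:
            targets.append(state["Next"])
        if "Default" in state:
            targets.append(state["Default"])
        targets += [c["Next"] for c in state.get("Choices", [])]
        targets += [c["Next"] for c in state.get("Catch", [])]
        for target in targets:
            if target not in states:
                problems.append(f"state '{name}' transitions to undefined state '{target}'")
        if state.get("Type") == "Choice" and not state.get("Choices"):
            problems.append(f"Choice state '{name}' has no Choices")
        terminal = state.get("End") is True or state.get("Type") in ("Succeed", "Fail")
        if not targets and not terminal:
            problems.append(f"state '{name}' has neither Next nor End")
        reachable.update(targets)
    for name in states:
        if name != start and name not in reachable:
            problems.append(f"state '{name}' is unreachable")
    return problems
```

`validate(build_definition())` returns no problems; renaming a target without updating the states that point at it is reported before the definition is ever deployed.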
Step Function Workflow Types
● Standard and Express Workflows
● Standard - long running, slightly higher latency workflows
● Express - high-volume, low latency, lower duration workflows (Express!)
● Once selected for a State Machine, the type can't be changed afterwards for that State Machine
● The console is great to help you choose!

How To Trigger Step Functions
Diagram: AWS Step Functions triggered by
● Amazon API Gateway
● Amazon CloudWatch Events
● Amazon EventBridge
● Step Function API
● Many more.. (basically any code!)
Nested Workflows
● Reuse common workflows, without copy pasting into multiple workflows
● Standard Workflow can call Express Workflow and vice versa
Diagram: Step Function 1 (Start → Execute Common Step Function → More States → End) and Step Function 2 (Start → Execute Common Step Function → More States → End) both call the Common Workflow (Start → Common Step Function → End)

Nested Workflows Tricky Note
● Keep in mind Request Response vs Sync
Diagram: Step Function 1 (Start → Execute Common Step Function → More States → End) calling the Common Workflow (Start → Common Step Function → End)
Lambda Example vs Service Integration
Diagram (Lambda Example): Start → Lambda submits AWS Batch Job → Wait x Seconds → Lambda checks job status → Job Complete? (if not, wait again) → Lambda sends message to SNS → End
Diagram (Service Integration): Start → Submits AWS Batch Job (Job notifies Step Function when done) → Publish to SNS → End
Advantage of Service Integration:
● Less code to maintain, no Lambda
● Out of the box integration
● Supports multiple integration patterns

Request Response
● Call the service, get the HTTP response, go to the next state immediately
○ Doesn't wait for processing
Diagram: Start → Submits AWS Batch Job → Publish to SNS → End
SNS Publish will happen even if the Job didn't complete

Run a Job (.sync)
● Step Function waits for the processing to complete before proceeding
Diagram: Start → Submits AWS Batch Job → Publish to SNS → End
SNS Publish will happen only after Job completion
Wait For Callback (.waitForTaskToken)
● Step Function passes a task token to the integrated service
● The workflow is paused until the task token is returned
○ Can wait up to a year!
Diagram: Start → Submits Message to SQS → Publish to SNS → End
● SQS receives the task token
● Multiple actions can be triggered from SQS, including human approval
● Some process (not SQS itself) responds back to Step Function

Wait For Callback (.waitForTaskToken)
Diagram: Start → Submits Message to SQS → Publish to SNS → End; the SQS message drives downstream work (Database, EKS)

Wait For Callback (.waitForTaskToken)
● Specify the waiting limit using Heartbeat Timeout
Diagram: Start → Submits Message to SQS → Publish to SNS → End
● SQS receives the task token
● Multiple actions can be triggered from SQS, including human approval
● If the task token is not returned within the heartbeat, the task fails with a timeout error
Activity Workers
Diagram: Start → Submits Message to SQS → Publish to SNS → End; the SQS message drives downstream work (Database, EKS)

Activity Workers
● Step Function runs the activity with input and a task token
● Some other process (NOT invoked by Step Function) reads and processes the task and returns output with the task token
Diagram: Start → Submits Message to Activity → Publish to SNS → End; a worker (code written in any language, e.g. on prem) reads using the Activity ARN and returns output with the task token
Lambda Logging & Monitoring
Diagram: AWS Lambda → Amazon CloudWatch
● Logs
● Metrics
● CloudWatch Insights

API Gateway & CloudWatch - Metrics
CloudTrail Logging
● CloudTrail does Infrastructure Logging
Example:
○ Creation/Deletion of S3 bucket
○ Creation/Deletion of VPC
○ Creation/Deletion of Security group
● CloudWatch does Application Logging
Example:
○ API request/response payload
○ Logging from your Lambda code
○ Logs for execution of your API
● CloudTrail logs can be sent to CloudWatch Logs
● All the logs can be fed to an analytics system for actionable insights
API Gateway & CloudWatch Logging - Beyond the Basics
Execution Logging
● Logs related to execution of the API
● Includes logs for
○ Request and Response payloads
○ API Keys
○ Usage Plans
○ Data used by Lambda authorizers (custom authorizers)
● A log group is created automatically, named in the format
API-Gateway-Execution-Logs_{rest-api-id}/{stage_name}

Access Logging
● Logs related to access of the API
● Includes logs for
○ Who accessed your API
○ How the caller accessed the API
● Create a new Log Group or send to an existing one
● Logs can be generated in CLF, JSON, XML, CSV formats for ease of consumption by a log analysis system/process if applicable

Both are charged at standard CloudWatch rates

CloudWatch Logs Insights
Announced at re:Invent 2018
How do you get insights today on your logs?
● The amount of logs is massive and hard to query
● Utilize third party tools to give you insight
Diagram: logs → S3 → third party tools

CloudWatch Logs Insights
Announced at re:Invent 2018
● Fully managed log query tool
○ AWS managed service
○ No setup or maintenance required
● Queries massive amounts of logs in seconds
● Produces visualizations
● Lots of pre-built queries

Let's get hands on

What is AWS X-Ray
● Distributed Tracing System
● Shows a map of the underlying components
● Identify the root cause of performance issues
Reference: https://aws.amazon.com/xray/

Demo of AWS X-Ray with API Gateway
Diagram: client invokes the API → API Gateway calls the Lambda backend → Lambda does all the computations and sends the response back
● Trace API Gateway calls
● Trace Lambda invocation and execution
AWS CLI
The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.
Diagram: SSH into EC2 → Install AWS CLI → Run a command to create an S3 bucket (aws s3 mb s3://bucketname) → S3. The EC2 Role needs to have the proper S3 policies.

AWS CLI
Diagram: SSH into EC2 → Install AWS CLI → Run a command to create/update Lambda (aws lambda create-function ..) → Create Lambda / Update Code. The EC2 Role needs to have the proper Lambda policies.
AWS Cloud9 - What and Why?
Home Desktop:
● Not so latest IDE version
● Your favorite addons not compatible
● Moved personal projects using drives/disks
Office Laptop:
● Latest IDE and patches
● That super cool color scheme addon
● Most of the personal projects
That machine is still here?
● What is IDE?!
● Huh, Addons!?
● Where is the USB port?!

AWS Cloud9 - What and Why?
● Cloud-based IDE to write, run and debug your code with just a browser
● Runs on an underlying EC2 instance, granting you massive processing power
● Code, addons and customizations are saved in the cloud
● Consistent experience, no matter which machine you log in from
● And yes, your favorite color scheme is saved as well!

AWS Cloud9 - Features
● Code together with friends
● Seamless integration with Lambda - write, run and DEBUG Lambdas!
● Direct terminal access utilizing the AWS CLI
● Supports languages beyond Lambda
● Tons of color schemes!

Demo for all the above features shown in the course!

Controlling Access to API and Lambda
● API Keys and Usage Plans
● AWS Cognito User Pools
● AWS Secrets Manager
● Lambda Resource Policies
● Lambda Authorizer (Custom Authorizer)
● API Gateway Resource Policies

Security - Using API Key
Diagram: YOU (her favorite grandkid) hold the key to the front door of your dear Grandmother's house; her not so favorite grandkid gets in with the same key
Learning: Whoever has the key, has the access

Usage Plan and API Key
Diagram: API Key → Usage Plan (Throttling, Bursting and Quota) → Deployment Stage (API → Resources → Methods), for each of three APIs

Controlling Access
● DEMO of API Key and Usage Plans
Securing API With IAM
Diagram: IAM Creds (Access key, Secret Access Key) from AWS Identity and Access Management (IAM) → Amazon API Gateway → AWS Lambda
Cognito User Pool and API Gateway Flow
1. User Pool created (Pool ID)
2. App Client created (Client ID generated)
3. User signs up to the pool (using Pool ID and Client ID)
4. Assign the user pool as Authorizer for the API Gateway Method
5. User exchanges creds, receives Token ID
6. Calls the API Method with the Token
7. API Gateway validates the Token
8. Backend Lambda called
API Key Vs Cognito
API Key
Pros
● Easy to implement
● Most popular way of API security
● Less moving parts
Cons
● If keys are compromised, the API can be invoked by anyone
● By default, keys are non-expiring. A custom process is required to rotate keys periodically

Cognito (RECOMMENDED)
Pros
● More secure than API key because:
○ Tokens automatically rotate periodically
○ Dual checkpoint - during obtaining the token, then again during token validation by API Gateway
● Similar to OAUTH2, which is becoming the new standard
Cons
● Overhead of additional Authentication server setup
● Could introduce delay to the overall response time
Demo - Cognito User Pool & API Gateway
1. User Pool created (Pool ID) ✅ (AWS CLI)
2. App Client created (Client ID generated) ✅
3. User signs up to the pool (using Pool ID and Client ID) ✅
4. Assign the user pool as Authorizer for the API Gateway Method ✅
5. User exchanges creds, receives Token ID ✅ (AWS CLI)
6. Calls the API Method with the Token ✅ (Postman)
7. API Gateway validates the Token ✅
8. Backend Lambda called ✅

Cognito Federated Identities
Diagram: Cognito User Pool → Cognito Federated Identities → AWS_IAM
Securing API With IAM
Diagram: IAM Creds (Access key, Secret Access Key) from AWS Identity and Access Management (IAM) → Amazon API Gateway → AWS Lambda

Securing API With IAM
Diagram: IAM Creds from AWS Identity and Access Management (IAM) → Amazon API Gateway → AWS Lambda
User1: Access key1 / Secret Access key1 → petstore/GET
User2: Access key2 / Secret Access key2 → petstore/POST
User3: Access key3 / Secret Access key3 → petstore/DELETE
How Does IAM Policy Look?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Effect": "Allow",
      "Resource": "arn:aws:execute-api:us-east-1:*:a123456789/prod/POST/petstore/*"
    }
  ]
}
Securing API With IAM
Diagram: IAM Creds from AWS Identity and Access Management (IAM) → Amazon API Gateway → AWS Lambda
User1 (Policy1): Access key1 / Secret Access key1 → petstore/GET
User2 (Policy2): Access key2 / Secret Access key2 → petstore/POST
User3 (Policy3): Access key3 / Secret Access key3 → petstore/DELETE
Cognito User Pool and API Gateway Flow
1. User Pool created (Pool ID)
2. App Client created (Client ID generated)
3. User signs up to the pool (using Pool ID and Client ID)
4. Assign the user pool as Authorizer for the API Gateway Method
5. User exchanges creds, receives Token ID (JWT)
6. Calls the API Method with the Token
7. API Gateway validates the Token
8. Backend Lambda called
Understanding Cognito Identity Pool
1. User logs in to the Cognito User Pool
2. Sends the identity token (JWT) to the Cognito Identity Pool
3. Identity Pool assigns an IAM Role for the authenticated user
4. AWS Credentials (Access key, Secret key, Session ID) sent
5. Access AWS services using the credentials allowed by the IAM Role (using AWS_IAM)

Understanding Cognito Identity Pool
Same flow with IAM Role1: AWS Credentials (Access key1, Secret key1) sent; step 5 accesses petstore/GET using the credentials allowed by IAM Role1 (using AWS_IAM)

Understanding Cognito Identity Pool
Same flow with IAM Role3: AWS Credentials (Access key3, Secret key3) sent; step 5 accesses petstore/DELETE using the credentials allowed by IAM Role3 (using AWS_IAM)
AWS Secrets Manager
Diagram: Hardcoding Creds in Code vs Importing Creds from AWS Secrets Manager
● Stores API Keys, DB Credentials, encrypted with a KMS key
● Can rotate the credentials periodically
Diagram: Code snippet with Secrets Manager

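An added example (not the course's snippet) of the "Importing Creds" side of the slide: the Lambda code keeps no credential in source, reads the secret's id from an environment variable and fetches the JSON secret through the Secrets Manager client, caching it across warm invocations with a time-to-live so a rotated secret is picked up without a cold start. The secret id, its contents and the fake client are constructed for this offline run; in a real function the client is `boto3.client("secretsmanager")`, whose `get_secret_value(SecretId=...)` response carries the value in `SecretString`.

```python
import json
import os
import time
from typing import Dict, Optional, Tuple

# Before (what the slide warns against):
#     DB_PASSWORD = "P@ssw0rd"   # ends up in git history, deployment packages and logs


class FakeSecretsManager:
    """Stand-in for boto3's Secrets Manager client, constructed for this example.
    Only get_secret_value is implemented."""

    def __init__(self, secrets: Dict[str, Dict]) -> None:
        self._secrets = secrets
        self.calls = 0  # lets the test confirm the cache avoids repeated API calls

    def get_secret_value(self, SecretId: str) -> Dict:
        self.calls += 1
        if SecretId not in self._secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"SecretString": json.dumps(self._secrets[SecretId])}


# Module-level cache lives as long as the execution environment is warm; the
# TTL bounds how long a rotated secret keeps being served from it.
_CACHE: Dict[str, Tuple[float, Dict]] = {}


def get_secret(secret_id: str, client, ttl_s: float = 300.0,
               now: Optional[float] = None, cache: Dict = _CACHE) -> Dict:
    """Return the parsed JSON secret, fetching it at most once per TTL window."""
    t = time.time() if now is None else now
    hit = cache.get(secret_id)
    if hit is None or t - hit[0] >= ttl_s:
        response = client.get_secret_value(SecretId=secret_id)
        hit = (t, json.loads(response["SecretString"]))
        cache[secret_id] = hit
    return hit[1]


def db_credentials(client, now: Optional[float] = None, cache: Dict = _CACHE) -> Dict:
    """What the Lambda code calls instead of holding credentials: the secret id is
    configuration (env var, placeholder default), the value never enters the source."""
    secret_id = os.environ.get("DB_SECRET_ID", "demo/app/db")
    return get_secret(secret_id, client, now=now, cache=cache)
```

Choose the TTL to match the rotation schedule: a connection built from a cached secret that has since been rotated fails, and a short TTL (or a refetch on authentication failure) keeps that window small. The secret value itself should never be logged.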
Security using Lambda Resource Policy
Diagram (without a resource policy): API Gateway APIApplication-1 → Lambda-1; API Gateway APIApplication-2 → Lambda-2 (output contains sensitive info); API Gateway APIApplication-3 → Lambda-3. A compromised APIApplication-1 can invoke Lambda-2.
Diagram (With Resource Based Policy / Function Policy): the compromised invoke from APIApplication-1 to Lambda-2 is blocked (X). The Resource Policy allows which API/Resource/Method can invoke this Lambda.
Lambda Resource Policy Continued
Default Behaviour
● By default, if you invoke a Lambda from an API in the same AWS account, the resource policy of the Lambda is automatically updated to allow the invocation
● For real-world projects, console access beyond development should be prohibited; deploy through a CI/CD toolchain with the resource policy defined in CloudFormation
○ CI/CD ensures the userid (who is deploying) belongs to the application ID
● By default, if you invoke a Lambda from API Gateway in a different AWS account, the resource policy of the Lambda needs to be updated explicitly
● At this point (Sept, 2018), the Lambda resource policy can't be updated through the console
○ Can be updated from the AWS CLI and CloudFormation
Demo
Lambda Resource Policy

Demo - Lambda Resource Policy
Diagram: API Gateway ProperAPI → verySensitiveFunction (output contains sensitive info); API Gateway HackerAPI (a different application than ProperAPI) performs a compromised invoke of the same function

AWS CLI Commands
aws lambda get-policy --function-name <lambda name or arn>

aws lambda add-permission --function-name <lambda name or arn> --source-arn <arn of the API Gateway Method> --principal apigateway.amazonaws.com --statement-id <string> --action lambda:InvokeFunction

aws lambda remove-permission --function-name <lambda name or arn> --statement-id <statement id of the permission>
Lambda Authorizer and API Gateway Flow
1. Create OAUTH Account (Auth0)
2. Application created
3. User signs up in Auth0
4. Assign the Lambda Authorizer for the API Gateway Method
5. User exchanges creds, receives Token ID
6. Calls the API Method with the Token
7. Lambda Authorizer validates the Token and returns an IAM Policy
8. Backend Lambda called
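Step 7 of the flow, as an added example (not code from the course): a TOKEN-type Lambda authorizer that validates the bearer token and returns the IAM policy API Gateway enforces on the method ARN. To keep the example runnable offline, the token is an HMAC-signed `user:expiry` string minted by `issue_token` with a placeholder secret; a real authorizer for Auth0, Okta or another provider would instead verify the JWT's signature against the provider's published signing keys and check its issuer, audience and expiry. The event shape (`authorizationToken`, `methodArn`) is what API Gateway sends to a TOKEN authorizer.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

DEMO_SECRET = b"constructed-demo-secret"  # placeholder for this example only


def issue_token(user: str, ttl_s: int = 300, now: Optional[float] = None,
                secret: bytes = DEMO_SECRET) -> str:
    """Stand-in for the identity provider: sign 'user:expiry' with HMAC-SHA256."""
    expiry = int(time.time() if now is None else now) + ttl_s
    payload = f"{user}:{expiry}".encode()
    signature = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + signature


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = DEMO_SECRET) -> Optional[str]:
    """Return the user the token belongs to, or None if it is malformed,
    tampered with, or expired."""
    try:
        payload_b64, signature = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        user, expiry = payload.decode().rsplit(":", 1)
        expiry_ts = int(expiry)
    except ValueError:  # bad split, bad base64, bad utf-8 or non-numeric expiry
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    if expiry_ts < (time.time() if now is None else now):
        return None
    return user


def build_policy(principal_id: str, effect: str, method_arn: str) -> Dict:
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": method_arn}],
        },
    }


def handler(event: Dict, context=None, now: Optional[float] = None) -> Dict:
    """Lambda authorizer entry point (TOKEN type)."""
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    user = verify_token(token, now=now)
    if user is None:
        # Returning Deny makes API Gateway answer 403; raising
        # Exception("Unauthorized") would answer 401 instead.
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(user, "Allow", event["methodArn"])
```

Scoping `Resource` to the `methodArn` from the event (rather than `*`) matters when authorizer results are cached: a cached Allow for one method must not open other methods, so either keep the resource narrow or set the policy's resources to exactly the methods that user may call.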
When To Use What?
API Key: Test apps, internal APIs, sometimes Prod APIs with key rotation
AWS_IAM: Almost never by itself
Cognito User Pool: When using the AWS Identity Provider (Cognito)
Cognito Identity Pool: Reuse credentials from a specific IdP (Facebook, Google, Amazon), and/or when IAM granularity is needed
Lambda Authorizer: When using an external IdP (Okta, AD, Auth0 etc.)
Security using API Gateway Resource Policy
Diagram (With API Gateway Resource Policy): IP 20.10.20.30 → API Gateway APIApplication-1 is blocked (X); IP 10.50.60.30 → API Gateway APIApplication-1 is allowed
Diagram (With Resource Based Policy / Function Policy): the compromised invoke from APIApplication-1 to Lambda-2 is blocked (X); the Resource Policy allows which API/Resource/Method can invoke this Lambda; APIApplication-3 → Lambda-3
Security using API Gateway Resource Policy
Diagram: IP 20.10.20.30 → API Gateway APIApplication-2 is blocked (X); IP 10.50.60.30 → API Gateway APIApplication-2 is allowed

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:region:account-id:api-id/",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["10.50.60.30"]
        }
      }
    }
  ]
}
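To see how the policy above decides, here is an added example (not course code) that evaluates a request's source IP against a resource policy the way IAM does: an explicit Deny wins, otherwise at least one Allow statement must match on action, resource and condition. The policy is constructed in the shape of the slide's, with `region`, `account-id` and `api-id` left as placeholders and the resource written as `api-id/*` so it covers every stage, method and path; the evaluator goes beyond the slide by also handling CIDR ranges, `NotIpAddress` and Deny statements. `Principal` is not evaluated here (the slide's policy allows any principal).

```python
import fnmatch
import ipaddress
from typing import Dict, List, Union

RESOURCE_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:account-id:api-id/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["10.50.60.30"]}},
        }
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _ip_in_ranges(ranges: Union[str, List[str]], source_ip: str) -> bool:
    """True if source_ip falls in any listed address or CIDR range."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in _as_list(ranges))


def _conditions_hold(condition: Dict, source_ip: str) -> bool:
    for operator, keys in condition.items():
        ranges = keys.get("aws:SourceIp", [])
        if operator == "IpAddress" and not _ip_in_ranges(ranges, source_ip):
            return False
        if operator == "NotIpAddress" and _ip_in_ranges(ranges, source_ip):
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            return False  # operator not modelled here: fail closed
    return True


def invoke_allowed(policy: Dict, source_ip: str, method_arn: str,
                   action: str = "execute-api:Invoke") -> bool:
    """IAM-style decision for one request: Deny beats Allow, no match means denied."""
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(method_arn, r) for r in _as_list(statement["Resource"])):
            continue
        if not _conditions_hold(statement.get("Condition", {}), source_ip):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed variant: allow an office range but carve out one host with a Deny.
OFFICE_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "arn:aws:execute-api:region:account-id:api-id/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["10.50.60.0/24"]}}},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:*",
         "Resource": "arn:aws:execute-api:region:account-id:api-id/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["10.50.60.99"]}}},
    ],
}
```

With the slide's addresses, `10.50.60.30` is allowed and `20.10.20.30` is denied. Note that `aws:SourceIp` is the address API Gateway sees; callers behind a NAT or proxy share it, so an IP condition is a coarse control, not an identity check.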
Storage For Serverless
SQL Vs NoSQL Database
SQL Database (RDBMS): Tables have a predefined schema
NoSQL Database: Schemaless

SQL Database (RDBMS): Holds structured data
NoSQL Database: Holds structured and unstructured data

SQL Database (RDBMS): Good fit for joins and complex queries
NoSQL Database: Generally not a good fit for complex multi-table queries

SQL Database (RDBMS): Emphasizes ACID properties (Atomicity, Consistency, Isolation and Durability)
NoSQL Database: Follows Brewer's CAP theorem (Consistency, Availability and Partition tolerance)

SQL Database (RDBMS): Example - Oracle, DB2, MS-SQL, AWS RDS
NoSQL Database: Example - AWS DynamoDB, MongoDB, Cassandra

Important: With the advent of technology, the segregation of use cases for SQL and NoSQL is NOT as black and white as it used to be; multiple factors need to be considered
Issue with Lambda and Traditional Database
Diagram: Traffic to Lambda (massive concurrency limit) → R/W to Database (fixed read/write limit, pay for the max limit)
● 25% RW
● 50% RW
● 75% RW
● 100% RW
● Database response slows, App crashes

Ideal Lambda and Database Behaviour
Diagram: Traffic to Lambda (massive concurrency limit) → R/W to Database (scalable read/write, pay as per usage)
● 25% RW
● 50% RW
● 75% RW: threshold reached, RW capacity increased
● 30% RW
Auto Scalable Storage Options for Lambda
NoSQL - DynamoDB
RDBMS - Aurora Serverless (As of Aug 2018!)

What is DynamoDB?
● Fully managed NoSQL database
○ Hardware provisioning, setup and configuration, replication, software patching and cluster scaling managed by AWS
● Store and retrieve any amount of data
● Serve any level of request traffic
● Autoscaling
● Highly available and durable
● Multi-region, multi-master database using Global tables
● Encryption at rest

For further details, refer to the DynamoDB Developer Guide
https://aws.amazon.com/documentation/dynamodb/
DynamoDB Core Components
● Tables - A table is a collection of data. Same as every other database.
● Items - An item is a group of attributes that is uniquely identifiable among all of the other items.
● Attributes - Each item is composed of one or more attributes. An attribute is a fundamental data element, something that does not need to be broken down any further.

Table (each row is an item, the equivalent of a row in the RDBMS world; each column is an attribute):
007 | Bond | James | 700-300-7171
001 | Doe | John | 300-400-1234 | USA
111 | Smith | Jane | UK

DynamoDB Items and Attributes
DynamoDB Primary Key

What is a Primary Key: The primary key uniquely identifies each item in the table, so that no two items can have the same key.

● Partition key - A simple primary key, composed of one attribute known as the partition key.

● Partition key and sort key - Referred to as a composite primary key, this type of key is composed of two attributes. The first attribute is the partition key, and the second attribute is the sort key. No two items can have the same combination of these two attributes.

The partition key is also referred to as the hash attribute, and the sort key as the range attribute.
DynamoDB Items and Attributes
Diagram: the People table
● The primary key consists of one attribute (PersonID).
● Other than the primary key, the People table is schemaless, which means that neither the attributes nor their data types need to be defined beforehand. Each item can have its own distinct attributes.
● Some of the items have a nested attribute (Address). DynamoDB supports nested attributes up to 32 levels deep.

DynamoDB Items and Attributes
Diagram: the Music table
● The primary key for Music consists of two attributes (Artist and SongTitle). Each item in the table must have these two attributes. The combination of Artist and SongTitle distinguishes each item in the table from all of the others.
● Other than the primary key, the Music table is schemaless, which means that neither the attributes nor their data types need to be defined beforehand. Each item can have its own distinct attributes.
● One of the items has a nested attribute (PromotionInfo), which contains other nested attributes.
DEMO
Creating a DynamoDB table from the Console

DynamoDB Primary Key

What is a Primary Key: The primary key uniquely identifies each item in the table, so that no two items can have the same key.

● Partition key - A simple primary key, composed of one attribute known as the partition key.

Example - The People table has a simple primary key (PersonID).

● Partition key and sort key - Referred to as a composite primary key, this type of key is composed of two attributes. The first attribute is the partition key, and the second attribute is the sort key. No two items can have the same combination of these two attributes.

Example - The Music table has a composite primary key (Artist and SongTitle). You can access any item in the Music table directly if you provide the Artist and SongTitle values for that item.

The partition key is also referred to as the hash attribute, and the sort key as the range attribute.

DEMO
How to write items into DynamoDB from Lambda

DEMO
How to delete DynamoDB items using Lambda
DynamoDB Secondary Indexes

Why Secondary Indexes: A secondary index lets you query the data in the table using an alternate key, in addition to queries against the primary key.

● Global secondary index - An index with a partition key and sort key that can be different from those on the table.

● Local secondary index - An index that has the same partition key as the table, but a different sort key.

Note: Table design should be done in such a way that you can achieve maximum efficiency with the minimum number of indexes. Index updates can be expensive!

DynamoDB Secondary Indexes
Diagram: the Music table with a new index called GenreAlbumTitle
● In the index, Genre is the partition key and AlbumTitle is the sort key.
● Query the data either by Artist and/or SongTitle OR by Genre and/or AlbumTitle
DynamoDB Global Tables
Simulating Global Tables

[Diagram: Customer tables in us-west-1 and us-east-1; the customer creates two-way
replication between them, and that self-managed replication slows things down]

DynamoDB Global Tables

[Diagram: the same tables in us-west-1 and us-east-1, with AWS managing the replication]

When to use it?

● Massively scaled application, with globally dispersed users
● Require world-wide low latency data
● Does cost extra!
DynamoDB Read Consistency
Concept of multi-AZ durability

[Diagram: the item {"acctno":1234, "balance":500.00} is stored in AZ1, AZ2 and AZ3]

Update bank balance of acctno 1234 from 500$ to 700$

[Diagram: AZ1 now holds {"acctno":1234, "balance":700.00} while AZ2 and AZ3 still hold
balance 500.00 and need to replicate; a read served from AZ3 at this moment returns the
old balance]
DynamoDB Consistent Read

● Eventually Consistent Reads


○ Response might return old data
○ If you repeat read request after a short time, latest data returned

● Strongly Consistent Reads


○ Returns most up-to-date data
○ By default reads are eventually consistent
○ Reads can be made strongly consistent by setting ConsistentRead parameter to true
○ Strongly consistent reads have less throughput (KB/Second) than eventually
consistent reads
DynamoDB Reads and Writes
DynamoDB read and write throughput is measured in capacity units
● One read capacity unit
○ One strongly consistent read per second
○ Two eventually consistent reads per second
○ For an item up to 4 KB in size; larger items require more capacity units

● One write capacity unit
○ One write per second
○ For an item up to 1 KB in size; larger items require more capacity units

Math Time!
Q - If you create a table with 10 read and 10 write capacity units, assuming 4 KB item size for read and 1
KB item size for write, what would be the throughput (KB/Second) for strongly consistent read and write?

A - 1 read capacity unit = 1 strongly consistent read/second for 4 KB

10 read capacity units = 10 strongly consistent reads/second of 4 KB each = 40 KB/Second (10 reads/sec X 4 KB)
Similarly, for write, 1 KB X 10 capacity units = 10 KB/Second
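The capacity-unit rules above, carried through in code as an added example (not part of the course): the "Math Time" question, the half-price of eventually consistent reads, the rounding up of item sizes to the next 4 KB / 1 KB, and the reverse calculation that turns a lowest and highest request rate into the min/max capacity for auto scaling. The function names and the sample loads are this example's own.

```python
import math

READ_UNIT_KB = 4    # one RCU: one strongly consistent read/second of an item up to 4 KB
WRITE_UNIT_KB = 1   # one WCU: one write/second of an item up to 1 KB


def read_units_per_request(item_kb, strongly_consistent=True):
    """Capacity consumed by one read. The item size rounds up to the next 4 KB;
    an eventually consistent read costs half of a strongly consistent one."""
    units = math.ceil(item_kb / READ_UNIT_KB)
    return units if strongly_consistent else units / 2


def write_units_per_request(item_kb):
    """Capacity consumed by one write; the item size rounds up to the next 1 KB."""
    return math.ceil(item_kb / WRITE_UNIT_KB)


def units_per_request(item_kb, kind="read", strongly_consistent=True):
    if kind == "read":
        return read_units_per_request(item_kb, strongly_consistent)
    if kind == "write":
        return write_units_per_request(item_kb)
    raise ValueError("kind must be 'read' or 'write'")


def throughput_kb_per_second(capacity_units, item_kb, kind="read", strongly_consistent=True):
    """The slide's "Math Time" in code: KB/second that a given number of provisioned
    units can sustain for items of item_kb kilobytes."""
    per_request = units_per_request(item_kb, kind, strongly_consistent)
    requests_per_second = capacity_units / per_request
    return requests_per_second * item_kb


def required_capacity_units(requests_per_second, item_kb, kind="read", strongly_consistent=True):
    """The reverse calculation: units to provision for a target request rate."""
    return math.ceil(requests_per_second * units_per_request(item_kb, kind, strongly_consistent))


def auto_scaling_bounds(low_rps, high_rps, item_kb, kind="read", strongly_consistent=True):
    """(min, max) capacity for a DynamoDB auto scaling policy, derived from the lowest
    and highest request rate the application expects (the step the slides describe)."""
    return (required_capacity_units(low_rps, item_kb, kind, strongly_consistent),
            required_capacity_units(high_rps, item_kb, kind, strongly_consistent))
```

Running the "Math Time" numbers through throughput_kb_per_second gives the 40 KB/s and 10 KB/s from the slide; switching the read to eventually consistent doubles it to 80 KB/s, which is the throughput difference the consistency slide mentions.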
DynamoDB Auto Scaling
What have you learnt so far on DynamoDB read/write?
● Difference between eventual and strongly consistent reads
● Math behind read and write capacity units
● Given the lowest and highest load in KB/second for your application
○ You can derive lowest and highest read/write capacity units

Time to set up DynamoDB Auto Scaling!


DynamoDB On Demand - Pay per Request Billing
Announced at re:Invent 2018

When to use DynamoDB On Demand?

● Useful if application traffic is difficult to predict
● Workload has large spikes of short duration

What is DynamoDB On Demand?

● Scaling without capacity planning
● Pay-per-request pricing, only pay for what you use
● Possible to switch back and forth between Provisioned and On-demand mode
● Supports all DynamoDB features - encryption, global tables, point in time recovery etc.
● Indexes created on the table inherit the same scalability and billing model

Pricing

● $ 1.25 per million write requests, $ 0.25 per million read requests
DynamoDB Streams

What is DynamoDB Streams: An optional feature that captures data modification events in
DynamoDB tables. The data about these events appears in the stream in near real time, and in
the order in which the events occurred.

Events that trigger a stream record:

● A new item is added to the table
● An item is updated
● An item is deleted from the table

[Diagram: a new item inserted into the table produces a stream record]
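A stream-triggered Lambda as an added example (not the course's code), fed with a constructed event of the three record types just listed, using the acctno/balance item from the read-consistency slide. The event is trimmed to the fields the code uses, and the hand-written decoder stands in for boto3's TypeDeserializer so the block runs offline.

```python
from decimal import Decimal

# Constructed sample event in the shape Lambda receives from a DynamoDB stream with
# StreamViewType NEW_AND_OLD_IMAGES (other record fields omitted). Keys and images
# use DynamoDB's typed JSON ({"N": "500.00"}), not plain values.
SAMPLE_EVENT = {
    "Records": [
        {"eventName": "INSERT", "dynamodb": {
            "Keys": {"acctno": {"N": "1234"}},
            "NewImage": {"acctno": {"N": "1234"}, "balance": {"N": "500.00"}},
            "SequenceNumber": "100", "StreamViewType": "NEW_AND_OLD_IMAGES"}},
        {"eventName": "MODIFY", "dynamodb": {
            "Keys": {"acctno": {"N": "1234"}},
            "OldImage": {"acctno": {"N": "1234"}, "balance": {"N": "500.00"}},
            "NewImage": {"acctno": {"N": "1234"}, "balance": {"N": "700.00"}},
            "SequenceNumber": "101", "StreamViewType": "NEW_AND_OLD_IMAGES"}},
        {"eventName": "REMOVE", "dynamodb": {
            "Keys": {"acctno": {"N": "1234"}},
            "OldImage": {"acctno": {"N": "1234"}, "balance": {"N": "700.00"}},
            "SequenceNumber": "102", "StreamViewType": "NEW_AND_OLD_IMAGES"}},
    ]
}


def from_dynamodb(value):
    """Decode one DynamoDB-typed attribute value. boto3 ships
    boto3.dynamodb.types.TypeDeserializer for this; a small hand-written version
    keeps the example runnable without boto3."""
    (tag, raw), = value.items()
    if tag in ("S", "BOOL"):
        return raw
    if tag == "N":
        return Decimal(raw)      # numbers arrive as strings; Decimal keeps them exact
    if tag == "NULL":
        return None
    if tag == "M":
        return {k: from_dynamodb(v) for k, v in raw.items()}
    if tag == "L":
        return [from_dynamodb(v) for v in raw]
    if tag == "SS":
        return set(raw)
    if tag == "NS":
        return {Decimal(n) for n in raw}
    raise ValueError(f"unsupported attribute type {tag}")


def decode_image(image):
    return None if image is None else {k: from_dynamodb(v) for k, v in image.items()}


def balance_changes(event):
    """Turn stream records into (acctno, event, old_balance, new_balance) tuples, in
    stream order. INSERT carries only NewImage, REMOVE only OldImage."""
    changes = []
    for record in event["Records"]:
        ddb = record["dynamodb"]
        key = decode_image(ddb["Keys"])
        old = decode_image(ddb.get("OldImage"))
        new = decode_image(ddb.get("NewImage"))
        changes.append((
            key["acctno"],
            record["eventName"],
            None if old is None else old["balance"],
            None if new is None else new["balance"],
        ))
    return changes


def lambda_handler(event, context):
    """Stream-triggered Lambda. It logs the key and the delta, never the whole image:
    images carry every attribute of the item, which may include data that should not
    end up in CloudWatch Logs."""
    processed = 0
    for acctno, kind, old, new in balance_changes(event):
        delta = (new or Decimal(0)) - (old or Decimal(0))
        print(f"acctno={acctno} event={kind} delta={delta}")
        processed += 1
    return {"processed": processed}
```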
Lambda Real Life Project

[Diagram: (1) a Lambda gets top news stories from the News API, (2) determines the sentiment
of each story - positive, negative or neutral, and (3) saves the news and its sentiment;
steps (4) to (6) fetch news based on sentiment from the stored data]
Lambda Real Life Project - Part 1 Recap

[Diagram: steps (1) get top news stories from the News API, (2) determine sentiment -
positive, negative, neutral, (3) save news and sentiment]

● Cloud9
● External Dependencies
● AWS Role
● DynamoDB
● Lambda Write/Delete into DynamoDB
● Cloudwatch Rules
● AWS Comprehend
● Homework - AWS Secrets Manager
Lambda Real Life Project - Final Words

● Easy Integration
● Secure
● Focus on Service, not Servers!
○ Automatic AutoScaling
○ No AMI to maintain
○ No patching
○ Economical

AND MANY MORE


DevOps for Serverless
Traditional Software Delivery

[Diagram: Write Code → WAIT → Build Code → WAIT → Deploy to test → WAIT → Testing → WAIT →
Deploy to prod]

Hours/Days + Lot of Grief for Developer & Operations
Traditional Software Delivery

[Cartoon: the Developer (Plan, Build, Test) asks "When are you gonna deploy my code?" and
"I just wanna code cool stuff"; Operations (Deploy, Operate, Monitor) answers "When you stop
breaking my servers"]
What is DevOps?
● Word “DevOps” coined in 2009 by Patrick Debois
● Combination of cultural philosophies, practices, and tools
● Development and Operations teams are no longer “siloed”
Why DevOps?
How long would it take your organization to deploy a
change that involves a single line of code?

Can you do this on a repeatable reliable basis?

DevOps Vs Non-DevOps organizations:

● 4x lower change failure rate
● 24x faster recovery times
● 200x more frequent deployments
● 44% more time spent on new features and code

Source: Puppet 2017 State of DevOps Report


General DevOps Practices
● Automate everything!

● Deploy frequently rather than one mega deployment in months

● Codify every step - infrastructure, application and more

● Rome was not built in a day!


DevOps Phases
DevOps Phases

● Source: check-in source code
● Build: compile code, unit tests, create artifacts
● Test: integration tests with other systems, load testing, UI tests, penetration testing
● Prod: deployment to production environments
DevOps Phases - CI/CD

Source Build Test Prod

Continuous Integration

Continuous Delivery

Continuous Deployment
Why DevOps on AWS?
● Fully Managed
● Built for Scale
● Inherent Integration with other AWS Services
● Apply Existing Knowledge of AWS SDK
● Secure
● Pay As You Go + Free Tier
● DevOps on AWS job is on high demand
DevOps On AWS - A Glimpse
● Source: AWS CodeCommit
● Build: AWS CodeBuild
● Test: AWS CodeBuild + Third Party Tools
● Prod: AWS CodeDeploy

All orchestrated by AWS CodePipeline
What is AWS CodeCommit
● Code Repository
○ Think of GitHub, GitHub Enterprise, BitBucket
on Steroids! (More on this on next slide)

● Store Anything
○ Source Code to binaries

● Based on Git
○ Works seamlessly with existing Git tools
AWS CodeCommit Benefits
● Fully Managed
○ Eliminates need to host, maintain, backup,
scale your own source control servers
○ Scales automatically
● Secure
○ Automatic encryption at rest & in transit
○ IAM integration
● High Availability
● Collaboration
● Inherent integration with AWS Services
Diving Deeper

Image: CodeCommit User Guide (https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html)


Big Picture

[Diagram: Developer → Code Repo (AWS CodeCommit) → Build Code → Testing → Deploy; the Code
Repo and Build Code stages make up Continuous Integration]
Branch Visualizer
What’s Different in Real World?
● Create a repository from Console
● Clone the repo to Cloud9

● Add a program to the local clone

● Push your first commit back to the repo!

● Code review (Branch, Pull Request)

● Code merged to Master


In This CodeCommit Demo
● Create a Branch - Junior Developer

● Create Pull Request - Junior Developer

● Review Pull Request - Senior Developer

● Merge into Master - Senior Developer


● Controlling Access to Repo - Junior Vs Senior
Developer
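The last item, controlling repository access for the junior versus the senior developer, is an IAM question. The policy below is an added example, not from the course: attached to the junior developer's IAM user or group (the senior developer does not get it), it denies pushing to, deleting, or merging into the master branch directly, so the junior's changes reach master only through a pull request that the senior reviews and merges. The StringEqualsIfExists/Null pair is the documented way to match the branch reference on CodeCommit requests. The repository name, account ID and region are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDirectChangesToMaster",
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:DeleteBranch",
        "codecommit:PutFile",
        "codecommit:MergeBranchesByFastForward",
        "codecommit:MergeBranchesBySquash",
        "codecommit:MergeBranchesByThreeWay",
        "codecommit:MergePullRequestByFastForward",
        "codecommit:MergePullRequestBySquash",
        "codecommit:MergePullRequestByThreeWay"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:111122223333:MyDemoRepo",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": ["refs/heads/master"]
        },
        "Null": {
          "codecommit:References": "false"
        }
      }
    }
  ]
}
```

An explicit Deny wins over any Allow the junior developer otherwise has, so this policy can sit beside a broad read/write policy for the repository; pushes to feature branches and creating pull requests still work, only master is protected.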
In This CodeCommit Demo

[Diagram: Bob creates a pull request from his source branch to the destination branch
(Master); Tina reviews and merges it into master]
What is AWS CodeBuild
● Fully Managed Continuous Integration (CI) Service
○ Compiles source code
○ Runs tests
○ Produces ready to deploy software packages
● No need to provision and manage build servers
○ Scales automatically
○ Processes multiple builds concurrently
○ Use prepackaged or custom build environments
● Pay as you go
● Secure
Big Picture

[Diagram: Developer → Code Repo → Build Code (AWS CodeBuild) → Testing → Deploy; Continuous
Integration covers the Code Repo and Build Code stages]
Elephant in the Room - Jenkins

Jenkins:
● Need to maintain Master and Worker Nodes in VMs
● Pay for idle resources
● You take care of availability and scalability
● Very mature plugin ecosystem
● Can use CodeBuild as worker node

CodeBuild:
● No need to provision and manage any Server
● Pay as you go
● Fully managed and scales automatically
● Has some prepackaged environments
● Inherent integration with other AWS Services
CodeBuild
Flow
How CodeBuild Works
Buildspec File

Demo will be shown for all these steps


Image from CodeBuild User Guide: https://docs.aws.amazon.com/codebuild/latest/userguide/concepts.html
Buildspec
Build Specification
Buildspec File

Image from CodeBuild User Guide: https://docs.aws.amazon.com/codebuild/latest/userguide/concepts.html


Buildspec.YML
● CodeBuild spins up a Docker image, and buildspec.yml tells it what
commands to run for installing packages and building code

● The Docker images come with common programming languages installed

● By default, the buildspec file must be named buildspec.yml and
placed in the root of your source directory in the repo

● Must be in YAML format
CodeBuild
Demo
In this CodeBuild Demo

[Diagram: Developer pushes to the Code Repo (GitHub or AWS CodeCommit) → AWS CodeBuild builds
the code into a Lambda package (zip) → the zip lands in Amazon S3 → S3 triggers a Deployment
Lambda → the Deployment Lambda deploys the package from S3 to the Application Lambda]
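A buildspec.yml for the packaging step of the flow above, added as an example (it is not the course's demo file): it vendors the Python dependencies into the zip, runs the unit tests before any artifact is produced, checksums the package, and hands the zip to CodeBuild as the build artifact, which the build project's artifact settings then upload to the S3 bucket that triggers the Deployment Lambda. The runtime version, the source layout (src/, tests/, requirements.txt) and the artifact name are assumptions.

```yaml
version: 0.2

phases:
  install:
    runtime-versions:
      python: 3.8                  # assumed; use the runtime your function targets
  pre_build:
    commands:
      - pip install --upgrade pip
      - pip install -r requirements.txt -t package/   # dependencies go inside the zip
      - python -m pytest tests/                       # fail the build before anything ships
  build:
    commands:
      - cp -r src/* package/
      - (cd package && zip -r ../lambda_package.zip .)
  post_build:
    commands:
      - sha256sum lambda_package.zip > lambda_package.zip.sha256   # checksum to verify on deploy

artifacts:
  files:
    - lambda_package.zip
    - lambda_package.zip.sha256
  discard-paths: yes
```

Each command runs in its own shell instance, which is why the zip step is wrapped in a subshell instead of relying on a cd from an earlier command.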
Many Ways to Skin a Cat!
● DevOps is deploying a change in a repeatable, reliable and
automated way

● Whichever tools and methods let you do it in a simple fashion
for your organization are A OK

● No need to have a defined, fancy tool for each DevOps stage
○ Sometimes a Lambda can do the job
○ Sometimes ServiceCatalog API
○ Sometimes CodePipeline
○ Sometimes Jenkins
○ Sometimes a combination of all of the above
○ Choose based on your requirement and hold your head high!
CI/CD Flow-1 for Lambda

[Diagram: Developer → Code Repo (GitHub or AWS CodeCommit) → AWS CodeBuild (Build Code, then
Test Code) → Lambda package (zip) in Amazon S3 → Deployment Lambda, triggered by S3 →
Application Lambda, deployed from the package in S3]

Deploying Lambda using Lambda - That's How Cool We Are!
CI/CD Flow-2 for Lambda

[Diagram: Developer → Code Repo (GitHub or AWS CodeCommit) → AWS CodeBuild (Build Code, then
Test Code) → Lambda package (zip) in Amazon S3 → AWS CodeDeploy, which uses CloudFormation →
Application Lambda, deployed from the package in S3; the whole flow runs inside AWS CodePipeline]

Power of this Pipeline

[Diagram: the same CodePipeline flow, shown again to highlight the stages it orchestrates]
In This Lecture

● Deployment Lambda
● End to End Flow
In this CodeBuild Demo

[Diagram: the flow from the CodeBuild demo again - Code Repo (GitHub or AWS CodeCommit) →
AWS CodeBuild → Lambda package (zip) in Amazon S3 → Deployment Lambda triggered by S3 →
Application Lambda]
Deployment Lambda

[Diagram: Lambda package (zip) in Amazon S3 → Deployment Lambda, triggered by S3 →
Application Lambda, deployed from the package in S3]

● Grab the Zip file from S3
● Use the AWS SDK to deploy the Lambda
○ Update for an existing Lambda
○ Create for a new one
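The Deployment Lambda described above as an added example in Python; it is not the course's demo code. It is triggered by the S3 object-created event, deploys only artifacts from the bucket the pipeline writes to, pins the exact object version, and calls update_function_code for an existing function or create_function for a new one, publishing a version either way. The environment variable names, role ARN, bucket name, naming convention (artifact key → function name) and the FakeLambdaClient are this example's assumptions; the fake lets the logic run offline.

```python
import os
from urllib.parse import unquote_plus

# Assumed configuration for this example; the deck does not name these values.
DEPLOY_ROLE_ARN = os.environ.get("DEPLOY_ROLE_ARN", "arn:aws:iam::123456789012:role/placeholder-role")
TRUSTED_BUCKET = os.environ.get("ARTIFACT_BUCKET", "placeholder-artifact-bucket")
RUNTIME = os.environ.get("TARGET_RUNTIME", "python3.8")
HANDLER = os.environ.get("TARGET_HANDLER", "lambda_function.lambda_handler")


def function_name_from_key(key):
    """Naming convention assumed here: 'builds/news-sentiment.zip' -> 'news-sentiment'."""
    base = key.rsplit("/", 1)[-1]
    if not base.endswith(".zip"):
        raise ValueError(f"not a Lambda deployment package: {key!r}")
    return base[: -len(".zip")]


def deploy_function(lambda_client, name, bucket, key, version_id=None):
    """Update the function's code if it exists, otherwise create it. Publish=True gives
    every deployment its own immutable version number, which is what an alias (and
    later CodeDeploy traffic shifting) points at."""
    code = {"S3Bucket": bucket, "S3Key": key}
    if version_id:
        code["S3ObjectVersion"] = version_id   # pin the exact object that was built
    try:
        lambda_client.get_function(FunctionName=name)
    except lambda_client.exceptions.ResourceNotFoundException:
        lambda_client.create_function(
            FunctionName=name, Runtime=RUNTIME, Role=DEPLOY_ROLE_ARN,
            Handler=HANDLER, Code=code, Publish=True,
        )
        return "created"
    lambda_client.update_function_code(FunctionName=name, Publish=True, **code)
    return "updated"


def handle_s3_event(event, lambda_client):
    """Process one S3 ObjectCreated event; returns what was done for each record."""
    results = []
    for record in event["Records"]:
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])   # S3 URL-encodes keys in events
        if bucket != TRUSTED_BUCKET:
            # Never deploy code that did not come out of the pipeline's own bucket.
            results.append((key, "skipped: untrusted bucket"))
            continue
        name = function_name_from_key(key)
        version_id = record["s3"]["object"].get("versionId")
        results.append((name, deploy_function(lambda_client, name, bucket, key, version_id)))
    return results


def lambda_handler(event, context):
    import boto3   # imported lazily so the module is importable without boto3
    return handle_s3_event(event, boto3.client("lambda"))


class FakeLambdaClient:
    """Constructed offline stand-in for boto3's Lambda client."""

    class exceptions:
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self):
        self.functions = {}   # name -> list of deployed (bucket, key, version)

    def get_function(self, FunctionName):
        if FunctionName not in self.functions:
            raise self.exceptions.ResourceNotFoundException(FunctionName)
        return {"Configuration": {"FunctionName": FunctionName}}

    def create_function(self, FunctionName, Code, **kwargs):
        self.functions[FunctionName] = [(Code["S3Bucket"], Code["S3Key"], Code.get("S3ObjectVersion"))]

    def update_function_code(self, FunctionName, S3Bucket, S3Key, S3ObjectVersion=None, Publish=False):
        self.functions[FunctionName].append((S3Bucket, S3Key, S3ObjectVersion))
```

The role this function runs under needs lambda:GetFunction, lambda:UpdateFunctionCode and lambda:CreateFunction on the target functions, plus iam:PassRole for DEPLOY_ROLE_ARN; scope those to the functions the pipeline owns rather than to "*", since this Lambda can change the code of anything it is allowed to touch.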
What is AWS CodeDeploy
● Deployment service that automates application
deployments to
○ EC2 instances, ECS, Lambda, on prem instances

● Can deploy variety of application content


○ Code, Lambda, Web and Config Files,
Executables, Packages, Scripts, Multimedia files
Big Picture

[Diagram: Developer → Code Repo → Build Code → Testing → Deploy (AWS CodeDeploy)]
AWS CodeDeploy Benefits
● Automatically Scales
○ Deploy to one or thousands instances
● Minimize Downtime
○ Rolling updates
○ Blue Green Deployments
● Stop And Roll Back
● Integrate with third party tools
● Concurrent Deployments
CodeDeploy For Lambda
● CodeDeploy can NOT deploy Lambda code currently
(As of 08/2019)
● CodeDeploy can switch Lambda traffic from one
version to another
○ All at once
○ Canary
● CodePipeline CAN deploy Lambda code
○ CodeDeploy can switch traffic after deploy
○ Both are covered in the course :)
AppSpec
● AppSpec file tells CodeDeploy what tasks to do in what order

● Think of it as conceptually similar to the BuildSpec file in CodeBuild
AppSpec
● Serverless Students can skip ahead to
Lambda part
AppSpec
● For EC2/On-Premises Compute
○ What source files to pick up from where
○ Where to deploy them
○ What scripts to run

● For Amazon ECS
○ Name of the Amazon ECS service and the container name
and port used to direct traffic to the new task set
○ Functions to be used as validation tests
AppSpec
● For AWS Lambda
○ The Lambda version traffic should be switched to
○ Functions to run as validation tests
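An AppSpec file for a Lambda deployment, added as an example (not from the course's demo): it names the function and alias, the version the alias points at now and the version traffic should move to, and the two validation functions CodeDeploy runs before and after the shift. The function, alias and hook names are placeholders.

```yaml
version: 0.0
Resources:
  - NewsSentimentFunction:                 # logical name, assumed for this example
      Type: AWS::Lambda::Function
      Properties:
        Name: news-sentiment               # function name (placeholder)
        Alias: live                        # the alias clients invoke; traffic moves here
        CurrentVersion: 3                  # version the alias points at today
        TargetVersion: 4                   # version to switch traffic to
Hooks:
  - BeforeAllowTraffic: news-sentiment-pre-traffic-check    # validation Lambda (placeholder)
  - AfterAllowTraffic: news-sentiment-post-traffic-check    # validation Lambda (placeholder)
```

With a canary or linear deployment configuration, CodeDeploy shifts the alias between CurrentVersion and TargetVersion in steps; a Failed result from the BeforeAllowTraffic hook stops the shift before any traffic reaches the new version.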
Revision & AppSpec
● Revision contains
○ Source files CodeDeploy will deploy to instances
○ Scripts CodeDeploy runs on instances

● Revision contains the AppSpec file

● For Lambda and ECS, a revision is the same as the AppSpec file
Key Terms

● Deployment Groups

● Deployment Type

● Deployment Configurations
Deployment Groups
Set of Individual Instances

[Diagram: five EC2 instances tagged Type: WebTier or Type: AppTier; the deployment group
selects only the instances tagged Type: AppTier, so code is deployed to App Servers only]

Deployment Groups

[Diagram: a deployment group spanning a WebTier AutoScaling Group and an AppTier AutoScaling
Group, each instance tagged with its tier]
Deployment Groups for Lambda

● Set of CodeDeploy configurations for future deployments
● Easier to understand with demo
Deployment Type
Deployment Configurations
A deployment configuration is a set of rules that determines how fast an application will be deployed and
the success or failure conditions for a deployment.
Putting It All Together
Deployment to EC2

Image: https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-steps.html#deployment-steps-server
Putting It All Together
Deployment Components on AWS Lambda

Image: https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-steps.html#deployment-steps-server
DEMO TIME!
● Deployment Group

● Deployment Type

● Deployment Configurations
DEMO TIME!
● CodeDeploy for Lambda
○ Switch traffic to versions
○ Appspec file

● Deploying Lambda will be covered in CodePipeline section
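The validation function an AppSpec hook points at, as an added example in Python (not the course's demo code): the BeforeAllowTraffic hook invokes the candidate version directly by qualified name (the alias still points at the old version), runs a smoke test, and reports Succeeded or Failed back to CodeDeploy through put_lifecycle_event_hook_execution_status; on Failed, CodeDeploy rolls the deployment back. The target function name and version, their environment variable names, and the two fake clients are assumptions made so the logic runs offline.

```python
import io
import json
import os

# Assumed configuration of the hook function; set as environment variables in practice.
TARGET_FUNCTION = os.environ.get("TARGET_FUNCTION", "news-sentiment")   # placeholder name
TARGET_VERSION = os.environ.get("TARGET_VERSION", "4")                  # placeholder version


def smoke_test(invoke):
    """Call the candidate version with a known input and check the response shape.
    `invoke` takes a JSON payload (bytes) and returns the response payload (bytes);
    hiding the boto3 call behind it keeps the test itself reusable and testable."""
    response = json.loads(invoke(json.dumps({"source": "codedeploy-hook"}).encode()))
    return response.get("statusCode") == 200 and "body" in response


def run_hook(event, lambda_client, codedeploy_client):
    """BeforeAllowTraffic hook body. CodeDeploy passes DeploymentId and
    LifecycleEventHookExecutionId in the event; both go back in the status call."""
    def invoke(payload):
        out = lambda_client.invoke(
            FunctionName=f"{TARGET_FUNCTION}:{TARGET_VERSION}",   # the new version, not the alias
            Payload=payload)
        if out.get("FunctionError"):          # the candidate raised: treat as a failed test
            raise RuntimeError(out["FunctionError"])
        return out["Payload"].read()

    try:
        status = "Succeeded" if smoke_test(invoke) else "Failed"
    except Exception as exc:   # any error while validating means: do not shift traffic
        print(f"validation raised {exc!r}")
        status = "Failed"

    codedeploy_client.put_lifecycle_event_hook_execution_status(
        deploymentId=event["DeploymentId"],
        lifecycleEventHookExecutionId=event["LifecycleEventHookExecutionId"],
        status=status,
    )
    return status


def lambda_handler(event, context):
    import boto3   # imported lazily so the module is importable without boto3
    return run_hook(event, boto3.client("lambda"), boto3.client("codedeploy"))


class FakeLambdaClient:
    """Constructed stand-in: returns a canned payload for whatever version is invoked."""

    def __init__(self, payload, function_error=None):
        self.payload = payload
        self.function_error = function_error
        self.calls = []

    def invoke(self, FunctionName, Payload):
        self.calls.append(FunctionName)
        out = {"Payload": io.BytesIO(json.dumps(self.payload).encode())}
        if self.function_error:
            out["FunctionError"] = self.function_error
        return out


class FakeCodeDeployClient:
    """Constructed stand-in that records the status reported back to CodeDeploy."""

    def __init__(self):
        self.reported = None

    def put_lifecycle_event_hook_execution_status(self, **kwargs):
        self.reported = kwargs
        return {"lifecycleEventHookExecutionId": kwargs["lifecycleEventHookExecutionId"]}
```

The hook function's role needs lambda:InvokeFunction on the target function only, plus codedeploy:PutLifecycleEventHookExecutionStatus; the hook itself should stay separate from the function it validates so a broken candidate cannot validate itself.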
What is AWS CodePipeline
● End to End CI/CD service

● Model, visualize and automate the steps required to release your software

● Service to orchestrate all the DevOps components that we have covered so far together
AWS CodePipeline Big Picture

[Diagram: Developer → Code Repo → Build Code → Testing → Deploy, all inside AWS CodePipeline]

[Diagram, variant 1: Code Repo = AWS CodeCommit, Build Code = AWS CodeBuild, Testing = AWS
CodeBuild, Deploy = AWS CodeDeploy]

[Diagram, variant 2: Code Repo = AWS CodeCommit, Build Code = AWS CodeBuild, Deploy = AWS
CloudFormation]
AWS CodePipeline Benefits
● Rapid Delivery

● Configurable Workflow

● Fully Managed

● Easy Integration
○ With AWS Services
○ Third Party Tools
DEMO TIME!
● Overall Look & Feel in Console
DEMO TIME!
● Create a Simple Pipeline: AWS CodeCommit → AWS CodeDeploy → Amazon EC2
CI/CD Flow-2 for Lambda

[Diagram: Developer → Code Repo (GitHub or AWS CodeCommit) → AWS CodeBuild (Build Code) →
Lambda package (zip) in Amazon S3 → AWS CodeDeploy, which uses CloudFormation → Application
Lambda, deployed from the package in S3; the whole flow runs inside AWS CodePipeline]

Power of this Pipeline

[Diagram: the same CodePipeline flow, shown again]
CodeStar - What and Why

● Primary Purpose: Quickly develop, build and deploy apps on AWS. Includes multiple
Serverless patterns
● CI/CD: CodePipeline created. Each step is visualized.
● Access to Code base: Code can be opened in the IDE with one click. Natively integrated
with Cloud9.
● Track Sprints and Issues: Integrated with Jira and GitHub Issues. Can be tracked from
CodeStar
● Manage Project Team: Assign team members and roles from the service
AWS SAM
(Serverless Application Model)
What is SAM
● Shorthand syntax to create Lambda, API,
Database, Event Source Mappings, Layers
○ Can write in plain CloudFormation but will
be much simpler in SAM
○ Converted into CloudFormation during
deployment
What is SAM
Creates
● Lambda
● API in API Gateway
● Put the Lambda as backend for /GET

Plain CloudFormation will be much larger


What is SAM
● Shorthand syntax to create Lambda, API,
Database, Event Source Mappings
○ Can write in plain CloudFormation but will be
much simpler in SAM
○ Converted into CloudFormation during
deployment
● Local Debugging and Testing

● Deep integration with dev tools - AWS and External
○ IDEs, Jenkins, Stackery toolkit etc.
AWS SAM Template Concepts

● Declaring Serverless Resources


○ AWS::Serverless::Function
○ AWS::Serverless::API
○ AWS::Serverless::Application
○ AWS::Serverless::LayerVersion
○ AWS::Serverless::SimpleTable
DEMO
● Install SAM CLI
○ Cloud9 Terminal
○ Local Desktop - Favorite IDE

AWS Cloud9 is my IDE of choice for rest of the demos


DEMO
Author and Deploy SAM
❖ Lambda with no External Dependencies
DEMO
Lambda with External Dependencies
❖ Local Testing with SAM
❖ Deploy with SAM
SAM Template
● Mix with regular CloudFormation in same
template
○ E.g. VPC, Kinesis, ELB etc.
● Supports use of parameters, mappings,
outputs, importvalue etc.
● Supports intrinsic functions
● YAML or JSON
Lambda Events in SAM
● Events that trigger Lambda
○ E.g. S3 upload, API, Scheduled etc.
SAM & Swagger
Defining APIs with SAM
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  GetHtmlFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: s3://sam-demo-bucket/todo_list.zip
      Handler: index.gethtml
      Runtime: nodejs6.10
      Policies: AmazonDynamoDBReadOnlyAccess
      Events:
        GetHtml:
          Type: Api          # API endpoint triggering the Lambda function
          Properties:
            Path: /{proxy+}
            Method: ANY
Using Swagger for complex APIs
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  GetHtmlFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: s3://sam-demo-bucket/todo_list.zip
      Handler: index.gethtml
      Runtime: nodejs6.10
      Policies: AmazonDynamoDBReadOnlyAccess
      Events:
        GetHtml:
          Type: Api
          Properties:
            Path: /{proxy+}           # as in the previous template
            Method: ANY
            RestApiId: !Ref GetHtml   # attach the event to the explicit API below
  GetHtml:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      DefinitionUri: swagger.yml    # the API itself is defined by this Swagger document
DEMO
● Defining API with SAM and Swagger
DEMO
● Swagger with already created Lambda
Serverless
Frameworks
Serverless Frameworks
● Why frameworks?
● Different frameworks
○ Yes, there are many!
● Thinking Cap ON - should I adopt third party
serverless Frameworks?
● Detailed Tutorial on frameworks
Serverless Lifecycle
Couple Years Back
● Create Lambda and APIs using lines and lines of CloudFormation
● Create CI/CD pipelines by stitching multiple pieces
● Go multiple places to monitor and troubleshoot
Serverless Frameworks
● Simplifies development, deployment and
monitoring
● Introduce high level of abstraction
○ Few lines can spin up serverless
infrastructure
● Single pane to monitor and troubleshoot
Different Serverless Frameworks

AWS: AWS SAM, AWS CodeStar, AWS Amplify, AWS Chalice

Third-Party: Serverless Framework
Considerations for 3rd Party Frameworks

● Each Enterprise is different


○ Low abstraction vs High abstraction
● License cost down the line?
● Cloud Agnostic approach
● Openness to Open-Source
● How fast do you adopt new AWS services and
features
○ 3rd party tools will take some time to
integrate new features
The Serverless Framework
The Serverless Framework
● Started in 2015 as open source project
● Supports multi-cloud
● Single pane develop, deploy and monitoring
○ Diving Deeper with example
● Thousands of plugins available
● Have open source and pro edition
○ This course will cover both
AWS SAM Vs The Serverless Framework

Template
● AWS SAM: Highly abstracted template
● The Serverless Framework: Highly abstracted template

AWS Integration
● AWS SAM: Integrates with native AWS tooling - CodeBuild, CodeDeploy, CodePipeline etc.
● The Serverless Framework: Out of box integration not available, some can be done through plugins

Dashboard
● AWS SAM: No dashboard, need to collect data from various services
● The Serverless Framework: Single pane dashboard makes life easier

Additional Code
● AWS SAM: No additional SDK needed
● The Serverless Framework: Serverless SDK required, makes the codebase larger and layered

Multicloud
● AWS SAM: No MultiCloud capability
● The Serverless Framework: MultiCloud capability

Looking ahead
● AWS SAM: Will evolve, example AWS CDK
● The Serverless Framework: Always play catch up
SERVERLESS Vs CONTAINER
Let's Start from Beginning

What is Serverless
● No servers to provision or manage
● Automatically scales with usage
● Never pay for idle
● Highly available
● Serverless services, such as a compute service that lets you run code without
provisioning or managing servers

What is Container
● Standard unit of software that packages up code and all its dependencies
● The application runs quickly and reliably from one computing environment to another
● Container Orchestrators: Kubernetes (K8), Amazon EKS, Amazon ECS, Docker Swarm
Environment Difference

Serverless
● Underlying infrastructure managed by Cloud Provider
➢ Scales automatically
➢ No Patching headache
● Can't install software (e.g. Webserver, Appserver) in underlying environment
➢ Code libraries can be installed
● Easy selection of compute power
➢ 128 MB to 3 GB memory
➢ 1 sec to 15 Minutes time limit
● No attached hard disk, deployment package size limited
● Superpower - Easier to onboard, focus on solving business problem from get go

Container
● Users control underlying infrastructure - VM Size, OS, AMI etc.
➢ Requires management and orchestration
➢ Need to make master node HA, handle VM failover, AMI rehydration etc.
● Install almost any software
➢ Prepackaged images with different softwares available
● Adjustment of VM parameters requires some work
➢ Think of it as changing EC2 instance type on a running instance
● Hard Disks attached to nodes
● Superpower - Complete control of environment, rich ecosystem
Use Case Difference

Serverless
● Shines at event driven architectures
➢ Native integration with other services
➢ Example - Triggered by S3, Kinesis
● Suited when traffic is unpredictable
➢ Autoscaling
➢ Pay as you go
● Microservices
➢ API Gateway integration
➢ Code is modular without software dependencies, e.g. python APIs
➢ Easier to migrate Cloud native, green field apps
➢ Consider VPC Cold Start Latency
● Kryptonite - For brown field monoliths to Lambda, major refactoring needed

Container
● Faster migration to cloud with other softwares
➢ Webserver, Appserver
➢ App requires third party software
● Suited when traffic is predictable
➢ You pay for the underlying VM regardless
➢ Scales an entire VM
● Microservices!
➢ Easy to move API with dependencies, e.g. Spring Boot with Discovery layer
➢ Consider cost and complexity for green field
● Kryptonite - Steep learning curve with multitudes of choices along with significant Day 2
operational overhead
Scaling of Lambda Vs Container

Serverless
[Diagram: each unit of traffic goes to its own Lambda invocation; pay for what you use]

Container (Amazon EKS)
[Diagram: traffic reaches a K8 Master (basically a bunch of EC2s) and is spread over Pods of
containers on K8 Nodes (EC2); each node is at 50% utilization, yet you are charged for the
entire EC2, i.e. you pay for idle resources]

Wait before you make up your mind!
Money Matters

Scenario 1: 3 million requests/month, 512 MB Memory, 300 ms execution time, unpredictable traffic
● Serverless: $8/month
● Container (Amazon EKS): $144/month (Control Plane) + $14.4 (t3.small worker node) = $160/month
➢ Cost will increase during higher spikes because of scaling

Scenario 2: 90 million requests/month, 512 MB memory, predictable traffic
● Serverless (250 ms execution time): $206/month
● Container (Amazon EKS, 300 ms execution time): $144/month (Control Plane) + $28.8 (t3.medium
worker node) = $173/month
➢ Predictable traffic makes it possible to select the proper VM, higher CPU utilization

One is NOT cheaper or pricier than the other, it all depends on the use case
Parting Words

SERVERLESS

CONTAINER
“We don’t believe in one tool to rule the world. We want you to use the right tool for
the right job.”— Andy Jassy, CEO of AWS
Fargate - What & Why

● Both ECS and EKS require managing a Cluster and/or some infrastructure

● What if you just want to run your container?

● Serverless version of Container - Fargate

● No need to create a cluster or determine EC2 size, Fargate scales on-demand

● Pay for what you use

● One size does NOT fit ALL - Can be cheaper or pricier than ECS/EKS based on usage
What is Docker/Container?

● Docker packages software into standardized units called containers that have
everything your software needs to run including libraries, code and runtime

● Lets you quickly deploy and scale applications into any environment
What is Container Orchestrator?
How Does Docker Work?

[Video slide; speaker notes:] Picture two apps. They need a host to run, so we spin up EC2s
and put the apps inside them. EC2s are like hyenas: if you see one, other ones are nearby. To
make it Highly Available, you need another one in a second AZ. Then comes scaling: put them in
an ASG, and to route traffic you need a Load Balancer. And if one task fails, you need to spin
up another one.
Tasks Associated with Containers

● Deployment of Containers
● Redundancy and availability of Containers
● Scaling up or down of Containers
● Load Balancing
● Health Monitoring of Containers and Hosts
● Service Discovery
● And More...
Container Orchestrator
Say Hello to Container Orchestrators

● Docker Swarm

● Apache Mesos

● Cattle, Nomad, Empire

● AWS ECS (Elastic Container Service)

● Kubernetes
○ EKS (Elastic Container Service for Kubernetes)

● AWS Fargate
Battle of Orchestrators

So it begins...
Control Plane - ECS & Kubernetes

Control Plane - Main entry point of Orchestrator. Interface to launch an application, query the
state or shut down

ECS
● Fully managed, highly available, highly scalable Control Plane
● You do NOT pay for Control Plane

Kubernetes
● Fully Open-Source, created by Google, run on any cloud or on-prem
● Run your own Control Plane on Host (such as EC2)
● You need to take care of selecting EC2 and scaling etc.
● AWS can manage Kubernetes Control Plane for you - EKS
● Pay for the Control Plane - either for underlying EC2 or AWS Managed EKS Control
Plane
Why Fargate?

● Both ECS and EKS require managing a Cluster and/or some infrastructure

● What if you just want to run your container?

● Serverless version of Container - Fargate

● No need to create a cluster or determine EC2 size, Fargate scales on-demand

● Pay for what you use

● One size does NOT fit ALL - Can be cheaper or pricier than ECS/EKS based on usage
Money Matters

1 task cost per month (task = 0.5 vCPU, 1 GB Mem)
● Control Plane: ECS $0.00, EKS $144.00, Fargate $0.00
● EC2 worker node (m5.large): ECS $70.28, EKS $70.28, Fargate $0.00
● Task: ECS $0.00, EKS $0.00, Fargate $27.36 ($0.0506 vCPU/hr X 0.5 vCPU X 24 hr X 30 Days +
$0.0127 GB/hr X 1 GB X 24 hr X 30 Days)
● Total: ECS $70.28, EKS $214.28, Fargate $27.36

24 tasks cost per month
● Control Plane: ECS $0.00, EKS $144.00, Fargate $0.00
● EC2 worker nodes (m5.large X 4): ECS $421.68 (4 EC2s = $70.28 X 4), EKS $421.68
(4 EC2s = $70.28 X 4), Fargate $0.00
● Task: ECS $0.00, EKS $0.00, Fargate $656.64 ($27.36 X 24)
● Total: ECS $421.68, EKS $565.68, Fargate $656.64
The Good Old Comparison Chart

ECS
● Container Orchestration platform, created by AWS
● Requires creating cluster
● Control Plane costs zero, pay for worker nodes
● Deeper integration with other AWS Services such as IAM, ALB etc.
● Good for cloud native container architectures

EKS
● Managed Kubernetes (Open Source) by AWS
● Requires creating cluster
● Control Plane costs 144$ (Dec 2018), pay for worker nodes
● AWS actively working on the integrations
● Good for cloud native container architectures, easier to move on-prem Kubernetes to AWS EKS

Fargate
● Containers on-demand
● No cluster is required
● Only pay for tasks based on CPU and Memory
● Fargate currently runs on ECS, early days, more to come
● Good for workload which runs for a duration; Fargate is expensive if high CPU/Memory tasks
run all the time
Serverless Architectures &
Advanced Optimization
Techniques
Optimizing Your Lambda
Couple Words Before We Begin

• Battle hardened real world tips


• Advanced lecture (rewatch parts if needed)
Places Where You can Optimize

• Your Function
• Actual Code
• Execution Environment
• The execution settings of the Lambda
Optimizing Your Function Code
Lambda Code Execution Under The Hood

[Diagram: three stages in the life of one container]

First Execution (Cold Start)
• Container comes up
• Loads your code
• Runs the code
• Some code stays warm too!

Lambda Finished Execution
• Container stays warm for a certain time
• Some code stays warm

Lambda Invoked Again
• Container is reused
• Some code gets executed
• Warm code does NOT re-execute, saving execution time
• Cold start is much less on subsequent execution

What Code Stays Warm?

A Typical Lambda function

• Handler() function - the function to be executed upon invocation
• Event object - data sent during Lambda function invocation
• Context object - methods available to interact with runtime information (request ID,
log group, etc.)

import json

def lambda_handler(event, context):
    # TODO implement
    return {
        'statusCode': 200,
        'body': json.dumps('Hello World!')
    }
Lambda Code Execution Under The Hood

[Figure: code outside the handler, at module level, is executed during the first execution and
stays warm; code inside the handler reruns during each execution]

Lambda Code Execution Under The Hood

[Figure: for each call inside the handler, ask - is this function executing every time? If yes,
and it is expensive, move it to global scope]

Lambda Code Execution Under The Hood

[Figure: connect_to_database() moved to global scope; it will stay warm throughout subsequent
executions]
So Why Not Put EVERYTHING in Global Scope?

[Diagram: on first execution (cold start) the container comes up, loads your code and runs it,
and some code stays warm; after the Lambda finishes, the container stays warm for a certain time]

• The more code you put in global scope, the longer the cold start on first execution will be
• The container does go down if the Lambda is not invoked subsequently for a certain time
• It's a balance (will go over tools to help)
Anti-Pattern

[Figure: initialization placed inside the handler - this does not save anything]

Concise Function Logic

[Figure: don't load something that you don't need; import the required libraries from a package
rather than loading the entire package]
Lazy Loading

[Figure: libraries can be lazy loaded too!]

Lambda Environment Variables

● Key-value pairs that you can dynamically pass to your function without making code changes
● Available via standard environment variable APIs
● Can be encrypted via AWS Key Management Service (AWS KMS)
● Useful for creating environments per stage (i.e., dev, testing, production)
Lambda Environment Variables
Concise function logic
• Separate the Lambda handler (entry point) from the core logic
• Use Lambda Layers for duplicated logic
• Use functions to TRANSFORM, not TRANSPORT
  • APIs directly integrate with AWS Services
  • SNS > Lambda > S3? Do SNS > S3
• Dynamic logic via configuration
  • Per function – Environment variables
  • Cross function – Amazon Parameter Store/Secrets Manager
• Read only what you need. For example:
  • Properly indexed databases
  • Use Views instead of compute
  • Use Amazon S3 Select
Keep orchestration out of the code
Optimizing Lambda Code Recap
● Use pre-handler logic strategically
● Think about how re-use impacts variables, connections, and dependency usage
● Minimize dependencies
● Share secrets based on application scope:
  ○ Single function: Env-Vars
  ○ Multi Function/shared environment: Secrets Manager
● Concise logic
● Push orchestration up to Step Functions
● Use Lambda Layers to simplify deploys
Optimizing Execution Environment
HOW MUCH MEMORY AND TIME NEEDED FOR
LAMBDA???
Knowing is Half The Battle
• “In God we trust, all others bring Data” - Adam Breckler
• X-Ray gives you the data, and areas to optimize
• X-Ray Integrates with Lambda and API-Gateway
X-Ray Trace Example

Image: https://docs.aws.amazon.com/lambda/latest/dg/lambda-x-ray.html
Seeing a cold start in AWS X-Ray
Trace segments: AWS Lambda Service, Your Function. The gap before your function's segment is the Cold Start Time; the first part of your function's segment is Your Lambda Initialization Time.
Image: https://docs.aws.amazon.com/lambda/latest/dg/lambda-x-ray.html
Third Party Tools
Lambda performance already available from:
• Datadog
• Epsagon
• NodeSource
• IOPipe
• Thundra
Lambda Memory and Compute Go Together
MEMORY → CPU
Lambda exposes only a memory control, with CPU allocated to a function proportionally
Our Very Own Test
Stats for a Lambda function that calculates all prime numbers <= 30000, run 3000 times a month

Execution Time
Memory     Execution Time
128 MB     56.13735 sec
256 MB     26.43806 sec
512 MB     12.68250 sec
1024 MB    6.28947 sec
(best: 1024 MB, worst: 128 MB)
Pricing calculator: https://s3.amazonaws.com/lambda-tools/pricing-calculator.html

Memory Vs Monthly Cost
Stats for a Lambda function that calculates all prime numbers <= 30000, run 3000 times a month
Memory     Execution Time    Monthly Cost
128 MB     56.13735 sec      $0.35
256 MB     26.43806 sec      $0.33
512 MB     12.68250 sec      $0.16
1024 MB    6.28947 sec       $0.08
(best: 1024 MB, worst: 128 MB)
Moral of The Story (Yes, there’s always one!)
Moral of The Story (No animals get killed in this one)
● Sometimes even when you crank up memory, cost comes down
● Sometimes with increased memory, cost might increase
  ○ If performance increases significantly and cost increases slightly, it's worth it
  ○ You define what's acceptable for your case
● Worth testing out for time-consuming Lambdas
Lambda Power Tuning
Project: https://github.com/alexcasalboni/aws-lambda-power-tuning
Analyzes execution logs and suggests the best configuration to minimize cost or maximize performance
Lambda Power Tuning
CloudWatch Insights
Do You Need Sync Everywhere?
Separate Sync, Async components
Example – GET Sync, POST Async
Sending data to another system:
Do I need to insert realtime, or is near realtime okay?
Do I need the response in the same call?
API Vs topic/queue/stream
Do I need to put my functions in an Amazon VPC?
Lambda needs to access a resource in the VPC
Example – RDS in VPC
Restrict outbound access to the Internet
Lambda execution models

Model          Event source             Interaction      Invoked
Synchronous    Amazon API Gateway       GET, POST        AWS Lambda function
WebSocket      Amazon API Gateway       Bidirectional    AWS Lambda function
Asynchronous   Amazon SNS, Amazon S3    Events           AWS Lambda function
Poll-based     Amazon Kinesis           Changes          AWS Lambda service → AWS Lambda function
Lambda Dead Letter Queues
“By default, a failed Lambda function invoked asynchronously is retried
twice, and then the event is discarded.” –
https://docs.aws.amazon.com/lambda/latest/dg/dlq.html
• Turn this on! (for async use cases) - It's free till it's used
Do You Need APIs to Expose Lambda?
Is Lambda only getting called from internal systems?
Maybe you don't need an API
You can call Lambda like any other AWS Service
Lambda can be called from EC2, Lambda etc.
Just like Lambda uses Boto3 to call other Services, Lambda can be called using Boto3 as well!
Events - Don’t Fire Lambda Unnecessarily
Discard Unnecessary Events
S3 - Use Specific Prefix
SNS - Message Filtering
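The SNS message filtering point above, as an added example that is not part of the course material: a local model of how an SNS subscription filter policy decides whether a message reaches the Lambda subscriber, so a policy can be unit-tested before it is deployed (the real evaluation happens inside SNS). FILTER_POLICY and the message attributes are constructed; only exact-match, "prefix" and "anything-but" conditions are modelled.

```python
# Added example (not from the course slides): a local model of how an SNS
# subscription filter policy decides whether a message is delivered to the
# Lambda subscriber. Useful for unit-testing a policy before deploying it; the
# real evaluation is done by SNS itself. Supports exact-match strings, "prefix"
# and "anything-but" conditions only.

# Constructed policy: deliver only order events from "eu-" regions that are
# not load-test traffic. Every key must match (AND); list entries are OR-ed.
FILTER_POLICY = {
    "eventType": ["order_placed", "order_cancelled"],
    "region": [{"prefix": "eu-"}],
    "source": [{"anything-but": ["load-test"]}],
}


def _condition_matches(condition, value):
    """One entry of a policy list against one string attribute value."""
    if isinstance(condition, str):
        return condition == value
    if "prefix" in condition:
        return value.startswith(condition["prefix"])
    if "anything-but" in condition:
        return value not in condition["anything-but"]
    raise ValueError(f"unsupported condition: {condition!r}")


def matches_filter_policy(policy, message_attributes):
    """True if SNS would deliver a message with these attributes.

    message_attributes uses the SNS shape {"Name": {"Type": ..., "Value": ...}}.
    A message lacking any attribute named in the policy is dropped, so the
    Lambda is never invoked for it.
    """
    for name, conditions in policy.items():
        attr = message_attributes.get(name)
        if attr is None:
            return False
        value = attr["Value"]
        if not any(_condition_matches(c, value) for c in conditions):
            return False
    return True


def attrs(**kwargs):
    """Build SNS-style String message attributes from keyword arguments."""
    return {k: {"Type": "String", "Value": v} for k, v in kwargs.items()}
```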
Lambda Per Function Concurrency Controls
• Concurrency a shared pool by default
• Separate using per function concurrency settings
• Acts as reservation
• Also acts as max concurrency per function
• Especially critical for data sources like Amazon RDS
• “Kill switch” – set per function concurrency to zero
Optimizing Execution Env Recap
• More memory == More CPU and I/O (proportionally)
• Can also be lower cost
• Use AWS X-Ray to profile your workload
• Think deeply about your execution model and invocation source needs
• Not everything needs to be an API
• Understand the various aspects of queues, topics, streams when using them
• VPC has certain benefits but isn't necessary for security
AWS Well-Architected Framework - Five Pillars

● Operational excellence
● Security
● Reliability
● Performance efficiency
● Cost optimization

Reference: https://d1.awsstatic.com/whitepapers/architecture/AWS-Serverless-Applications-Lens.pdf
Serverless - General Design Principles

● Speedy, simple, singular


● Share nothing
● Orchestrate your application with state machines
● Design for failures and duplicates
● Use events to trigger transactions
Serverless - Design Components
Compute Layer
● Manages requests from external systems
● Controls access and ensures requests are appropriately authorized
● Contains the runtime environment in which your business logic will be deployed and executed
Examples - Lambda, API Gateway, Step Functions

Data Layer
● Persistent storage
● Secure mechanism to store states that your business logic will need
● Provides a mechanism to trigger events in response to data changes

Examples - DynamoDB, S3, Aurora Serverless


Serverless - Design Components
Messaging and Streaming Layer
● Manages communications between components
● Manages real-time analysis and processing of streaming data
Examples - Kinesis, SNS

User Management and Identity Layer
● Provides identity, authentication, and authorization for both external and internal customers of your workload's interfaces
Examples - Cognito

Systems Monitoring and Deployment
● System visibility through metrics
● Defines how your workload changes are promoted
Examples - CloudWatch, X-Ray
Serverless - Design Components
Edge Layer
● Manages the presentation layer and connectivity to external customers
● Provides an efficient delivery method to external customers residing in distinct
geographical locations
Examples - CloudFront
Serverless - Design Scenarios
RESTful Microservices

Image from: https://d1.awsstatic.com/whitepapers/architecture/AWS-Serverless-Applications-Lens.pdf


Serverless - Design Scenarios
Stream Processing

Image from: https://d1.awsstatic.com/whitepapers/architecture/AWS-Serverless-Applications-Lens.pdf


Serverless - Design Scenarios
Periodic Job
1. Get top news stories (News API)
2. Determine sentiment of news - positive, negative, neutral
3. Save news and sentiment
Serverless - Design Scenarios
Web Application

Image from: https://d1.awsstatic.com/whitepapers/architecture/AWS-Serverless-Applications-Lens.pdf


When NOT to Use Lambda
● Always compare cost with EC2
  ○ Price varies based on traffic, memory and time
● Gorilla in the room - Cold Start in VPC
  ○ Based on the traffic pattern, cold starts of Lambda could occur
  ○ If the Lambda is in a VPC, a cold start attaches an ENI (Elastic Network Interface) to the Lambda, which takes seconds
  ○ Can try to keep the Lambda warm using CloudWatch pings and algorithms
  ○ For corner cases, ultra-low SLAs for APIs are not achievable
● Super heavy computing exceeding the Lambda memory/time limit

Important: Always weigh your options without bias; Lambda is not supposed to be the be-all and end-all for all design problems
Lambda VPC ENI Cold Start - No More!
Lambda VPC Networking
Lambda Networking with your VPC
Prior to VPC Improvements
• ENIs created and attached during function execution
• Concurrent Lambdas used to consume a large amount of IP addresses
VPC Improvements (Live Now)
• ENIs attached during function creation, NOT execution
• Lambdas share an ENI (same subnet and security group combination)
Lambda VPC Improvements