Graduate Program KB

Section 14 - Serverless Overviews

  • Serverless means developers don't have to manage servers and can simply focus on code
  • Ex. Lambda, DynamoDB, Cognito, API Gateway, S3, SNS, SQS, Firehose, Aurora Serverless, Step Functions, Fargate

AWS Lambda

  • An EC2 instance runs continuously with a fixed amount of RAM and CPU; scaling means adding or removing servers
  • Lambda functions are virtual functions with no servers to manage; they have short execution times, run on demand and scale automatically
  • Benefits:
    • Pricing is pay per request and per compute time; the free tier includes one million requests and 400,000 GB-seconds of compute time per month
    • Integrates with many other AWS services and programming languages
    • Monitor through CloudWatch
    • Easy to get more resources per function (up to 10GB of RAM). More RAM will also improve CPU and network

Lambda Limits

  • Limits are applied per region
  • Execution:
    • Memory allocation: 128MB - 10GB (1MB increments)
    • Maximum execution time: 900 seconds
    • Environment variables: 4KB
    • Disk capacity in the "function container" (/tmp): 512MB to 10GB
    • Concurrency executions: 1000 (increasable)
  • Deployment:
    • Lambda function deployment size (compressed .zip): 50MB
    • Size of uncompressed deployment (code and dependencies): 250MB
    • Can use /tmp directory to load other files at startup
    • Size of environment variables: 4KB

Lambda SnapStart

  • Improves Lambda startup performance by up to 10x at no extra cost for Java 11+ runtimes
  • When a new function version is published, Lambda:
    • Initializes the function, then takes a snapshot of its memory and disk state
    • Caches the snapshot for low-latency access
    • Resumes invocations from the pre-initialized snapshot instead of running initialization again
  • Caveat: anything created during initialization (random seeds, unique IDs, cached credentials, open connections) is baked into the snapshot and shared by every restored instance, so it must be regenerated in an after-restore hook

Edge Functions

  • An edge function is attached to a CloudFront distribution and runs close to the users to minimize latency
  • CloudFront provides CloudFront Functions and Lambda@Edge
  • Still serverless and global with pay as you go pricing
  • Use cases:
    • Website security/privacy
    • Dynamic web app at the edge
    • Search engine optimization
    • Intelligent routing across origins and data centres
    • Bot mitigation at edge
    • Real-time image transformation
    • A/B testing
    • User authentication and authorization
    • User prioritization
    • User tracking and analytics

CloudFront Functions

  • Lightweight functions written in JS, useful for high-scale, latency-sensitive CDN customizations
  • Fast startup times (sub-ms), can execute millions of requests per second
  • Typically used to alter viewer requests and responses
  • Maximum memory of 2MB and package size of 10KB
  • Use cases:
    • Cache key normalization
    • Header manipulation
    • URL rewrites or redirects
    • Request authentication and authorization

Lambda@Edge

  • Lambda functions written in Node.js or Python
  • Scales to thousands of requests per second
  • Used to alter viewer and origin requests and responses
  • Author functions in one region then CloudFront replicates to its locations
  • Use cases:
    • Longer execution times
    • Need adjustable CPU or memory
    • Code depends on libraries such as SDK
    • Network access to use external services for processing
    • File system access or access to the body of HTTP requests

Lambda in VPC

  • By default Lambda runs outside your VPC, so it cannot reach private resources in it (RDS, ElastiCache, internal load balancers)
  • To connect it, configure the function with the VPC ID, subnets and security groups; Lambda then creates an elastic network interface in your subnets (the execution role needs ENI permissions, e.g. the AWSLambdaVPCAccessExecutionRole managed policy)
  • A function in a private subnet loses internet access unless the subnet routes through a NAT gateway

Lambda with RDS Proxy

  • Many concurrent function instances each opening their own database connection can exhaust the database's connection limit
  • RDS Proxy improves scalability by pooling and sharing DB connections; it can enforce IAM authentication and keeps the DB credentials in Secrets Manager
    • The function must be deployed in your VPC, because RDS Proxy is never publicly accessible

Invoking Lambda From RDS & Aurora

  • You can invoke functions within a DB instance to process data events from a database
  • Supported for RDS for PostgreSQL and Aurora MySQL
  • Must allow outbound traffic to function from within your DB instance (public, NAT gateway, VPC endpoints)
  • The DB instance must have permissions to invoke the function (IAM policy and lambda resource-based policy)

RDS Event Notifications

  • Can subscribe to the event categories: DB instance, DB snapshot, DB Parameter Group, DB Security Group, RDS Proxy, Custom Engine Version
  • Get notified information about a DB instance, such as when it's created, stopped, started, etc.
  • Near real-time: events can be delayed by up to 5 minutes
  • You can send notifications to SNS or subscribe to events using EventBridge

DynamoDB

  • A fully managed non-relational database service that's highly available with Multi-AZ replication
  • Attributes:
    • Distributed and scales to massive workloads
    • Can handle millions of requests per second with up to hundreds of TB of storage
    • Single-digit millisecond latency with consistent performance
    • Integrated with IAM for security
    • Low cost and has auto-scaling, no need to maintain or patch
    • Two table classes: Standard and Standard-Infrequent Access (Standard-IA)

DynamoDB Structure

  • DynamoDB consists of Tables
    • Each table has a Primary Key decided at creation time
    • Each table can have an unlimited number of rows (items)
      • Each item has attributes (can be null)
      • Max. size of an item is 400KB
      • Supported item datatypes are:
        • Scalar: String, Number, Binary, Boolean, Null
        • Document: List, Map
        • Set: String Set, Number Set, Binary Set
  • With DynamoDB, you can rapidly evolve schemas

DynamoDB Read/Write Capacity Modes

  • Provisioned Mode (default)
    • Specify number of reads/writes per second
    • Need to plan capacity beforehand
    • You pay for provisioned Read Capacity Units and Write Capacity Units (can add auto-scaling mode for either)
  • On-Demand Mode
    • Read/writes automatically scale up/down with your workloads
    • No capacity planning needed
    • You pay for what you use but it's more expensive
    • Useful for unpredictable workloads

DynamoDB Accelerator

  • Fully managed and highly available memory cache for DynamoDB
  • Solves read congestion by caching; reads served from the cache return in microseconds
  • No new app logic is required to use DAX
  • Default of 5 minutes TTL for cache

DynamoDB Stream Processing

  • Ordered stream of item-level modifications (create, update, delete) in a table
  • Useful for real-time changes, analytics, cross-region replication and invoking lambda on changes to your tables
  • DynamoDB Streams
    • 24 hours retention
    • Limited consumers
    • Process using Lambda Triggers or DynamoDB Stream Kinesis adapter
  • Kinesis Data Streams
    • 1 year retention
    • High number of consumers
    • Process using Lambda, Kinesis Data Analytics, Firehose, AWS Glue Streaming ETL, etc.
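
The handler below is an added example (not from the notes) of a Lambda trigger on a DynamoDB stream, in Node.js. It decodes the DynamoDB JSON attribute types listed under DynamoDB Structure (scalar, document and set) from each record's old and new image and produces an audit entry naming the attributes that changed. The sample batch, table layout and attribute names are constructed for the example.

```javascript
// Added example (not from the notes): Node.js Lambda handler for a DynamoDB
// Streams trigger. With the NEW_AND_OLD_IMAGES view type each record carries
// the item's key and its state before and after the change, encoded as
// DynamoDB JSON (typed attribute values). The handler decodes the images and
// emits one audit entry per record. SAMPLE_EVENT is constructed for this example.

// Decode one DynamoDB JSON attribute value ({ S: ... }, { N: ... }, { M: ... }, ...)
// into a plain JavaScript value. Covers the scalar, document and set types.
function unmarshal(attr) {
    var type = Object.keys(attr)[0];
    var v = attr[type];
    switch (type) {
        case 'S':    return v;
        case 'N':    return Number(v);                      // numbers travel as strings
        case 'BOOL': return v;
        case 'NULL': return null;
        case 'B':    return Buffer.from(v, 'base64');       // binary is base64 text in the stream
        case 'SS':   return v.slice();
        case 'NS':   return v.map(Number);
        case 'BS':   return v.map(function (b) { return Buffer.from(b, 'base64'); });
        case 'L':    return v.map(unmarshal);
        case 'M':    return unmarshalItem(v);
        default:     throw new Error('unknown DynamoDB attribute type: ' + type);
    }
}

function unmarshalItem(image) {
    var out = {};
    Object.keys(image).forEach(function (k) { out[k] = unmarshal(image[k]); });
    return out;
}

// Names of attributes whose value differs between the two images (sorted).
function changedAttributes(oldItem, newItem) {
    var seen = {};
    Object.keys(oldItem).concat(Object.keys(newItem)).forEach(function (k) { seen[k] = true; });
    return Object.keys(seen).filter(function (k) {
        return JSON.stringify(oldItem[k]) !== JSON.stringify(newItem[k]);
    }).sort();
}

function auditRecord(record) {
    var ddb = record.dynamodb;
    var oldItem = ddb.OldImage ? unmarshalItem(ddb.OldImage) : {};
    var newItem = ddb.NewImage ? unmarshalItem(ddb.NewImage) : {};
    return {
        sequence: ddb.SequenceNumber,            // ordering within a shard
        event: record.eventName,                 // INSERT, MODIFY or REMOVE
        keys: unmarshalItem(ddb.Keys),
        changed: changedAttributes(oldItem, newItem),
        after: newItem                           // empty for REMOVE
    };
}

function processStream(event) {
    return event.Records.map(auditRecord);
}

// Lambda entry point. An exception here makes Lambda retry the whole batch
// (and, past the retry limit, drop it), so a production handler would return
// batchItemFailures with ReportBatchItemFailures enabled on the event source.
async function handler(event) {
    var entries = processStream(event);
    entries.forEach(function (e) { console.log(JSON.stringify(e)); });
    return { processed: entries.length };
}
if (typeof module !== 'undefined') module.exports = { handler: handler, processStream: processStream };

// Constructed sample batch: one INSERT, one MODIFY and one REMOVE of the same item.
var SAMPLE_EVENT = { Records: [
    { eventID: '1', eventName: 'INSERT', dynamodb: { Keys: { userId: { S: 'u-1' } },
      NewImage: { userId: { S: 'u-1' }, balance: { N: '100' }, tags: { SS: ['new'] },
                  profile: { M: { mfa: { BOOL: false } } } },
      SequenceNumber: '100', StreamViewType: 'NEW_AND_OLD_IMAGES' } },
    { eventID: '2', eventName: 'MODIFY', dynamodb: { Keys: { userId: { S: 'u-1' } },
      OldImage: { userId: { S: 'u-1' }, balance: { N: '100' }, tags: { SS: ['new'] },
                  profile: { M: { mfa: { BOOL: false } } } },
      NewImage: { userId: { S: 'u-1' }, balance: { N: '250' }, tags: { SS: ['new'] },
                  profile: { M: { mfa: { BOOL: true } } }, note: { NULL: true } },
      SequenceNumber: '101', StreamViewType: 'NEW_AND_OLD_IMAGES' } },
    { eventID: '3', eventName: 'REMOVE', dynamodb: { Keys: { userId: { S: 'u-1' } },
      OldImage: { userId: { S: 'u-1' }, balance: { N: '250' }, tags: { SS: ['new'] },
                  profile: { M: { mfa: { BOOL: true } } }, note: { NULL: true } },
      SequenceNumber: '102', StreamViewType: 'NEW_AND_OLD_IMAGES' } }
] };
```

Attach it to the table's stream with the NEW_AND_OLD_IMAGES view type; with KEYS_ONLY or NEW_IMAGE the OldImage is absent and every attribute shows as changed. Records from one shard arrive in order, so the sequence numbers can be used to spot replays when a batch is retried.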

DynamoDB Global Tables

  • Enables tables to be accessed with low-latency across multiple regions
  • Has active-active replication
  • Apps can read and write to the table in any region
  • Must enable DynamoDB Streams to use this feature

DynamoDB TTL

  • You can automatically delete items after an expiry timestamp
  • Useful for reducing stored data, web session handling and adhering to regulatory obligations

DynamoDB Backups

  • Continuous backups using point-in-time recovery
    • Optional; when enabled you can restore to any point in the last 35 days
    • A PITR restore creates a new table
  • On-demand backups
    • Full backups for long-term retention until deleted explicitly
    • No effect on performance or latency
    • Configurable and manageable in AWS Backup which can enable cross-region replication
    • Recovery process also creates a new table

DynamoDB and S3 Integration

  • Export to S3 (need to enable PITR)
    • DynamoDB JSON or ION format
    • Read capacity unaffected
  • Import from S3
    • CSV, DynamoDB JSON or ION format
    • No write capacity consumed
    • Logged import errors with CloudWatch

API Gateway

  • Serverless
  • Supports WebSocket protocol
  • Can handle different API versions, environments and security
  • You can create API keys to handle request throttling
  • APIs can be defined using Swagger / OpenAPI
  • Can transform and validate requests and responses
  • SDK and API specifications can be generated
  • API responses are cacheable

API Gateway Integrations

  • Lambda
    • Expose REST API
  • HTTP
    • Expose HTTP endpoints in backend
    • Add rate limiting, caching, user authentication, etc.
  • AWS Service
    • Expose any AWS API via API Gateway
    • Add authentication, public deployment, rate control, etc.

API Gateway Endpoint Types

  • Edge-Optimized (default)
    • For global clients
    • Route requests through edge locations
  • Regional
    • For clients within the same region
    • Can be combined manually with CloudFront for more control over caching and distribution
  • Private
    • Only accessible from your VPC through an interface VPC endpoint (ENI)
    • Uses a resource policy to define access

API Gateway Security

  • User authentication via IAM roles (internal apps), Cognito user pools (external users) or a custom Lambda authorizer
  • Custom domain name HTTPS security through Certificate Manager integration
    • Certificate must be us-east-1 if using an Edge-Optimized endpoint
    • Certificate must be in the API Gateway region if using a Regional endpoint
    • CNAME or A-alias record must be set up in Route 53

AWS Step Functions

  • Orchestrate Lambda functions by building serverless visual workflows
  • Features sequence, parallel, conditions, timeouts, error handling, etc.
  • Can integrate with EC2, ECS, on-premises servers, API Gateway, SQS, etc.
  • Useful for order fulfillment, data processing, web apps or any workflow

Cognito

  • Provides users an identity to interact with a web or mobile app
  • Cognito User Pools
    • Users go through sign-up/sign-in functionality
    • Integrate with API Gateway and ALB
  • Cognito Identity Pools (Federated Identity)
    • Provide AWS credentials to users to access resources directly
    • Integrates with user pools as an identity provider

Cognito User Pools

  • User features:
    • Serverless DB of users for your web and mobile app
    • Standard username/password login
    • Password reset
    • Verification (email, phone)
    • MFA
    • Federated identities (Facebook, Google, SAML)
  • Integrates with API Gateway and ALB

Cognito Identity Pools

  • Obtain temporary AWS credentials for users (source can be user pools, 3rd party logins, etc.)
  • Users can then access AWS services directly or through API Gateway
  • IAM policies applied to the credentials are defined in Cognito
  • They can be customized per user (e.g. based on user_id) for fine-grained control
  • Authenticated and guest (unauthenticated) users receive default IAM roles
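
As an added example for the fine-grained control mentioned above (not from the notes), the policy below is what you would attach to the identity pool's authenticated role so that each user can only reach the DynamoDB items whose partition key is their own Cognito identity ID; the two functions after it emulate how IAM evaluates the condition so the effect can be checked offline. The table ARN and identity IDs are placeholders.

```javascript
// Added example (not from the notes): IAM policy for an identity pool's
// authenticated role that confines each user to DynamoDB items whose partition
// key equals their Cognito identity ID, plus a small emulation of how IAM
// evaluates that condition. The table ARN is a placeholder.
function scopedDynamoPolicy(tableArn) {
    return {
        Version: '2012-10-17',
        Statement: [{
            Effect: 'Allow',
            // Deliberately no dynamodb:Scan: a Scan carries no key values, and
            // ForAllValues evaluates to true when the request has none, so Scan
            // would read every user's items.
            Action: ['dynamodb:GetItem', 'dynamodb:BatchGetItem', 'dynamodb:Query',
                     'dynamodb:PutItem', 'dynamodb:UpdateItem', 'dynamodb:DeleteItem'],
            Resource: tableArn,
            Condition: {
                'ForAllValues:StringEquals': {
                    // Substituted per request with the caller's identity ID (e.g. "us-east-1:1a2b-...")
                    'dynamodb:LeadingKeys': ['${cognito-identity.amazonaws.com:sub}']
                }
            }
        }]
    };
}

// ForAllValues:StringEquals semantics: every partition-key value in the request
// must match one of the policy values; an empty set matches trivially.
function leadingKeysAllowed(policy, identityId, requestedPartitionKeys) {
    var allowed = policy.Statement[0].Condition['ForAllValues:StringEquals']['dynamodb:LeadingKeys']
        .map(function (v) { return v.replace('${cognito-identity.amazonaws.com:sub}', identityId); });
    return requestedPartitionKeys.every(function (k) { return allowed.indexOf(k) !== -1; });
}

// Decide a request against the policy: the action must be granted and the
// condition must hold; anything else is an implicit deny.
function isAllowed(policy, identityId, action, requestedPartitionKeys) {
    var stmt = policy.Statement[0];
    if (stmt.Action.indexOf(action) === -1) return false;
    return leadingKeysAllowed(policy, identityId, requestedPartitionKeys);
}
```

The dynamodb:LeadingKeys key only helps when the partition key value is the identity ID, so the table (or index) must be designed around that. ForAllValues treats a request with no key values as a match, which is why dynamodb:Scan is left out of the actions; granting it would let any user read the whole table.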