
Page 1: DevOps, Microservices and Serverless Architecture

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Mikhail Prudnikov, Solutions Architect, AWS

May 2016

DevOps, Microservices and Serverless Architecture

Page 2: DevOps, Microservices and Serverless Architecture

What to Expect from the Session

• DevOps and Software Delivery
• Rise of Microservices
• ECS and Containers
• Serverless Architecture
• API Gateway + Lambda

Page 3: DevOps, Microservices and Serverless Architecture
Page 4: DevOps, Microservices and Serverless Architecture

Toolchains

Page 5: DevOps, Microservices and Serverless Architecture

Services

Page 6: DevOps, Microservices and Serverless Architecture

Microservices

Sam Newman : “Building Microservices” O’Reilly Publishing

Adrian Cockcroft : numerous talks, presentations, blog posts

• “Loosely coupled service oriented architecture with bounded contexts”

Martin Fowler : numerous blog posts

2 sessions at AWS re:Invent 2014

8 sessions at AWS re:Invent 2015

Page 7: DevOps, Microservices and Serverless Architecture

Development Transformation at Amazon

2001: monolithic application + teams

2009: microservices + 2 pizza teams

Page 8: DevOps, Microservices and Serverless Architecture

Availability vs Velocity of Change

AWS re:Invent 2015 | (SPOT302) Availability: The New Kind of Innovator’s Dilemma

Page 9: DevOps, Microservices and Serverless Architecture

Availability and Velocity of Change Thoughts

• "Everything fails, all the time" Werner Vogels, CTO Amazon.com

• How long does it take to push a single line of code to production?

• Do you have the feedback loop?

Page 10: DevOps, Microservices and Serverless Architecture

Multiple Compute Options

• VMs (EC2)
  • Machine as the unit of scale
  • Abstracts the hardware

• Containers (ECS)
  • Application as the unit of scale
  • Abstracts the OS

• Serverless (Lambda)
  • Functions as the unit of scale
  • Abstracts the language runtime

Page 11: DevOps, Microservices and Serverless Architecture

Which Option is Right?

• VMs (EC2)
  “I want to configure machines, storage, networking, and my OS”

• Containers (ECS)
  “I want to run servers, configure applications, and control scaling”

• Serverless (Lambda)
  “Run my code when it’s needed”

Page 12: DevOps, Microservices and Serverless Architecture

Hypervisor Containers

ECS on AWS

Page 13: DevOps, Microservices and Serverless Architecture

ECS Internals & Flow

Diagram: an ECS Cluster is made up of Container Instances, each running the ECS Agent and one or more Tasks, and each Task is made up of Containers. A Task Definition (container images from ECR, source from CodeCommit) is used to Run Task or Schedule Task, either directly or through a Task + Service Definition.

Page 14: DevOps, Microservices and Serverless Architecture

Scaling ECS With Lambda

Cloudwatch metrics tied to SNS

SNS triggers Lambda Container Scaling function

Lambda scales task count on cluster

Bonus - Extensible ‘cluster intelligence’ layer
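The slide only names the pieces of the scaling loop. The following is an added example, not code from the deck, of the decision logic such a "container scaling" Lambda function would run: it unwraps the CloudWatch alarm that SNS delivers, reads the cluster and service from the alarm's dimensions, and moves the service's desired task count by a fixed step within a floor and a ceiling. The alarm-naming convention (`-high` / `-low`), the step and bounds, and the `FakeECS` stand-in for `boto3.client("ecs")` are assumptions made so the module runs offline.

```python
"""Added example (not from the deck): ECS scaling decision logic for a Lambda
function triggered by an SNS-delivered CloudWatch alarm.

Assumptions (not in the slides): alarm names end in '-high' or '-low' to
encode the scaling direction; cluster and service come from the alarm's
dimensions; FakeECS replaces boto3's ECS client so the example runs offline.
"""
import json

MIN_TASKS = 1   # never scale the service to zero
MAX_TASKS = 10  # cap chosen for the example; size it to the cluster
STEP = 2


def alarm_event(alarm_name, state, cluster="prod", service="web"):
    """Constructed SNS event in the shape CloudWatch alarm notifications use."""
    alarm = {
        "AlarmName": alarm_name,
        "NewStateValue": state,
        "Trigger": {
            "MetricName": "CPUUtilization",
            "Namespace": "AWS/ECS",
            "Dimensions": [{"name": "ClusterName", "value": cluster},
                           {"name": "ServiceName", "value": service}],
        },
    }
    return {"Records": [{"Sns": {"Message": json.dumps(alarm)}}]}


def parse_alarm(sns_event):
    """SNS wraps the alarm JSON as a string in Records[0].Sns.Message."""
    return json.loads(sns_event["Records"][0]["Sns"]["Message"])


def dimensions(alarm):
    """Turn the alarm's Trigger.Dimensions list into a name -> value dict."""
    return {d["name"]: d["value"] for d in alarm["Trigger"]["Dimensions"]}


def desired_count(current, alarm):
    """New desired count clamped to [MIN_TASKS, MAX_TASKS].

    Only a transition into ALARM scales; OK and INSUFFICIENT_DATA leave the
    count unchanged, so flapping alarms do not thrash the service.
    """
    if alarm["NewStateValue"] != "ALARM":
        return current
    name = alarm["AlarmName"]
    if name.endswith("-high"):
        return min(current + STEP, MAX_TASKS)
    if name.endswith("-low"):
        return max(current - STEP, MIN_TASKS)
    raise ValueError("alarm name does not encode a direction: %s" % name)


class FakeECS:
    """Minimal stand-in for boto3.client('ecs') so the example runs offline."""

    def __init__(self, running):
        self.running = running
        self.updates = []

    def describe_services(self, cluster, services):
        return {"services": [{"serviceName": s, "desiredCount": self.running}
                             for s in services]}

    def update_service(self, cluster, service, desiredCount):
        self.updates.append((cluster, service, desiredCount))
        self.running = desiredCount
        return {"service": {"desiredCount": desiredCount}}


def handler(event, context=None, ecs=None):
    """Lambda entry point; a real deployment uses the boto3 ECS client."""
    if ecs is None:
        import boto3  # only needed when running inside Lambda
        ecs = boto3.client("ecs")
    alarm = parse_alarm(event)
    dims = dimensions(alarm)
    cluster, service = dims["ClusterName"], dims["ServiceName"]
    current = ecs.describe_services(cluster=cluster, services=[service])
    current = current["services"][0]["desiredCount"]
    target = desired_count(current, alarm)
    if target != current:
        ecs.update_service(cluster=cluster, service=service, desiredCount=target)
    return {"cluster": cluster, "service": service, "from": current, "to": target}


SAMPLE_EVENT = alarm_event("web-cpu-high", "ALARM")

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, ecs=FakeECS(running=3)))
```

The function's execution role needs only `ecs:DescribeServices` and `ecs:UpdateService`, and can be restricted to the one service ARN; the SNS subscription should be the only thing allowed to invoke it, since anyone who can invoke the function can resize the service.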

Page 15: DevOps, Microservices and Serverless Architecture

ECS Reference Service Discovery

Page 16: DevOps, Microservices and Serverless Architecture

Continuous Integration & Deployment to ECS

Container Registry

CodeCommit

Page 17: DevOps, Microservices and Serverless Architecture

Monitoring with Amazon CloudWatch

Metric data sent to CloudWatch in 1-minute periods and recorded for a period of two weeks

Available metrics: CPUReservation, MemoryReservation, CPUUtilization, MemoryUtilization

Available dimensions: ClusterName, ServiceName

Page 18: DevOps, Microservices and Serverless Architecture

Monitoring with Amazon CloudWatch

Use the Amazon CloudWatch Monitoring Scripts to monitor additional metrics, e.g. disk space

# Edit crontab
> crontab -e

# Add command to report disk space utilization to CloudWatch every five minutes
*/5 * * * * <path_to>/mon-put-instance-data.pl --disk-space-util --disk-space-used --disk-space-avail --disk-path=/ --from-cron

Page 19: DevOps, Microservices and Serverless Architecture

Logging with Amazon CloudWatch Logs

Logging container with syslogd and CloudWatch Logs Agent

• Attach a /var/log volume to the logging container

• Link other containers to it for syslogd

Diagram: on each Container instance in the ECS Cluster, the ECS Agent logs and Docker logs flow through syslogd into the CloudWatch Logs Agent, which ships them to CloudWatch Logs.

Page 20: DevOps, Microservices and Serverless Architecture

Managing Infrastructure Is Sadness

Page 21: DevOps, Microservices and Serverless Architecture

The Serverless Compute Manifesto

• Functions are the unit of deployment and scaling.
• No machines, VMs, or containers visible in the programming model.
• Permanent storage lives elsewhere.
• Scales per request. Users cannot over- or under-provision capacity.
• Never pay for idle (no cold servers/containers or their costs).
• Implicitly fault-tolerant because functions can run anywhere.
• BYOC – Bring your own code.
• Metrics and logging are a universal right.

Page 22: DevOps, Microservices and Serverless Architecture

Benefits of Amazon API Gateway

• Create a unified API frontend for multiple microservices

• DDoS protection and throttling for your backend

• Authenticate and authorize requests to a backend

Page 23: DevOps, Microservices and Serverless Architecture

Benefits of AWS Lambda

• Code is all you need

• Event driven scaling

• Never pay for idle

• Availability and fault tolerance built in

Page 24: DevOps, Microservices and Serverless Architecture

Standard API Architecture

Diagram: WEB servers in an Auto Scaling group spread over VPC subnets in Availability Zone A and Availability Zone B, deployed in two regions (Oregon, Tokyo). Servers register via API and send a server heartbeat; a cleanup loop uses the EC2 API to start/stop instances; a separate JOBS tier.

Page 25: DevOps, Microservices and Serverless Architecture

Serverless API Architecture

Diagram: Internet clients (mobile apps, websites, services) reach Amazon CloudFront, then Amazon API Gateway (with the API Gateway cache, reporting to Amazon CloudWatch), which fronts the backends: AWS Lambda functions, endpoints on Amazon EC2, or any other publicly accessible endpoint.

Page 26: DevOps, Microservices and Serverless Architecture

Lambda Service Integrations

DATA STORES: Amazon S3, Amazon DynamoDB, Amazon Kinesis

ENDPOINTS: Amazon API Gateway, Amazon Cognito, AWS IoT, Amazon Alexa

REPOSITORIES: AWS CloudFormation, AWS CloudTrail, Amazon CloudWatch Logs

EVENT/MESSAGE SERVICES: Amazon SNS, Amazon SES, Cron events

… and the list will continue to grow!

Page 27: DevOps, Microservices and Serverless Architecture

Multiple Application Types

Analytics
• Operational management
• Live Dashboards

Data workflows
• Content management
• ETL workflows

Interactive Backends
• Bots
• Webhooks

Autonomous IT
• Policy engines
• Infrastructure management

Page 28: DevOps, Microservices and Serverless Architecture

Auth Option 1 – Pervasive throughout AWS

Diagram: Mobile Apps call API Gateway with SigV4-signed requests; API Gateway invokes the AWS Lambda function (lambdaHandler) with the caller's credentials; the function's service calls to DynamoDB are authorized using the IAM Role.

Page 29: DevOps, Microservices and Serverless Architecture

Auth Option 1 – Fine Grained Access

Diagram: an Internet client reaches Amazon CloudFront, then API Gateway, then the AWS Lambda functions, which execute with the role below and call DynamoDB. The credentials and context (Cognito ID, here cognitoId2) are passed along, and both AWS Lambda and DynamoDB follow the access policy.

Condition block of the role's DynamoDB policy:

…
"Condition": {
  "ForAllValues:StringEquals": {
    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
    "dynamodb:Attributes": ["UserId", "GameTitle", "Wins", "Losses", "TopScore", "TopScoreDateTime"]
  },
  "StringEqualsIfExists": {
    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
  }
}
…

Table contents (UserID, Wins, Losses):

cognitoId1  3  2
cognitoId2  5  8
cognitoId3  2  3
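To make the condition block concrete, here is an added example, not from the deck, that places it inside a complete IAM policy statement and pairs it with a small simulator showing which DynamoDB requests the statement permits for a given Cognito identity. The simulator covers only the three condition keys the slide uses (`dynamodb:LeadingKeys`, `dynamodb:Attributes`, `dynamodb:Select`) and is not IAM's evaluator; the table name, region and account number are assumed.

```python
"""Added example (not from the deck): the slide's condition block inside a full
IAM statement, plus a simplified simulator for the three condition keys used.

Assumptions (not in the slides): table 'GameScores' in us-west-2 under account
123456789012; the caller's Cognito identity id is substituted for the policy
variable ${cognito-identity.amazonaws.com:sub}.
"""

COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"

ALLOWED_ATTRIBUTES = ["UserId", "GameTitle", "Wins", "Losses",
                      "TopScore", "TopScoreDateTime"]

POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query",
               "dynamodb:PutItem", "dynamodb:UpdateItem"],
    "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores",
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [COGNITO_SUB],
            "dynamodb:Attributes": ALLOWED_ATTRIBUTES,
        },
        "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
    },
}


def is_allowed(statement, caller_sub, action, leading_keys, attributes,
               select=None):
    """Simplified check of one Allow statement against a DynamoDB request.

    caller_sub:   the Cognito identity id carried in the request context
    leading_keys: partition-key values the request touches (dynamodb:LeadingKeys)
    attributes:   attribute names read or written (dynamodb:Attributes)
    select:       the Select parameter of a Query, or None when absent
    """
    if action not in statement["Action"]:
        return False
    cond = statement["Condition"]
    for_all = cond["ForAllValues:StringEquals"]

    # Resolve the policy variable to the caller's identity.
    permitted_keys = [k.replace(COGNITO_SUB, caller_sub)
                      for k in for_all["dynamodb:LeadingKeys"]]

    # ForAllValues: every value in the request must be in the policy's set.
    # (An empty request set matches trivially, as in IAM.)
    if not all(k in permitted_keys for k in leading_keys):
        return False
    if not all(a in for_all["dynamodb:Attributes"] for a in attributes):
        return False

    # ...IfExists: only enforced when the request actually carries the key,
    # so GetItem/PutItem (no Select parameter) are unaffected.
    wanted_select = cond["StringEqualsIfExists"]["dynamodb:Select"]
    if select is not None and select != wanted_select:
        return False
    return True


if __name__ == "__main__":
    # cognitoId2 may read its own row, but not cognitoId1's.
    print(is_allowed(POLICY_STATEMENT, "cognitoId2", "dynamodb:GetItem",
                     ["cognitoId2"], ["Wins", "Losses"]))
    print(is_allowed(POLICY_STATEMENT, "cognitoId2", "dynamodb:GetItem",
                     ["cognitoId1"], ["Wins"]))
```

The `Select` condition matters because a Query that omits `Select` or asks for `ALL_ATTRIBUTES` would bypass the attribute list; forcing `SPECIFIC_ATTRIBUTES` makes the client name the attributes, which the `dynamodb:Attributes` condition then checks.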

Page 30: DevOps, Microservices and Serverless Architecture

Auth Option 2 – Custom Auth With Lambda

Diagram: the Client sends an OAuth token to API Gateway; API Gateway invokes the Lambda Auth function, which validates the token against the OAuth provider and returns a policy. The policy is evaluated and cached. Allowed requests go on to the backend (AWS Lambda functions, endpoints on Amazon EC2, or any other publicly accessible endpoint); denied requests get a 403.
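The slide shows the flow but not what the auth function returns. The following is an added example, not from the deck, of a custom authorizer handler in the shape API Gateway expects: it reads the bearer token, verifies it, and answers with a `principalId` plus an `execute-api:Invoke` policy that API Gateway caches. The token format is an assumption: an HS256 JWT verified locally with a shared secret stands in for the round trip to the OAuth provider. Raising `Exception("Unauthorized")` gives the client a 401; returning a Deny policy gives the 403 on the slide.

```python
"""Added example (not from the deck): an API Gateway custom authorizer.

Assumptions (not in the slides): tokens are HS256 JWTs checked against a
shared secret in place of an OAuth provider call; the expected audience is
'my-api'; make_token exists only to mint sample tokens for the example.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"  # constructed for the example
EXPECTED_AUD = "my-api"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret=SECRET):
    """Mint an HS256 JWT; used here only to build sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, secret=SECRET):
    """Return the claims if the signature checks out, else None.

    Expiry and audience are left to the caller so it can answer with a
    Deny policy rather than a 401.
    """
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm: never let the token choose 'none' or swap in
        # an asymmetric alg that would be 'verified' with the HMAC key.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64 or JSON
        return None


def policy(principal_id, effect, resource, context=None):
    """Response document in the shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": resource}],
        },
        "context": context or {},
    }


def handler(event, context=None, now=None):
    """Lambda entry point for a TOKEN-type custom authorizer."""
    now = time.time() if now is None else now
    token = event.get("authorizationToken", "")
    if not token.startswith("Bearer "):
        raise Exception("Unauthorized")  # API Gateway maps this to 401
    claims = verify_token(token[len("Bearer "):])
    if claims is None:
        raise Exception("Unauthorized")  # bad signature: 401
    method_arn = event["methodArn"]
    if claims.get("aud") != EXPECTED_AUD or claims.get("exp", 0) < now:
        return policy(claims.get("sub", "unknown"), "Deny", method_arn)  # 403
    return policy(claims["sub"], "Allow", method_arn,
                  {"scope": claims.get("scope", "")})
```

Because API Gateway caches the returned policy per token, the `Resource` in the Allow statement decides which methods later requests with the same token may call: a policy scoped to the one `methodArn` that triggered it will deny other methods until the cache entry expires, so authorizers commonly grant a broader resource ARN (all methods of the stage) when that matches the token's scope.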

Page 31: DevOps, Microservices and Serverless Architecture

Managing Multiple Versions and Stages of APIs

Works like a source repository – clone your API to create a new version

API 1 (v1): Stage (dev), Stage (prod)

API 2 (v2): Stage (dev)

Page 32: DevOps, Microservices and Serverless Architecture

Custom Domain Names

Use custom domain names to put 2 different APIs (V1 and V2) under the same domain

• Custom domain names can point to an API or a Stage

• A custom domain name can include a base path

• Use v1 as your base path in the custom domain name
  • Pointing to an API, you have access to all Stages
    • Beta (e.g. yourapi.com/v1/beta)
    • Prod (e.g. yourapi.com/v1/prod)
  • Pointing directly to your “prod” Stage
    • Prod (e.g. yourapi.com/v1)

Page 33: DevOps, Microservices and Serverless Architecture

Stage Variables and Lambda Aliases

Using Stage Variables in API Gateway together with Lambda function Aliases helps you manage a single API configuration and Lambda function for multiple stages

myLambdaFunction aliases: 123 = prod, 456 = beta, 78 = dev

My First API, stage variable lambdaAlias:
• Prod: lambdaAlias = prod
• Beta: lambdaAlias = beta
• Dev: lambdaAlias = dev

Page 34: DevOps, Microservices and Serverless Architecture

Serverless Framework

Serverless is an application framework for building serverless web, mobile and IoT applications. Serverless comes in the form of a command line interface that provides structure, automation and optimization to help you build and maintain your serverless apps.

http://www.serverless.com

https://github.com/serverless/serverless

Page 35: DevOps, Microservices and Serverless Architecture

Example: Backends

https://github.com/awslabs/lambda-refarch-webapp

Page 36: DevOps, Microservices and Serverless Architecture

Example: Real Time File Processing

https://github.com/awslabs/lambda-refarch-fileprocessing

Page 37: DevOps, Microservices and Serverless Architecture

Example: Stream Processing

https://github.com/awslabs/lambda-refarch-streamprocessing

Page 38: DevOps, Microservices and Serverless Architecture

Function schedules: The how-to guide

• How can I keep a function warm (no cold starts)?
  Schedule it!

• How can I poll a queue (like SQS)?
  Schedule a function to read the queue.

• How can I get more timers?
  Have one scheduled function async invoke other functions.

• How can I get granularity finer than 1 minute?
  Run a background timer in your scheduled function.

Page 39: DevOps, Microservices and Serverless Architecture

Function versioning: The how-to guide

• How can I get mutable configuration info?
  Read it (e.g. from DynamoDB) during function initialization.
  Wrap your config in a function and call it from your published code.

• How do I “roll back” in AWS Lambda?
  Using aliases, just switch what the alias points to.

• How do I do blue/green deployments?
  AWS Lambda handles fleet deployments, but if you want to shape traffic, put a second “traffic cop” function in front.

• How can I lock a client/device onto an old version?
  Point them directly to that version’s ARN.

Page 40: DevOps, Microservices and Serverless Architecture

AWS Lambda VPC basics

• All Lambda functions run in an AWS-managed VPC, all the time
  You never need to “turn on” security – it’s always on

• You can also grant Lambda functions access to resources in your VPC
  How: add VPC subnet IDs and security group IDs to the function config
  Typical uses: RDS, ElastiCache, private EC2 endpoints
  Allows access to peered VPCs, VPN endpoints, and private S3 endpoints
  The function's execution role must be allowed to create and delete the network interfaces Lambda places in your subnets (the managed AWSLambdaVPCAccessExecutionRole policy grants this)

• Functions configured for VPC access lose internet access…
  …unless you have managed NAT or a NAT instance in the VPC
  …even if you have “Auto-assign Public IP” enabled
  …even if you have an internet gateway set up in your VPC
  …even if your security group allows all outbound traffic

Page 41: DevOps, Microservices and Serverless Architecture

Thank you!