Taking serverless to the edge

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
George John, AWS Product Manager
03.15.18
AWS Meetup
Taking Serverless to the Edge
Archit Jain, Software Development Engineer

What is covered in this session
• What is serverless compute?
• Why do serverless at the edge ?
• How can you do it with Lambda@Edge ?

No servers to provision
or manage
Scales with usage
Never pay for idle Built-in availability
and fault tolerance
Serverless means…

How it works
EVENT SOURCE SERVICES (ANYTHING)
Changes in data
state
Requests to
endpoints
Changes in
resource state
FUNCTION

… but what if you could run your Lambda
functions at the Edge?

Amazon CloudFrontAWS Lambda
Lambda@Edge
Lambda@Edge

CloudFront: Global Content Delivery Network
§ Accelerate static and dynamic content
§ Global Infrastructure
§ Highly Secure
§ Massively Scalable
§ Self Service
§ Priced to Minimize Cost

114 Points of Presence (103 Edge locations + 11 Regional Edge Caches)

Origin
Amazon CloudFront
Compute
Database
Storage

Amazon CloudFront
Origin
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location

CloudFront + Lambda@Edge
Origin
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location

Lambda@Edge
Globally
distributed
No servers to provision
or manage
Scales with usage Never pay for idle Built-in availability
and fault tolerance
Bring your own code to the Edge to improve viewer experience

Write once, run Lambda functions globally
N Virginia
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location
AWS Location

CloudFront events for Lambda@Edge
CloudFront
cache
Viewer Response Origin Response
Origin
Origin Request
Viewer
Viewer Request

Lambda@Edge Programming Model
Event Driven
• Functions are associated with events
• viewer-request -> my_function:1
• Functions are invoked when these events happen
• viewer-request is run when CloudFront receives a request
• Functions are invoked with the details of the event as input
• my_function:1 is invoked with the request object
• Functions can return results back to the caller
• callback(request)

exports.handler = (event, context, callback) => {
/* viewer-request and origin-request events
* have the request as input */
const request = event.Records[0].cf.request;
/* viewer-response and origin-response events
* have the response as input */
/* const response = event.Records[0].cf.response; */
/* Do the processing – say add a header */
/* When I am done I let CloudFront what to do next */
callback(null, request);
}
Lambda@Edge Programming Model

Taking Serverless to the Edge

From Monolith
Authentication and
authorization
Content management
and processing
Localization, internationalization,
and personalization

From Monolith
Authentication and
authorization
Content management
and processing
and personalization
Application code

To Microservices
Amazon
CloudFront
Authentication and
authorization
Content management
and processing
and personalization
Lambda@Edge FunctionsUser Agents HTTP Origins

VIEWER REQUEST EVENTS
CloudFront
cache
User Agents
Viewer Request
HTTP Origins
Origin Request
Origin RequestViewer Request

VIEWER REQUEST EVENTS
Executed on every request before CloudFront’s cache is checked
Modify cache key (URL, cookies, headers, query string)
Perform stateless authentication and authorization checks
Network calls at viewer request
Generate responses that will not be cached

How STATELESS AUTH works
User Agent
User credentials
Identity provider
(IdP)
JSON Web Token
(JWT)
Legacy application
CloudFront distribution
www.example.com
JWT
JWT public key
Access decision
Origin applicationJWT
S3 Bucket
?
?

VIEWER REQUEST: STATELESS AUTH
JWT
JWT public key
Viewer Request Event
User Agent CloudFront distribution
www.example.com
JWT
HTTP 403, 3XX, etc.
NO
Access decision
Legacy application
S3 Bucket
Origin application
OK

VIEWER REQUEST: STATEFUL AUTH
Viewer Request Event
www.example.com
NO
Paywall message,
403, redirect, etc.
$
Entitlement service
HTTP request
Access decision
HTTP Origins
OK

VIEWER REQUEST: REDIRECT
• Redirect to a login page for non-authenticated users
• In viewer-request function validate the cookie
• If cookie is expired or not present, redirect to login page
CloudFront
cache
Viewer Request
Origin
Origin Request
Viewer

'use strict';
/*
* Generate HTTP redirect response with 302 status code and Location header.
*/
const response = {
status: '302',
statusDescription: 'Found',
headers: {
location: [{
key: 'Location',
value: 'http://mydomain.com/login.html',
}],
},
};
callback(null, response);
};
Example - Redirect

ORIGIN REQUEST EVENTS
CloudFront
cache
User Agents
Viewer Request
HTTP Origins
Origin Request
Viewer Request Origin Request

ORIGIN REQUEST EVENTS
Executed on cache miss, before a request is forwarded to the origin
Make one or more external network calls (30s timeout)
Dynamically select an origin based on request headers
Implement pretty URLs by rewriting the origin URL
Generate responses that can be cached

How template rendering works?
<h1>{ page.title }</h1>
{{ for section in page.sections }}
<h2>{ section.title }</h2>
<p>{ section.body }</p>
{{ endfor }}
"page": {
"title": "Hello",
"sections": [ {
"title": "Introduction",
"body": "The quick..."
}, { ... } ]

ORIGIN REQUESTS: Template Rendering
(Body Generation)
www.example.com
Cache Behavior
/blog
Origin Request
Event
S3 Bucket
blog-templates.s3.amazonaws.com
DynamoDB table
blog-posts
Outbound
network calls
Rendered templateCached response

ORIGIN REQUEST: Content Aggregation
Example: Weather App Landing page
Client: Each user has a set of cities.
http://example.com/weather?cities=Seattle;NYC
Function:
• Parses the URL
• Fetches the relevant data
• Sends the aggregated response to the client (app)
CloudFr
ont
cache
Viewer
Request
Origin
Request
Viewer

Promise.all(forecasts.map(getCityForecast)).then((ret) => {
console.log('Aggregating the responses:n', ret);
const response = {
status: '200', /* Status signals this is a generated response */
statusDescription: 'OK',
headers: {
'content-type': [{
key: 'Content-Type',
value: 'application/json',
}],
'content-encoding': [{
key: 'Content-Encoding',
value: 'UTF-8',
}],
},
body: JSON.stringify(ret, null, 't'),
};
console.log('Generated response: ', JSON.stringify(response));

PRETTY URLS FOR USER/API EXPERIENCE
https://tiles.example.com/zoom/x/y.jpg
S3 Bucket
tiles-v1.s3.amazonaws.com
Legacy Service
old-tile-service.example.net
Elastic Load Balancer
tile-service-123456.us-east-1
.amazonaws.com

ORIGIN REQUESTS : PRETTY URLS
https://tiles.example.com/zoom/x/y.jpg
https://tiles-origin.s3.amazonaws.com/f5fdc6f658a49284b.jpg
Origin Request Event
originPath = sha256(requestPath)
CloudFront cache
Cache key: tiles.example.com/zoom/x/y.jpg
Cached response

ORIGIN REQUESTS: IMAGE PROCESSING
www.example.com
Origin Request
Event
S3 Bucket
image-originals.s3.amazonaws.com
GET
/full-resolution image
Resized image based on request
configurations e.g. Device Type

ORIGIN REQUEST: ORIGIN SELECTION
• Multiple origin setup
• Latency: Talk to the origin closest to the viewer
• Load balance across origins
• Controlled rollout of changes at origin
• A/B Testing of new features
• Blue/Green origin deploys
• Migrating between origins
• Including on-premise to cloud
• Search Engine Optimization
• Serve human and web crawler traffic from separate origins

Origin Selection – A/B Testing
Example: You want to test a new feature. It is only deployed to one of your origins.
In the function:
1. Check to see if this is a active session. (Say, using a cookie.)
2. For active sessions, set the origin based on the value in the cookie.
3. For a new session, decide whether to show A or B variant. And set the origin accordingly.
CloudF
ront
cache
Origin
Request
Viewer
Origin B
Origin A

"s3": {
"domainName": "green-bucket.s3.amazonaws.com”,
"path": "/originPath",
"authMethod": "origin-access-identity",
"region": "us-east-1",
"customHeaders": {
"my-custom-origin-header": [
{
"key": "My-Custom-Origin-Header",
"value": "test-value”
}
]
}
}
Origin Selection
• Origin is present as part of request
• event.Records[0].cf.request.origin
• Modified Origin should also be part of the request
structure returned

desiredOrigin = decide(request);
/* Set custom origin fields*/
request.origin = {
custom: {
domainName: desiredOrigin,
port: 443,
protocol: 'https',
}
};
request.headers['host'] = [{ key: 'host',
value: desiredOrigin }];
};
Example – A/B Testing
function decide(request) {
if (request.headers[‘my-session-cookie’]) {
cookie = request.headers[‘my-session-
cookie’].value;
return decodeOrigin(cookie);
} else {
return chooseOrigin(request);
}
};

TRANSPARENT GLOBAL EXPANSION
Region A
customers
Region A
deployment
Region B
customers Region B
deployment
https://saas.example.com

id user
1 alex
2 bob
3 joe
4 jane
User database
200 OK
Application
User Agent
POST /login
user=jane&pass=***
home-region
na
eu
ap
eu
Set-Cookie: home-region=eu

www.example.com
North America
origin
User DB
Cache Behavior
/login
North America
app DB
hom
e-region=na ?
Europe origin Europe app DB
home-region=eu ?
APAC origin APAC app DB
home-region=ap ?
Cache Behavior
/app
Origin Request
Event
Set-Cookie

ORIGIN REQUEST: ROUTE ON USER AGENT
User Agents
Desktop
Mobile
Bots and
crawlers
www.example.com
Origin Request
Event
Mobile optimized
app
Client-rendered
app
Server-rendered
app
Cloudfront-Is-Mobile-Viewer?
Cloudfront-Is-Desktop-Viewer?
Cloudfront-Is-Tablet-Viewer?
User-Agent?

ORIGIN REQUEST: GENERATE REDIRECT
www.example.com
HTTP redirect
www.example.com/de
Origin Request
Event
Cloudfront-Viewer-Country?
Accept-Language?

'use strict';
const originDomainNames = {
'origin_1': 'origin.us-east-1.example.com',
'origin_2': 'origin.eu-west-1.example.com'
};
const defaultOrigin = 'origin_1';
function chooseOrigin(headers) {
/* Parse cookies, inspect headers, etc. */
if (condition1) {
return 'origin_1';
} else if (condition2) {
return 'origin_2';
} else {
return default_origin;
}
}
ORIGIN REQUEST: CUSTOM ROUTING CODE
const headers = request.headers;
const selectedOrigin = chooseOrigin(headers);
/* Modify the request's `origin` object. */
request.origin = {
custom: {
domainName: originDomainNames[selectedOrigin],
keepAliveTimeout: 5000,
path: '/',
port: 443,
protocol: 'https',
readTimeout: 5000,
sslProtocols: ['TLSv1', 'TLSv1.1']
}
};
};

ORIGIN RESPONSE EVENTS
CloudFront
cache
User Agents
Viewer Request
HTTP Origins
Origin Request
Viewer Response
Origin Response

ORIGIN RESPONSE EVENTS
Executed on cache miss, after a response is received from the origin
Make external network calls (30s timeout)
Modify the response headers prior to caching

'use strict';
const response = event.Records[0].cf.response;
const headers = response.headers;
const headerName = 'Strict-Transport-Security';
const headerValue = 'max-age=31536000; includeSubDomains';
headers[headerName.toLowerCase()] = [{
key: headerName,
value: headerValue
}];
};
ORIGIN RESPONSE: INJECT HEADERS
Content-Type
Cache-Control
HTTP Strict Transport
Security (HSTS)
Content-Security-Policy
and more!

VIEWER RESPONSE EVENTS
CloudFront
cache
User Agents
Viewer Request
HTTP Origins
Origin Request
Origin Response
Viewer Response

VIEWER RESPONSE EVENTS
Executed on all requests, after a response is received from the origin or
cache
Modify the response headers without caching the result
Make external network calls

VIEWER RESPONSE: SET USER COOKIES
User Agent
www.example.com
CloudFront cache Origin fetch
Cache miss
Viewer response event
const sid = uuidv4();
headers['set-cookie'].push({
Key: 'Set-Cookie',
Value: 'sessionid=' + sid });

Demo

Thank you!

Taking serverless to the edge

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Taking serverless to the edge

Similaire à Taking serverless to the edge (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

Taking serverless to the edge