As serverless architectures become more popular, customers need a framework of patterns to help them to identify how to leverage AWS to deploy their workloads without managing servers or operating systems. In this session, we describe reusable serverless patterns while considering costs. For each pattern, we provide operational, security, and reliability best practices and discuss potential challenges. We also demonstrate the implementation of some of the patterns in a reference solution. This session can help you recognize services and applications for serverless architectures in your own organization and understand areas of potential savings and increased agility and reliability.

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Serverless architectural patterns
and best practices
Heitor Lessa
A R C 3 0 7 - R
Principal Serverless Lead, Well-Architected
Amazon Web Services

3. Agenda
Recap on key practices
Patterns – Starring “Call Me Maybe”, The “cherry-pick” and more

4. What we’re not covering
Introduction to AWS serverless platform
Patterns for serverless AI/ML
Best practices for serverless at scale

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. AWS operational responsibility models
On-premises Cloud
Less More
Compute Virtual machine
Amazon EC2 AWS Elastic Beanstalk AWS Lambda
AWS Fargate
Databases MySQL
MySQL on EC2 Amazon RDS MySQL Amazon Aurora Aurora Serverless Amazon QLDB/DynamoDB
Storage Storage
Amazon S3
Messaging ESBs
Amazon MQ Amazon Kinesis Amazon EventBridge/SNS/SQS
Analytics
Hadoop Hadoop on EC2 Amazon EMR Amazon Elasticsearch Service Amazon Athena

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

8. Quick recap: An easier getting-started experience

9. Quick recap: Serverless CI/CD for enterprise

10. Quick recap: Serverless microservices patterns
Circuit Breaker and many more by Jeremy Daly

11. Quick recap: Lambda memory tuning

12. Performance test – Memory tuning, edge to regional API
Retrieve profile
P99 – 802ms to 237ms
Min – 246ms to 70ms

13. Quick recap: Saga within the serverless airline
Start
End
Process booking state machine

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

15. Pattern: The comfortable “REST”
Amazon API Gateway AWS Lambda
Client
Amazon DynamoDB

16. Pattern: The comfortable “REST”
Amazon API Gateway AWS Lambda
Client
Amazon DynamoDB
Amazon CloudWatch
Logs & metrics
AWS X-Ray
Best practices
Enable access logs, structure logs and
instrument your code
Create metrics async with CloudWatch
Embedded Metric Format

17. Pattern: The comfortable “REST”
Amazon API Gateway AWS Lambda Amazon DynamoDB
Amazon CloudWatch
Logs & metrics
AWS X-Ray
Client
x-api-key
100 RPS
50 burst
Best practices
Enable access logs, structure logs and
instrument your code
Create metrics async with CloudWatch
Embedded Metric Format
Regulate inbound access rates

18. Pattern: The comfortable “REST”
Amazon API Gateway AWS Lambda Amazon DynamoDB
Amazon CloudWatch
Logs & metrics
AWS X-Ray
Client
x-api-key
100 RPS
50 burst
AWS Secrets Manager
Amazon Cognito
Best practices
Enable access logs, structure logs and
instrument your code
Create metrics async with CloudWatch
Embedded Metric Format
Regulate inbound access rates
Authorize consumers. Manage secrets
with AWS Secrets Manager

19. Pattern: The comfortable “REST”
Amazon API Gateway AWS Lambda Amazon DynamoDB
Amazon CloudWatch
Logs & metrics
AWS X-Ray
Client
x-api-key
100 RPS
50 burst
AWS Secrets Manager
Amazon Cognito
On-demand billing
Regional endpoint
Best practices
Enable access logs, structure logs and
instrument your code
Create metrics async with CloudWatch
Embedded Metric Format
Regulate inbound access rates
Authorize consumers. Manage secrets
with AWS Secrets Manager
On-demand tables support up to 40K
read/write request units
Regional endpoints support HTTP2

20. Pattern: The comfortable “REST”
Amazon API Gateway AWS Lambda Amazon DynamoDB
Amazon CloudWatch
Logs & metrics
AWS X-Ray
Best practices
Enable access logs, structure logs and
instrument your code
Create metrics async with CloudWatch
Embedded Metric Format
Regulate inbound access rates
Authorize consumers. Manage secrets
with AWS Secrets Manager
On-demand tables support up to 40K
read/write request units
Regional endpoints support HTTP2
Use Lambda Power Tuning for
perf/cost tuning
Client
x-api-key
100 RPS
50 burst
AWS Secrets Manager
Amazon Cognito
On-demand billing
Regional endpoint

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

22. Pattern: The “cherry-pick” (GraphQL API)
AWS AppSync
Client
Resolvers
listFlights
Data sources
flightsDB
Query
Amazon DynamoDB
Apache Velocity
template
listFlights{ departureDate, arrivalDate… }
Fetching flights

23. Pattern: The “cherry-pick” (GraphQL API)
AWS AppSync
Client
Best practices
Use Lambda for complex logic
Resolvers
listFlights
Data sources
flightsDB
Query
Amazon DynamoDB
getLoyalty loyaltyFn Amazon DynamoDB
Apache Velocity
template
getLoyalty(customer: 1234) { tier, totalPoints }
Fetch loyalty points

24. Pattern: The “cherry-pick” (GraphQL API)
AWS AppSync
Client
Best practices
Use Lambda for complex logic
Use state machines for long
transactions. Pipeline resolvers for
simpler transactions
Resolvers
listFlights
Data sources
flightsDB
Query
Amazon DynamoDB
Apache Velocity
template
getLoyalty loyaltyFn Amazon DynamoDB
Mutation
initBooking procBooking AWS Step
Functions
Create new booking
initBooking(cust: 123..) { bookingId, bookingRef }

25. Pattern: The “cherry-pick” (GraphQL API)
AWS AppSync
Client
Best practices
Use Lambda for complex logic
Use state machines for long
transactions. Pipeline resolvers for
simpler transactions
Enforce authorization at API, data
field and operation level
Resolvers
listFlights
Data sources
flightsDB
Query
Amazon DynamoDB
Apache Velocity
template
getLoyalty loyaltyFn Amazon DynamoDB
Mutation
initBooking procBooking AWS Step
Functions
Amazon Cognito
createFlights(flightNumber: 1234, ticketPrice: 300)
Admin only

26. Pattern: The “cherry-pick” (GraphQL API)
AWS AppSync
Client
Best practices
Use Lambda for complex logic
Use state machines for long
transactions. Pipeline resolvers for
simpler transactions
Enforce authorization at API, data
field and operation level
Use purpose-built databases
Resolvers
listFlights
Data sources
flightsDB
Query
Amazon DynamoDB
Apache Velocity
template
getLoyalty loyaltyFn Amazon DynamoDB
Mutation
initBooking procBooking AWS Step
Functions
Amazon Cognito
Fetching orders
getOrder(id: 1234) { customer, flights, points… }
ordersDB
addOrder Amazon RDS
AWS Secrets
Manager

27. Pattern: The “cherry-pick” (GraphQL API)
AWS AppSync
Client
Resolvers
listFlights
Data sources
flightsDB
Query
Amazon DynamoDB
Apache Velocity
template
Amazon Cognito
getLoyalty loyaltyFn Amazon DynamoDB
ordersDB
addOrder Amazon RDS
AWS Secrets
Manager
Mutation
initBooking procBooking AWS Step
Functions
Fetch booking
listBookings { bookingRef, departureDate… }
Best practices
Use Lambda for complex logic
Use state machines for long
transactions. Pipeline resolvers for
simpler transactions
Enforce authorization at API, data
field and operation level
Use purpose-built databases
Select only data you need
Enable caching

28. Client
Website
Amazon
CloudFront
AWS AppSync
API
Resolver
Amazon
DynamoDB
Amazon SNS
AWS
Step Functions
Booking
Amazon S3 Quasar Vue.js
Frontend
Payment
API
Amazon API Gateway AWS Lambda
Amazon DynamoDB
VTL
Catalog
AWS Lambda
Loyalty
Amazon
DynamoDB
Amazon
API Gateway
AWS Lambda
Automation & monitoring
Amazon CloudWatch
AWS CloudFormation AWS X-Ray
AWS Amplify
Practical example: Serverless Airline

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

30. Pattern: Call me, “Maybe” (Webhook)
Amazon API Gateway
Client
AWS Lambda Amazon RDS

31. Pattern: Call me, “Maybe” (Webhook)
Amazon API Gateway
Client
AWS Lambda
Best practices
Limit concurrency to protect non-
scalable/stateful downstream
services
Amazon RDS
Concurrency 5

32. Pattern: Call me, “Maybe” (Webhook)
Amazon API Gateway
Client
AWS Lambda
Best practices
Limit concurrency to protect non-
scalable/stateful downstream
services
Kinesis as a buffer + a better
mechanism to limit concurrency
Use Lambda Destinations for failed
requests; set max retries
Amazon RDS
Amazon Kinesis
Data Streams
DLQ

33. Pattern: Call me, “Maybe” (Webhook)
Amazon API Gateway
Client
AWS Lambda
Best practices
Limit concurrency to protect non-
scalable/stateful downstream
services
Kinesis as a buffer + a better
mechanism to limit concurrency
Use Lambda Destinations for failed
requests; set max retries
Enforce authorization and obfuscate
sensitive data on the stream
Amazon RDS
Amazon Kinesis
Data Streams
Custom
authorizer
Obfuscate DLQ

34. Pattern: Call me, “Maybe” (Webhook)
Amazon API Gateway
Client
AWS Lambda
Best practices
Limit concurrency to protect non-
scalable/stateful downstream
services
Kinesis as a buffer + a better
mechanism to limit concurrency
Use Lambda Destinations for failed
requests; set max retries
Enforce authorization and obfuscate
sensitive data on the stream
For low-volume traffic, Kinesis can
batch records for up to 5 minutes
Amazon RDS
Amazon Kinesis
Data Streams
Custom
authorizer
Obfuscate DLQ

35. Pattern: Call me, “Maybe” (Webhook)
Amazon API Gateway
Client
AWS Lambda
Best practices
Limit concurrency to protect non-
scalable/stateful downstream
services
Kinesis as a buffer + a better
mechanism to limit concurrency
Use Lambda Destinations for failed
requests; set max retries
Enforce authorization and obfuscate
sensitive data on the stream
For low-volume traffic, Kinesis can
batch records for up to 5 minutes
Alternatively, DynamoDB+SQS to
easily scale webhooks
Amazon RDS
Amazon Kinesis
Data Streams
Custom
authorizer
Obfuscate DLQ
Client
Amazon API Gateway Amazon SQS AWS Lambda
DLQ
Amazon DynamoDB

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

37. Pattern: The big “Fan” (fan-out)
Amazon API
Gateway
Client
AWS Lambda Amazon Simple
Notification Service
Lambda Amazon SQS
Consumer
Lambda

38. Pattern: The big “Fan” (fan-out)
Amazon API
Gateway
Client
Amazon Simple
Notification Service
Lambda Amazon SQS
Consumer
Lambda
Best practices
API Gateway can integrate with AWS
services directly

39. Pattern: The big “Fan” (fan-out)
Amazon API
Gateway
Client
Amazon Simple
Notification Service
Consumer
Amazon SQS
Consumer
DLQ
DLQ
Best practices
API Gateway can integrate with AWS
services directly
Integrate with Amazon SQS for
higher durability, batching, and DLQ

40. Pattern: The big “Fan” (fan-out)
Amazon API
Gateway
Client
Amazon Simple
Notification Service
Consumer
Amazon SQS
Consumer
DLQ
DLQ
Custom
authorizer
Best practices
API Gateway can integrate with AWS
services directly
Integrate with Amazon SQS for
higher durability, batching, and DLQ
Enforce authorization. Verify
signature of Amazon SNS messages

41. Pattern: The big “Fan” (fan-out)
Amazon API
Gateway
Client
Amazon Simple
Notification Service
DLQ
Custom
authorizer
Consumer
Amazon SQS
Consumer
Amazon SQS
Consumer
Amazon SQS
Multiple consumers w/ DLQ
Best practices
API Gateway can integrate with AWS
services directly
Integrate with Amazon SQS for
higher durability, batching, and DLQ
Enforce authorization. Verify
signature of Amazon SNS messages

42. Pattern: The big “Fan” (fan-out)
Amazon API
Gateway
Client
Amazon Simple
Notification Service
DLQ
Custom
authorizer
Consumer
Amazon SQS
Consumer
Amazon SQS
Consumer
Amazon SQS
Multiple consumers w/ DLQ
Status=Created
Status=Processed
Status=Refunded
Best practices
API Gateway can integrate with AWS
services directly
Integrate with Amazon SQS for
higher durability, batching, and DLQ
Enforce authorization. Verify
signature of Amazon SNS messages
Use message filtering for efficient
processing

43. Pattern: The big “Fan” (fan-out)
Amazon API
Gateway
Client
Amazon Simple
Notification Service
DLQ
Custom
authorizer
Consumer
Amazon SQS
Consumer
Amazon SQS
Consumer
Amazon SQS
Multiple consumers w/ DLQ
Status=Created
Status=Processed
Status=Refunded
Best practices
API Gateway can integrate with AWS
services directly
Integrate with Amazon SQS for
higher durability, batching, and DLQ
Enforce authorization. Verify
signature of Amazon SNS messages
Use message filtering for efficient
processing
Compress and aggregate messages
when possible

44. Pattern: The big “Fan” (fan-out)
Amazon API
Gateway
Client
Amazon Simple
Notification Service
Best practices
API Gateway can integrate with AWS
services directly
Integrate with Amazon SQS for
higher durability, batching, and DLQ
Enforce authorization. Verify
signature of Amazon SNS messages
Use message filtering for efficient
processing
Compress and aggregate messages
when possible
Consider Kinesis for larger payloads
DLQ
Custom
authorizer
Consumer
Amazon SQS
Consumer
Amazon SQS
Consumer
Amazon SQS
Multiple consumers w/ DLQ
Status=Created
Status=Processed
Status=Refunded
Amazon API
Gateway
Client
Amazon Kinesis
Data Streams
Consumer

45. Practical example: Dunelm

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

47. Pattern: They say “I’m a Streamer” (streaming)
Amazon API
Gateway
Client
AWS Lambda Amazon Kinesis
Data Firehose
Amazon S3

48. Pattern: They say “I’m a Streamer” (streaming)
Amazon API
Gateway
Client
AWS Lambda Amazon Kinesis
Data Firehose
Amazon S3
Best practices
Enable source stream record backup
Backup

49. Pattern: They say “I’m a Streamer” (streaming)
Amazon API
Gateway
Client
AWS Lambda
Best practices
Enable source stream record backup
Favor dedicated Data Firehose per
context/domain
S3 bucket
Kinesis Data
Firehose
S3 bucket
S3 bucket
Kinesis Data
Firehose
Kinesis Data
Firehose
Backup

50. Pattern: They say “I’m a Streamer” (streaming)
Amazon API
Gateway
Client
AWS Lambda
Best practices
Enable source stream record backup
Favor dedicated Data Firehose per
context/domain
Enforce authorization
Obfuscate/remove sensitive stream
data
S3 bucket
Kinesis Data
Firehose
S3 bucket
S3 bucket
Kinesis Data
Firehose
Kinesis Data
Firehose
Custom
authorizer
Backup
Obfuscate

51. Pattern: They say “I’m a Streamer” (streaming)
Amazon API
Gateway
Client
AWS Lambda
Best practices
Enable source stream record backup
Favor dedicated Data Firehose per
context/domain
Enforce authorization
Obfuscate/remove sensitive stream
data
Enable Parquet transformation. Use
Glue to discover data schema and
Athena to query
Kinesis Data
Firehose
Kinesis Data
Firehose
Kinesis Data
Firehose
Custom
authorizer
Backup
Obfuscate
S3 bucket AWS Glue crawler
Amazon Athena Data Catalog
S3 bucket AWS Glue crawler
S3 bucket AWS Glue crawler

52. Pattern: They say “I’m a Streamer” (streaming)
Amazon API
Gateway
AWS Lambda
Best practices
Enable source stream record backup
Favor dedicated Data Firehose per
context/domain
Enforce authorization
Obfuscate/remove sensitive stream
data
Enable Parquet transformation. Use
Glue to discover data schema and
Athena to query
Use message filtering to prevent
unwanted events. Tune
buffer/compression
Kinesis Data
Firehose
Kinesis Data
Firehose
Kinesis Data
Firehose
Custom
authorizer
Backup
Obfuscate
S3 bucket AWS Glue crawler
Amazon Athena Data Catalog
S3 bucket AWS Glue crawler
S3 bucket AWS Glue crawler
SNS topic
SNS topic
SNS topic
DLQ

53. Pattern: They say “I’m a Streamer” (streaming)
Amazon API
Gateway
AWS Lambda
Best practices
Enable source stream record backup
Favor dedicated Data Firehose per
context/domain
Enforce authorization
Obfuscate/remove sensitive stream
data
Enable Parquet transformation. Use
Glue to discover data schema and
Athena to query
Use message filtering to prevent
unwanted events. Tune
buffer/compression
Kinesis Data
Firehose
Kinesis Data
Firehose
Kinesis Data
Firehose
Custom
authorizer
Backup
Obfuscate
S3 bucket AWS Glue crawler
Amazon Athena Data Catalog
S3 bucket AWS Glue crawler
S3 bucket AWS Glue crawler
SNS topic
SNS topic
SNS topic
DLQ
CloudFront Lambda@Edge
Go Global

54. Practical example: LifeWorks
LifeWorks by
Morneau Shepell
Cognos
Amazon Athena

55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

56. Pattern: The “Strangler”
Client
Corporate
data center
Server
DB
Load Balancer
Server

57. Pattern: The “Strangler”
Amazon API Gateway
Client
Corporate
data center
Server Server Server
DB DB DB
Load Balancer

58. Pattern: The “Strangler”
Amazon API Gateway
Client
VPC
AWS Direct
Connect
AWS NLB
Targets
Private IP
Corporate
data center
Server Server Server
DB DB DB

59. Pattern: The “Strangler”
Amazon API Gateway
Client
VPC
AWS Direct
Connect
AWS NLB
Targets
Private IP
Corporate
data center
Server Server Server
DB DB DB
Amazon CloudWatch
Logs & metrics
AWS X-Ray
Best practices
Centralize logs, metrics, and
distributing tracing

60. Pattern: The “Strangler”
Amazon API Gateway
Client
VPC
AWS Direct
Connect
AWS NLB
Corporate
data center
Load Balancer
Server Server Server
DB DB DB
Best practices
Centralize logs, metrics, and
distributing tracing
Use a corporate Load balancer virtual
IP to send traffic to
Amazon CloudWatch
Logs & metrics
AWS X-Ray
Targets
Virtual IP

61. Pattern: The “Strangler”
Amazon API Gateway
Client
VPC
Targets
Virtual IP
Corporate
data center
Load Balancer
Server Server Server
DB DB DB
Best practices
Centralize logs, metrics, and
distributing tracing
Use a corporate Load balancer virtual
IP to send traffic to
Enforce authorization
Custom
authorizer
Amazon CloudWatch
Logs & metrics
AWS X-Ray
AWS Direct
Connect
AWS NLB

62. Pattern: The “Strangler”
Amazon API Gateway
Client
VPC
Targets
Virtual IP
Corporate
data center
Load Balancer
Server
DB
Best practices
Centralize logs, metrics, and
distributing tracing
Use a corporate Load balancer virtual
IP to send traffic to
Enforce authorization
Gradually shift functionalities to
newer compute/database platforms
Custom
authorizer
Amazon CloudWatch
Logs & metrics
AWS X-Ray
AWS Direct
Connect
AWS NLB
Amazon EC2
Amazon ECS
Amazon RDS

63. Pattern: The “Strangler”
Amazon API Gateway
Client
VPC
Targets
Virtual IP
Corporate
data center
Load Balancer
Server
DB
Best practices
Centralize logs, metrics, and
distributing tracing
Use a corporate Load balancer virtual
IP to send traffic to
Enforce authorization
Gradually shift functionalities to
newer compute/database platforms
Use serverless for new functionalities
Custom
authorizer
Amazon CloudWatch
Logs & metrics
AWS X-Ray
AWS Direct
Connect
AWS NLB
Amazon EC2
Amazon ECS
Amazon RDS
Amazon DynamoDB
AWS Lambda

64. Practical example: HSBC Part 1
EU-West-1-A EU-West-1-B EU-West-1-C
Platform VPC
Bank bound VPC
Endpoint
VPC subnet
1 X
…
VPC subnet
1 X
…
VPC subnet
1 X
…
Large CIDR block
Bank Bound
Proxy Fleet
EU-West-1-A
Bank Bound
Proxy Fleet
EU-West-1-B EU-West-1-C
Bank Bound
Proxy Fleet
Platform DX VPC
Endpoint service
Network
Load
Balancer
Small CIDR block
HSBC UK
Direct
Connect
• As VPC attached Lambda function scales, subnets must have available IP addresses to
match the number of ENIs = large CIDR block required to your VPC
• Access to on-premise provided via VPC endpoint which encapsulates a set of proxy servers
located on a VPC with Direct Connect = small CIDR used on VPC connected to on-premise

65. Practical example: HSBC Part 2
HSBC UK
Mainframes
Mapper
EMR
Spark
Kinesis
Streams
Direct
Connect
Customer Preferences
DynamoDB Lambda API Gateway
Data Service
Aurora
EMR
DynamoDB
API Gateway
Kinesis
Streams
Event Engine
Kinesis
Streams
Lambda
Push Notifications
Notification Service
API Gateway
Kinesis
Streams
Lambda
Message Service
API Gateway
DynamoDB
Kinesis
Streams
Lambda
JSON
ASCII
Dead Letter Queues
SNS
SQS
VPC CloudWatch KMS
Common Services
EU-West-1
AVRO
EBCDIC
Kafka
AVRO
EBCDIC

66. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

67. Serverless airline – Multiple patterns/practices

68. Summary

69. Related breakouts
SVS311 Serverless at scale: design patterns and optimizations
SVS401-R Optimizing your serverless applications
SVS403-R Best practices for AWS Lambda and Java
API304 Scalable serverless event-driven applications using Amazon SQS
and Lambda
SVS309 Architecting and operating resilient serverless systems at scale

70. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Free foundational to advanced digital courses cover AWS services and
teach architecting best practices
Learn to architect with AWS Training and Certification
Visit aws.amazon.com/training/path-architecting/
Classroom offerings, including Architecting on AWS,
feature AWS expert instructors and hands-on labs
Validate expertise with the AWS Certified Solutions Architect - Associate
or AWS Certification Solutions Architect - Professional exams
Resources created by the experts at AWS to propel your organization and career forward

71. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

72. Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Heitor Lessa
@heitor_lessa