DevOps, Microservices, and Serverless Architecture

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mikhail Prudnikov, Solutions Architect, AWS
May 2016
DevOps, Microservices and
Serverless Architecure

2. What to Expect from the Session
• DevOps and Software Delivery
• Rise Of Microservices
• ECS and Containers
• Serverless Architecture
• API Gateway + Lambda

4. Toolchains

5. Services

6. Microservices
Sam Newman : “Building
Microservices” O’Reilly Publishing
Adrian Cockcroft : numerous talks,
presentations, blog posts
• “Loosely coupled service
oriented architecture with
bounded contexts”
Martin Fowler : numerous blog posts
2 sessions at AWS Re:Invent 2014
8 sessions at AWS Re:Invent 2015

7. Development Transformation at Amazon
2001 2009
monolithic
application + teams
microservices + 2 pizza teams

8. Availability vs Velocity of Change
AWS re:Invent 2015 | (SPOT302) Availability: The New Kind of Innovator’s Dilemma

9. Availability and Velocity of Change Thoughts
• "Everything fails, all the time"
Werner Vogels, CTO
Amazon.com
• How long does it take to push
a single line of code to
production?
• Do you have the feedback
loop?

10. Multiple Compute Options
• VMs
• Machine as the unit of scale
• Abstracts the hardware
• Containers
• Application as the unit of scale
• Abstracts the OS
• Serverless
• Functions as the unit of scale
• Abstracts the language runtime
ECS
EC2
Lambda

11. Which Option is Right?
• VMs
• “I want to configure machines,
storage, networking, and my OS”
• Containers
• “I want to run servers, configure
applications, and control scaling”
• Serverless
• “Run my code when it’s needed”
ECS
EC2
Lambda

12. Hypervisor Containers
ECS on AWS

13. ECS Internals & Flow
Container Instance
Cluster
Agent
Task
Agent
Task
Container
Task
Container
Run Task Schedule Task
Task Definition Task + Service Definition
ECR
CodeCommit

14. Scaling ECS With Lambda
 Cloudwatch metrics tied
to SNS
 SNS triggers Lambda
Container Scaling
function
 Lambda scales task
count on cluster
 Bonus - Extensible
‘cluster intelligence’ layer

15. ECS Reference Service Discovery

16. Continuous Integration & Deployment to ECS
Container Registry
CodeCommit

17. Monitoring with Amazon CloudWatch
 Metric data sent to CloudWatch in
1-minute periods and recorded for
a period of two weeks
 Available metrics:
CPUReservation,
MemoryReservation,
CPUUtilization,
MemoryUtilization
 Available dimensions:
ClusterName, ServiceName

18. Monitoring with Amazon CloudWatch
Use the Amazon CloudWatch Monitoring Scripts to monitor
additional metrics, e.g. disk space
# Edit crontab
> crontab -e
# Add command to report disk space utilization to CloudWatch every five minutes
*/5 * * * * <path_to>/mon-put-instance-data.pl --disk-space-util --disk-space-used
--disk-space-avail --disk-path=/ --from-cron

19. Logging with Amazon CloudWatch Logs
 Logging container with
syslogd and CloudWatch
Logs Agent
 Attach /var/log Volume
to Logging container
 Link other containers
syslogd
CloudWatch Logs
Agent
CloudWatch
Logs
Container instance
ECS Cluster
ECS Agent
Logs
Docker
Logs
syslogd
CloudWatch Logs
Agent

20. Managing Infrastructure Is Sadness

21. The Serverless Compute Manifesto
• Functions are the unit of deployment and scaling.
• No machines, VMs, or containers visible in the programming model.
• Permanent storage lives elsewhere.
• Scales per request. Users cannot over- or under-provision capacity.
• Never pay for idle (no cold servers/containers or their costs).
• Implicitly fault-tolerant because functions can run anywhere.
• BYOC – Bring your own code.
• Metrics and logging are a universal right.

22. Benefits of Amazon API Gateway
Create a unified
API frontend for
multiple micro-
services
DDoS protection
and throttling for
your backend
Authenticate
and authorize
requests to a
backend

23. Code is all you need Event driven scaling
Never pay for idle Availability and fault tolerance built in
Benefits of AWS Lambda

24. Standard API Architecture
VPC subnet
Availability Zone A Availability Zone B
VPC subnet
Auto Scaling group
WEB WEB
Oregon
Tokyo
VPC subnet
Cleanup
loop
EC2 API
start/stop
instances
JOBS

25. Serverless API Architecture
Internet
Mobile apps
Websites
Services
AWS Lambda
functions
AWS
API Gateway
cache
Endpoints on
Amazon EC2
Any other publicly
accessible endpointAmazon
CloudWatch
Amazon
CloudFront
Amazon
API Gateway

26. Amazon
S3
Amazon
DynamoDB
Amazon
Kinesis
AWS
CloudFormation
AWS
CloudTrail
Amazon
CloudWatch
Logs
Amazon
SNS
Amazon
SES
Amazon
API Gateway
Amazon
Cognito
AWS
IoT
Amazon
Alexa
Cron events
DATA STORES ENDPOINTS
REPOSITORIES EVENT/MESSAGE SERVICES
Lambda Service Integrations
… and the list will continue to grow!

27. Analytics
• Operational management
• Live Dashboards
Data workflows
• Content management
• ETL workflows
Multiple Application Types
Interactive Backends
• Bots
• Webhooks
Autonomous IT
• Policy engines
• Infrastructure management

28. Auth Option 1 – Pervasive throughout AWS
Mobile Apps AWS Lambda lambdaHandler
API Gateway
Sigv4
Invoke with
caller credentials
Service calls are
authorized using
the IAM Role
DynamoDB

29. Auth Option 1 – Fine Grained Access
Internet
Client AWS Lambda
functions
Amazon
CloudFront
DynamoDB
CognitoId2
…
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [”${cognito-
identity.amazonaws.com:sub}"],
"dynamodb:Attributes": [
"UserId","GameTitle","Wins","Losses",
"TopScore","TopScoreDateTime”
]
},
"StringEqualsIfExists": {
"dynamodb:Select": "SPECIFIC_ATTRIBUTES”
}
}
…
Executes with
this role
UserID Wins Losses
cognitoId1 3 2
cognitoId2 5 8
cognitoId3 2 3
The credentials and context (Cognito ID) are passed along
Both AWS Lambda & DynamoDB will follow the access policy
API Gateway

30. Auth Option 2 – Custom Auth With Lambda
Client
Lambda Auth
function
API Gateway
OAuth token
OAuth
provider
Policy is
evaluated
Policy is
cached
Endpoints on
Amazon EC2
Any other publicly
accessible endpoint
AWS Lambda
functions
403

31. Managing Multiple Versions and Stages of APIs
Works like a source repository – clone your API to create a new
version
API 1
(v1) Stage (dev)
Stage (prod)
API 2
(v2)
Stage (dev)

32. Custom Domain Names
Use custom domain names to put 2 different APIs (V1 and V2) under
the same domain
• Custom domain names can point to an API or a Stage
• A custom domain name can include a base path
• Use v1 as your base path in the custom domain name
• Pointing to an API you have access to all Stages
• Beta (e.g. yourapi.com/v1/beta)
• Prod (e.g. yourapi.com/v1/prod)
• Pointing directly to your “prod” Stage
• Prod (e.g. yourapi.com/v1)

33. Stage Variables and Lambda Aliases
Using Stage Variables in API Gateway together with Lambda
function Aliases helps you manage a single API configuration
and Lambda function for multiple stages
myLambdaFunction
1
2
3 = prod
4
5
6 = beta
7
8 = dev
My First API
Stage variable = lambdaAlias
Prod
lambdaAlias = prod
Beta
lambdaAlias = beta
Dev
lambdaAlias = dev

34. Serverless Framework
Serverless is an application framework for building serverless
web, mobile and IoT applications. Serverless comes in the form
of a command line interface that provides structure, automation
and optimization to help you build and maintain your serverless
apps.
http://www.serverless.com
https://github.com/serverless/serverless

35. Example: Backends
https://github.com/awslabs/lambda-refarch-webapp

36. Example: Real Time File Processing
https://github.com/awslabs/lambda-refarch-fileprocessing

37. Example: Stream Processing
https://github.com/awslabs/lambda-refarch-streamprocessing

38. Function schedules: The how-to guide
• How can I keep a function warm (no cold starts)?
Schedule it!
• How can I poll a queue (like SQS)?
Schedule a function to read the queue.
• How can I get more timers?
Have one scheduled function async invoke other functions.
• How can I get granularity finer than 1 minute?
Run a background timer in your scheduled function.

39. Function versioning: The how-to guide
• How can I get mutable configuration info?
Read it (e.g. from DynamoDB) during function initialization.
Wrap your config in a function and call it from your published code.
• How do I “roll back” in AWS Lambda?
Using aliases, just switch what the alias points to.
• How do I do blue/green deployments?
AWS Lambda handles fleet deployments, but if you want to shape traffic,
put a second “traffic cop” function in front.
• How can I lock a client/device onto an old version?
Point them directly to that version’s ARN.

40. AWS Lambda VPC basics
• All Lambda functions run in a VPC, all the time
You never need to “turn on” security – it’s always on
• You can also grant Lambda functions access to resources in your VPC
How: Add VPC subnet IDs and security group IDs to the function config
Typical uses: RDB, ElastiCache, private EC2 endpoints
Allows access to peered VPCs, VPN endpoints, and private S3 endpoints
• Functions configured for VPC access lose internet access…
unless you have managed NAT or a NAT instance in the VPC
…Even if you have “Auto-assign Public IP” enabled
…Even if you have an internet gateway set up in your VPC
…Even if your security group allows all outbound traffic
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Zombie Apocalypse Workshop
Building Serverless Microservices

41. Thank you!