Containerless in the Cloud with AWS Lambda

Post on 20-Mar-2017


Transcript of Containerless in the Cloud with AWS Lambda

Ryan Cuprak

Containers

Containers provide an execution environment.

Containers + Cloud (diagram):
• EC2: Tomcat / Java EE Container
• EC2: Tomcat / Java EE Container
• EC2: JMS Server
• RDS: SQL Database

Containers = Platform Lock-in:
• Language
• Tool Chain
• Ecosystem

Container Drawbacks
• Overkill for many types of applications
• Hard to ‘automatically’ scale
• Complex programming models
• Significant skills investment: security, configuration, technology stack

Traditional App Drawbacks
• Servers
• Data Centers
• Software
• Monitoring tools
• Test environments
• IT support
• Service contracts
• Data Replication & Policies
• Approvals

Container Challenge: QUICKLY develop a web and mobile application with:
• Registration and authentication (OAuth)
• HTTPS
• SMS notifications
• RESTful endpoints
• Automatic scalability across the globe
• Native code for both iOS and Android
• Versioning
• Real-time monitoring

Time to go: Containerless and Serverless

What is Amazon Lambda?

What is Lambda?
• IaaS: Infrastructure as a Service
• PaaS: Platform as a Service
• SaaS: Software as a Service
• FaaS: Function as a Service

What is Lambda? Code → Deploy → Run

What is Lambda?
• Lambda is a stateless function
• Executes in response to an event
• Executes in an isolated environment
• Can be implemented using JavaScript, Java, Python or C#
• Dependencies (executables/libraries) can be packaged with the function

Example Function 1:

exports.handler = function(event, context) { context.succeed('Hello ConFoo!'); };

(Slide annotations: exports.handler is the handler function; event is the data passed to the function, converted from JSON; context is provided by the Lambda runtime.)

Example Function 2:

exports.handler = function(event, context) { context.succeed('Hello ' + event.firstName + ' ' + event.lastName + ' you are at ConFoo!'); };

Parsed Parameters:

{ "firstName": "Ryan", "lastName": "Cuprak" }

Demo

Lambda Pricing

Requests: the first 1 million requests are FREE; $0.20 per million requests thereafter.

Duration: charged $0.00001667 for every gigabyte-second used.

Free Tier:

Memory (MB) | Free sec/month | Price / 100 ms ($)
128 | 3,200,000 | 0.000000208
192 | 2,133,333 | 0.000000313
256 | 1,600,000 | 0.000000417
… | … | …

Cost Scenarios

Executions | Memory (MB) | Execution Time | Cost
50,000 | 128 | 1 second | $0.11
100,000 | 128 | 1 second | $0.23
500,000 | 128 | 1 second | $1.14
1,000,000 | 128 | 1 second | $2.28
50,000 | 256 | 1 second | $0.21
100,000 | 256 | 1 second | $0.42
500,000 | 256 | 1 second | $2.08
1,000,000 | 256 | 1 second | $4.17
50,000 | 128 | 2 seconds | $0.21
100,000 | 128 | 2 seconds | $0.42
500,000 | 128 | 2 seconds | $2.08
1,000,000 | 128 | 2 seconds | $4.17

Not including the Free Tier; add the cost of other services.
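As an added example (not part of the deck), the pricing rules above as a small calculator: duration is rounded up to the next 100 ms, memory is converted to GB-seconds, and the free tier of 1M requests and 400,000 GB-seconds (3,200,000 s at 128 MB) can be subtracted. The function names are my own.

```javascript
// Added example: Lambda cost estimator using the prices quoted on the deck.
const PRICE_PER_REQUEST = 0.20 / 1e6;   // $0.20 per million requests
const PRICE_PER_GB_SECOND = 0.00001667; // per gigabyte-second
const FREE_REQUESTS = 1e6;              // free tier: 1M requests per month
const FREE_GB_SECONDS = 400000;         // 3,200,000 s at 128 MB = 400,000 GB-s

// Lambda bills duration in 100 ms increments, rounded up
// (the deck's Java hello world: 167.63 ms measured, 200 ms billed).
function billedMs(durationMs) {
  return Math.ceil(durationMs / 100) * 100;
}

// Monthly cost in whole cents for `invocations` runs of a function with
// `memoryMb` of memory, each running for `durationMs`.
function estimateCostCents(invocations, memoryMb, durationMs, applyFreeTier) {
  const gbSeconds = invocations * (memoryMb / 1024) * (billedMs(durationMs) / 1000);
  let billableRequests = invocations;
  let billableGbSeconds = gbSeconds;
  if (applyFreeTier) {
    billableRequests = Math.max(0, invocations - FREE_REQUESTS);
    billableGbSeconds = Math.max(0, gbSeconds - FREE_GB_SECONDS);
  }
  const dollars = billableRequests * PRICE_PER_REQUEST +
                  billableGbSeconds * PRICE_PER_GB_SECOND;
  return Math.round(dollars * 100);
}

// Rebuild one memory/duration column of the deck's table (constructed
// scenario list: the four execution counts the deck uses).
function costTable(memoryMb, durationMs) {
  return [50000, 100000, 500000, 1000000].map((n) => ({
    invocations: n,
    memoryMb,
    durationMs,
    cents: estimateCostCents(n, memoryMb, durationMs, false),
  }));
}

console.log(costTable(128, 1000));
```

The 128 MB, 1-second rows of the deck's table come out of this formula directly; the remaining rows match it only when the per-request charge is left out.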

Lambda Basics
• Security provided by IAM (Identity & Access Management).
• Lambda functions can start threads, access the disk, and access other AWS services.
• Default safety threshold of 100 concurrent executions per region; can be increased per request.
• AWS will attempt to invoke a Lambda function 3 times.
• External libraries should be bundled with the Lambda function (zip/jar).

Execution Environment

Runtime versions:
• Node.js v4.3.2 (old; the current Node.js release is 6.10.0)
• Java: Java 8 (OpenJDK)
• Python 2.7
• .NET Core (1.0.1 C#)

Libraries available in the execution environment:
• AWS SDK for JavaScript (2.16.0)
• AWS SDK for Python
• AWS build of OpenJDK 8

Lambda environment based on:
• amzn-ami-hvm-2016.03.3.x86_64-gp2
• Linux kernel: 4.4.35-33.55.amzn1.x86_64
• Only 64 bit binaries are supported.

Environment Variables

Runtime variables: LAMBDA_TASK_ROOT, AWS_LAMBDA_FUNCTION_VERSION, AWS_EXECUTION_ENV, PATH, LAMBDA_RUNTIME_DIR, LANG, AWS_REGION, LD_LIBRARY_PATH, AWS_DEFAULT_REGION, NODE_PATH, AWS_LAMBDA_LOG_GROUP_NAME, PYTHON_PATH, AWS_LAMBDA_LOG_STREAM_NAME, AWS_LAMBDA_FUNCTION_NAME, AWS_LAMBDA_FUNCTION_MEMORY_SIZE

Credential variables:
• AWS_ACCESS_KEY
• AWS_ACCESS_KEY_ID
• AWS_SECRET_KEY
• AWS_SECRET_ACCESS_KEY
• AWS_SESSION_TOKEN
• AWS_SECURITY_TOKEN

Versioning
• New lambda function = $LATEST version
• ARN = Amazon Resource Number; uniquely identifies an Amazon resource
• Two ARNs are associated with a lambda function:
  Qualified ARN: arn:aws:lambda:aws-region:acct-id:function:helloworld:$LATEST
  Unqualified ARN: arn:aws:lambda:aws-region:acct-id:function:helloworld
• New versions must be explicitly published

Logging
• Node.js: console.log/error/warn/info()
• Java: log4j 1.2 (LambdaLogger.log()); System.out/err, each line a separate event
• C#: Console.Write/WriteLine; Lambda.Log(); via the context object: context.Logger.log()
• Python: print statements; logger functions in the logging module: logging.Logger.info

Logs are viewed in CloudWatch.

Failures & Errors

A Lambda function can fail for the following reasons:
• Function doesn’t complete before the time limit
• Input data fails to parse
• Runs out of memory

Failure handling depends upon how the function was invoked:
• Non-stream based, synchronous: Error 429 is returned; the client is responsible for retries.
• Non-stream based, asynchronous: retried twice with a time delay, then DLQ.
• Stream-based: will attempt to re-process until it succeeds or the data expires; no new records will be processed in the meantime.

Availability Regions: Northern Virginia, Ohio, Oregon, Northern California, Montreal, São Paulo, GovCloud, Ireland, Frankfurt, London, Singapore, Tokyo, Sydney, Seoul, Mumbai, Beijing

Resource Limits

Resource | Default Limit
Ephemeral disk capacity ("/tmp" space) | 512 MB
Number of file descriptors | 1024
Number of processes and threads (combined total) | 1024
Maximum execution duration per request | 300 seconds
Invoke request body payload size (RequestResponse) | 6 MB
Invoke request body payload size (Event) | 128 KB
Invoke response body payload size (RequestResponse) | 6 MB

Deployment Limits

Item | Default Limit
Lambda function deployment package size (.zip/.jar file) | 50 MB
Total size of all the deployment packages that can be uploaded per region | 75 GB
Size of code/dependencies that you can zip into a deployment package (uncompressed zip/jar size) | 250 MB
Total size of environment variables set | 4 KB

Power of Lambda

Event Sources
• Invocations: asynchronous or synchronous
• Event sources from AWS services: Amazon S3, Kinesis, DynamoDB, CloudTrail, SNS, CodeCommit
• HTTPS via Amazon API Gateway
• Custom app sources (e.g. Android)
• Scheduled events

Use Cases
• S3 + Lambda: image processing, filtering, document analysis, indexing
• Kinesis + Lambda: transaction order processing, auditing
• SNS + Lambda: alarm response, auditing, event processing
• DynamoDB + Lambda: data validation, data processing, filtering, notification
• Alexa + Lambda: automated voice responses (Amazon Echo)

Blueprints

Exposing/Securing Lambda (diagram): Amazon Cognito, Amazon API-Gateway, Lambda

API-Gateway
• Build, deploy, manage RESTful APIs
• Supports throttling and protection against DDoS
• Supports versioning and staging
• Auto-generates client implementations: Java, JavaScript, Android, Objective-C, Swift
• Flexible authorization model; ties in with Amazon Cognito

(Diagram: HTTPS RESTful request → API-Gateway → invokes Lambda; see http://swagger.io/)

API-Gateway Demo

API-Gateway: invoking the service (webpage/app)

API-Gateway: published an API, now what? APIs can be sold! Two concepts: Usage Plan and API Key.

Steps:
1. Create a usage plan
2. Associate a key
3. Associate the key on the service

Amazon Cognito

Three ways to secure an API-Gateway:
1. API Keys: appropriate for service-to-service communication; risky to place a secret key on a client for long periods of time.
2. Identity & Access Management: inter-application communication within an organization; IAM integrated.
3. Amazon Cognito: appropriate for third-party integration.

Amazon Cognito
• User/identity authentication service
• Supports storage of user data in the cloud (mobile app preferences and state)
• Authenticates users against federated identity providers (Facebook/Google)
• Manages a custom identity/user pool
• Sync functionality to synchronize user profile data across devices

Amazon Cognito: User Pools and Federated Identities

User Pools
• Managing your “own” user directory/sign-ups etc.
• Support multi-factor authentication (MFA)
• Users can start anonymous and then register
• Password recovery (SNS/email/etc.)
• Collect and maintain user meta-information

Federated Identities
• Create unique identities for your users and federate them with identity providers.
• Supported providers: Amazon, Facebook, Google, Twitter/Digits, Amazon Cognito User Pools, OpenID Connect providers, SAML identity providers, developer authenticated identities

Cognito + API Gateway (sequence diagram): participants are the Client, the Identity Provider, Amazon Cognito and API-Gateway; steps: Login → Get Id → Validation → Invoke Web Service.

Cognito + API Gateway: JavaScript client, invoking the secured API (config shown on slide)

Java & Lambda

Lambda using Java

1. Loading a method directly without implementing an interface:

outputType handler-name(inputType, Context) {
    ...
}

• inputType: event data or custom object
• context: Java object containing execution environment information
• outputType: result for synchronous calls

2. Implementing a standard interface provided by aws-lambda-java-core:
• RequestHandler: custom input/output objects (getters/setters/no-arg constructor), serialized to JSON automatically
• RequestStreamHandler: input/output stream responses

Java Example: JSON converted to Java objects using Jackson

Dependencies: Uber JAR

Java Demo

Java vs. JavaScript
• Hello World Java: 167.63 ms (billed 200 ms), 43 MB
• Hello World JavaScript: 2.05 ms, 31 MB

Java EE vs AWS

Java EE is a standard with several implementations. AWS is a set of ready-to-use services:
• SQS + SNS ~ JMS (roughly!)
• Kinesis ~ Apache Kafka
• Elasticsearch ~ Lucene
• Lambda ~ Stateless Session Beans (Transactions? Injection?)
• S3 Buckets: no equivalent
• DynamoDB ~ MongoDB/Couchbase
• AWS cloud spans regions/data centers; data automatically mirrored

Reason to use Java EE

Technical:
• Distributed transactions
• Long running tasks
• Report generation
• Compute intensive tasks
• Rules engines
• Third party dependencies / applications
• Integration with legacy systems
• Websockets (bi-directional communication)

Legal:
• Estimating and controlling costs
• Third party licenses
• Regulatory requirements
• Snapshots for security instances

Example Architecture (diagram components): EC2 running a Java EE Container (x2), RDS with a SQL Database, Amazon API Gateway, Amazon Lambda (Java, JS, Python), Amazon SQS, Elasticsearch, DynamoDB, S3, Amazon SNS

Conclusion

Challenges
• Documentation!
• Testing
• Debugging
• Tooling support
• Error handling
• AWS CodeCommit integration
• Node.js version lagging

Best Practices
• Small archives containing code; don’t include the entire application!
• Minimize startup costs
• Periodically invoke lambdas to keep them “warm”
• Monitor logs for failures

Resources
• AWS Compute Blog: https://aws.amazon.com/blogs/compute/
• AWS Forums: https://forums.aws.amazon.com/forum.jspa?forumID=186
• AWS Pet Store: https://github.com/awslabs/api-gateway-secure-pet-store (http://tinyurl.com/z3qyefg)
• Authentication/Cognito: https://goo.gl/auEWLl
• FAQ: https://aws.amazon.com/lambda/faqs/

Q&A
Twitter: @ctjava
Email: rcuprak@gmail.com
Blog: cuprak.info