    Serverless best practices for security configuration management and cost optimization on AWS - 26 September - 16:00

    Published: October 16, 2019

    AWS Loft 2019 Serverless best practices for security configuration management and cost optimization on AWS - 26 September - 16:00


    • 1. Serverless Best Practices © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Abidin SUNAR – CTO, Foreks; Azmi MENGÜ – Backend Team Lead, Getir; Burak ÜNÜVAR – Solutions Architect, AWS
    • 2. Computing evolution – a paradigm shift: Physical Machines → Virtual Machines → Containerization → AWS Fargate → AWS Lambda, ordered by increasing level of abstraction and increasing focus on business logic.
    • 3. Comparison of operational responsibility (from more opinionated to less opinionated):
        AWS Lambda – serverless functions. AWS manages: physical hardware, software, networking, and facilities; provisioning. Customer manages: application code; data source integrations.
        AWS Fargate – serverless containers. AWS manages: container orchestration, provisioning; cluster scaling; physical hardware, host OS/kernel, networking, and facilities. Customer manages: application code; data source integrations; security config and updates, network config, management tasks.
        ECS/EKS – container management as a service. AWS manages: container orchestration control plane; physical hardware, software, networking, and facilities. Customer manages: application code; data source integrations; worker clusters; security config and updates, network config, firewall, management tasks.
        EC2 – infrastructure as a service. AWS manages: physical hardware, software, networking, and facilities. Customer manages: application code; data source integrations; scaling; security config and updates, network config, management tasks; provisioning, managing scaling and patching of servers.
    • 4. Development transformation at Amazon: 2001–2002. 2001: monolithic application + teams. Lesson learned: decompose for agility. 2002: microservices + 2-pizza teams.
    • 5. Serverless is an operational model that spans many different categories of services (source: Digital Rewrites The Rules Of Business, Forrester, February 2018). Properties: continuous scaling; fault tolerance built in; event-driven; pay per usage; zero maintenance. Compute: AWS Lambda, AWS Fargate. Data stores: Amazon Aurora Serverless, Amazon S3, Amazon DynamoDB. Integration: Amazon API Gateway, Amazon SNS, Amazon SQS, AWS Step Functions, AWS AppSync.
    • 6. AWS Lambda Best Practices
        •Networking: accessing resources in a VPC and high availability
        •Security: IAM role per function; STS for tokens; KMS for encryption
        •Use environment variables to modify operational behavior
        •Blue/green deployment with versioning and aliases
        •AWS CodeDeploy and Lambda canary deployments
        https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
    • 7. Fine-grained pricing: never pay for idle. Free tier: 1M requests and 400,000 GB of compute, every month, every customer.
        •Leverage max memory used
        •Optimize execution time
    • 8. AWS Lambda Limits
        Memory size: 128 MB to 3,008 MB, in 64 MB increments
        Ephemeral disk capacity: 512 MB
        Timeout: 900 seconds (15 minutes)
        Concurrent executions: 1000
        Deployment package size: 50 MB zipped, 250 MB unzipped, 3 MB via Cloud9 (c9)
        •Concurrency limits: define per function to prevent throttling
    • 9. AWS Lambda Best Practices
        •Separate the Lambda handler from core logic
        •Minimize package size to necessities
        •Self-contain dependencies in your function package
        •Runtime: compiler vs. interpreter? Java: use simpler IoC dependency injection such as Dagger and Guice rather than the Spring framework. Node.js: keep your function's JS file size under 600 characters and prefer the V8 runtime.
    • 10. Lambda considerations and best practices – can your Lambda functions survive the cold?
        •Instantiate AWS clients and database clients outside the scope of the handler to take advantage of container re-use.
        •Schedule with CloudWatch Events for warmth.
        •ENIs for VPC support are attached during cold start.
        Code fragment shown on the slide (truncated in the transcript); the module-level part executes during cold start, the handler body executes with each invocation:
            import sys
            import logging
            import rds_config
            import pymysql
            rds_host = "rds-instance"
            db_name = rds_config.db_name
            try:
                conn = pymysql.connect(
            except:
                logger.error("ERROR:
            def handler(event, context):
                with conn.cursor() as cur:
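The cold-start pattern from slide 10, written out as an added, runnable example (not the talk's code): the connection is built once at module scope and re-used across invocations, a failed init is logged instead of raised, and a later invocation retries the connection. pymysql/RDS are replaced by a constructed FakeDb so the block runs offline; the "warmup" event marker and the RDS_HOST environment variable are assumptions.

```python
import logging
import os

logger = logging.getLogger(__name__)

# Constructed stand-in for pymysql.connect(): it counts how many times a
# connection is really built, so container re-use can be observed.
_STATE = {"connect_calls": 0}

class FakeDb:
    def __init__(self, host):
        _STATE["connect_calls"] += 1
        self.host = host
        self.queries = []

    def query(self, sql):
        self.queries.append(sql)
        return len(self.queries)   # row count stand-in: grows per call

def connect(host):
    return FakeDb(host)

def connect_calls():
    return _STATE["connect_calls"]

RDS_HOST = os.environ.get("RDS_HOST", "rds-instance")   # assumption: host from env var

# Executes once per execution environment (cold start), not per invocation.
try:
    conn = connect(RDS_HOST)
except OSError as exc:
    logger.error("ERROR: could not connect at init: %s", exc)
    conn = None   # do not raise: a failed init would otherwise poison every later invocation

def get_conn():
    """Re-use the warm connection; rebuild it only if cold-start init failed."""
    global conn
    if conn is None:
        conn = connect(RDS_HOST)
    return conn

def handler(event, context):
    # Executes on every invocation; only the query runs here.
    if event.get("warmup"):       # constructed marker for a scheduled keep-warm event
        return {"warm": True}
    return {"rows": get_conn().query("SELECT 1")}
```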
    • 11. Accelerating Fargate and Lambda with Firecracker. Firecracker is open sourced to enable broad access and innovation: security by design, speed, scale and efficiency. New announcement: improved VPC networking for AWS Lambda functions.
    • 12. Abidin SUNAR – CTO, Foreks; Azmi MENGÜ – Backend Team Lead, Getir
    • 13. Lambda Layers let functions easily share code: upload a layer once, reference it from any function. Layers promote separation of responsibilities and let developers iterate faster on business logic. Built-in support for secure sharing within an ecosystem.
    • 14. AWS Step Functions: visualize in the console, define in JSON, monitor executions.
    • 15. AWS Serverless Application Model (AWS SAM): a template-driven resource management model optimized for serverless. New serverless resource types: functions, APIs, and tables. Supports anything AWS CloudFormation supports. Open specification (Apache 2.0). https://github.com/awslabs/serverless-application-model
    • 16. Useful Frameworks: Chalice; Serverless Framework https://serverless.com/framework/docs/providers/aws/guide/intro/
    • 17. AWS X-Ray is built for modern applications: analyze and debug issues quickly, get an end-to-end view of individual services, identify customer impact, with support for serverless.
    • 18. Serverless Observability with Thundra
        ●Tricky: understanding the async structure of serverless environments.
        ●Hard: reducing the MTTR in serverless environments.
        ●Impossible: using existing APM tools for Lambda, because they are not lightweight.
        Thundra aims to resolve the issues above by providing lightweight libraries in Java, Node.js, Python, .NET, and Go. With Thundra you can both get an overall picture of the most complex architecture and debug the code line by line. Plug it in with Lambda Layers and well-known deployment tools.
    • 19. Thank you. "No server is easier to manage than no server." – Werner Vogels, Amazon CTO. Never pay for idle and scale as you grow. Apply serverless patterns for common use cases: web applications, stream processing, data lakes, machine learning. What will you build with serverless?
    • 20. AWS Pop-up Loft | Istanbul. Please complete your session survey: Serverless best practices for security, configuration management, and cost optimization on AWS https://bit.ly/2kDB5qu
    • 21. Useful Frameworks for Serverless Web Apps
        •AWS Chalice – Python serverless framework https://github.com/aws/chalice – familiar decorator-based API similar to Flask/Bottle; comparable to the third-party frameworks Zappa and Claudia.js
        •AWS Serverless Express – run Node.js Express apps https://github.com/awslabs/aws-serverless-express
        •Java – HttpServlet, Spring, Spark and Jersey https://github.com/awslabs/aws-serverless-java-container
    • 22. Use DevOps tools to automate your serverless deployments – AWS CodeDeploy and Lambda canary deployments:
        •Direct a portion of traffic to a new version
        •Monitor stability with CloudWatch
        •Initiate rollback if needed
        •Incorporate into your SAM templates
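An added example, not from the talk: a small policy check over a SAM template (JSON form, which CloudFormation and SAM accept) for the practices the deck lists on slides 6, 8, 15 and 22: one IAM role per function, per-function concurrency limits, the memory and timeout limits, and a CodeDeploy canary DeploymentPreference. The template and its two functions are constructed for the example; the SAM property names used are real.

```python
import json
from collections import Counter

# Constructed SAM template: OrdersFn follows the deck's advice except for a shared
# role; ReportFn breaks most of it.
TEMPLATE = json.loads("""
{"Transform": "AWS::Serverless-2016-10-31",
 "Resources": {
  "SharedRole": {"Type": "AWS::IAM::Role", "Properties": {}},
  "OrdersFn": {"Type": "AWS::Serverless::Function", "Properties": {
    "Runtime": "python3.8", "Handler": "app.handler", "CodeUri": "orders/",
    "Role": {"Fn::GetAtt": ["SharedRole", "Arn"]},
    "MemorySize": 512, "Timeout": 30, "ReservedConcurrentExecutions": 20,
    "AutoPublishAlias": "live",
    "DeploymentPreference": {"Type": "Canary10Percent5Minutes",
                             "Alarms": [{"Ref": "OrdersErrorsAlarm"}]}}},
  "ReportFn": {"Type": "AWS::Serverless::Function", "Properties": {
    "Runtime": "python3.8", "Handler": "report.handler", "CodeUri": "report/",
    "Role": {"Fn::GetAtt": ["SharedRole", "Arn"]},
    "MemorySize": 1000, "Timeout": 1200}}}}
""")

def check_template(template):
    """Return {logical_id: [finding, ...]} for every AWS::Serverless::Function."""
    fns = {k: v.get("Properties", {}) for k, v in template.get("Resources", {}).items()
           if v.get("Type") == "AWS::Serverless::Function"}
    key = lambda role: json.dumps(role, sort_keys=True)   # intrinsic functions are dicts
    role_use = Counter(key(p["Role"]) for p in fns.values() if "Role" in p)
    findings = {}
    for name, p in fns.items():
        f = []
        if "Role" in p and role_use[key(p["Role"])] > 1:     # slide 6: IAM role per function
            f.append("role shared with another function (use one role per function)")
        mem = p.get("MemorySize", 128)                       # SAM default 128 MB
        if not (128 <= mem <= 3008 and mem % 64 == 0):       # slide 8 memory limit
            f.append(f"MemorySize {mem} outside 128-3008 MB in 64 MB steps")
        if p.get("Timeout", 3) > 900:                        # slide 8 timeout limit
            f.append(f"Timeout {p['Timeout']} s exceeds the 900 s maximum")
        if "ReservedConcurrentExecutions" not in p:          # slide 8: per-function limit
            f.append("no per-function concurrency limit set")
        if "DeploymentPreference" not in p:                  # slide 22: canary + rollback
            f.append("no DeploymentPreference (no CodeDeploy canary/rollback)")
        findings[name] = f
    return findings
```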