3. How and why did we
choose serverless?
Choosing serverless
https://commons.wikimedia.org/wiki/File:Grasshopper_in_green_field.jpghttps://commons.wikimedia.org/wiki/File:Connochaetes_taurinus_-Wildebeest_crossing_river_-East_Africa.jpg
@ben11kehoe
11. • Separation of concerns??
• Microservice SDKs
– Well-separated code
• Downside: instead of HTTP API
hiding, say, DB schema, it’s now
hidden in the SDK…on the client
side
– If I change the DB schema, I
need to update the callers as
well
– Highly-coupled deployments
• Bear with me
Latency & Cost @ben11kehoe
12. • So: deployments of highly-
coupled microservices
• …this is a monolith
• That’s ok!
• Code is still well-separated
• What does deployment look like?
Latency & Cost @ben11kehoe
27. • No need for complicated
abstraction layer
• Use SDK mocking
– placebo, aws-mock, etc.
– Microservice SDKs that just
use the AWS SDK to talk to
resources are now mocked
for free
Unit Testing @ben11kehoe
29. • Lambda env vars
• Service discovery (aaS?)
• VPC endpoints
• Automatic hash-based/ETag
versioning of Lambda
– Hash based purely on inputs
so it’s predictable
• Deployment
What’s still missing? @ben11kehoe
32. • Architecture: skip API Gateway
between microservices
– Lots of implications, pro and
con
– Primary driver for us is cost
• Security: CloudFront WAF is
possible for API Gateway
– A little bit of a Rube Goldberg
• Severless is a spectrum
• Integration testing only on deployed
systems
• Providers should support better
deployment models
Conclusion @ben11kehoe
We make physical things that you buy
i.e., you pay us once
The better our mechanical and electrical engineers do their jobs, the more the cloud costs us
We are therefore cost-conscious
A big chunk of our cost is AWS IoT
Why did we choose serverless?
First, what enabled us to choose it?
Migrating from previous IoT cloud provider
Communications layer from IoT cloud provider to AWS IoT
Backend from combination of IoT cloud provider’s hosted scripting, Azure, on-prem to AWS
Greenfield development
Second, why?
How to architect our system?
Microservices
Why?
Separate code into small independent units
Code is easier to understand, update, and test
Deployment occurs in smaller units
Organizational benefits
Especially if teams are build+run
Implementing microservices on AWS
Traditional: RPC, often over HTTP
Many alternatives, e.g., gRPC
Serverless: HTTP via API Gateway
Implications of API GW
Latency
Cost
Deployment
Discovery
Security
Alternative: directly access resources in other microservices
Red-black entire system
Ok, since you never pay for idle
Scalable in number of services, but not cadence
Two entire systems: how do you switch clients over?
DNSCloudFront custom domains
Separate service discovery service for clients to discover endpoints
Works well for multiple related endpoints (e.g., API Gateway, IoT)
Also multiregion
How to deploy service discovery service?
Service discovery all the way down
API Gateway + CloudFront
API Gateway uses CloudFront
Putting CloudFront in front of CloudFront
wat
Two key benefits we get from this insane-sounding pattern
Red-black switchover
WAF
API Gateway + CloudFront
API Gateway uses CloudFront
Putting CloudFront in front of CloudFront
wat
Two key benefits we get from this insane-sounding pattern
Red-black switchover
WAF
Update origin → red/black switch
Can update multiple origins together
WAF
Note! This breaks SigV4 auth
This is because of the way CF manipulates the Host header
How do you make sure traffic is coming from CloudFront?
API key in custom header
Usage plans mean multiple APIs can share keys
Scheduled Lambda to rotate key once/day (keep current + previous)
Directly hitting the resources means you can use IAM policies to limit this access. But with direct access to the resource, the payloads are not controlled.
Going through an API, access can be more tightly controlled.
Possible to go direct to Lambda
Serverless: not binary
Cloud Robotics
FaaS vs. SaaS vs. managed instances
Integration testing
Can’t do it locally
Can’t intercept service-to-service integrations
e.g., S3 bucket notification -> SNS
Stub/inject in SDK calls
When a client calls the “prod” stage, a Lambda gets invoked (like custom auth. after?). Returns stage to proxy and TTL
Built-in versions choosers
When a client calls the “prod” stage, a Lambda gets invoked (like custom auth. after?). Returns stage to proxy and TTL
Built-in versions choosers