The Life of a Serverless Microservice on AWS

In this post, I will demonstrate how you can develop, test, deploy, and operate a production-ready serverless microservice using the AWS ecosystem. The combination of AWS Lambda and Amazon API Gateway allows us to operate a REST endpoint without the need for any virtual machines. We will use Amazon DynamoDB as our database, Amazon CloudWatch for metrics and logs, and AWS CodeCommit and AWS CodePipeline as our delivery pipeline. In the end, you will know how to wire together a bunch of AWS services to run a system in production.

The Life

My idea of "The Life of a Serverless Microservice on AWS" is best described by this figure:

A developer pushes code changes to a repository. This git push triggers the CI & CD pipeline to deploy a new version of the service, which our users consume. The load generated on the system produces logs and metrics that the developer uses to operate the system. The operational feedback is used to improve the quality of the system.

What is Serverless?

Serverless or Function as a Service (FaaS) describes the idea that the deployment unit is a single function. A function takes input and returns output. The responsibility of the FaaS user is to develop the function, while the FaaS provider's responsibility is to execute the function whenever some event happens. The following figure demonstrates this idea.

Some possible events:
- File uploaded.
- E-Mail received.
- Database changed.
- Manual invocation.
- HTTP API called.
- Cron (scheduled).

The cool things about serverless architecture are:
- You only pay when the function is executed.
- No under/over provisioning.
- No boot time.
- No patching.
- No SSH.
- No load balancing.

Read more about Serverless Architectures if you are interested in the details.

What is a Microservice?

Imagine a small system where users have a publicly visible profile page with location information for that user. The idea of a microservice architecture is that you slice your system into smaller units around bounded contexts. I identified three of them:

- Authentication Service: Handles authentication.
- Location Service: Manages location information via a private HTTP API. Uses the Authentication Service internally to authenticate requests.
- Profile Service: Stores and retrieves the profile via a public HTTP API. Makes an internal call to the Location Service to retrieve the location information.

Each service gets its own database, and services only communicate with each other over well-defined APIs, never through each other's database!

Let's get started!

The source code and installation instructions can be found at the bottom of this page. Please use the us-east-1 region! We will use services that are not available in other AWS regions at the moment.

Code

AWS CodeCommit is a hosted Git repository that uses IAM for access control. You need to upload your public SSH key to your IAM user as shown in the following figure:

Creating a repository is simple. Just click on the Create new Repository button in the AWS Management Console. We need a repository for each service. You can then clone the repository locally with the following command. Replace $SSHKeyID with the SSH Key ID of your IAM user and $RepositoryName with the name of your repository.

git clone ssh://$$RepositoryName

We now have a home for our code.

Continuous Integration & Continuous Delivery

AWS CodePipeline is a service to manage a build and deployment pipeline. CodePipeline itself is only responsible for triggering integrations that do things like:
- Build.
- Test.
- Deploy.

We need a pipeline for each service that:
- Downloads the sources from CodeCommit if something changes there.
- Runs our tests and bundles the code in a zip file for Lambda.
- Deploys the zip file.

Luckily, CodePipeline has native support for downloading sources from CodeCommit. To run our tests, we will use a third-party integration to trigger Solano CI to run our tests and bundle the source files. The deployment step is implemented in a Lambda function that triggers a CloudFormation stack update. A CloudFormation stack is a bunch of AWS resources managed by CloudFormation based on a template that you provide (Infrastructure as Code). Read more about CloudFormation on our blog.

The following figure shows the pipeline:

The cool thing about CloudFormation is that you can define the pipeline itself in a template. So we get Pipeline as Code.

The CloudFormation template that is used for service deployment describes a Lambda function, a DynamoDB table, and an API Gateway. After deployment you will see one CloudFormation stack for each service:

We now have a CI & CD pipeline.

Service

We use a bunch of AWS services to run our microservices.

Amazon API Gateway

API Gateway is a service that offers a configurable REST API as a service. You describe what should happen if a certain HTTP method (GET, POST, PUT, DELETE, ...) is called on a certain HTTP resource (e.g. /user). In our case, we want to execute a Lambda function if an HTTP request comes in. API Gateway also takes care of mapping input and output data between formats. The following figure shows how this looks in the AWS Management Console for the Profile Service.

API Gateway is a fully managed service. You only pay for requests: no under/over provisioning, no boot time, no patching, no SSH, no load balancing. AWS takes care of all those aspects.

Read more about API Gateway on our blog.

AWS Lambda

To run code in AWS Lambda you need to:
- use one of the supported runtimes (Node.js (JavaScript), Python, JVM (Java, Scala, ...)),
- implement a predefined interface.

The interface in abstract terms requires a function that takes an input parameter and either returns void, returns something, or throws an error.

We will use the Node.js runtime, where a function implementation looks like this:

```javascript
exports.handler = function(event, context, cb) {
  console.log(JSON.stringify(event));
  // TODO do something
  cb(null, {name: 'Michael'});
};
```

In Node.js, the function is not expected to return something. Instead, you need to call the callback function cb that is passed into the function as a parameter. The first argument of cb is an error: cb(err) fails the invocation, while cb(null, result) returns result as the function's output.

The following figure shows how this looks in the AWS Management Console for the Profile Service.

AWS Lambda is a fully managed service. You only pay for function executions: no under/over provisioning, no boot time, no patching, no SSH, no load balancing. AWS takes care of all those aspects.

Read more about Lambda on our blog.

Amazon DynamoDB

DynamoDB is a key-value store or document store. You can look up values by their key. DynamoDB replicates across multiple Availability Zones (data centers); reads are eventually consistent by default, and a strongly consistent read can be requested per operation if your logic needs it.

The following figure shows how this looks in the AWS Management Console for the Authentication Service.

Amazon DynamoDB is a 99% managed service. The 1% that is up to you is that you need to provision read and write capacity. When your service makes more requests than provisioned, you will see throttling errors. So it is your job to monitor the consumed capacity and increase the provisioned capacity before you run out of it.

Read more about DynamoDB on our blog.

Request Flow

The three services work together in the following way: the user's HTTP request hits API Gateway. API Gateway checks if the request is valid; if so, it invokes the Lambda function. The function makes one or more requests to the database and executes some business logic. The result of the function is then transformed into an HTTP response by API Gateway.

We now have an environment to run our microservices.

Logs, Metrics, and Alerting

A black box is very hard to operate. That's why we need as much information from the inside of the system as possible. AWS CloudWatch is the right place to store and analyze this kind of information:
- Metrics (numbers).
- Logs (text).

CloudWatch also lets you define alarms on metrics. The following figure demonstrates how the pieces work together.

Operational insights that you get out of the box:
- Lambda writes STDOUT and STDERR to CloudWatch Logs.
- Lambda publishes metrics to CloudWatch about the number of invocations, runtime duration, the number of failures, etc.
- API Gateway publishes metrics about the number of requests, 4XX and 5XX response codes, etc.
- DynamoDB publishes metrics about consumed capacity, the number of requests, etc.

The following figure shows a CloudWatch alarm that is triggered if the number of throttled read requests of the Location Service DynamoDB table is greater than or equal to one. This situation indicates that the provisioned capacity is not sufficient to serve the traffic.

With all those metrics and alarms in place, we can now be confident that we receive an alert if our system is not working properly.

Summary

You can run a high-quality system on AWS by only using managed services. This approach frees you from many operational tasks that are not directly related to your service. Think of operating a monitoring system, a log index system, a database, virtual machines, etc. Instead, you can focus on operating and improving your service's code.

The following figure shows the overall architecture of our system:

Serverless or FaaS does not force you to use a specific framework. As long as you are fine with the interface (a function with input and output), you can do whatever you want inside your function to produce an output with the given input.

Read more

China moves closer to adopting controversial cybersecurity law

BEIJING - China moved closer on Monday to adopting a controversial cybersecurity law, after parliament held a second reading of the draft rules, which carry significant consequences for domestic and foreign business and threaten greater censorship.

China enforces widespread controls over the internet that it has sought to codify in law, and Chinese laws often go through multiple readings and drafts before they are adopted.

The draft, presented before the standing committee of the National People's Congress, requires network operators to comply with social morals and accept the supervision of the government and public, official news agency Xinhua said.

It also reiterated that Chinese citizens' personal data, as well as "important business data", must be stored domestically, adding that those wishing to provide that information overseas faced a government security evaluation.

Parliament has not yet published the full second draft of the cybersecurity law and it is not clear when it may be passed.

Cybersecurity has been a particularly irksome area in China's relations with economic partners such as the United States and the European Union, which see many recently proposed rules as unfair to foreign firms.

Chinese officials say internet restrictions, including the blocking of popular foreign sites like Google and Facebook, are needed to ensure security against growing threats, such as terrorism.

The first draft of the cybersecurity law, published almost a year ago, stiffened user privacy protection from hackers and data resellers but also boosted the government's powers to access and block dissemination of private information records that Chinese law deems illegal.

China's broadly defined regulations have been a source of concern, especially for foreign governments, multinational companies and rights activists, which worry that the government can interpret the law as it sees fit.

Chinese companies have also been on the receiving end of government efforts to tighten control of the internet. Regulators last month set limits on the number of lucrative healthcare advertisements carried by Baidu Inc after a student died following an experimental cancer treatment he uncovered by using China's biggest internet search engine.

(Reporting by Paul Carsten and Michael Martina; Editing by Clarence Fernandez)

Read more

AWS Weekly 2016 #24

Monday, June 13
- Cloud Academy explained Everything You Ever Wanted to Know about Amazon Kinesis Firehose.

Tuesday, June 14
- AWS SES Blog announced Amazon SES Now Supports Email Headers in Notifications.
- AWS announced More Details from Service Last Accessed Data.
- AWS announced AWS Config offers a new rule for assessing license compliance.
- AWS announced New Edge Location in New Delhi, India for Amazon CloudFront and Amazon Route 53.
- Server Density Blog wrote about How Spotify and GOV.UK handle on call, and more.

Wednesday, June 15
- AWS announced Standardized Architecture for NIST High-Impact Controls on AWS Featuring Trend Micro Deep Security.
- AWS announced New AWS Public Data Set - IRS 990 Filing Data.
- AWS announced AWS CodeDeploy Available in Asia Pacific (Seoul) Region.
- AWS announced Amazon RDS for PostgreSQL now supports cross-region read replicas.
- Cloud Academy blogged about How to Deploy Apache Storm on AWS with Storm-Deploy.

Thursday, June 16
- AWS announced New Amazon EC2 Spot Console Now Supports Spot Fleet and Spot Blocks.
- AWS announced Amazon CloudWatch Events Available in the South America (São Paulo) and Asia Pacific (Seoul) Regions.
- Trek10 wrote about Serverless Secrets.

Friday, June 17
- AWS announced Oracle Repository Creation Utility (RCU) and April PSU Patches are now available for Amazon RDS for Oracle.

Is anything missing? Looking forward to your feedback! @andreaswittig or Read more

mLab Launches Private Environments on AWS

mLab, the fully managed cloud database service featuring automated provisioning, scaling, and management of MongoDB databases, today announced the private beta of Private Environments. mLab Private Environments are virtual private networks that customers can provision to house their various database deployments hosted with mLab.

Private Environments provide the security benefits of self-hosting database deployments without the headache of self-hosting. With Private Environments, customers can use all of the traditional network security best practices and techniques for designing their application. Customers can:

- Isolate their database from public networks while allowing secure access to their application infrastructure.
- Create sophisticated network topologies to ensure least-privilege access to their database deployments using CIDR ranges and AWS Security Groups.
- Auto-scale their application tier without having to modify database firewall rules.

"As an early beta user of Private Environments, we've appreciated the added level of security it provides," said Chris Lambert, CTO, Lyft. "The private network created by Private Environments keeps our infrastructure secure as we continue to grow, and makes it easy for our team to provision new application servers and auto-scale without needing to modify database firewall rules. We've been using mLab's cloud-hosted MongoDB for several years and it has played a big role in helping Lyft scale."

The new solution is engineered to be a novel way for customers to use virtual private networks through a DBaaS provider. With Private Environments, mLab has created an isolated and self-contained solution that securely and seamlessly integrates into an existing stack as though the databases were inside a customer's own VPC. The result is network security that is both operationally easy and flexible.

mLab's cloud database-as-a-service platform hosts over 300,000 MongoDB deployments, powering companies like Turner, Lyft, and Whole Foods Market. Private Environments is the first of several releases slated for 2016 as mLab continues to debut new cloud infrastructure capabilities.

"mLab is hands-down the easiest way to run MongoDB on AWS," said Will Shulman, CEO, mLab. "We believe that constantly managing database infrastructure isn't something most developers should have to worry about; mLab's platform and tools are designed to automatically provision, host, scale, monitor and back up your MongoDB databases. Private Environments is a powerful new capability that furthers mLab's goal of providing cloud infrastructure solutions that are both simple and secure. We're excited for developers to try it out."

Read more

How to Easily Sync Web and Mobile Experiences

Becoming a VIP

Imagine you just signed up for Amazon's VIP checkout experience. In this hypothetical experience, you can click a VIP button that allows you to shop for brand new items not yet available to normal Amazon customers. "This is awesome!" you say to yourself, as you view the VIP item list in your laptop's browser.

But now you have to head to the bus and go to work, and you still want to browse for items using the Amazon app. Because Amazon uses feature flags, your mobile experience is automatically personalized to include the VIP experience. Cool! Now your web and mobile experiences are synced instantly.

Cross-Platform Personalization With Feature Flags

Feature flagging is a way to wrap features in conditionals (if/else statements) so that you can control the visibility of those features over time. In other words, you can deploy a feature as 'off' and turn it 'on' at a later time, or you can gradually roll out a feature to select users. So, imagine you feature flag the VIP checkout. You can create a rule that says: "Any user who opts into the VIP program will get TRUE for the feature and everyone else will get FALSE." Users who are assigned the TRUE variation will see the VIP feature and those who are assigned the FALSE variation will not.

What is great about this method is that you can use the same feature flag to control the VIP checkout for both the web and mobile versions of an application, as long as the flag is evaluated against the same user identity on both platforms. Some more benefits of cross-platform feature flagging include:

- The ability to decide whether to release a cross-platform feature simultaneously or separately, with full control over who gets to see that feature. For example, web users might get access to a new search bar before mobile users do.
- Real-time personalization that allows users to opt in to new features on one platform (like mobile) and have that personalization sync with another platform (like web).
- Percentage rollouts that allow you to gradually release a feature to targeted users on different platforms, allowing you to assess user and performance feedback for each platform.
- A kill switch that lets you turn off poorly performing features for web and mobile, without having to redeploy.
- Subscription plan management using feature flags to bundle cross-platform features into different tiers (e.g. to create Bronze, Gold, and VIP plans).

Summary

Cross-platform feature flagging is an easy way to deliver personalized and synchronized user experiences across different platforms. Overall, it is paving the way for a new genre of user experience personalization, where companies can harness real-time user feedback to customize features across different platforms. This could usher in an era where users do not have to adapt their behavior to an app: the app will adapt to them.

Read more
