PUBLIC SECTOR SUMMIT, WASHINGTON, DC
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building a Critical Communications Platform using Serverless Technologies (session 301189)
Doug Gartner, Sr. Solutions Architect, Amazon Web Services
McLanahan Stevens, Development Manager, Spok
Related breakouts
295292: To Infinity and Beyond: What's new with Serverless (George Mao – Sr. Serverless Specialist SA, AWS)
301201: Built & Delivered in 6 months: Using Serverless Technical Patterns and Microservices (Len Henry - Senior Solutions Architect, AWS; Jack McGurk - Executive Director, The College Board)
Agenda
Serverless Review
AWS Lambda Best Practices and
Optimizations
Spok Introduction
Journey to 100% Serverless
Serverless Orchestration Deep-Dive
Lessons Learned
Serverless Review
No infrastructure provisioning, no management
Automatic scaling
Pay for value
Highly available and secure
COMPUTE: AWS Lambda, AWS Fargate
DATA STORES: Amazon Aurora Serverless, Amazon S3, Amazon DynamoDB
INTEGRATION: Amazon API Gateway, Amazon Simple Notification Service (Amazon SNS), Amazon Simple Queue Service (Amazon SQS), AWS Step Functions, AWS AppSync, Amazon Cognito
Making development easier with AWS Lambda
Trillions of executions every month for hundreds of thousands of active customers
Accessible for all developers: support for all runtimes with Lambda Layers and the Runtime API; ISO, PCI, HIPAA, SOC, GDPR, and FedRAMP compliances; 15 minute functions
Enable new application patterns: Amazon SQS for Lambda; Automatic Load Balancing for Lambda; support for Kinesis Data Streams Enhanced Fan-Out and HTTP/2
Greater productivity: toolkits for popular IDEs (VSCode, IntelliJ, and PyCharm); simplified deployment with nested apps
AWS Lambda Best Practices and Optimizations
Lambda lifecycle
1. Launch Execution Container
2. Bootstrap
3. Execute
4. Freeze Container
5. Thaw Container
Cold start: Understand the function lifecycle
Full cold start: Download your code → Start new container → Bootstrap the runtime → Start your code
Partial cold start: Bootstrap the runtime → Start your code
Warm start: Start your code
AWS optimization covers downloading your code and starting the new container; your optimization covers bootstrapping the runtime and starting your code.
Cold start: Understand the function lifecycle (VPC)
Full cold start: Download your code → Start new container → Create VPC ENI → Attach VPC ENI → Bootstrap runtime → Start your code
Partial cold start: Bootstrap runtime → Start your code
Warm start: Start your code
AWS optimization covers downloading your code, starting the new container and creating/attaching the VPC ENI; your optimization covers bootstrapping the runtime and starting your code.
Diagram: a Lambda worker running your function, with an ENI in your VPC; outbound traffic leaves through a local NAT.
Diagram: the same worker and ENI in your VPC, with outbound traffic leaving through a remote NAT.
Lambda function runtimes
Choose dependencies/frameworks carefully
Interpreted languages initialize much quicker but are not necessarily faster overall
Separate business logic from the Lambda handler
Leverage container reuse
    import boto3
    import db_client  # stands in for your database driver module

    # Module scope runs once per execution container and is reused on warm starts
    s3 = boto3.resource('s3')
    db = db_client.connect()

    def lambda_handler(event, context):
        global db
        # verify the pooled connection is still usable after a freeze/thaw;
        # otherwise carry on with it ('open' is driver-specific)
        if db is None or not db.open:
            db = db_client.connect()
        ...
Use global scope wisely: functions stay warm for ~5 minutes without VPC and ~15 with VPC.
Don’t load it if you don’t need it: cold starts are affected.
Separate business logic from function signature
    import json
    from todo import Todo  # your application module (hypothetical name); the handler only adapts the event

    app = Todo()

    def lambda_handler(event, context):
        ret = app.dispatch(event)
        return {
            'statusCode': ret["status_code"],
            'headers': ret["headers"],
            'body': json.dumps(ret["body"])
        }
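The two patterns above (reuse module-level state across warm invocations, and keep the handler a thin adapter over business logic) combined in one runnable example. This is an added illustration, not code from the slides or from Spok; `FakeDbClient` and `Todo` are constructed stand-ins for a real database driver and application, and the event shape follows the API Gateway proxy integration (`httpMethod`, `path`, `body`).

```python
# Added example (not from the slides): module-level state reused across warm
# invocations, a liveness check before reusing it, and business logic kept
# out of the handler so it can be unit-tested without Lambda or API Gateway.
# FakeDbClient and Todo are constructed stand-ins for a real driver and app.
import json


class FakeDbClient:
    """Constructed stand-in for a database driver connection."""
    connections_opened = 0  # how many connections this container would have opened

    def __init__(self):
        FakeDbClient.connections_opened += 1
        self.open = True

    @classmethod
    def connect(cls):
        return cls()

    def ping(self):
        # A real driver would round-trip to the server here.
        return self.open


class Todo:
    """Business logic: an in-memory to-do store that knows nothing about Lambda events."""

    def __init__(self):
        self.items = {}

    def dispatch(self, method, path, body):
        if path != "/todos":
            return self._response(404, {"error": "not found"})
        if method == "GET":
            return self._response(200, list(self.items.values()))
        if method == "POST":
            item = {"id": len(self.items) + 1, "title": body.get("title", "")}
            self.items[item["id"]] = item
            return self._response(201, item)
        return self._response(405, {"error": "method not allowed"})

    @staticmethod
    def _response(status, body):
        return {"status_code": status, "headers": {"Content-Type": "application/json"}, "body": body}


# Module scope runs once per execution container and is reused by warm invocations.
app = Todo()
db = None


def get_db():
    """Reconnect only when there is no connection or it stopped answering."""
    global db
    if db is None or not db.ping():
        db = FakeDbClient.connect()
    return db


def simulate_dropped_connection():
    """Test hook: mimic the server closing the pooled connection during a freeze."""
    if db is not None:
        db.open = False


def connections_opened():
    return FakeDbClient.connections_opened


def lambda_handler(event, context=None):
    """Thin adapter: unpack the API Gateway proxy event, delegate, pack the reply."""
    get_db()
    body = json.loads(event.get("body") or "{}")
    ret = app.dispatch(event.get("httpMethod", "GET"), event.get("path", "/"), body)
    return {
        "statusCode": ret["status_code"],
        "headers": ret["headers"],
        "body": json.dumps(ret["body"]),
    }


if __name__ == "__main__":
    print(lambda_handler({"httpMethod": "POST", "path": "/todos", "body": '{"title": "page on-call"}'}))
    print(lambda_handler({"httpMethod": "GET", "path": "/todos"}))
```

Because `Todo.dispatch` takes plain arguments, it can be tested directly with no Lambda context, and the handler's only job is translating the event and the response; the reconnect check runs per invocation but only pays for a new connection after a real drop.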
Tweak your function’s power
Lambda exposes only a memory control; the share of a CPU core and the network capacity allocated to a function scale proportionally with it.
Is your code CPU-, network- or memory-bound? If so, it could be cheaper to choose more memory.
Smart resource allocation
Match resource allocation (up to 3 GB!) to logic
Stats for a Lambda function that calculates all prime numbers <= 1000000, run for 1000 iterations (best values in green and worst in red on the slide):
Memory    Duration        Cost
128 MB    11.722965 sec   $0.024628
256 MB    6.678945 sec    $0.028035
512 MB    3.194954 sec    $0.026830
1024 MB   1.465984 sec    $0.024638
Going from 128 MB to 1024 MB: +$0.00001 in cost, -10.256981 sec in duration
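The table above follows from Lambda's pricing formula (memory share × duration × GB-second rate, plus a per-request charge), so the comparison can be recomputed for any set of measurements. The following is an added example, not the slide authors' code; it assumes the 2019 public rates that the slide's figures line up with ($0.00001667 per GB-second, $0.20 per million requests) and ignores the 100 ms billing rounding of that era.

```python
# Added example (not from the slides): reproduce the slide's duration/cost table
# from Lambda's pricing formula and compare memory settings. Rates are assumed to be
# the 2019 public prices the slide figures line up with: $0.00001667 per GB-second
# and $0.20 per million requests; the 100 ms billing rounding of that era is ignored.
PRICE_PER_GB_SECOND = 0.00001667
PRICE_PER_REQUEST = 0.20 / 1_000_000

# Durations measured on the slide: one invocation computing all primes <= 1,000,000
# at each memory setting, repeated for 1000 iterations.
MEASURED_SECONDS = {128: 11.722965, 256: 6.678945, 512: 3.194954, 1024: 1.465984}
ITERATIONS = 1000


def run_cost(memory_mb, seconds, iterations=ITERATIONS):
    """Total charge for `iterations` invocations at `memory_mb` lasting `seconds` each."""
    gb_seconds = (memory_mb / 1024) * seconds * iterations
    return gb_seconds * PRICE_PER_GB_SECOND + iterations * PRICE_PER_REQUEST


def cost_table(measurements=MEASURED_SECONDS, iterations=ITERATIONS):
    """Memory setting -> cost, rounded to the six decimals the slide shows."""
    return {mb: round(run_cost(mb, s, iterations), 6) for mb, s in measurements.items()}


def best_settings(measurements=MEASURED_SECONDS, iterations=ITERATIONS):
    """(fastest memory setting, cheapest memory setting)."""
    fastest = min(measurements, key=measurements.get)
    cheapest = min(measurements, key=lambda mb: run_cost(mb, measurements[mb], iterations))
    return fastest, cheapest


def compare(from_mb, to_mb, measurements=MEASURED_SECONDS, iterations=ITERATIONS):
    """(cost delta, duration delta) of moving from one memory setting to another."""
    cost_delta = (run_cost(to_mb, measurements[to_mb], iterations)
                  - run_cost(from_mb, measurements[from_mb], iterations))
    time_delta = measurements[to_mb] - measurements[from_mb]
    return round(cost_delta, 5), round(time_delta, 6)


if __name__ == "__main__":
    for mb, cost in cost_table().items():
        print(f"{mb:5d} MB  {MEASURED_SECONDS[mb]:10.6f} sec  ${cost:.6f}")
    print("fastest, cheapest:", best_settings())
    print("128 MB -> 1024 MB (cost delta, time delta):", compare(128, 1024))
```

For a CPU-bound function the duration falls roughly in proportion to the memory increase, which is why the 1024 MB setting finishes eight times sooner for about the same money; replace `MEASURED_SECONDS` with your own timings to see where that proportionality stops for your code.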
Other Best Practices
• Know the limits and concurrency behavior
• Minimize package size to necessities
• Avoid using recursive code in your Lambda function
• Use Environment Variables to modify operational behavior
• Self-contain dependencies in your function package
• Delete large unused functions (75GB limit)
• Consider using layers for reuse
https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
Lambda Layers
Lets functions easily share code: upload a layer once, reference it within any function
Promotes separation of responsibilities; lets developers iterate faster on writing business logic
Built-in support for secure sharing by ecosystem
Using Lambda Layers
• Put common components in a ZIP file and upload it as a Lambda Layer
• Layers are immutable and can be versioned to manage updates
• When a version is deleted or permissions to use it are revoked, functions that used it previously will continue to work, but you won’t be able to create new ones
• You can reference up to five layers, one of which can optionally be a custom runtime
Layer versions are addressed by ARN, for example:
arn:aws:lambda:region:accountId:layer:shared-lib
arn:aws:lambda:region:accountId:layer:shared-lib:2
arn:aws:lambda:region:accountId:layer:shared-lib:3
Lambda Runtime API
Bring any Linux-compatible language runtime
Powered by the Runtime API, which codifies the runtime calling conventions and integration points
At launch, custom runtimes powered Ruby support in AWS Lambda, with more runtimes from partners (like Erlang)
Custom runtimes are distributed as “layers”
Build PCI and HIPAA compliant serverless applications!
Serverless platform services that can be used in both:
AWS Lambda, Amazon Simple Storage Service (S3), Amazon CloudFront, Amazon API Gateway, Amazon DynamoDB, Amazon Kinesis Data Streams, Amazon Cognito, AWS Step Functions, Amazon SNS, Amazon SQS
Critical Events
CODE STEMI
CODE STEMI – Behind the scenes
Notification channels shown in the diagram: Console, Mobile, Pager, Phone
SaaS Pipeline
Pipeline diagram stages: Dev, Build, Test, Release Candidate, System Test, Deploy
Original Infrastructure
Diagram: Users → Application Load Balancing (ALB) → Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group; each EC2 instance runs multiple Docker containers
Going Serverless
Initial Test Architecture
Diagram: Users → Amazon Route 53 → Amazon API Gateway → .Net Core Lambda {Proxy} → Amazon DynamoDB
.Net Core Web Service
.Net Core Lambda
.Net Core Local
    using Microsoft.AspNetCore;
    using Microsoft.AspNetCore.Hosting;

    // Runs the same ASP.NET Core Startup as a local web host for development and tests
    public class LocalEntryPoint
    {
        public static void Main(string[] args)
        {
            BuildWebHost(args).Run();
        }

        public static IWebHost BuildWebHost(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                .UseStartup<Startup>()
                .Build();
    }
.Net Core Lambda
    using Microsoft.AspNetCore.Hosting;

    // Same Startup, hosted behind API Gateway's proxy integration instead of Kestrel
    public class LambdaEntryPoint : Amazon.Lambda.AspNetCoreServer.APIGatewayProxyFunction
    {
        protected override void Init(IWebHostBuilder builder)
        {
            builder
                .UseStartup<Startup>();
        }
    }
Security Practices
Keep IAM policies locked down
(and watch them)
Lock Down Your Policies
Before: wildcard actions on every resource
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "lambda:*",
            "logs:*",
            "dynamodb:*"
          ],
          "Resource": "*"
        }
      ]
    }
After: only the actions the function needs, scoped to named resources
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "logs:PutLogEvents",
            "dynamodb:GetRecords"
          ],
          "Resource": [
            "arn:aws:dynamodb:us-east-1:1234567890:table/NiftyTable",
            …
          ]
        }
      ]
    }
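"Watch them" can be partly automated: a check that runs in the pipeline before a policy is deployed, or over existing policies on a schedule, catches statements like the first one above. Below is an added example, not code from the slides or from Spok; it is a static check over the policy JSON (not a replacement for IAM Access Analyzer), the two policy documents are the slide's completed into valid JSON, and the log-group ARN in the locked-down policy is a constructed placeholder where the slide was cut off.

```python
# Added example (not from the slides): a pre-deployment check that flags the
# over-broad grants shown above (service-wide "*" actions, "*" resources,
# NotAction/NotResource) so a policy like the first one is caught before it
# reaches an account. The policies are the slide's, completed into valid JSON;
# the log-group ARN in the locked-down one is a constructed placeholder.
import json

BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:*", "logs:*", "dynamodb:*"],
        "Resource": "*",
    }],
})

LOCKED_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:InvokeFunction", "logs:PutLogEvents", "dynamodb:GetRecords"],
        "Resource": [
            "arn:aws:dynamodb:us-east-1:1234567890:table/NiftyTable",
            # constructed placeholder for the entry the slide cut off
            "arn:aws:logs:us-east-1:1234567890:log-group:/aws/lambda/PLACEHOLDER-FUNCTION:*",
        ],
    }],
})


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_policy_issues(policy_json):
    """Return human-readable findings for Allow statements; an empty list means none found."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        where = f"statement {index}"
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"{where}: {key} allows everything except the listed items")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"{where}: Action '*' grants every API of every service")
            elif action.endswith(":*"):
                findings.append(f"{where}: Action '{action}' grants every API of the service")
        if any(resource == "*" for resource in _as_list(stmt.get("Resource", []))):
            findings.append(f"{where}: Resource '*' applies to every resource in the account")
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("locked down", LOCKED_DOWN_POLICY)):
        print(name, find_policy_issues(doc) or ["no wildcard grants found"])
```

Failing the build on a non-empty finding list keeps the wide policy out of the account; the same function run over policies pulled from IAM on a schedule is the "watch them" half of the slide's advice.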
Security Practices (continued)
Use MFA
Assume someone will leak an access key
DynamoDb Tables
Orchestration
AWS CloudFormation
Bootstrapper
Templates
Reference Architecture
Diagram services: Users, Amazon Route 53, Amazon CloudFront, Amazon Simple Storage Service (S3), Amazon API Gateway, Service Lambda and Event Lambda (AWS Lambda), Amazon Simple Queue Service, Amazon Kinesis, Amazon DynamoDB, Amazon CloudWatch, AWS CloudFormation
Recap
• Lambda allows your team to move faster with less expense.
• Developers will need direct access to AWS; give it to them in a separate account and watch it carefully. Infrastructure should always be done as code.
• Review your environment on a regular basis. Make sure resources are getting cleaned up.
• Keep IAM locked down. Use MFA and assume a key is going to leak.
• Follow best practices by leveraging AWS educational material.
Thank you!
Doug Gartner, AWS
McLanahan Stevens, Spok
