Building Serverless APIs With the AWS API Gateway and AWS AppSync

Serverless means...
• No servers to provision or manage
• Scales with usage
• Never pay for idle
• Availability and fault tolerance built in

EVENT SOURCE -> FUNCTION -> SERVICES (ANYTHING)
• Event sources: changes in data state, requests to endpoints, changes in resource state
• Function runtimes: Node.js, Python, Java, C#, Go

Serverless applications using AWS Lambda
Bring your own code
• Node.js, Java, Python, C#, Go
• Bring your own libraries (even native ones)
Simple resource model
• Select power rating from 128 MB to 3 GB
• CPU and network allocated proportionately
Flexible use
• Synchronous or asynchronous
• Integrated with other AWS services
Flexible authorization
• Securely grant access to resources and VPCs
• Fine-grained control for invoking your functions

Lambda permissions model
Fine-grained security controls for both execution and invocation:
Execution policies (the IAM role the function runs as):
• Define which AWS resources/API calls this function can access via IAM
• Also used for stream-based invocations, because the Lambda service polls the stream with the function's execution role
• E.g. "Lambda function A can read from DynamoDB table users"
Function policies (resource-based policies attached to the function):
• Used for sync and async invocations: they state who is allowed to invoke the function
• E.g. "Actions on bucket X can invoke Lambda function Z"
• Resource policies allow for cross-account access

Lambda execution model
• Synchronous (push): the caller invokes the function and waits for the result, e.g. Amazon API Gateway (/order) -> AWS Lambda function
• Asynchronous (event): the event source hands the event to Lambda, which invokes the function, e.g. Amazon S3 or Amazon SNS -> AWS Lambda function
• Stream-based: the Lambda service polls the stream and invokes the function with batches of records, e.g. Amazon Kinesis or Amazon DynamoDB changes -> AWS Lambda service -> function

Using AWS Lambda
Authoring functions
• Cloud9
• WYSIWYG editor or upload packaged .zip
• Third-party plugins (Eclipse, Visual Studio)
Monitoring and logging
• Metrics for requests, errors, and throttles
• Built-in logs to Amazon CloudWatch Logs
• X-Ray integration
Programming model
• Use processes, threads, /tmp, sockets normally
• AWS SDK built in (Python and Node.js)
Stateless
• Persist data using external storage
• No affinity or access to underlying infrastructure

Anatomy of a Lambda function
• Handler() function: the function to be executed upon invocation
• Event object: data sent during Lambda function invocation
• Context object: methods available to interact with runtime information (request ID, log group, etc.)

    public String handleRequest(Book book, Context context) {
        saveBook(book);
        return book.getName() + " saved!";
    }

Event sources that trigger AWS Lambda
• DATA STORES: Amazon S3, Amazon DynamoDB, Amazon Kinesis, Amazon Cognito
• ENDPOINTS: Amazon API Gateway, Amazon Alexa, AWS IoT, AWS Step Functions
• DEVELOPMENT AND MANAGEMENT TOOLS: AWS CloudFormation, AWS CloudTrail, Amazon CloudWatch, AWS CodeCommit
• EVENT/MESSAGE SERVICES: Amazon SNS, Amazon SES, Cron events
...and more!

Fine-grained pricing
• Buy compute time in 100 ms increments
• Low request charge
• No hourly, daily, or monthly minimums
• No per-device fees
• Never pay for idle
Free Tier: 1M requests and 400,000 GB-s of compute. Every month, every customer.
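The handler/event/context anatomy above, as an added example in Python rather than the deck's Java fragment (this is not code from the original slides). It is the synchronous case: API Gateway forwards a POST /order as a proxy event, the handler validates the untrusted body, takes the caller's address from requestContext rather than from the body, and returns the response shape API Gateway expects. The event, the FakeContext class and the in-memory ORDERS dict are constructed stand-ins so the function runs offline; in a deployed function the order would be written to DynamoDB through boto3 and the context object is supplied by the runtime.

```python
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Stand-in for external storage. Lambda functions are stateless, so a real
# function would write to DynamoDB through boto3; the dict keeps the example
# runnable offline.
ORDERS = {}


def _response(status, body, request_id):
    """Response shape API Gateway expects from a Lambda proxy integration."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json",
                    "X-Request-Id": request_id},
        "body": json.dumps(body),
    }


def handler(event, context):
    """Handler() function: configured in Lambda as <module>.handler.
    event   = API Gateway proxy event (method, path, headers, body, ...)
    context = runtime information; aws_request_id ties log lines to the request."""
    request_id = getattr(context, "aws_request_id", "unknown")
    try:
        body = json.loads(event.get("body") or "{}")
    except ValueError:
        return _response(400, {"error": "body is not valid JSON"}, request_id)
    # Validate the untrusted body before touching storage.
    item = body.get("item") if isinstance(body, dict) else None
    qty = body.get("quantity") if isinstance(body, dict) else None
    if (not isinstance(item, str) or not item
            or isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0):
        return _response(400, {"error": "item (non-empty string) and "
                               "quantity (positive integer) are required"},
                         request_id)
    # Caller attributes come from API Gateway's requestContext, never from
    # the body the client controls.
    source_ip = (event.get("requestContext", {})
                 .get("identity", {}).get("sourceIp", "unknown"))
    order_id = f"ord-{len(ORDERS) + 1:06d}"
    ORDERS[order_id] = {"item": item, "quantity": qty, "sourceIp": source_ip}
    logger.info("request %s created %s from %s", request_id, order_id, source_ip)
    return _response(201, {"orderId": order_id}, request_id)


class FakeContext:
    """Constructed stand-in for the Lambda context object."""
    aws_request_id = "00000000-0000-0000-0000-000000000001"
    function_name = "order-handler"
    log_group_name = "/aws/lambda/order-handler"


# Constructed API Gateway proxy event for a synchronous POST /order.
SAMPLE_EVENT = {
    "httpMethod": "POST",
    "path": "/order",
    "headers": {"Content-Type": "application/json"},
    "body": json.dumps({"item": "book", "quantity": 2}),
    "requestContext": {"identity": {"sourceIp": "203.0.113.10"}},
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, FakeContext()))
```

Returning a 4XX from the handler (rather than raising) matters with a proxy integration: an uncaught exception surfaces as a generic 502 from API Gateway, and the validation failure is lost from the client's point of view.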
Common Lambda use cases
Web applications
• Static websites
• Complex web apps
• Packages for Flask and Express
Data processing
• Real time
• MapReduce
• Batch
Chatbots
• Powering chatbot logic
Backends
• Apps & services
• Mobile
• IoT
Amazon Alexa
• Powering voice-enabled apps
• Alexa Skills Kit
IT automation
• Policy engines
• Extending AWS services
• Infrastructure management

Amazon API Gateway
• Create a unified API frontend for multiple microservices
• Authenticate and authorize requests to a backend
• DDoS protection and throttling for your backend
• Throttle, meter, and monetize API usage by third-party developers

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

API Gateway integrations
Clients on the Internet (mobile apps, websites, services) reach Amazon API Gateway either through Amazon CloudFront (edge-optimized) or via regional API endpoints; the gateway adds a cache and Amazon CloudWatch monitoring and forwards requests to:
• AWS Lambda functions
• Endpoints on Amazon EC2
• Endpoints in your VPC
• All publicly accessible endpoints
• Any other AWS service

Amazon API Gateway security
Several mechanisms for adding authn/authz to our API:
• IAM permissions: use IAM policies and AWS credentials (Signature V4 signed requests) to grant access
• Custom authorizers: use Lambda to validate a bearer token (OAuth or SAML, for example) or request parameters, and grant access
• Cognito User Pools: a completely managed user management system

Authentication type comparison (TOKEN and REQUEST are the two kinds of custom Lambda authorizer)
Feature                     AWS_IAM   TOKEN                       REQUEST                     COGNITO
Authentication              X         X                           X                           X
Authorization               X         X                           X
Signature V4                X
Cognito User Pools                    X                           X                           X
Third-party authentication            X                           X
Multiple header support                                           X
Additional costs            NONE      Pay per authorizer invoke   Pay per authorizer invoke   NONE

Gateway responses
Allows customization of various error responses:
• Change HTTP status code
• Modify body content
• Add headers
Can customize specific responses and/or modify the default 4XX/5XX responses

API Gateway throttling
Three levels of throttling for APIs:
• API key level throttling: configurable in a usage plan
• Method level throttling: configurable in stage settings
• Account level throttling: limits can be increased (by request to AWS)
Token bucket algorithm:
• Burst: the maximum size of the bucket (how many requests can arrive at once)
• Rate: the number of tokens added to the bucket per second (the steady-state requests per second)
Requests that find the bucket empty are rejected with HTTP 429 Too Many Requests.

API Gateway usage plans
• API key throttling: rate/burst per API key
• API key quota: periodic limits per API key
• API key usage: daily usage records
Note that an API key identifies a client for metering and throttling; it is not an authentication mechanism and should be combined with one of the authorizers above.

Custom domains
• Run your APIs within your own DNS zone
• Recommended for supporting multiple versions:
    api.tampr.com/v1 -> restapi1
    api.tampr.com/v2 -> restapi2
• NEW: support for cross-region redundancy with regional API endpoints
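The custom authorizer row of the comparison above, as an added example (not code from the deck or from AWS): a TOKEN-type Lambda authorizer that validates a bearer token and returns the IAM policy document API Gateway enforces and caches. The token format (base64url JSON claims plus an HMAC-SHA256 tag), the shared SECRET and the issue_token helper are assumptions made so the block runs offline; a real authorizer would verify a JWT from your identity provider or Cognito and fetch key material from Secrets Manager or a JWKS endpoint. The extra now keyword on handler exists only for deterministic testing.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret; load from Secrets Manager in a real deployment.
SECRET = b"example-shared-secret-do-not-use"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, scope: str, ttl: int = 300, now=None) -> str:
    """Mint a token for testing; the authorizer itself never mints tokens."""
    now = int(time.time()) if now is None else now
    payload = _b64u(json.dumps({"sub": sub, "scope": scope, "exp": now + ttl}).encode())
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64u(tag)}"


def verify_token(token: str, now=None):
    """Return the claims dict if signature and expiry check out, else None."""
    try:
        payload, tag = token.split(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain == leaks where the tag diverges.
        if not hmac.compare_digest(expected, _b64u_decode(tag)):
            return None
        claims = json.loads(_b64u_decode(payload))
    except ValueError:          # bad base64, bad JSON, missing "."
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def _policy(principal, effect, resource, context=None):
    """Authorizer output: principalId, an execute-api:Invoke policy, context."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resource}],
        },
        "context": context or {},
    }


def handler(event, context, now=None):
    """TOKEN authorizer entry point.
    event["authorizationToken"] carries the Authorization header value;
    event["methodArn"] is arn:aws:execute-api:region:acct:apiId/stage/VERB/path."""
    auth = event.get("authorizationToken", "")
    method_arn = event["methodArn"]
    if not auth.startswith("Bearer "):
        raise Exception("Unauthorized")          # API Gateway returns 401
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        raise Exception("Unauthorized")          # bad signature or expired
    # Authentication passed; now authorization: does the scope cover the verb?
    verb = method_arn.split("/")[2]
    scope = claims.get("scope", "")
    allowed = scope == "orders:write" or verb == "GET"
    # A Deny policy yields 403, distinguishing "not allowed" from "who are you".
    return _policy(claims.get("sub", "anonymous"),
                   "Allow" if allowed else "Deny",
                   method_arn, {"scope": scope})


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/POST/order"
    tok = issue_token("user-1", "orders:write")
    print(json.dumps(handler({"authorizationToken": "Bearer " + tok,
                              "methodArn": arn}, None), indent=2))
```

One caveat tied to the "pay per authorizer invoke" row: API Gateway caches the returned policy per token for the authorizer's TTL, so if the policy lists only the exact methodArn of the first call, a cached hit for a different method on the same API will be denied. Either return a policy covering every resource the token is entitled to, or set the cache TTL to 0 and accept an invoke per request.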
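The token bucket and usage-plan slides above, as an added example that is not part of the deck: a textbook token bucket with the same two knobs (Burst = capacity, Rate = tokens per second), wrapped in a per-API-key usage plan that also applies a quota. API Gateway does not publish its implementation, so this is a model for reasoning about the settings, not its code; the request timings are constructed and chosen to be exact in floating point.

```python
class TokenBucket:
    """Burst = bucket capacity; Rate = tokens added per second."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False                 # caller would see HTTP 429


def simulate(rate, burst, timestamps):
    """Return (accepted, throttled) counts for requests arriving at timestamps."""
    bucket = TokenBucket(rate, burst)
    accepted = sum(1 for t in timestamps if bucket.allow(t))
    return accepted, len(timestamps) - accepted


class UsagePlan:
    """Per-API-key throttle (rate/burst) plus a periodic quota, as in an
    API Gateway usage plan. Keys not in the plan are rejected outright."""

    def __init__(self, rate, burst, quota):
        self.rate, self.burst, self.quota = rate, burst, quota
        self.buckets = {}
        self.used = {}

    def register(self, api_key):
        self.buckets[api_key] = TokenBucket(self.rate, self.burst)
        self.used[api_key] = 0

    def check(self, api_key, now):
        """HTTP status the gateway would return for this request."""
        if api_key not in self.buckets:
            return 403                         # unknown or missing API key
        if self.used[api_key] >= self.quota:
            return 429                         # quota exhausted for the period
        if not self.buckets[api_key].allow(now):
            return 429                         # burst/rate exceeded
        self.used[api_key] += 1                # counts toward daily usage records
        return 200


if __name__ == "__main__":
    # 10 requests at once against burst 3: only the burst gets through.
    print(simulate(rate=2, burst=3, timestamps=[0.0] * 10))
    # 4 requests/s against rate 2: roughly every other request is throttled
    # once the initial burst is spent.
    print(simulate(rate=2, burst=3, timestamps=[i * 0.25 for i in range(12)]))
```

The second simulation is the case that surprises people: a client sending steadily at twice the configured rate is not cut off, it just sees a 429 on about every other call once the burst is used up, so clients need retry with backoff rather than assuming throttling is all-or-nothing.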