© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
James Beswick, AWS Serverless
October 10, 2019
Serverless APIs and You (API World, 2019)
About me
• James Beswick
• Email: [email protected]
• Twitter: @jbesw
• Senior Developer Advocate – AWS Serverless
• Self-confessed serverless geek
• Software developer and Product Manager
• Previously: multiple start-up tech guy; Rackspace, USAA, Morgan Stanley, J P Morgan
• Enjoys comedy, travel, coffee and theme parks…
Topics for today
Advanced features of API Gateway
Modern development environment
Building serverless applications
Modern development challenges
Agility · Scaling · Security · Complexity

Amazon API Gateway features
• Fully managed
• Performance at scale
• Easy configuration
• Simple monitoring
• Robust security options
• Support agile development
Application Programming Interface (API)
[Diagram: a Client sends a Request to the API on a Web Server, which reads the Database and returns a Response]
https://en.wikipedia.org/wiki/Application_programming_interface
Web Services offer APIs for developers to use, e.g.:
• Social Networks – Facebook, Twitter, etc.
• Payment Processing – Amazon Pay, PayPal, etc.
Serverless API Architecture
[Diagram: Websites and Services call Amazon API Gateway over HTTPS, either edge-optimized (through a fully-managed CloudFront distribution), regional, or private; API Gateway has its own cache and is monitored by Amazon CloudWatch. Backends: public endpoints on Amazon EC2 and all publicly accessible endpoints, Lambda functions, endpoints and applications & services in a VPC, other AWS services, applications & services in the same AWS Region, and on-premises systems over AWS Direct Connect. A customer-managed CloudFront distribution can also sit in front of the API.]
Type of APIs available
Edge-Optimized
• Utilizes CloudFront to reduce TLS connection overhead (reduces roundtrip time)
• Designed for a globally distributed set of clients
Regional
• Recommended API type for general use cases
• Designed for building APIs for clients in the same region
Private
• Only accessible from within VPC (and networks connected to VPC)
• Designed for building APIs used internally or by private microservices
Set up your API via the Management Console…
… or with CloudFormation
• Create a REST API
• Proxy integration with Lambda
• POST method
• Stage name (Prod, Dev, etc.)
Building serverless applications
Key attributes of serverless
• Automatically scales with demand
• Measurable, attributable
• No infrastructure to manage
• Granular permissions via IAM
• Triggered by events: HTTP requests, S3 PUTs, scheduled tasks, etc.
Serverless is an ecosystem of services
Amazon SNS, AWS Step Functions, Amazon EventBridge, Amazon DynamoDB, Amazon API Gateway, Amazon S3, AWS Lambda
Application services: Machine Learning, Internet of Things, Analytics, Web/Mobile/Digital Media
Common serverless application types
Web applications, Backends, Data processing, Chatbots, Amazon Alexa, IT Automation
The coming wave of serverless web applications
API Gateway handles all your application routing. It can handle authentication and authorization, throttling, DDOS protection, and more.
Lambda runs all the logic behind your website and interfaces with databases, other backend services, or anything else your site needs.
Amazon Simple Storage Service (Amazon S3) stores all of your static content: CSS, JS, images, and more. You would typically front this with a CDN such as CloudFront.
[Diagram: Amazon CloudFront in front of Amazon S3 for static content; Amazon API Gateway in front of AWS Lambda for the application]
Getting more out of API Gateway

How can I reduce boilerplate in my business logic?
Many API Gateway integrations look like this…
API Gateway configuration:
  Resources:
    MyFunction:
      Type: AWS::Serverless::Function   # full SAM resource type (abbreviated to "Fn" on the slide)
      Properties:
        ...
        Events:
          ProxyApi:
            Type: Api
            Properties:
              Path: /{proxy+}
              Method: ANY

Business logic:
  const bodyParser = require('body-parser')
  const express = require('express')
  const app = express()
  app.use(bodyParser.json())   // parse JSON bodies so req.body is populated

  app.get('/', (req, res) => res.send('Hello World!'))
  app.get('/users/:userId', (req, res) => { /* DB lookup */ })

  // create User endpoint
  app.post('/users', (req, res) => {
    const { userId, name } = req.body
    if (typeof userId !== 'string') {
      res.status(400).json({ error: '"userId" must be a string' })
    } else if (typeof name !== 'string') {
      res.status(400).json({ error: '"name" must be a string' })
    } else {
      // ... write to database, then respond
      res.status(201).json({ userId, name })
    }
  })
First, have API Gateway handle the routing…
API Gateway configuration:
  ...
  Events:
    HelloWorldAPI:
      Type: Api
      Properties:
        Path: /
        Method: GET
    GetUserAPI:
      Type: Api
      Properties:
        Path: /users/{userId}   # API Gateway path parameters use braces, not Express-style :userId
        Method: GET
    CreateUserAPI:
      Type: Api
      Properties:
        Path: /users            # no trailing slash on an API Gateway resource path
        Method: POST
Next, request validation…
API Gateway CreateUser model:
  ...
  UserModel:
    Type: AWS::ApiGateway::Model
    Properties:
      RestApiId: !Ref MyApi          # assumed logical ID of the API; RestApiId and ContentType are required
      ContentType: application/json
      Name: User
      Schema:
        title: User
        type: object
        properties:
          userId:
            type: string
          name:
            type: string
        required:
          - userId
          - name
Now, the code we write…
New business logic:
  // create User function
  const AWS = require('aws-sdk')
  const DynamoDB = new AWS.DynamoDB.DocumentClient()
  const USERS_TABLE = process.env.USERS_TABLE   // table name supplied through an environment variable

  // API Gateway has already validated the body against the User model, so no type checks are needed here.
  // Assumes the integration request mapping passes the validated body through as the event.
  exports.handler = async (event) => {
    const params = {
      TableName: USERS_TABLE,
      Item: {
        userId: event.userId,
        name: event.name,
      },
    }
    // Write to database, return ID
    await DynamoDB.put(params).promise()
    return { userId: event.userId }
  }
Payload modelling
[Diagram: Request from Websites → Method Request (modeling, validation, transformation) → Integration Request → backend (Amazon DynamoDB, AWS Lambda, Amazon S3, other AWS and on-premises services) → Integration Response → Method Response (transformation, custom errors) → Response]
Why use payload modelling?
• Use native capabilities of API Gateway
• Input validation – still in OWASP top 10
• Parameter type checking
• Reduce boilerplate, focus your code on business logic
• Reduce costs … how?
API Setup
[Diagram: in the AWS Cloud, Amazon API Gateway exposes /(get) and /premium (get), proxying to a Weather Service function that reads the Weather Table]
“Lambda functions should transform not transport”
- Ajay Nair, Director, Product Management - Serverless

No Compute
[Diagram: the same API, but the Proxy Integration now runs from Amazon API Gateway straight to the Weather Table, with no function in the path]
The Integration Request
{Request} → VTL mapping template → {Request}

The Integration Response
{Response} → VTL mapping template → {Response}
Direct service integration
• Let API Gateway integrate directly with the downstream service
• “Transform, don’t transport data”.
• Saves on Lambda invocations ( = $)
• Reduces code – and maintenance
• Reduces latency by eliminating steps
• Can improve scalability
How do I handle long-running synchronous requests?
API Gateway integration timeout: 30 seconds
Approaches:
• Convert to asynchronous work
  • … with polling
  • … with webhooks
  • … with WebSockets
• Not API Gateway: front the request with a service without that limit (IoT Core, ALB)
Asynchronous: Polling
Flow:
1. Client submits request and receives requestID
2. Backing service does work asynchronously, updating job status
3. Client polls for status of request
4. Client fetches results when work is complete
[Diagram: API Gateway in front of Step Functions and S3; 1. /doWork, 2. work runs, 3. /status, 4. /getResults]
Asynchronous: Webhooks
Flow:
0. (optional) Trusted client setup with service.
1. Client submits request. API Gateway returns once request is stored.
2. Backing service does work asynchronously.
3. Backing service calls back to client when complete.
[Diagram: API Gateway, SQS, Lambda and SNS; arrows numbered 1–3 match the steps above]
Asynchronous: WebSockets
HTTP (REST) client:
• Request / Response
• HTTP methods (e.g. GET, POST, etc.)
• Short lived communication
• Stateless
WebSocket client:
• Serverless WebSocket
• 2 way communication channel
• Long lived communication
• Stateful
Asynchronous: WebSockets - Implementation
Flow:
1. Client submits request and receives SFn execution ARN, SFn task token, and WebSocket endpoint
2. Client opens connection to WebSocket endpoint with SFn ARN and task token. Lambda completes OpenConn task
3. When DoWork is done, SFn parallel state completes, and we send callback
4. Client receives update over WebSockets
[Diagram: API Gateway (REST), Step Functions running an SFn Workflow with OpenConn and DoWork in parallel followed by Callback, Lambda, and API Gateway (websockets) with onConnect; arrows numbered 1–4 match the steps above]
http://bit.ly/aws-poll-to-push
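Added example, not the deck's or the linked repository's code: the two Lambda handlers behind steps 2 and 3 of the flow above, with the AWS SDK clients injected so they run offline. It assumes aws-sdk v2 style clients (new AWS.StepFunctions() and new AWS.ApiGatewayManagementApi({ endpoint }) in Lambda) and a constructed taskToken query-string parameter.

```javascript
// $connect route of the WebSocket API (step 2). The client opens
//   wss://<websocket-endpoint>/?taskToken=<token>        (query-string name constructed for this example)
// and completing the OpenConn task with the connection ID is what later lets the workflow reply.
// The task token is a bearer credential for that task: keep it out of access logs and give the
// waiting task a TimeoutSeconds in the state machine so an abandoned token cannot be used indefinitely.
async function onConnect(event, sfn) {
  const token = (event.queryStringParameters || {}).taskToken
  if (!token) return { statusCode: 400, body: 'taskToken required' }  // non-2xx refuses the connection
  await sfn.sendTaskSuccess({
    taskToken: token,
    output: JSON.stringify({ connectionId: event.requestContext.connectionId }),
  }).promise()
  return { statusCode: 200, body: 'connected' }
}

// Callback state (step 3): its input carries the connectionId from OpenConn and the DoWork result.
// postToConnection fails with HTTP 410 (GoneException) when the client has already disconnected.
async function callback(input, mgmt) {
  const { connectionId, result } = input
  try {
    await mgmt.postToConnection({
      ConnectionId: connectionId,
      Data: JSON.stringify({ status: 'done', result }),
    }).promise()
    return { delivered: true }
  } catch (err) {
    if (err.statusCode === 410) return { delivered: false, reason: 'client disconnected' }
    throw err
  }
}

// Constructed in-memory stand-ins for the two AWS clients so the flow can be exercised offline.
function fakeClients() {
  const calls = { sendTaskSuccess: [], posted: [] }
  const sfn = {
    sendTaskSuccess: (params) => ({ promise: async () => { calls.sendTaskSuccess.push(params) } }),
  }
  const mgmt = {
    postToConnection: (params) => ({
      promise: async () => {
        if (params.ConnectionId === 'gone') { const e = new Error('Gone'); e.statusCode = 410; throw e }
        calls.posted.push(params)
      },
    }),
  }
  return { sfn, mgmt, calls }
}

module.exports = { onConnect, callback, fakeClients }
```

In a deployment, onConnect and callback are two separate functions: the first behind the WebSocket API's $connect route, the second invoked by the workflow's Callback state.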
How can I handle larger payloads?
Payload limits across services
Service               Limit
Amazon SNS            256 KB (SMS 1600b)
AWS Lambda            Sync: 6MB / Async: 256KB
Amazon API Gateway    HTTP: 10MB
Amazon SQS            256KB
AWS Step Functions    32 KB
Amazon Kinesis        1MB
Possible solutions
• S3
  • Pass the S3 key through the application
  • SQS – Java Extended Client Library – up to 2GB objects
• Binary Payload Support
  • API Gateway
  • (Also available in SQS/SNS/DynamoDB)

Can I manage multiple stages for my APIs?
Staging
[Diagram: API Gateway stages Prod, Dev and Beta each set the stage variable lambdaAlias to prod, dev and beta respectively. The Lambda function has versions v0.0.1 through v0.0.9, and the aliases prod, beta and dev each point at one of them, so a stage's lambdaAlias value selects which function version it invokes.]
Canary Releases
[Diagram: My API with a Prod stage and a Canary (Prod+1) deployment alongside it, both monitored in Amazon CloudWatch]
Best Practices
[Diagram: one SAM Template deployed to separate Dev, Beta and Prod account(s); each account has its own Amazon API Gateway, Lambda function, Table and AWS Secrets Manager]

How can I secure my API?
What does API security include?
• Authentication and authorization
• Access control:
  • CORS
  • Client-side SSL certificates
  • AWS WAF
• Tracking and limiting access:
  • Usage plans – API keys
  • Throttling
Sample Weather Application
[Diagram: Mobile client and Client → Amazon API Gateway → Lambda function → Amazon DynamoDB, traced with AWS X-Ray and monitored in Amazon CloudWatch]

Secure Weather Application
[Diagram: spans two AWS accounts. In one, Clients authenticate with Amazon Cognito and call Amazon API Gateway (fronted by AWS WAF, with CORS), which invokes the Weather Service that reads the Weather Table; a Host Bucket serves the front end. In the other, a time-based Weather Update Service Event calls the API using AWS IAM. AWS X-Ray and Amazon CloudWatch provide tracing and monitoring.]
Secure Weather Application: Cognito Authorizer
[Diagram: Clients → Amazon Cognito → Amazon API Gateway]
• User authenticates via Cognito user pool
• API Gateway authorizes via Cognito Authorizer
Secure Weather Application: IAM Authorizer
[Diagram: Weather Update Service in the second AWS account → AWS IAM → Amazon API Gateway]
• Cross Account authorization via resource policies and IAM authorizer
Secure Weather Application: Custom Authorizer
[Diagram: Clients and the Weather Update Service (second account) → Custom Authorizer → Amazon API Gateway; the custom authorizer's options include a corporate data center, external web-based services, or custom AWS-hosted services]
• Clients and Services are authorized based on custom logic.
Secure Weather Application: AWS WAF
[Diagram: Clients and the Weather Update Service → AWS WAF → Amazon API Gateway]
• Web Application Firewall
• Blacklist/Whitelist
• IP/IP range based
• Logic based
Secure Weather Application: CORS
[Diagram: Clients → Amazon API Gateway, with CORS]
• Cross Origin Resource Sharing
• What API Gateway is responsible for
• What application is responsible for
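Added example, not from the deck: the application's share of CORS for a Lambda proxy integration, with a constructed allow-list of origins and a constructed weather payload. API Gateway can answer the OPTIONS preflight by itself, but the headers on every real response are the function's job.

```javascript
const ALLOWED_ORIGINS = new Set([
  'https://weather.example.com',   // constructed: the site that serves the front end
  'http://localhost:3000',         // constructed: local development
])

// CORS headers for one request, or none if the Origin is not on the list. Echoing the matched
// origin (never '*') is what lets credentialed requests work while keeping other origins from
// reading the response; Vary: Origin stops a CDN from serving one origin's answer to another.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {}
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  }
}

// Preflight answer, for when the function (rather than an API Gateway mock integration) owns OPTIONS.
function preflight(origin) {
  const headers = corsHeaders(origin)
  if (!headers['Access-Control-Allow-Origin']) return { statusCode: 403, headers: {}, body: '' }
  return {
    statusCode: 204,
    headers: {
      ...headers,
      'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
      'Access-Control-Allow-Headers': 'Authorization,Content-Type',
      'Access-Control-Max-Age': '600',
    },
    body: '',
  }
}

// Lambda proxy integration shape: event.httpMethod / event.headers in, { statusCode, headers, body } out.
// Header names arrive as the client sent them, so both spellings of Origin are checked.
function handle(event) {
  const headers = event.headers || {}
  const origin = headers.origin || headers.Origin || ''
  if (event.httpMethod === 'OPTIONS') return preflight(origin)
  const payload = { city: 'Seattle', tempC: 14 }   // constructed stand-in for the weather lookup
  return {
    statusCode: 200,
    headers: { 'Content-Type': 'application/json', ...corsHeaders(origin) },
    body: JSON.stringify(payload),
  }
}

exports.handler = async (event) => handle(event)
```

Responses that API Gateway generates itself (a 401/403 from an authorizer, a 429 from throttling) never pass through the function, so their CORS headers have to come from the API's gateway response configuration.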
Throttling
[Diagram: usage plans per caller: Users Usage Plan (websites, authorized mobile client), Services Usage Plan (public endpoints on Amazon EC2, Lambda functions, any other AWS service, all publicly accessible endpoints), Partner Usage Plan (partner websites, mobile client). Limits can be set per client, per client & per method, per method, and per account.]

Serverless APIs and You
Agility · Scaling · Security · Complexity
Thank you! [email protected]