Serverless APIs and You · 2019-10-28

Page 1:

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

James Beswick, AWS Serverless

October 10, 2019

Serverless APIs and You API World, 2019

Page 2:

About me

• James Beswick • Email: [email protected]

• Twitter: @jbesw

• Senior Developer Advocate – AWS Serverless

• Self-confessed serverless geek

• Software developer and Product Manager

• Previously: • Multiple start-up tech guy

• Rackspace, USAA, Morgan Stanley, J P Morgan

• Enjoys comedy, travel, coffee and theme parks…

Page 3:

Topics for today

Advanced features of API Gateway

Modern development environment

Building serverless applications

Page 4:

Modern development challenges

Agility Scaling Security Complexity


Page 6:

Amazon API Gateway features

• Fully managed
• Performance at scale
• Easy configuration
• Simple monitoring
• Robust security options
• Support agile development
Page 8:

Application Programming Interface (API)

(Diagram.) Client → API → Web Server → Database, with the client's Request flowing right and the Response flowing back.

https://en.wikipedia.org/wiki/Application_programming_interface

Web Services offer APIs for developers to use, e.g.:

• Social Networks – Facebook, Twitter, etc.

• Payment Processing – Amazon Pay, PayPal, etc.

Page 9:

Serverless API Architecture

(Architecture diagram, summarized.) Callers: Websites, Services, Applications & Services in the same AWS Region, On-premises systems over AWS Direct Connect, and Applications & Services in a VPC. All traffic to Amazon API Gateway is HTTPS.

Amazon API Gateway sits in the middle, with an API Gateway Cache and Amazon CloudWatch Monitoring, and is reachable through three endpoint types:

• Edge-Optimized: through a fully-managed CloudFront Distribution
• Regional: optionally fronted by a customer-managed CloudFront Distribution
• Private: reachable only from inside a VPC

Backends: all publicly accessible endpoints (for example Public Endpoints on Amazon EC2), Lambda Functions, Endpoints in VPC, and other AWS services.

Page 10:

Type of APIs available

Edge-Optimized
• Utilizes CloudFront to reduce TLS connection overhead (reduces roundtrip time): TLS terminates at the edge location nearest the client
• Designed for a globally distributed set of clients

Regional
• Recommended API type for general use cases
• Designed for building APIs for clients in the same region; put your own CloudFront distribution in front if you need edge caching or your own CloudFront configuration

Private
• Only accessible from within a VPC (and networks connected to the VPC), through an interface VPC endpoint for execute-api; the API's resource policy must grant access from that endpoint or the API is unreachable
• Designed for building APIs used internally or by private microservices

(The diagram repeats the Amazon API Gateway, API Gateway Cache, Amazon CloudWatch Monitoring and fully-managed CloudFront Distribution components from the previous slide.)

Page 11:

Set up your API via the Management Console…

Page 12:

… or with CloudFormation

Create a REST API

Proxy integration with Lambda

POST method

Stage name (Prod, Dev, etc)

Page 13:

Building serverless applications

Page 14:

Key attributes of serverless

• Automatically scales with demand
• Measurable, attributable
• No infrastructure to manage
• Granular permissions via IAM
• Event-driven: http requests, S3 PUTs, scheduled tasks, etc.

Page 15:

Serverless is an ecosystem of services

Amazon SNS, AWS Step Functions, Amazon EventBridge, Amazon DynamoDB, Amazon API Gateway, Amazon S3, AWS Lambda

Page 16:

Application services

Machine Learning, Internet of Things, Analytics, Web/Mobile/Digital Media

Page 17:

Common serverless application types

Web applications, Backends, Data processing, Chatbots, Amazon Alexa, IT Automation

Page 18:

The coming wave of serverless web applications

(Diagram: Amazon CloudFront, Amazon S3, Amazon API Gateway, AWS Lambda.)

API Gateway handles all your application routing. It can handle authentication and authorization, throttling, DDoS protection, and more.

Lambda runs all the logic behind your website and interfaces with databases, other backend services, or anything else your site needs.

Amazon Simple Storage Service (Amazon S3) stores all of your static content: CSS, JS, images, and more. You would typically front this with a CDN such as CloudFront.

Page 19:

Getting more out of API Gateway

Page 20:

How can I reduce boilerplate in my business logic?

Page 21:

Many API Gateway integrations look like this…

API Gateway configuration (SAM template): one catch-all proxy route, so every request reaches the same function and the function does all the routing:

Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      ...
      Events:
        ProxyApi:
          Type: Api
          Properties:
            Path: /{proxy+}
            Method: ANY

Business logic (Express running inside the function; routing and input checks all live in code):

const bodyParser = require('body-parser')
const express = require('express')
const app = express()
app.use(bodyParser.json())

app.get('/', (req, res) => res.send('Hello World!'))

app.get('/users/:userId', (req, res) => {
  // DB lookup
})

// create User endpoint
app.post('/users', (req, res) => {
  const { userId, name } = req.body;
  if (typeof userId !== 'string') {
    res.status(400).json({ error: '"userId" must be a string' })
  } else if (typeof name !== 'string') {
    res.status(400).json({ error: '"name" must be a string' })
  } else {
    // create the user, then respond (cut off on the slide)
  }
})

Page 22:

First, have API Gateway handle the routing…

Business logic: unchanged from the previous slide (the Express routes and the inline type checks are still inside the function).

API Gateway configuration: one event per route, so requests to unknown paths or methods are rejected by API Gateway before the function runs. Note that API Gateway's path-parameter syntax is {userId}, not the Express-style :userId shown on the slide:

...
      Events:
        HelloWorldAPI:
          Type: Api
          Properties:
            Path: /
            Method: GET
        GetUserAPI:
          Type: Api
          Properties:
            Path: /users/{userId}
            Method: GET
        CreateUserAPI:
          Type: Api
          Properties:
            Path: /users
            Method: POST

Page 23:

Next, request validation…

API Gateway CreateUser model. A model on its own does nothing: the method must reference it in its request models and a request validator with body validation enabled must be attached, otherwise the body is passed through unchecked. MyApi below is a placeholder for your API resource:

...
  UserModel:
    Type: AWS::ApiGateway::Model
    Properties:
      RestApiId: !Ref MyApi
      ContentType: application/json
      Name: User
      Schema:
        $schema: "http://json-schema.org/draft-04/schema#"
        title: User
        type: object
        properties:
          userId:
            type: string
          name:
            type: string
        required:
          - userId
          - name

Business logic: still the Express code from slide 21; the next slide replaces it.

Page 24:

Now, the code we write…

API Gateway CreateUser model: as on the previous slide (the slide writes the required list inline as required: ["userId", "name"]).

New business logic. With routing and validation handled by API Gateway, the function is reduced to the database write. The slide reads event.params.userId for one field and event.name for the other; the event shape depends on the integration request mapping, so a flat body is assumed here:

// create User function
const AWS = require('aws-sdk')
const DynamoDB = new AWS.DynamoDB.DocumentClient()
const USERS_TABLE = process.env.USERS_TABLE

exports.handler = async (event) => {
  // The integration request mapping passes the already-validated body fields through
  const { userId, name } = event
  const params = {
    TableName: USERS_TABLE,
    Item: { userId, name },
  }
  // Write to database, return ID
  const result = await DynamoDB.put(params).promise()
  return result
}

Page 25:

Payload modelling

(Request/response pipeline diagram, summarized.) A request from a website passes through four stages in API Gateway:

Method Request: modeling, validation, transformation
Integration Request: the transformed request sent to the backend (Amazon DynamoDB, AWS Lambda, Amazon S3, other AWS & on-premises services)
Integration Response: the raw response from that backend
Method Response: transformation, custom errors, then the response to the client

Page 26:

Why use payload modelling?

• Use native capabilities of API Gateway
• Input validation – still in the OWASP Top 10; a request that does not match the model is rejected with a 400 before any of your code runs
• Parameter type checking
• Reduce boilerplate, focus your code on business logic
• Reduce costs … how? (invalid requests never invoke Lambda, and the next slides take Lambda out of the path entirely)
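To make the validation step concrete, here is an added example (not code from the deck) in JavaScript: the User model from the earlier slides written as the JSON Schema (draft 4) that API Gateway stores, plus a small validator that reproduces the checks a request validator with body validation enabled performs (type, required, maxLength, additionalProperties), run over constructed request bodies. It shows what is rejected before Lambda is invoked and, for the edge case practitioners trip over, that unexpected extra fields pass through unless additionalProperties is set to false.

```javascript
// Added example, not code from the deck. The schema keywords implemented here
// are the subset the User model needs; it is a teaching aid for what the
// request validator checks, not a replacement for it.
const userModel = {
  title: 'User',
  type: 'object',
  properties: {
    userId: { type: 'string', maxLength: 64 },
    name:   { type: 'string', maxLength: 256 },
  },
  required: ['userId', 'name'],
  additionalProperties: false, // reject unexpected fields instead of passing them to the backend
};

// JSON Schema's type vocabulary differs from typeof: null, array and integer are distinct.
function jsonType(v) {
  if (v === null) return 'null';
  if (Array.isArray(v)) return 'array';
  if (typeof v === 'number' && Number.isInteger(v)) return 'integer';
  return typeof v;
}

// Returns a list of validation errors; an empty list means the value conforms.
function validate(schema, value, path = '$') {
  const errors = [];
  if (schema.type) {
    const t = jsonType(value);
    const ok = t === schema.type || (schema.type === 'number' && t === 'integer');
    if (!ok) { errors.push(`${path}: expected ${schema.type}, got ${t}`); return errors; }
  }
  if (schema.type === 'string' && schema.maxLength !== undefined && value.length > schema.maxLength) {
    errors.push(`${path}: longer than ${schema.maxLength} characters`);
  }
  if (schema.type === 'object') {
    for (const key of schema.required || []) {
      if (!(key in value)) errors.push(`${path}.${key}: required property missing`);
    }
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (key in value) errors.push(...validate(sub, value[key], `${path}.${key}`));
    }
    if (schema.additionalProperties === false) {
      for (const key of Object.keys(value)) {
        if (!(key in (schema.properties || {}))) errors.push(`${path}.${key}: additional property not allowed`);
      }
    }
  }
  return errors;
}

// What API Gateway does in the Method Request stage: parse the body, validate it
// against the model, and answer 400 without calling the integration on failure.
function gatewayValidate(rawBody, schema = userModel) {
  let body;
  try { body = JSON.parse(rawBody); } catch (e) { return { statusCode: 400, errors: ['body is not valid JSON'] }; }
  const errors = validate(schema, body);
  return errors.length ? { statusCode: 400, errors } : { statusCode: 200, body };
}

// Constructed request bodies exercising the validator.
const samples = {
  good:      '{"userId":"u-123","name":"Ada"}',
  missing:   '{"userId":"u-123"}',
  wrongType: '{"userId":42,"name":"Ada"}',
  extra:     '{"userId":"u-123","name":"Ada","isAdmin":true}',
  notJson:   'userId=u-123',
};
```

The last sample matters in practice: with the model exactly as the slide shows it (no additionalProperties), the isAdmin field is accepted and reaches the backend, so either constrain the schema or make sure the code behind it ignores fields it did not ask for.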

Page 27:

API Setup

(Diagram.) AWS Cloud: Amazon API Gateway in front of a Weather Service (Lambda function) that reads a Weather Table. Two routes: / (get) and /premium (get).

Page 28:

API Setup

(Diagram, as on the previous slide, with the Weather Service labelled "Proxy": the function does nothing but forward the request to the Weather Table and return the result.)

“Lambda functions should transform not transport”
- Ajay Nair, Director, Product Management - Serverless


Page 30:

No Compute

(Diagram.) Amazon API Gateway integrates directly with the Weather Table (labelled "Proxy Integration" on the slide); the / (get) and /premium (get) routes no longer pass through the Lambda function at all.

Page 31:

The Integration Request

{Request} → VTL → {Request}: a Velocity Template Language mapping template rewrites the client's request into the request the downstream service expects.

Page 32:

The Integration Response

{Response} → VTL → {Response}: a second mapping template rewrites the service's raw response into the response the client should see.

Page 33:

Direct service integration

• Let API Gateway integrate directly with the downstream service
• “Transform, don’t transport data”.
• Saves on Lambda invocations ( = $)
• Reduces code, and maintenance
• Reduces latency by eliminating steps
• Can improve scalability
• Caveat: the mapping template is now the code that handles untrusted input. Keep the request validator attached, and escape values with $util.escapeJavaScript() when placing them into the downstream JSON, so a crafted field cannot change the request you send to the service.

Page 34:

How do I handle long-running synchronous requests?

Page 35:

API Gateway

Integration timeout: 29 seconds is the maximum for REST APIs (the slide rounds to 30); a backend that takes longer gets a 504 returned to the client.

Approaches:
• Convert to asynchronous work
  • … with polling
  • … with webhooks
  • … with WebSockets
• Not API Gateway at all: AWS IoT Core, or an Application Load Balancer (ALB) in front of the backend

Page 36:

API Gateway

Asynchronous: Polling

Flow:
1. Client submits request and receives a requestID
2. Backing service does work asynchronously, updating job status
3. Client polls for status of request
4. Client fetches results when work is complete

(Diagram.) 1. /doWork on API Gateway starts a Step Functions execution; 2. the execution does the work and records status; 3. /status returns that status; 4. /getResults returns the output stored in S3.

Page 37:

Asynchronous: Webhooks

Flow:
0. (optional) Trusted client setup with service.
1. Client submits request. API Gateway returns once request is stored.
2. Backing service does work asynchronously.
3. Backing service calls back to client when complete.

(Diagram.) 1. API Gateway stores the request in SQS; 2. Lambda consumes the queue and does the work; 3. SNS delivers the callback to the client.

Step 0 is where the security of this pattern lives: have the client register its callback URL up front (so the service is never talked into calling an arbitrary URL) and agree a secret the service uses to sign callbacks, so the client can tell a genuine callback from a forged one.

Page 38:

Asynchronous: WebSockets

HTTP (REST) client:
• Request / Response
• HTTP methods (e.g. GET, POST, etc.)
• Short lived communication
• Stateless

WebSocket client:
• Serverless WebSocket
• 2 way communication channel
• Long lived communication
• Stateful

Page 39:

Asynchronous: WebSockets - Implementation

Flow:
1. Client submits request to API Gateway (REST) and receives the Step Functions (SFn) execution ARN, SFn task token, and WebSocket endpoint
2. Client opens a connection to the WebSocket endpoint (API Gateway WebSockets) with the SFn ARN and task token. The onConnect Lambda completes the OpenConn task
3. When DoWork is done, the SFn parallel state (OpenConn alongside DoWork) completes, and the Callback step sends the result
4. Client receives the update over WebSockets

(Diagram: API Gateway (REST) and API Gateway (websockets), Lambda, and the SFn Workflow with OpenConn, DoWork, Callback and onConnect steps numbered 1 to 4 as above.)

http://bit.ly/aws-poll-to-push

Page 40:

How can I handle larger payloads?

Page 41:

Payload limits across services (as of October 2019)

Amazon SNS: 256 KB (SMS: 1600 bytes)
AWS Lambda: Sync 6 MB / Async 256 KB
Amazon API Gateway: HTTP 10 MB
Amazon SQS: 256 KB
AWS Step Functions: 32 KB
Amazon Kinesis: 1 MB

Page 42:

Possible solutions

• S3
  • Store the object in S3 and pass the S3 key through the application
• SQS – Java Extended Client Library – up to 2GB objects
• Binary Payload Support
  • API Gateway
  • (Also available in SQS/SNS/DynamoDB)

Page 43:

Can I manage multiple stages for my APIs?

Page 44:

Staging

(Diagram.) One API Gateway API with three stages, each carrying a stage variable named lambdaAlias:
Prod stage: lambdaAlias = prod
Dev stage: lambdaAlias = dev
Beta stage: lambdaAlias = beta

Page 45:

Staging

(Diagram.) The Lambda function has published versions v0.0.1 through v0.0.9 and three aliases (prod, beta, dev), each pointing at one version. Each API Gateway stage integrates with the function through ${stageVariables.lambdaAlias}, so promoting a release means moving an alias to a new version rather than redeploying the API:
Prod stage: lambdaAlias = prod
Dev stage: lambdaAlias = dev
Beta stage: lambdaAlias = beta

Page 46:

Canary Releases

(Diagram.) "My API" runs the Prod deployment and a Canary (Prod+1) deployment on the same stage; API Gateway sends a configurable share of traffic to the canary while Amazon CloudWatch metrics for both are compared before the canary is promoted.

Page 47:

Best Practices

(Diagram.) One SAM Template deployed three times, into separate Dev Account(s), Beta Account(s) and Prod Account(s). Each deployment contains the same stack: Amazon API Gateway, a Lambda function, a Table, and AWS Secrets Manager for the function's secrets. Separate accounts put an IAM boundary between environments, so a mistake or compromise in Dev cannot reach Prod data.

Page 48:

How can I secure my API?

Page 49:

What does API security include?

• Authentication and authorization
• Access control:
  • CORS
  • Client-side SSL certificates (generated by API Gateway so a backend can verify that requests really came from your API)
  • AWS WAF
• Tracking and limiting access
  • Usage plans – API keys (these identify and meter clients; an API key is not an authentication mechanism on its own)
  • Throttling

Page 50:

Sample Weather Application

(Diagram.) AWS Cloud: a Mobile client and a Client call Amazon API Gateway, which invokes a Lambda function that reads Amazon DynamoDB; AWS X-Ray and Amazon CloudWatch trace and monitor the path.

Page 51:

Secure Weather Application

(Diagram, the full picture; the following slides add one control at a time.) Account One: Amazon API Gateway in front of the Weather Service and Weather Table, with AWS WAF in front of the API, CORS configured for browser Clients, Amazon Cognito authenticating those Clients, a Host Bucket serving the web front end, and AWS X-Ray plus Amazon CloudWatch for tracing and monitoring. Account Two: a Weather Update Service, triggered by a time-based Event, that calls the API cross-account using AWS IAM.

Page 52:

Secure Weather Application

(Diagram.) Clients → Amazon Cognito → Amazon API Gateway

Cognito Authorizer
• User authenticates via Cognito user pool
• API Gateway authorizes via Cognito Authorizer: it validates the user pool JWT the client presents before the integration runs

Page 53:

Secure Weather Application

(Diagram.) Weather Update Service in Account Two → AWS IAM → Amazon API Gateway in Account One

IAM Authorizer
Cross Account authorization via resource policies and IAM authorizer: the caller signs its requests (SigV4) with credentials from its own account, the API's resource policy allows that principal, and the method uses AWS_IAM authorization.

Page 54:

Secure Weather Application

(Diagram.) Clients and the Weather Update Service (Account Two) → Custom Authorizer → Amazon API Gateway (Account One); the identities may come from a Corporate data center, External Web Based Services, or Custom AWS Hosted Services.

Custom Authorizer (Custom Options)
Clients and Services are authorized based on custom logic: a Lambda authorizer receives the token or request, decides, and returns an IAM policy that API Gateway caches and enforces.

Page 55:

Secure Weather Application

(Diagram.) Clients and the Weather Update Service (Account Two) → AWS WAF → Amazon API Gateway (Account One)

AWS WAF
• Web Application Firewall
• Blacklist/Whitelist (block lists and allow lists)
• IP/IP range based
• Logic based (rules that match on request contents, plus rate-based rules)

Page 56:

Secure Weather Application

(Diagram.) Clients → CORS → Amazon API Gateway

CORS
• Cross Origin Resource Sharing
• What API Gateway is responsible for: answering the OPTIONS preflight with the allowed origins, methods and headers
• What the application is responsible for: with a Lambda proxy integration, the function itself must put the Access-Control-Allow-* headers on the actual response, because API Gateway does not add them on its behalf
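Added example (not code from the deck) in JavaScript of the application-side half for a Lambda proxy integration: a wrapper that adds CORS headers from an origin allowlist to every response, including error responses, and adds none for origins it does not recognise. The allowlist, origins and handler are constructed for the example.

```javascript
// Added example, not code from the deck. The allowlist, origins and handler
// are constructed; in deployment the list would come from configuration.
const ALLOWED_ORIGINS = new Set(['https://app.weather.example', 'https://admin.weather.example']);

// CORS headers for one request Origin. Unknown origins get no headers, so the
// browser refuses to expose the response. Echoing Origin unconditionally, or
// combining "*" with credentials, would let any site call the API with the
// user's cookies.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Vary keeps a cache from serving one origin's header to another.
    Vary: 'Origin',
  };
}

// Merge the CORS headers into a proxy-integration response object.
function applyCors(response, origin) {
  return { ...response, headers: { ...(response.headers || {}), ...corsHeaders(origin) } };
}

// Wrap a proxy-integration handler so every response, including an error
// response, carries the headers; a bare 500 without them is unreadable to the
// browser client and looks like a network failure.
function withCors(handler) {
  return async (event) => {
    const headers = event.headers || {};
    const origin = headers.origin || headers.Origin;
    let response;
    try {
      response = await handler(event);
    } catch (e) {
      response = { statusCode: 500, body: JSON.stringify({ error: 'internal error' }) };
    }
    return applyCors(response, origin);
  };
}

// The weather route, wrapped.
const getWeather = withCors(async (event) => ({
  statusCode: 200,
  body: JSON.stringify({ city: (event.queryStringParameters || {}).city || 'unknown', tempC: 21 }),
}));
```

The preflight half stays with API Gateway (a mock integration or the SAM Cors property on the API); what this wrapper guarantees is that the origin the preflight allowed is the only one the actual response reveals itself to.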

Page 57:

Throttling

(Diagram.) Callers (Websites, an Authorized Mobile client, a Mobile client, Partner Websites, Services, all publicly accessible endpoints) reach API Gateway, which fans out to backends (Public Endpoints on Amazon EC2, Lambda Functions, any other AWS service). Throttling is applied at several levels:

• Users Usage Plan: per client
• Services Usage Plan: per client and per method
• Partner Usage Plan: per method
• Per account (the account-level throttle applies to all APIs in the Region)

Page 58:

Serverless APIs and You

Agility Scaling Security Complexity

Page 59:

Thank you! [email protected]