Learn how to monitor and manage your serverless APIs in production. We show you how to set up Amazon CloudWatch alarms, interpret CloudWatch logs for Amazon API Gateway and AWS Lambda, and automate common maintenance and management tasks on your service.
2. About me:
Chris Munns - munns@amazon.com, @chrismunns
– Senior Developer Advocate - Serverless
– New Yorker
– Previously:
• Business Development Manager – DevOps, July ’15 - Feb ’17
• AWS Solutions Architect, Nov 2011 - Dec 2014
• Formerly on operations teams @Etsy and @Meetup
• Little time at a hedge fund, Xerox and a few other startups
– Rochester Institute of Technology: Applied Networking and Systems Administration ’05
– Internet infrastructure geek
3. Agenda
• Brief review of API Gateway/Lambda
• Monitoring Your API
• Amazon CloudWatch Metrics/Alarms
• Amazon CloudWatch Logs
• Protecting Your API
• Throttling
• Authorization
• Usage Plans
• Managing Your API
4. Amazon API Gateway
• Create a unified API frontend for multiple micro-services
• Authenticate and authorize requests to a backend
• DDoS protection and throttling for your backend
• Throttle, meter, and monetize API usage by 3rd party developers
5. API Gateway integrations
[Diagram labels: Internet (Mobile Apps, Websites, Services); Amazon CloudFront; API Gateway; API Gateway Cache; Amazon CloudWatch Monitoring; AWS Lambda functions; Endpoints on Amazon EC2; All publicly accessible endpoints; Any other AWS service]
6. AWS Lambda
Productivity focused compute platform to build powerful, dynamic, modular applications in the cloud
• No infrastructure to manage: focus on business logic
• Cost-effective and efficient: pay only for what you use
• Bring your own code: run code in standard languages
7. Meet Doug
Doug loves coffee.
Doug also writes apps.
Doug built TAMPR – A service for
sharing reviews of coffee and coffee
shops.
Doug built the TAMPR backend
serverless, with API Gateway and
AWS Lambda.
8. First Reviews of TAMPR
“I want to love this app, but every time I try to check-in with my morning coffee, I get errors.”
“The app works great if I’m getting an afternoon coffee, but during the mornings it’s almost unusable.”
“Too many errors, it never seems to work.”
10. Amazon CloudWatch Metrics
API Gateway Default metrics set:
• Count – Total number of invokes received by API Gateway
• 4XXError – Number of invokes that generated a 4XX error
– (includes throttling)
• 5XXError – Number of invokes that generated a 5XX error
• Latency – Total time API Gateway took to fully process request
• IntegrationLatency – Time API Gateway took to call integration
• CacheHitCount – Number of successful cache fetches
• CacheMissCount – Number of unsuccessful cache fetches
11. Amazon CloudWatch Metrics
• Detailed metrics
– Same set of metrics at method level
– Can be enabled globally or only for specific methods
GET PUT DELETE
12. Amazon CloudWatch Metrics
Default Metrics
• Included for free
• Broken down by API stage
Detailed Metrics
• Standard CloudWatch pricing
• Broken down by method
13. Amazon CloudWatch Alarms
• Any metric can be tied to an alarm
• Alarm notifications can be sent to Amazon SNS topic
• SNS topic can then send to any number of destinations
– E-mail address
– SQS queue
– Lambda Function
14. CloudWatch Alarms - NEW
• Error and Cache metrics now support averages and percentiles
• Alarm on the rate of failures in your API, not just raw count!
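An added example (not from the original slides) of alarming on the failure rate rather than the raw count: it builds the arguments for CloudWatch `put_metric_alarm` using the `Average` statistic of `5XXError`, then evaluates the same rule offline over constructed per-minute traffic. The API name, stage, SNS topic ARN, threshold and traffic figures are assumptions.

```python
# Added example: alarm on the 5XXError rate for one API stage.
# Each request reports 5XXError as 0 or 1, so the Average statistic over a
# period is the fraction of requests that failed; Sum is the raw count.

def error_rate_alarm(api_name, stage, topic_arn, max_rate=0.05):
    """Arguments for CloudWatch put_metric_alarm (names are hypothetical)."""
    return {
        "AlarmName": f"{api_name}-{stage}-5xx-rate",
        "Namespace": "AWS/ApiGateway",
        "MetricName": "5XXError",
        "Dimensions": [{"Name": "ApiName", "Value": api_name},
                       {"Name": "Stage", "Value": stage}],
        "Statistic": "Average",
        "Period": 60,                    # seconds per datapoint
        "EvaluationPeriods": 5,          # 5 consecutive bad minutes
        "Threshold": max_rate,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],     # SNS topic -> e-mail, SQS, Lambda
    }

def would_fire(alarm, minutes):
    """Evaluate the alarm offline over (requests, errors) per-minute pairs."""
    streak = 0
    for requests, errors in minutes:
        rate = errors / requests if requests else 0.0
        streak = streak + 1 if rate > alarm["Threshold"] else 0
        if streak >= alarm["EvaluationPeriods"]:
            return True
    return False

def create_alarm(alarm):
    import boto3                         # needs AWS credentials and a region
    boto3.client("cloudwatch").put_metric_alarm(**alarm)

# Constructed per-minute traffic as (requests, errors).
MORNING_PEAK = [(2000, 240)] * 5         # 12% of requests fail
AFTERNOON = [(300, 3)] * 5               # 1% of requests fail
LOW_TRAFFIC_OUTAGE = [(20, 12)] * 5      # few errors in total, but 60% fail

if __name__ == "__main__":
    alarm = error_rate_alarm("tampr", "prod",
                             "arn:aws:sns:us-east-1:111122223333:api-alerts")
    for name in ("MORNING_PEAK", "AFTERNOON", "LOW_TRAFFIC_OUTAGE"):
        print(name, would_fire(alarm, globals()[name]))
```

A count-based threshold sized for the morning peak would stay silent during the low-traffic outage; the rate-based rule catches both.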
17. Check in with Doug
Doug now has alarms to be alerted
when his customers get errors calling
his serverless API, but how does he
know why his customers get errors?
19. Amazon CloudWatch Logs
• API Gateway Logging
– 2 Levels of logging, ERROR and INFO
– Optionally log method request/body content
– Set globally in stage, or override per method
• Lambda Logging
– Logging directly from your code
– Basic request information included
• Log Pivots
– Build metrics based on log filters
– Jump to logs that generated metrics
21. CloudWatch Logs
• apilogs - https://github.com/rpgreen/apilogs
• Search and Stream your API Gateway logs (and Lambda)
• Basic syntax highlighting
• View API Gateway and Lambda logs together
22. APILogs Examples:
• Install:
– pip install apilogs
• tail -f for API Gateway/Lambda
– apilogs get --api-id xyz123 --stage prod --watch
• grep for API Gateway / Lambda
– apilogs get --api-id xyz123 --stage test2 --profile myprofile --aws-region us-east-1 --start='2h ago' --end='1h ago' | grep "ERROR"
24. AWS X-Ray (COMING SOON!)
• Identify performance bottlenecks and errors
• Pinpoint issues to specific service(s) in your application
• Identify impact of issues on users of the application
• Visualize the service call graph of your application
25. Check in with Doug
• Thanks to logging, Doug now
knows that his API is generating
errors during peak loads because
there’s spurious traffic hitting a
particular API method at a much
higher than expected rate due to a
bug in the mobile app.
• He now needs a way to limit the
traffic from those devices to let
other traffic through.
27. API Gateway Throttling
3 levels of throttling for APIs
• API Key level throttling – Configurable in usage plan
• Method level throttling – Configurable in stage settings
• Account level throttling – Limits can be increased
28. API Gateway Throttling
Token bucket algorithm
• Burst – the maximum size of the bucket
• Rate – the number of tokens added to the bucket
29. API Gateway Throttling - NEW
• Limits apply in order of most specific to least
specific
– API Key, Method, Account
• Requests throttled for any reason will no longer
be billed
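An added example (not from the original slides) of the token bucket described above, with a method-level limit checked before the shared account-level limit. The rates, bursts and the two method names are constructed, and checking every level before consuming a token is an assumption about how the ordering is applied.

```python
# Added example: token-bucket throttling at two of the levels listed above.

class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = rate              # tokens added per second
        self.burst = burst            # maximum size of the bucket
        self.tokens = float(burst)    # a bucket starts full
        self.last = 0.0

    def refill(self, now):
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now

def admit(limits, now):
    """limits: (level, bucket) pairs, most specific first.
    Returns None when admitted, else the level that throttled the request."""
    for _, bucket in limits:
        bucket.refill(now)
    for level, bucket in limits:
        if bucket.tokens < 1:
            return level              # caller answers 429 Too Many Requests
    for _, bucket in limits:
        bucket.tokens -= 1            # one token per admitted request
    return None

def simulate():
    """Constructed scenario: a buggy client floods a hypothetical /checkin."""
    account = TokenBucket(rate=100, burst=200)       # shared by all methods
    checkin = [("method", TokenBucket(rate=5, burst=10)), ("account", account)]
    reviews = [("account", account)]                 # no method-level limit

    def admitted(limits, now, n):
        return sum(admit(limits, now) is None for _ in range(n))

    return {
        "checkin_t0": admitted(checkin, 0.0, 50),    # burst of 10 gets through
        "reviews_t0": admitted(reviews, 0.0, 20),    # unaffected by the flood
        "checkin_t1": admitted(checkin, 1.0, 50),    # 1 s later: 5 new tokens
    }

if __name__ == "__main__":
    print(simulate())
```

The flood is rejected at the method level before it can drain the account bucket, which is why the other method keeps working.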
30. Check in with Doug
• Thanks to throttling, Doug has
limited the impact from the buggy
version of the application to only
affecting the one method.
• He can ship updates to affected
customers to re-route traffic as
needed.
31. TAMPR Promotions
TAMPR has become popular and
coffee shops and roasters are
contacting Doug to discuss
possibilities of promotions through the
app.
Doug needs a way to allow these
shops to create accounts and create
and edit promotions on demand.
33. Authentication Type Comparison
Feature AWS_IAM CUSTOM COGNITO
Authentication X X X
Authorization X X
Signature V4 X
Cognito User Pools X X
Third Party Authentication X
Additional Costs: NONE / Pay per authorizer invoke / NONE
34. API Gateway Authorization - NEW
CUSTOM Authorizers support additional
returned context
• Key/value dictionary
Requests that fail auth will no longer be billed
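An added example (not from the original slides) of a CUSTOM authorizer Lambda that returns an IAM policy plus the key/value context dictionary. The token format, the `TOKEN_SECRET` environment variable, the shop id and the method ARN are all assumptions made for the illustration.

```python
# Added example: a TOKEN custom authorizer that returns extra context.
import hashlib
import hmac
import os

def _mac(shop_id):
    # TOKEN_SECRET is a hypothetical Lambda environment variable.
    key = os.environ["TOKEN_SECRET"].encode()
    return hmac.new(key, shop_id.encode(), hashlib.sha256).hexdigest()

def issue_token(shop_id):
    """Token format '<shopId>.<hex HMAC>' is made up for this example."""
    return f"{shop_id}.{_mac(shop_id)}"

def handler(event, context=None):
    token = event.get("authorizationToken", "")
    shop_id, _, mac = token.rpartition(".")
    # Constant-time comparison; reject empty ids and bad signatures alike.
    valid = bool(shop_id) and hmac.compare_digest(
        mac.encode(), _mac(shop_id).encode())
    if not valid:
        raise Exception("Unauthorized")      # API Gateway answers 401
    return {
        "principalId": shop_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": event["methodArn"],   # only the method requested
            }],
        },
        # Key/value dictionary: values must be strings, numbers or booleans.
        "context": {"shopId": shop_id, "canEditPromotions": True},
    }

if __name__ == "__main__":
    os.environ["TOKEN_SECRET"] = "constructed-demo-secret"
    event = {   # constructed authorizer event
        "type": "TOKEN",
        "authorizationToken": issue_token("shop-42"),
        "methodArn": ("arn:aws:execute-api:us-east-1:111122223333:"
                      "abc123/prod/POST/promotions"),
    }
    print(handler(event)["context"])
```

The backend reads the returned values as `$context.authorizer.shopId` in mapping templates. If authorizer result caching is enabled, the cached policy is reused for the same token on other methods, so a policy scoped to a single `methodArn` will deny them.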
36. Check in with Doug
• TAMPR promotions have been a hit
and the app is more popular than
ever. Doug is now speaking with
other services, such as a new site
focused on brunch spots, on how
they can work together.
• Doug wants a way he can expose
portions of his API to these third
parties, but track their usage for
potential billing opportunities.
38. API Gateway Usage Plans
• API Key Throttling
– Rate/Burst per API Key
• API Key Usage
– Daily usage records
• API Key Quota
– Periodic limits per API Key
40. Check in with Doug
• TAMPR is continuing to grow and
Doug is now bringing in people to
help work on updates.
• He is looking for ways to formalize
the update process.
42. API Gateway Stages
• Stages are named links to a
deployed version of your API
• Recommended for managing
API lifecycle
– dev/test/prod
– alpha/beta/gamma
• Support for parameterized
values via stage variables
43. API Gateway Stage Variables
• Stage variables act like environment variables
• Use stage variables to store configuration values
• Stage variables are available in the $context object
• Values are accessible from most fields in API
Gateway:
• Lambda function ARN
• HTTP endpoint
• Custom authorizer function name
• Parameter mappings
44. Lambda Environment Variables
• Key-value pairs that you can dynamically pass to your
function
• Available via standard environment variable APIs
such as process.env for Node.js or os.environ for
Python
• Can optionally be encrypted via KMS
– Allows you to specify in IAM what roles have access to the
keys to decrypt the information
• Useful for creating environments per stage (i.e. dev,
testing, production)
45. Stage variables and Lambda alias for stages
Using Stage Variables in API Gateway together with Lambda function Aliases helps you manage a single API configuration and Lambda function for multiple stages
myLambdaFunction versions 1-8, with aliases:
• 3 = prod
• 6 = beta
• 8 = dev
My First API, stage variable = lambdaAlias:
• Prod: lambdaAlias = prod
• Beta: lambdaAlias = beta
• Dev: lambdaAlias = dev
46. Manage Multiple Versions and Stages of your APIs
Works like a source repository – clone your API to create a new version:
• API 1 (v1): Stage (dev), Stage (prod)
• API 2 (v2): Stage (dev)
47. Custom Domains
• Run your APIs within your own DNS zone
• Recommended for supporting multiple
versions
• api.tampr.com/v1 -> restapi1
• api.tampr.com/v2 -> restapi2
48. Swagger
• Portable API definition (JSON/YAML)
• Import/Export your API
• Swagger extensions for API Gateway
• Recommended for tracking changes to
your API
49. Deployment mechanisms
SAM - https://github.com/awslabs/serverless-application-model
• Serverless Application Model
• Extends CloudFormation
• Can integrate with CodePipeline for CI/CD solution
Chalice - https://github.com/awslabs/chalice
• Python microframework, includes deployment scripts
Serverless - https://github.com/serverless/serverless
• NodeJS, Python, Java and Scala
• Describe API and other resources
50. AWS Serverless Application Model (SAM)
• CloudFormation extension optimized for serverless
• New serverless resource types: functions, APIs, and tables
• Supports anything CloudFormation supports
• Open specification (Apache 2.0)
52. Be like Doug
• Monitor your APIs with metrics and
alarms to find problems.
• Use logging to diagnose problems
with your APIs.
• Make use of throttling and
authentication to limit blast radius
and protect critical API components.
• Make your API available to 3rd
parties via usage plans.
• Manage your API with
stages/versions and deployment
tools.