As serverless architectures become more popular, customers need a framework of patterns to help them to identify how to leverage AWS to deploy their workloads without managing servers or operating systems. In this session, we describe reusable serverless patterns while considering costs. For each pattern, we provide operational, security, and reliability best practices and discuss potential challenges. We also demonstrate the implementation of some of the patterns in a reference solution. This session can help you recognize services and applications for serverless architectures in your own organization and understand areas of potential savings and increased agility and reliability.
23–27. Pattern: The “cherry-pick” (GraphQL API)
Diagram (built up over slides 23–27): Client → AWS AppSync → resolvers → data sources
• Query listFlights → flightsDB (Amazon DynamoDB); the resolver is an Apache Velocity template
• Query getLoyalty → loyaltyFn → Amazon DynamoDB
• Mutation initBooking → procBooking → AWS Step Functions
• Mutation createFlights → Admin only, enforced with Amazon Cognito
• Query getOrder / Mutation addOrder → ordersDB (Amazon RDS) with AWS Secrets Manager
Example operations shown on the slides:
• Fetch loyalty points: getLoyalty(customer: 1234) { tier, totalPoints }
• Create new booking: initBooking(cust: 123..) { bookingId, bookingRef }
• Admin only: createFlights(flightNumber: 1234, ticketPrice: 300)
• Fetching orders: getOrder(id: 1234) { customer, flights, points… }
• Fetch booking: listBookings { bookingRef, departureDate… }
Best practices
• Use Lambda for complex logic
• Use state machines for long transactions; pipeline resolvers for simpler transactions
• Enforce authorization at API, data field and operation level
• Use purpose-built databases
• Select only data you need
• Enable caching
31–35. Pattern: Call me, “Maybe” (Webhook)
Diagram (built up over slides 31–35): Client → Amazon API Gateway (custom authorizer) → AWS Lambda (concurrency 5) → Amazon RDS. Slides 32–34 add Amazon Kinesis Data Streams as a buffer, a DLQ for failed requests, and an obfuscate step for sensitive data on the stream.
Alternative (slide 35): Client → Amazon API Gateway → Amazon SQS → AWS Lambda (with DLQ) → Amazon DynamoDB
Best practices
• Limit concurrency to protect non-scalable/stateful downstream services
• Use Kinesis as a buffer and as a better mechanism to limit concurrency
• Use Lambda Destinations for failed requests; set max retries
• Enforce authorization and obfuscate sensitive data on the stream
• For low-volume traffic, Kinesis can batch records for up to 5 minutes
• Alternatively, use DynamoDB + SQS to scale webhooks easily
37–44. Pattern: The big “Fan” (fan-out)
Diagram (built up over slides 37–44): Client → Amazon API Gateway (custom authorizer) → Amazon Simple Notification Service → Amazon SQS → consumer Lambda. Slide 37 starts with a Lambda function between API Gateway and SNS; slide 38 removes it because API Gateway integrates with SNS directly. Later slides add a DLQ per queue and multiple consumers w/ DLQ, each subscribed with a message filter (Status=Created, Status=Processed, Status=Refunded).
Alternative for larger payloads (slide 44): Client → Amazon API Gateway → Amazon Kinesis Data Streams → Consumer
Best practices
• API Gateway can integrate with AWS services directly
• Integrate with Amazon SQS for higher durability, batching, and DLQ
• Enforce authorization. Verify signature of Amazon SNS messages
• Use message filtering for efficient processing
• Compress and aggregate messages when possible
• Consider Kinesis for larger payloads
47–53. Pattern: They say “I’m a Streamer” (streaming)
Diagram (built up over slides 47–53): Client → Amazon API Gateway (custom authorizer) → AWS Lambda → Amazon Kinesis Data Firehose → Amazon S3. Slide 48 enables backup of the source stream records; slide 49 splits the delivery into a dedicated Kinesis Data Firehose and S3 bucket per context/domain; slide 50 adds the custom authorizer and an obfuscate step; slide 51 adds an AWS Glue crawler per bucket feeding the Data Catalog queried by Amazon Athena; slide 52 replaces the client with three SNS topics (with a DLQ) as event sources; slide 53 adds CloudFront with Lambda@Edge to go global.
Best practices
• Enable source stream record backup
• Favor a dedicated Data Firehose per context/domain
• Enforce authorization
• Obfuscate/remove sensitive stream data
• Enable Parquet transformation. Use Glue to discover data schema and Athena to query
• Use message filtering to prevent unwanted events. Tune buffer/compression
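The obfuscate and message-filtering steps of the streaming pattern (and the webhook pattern's "obfuscate sensitive data on the stream"), as an added Go example that is not code from the session: a Kinesis Data Firehose transformation that drops records of unwanted event types, masks sensitive fields, flags undecodable records as ProcessingFailed, and newline-delimits accepted records so Glue and Athena see one JSON object per line. The record shapes mirror the Firehose transformation contract; the event field names and the filter/mask policy are assumptions, and the Lambda handler wrapper that maps the event's records array is left out so the block runs without the AWS SDK.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"strings"
)

// InputRecord/OutputRecord mirror the Firehose data-transformation contract: each output echoes recordId with a result of "Ok", "Dropped" or "ProcessingFailed" plus base64 data.
type InputRecord struct {
	RecordID string `json:"recordId"`
	Data     string `json:"data"`
}
type OutputRecord struct {
	InputRecord
	Result string `json:"result"`
}

// Policy for this example (assumed): keep only booking events and mask these top-level fields.
var wantedTypes = map[string]bool{"booking.created": true, "booking.refunded": true}
var sensitiveFields = map[string]bool{"cardNumber": true, "email": true}

// mask keeps the last four characters so records stay correlatable without exposing the value.
func mask(v string) string {
	if len(v) <= 4 {
		return strings.Repeat("*", len(v))
	}
	return strings.Repeat("*", len(v)-4) + v[len(v)-4:]
}

// TransformRecord filters and obfuscates one record before Firehose writes the batch to S3.
// ProcessingFailed records are not lost: Firehose writes them to the delivery stream's error prefix.
func TransformRecord(r InputRecord) OutputRecord {
	raw, err := base64.StdEncoding.DecodeString(r.Data)
	var ev map[string]interface{}
	if err != nil || json.Unmarshal(raw, &ev) != nil {
		return OutputRecord{InputRecord: r, Result: "ProcessingFailed"}
	}
	if t, _ := ev["type"].(string); !wantedTypes[t] {
		return OutputRecord{InputRecord: r, Result: "Dropped"}
	}
	for k, v := range ev {
		if s, ok := v.(string); ok && sensitiveFields[k] {
			ev[k] = mask(s)
		}
	}
	clean, _ := json.Marshal(ev) // cannot fail: every value came out of json.Unmarshal
	encoded := base64.StdEncoding.EncodeToString(append(clean, '\n'))
	return OutputRecord{InputRecord: InputRecord{RecordID: r.RecordID, Data: encoded}, Result: "Ok"}
}
```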
58–63. Pattern: The “Strangler”
Diagram (built up over slides 58–63): Client → Amazon API Gateway (custom authorizer) → VPC → AWS NLB → AWS Direct Connect → corporate data center (servers and DBs). On slide 58 the NLB targets are the private IPs of the servers; from slide 60 the target is the virtual IP of a corporate load balancer in front of the servers. Amazon CloudWatch (logs & metrics) and AWS X-Ray are attached from slide 59. Slides 62–63 shrink the data center to a single server and DB while functionality moves to Amazon EC2, Amazon ECS and Amazon RDS, and new functionality goes to Amazon DynamoDB and AWS Lambda.
Best practices
• Centralize logs, metrics, and distributed tracing
• Send traffic to a corporate load balancer virtual IP
• Enforce authorization
• Gradually shift functionality to newer compute/database platforms
• Use serverless for new functionality
64. Practical example: HSBC Part 1
Diagram: Platform VPC spanning EU-West-1-A, EU-West-1-B and EU-West-1-C, with one VPC subnet per AZ (large CIDR block) and a bank-bound VPC endpoint. Platform DX VPC (small CIDR block): VPC endpoint service → Network Load Balancer → Bank Bound Proxy Fleet in each AZ → Direct Connect → HSBC UK.
• As a VPC-attached Lambda function scales, the subnets must have enough available IP addresses to match the number of ENIs, so a large CIDR block is required for that VPC
• Access to on-premises is provided via a VPC endpoint that encapsulates a set of proxy servers located in a VPC with Direct Connect, so a small CIDR block is used on the VPC connected to on-premises
65. Practical example: HSBC Part 2
Diagram (region EU-West-1): HSBC UK mainframes (Kafka, AVRO, EBCDIC) → Direct Connect → Mapper (EMR Spark, Kinesis Streams) → services (JSON, ASCII):
• Customer Preferences: DynamoDB, Lambda, API Gateway
• Data Service: Aurora, EMR, DynamoDB, API Gateway, Kinesis Streams
• Event Engine: Kinesis Streams, Lambda
• Push Notifications / Notification Service: API Gateway, Kinesis Streams, Lambda
• Message Service: API Gateway, DynamoDB, Kinesis Streams, Lambda
• Dead Letter Queues: SNS, SQS
• Common Services: VPC, CloudWatch, KMS
69. Related breakouts
SVS311 Serverless at scale: design patterns and optimizations
SVS401-R Optimizing your serverless applications
SVS403-R Best practices for AWS Lambda and Java
API304 Scalable serverless event-driven applications using Amazon SQS and Lambda
SVS309 Architecting and operating resilient serverless systems at scale