Do you have the next best idea? How will you quickly migrate a legacy feature to new world for almost free? This talk will give you how to architect and implement your scenario for a cloud-oriented solution. We will share the best practices for storing your state in database; ways to decouple by events and suggested patterns for serverless. You will be equipped with taking advantage of low-cost serverless computing in a secure way and how to minimize operational costs. It will mostly focus AWS offerings like Serverless Aurora, API Gateway and Lambda functions for solutions blueprint

1. Welcome to the
Manchester Community College, Manchester NH
November 2, 2019

2. @bsubra
SERVERLESS
COMPUTING
APIS, SERVERLESS FUNCTIONS, MICROSERVICES - HOW TO GET YOUR PRODUCT QUICKLY
TO MARKET?

3. A BIG thank you to our 2019 Sponsors!
Venue Sponsor
Platinum Sponsor (Lunch & Refreshments)
Diamond Sponsor (Lunch & iPad Raffle)
Gold Sponsor (Speaker Appreciation)
Silver Sponsor (Attendee Appreciation)

4. Another BIG thank you to our in-kind sponsors!
Raffle: Licenses
Raffle: Meadow / Hack Kit Pro
Chocolates
Speaker / Schedule Management
Raffle: Weekday Lift Tickets
Raffle: Licenses

5. @bsubra

6. @bsubra

7. @bsubra
AGENDA
• Why?
• What?
• How? - Demos
• Architectures
• EDA, Patterns, Best Practices
• Advantages
• Disadvantages
• Next Steps

8. @bsubra
STORY OF A CENSUS

9. @bsubra
WHY?

10. @bsubra
WHY?
• Smallest Unit of Compute – Pure Code
• Super, Hyper-Scalable
• Rapid Iteration, CI, CD, Quickest Delivery
• Extreme multi-tenancy
• Very Polyglot friendly (Java, JS, C#, Python,
Powershell, F#, Typescript, PHP, Go and so on)
• Easier to Collaborate – Microservices, APIs
• Deploy Independently – Go live to production
in seconds

11. @bsubra
WHY? – FUTURE OF TECH INDUSTRY

12. @bsubra
SERVERLESS <> CLOUD

13. @bsubra
MANDATORY VIEWING
Source: IDC: Generating Value Through IT Agility & Business Scalability with Serverless
Platform

14. @bsubra
@bsubra

15. @bsubra
WHAT?

16. @bsubra
WHAT?
• Abstraction of backend infrastructure
Completely
• Execution environment for single purpose
functions
• Hosted in public cloud or on-premise
• Serverless functions have a runtime in a
stateless container
• Node.JS, JavaScript, C#, Python, Java
• Event-driven Startup Triggers / Instant Scale-
out or Scale-in
• Micro-billing instead of per-hour / per-month
billing

17. @bsubra
AWS APPS - COMPARISON

18. @bsubra
GCP: WHICH
SERVERLESS
COMPUTE
PLATFORM IS
RIGHT FOR
YOU?

19. @bsubra
DEMOS

20. @bsubra
MICROSERVICES ARCHITECTURE
• Services can communicate via
• through synchronous API requests (for example API
Gateway)
• through asynchronous messaging between services (for
example SQS and SNS)
• through a state machine orchestrator
• State: Backend-as-a-Service (Baas): infrastructure
components managed by a Cloud Provider
• Google Cloud Firestore
• Azure Storage / AWS S3 / Google Cloud Storage
• CosmosDB / DynamoDB
• Azure Kubernetes Service (AKS)
• Google BigQuery

21. @bsubra
SERVERLESS ARCHITECTURE

22. @bsubra
EVENT DRIVEN ARCHITECTURE (EDA)
• Design Pattern around the Production
and Reaction to Events
• Serverless Functions are triggered by
Events
• Examples of Events
• A File uploaded to an S3 bucket
• Inserts on a DynamoDB Table
• A Message published to an SNS topic –
PubSub
• A CloudWatch Alert
• A message is available to read from a
Kinesis stream

23. @bsubra
ADVANTAGES
• Asynchronous, Concurrent
• Infrequent or has Sporadic Demand
• Stateless, Ephemeral
• Highly Dynamic in terms of Changing Business
Requirements

24. @bsubra
EXAMPLES OF SERVERLESS USE CASES
• Multimedia processing
• Database changes or Change Data Capture
• IoT sensor input messages
• Stream processing at scale
• Chat bots
• Batch jobs scheduled tasks
• HTTP REST APIs and web apps
• Mobile back ends
• Business logic
• Continuous integration pipeline
Source: CNCF Serverless Whitepaper
v1.0

25. @bsubra
TIPS AND TRICKS
• Limit your Function Size (JVM Startup time especially)
• Remember Execution is Async
• Do not assume function container reuse but take advantage of it
• Audit dependencies to keep bundle sizes small.
• CloudWatch's default log retention period is forever.
• Structure your logs to ease alert creation and debugging
• Understand AWS account limits
• Think twice before dynamically provisioning AWS resources.
• Price - Is Serverless really as cheap as everyone claims? (dev.to) Unless you are
operating at massive scale, serverless is not just cheap, it's a steal.

26. @bsubra
BEST PRACTICES
• Scrutinize and research before attaching new input/event sources
• Keep the functions’ permissions least privileged and maintain a least privileged build system
• Amount of code that can access sensitive data be reduced, exceptions are handled and input is
validated
• Avoid embedding secrets and access keys in code
• Do not store access keys or credentials in source code repositories
• Throttle and define quotas on the amount of requests that go through
• Keep data encrypted that is stored at rest
• Scrutinize and keep tab on third party API services for vulnerabilities
• Scan third party libraries for potential vulnerabilities and try to keep them up-to-date
• Carefully examine granting permissions that allow creation, modification or removal of the resources

27. @bsubra

28. @bsubra
SERVERLESS FAILURE STORIES
• Serverless out of control
• Mo’ developers, mo’ problems: How serverless has trouble with teams
• Beware “RunOnStartup” in Azure Functions – a serverless horror story
• Serverless: A lesson learned. The hard way.
• Serverless: 15% slower and 8x more expensive

29. @bsubra
DYNAMODB - BEST PRACTICES
• Where it could be Used?
• Wherever we see relationships…
• Document management
• Process control
• Social network
• Data trees
• IT monitoring
• Takeaways
• NoSQL does not mean non-relational
• The ERD still matters
• RDBMS is not deprecated by NoSQL
• Use NoSQL for OLTP or DSS at Scale.
• Use RDBMS for OLAP or OLTP when Scale is not important.

30. @bsubra
DYNAMODB ANTI-PATTERNS
• Prewritten application tied to a traditional relational database – If you are attempting to port an
existing application to the AWS cloud and need to continue using a relational database, you may elect
to use either Amazon RDS (Amazon Aurora, MySQL, PostgreSQL, Oracle, or SQL Server), or one of the
many pre-configured Amazon EC2 database AMIs. You can also install your choice of database
software on an EC2 instance that you manage.
• Joins or complex transactions – While many solutions are able to leverage DynamoDB to support
their users, it’s possible that your application may require joins, complex transactions, and other
relational infrastructure provided by traditional database platforms. If this is the case, you may want to
explore Amazon Redshift, Amazon RDS, or Amazon EC2 with a self-managed database.
• Binary large objects (BLOB) data – If you plan on storing large (greater than 400 KB) BLOB data,
such as digital video, images, or music, you’ll want to consider Amazon S3. However, DynamoDB still
has a role to play in this scenario, for keeping track of metadata (e.g., item name, size, date created,
owner, location, etc.) about your binary objects.
• Large data with low I/O rate –DynamoDB uses SSD drives and is optimized for workloads with a
high I/O rate per GB stored. If you plan to store very large amounts of data that are infrequently
accessed, other storage options may be a better choice, such as Amazon S3.

31. @bsubra
LAMBDA - BEST PRACTICES
• Minimize package size to necessities
• Separate the Lambda handler from core logic
• Read only what you need
• Properly Indexed Databases
• Query Filters in Aurora
• Use S3 Select
• Dynamic Logic via Configuration
• Per Function - Use Environment Variables to modify operational behavior
• Cross Function – Amazon Parameter Store / Secrets Manager
• Self-contain dependencies in your function package
• Leverage “Max Memory Used” to right-size your functions
• Use Functions to TRANSORM (not for TRANSPORT)
• Delete large unused functions (used to be 75GB limit)

32. @bsubra
LAMBDA – ANTI-PATTERNS
• Long-running applications – Each Lambda function must complete within 300
seconds. For long-running applications that may require jobs to run longer than five
minutes, Amazon EC2 is recommended or you create a chain of Lambda functions
where function 1 calls function 2, which calls function 3, and so on until the process is
completed.
• Dynamic websites – While it is possible to run a static website with Lambda, running
a highly dynamic and large volume website can be performance prohibitive. Using
Amazon EC2 and Amazon CloudFront would be a recommended use case.
• Stateful applications –Lambda code must be written in a “stateless” style; that is, it
should assume there is no affinity to the underlying compute infrastructure. Local file
system access, child processes, and similar artifacts may not extend beyond the
lifetime of the request, and any persistent state should be stored in Amazon S3,
DynamoDB, or another Internet-available storage service.

33. @bsubra
SERVERLESS
WEB APP
ON AZURE

34. @bsubra

35. @bsubra
SERVERLESS
APP WITH
AWS AMPLIFY

36. @bsubra
HOW AWS BUILT A PRODUCTION SERVICE USING SERVERLESS TECHNOLOGIES

37. @bsubra
AWS SERVERLESS DATA LAKE

38. @bsubra
GOOGLE GCP

39. @bsubra
HOW MATURE ARE YOU? -
AUTOMATION

40. @bsubra
Features AWS Lambda Azure Functions Google Cloud Functions
Language
Support Node.js, Java, C#, Python Node.js, C#, F#, Python, PHP Node.js
Security
AWS IAM, VPC
OAuth providers such as Azure Active Directory, Facebook, Google,
Twitter, and Microsoft Account Cloud IAM
Monitoring Cloudwatch Application Insights Stackdriver Monitoring
Logging Cloudwatch Application Insights Analytics Stackdriver Logging
Auditing CloudTrail Azure Audit Logs Cloud Audit Logging
Alerts Cloudwatch Alarms Application Insights, Log Analytics, and Azure Monitor Stackdriver Monitoring
Tooling
Support CodePipeline, Code Build Azure Portal, Azure Powershell, Azure CLI, Azure SDK gcloud CLI for functions
Debugging
Support AWS X-Ray
Azure CLI - local debugging,
Azure App Service - remote debugging Stackdriver Debugger
Pricing
it depends
Execution Time: $0.000016/GBs, 400,000 GBs/month are free
Total Executions: $0.20/million executions, with 1 million
executions/month free
Invocations: $0.40/million invocations with 2 million invocations free
Compute Time: $0.0000025/GBsec with 400,00 GB-sec/month free &
$0.0000100/GHzsec with 200,000 GHz-sec/month free
Limits
Memory allocation range: Min. 128 MB / Max. 1536 MB (with 64 MB
increments)
Ephemeral disk capacity ("/tmp" space): 512 MB
Number of file descriptors: 1,024
Number of processes and threads (combined total): 1,024
Maximum execution duration per request: 300 seconds
Invoke request body payload size (RequestResponse): 6 MB
Invoke request body payload size (Event): 128 K
Invoke response body payload size (RequestResponse): 6 MB
Allow only 10 concurrent executions per function
No limitations on max. execution time limit
Resource, Time and Rate Limits are defined under Google Cloud Functions
Quota limits

41. @bsubra
DISADVANTAGES
• Portability
• Automation / DevOps
• Cross-Cloud Communication
• The Cold Start Problem
• Applications that haven't been used recently
take longer to startup and to handle the first
request.
• Because serverless happens on use, there
aren’t dedicated instances ready to handle
requests
• Solution: Run a function in a dedicated
container/VM, not serverless

42. @bsubra
DASHBOARD SHOWS LINK BETWEEN PERFORMANCE & COSTS

43. @bsubra
SECURITY: SHARED RESPONSIBILITY MODEL

44. @bsubra
SECURITY RISKS
1. Function Event-Data Injection
2. Broken Authentication
3. Insecure Serverless Deployment Configuration
4. Overprivileged Function Permissions and Roles
5. Inadequate Function Monitoring and Logging
6. Insecure Third-Party Dependencies
7. Insecure Application Secrets Storage
8. Denial-of-Service and Financial Resource Exhaustion
9. Serverless Business Logic Manipulation
10. Improper Exception Handling and Verbose Error Messages
11. Legacy/Unused Functions & Cloud Resources
12. Cross-Execution Data Persistency
Source: CSA - The 12 Most Critical Risks for Serverless Applications
2019

45. @bsubra
SERVERLESS WEB APP SECURITY

46. @bsubra
CONSIDERATIONS FOR THE ENTERPRISE
• Cloud Silos
• Enterprise Eventing
• Serverless skills gap
• Monitoring vs. Observability
• Stateful vs. Stateless
• Forecasting costs
• Where serverless falls short
Source: The New Stack Serverless Survey 2018
Q: What are the top three areas in which serverless falls short of expectations?

47. @bsubra
WORKS CITED
• Serverless Architectures - Martin Fowler
• Serverless on Google Cloud Platform: an
Introduction with Serverless Store Demo
• Introduction to Serverless: RISE Conference 2018 -
Hong Kong Developer Workshop: Introduction to
Serverless - Shaun Ray
• Serverless is a Doctrine, not a Technology - Paul
Johnston – Medium
• The Serverless Sea Change
• How AWS built a production service using
serverless technologies | AWS Open Source Blog
• Serverless Architectural Patterns and Best Practices
| AWS Architecture Blog
• Contemporary Views on Serverless and
Implications - Subbu’s Blog
@bsubra

48. @bsubra
SERVERLESS ON GOOGLE CLOUD PLATFORM
• App Engine | Google Cloud
• 1. Auth, Storage, Event Streaming, and Third-Party APIs (Firebase Authentication,
Cloud Storage, Cloud Firestore, Cloud Pub/Sub and Third-Party APIs)
• 11. Machine Learning, AI, Data Analytics, and Data Visualization (Cloud Vision API,
Cloud AutoML, DialogFlow +Google Assistant integration, BigQuery and Data Studio)
• 111. Serverless Computing, Management Tools, and Cron Jobs (App Engine, Cloud
Functions, Cloud Scheduler, Stackdriver Logging, Stackdriver Monitoring, and
Stackdriver Tracing)
• 1111. Hacking Google Cloud Run

49. @bsubra
CALL TO ACTION
1. Write an AWS Lambda from Template
• How do I get started with creating serverless applications?
2. Make your monolithic app use Step Functions
3. Try how Azure Kubernetes Service (AKS) can deploy your legacy apps
4. Make your next project be event driven with Azure Event Grid, or GCP Cloud Pub/Sub
• Building a Reliable Serverless Application in a Weekend
5. Become familiar with application observability with comprehensive logging, metrics, and
tracing
6. Follow folks pushing Serverless in twitter
7. Read a book
• Serverless apps: Architecture, patterns, and Azure implementation | Microsoft Docs
8. Watch Videos like
• AWS re:Invent: Accelerate Innovation & Maximize Business Value w/ Serverless Apps (SRV212-R1)
• Keynote: Serverless, Not So FaaS - Kelsey Hightower, Kubernetes Community Member, Google

50. Thank you