How to build your scalable applications without servers

Posted on 13-Apr-2017


TRANSCRIPT

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Angelo Carvalho, Solutions Architect, AWS

22 September 2016

How to Build Your Scalable Applications Without Servers

Agenda

§ Overview of Serverless Architecture
§ Anatomy of a Web Application
§ Securing the Web Application
§ Demo
§ Other Options

Overview of Serverless Architectures

Serverless? What's that mean?

What is Serverless?

Provisioning and Utilization

Operations and Management

Scaling, Availability and Fault Tolerance

Removes the need for….

Benefits of Serverless?

Provisioning and Utilization

Operations and Management

Scaling, Availability and Fault Tolerance

Which leads to….

Low Cost, Simple, Low Latency, Scalable, Reliable

Platform of Serverless Products

Storage, Database, Compute, Messaging and Queues, Gateways, User Management, Internet of Things, Machine Learning, Streaming Analytics

Real-time Processing

Streams

Files

ETL

IoT Backends

Web Application Serverless Architecture

Anatomy of a Web Application

What makes up a web application? Let's break it down…

What makes up a web application?

Serverless Web Application

Where did all the servers go?

Static Website Hosting on S3 - refresher

§ Specify an index document (i.e. index.html)
§ Specify an error document
§ Objects publicly readable
§ Supports redirects
  § All Requests
  § Conditional

[Diagram: S3 bucket with objects served as a static website]

API Gateway - refresher

Create, Configure, Publish

Maintain, Monitor, Secure

API Gateway – Stage Variables

§ Key/Value pairs used for configuration
§ Used for different stages of API
§ Specify a Lambda function name
§ Pass to backend

Lambda

§ Serverless, event-driven compute
§ Code is: NodeJS, Python, JVM based
§ Specify memory allocated
§ Determine what invokes the functions
  § API Gateway, S3, DynamoDB, Kinesis, SNS, SES, Cognito, CloudWatch Logs, CloudWatch Events, CloudFormation, Config, Scheduled Events

Lambda – Versioning and Aliases

Versioning
§ ARN for each one (immutable)
§ Versions of functions for Dev, Staging, Prod

Aliases
§ Point to a version
§ Have an ARN also
§ Event sources point to Alias ARNs

Lambda – Dynamic Configuration

One option:

§ Pull configs from DDB (DynamoDB)
§ Write values to global vars
§ Code uses global vars

[Diagram: Lambda function reading its configuration from Amazon DynamoDB]
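The "pull configs from DDB, write to global vars" option above, written out as an added example (not code from the deck): a constructed dict stands in for the DynamoDB table, the TTL and the last-known-good fallback are assumptions, and the point it shows is that module globals outlive one invocation in a warm container, so the read only happens on cold start or after the TTL.

```python
import time

# Module-level globals live as long as the Lambda container stays warm, so values
# written here on the first invocation are reused by the next ones at no DDB cost.
CONFIG = {}
CONFIG_LOADED_AT = 0.0
CONFIG_TTL_SECONDS = 300  # assumption: how stale the cached config may get

# Constructed stand-in for the DynamoDB config table (one item per key).
FAKE_CONFIG_TABLE = {"comments_enabled": "true", "max_post_length": "2000"}

def read_config_table(table=FAKE_CONFIG_TABLE):
    """Stands in for the DynamoDB read; returns {key: value} for all config items."""
    return dict(table)

def load_config(now=None, fetch=read_config_table):
    """Fill the globals on cold start, refresh them once the TTL has passed, and
    keep the last known good values if the refresh fails (only a cold start with
    no config at all is allowed to fail the invocation)."""
    global CONFIG, CONFIG_LOADED_AT
    now = time.time() if now is None else now
    if CONFIG and now - CONFIG_LOADED_AT < CONFIG_TTL_SECONDS:
        return CONFIG
    try:
        CONFIG = fetch()
        CONFIG_LOADED_AT = now
    except Exception:
        if not CONFIG:
            raise
    return CONFIG

def handler(event, context=None):
    """Lambda entry point: the business logic only reads the globals."""
    cfg = load_config()
    if len(event.get("body", "")) > int(cfg["max_post_length"]):
        return {"statusCode": 400, "body": "post too long"}
    return {"statusCode": 200, "body": "ok"}
```

Because the cached values persist across invocations, a config change in the table is only seen after the TTL, so keep the TTL short for anything security-relevant such as feature kill switches.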

DynamoDB - refresher

§ NoSQL database
§ Keys: Hash Key and (optional) Range Key
§ Tips:
  § Plan your keys
  § Think about your queries

Serverless Web Application

… but what's missing from this architecture?

Authentication/Authorization

Securing your Serverless Web Application

AWS IAM and AWS STS

[Diagram: the client obtains a temporary security credential from AWS STS; the permissions attached to it come from a role defined in AWS IAM; the credential is then used to call the AWS cloud directly or, alternatively, Amazon API Gateway. Example role permissions shown:]

Action: ['s3:*', 'sts:Get*']
Effect: Allow
Resource: *

Securing API Gateway

Cognito and STS

Authentication Options with Cognito

Federated Identity Providers
• Amazon
• Facebook
• Google

Custom Developed Authentication System

Cognito Identity User Pools (Preview)

Unauthenticated vs Authenticated roles

§ Ability to define both in Cognito
§ Start out unauthenticated, switch to authenticated!
  § e.g. browsing a blogging site, then log in to post or comment

Example IAM Policy for API Gateway

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments/*",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/users",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/login"
      ]
    }
  ]
}

Cognito – Authentication Flow

[Diagram: Amazon Cognito authentication flow through Amazon API Gateway and AWS Lambda]

Other Security Features

§ IAM Roles for Lambda Functions
§ Client-side Encryption library using KMS for DynamoDB

Demo

Demo App Architecture

[Diagram, with steps numbered 1 to 6 in the original: the web browser loads static content from Amazon S3; it obtains user credentials from Amazon Cognito and calls the unauthenticated API methods on Amazon API Gateway, which are backed by AWS Lambda functions and Amazon DynamoDB; through the authentication APIs it obtains authenticated user credentials from AWS STS and then calls the authenticated API methods (the POST functions) on Amazon API Gateway, whose logic for POST functions runs in AWS Lambda and stores encrypted user data in Amazon DynamoDB using AWS KMS.]

Other Options

Authentication Options

Cognito:
• Federated Identity Providers (Amazon, Facebook, Google)
• Cognito Identity User Pools

Federated Web Identities
• Interact directly with STS and 3rd party identity providers

Authorization Options with API Gateway

[Diagram: the client sends a request with a bearer token to API Gateway; API Gateway hands the context and token to a Lambda auth function, which returns a principal and a policy; the policy is evaluated and cached, and the request is either allowed through to the backend (AWS Lambda functions, endpoints on Amazon EC2, or any other publicly accessible endpoint) or rejected with 403 Denied.]
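The Lambda auth function from the flow above and the example IAM policy earlier in the deck, combined into one added example (not the deck's or AWS's code): the bearer token format, the shared secret and the two extra POST routes for authenticated users are assumptions; the GET/POST route list is the deck's example policy, and `policy_allows` replays the gateway's Allowed/403 Denied decision locally.

```python
import hashlib, hmac
from fnmatch import fnmatchcase

# Constructed shared secret so the example can mint and verify its own tokens; a
# real authorizer would validate a Cognito or other IdP token instead (assumption).
DEMO_SECRET = b"demo-secret-not-for-production"

# Routes from the deck's example policy (what an unauthenticated caller may do)
# plus two POST routes assumed here for authenticated users.
UNAUTH_ROUTES = ["GET/posts", "GET/posts/*", "GET/posts/*/comments",
                 "GET/posts/*/comments/*", "POST/users", "POST/login"]
AUTH_ROUTES = UNAUTH_ROUTES + ["POST/posts", "POST/posts/*/comments"]

def mint_token(user):
    """Constructed bearer token: '<user>.<hmac-sha256 hex>'."""
    return user + "." + hmac.new(DEMO_SECRET, user.encode(), hashlib.sha256).hexdigest()

def verify_token(token):
    """Return the user named in the token, or None if the MAC does not check out."""
    if "." not in token:
        return None
    user, mac = token.rsplit(".", 1)
    expected = hmac.new(DEMO_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None

def handler(event, context=None):
    """TOKEN-type custom authorizer: API Gateway passes 'authorizationToken' and
    'methodArn'; the function answers with a principal and an IAM policy, which
    the gateway evaluates and caches for later requests carrying the same token."""
    api_arn = event["methodArn"].split("/", 1)[0]  # arn:aws:execute-api:region:acct:apiId
    header = event.get("authorizationToken", "")
    user = verify_token(header[7:]) if header.startswith("Bearer ") else None
    routes = AUTH_ROUTES if user else UNAUTH_ROUTES
    return {
        "principalId": user or "anonymous",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "execute-api:Invoke",
                           "Resource": [api_arn + "/*/" + r for r in routes]}],
        },
        "context": {"authenticated": bool(user)},
    }

def policy_allows(policy, method_arn):
    """Replay the gateway's decision locally: Allowed if an Allow statement's
    resource pattern matches the method ARN (IAM '*' spans '/'), else 403 Denied."""
    for stmt in policy["policyDocument"]["Statement"]:
        if stmt["Effect"] == "Allow" and any(fnmatchcase(method_arn, r) for r in stmt["Resource"]):
            return True
    return False
```

Because the gateway caches the returned policy per token, the policy should cover every route that principal may reach, not just the one in the triggering `methodArn`.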

Some Tidbits

§ Authorization failures from API Gateway show up in the browser as a CORS error (the gateway's 401/403 response carries no CORS headers, so the browser reports the missing header rather than the real status)

§ Using stage variable values to name Lambda functions means the Lambda invoke permissions have to be configured manually

Architect to be Serverless

Fully Managed
§ No provisioning
§ Zero administration
§ High availability

Developer Productivity
§ Focus on the code that matters
§ Innovate rapidly
§ Reduce time to market

Continuous Scaling
§ Automatically
§ Scale up and scale down

Q&A
